Management Patents (Class 726/6)
-
Patent number: 7966229
Abstract: A system for the time-based accounting of access by users to services provided by a data network includes a primary access node to provide access by users by establishing via the primary access node a steady connectivity between the users and the network. A secondary access node is associated with the primary access node, such secondary access node being configured for acting as a backup node to maintain connectivity in the case of failure involving the primary access node. The primary access node is configured for issuing a request for credentials for any user requesting access to said data network and, as a result of receiving valid credentials from the user, starts time-based accounting for the user. An authentication node cooperative with the primary access node and the secondary access node stores the secondary access node information items concerning the time-based accounting started for the user.
Type: Grant
Filed: January 20, 2006
Date of Patent: June 21, 2011
Assignee: Telecom Italia S.p.A.
Inventors: Vinicio Vercellone, Mario Ullio, Gennaro Amelio
-
Patent number: 7966665
Abstract: A method, system, and computer program product for detecting and enforcing compliance with access requirements for a computer system in a restricted computer network. A compliance validation configuration file is created for the computer system. A maintenance service utility is configured to launch a compliance validation executable file at a specified time during operation of the computer system. A digital hash is generated for the compliance validation executable file and for the compliance validation configuration file. A determination is made if the computer system or a computer system user is a member of a configured restricted group. If the computer system or the computer system user is a member of a configured restricted group, a determination is made if a directory site code for a subnet of the restricted computer network to which the computer system is connected corresponds to a configured and allowed site.
Type: Grant
Filed: November 16, 2007
Date of Patent: June 21, 2011
Inventors: Colin Lee Feeser, Anthony William Ondrus, Mark Jackson Canup
-
Publication number: 20110145897
Abstract: A first device receives, from a second device, a first request to set up an account, where the first request includes a shared key and information associated with the second device, where the shared key is calculated based on a private key, of a private key/public key pair, and information regarding an identity selection, from user identity information, associated with a user of the second device; and store the shared key in a memory.
Type: Application
Filed: December 14, 2009
Publication date: June 16, 2011
Applicant: VERIZON PATENT AND LICENSING, INC.
Inventor: David S. TYREE
-
Publication number: 20110145898
Abstract: The present invention provides a security module for a Web application, especially a portal application, using a rewriter proxy. The security module ensures that the rewritten URIs are appended by an authentication identifier for determining whether the rewritten URI has not been changed. Preferably, the authentication identifier can be generated by applying a secure hash algorithm and/or secret key to the original URIs of the remote resource or the entire rewritten URIs. When a client activates those URIs, a request is sent to the rewriter proxy. Before a connection to the access protected remote resource is established, the security module validates whether the URIs contained in the user client request have been changed by the user.
Type: Application
Filed: December 14, 2010
Publication date: June 16, 2011
Applicant: International Business Machines Corporation
Inventors: Stephan Laertz, Peter FISCHER, Carsten LEUE, Thomas SCHAECK
-
Patent number: 7958545
Abstract: Aspects of the invention provide a method, system and computer program product for managing multiple user identities for a user of an electronic commerce (e-commerce) site. The method comprises defining the e-commerce site as one or more security domains; and in response to a user's request to invoke an operation of the e-commerce site: determining a one of the one or more security domains to which the operation relates; performing one of a) creating a session and b) reusing a session for the user automatically in accordance with the determined security domain, said session associated with a user identity and a role indicating privileges for invoking operations of the e-commerce site in at least the determined security domain; and persisting said session for reuse. The user's request may be received in association with one or more sessions persisted for the user and a one of the sessions selected in accordance with the determined security domain. In response, either a session may be created or reused.
Type: Grant
Filed: December 10, 2008
Date of Patent: June 7, 2011
Assignee: International Business Machines Corporation
Inventors: Victor S. Chan, Darshanand Khusial, Lev Mirlas
-
Patent number: 7958546
Abstract: Disclosed are a method and system for managing access to and verifying personal identity. A person is provided with a private key that uniquely identifies that person, and that person uses the private key to access an identity manager. The person then uses the identity manager to specify a desire to establish a business relationship with a business entity. The user can then contact that business entity. The business entity is provided with a private key that uniquely identifies the business entity. That business entity then receives a request to conduct business with the entity from a person alleging to have the personal identity. The business entity then accesses the identity manager using the private key, and that entity then determines if a person having the personal identity has used the identity manager to specify a desire to conduct business with the business entity.
Type: Grant
Filed: June 29, 2004
Date of Patent: June 7, 2011
Assignee: International Business Machines Corporation
Inventor: Robert A. Kaplan
-
Patent number: 7958548
Abstract: A method for provision of access for a data requesting entity (IRE) to data related to a principal is disclosed, comprising the steps of (i) creating an access granting ticket comprising an access specification specifying a permission for an access to data related to the principal, said data being available at a data providing entity (IPE1), and a principal identifier representing the principal towards the data providing entity (IPE1), (ii) encrypting the access granting ticket with an encryption key of the data providing entity (IPE1), (iii) communicating to the data requesting entity (IRE) the encrypted access granting ticket accompanied by an identifier of the data providing entity (IPE1), (iv) communicating from the data requesting entity (IRE) to the data providing entity (IPE1) a request comprising the encrypted access granting ticket, (v) decrypting the encrypted access granting ticket with a decryption key of the data providing entity (IPE1) corresponding to the encryption key, (vi) providing to the d
Type: Grant
Filed: April 4, 2003
Date of Patent: June 7, 2011
Assignee: Telefonaktiebolaget L M Ericsson (PUBL)
Inventors: Axel Busboom, Marko Schuba, Raphael Quinet, Silke Holtmanns
-
Patent number: 7958542
Abstract: For the transmission of an MBMS content to a plurality of user equipment units, the use of a p2m channel may only be beneficial if the number of joined user equipment units exceeds a threshold. However, counting is made difficult due to the fact that an idle mode UE, also a non-joined UE, may reply to the notification, and hence pretend a higher number of UEs which are ready and able to receive the MBMS content. According to the present invention, when joining the MBMS service, a number which is only known to the user equipment unit, as well as to those RNCs which will deliver the MBMS service for which the UE has joined, is provided to the UE. Whenever the UE replies to a service notification, it uses this number. The RNC determines a corresponding number and in case the number received from the UE matches the number determined by the RNC, the UE is counted. Advantageously, an integrity protection may be provided for the notification reply for joined UEs which are still in the idle mode.
Type: Grant
Filed: May 11, 2004
Date of Patent: June 7, 2011
Assignee: Koninklijke Philips Electronics N.V.
Inventor: Christoph Herrmann
-
Patent number: 7958352
Abstract: A system and method is provided to verify configuration of a client access device requesting access to a network by establishing a communications link between a network access system and the client access device to authenticate and authorize the client access device and a user associated with the client access device. The network access system further receives client device configuration data from the client access device over the communications link during an authentication and authorization exchange and processes the client device configuration data to determine if the client access device will be granted access to the network.
Type: Grant
Filed: December 29, 2008
Date of Patent: June 7, 2011
Assignee: iPass Inc.
Inventors: Jeff Steven Edgett, Barbara Nelson, John Robert Vollbrecht, Roy David Albert, James Marion Underwood, Blair Thomas Bullock
-
Patent number: 7958362
Abstract: A method for authenticating a user to a computer system is disclosed, comprising using a first input and a second input in producing a digital signature in response to a challenge. The digital signature is valid when the first input matches a personalized secret and the second input matches a trio comprising a public modulus, a public exponent, and a private-key-dependent exponent. Selection of the personalized secret is discretionary and changeable. A crypto-key generation process uses the personalized secret and two primes as input to produce the trio. The public modulus and public exponent of the trio form a public key used in digital signature validation. Also disclosed is a business method that replaces the conventional public-key certificate with an agreement on the user's public key.
Type: Grant
Filed: October 6, 2006
Date of Patent: June 7, 2011
Assignee: Chang Gung University
Inventor: Jing-Jang Hwang
-
Patent number: 7958541
Abstract: A method for preventing MAC address counterfeiting may include: receiving, by an authentication device, a source MAC address and access port information of an access port, wherein the source MAC address and the access port information are associated with an authentication request from the access port; determining, by the authentication device, whether the source MAC address received is a counterfeit MAC address according to the source MAC address received, the access port information received, and access port information that is stored in the authentication device and corresponds to the source MAC address received; and if the source MAC address received is a counterfeit MAC address, rejecting, by the authentication device, the authentication request. A system, an access device and an authentication device are also proposed.
Type: Grant
Filed: October 25, 2007
Date of Patent: June 7, 2011
Assignee: Huawei Technologies Co., Ltd.
Inventors: Haijun Wu, Jun Zhang
-
Publication number: 20110131639
Abstract: A mechanism is provided for secure PIN management of a user trusted device. A user trusted device detects a memory card coupled to the user trusted device. The user trusted device receives user input of an external PIN (ext_PIN). The user trusted device identifies a key (K) associated with the external PIN, wherein the key is stored in the persistent memory. The user trusted device computes a card PIN (card_PIN) using a function (f) and the key as stored on the persistent memory, wherein the card PIN is computed using the following equation: card_PIN = f(K, ext_PIN). The user trusted device unlocks the memory card using the card PIN, thereby forming an unlocked memory card.
Type: Application
Filed: May 19, 2010
Publication date: June 2, 2011
Applicant: International Business Machines Corporation
Inventors: Peter Buhler, Harold D. Dykeman, Thomas Eirich, Matthias Kaiserswerth, Thorsten Kramp
-
Publication number: 20110131638
Abstract: This invention relates to processes of personal user authentication in computer and mobile wireless communications networks to perform transactions including payments. The process provides remote user authentication in various computer networks, the Internet inclusive, to perform secure transactions such as e-commerce and remote banking (on-line banking, remote banking, direct banking, home banking, internet banking, PC banking, phone banking, mobile-banking, WAP-banking, SMS-banking, GSM-banking, TV banking).
Type: Application
Filed: December 2, 2009
Publication date: June 2, 2011
Inventor: Dmitry I. Kan
-
Patent number: 7954163
Abstract: A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.
Type: Grant
Filed: May 5, 2009
Date of Patent: May 31, 2011
Assignee: Cisco Technology, Inc.
Inventor: Michael R. Smith
-
Patent number: 7954137
Abstract: A method for linking of a first characteristic of a first device and a second characteristic of a second device by a server is disclosed. The method comprises the steps of selecting a first linking information and a second linking information, the first linking information matching to the second linking information, sending from the server the first linking information to the first device and the second linking information to the second device, presenting by the first device the first linking information and by the second device the second linking information, entering into the first device an indication of the matching of the first linking information and the second linking information, and based on the entered indication of the matching, sending to the server a matching confirmation for confirming the matching to the server, and associating the first characteristic and the second characteristic based on the received matching confirmation.
Type: Grant
Filed: September 27, 2003
Date of Patent: May 31, 2011
Assignee: Telefonaktiebolaget L M Ericsson (Publ)
Inventor: Marko Schuba
-
Patent number: 7954136
Abstract: The invention provides a method and system for locally tracking network usage and enforcing usage plans at a client device. In an embodiment of the invention, a unique physical key, or token, is installed at a client device of one or more networks. The key comprises a usage application and one or more access parameters designating the conditions and/or limits of a particular network usage plan. Upon initial connection to the network, the usage application grants or denies access to the network based on an analysis of the current values of the access parameters. Therefore, network usage tracking and enforcement is made simple and automatic without requiring any back-end servers on the network while still providing ultimate flexibility in changing billing plans for any number of users at any time.
Type: Grant
Filed: August 11, 2009
Date of Patent: May 31, 2011
Assignee: Koolspan, Inc.
Inventor: Anthony C. Fascenda
-
Patent number: 7954148
Abstract: Methods, apparatus, and systems are disclosed for, among other things, passphrase input using secure delay, passphrase input with characteristic shape display, user authentication with non-repeated selection of elements with a displayed set of elements, document authentication with embedding of a digital signature stamp within a graphical representation of the electronic document wherein the stamp comprises digits of a digital signature, and sub-hash computation using secure delay.
Type: Grant
Filed: December 21, 2009
Date of Patent: May 31, 2011
Assignee: Bolique Applications Ltd., L.L.C.
Inventor: Edwin A. Suominen
-
Publication number: 20110126272
Abstract: A system for centrally managing credential information of a user and a virtual object of a user across a plurality of virtual worlds (or corresponding virtual world servers) is disclosed. The system includes an identity service module for managing an authentication request (e.g., verifying credential information of a user) from a user and an inventory service module for managing virtual properties of a user. Furthermore, a method for logging in to a virtual world by using the system is disclosed. A method for teleporting a virtual property from a virtual world to another virtual world by using the system is disclosed. A method for logging out from a virtual world by using the system is also disclosed.
Type: Application
Filed: November 25, 2009
Publication date: May 26, 2011
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Boas Betzler, Neil A. Katz, Gang Wang, Meng Ye, Zi Yu Zhu
-
Publication number: 20110126266
Abstract: There is provided a method and system for authenticating users to an application. The method comprises receiving a master account identifier corresponding to a master account associated with the application. The method further comprises determining if at least one subaccount is assigned to the master account. The method comprises requesting a master password if at least one subaccount is not assigned to the master account. Finally, the method includes requesting a subaccount identifier and a subaccount password if at least one subaccount is assigned to the master account.
Type: Application
Filed: November 20, 2009
Publication date: May 26, 2011
Inventor: Kevin Weatherston
-
Patent number: 7949681
Abstract: Methods, systems, and products are disclosed for aggregating content of disparate data types from disparate data sources for single point access by a user. Embodiments include establishing a user account for the user; retrieving content of disparate data types from identified disparate data sources associated with the user account; storing the retrieved content; and associating the stored content with the user account.
Type: Grant
Filed: July 23, 2008
Date of Patent: May 24, 2011
Assignee: International Business Machines Corporation
Inventors: William K. Bodin, David Jaramillo, Jerry W. Redman, Derral C. Thorson
-
Patent number: 7950051
Abstract: A password management system generates passwords for users. The system registers the passwords with applications in network elements in a communication network. The system indicates the passwords to the users who use the passwords to access the applications. The system generates new passwords before the old passwords expire. The system registers the new passwords with the applications and indicates the new passwords to the users before the old passwords expire. The users use the new passwords to access the applications. The system may also register network addresses with the applications for the users.
Type: Grant
Filed: January 30, 2007
Date of Patent: May 24, 2011
Assignee: Sprint Communications Company L.P.
Inventors: Sean T. Spitz, Trey A. Hilyard, Thomas Edward Hines, III
-
Patent number: 7949137
Abstract: Virtual disk management methods and systems. First, a file space is set and a first password is set. A first device code is acquired. The file space is encrypted according to the first password and the first device code to obtain an encrypted file. Thereafter, a designation of the encrypted file is received. A second password is received, and a second device code is acquired. It is determined whether the second password conforms to the first password, and whether the second device code conforms to the first device code. If so, the encrypted file is mounted as a virtual disk.
Type: Grant
Filed: July 13, 2007
Date of Patent: May 24, 2011
Assignee: Via Technologies, Inc.
Inventor: Rui-Hwa Chen
-
Publication number: 20110119744
Abstract: A pseudonymous ID (identification) management apparatus includes a token processing unit for validating an authentication token; a pseudonymous ID generation unit for issuing a pseudonymous ID corresponding to the authentication token; a temporary ID generation unit for issuing a temporary ID for use in an offline subscription; and an ID validation unit for validating a pseudonymous ID received from a web service apparatus along with a pseudonymous ID validation request and transmitting a pseudonymous ID validation result to the web service apparatus, and validating a temporary ID received from the web service apparatus along with a pseudonymous ID exchange request and transmitting a pseudonymous ID corresponding to the temporary ID to the web service apparatus. The web service apparatus provides a service to which a user desires to subscribe.
Type: Application
Filed: September 2, 2010
Publication date: May 19, 2011
Applicant: Electronics and Telecommunications Research Institute
Inventors: Sang Rae CHO, Jin-Man CHO, Young Seob CHO, Dae Seon CHOI, Jong-Hyouk NOH, Soo Hyung KIM, Seung-Hyun KIM, Kwansoo JUNG, DeokJin KIM, Seung Hun JIN
-
Publication number: 20110119743
Abstract: A method is provided for enrolling and authenticating an attendee of an event or activity so that content can be delivered to a mobile device associated with the attendee. The method includes receiving an identifier of a mobile communication device associated with an authorized attendee while the attendee and the mobile communication device are in a venue at which the event or activity takes place. The mobile communication device is registered by storing the identifier in a database of authorized attendees who have entered the venue. Entitlement credentials are communicated to the mobile device that are to be further communicated from the mobile device to a content server when requesting event or activity related content therefrom.
Type: Application
Filed: November 17, 2009
Publication date: May 19, 2011
Applicant: GENERAL INSTRUMENT CORPORATION
Inventors: William L. Gleim, Ambikacharan P. Makam, Geetha Mangalore, Petr Peterka
-
Publication number: 20110119486
Abstract: An approach is provided for managing access rights of users to information spaces using signatures stored in a memory tag. A signature manager causes reading of a memory tag to initiate a request, from a device, for an initial access to an information space. The request includes an authorization signature associated with the device. The signature manager determines a level of access to the information space by comparing the authorization signature against a lattice of signature primitives associated with the information space. The signature manager then modifies the authorization signature based on the determination and stores the modified authorization signature for validation of subsequent access to the information space by the device.
Type: Application
Filed: November 19, 2009
Publication date: May 19, 2011
Applicant: Nokia Corporation
Inventors: Sergey Boldyrev, Ian Oliver, Harald Kaaja, Joni Jantunen, Jarmo Arponen
-
Patent number: 7945948
Abstract: Disclosed is an off-line user authentication system, which is designed to present a presentation pattern to a user subject to authentication, and apply a one-time-password derivation rule serving as a password to certain pattern elements included in the presentation pattern at specific positions so as to create a one-time password. An off-line authentication client pre-stores a plurality of pattern element sequences each adapted to form a presentation pattern, and a plurality of verification codes created by applying a one-time-password derivation rule to the respective presentation patterns and subjecting the obtained results to a one-way function algorithm. A presentation pattern is created using one selected from the stored pattern element sequences, and presented to a user. A one-time password entered from the user is verified based on a corresponding verification code to perform user authentication. The present invention provides an off-line matrix authentication scheme with enhanced security.
Type: Grant
Filed: June 9, 2006
Date of Patent: May 17, 2011
Assignee: Computer Systems Engineering Co., Ltd.
Inventors: Yukiya Ueda, Tsugune Saito, Shigetomo Tamai
-
Patent number: 7945788
Abstract: A removable drive such as a USB drive or key is provided for connecting to computer devices to provide secure and portable data storage. The drive includes a drive manager adapted to be run by an operating system of the computer device. The drive manager receives a password, generates a random key based on the password, encrypts a user-selected data file in memory of the computer device using the key, and stores the encrypted file in the memory of the removable drive. The drive manager performs the encryption of the data file without corresponding encryption applications being previously loaded on the computer system. The drive manager may include an Advanced Encryption Standard (AES) cryptography algorithm. The drive manager generates a user interface that allows a user to enter passwords, select files for encryption and decryption, and create folders for storing the encrypted files on the removable drive.
Type: Grant
Filed: May 2, 2006
Date of Patent: May 17, 2011
Assignee: Strong Bear L.L.C.
Inventors: Rodney B. Roberts, Ronald B. Gardner
-
Publication number: 20110113476
Abstract: There is provided a system and method for generating a time-dependent password in a security device using time information. An exemplary method comprises checking whether the security device has access to an external time signal. The exemplary method also comprises requesting a user of the security device to enter the time information, if it is determined that the security device has no access to the external time signal. The exemplary method additionally comprises generating a time-dependent password using the time information entered in response to the request.
Type: Application
Filed: July 1, 2009
Publication date: May 12, 2011
Applicant: Vodafone Holding GmbH
Inventor: Said Moutarazak
-
Publication number: 20110113245
Abstract: A method and system is provided for generating a one-time passcode (OTP) configured for use as a personal identification number (PIN) for a user account from a user device. The OTP may be generated using an OTP generator which may include an algorithm and a user account-specific OTP key. The OTP key may be camouflaged by encryption, obfuscation or cryptographic camouflaging using a PIN or a unique machine identifier defined by the user device. Obtaining an OTP from the user device may require inputting a data element which may be one of a PIN, a character string, an image, a biometric parameter, a user device identifier such as a machine effective speed calibration (MESC), or other datum. The OTP may be used for any transaction requiring a user PIN input, including ATM and debit card transactions, secure access and online transactions.
Type: Application
Filed: November 10, 2010
Publication date: May 12, 2011
Applicant: Arcot Systems, Inc.
Inventor: Rammohan Varadarajan
-
Patent number: 7941826
Abstract: Systems, apparatus, methods, and computer program products for multicast access control are provided to analyze incoming data based on a source zone and a destination zone of the incoming data. Appropriate access control rules are applied to incoming data based on the results of the analysis. Additional implementations of a multicast access control include using a proxy rendezvous point operable to function as a rendezvous point in place of a physical rendezvous point.
Type: Grant
Filed: April 6, 2010
Date of Patent: May 10, 2011
Assignee: Juniper Networks, Inc.
Inventors: Changming Liu, Gregory M. Lebovitz, Purvi Desai
-
Patent number: 7941834
Abstract: Techniques for authenticating a user are described. In one implementation, a user requests access to protected information or resources by providing a user name and a password to a web server that controls access to the information or resources. If the user name and password match a known user profile, the web server retrieves a user identifier (e.g., a personal identification number) and constructs a translation table around the user identifier. The translation table includes the values that constitute the user identifier, random representations of each value, visual images that represent each value, and random image names for each visual image. The information in the translation table is then used to generate a user interface that allows the user to enter his or her user identifier via the user's computing device without exposing the actual user identifier values to the computing device.
Type: Grant
Filed: April 5, 2007
Date of Patent: May 10, 2011
Assignee: Microsoft Corporation
Inventors: Robert L. Beck, Benjamin Fullerton
-
Patent number: 7941785
Abstract: A system and method for managing information on a network using an identity index may include a software program stored on a computer-readable medium which is operable to associate one or more users with the information objects that define the user. The software program can maintain a "virtual identity" for each user, the virtual identity comprising a list of information objects (e.g., accounts) associated with the user and the identities of resources at which the information objects can be found. The list of information objects may include an information object identifier for each information object. The software program may maintain a resource definition for each identified resource. The resource definition may include a set of connection parameters that can be used by the software program to connect to the corresponding resource.
Type: Grant
Filed: December 6, 2001
Date of Patent: May 10, 2011
Assignee: Oracle America, Inc.
Inventor: Gary Cole
-
Patent number: 7941669
Abstract: The present invention facilitates access to a restricted service related to secure transactions via a network. The present invention allows a user to select a minimum security level of authentication for its own login to a restricted service. The user's selected minimum security level of authentication may be registered in an authentication method system, so that the user must use the selected minimum security level for authentication in order to gain access to the restricted service. Alternatively, the user may specify that the selected minimum security level for authentication may be over-turned by the user, or optionally re-set to a new authentication method depending on the needs of the user. As such, the present invention allows the user the flexibility to select its own authentication method for accessing a restricted service.
Type: Grant
Filed: December 27, 2001
Date of Patent: May 10, 2011
Assignee: American Express Travel Related Services Company, Inc.
Inventors: James Foley, Rick D. Johnson, Anant Nambiar
-
Patent number: 7941671
Abstract: One embodiment of the present invention provides a system that accommodates different types of verifiers in a computer system. During operation, the system receives a username and a password. The system then computes a verifier based on the password. If the size of the verifier exceeds a storage limit, the system transforms the verifier into a transformed verifier which conforms to the storage limit, thereby allowing the computer system to compare the transformed verifier with a locally stored verifier associated with the username to facilitate user authentication.
Type: Grant
Filed: October 14, 2004
Date of Patent: May 10, 2011
Assignee: Oracle International Corporation
Inventor: Daniel ManHung Wong
-
Publication number: 20110107407
Abstract: The present invention provides a new method of site and user authentication. This is achieved by creating a pop-up window on the user's PC that is in communication with a security server, and where this communication channel is separate from the communication between the user's browser and whichever web site they are at. A legitimate web site embeds code in the web page which communicates to the security server from the user's desktop. The security server checks the legitimacy of the web site and then signals both the web page on the user's browser, as well as the pop-up window to which it has a separate channel. The security server also sends a random image to both the pop-up window and the browser. If user authentication is requested by the web site, the user is first authenticated by the security server, for instance by out-of-band authentication. Then the security server computes a one-time password based on a secret it shares with the web site and sends it to the pop-up window.
Type: Application
Filed: November 2, 2010
Publication date: May 5, 2011
Inventor: RAVI GANESAN
-
Publication number: 20110107401
Abstract: An offline trust system establishes a trust relationship between a trust authority computer system and a target computer system without relying on an active network connection between the computer systems. The offline trust system separates the trust establishment operation into a provisioning phase and a configuration phase. The provisioning phase can be performed entirely on the trust authority, while the configuration phase can be performed entirely on the target computer system requesting trust. The two phases can be performed at different times and do not assume any connection between the two computer systems. An administrator may perform the provisioning phase for many target computer systems at the same time. Thus, the offline trust system provides a way to establish trust between computer systems that is more reliable and less prone to failure.
Type: Application
Filed: November 3, 2009
Publication date: May 5, 2011
Applicant: Microsoft Corporation
Inventors: Siddharth Bhai, Zhe (Jessie) Li, William S. Jack, III, Christopher W. McCarron, James J. Simmons, Qi Cao
-
Publication number: 20110107400
Abstract: A password recovery technique for access to a system includes receiving a request from a first party to recover the first party's password to access the system, receiving a selection of a second party from the first party, sending a message to the second party requesting that the second party authorize the request to recover the first party's password, receiving authorization from the second party for the request to recover the first party's password, and resetting the first party's password responsive to receiving authorization from the second party.
Type: Application
Filed: October 29, 2009
Publication date: May 5, 2011
Inventors: Nemmara K. Shankaranarayanan, William Roberts Cheswick
-
Publication number: 20110107406
Abstract: The present disclosure relates to systems and methods for providing secure support to virtual appliances delivered to customer sites without passwords or enabled ports for service. A virtual appliance may be established on a first device. The virtual appliance may comprise a self-contained virtual machine with a pre-installed operating system and may be established with no root password enabled and a remote access port disabled. An administration tool may receive from a requestor a request to enable maintenance for the virtual appliance. The administration tool may generate, responsive to the request, a random password. The administration tool may enable, responsive to the request, the remote access port. The virtual appliance may wait for a connection to the remote access port for a predetermined period of time. The administration tool may transmit the random password to a service of a second device remote to the first device.
Type: Application
Filed: October 26, 2010
Publication date: May 5, 2011
Inventors: Simon Frost, Haihua Huang
-
Patent number: 7937762
Abstract: Tracking data operations associated with unauthenticated computing devices to enable subsequent identification and remediation thereof. In embodiments in which one computing device has to trust another computing device without authenticating the other computing device, a machine identifier and a credential group value are associated with data operations in communications from the unauthenticated computing device. The data operations may be subsequently identified based on the machine identifier and credential group value. Remedial action may be taken on the identified data operations to restore data integrity.
Type: Grant
Filed: January 15, 2007
Date of Patent: May 3, 2011
Assignee: Microsoft Corporation
Inventors: John Leo Ellis, Ashutosh Badwe, Juanya Davon Williams
-
Patent number: 7937750
Abstract: Access of a first device, communicating with a second, portable device, to digital content is controlled by authentication of the first device by a remote server; upon successful authentication of the first device by the remote server, securely providing by the remote server credentials to the portable device, the credentials enabling the portable device to authenticate the first device; securely providing by the remote server rights objects to the portable device, the rights objects comprising usage rights and information which is necessary to access the content; authentication of the first device by the portable device using the credentials received from the remote server; and, upon successful authentication of the first device by the portable device, delivering by the portable device to the first device the information which is necessary to access the content.
Type: Grant
Filed: August 30, 2005
Date of Patent: May 3, 2011
Assignee: Gemalto SA
Inventors: Ilan Mahalal, Alain Tales
-
Patent number: 7937749
Abstract: A network management method and system is provided that issues a digital certificate easily and safely. A digital certificate is issued to a personal computer that is to newly join a network by the following method. A provisional authentication server issues a first digital certificate that is a provisional certificate of the personal computer. The personal computer enters the first digital certificate and a private key corresponding thereto. The personal computer and a formal authentication server establish a connection for encryption communication based on the first digital certificate. After establishing the connection, the formal authentication server generates a second digital certificate that is a formal digital certificate of the personal computer. Further, an experimental network independent of the network is prepared, and participation of a personal computer having the first digital certificate in the experimental network is allowed.
Type: Grant
Filed: July 23, 2007
Date of Patent: May 3, 2011
Assignee: Konica Minolta Holdings, Inc.
Inventor: Satoshi Deishi
-
Patent number: 7937587
Abstract: An information communication method performed by a communication terminal apparatus, the method including: sharing a first encryption key with a first server; receiving a request for sending identification information of the communication terminal apparatus; authenticating the first server based on certificate information of the first server that is acquired while sharing the first encryption key and verification information retained in the communication terminal apparatus; encrypting the identification information of the communication terminal apparatus using a second encryption key; and encrypting, using the first encryption key, according to an authentication result, encrypted identification information of the communication terminal apparatus as generated by using the second encryption key, and transmitting resulting double-encrypted identification information of the communication terminal apparatus to the first server.
Type: Grant
Filed: August 11, 2009
Date of Patent: May 3, 2011
Assignee: Kabushiki Kaisha Toshiba
Inventor: Osamu Yoshida
-
Patent number: 7937748
Abstract: A communication apparatus includes a storage device to store security associations to be exchanged with an opposite party's apparatus, an update device to update the security associations stored in the storage device before starting a sleep mode for a power-saving operation, and a notification device to notify the opposite party's communication apparatus, by a message, of the update of the security associations by the update device.
Type: Grant
Filed: March 27, 2006
Date of Patent: May 3, 2011
Assignee: Kabushiki Kaisha Toshiba
Inventors: Atsushi Inoue, Masahiro Ishiyama
-
Publication number: 20110099612
Abstract: Automatic identification and authentication of a user of a mobile application entails receiving from the wireless communications device a unique device identifier and an e-mail address corresponding to the wireless communications device, associating a registration identifier with the unique device identifier and the e-mail address, generating an authentication token, and communicating the authentication token and the registration identifier to the wireless communications device. This technology obviates the need for the user to remember and enter a user ID and password to access backed-up application data on a server. This is particularly useful for instant messaging applications, e.g. PIN messaging, in which the unique device identifier is used to identify the user and is also the transport address. Once registered, a user who has switched to a new device or has wiped his existing device can restore contacts or other application data from the server based on the registration identifier.
Type: Application
Filed: October 28, 2009
Publication date: April 28, 2011
Applicant: RESEARCH IN MOTION LIMITED
Inventors: Dalsu Lee, Kateryna Khvan, Ken Lo, Andreea Manolescu, Michael Hung
-
Publication number: 20110099614
Abstract: A network boot system including one or more client terminals, a DHCP (Dynamic Host Configuration Protocol) server, a PXE (Preboot Execution Environment) server, a TFTP (Trivial File Transfer Protocol) server, a database administration server, one or more storage devices, and an authentication server (such as a RADIUS server) connected to each other via a TCP/IP (Transmission Control Protocol/Internet Protocol) network. A plurality of LUs provided in the storage devices are separated into a system area LU and a user area LU prepared per user.
Type: Application
Filed: December 29, 2010
Publication date: April 28, 2011
Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
Inventors: Toshikazu ICHIKAWA, Junichi OKA, Mitsukazu WASHISAKA
-
Publication number: 20110099615
Abstract: A network device and method may provide secure fallback operations. The device includes a port allowing the device to communicate with a network and a processor to generate a security credential, provide the security credential to a call manager during initialization, and provide the security credential to a secondary device during fallback operations. The network device may include a memory to store the security credential and routing information for fallback operations.
Type: Application
Filed: December 29, 2010
Publication date: April 28, 2011
Applicant: CISCO TECHNOLOGY, INC.
Inventors: James Wei, Yosef Rizal Tamsil, Suresh Ganjigunta Padmanabhan, Subbiah Kandasamy
-
Publication number: 20110099613
Abstract: There is provided a user identification module configured for use in a mobile communication device. An exemplary user identification module comprises a first data item being accessible for reading a value of a parameter used in the operation of the user identification module. The exemplary user identification module also comprises at least two second data items, the second data items being unmodifiable and each second data item including a value of the parameter. The first data item includes a modifiable reference addressing one second data item.
Type: Application
Filed: July 20, 2010
Publication date: April 28, 2011
Applicant: Vodafone Holding GmbH
Inventors: Najib Koraichi, Aguibou Mountaga Barry
-
Patent number: 7934090
Abstract: A method provides for control of access to network resources. A virtual identity machine resides in the network and is pre-authorized to access certain network resources. End users desiring access to those network resources attempt to logically connect to the virtual identity machine. If the logical connection attempt is successful, then the end user assumes the virtual identity of the virtual identity machine and has access to all of the same information that was available to the virtual identity machine.
Type: Grant
Filed: May 12, 2008
Date of Patent: April 26, 2011
Assignee: AT&T Mobility II LLC
Inventor: Arturo Maria
-
Publication number: 20110093935
Abstract: Provided is a control over access to a Device Management (DM) tree of a client. The client receives a secure area creation password from a server, creates a secure area by using the received creation password, and moves the DM tree to the secure area. In addition, the client receives a secure area access password from the server, accesses the secure area by using the received access password, and performs remote management through a DM command received from the server. The authority to access the DM tree is given only to the client acquiring a password from the server, which effectively prevents an unauthorized change of the DM tree.
Type: Application
Filed: October 21, 2010
Publication date: April 21, 2011
Applicant: Samsung Electronics Co., Ltd.
Inventor: Jung Hun PARK
-
Publication number: 20110093936
Abstract: A network boot system including one or more client terminals, a DHCP (Dynamic Host Configuration Protocol) server, a PXE (Preboot Execution Environment) server, a TFTP (Trivial File Transfer Protocol) server, a database administration server, one or more storage devices, and an authentication server (such as a RADIUS server) connected to each other via a TCP/IP (Transmission Control Protocol/Internet Protocol) network. A plurality of LUs provided in the storage devices are separated into a system area LU and a user area LU prepared per user.
Type: Application
Filed: December 29, 2010
Publication date: April 21, 2011
Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
Inventors: Toshikazu ICHIKAWA, Junichi Oka, Mitsukazu Washisaka