Management Patents (Class 726/6)
-
Publication number: 20110093705
Abstract: A method, a device, and a system for registering user generated content (UGC) are provided. The method for registering UGC includes the following steps. A content registration request is received, in which the content registration request carries a UGC and a guarantee credential corresponding to the UGC, and the guarantee credential is generated by a third party network entity. The UGC is registered according to the guarantee credential. The device and the system correspond to the method. Therefore, the registration of UGC is realized with a simple, feasible, and diversified registration method.
Type: Application
Filed: November 3, 2010
Publication date: April 21, 2011
Inventors: Yijun Liu, Hodgtao Gao
-
Publication number: 20110093913
Abstract: System(s) and method(s) are provided to configure access rights to wireless resources and telecommunication service(s) supplied through a set of access points (APs). Access to wireless resources is authorized by access attributes in access control list(s) (ACL(s)) while a profile of service attributes linked to the ACL(s) regulate provision of telecommunication service(s). Access and service attributes can be automatically or dynamically configured, at least in part, in response to changes in data that directly or indirectly affects an operation environment in which the set of APs is deployed. Automatic or dynamic configuration of access or service attributes enable control or coordination of wireless service provided through the set of APs; degree of control or coordination is determined at least in part by enablement or disablement of disparate services for disparate devices at disparate access points at disparate times and with disparate service priority.
Type: Application
Filed: October 15, 2009
Publication date: April 21, 2011
Applicant: AT&T INTELLECTUAL PROPERTY I, L.P.
Inventors: Randolph Wohlert, Milap Majmundar
-
Publication number: 20110093937
Abstract: A custom database connectivity component is deployed in conjunction with a native database connectivity component and a credential manager. The custom connectivity component has a requestor interface for communicating with a requestor application, a credential service interface for communicating with the credential manager, a native database connectivity interface for communicating with native connectivity components, and a decision engine for determining how to convert a request from a requestor to an appropriate API call to the credential manager. The custom connectivity component provides an authenticated and authorized database connection for a requestor application. The component transparently serves retrieves database, or other target resource, credentials on a real time basis, without requiring code changes to the requestor application.
Type: Application
Filed: June 1, 2009
Publication date: April 21, 2011
Applicant: IRDETO CANADA CORPORATION
Inventors: James Alexander Sydney Mantle, Garney David Adams
-
Publication number: 20110093367
Abstract: Method, apparatus, and computer products are provided for centralized account provisioning by an automated provisioning manager on a device. A logins application of a device is logged into. A request queue is accessed of the device. A ticket to provision is selected from the request queue of the device. Cells of the ticket are parsed to obtain details of a request on the ticket of the device. In response to obtaining details of the request, servers or applications are connected to in order to gather further data corresponding to the details. A corresponding function is called based on a request type of the details of the device, and the corresponding function is configured to the request of the request type. The account is provisioned by utilizing the corresponding function on the device.
Type: Application
Filed: October 20, 2009
Publication date: April 21, 2011
Applicant: AT&T INTELLECTUAL PROPERTY I, L.P.
Inventor: David L. Stapleton
-
Patent number: 7930284
Abstract: A method and system to protect users against potentially fraudulent activities associated with spoof web sites are described. According to one aspect of the present invention, the URL of a document downloaded via a web browser client is compared to the URLs in a list of URLs for known spoof sites. If the URL for the downloaded document is found in the list of URLs for known spoof sites, a security indicator is displayed to the user to indicate to the user that the downloaded document is associated with a known spoof site. According to another aspect of the invention, a security server maintains a master black list and periodically communicates updates of the master black list to the local list of a client security application.
Type: Grant
Filed: July 2, 2010
Date of Patent: April 19, 2011
Assignee: eBay Inc.
Inventors: Scott Leahy, Jeffrey Taylor, Chris Lalonde, Ajay Agrawal, Kevin H Embree, Jeffrey L. King, Andy Brown, Mathew Gene Henley
-
Patent number: 7930735
Abstract: Articles and associated methods, systems, and computer program products relate to a service framework to register multiple plug-ins on a client and to provide access to functionality that would otherwise be unavailable to a user until they logged-in. One plug-in module enables an unauthenticated user to interact with a server to initiate a password reset feature from a secure desktop environment on the client. Another plug-in module enables a user to reset cached credentials on a remote client when requesting a password reset from outside of the server's local network. In some implementations, a server may authenticate the user by issuing challenge questions and monitoring the user's responses. A variety of other services may be provided as plug-ins to the client framework. A library of plug-ins may be stored on the server. The server may select plug-ins to send to each client based upon criteria according to business rules.
Type: Grant
Filed: March 31, 2006
Date of Patent: April 19, 2011
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: George Vigelette, Edward Thomas Fraser, Sr.
-
Patent number: 7930734
Abstract: A method and system is disclosed for creating and tracking network sessions. A request to access a network is received from an entity. The entity is authenticated after the request is received. Authenticated identity information associated with the entity, network address information associated with the entity, and network location information associated with the entity is collected. An information set is created. The information set comprises and binds together the authenticated identity information, the network address information, and the network location information. The information set indicates a present association among the authenticated identity information, the network address information, and the network location information. The information set is stored in a session record in a centralized database. The session record represents a session in which the entity accesses the network. The session record is one of a plurality of session records that are stored in the centralized database.
Type: Grant
Filed: April 28, 2006
Date of Patent: April 19, 2011
Assignee: Cisco Technology, Inc.
Inventors: Ian Foo, Jeremy Stieglitz, Arthur Zavalkovsky, Jeevan S. Patil, Partha Bhattacharya, Jason Frazier, Ellis Roland Dobbins
-
Patent number: 7930253
Abstract: A system and method for correlating a user's use of a first network service with a user's use of a second network service. For each user with which the first network service communicates, the network service transmits a unique ID to the user such that the unique ID is visible to the user. When the user communicates with the second network service, the user provides the second network service with the unique ID. The first and second networks each may store some indication of their respective associations with the user. The user's use of the second network service is correlated with the user's use of the second network service based on the unique ID and any information stored by the networks in association with the unique ID.
Type: Grant
Filed: August 26, 2003
Date of Patent: April 19, 2011
Assignee: Mbira Technologies LLC
Inventor: Mark D Schoenhals
-
Patent number: 7930727
Abstract: A method, computer program product, and apparatus for managing compliance to security policy by measuring it and enforcing security policy compliance based on the measurement for software under development.
Type: Grant
Filed: March 30, 2006
Date of Patent: April 19, 2011
Assignee: EMC Corporation
Inventors: Eric Baize, Jamie Albertson
-
Patent number: 7926094
Abstract: Aspects for secure access and communication of information in a distributed media network may include detecting when a legacy media peripheral is connected to a PC and/or a media processing system on the distributed media network. One or more identifiers associated with the legacy media peripheral may be established and utilized to facilitate communication of the legacy media peripheral over the distributed media network. At least one legacy media peripheral identifier and at least one identifier of a user utilizing the legacy media peripheral may be requested. The legacy media peripheral identifier may be a serial number of the legacy media peripheral, while the user identifier may be a user password and/or a user name. Media peripheral association software may be executed on the PC and/or the media processing system and utilized for media peripheral association and authentication in accordance with various embodiments of the invention.
Type: Grant
Filed: August 27, 2009
Date of Patent: April 12, 2011
Assignee: Broadcom Corporation
Inventors: Jeyhan Karaoguz, James Bennett
-
Patent number: 7926092
Abstract: A method and system for enabling devices to join secure networks without requiring the devices to be aware of any particular security credential delivery mechanism or to implement multiple security credential delivery mechanisms.
Type: Grant
Filed: April 28, 2006
Date of Patent: April 12, 2011
Assignee: Canon Kabushiki Kaisha
Inventors: Nabil M. Abujbara, Abhijit B. Rao
-
Patent number: 7926093
Abstract: The present invention discloses a system and method for configuration of access rights to sensitive information handled by a sensitive Web-Service. In a case of requested configuration changes initiated by the client system the Web-Server system provides a configuration data file to the client system preferably using a SOAP-communication protocol. The changes of the configuration data file are exclusively performed offline at the client side and the updated configuration data file is signed with authentication information and sent as a part of a SOAP-request to the Web-Server system. The Web-Server system provides a filter component for identifying and discarding non-SOAP requests as well as an access control manager for providing authentication examination for incoming SOAP-requests. After successfully passing these components the SOAP-request is used for updating the existing configuration data file.
Type: Grant
Filed: May 1, 2008
Date of Patent: April 12, 2011
Assignee: International Business Machines Corporation
Inventors: Wolfgang Eibach, Matthias Gruetzner, Dietmar Kuebler
-
Publication number: 20110083172
Abstract: A method, computer readable medium and apparatus for providing data security for a computing environment having a plurality of nodes are provided. The apparatus comprises a password mechanism residing in a storage location in the computing environment; and a user specific dictionary including entries generated by the password mechanism about each user by retrieving available data from one or more databases. The password mechanism rejects a proposed password for the user by comparing it with entries in the user specific dictionary when the proposed password matches at least part of any entry in the user specific dictionary.
Type: Application
Filed: October 7, 2009
Publication date: April 7, 2011
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Jason M. Heim, Thomas E. Murphy, Jr.
-
Publication number: 20110083163
Abstract: A root user identifier of a computing system is disabled. Thereafter, and in response to determining that a problem with the computing system requires root privileges to the computing system to solve, a code patch for installation on the computing system is received from a third party. The code patch is installed on the computing system, resulting in a user identifier temporarily having the root privileges to the computing system. The user identifier is different than the root user identifier is. A password for the user identifier is provided to the third party to permit the third party to solve the problem with the computing system using the root privileges, via the user identifier temporarily having the root privileges to the computing system. The code patch is computer code installable on the computing system.
Type: Application
Filed: October 6, 2009
Publication date: April 7, 2011
Inventors: John J. Auvenshine, Bernhard J. Klingenberg, Neeta Garimella, Thomas K. Clark
-
Patent number: 7921282
Abstract: A method, apparatus, and system are directed toward managing a Transmission Control Protocol/Internet Protocol (TCP/IP) handshake. A SYN-ACK cookie is determined based on a cryptographic operation using a secret key and at least one network characteristic. The SYN-ACK cookie is provided in a SYN message's field. The SYN message is sent from a client to a server. Another sequence number based on the received SYN-ACK cookie is included in a SYN-ACK message. The SYN-ACK message is sent to and received by the client. The other sequence number is validated based on the secret key to generate at least another network characteristic. A TCP/IP connection is established if the network characteristic matches the other network characteristic. In one embodiment, the component sending the SYN message may be a different component than the component receiving the SYN-ACK message. In this embodiment, the secret key may be shared between the two components.
Type: Grant
Filed: October 26, 2007
Date of Patent: April 5, 2011
Assignee: F5 Networks, Inc.
Inventors: Arindum Mukerji, Jesse Abraham Rothstein
-
Patent number: 7921453
Abstract: Embodiments of the present invention provide apparatuses, methods, and systems for authenticated distributed detection and inference. In various embodiments, an apparatus comprises an interface configured to communicatively couple a node hosting the apparatus to a network, and a distributed detection and inference (DDI) agent coupled to the interface and configured to receive, via the interface, DDI collaboration parameters from an authentication node is disclosed. Other embodiments may be described and claimed.
Type: Grant
Filed: December 22, 2006
Date of Patent: April 5, 2011
Assignee: Intel Corporation
Inventors: John Mark Agosta, Hormuzd Khosravi
-
Publication number: 20110078776
Abstract: A secure and transparent digital credential sharing arrangement which utilizes one or more cryptographic levels of indirection to obfuscate a sharing entity's credentials from those entities authorized to share the credentials. A security policy table is provided which allows the sharing entity to selectively authorize or revoke digital credential sharing among a plurality of entities. Various embodiments of the invention provide for secure storage and retrieval of digital credentials from security tokens such as smart cards. The secure sharing arrangement may be implemented in hierarchical or non-hierarchical embodiments as desired.
Type: Application
Filed: August 12, 2010
Publication date: March 31, 2011
Inventors: John Jules Alexander Boyer, Eric Fernand Le Saint
-
Publication number: 20110078775
Abstract: An approach for providing credibility information over an ad-hoc network is described. A trust manager receives content from a transmitting node over an ad-hoc network. The trust manager retrieves one or more trust values associated with the content, the transmitting node, or both, wherein the trust values are assigned by a trust server and further adjusted based on locally collected credibility information. The trust manager conducts a local evaluation of credibility information regarding the content, the transmitting node, or both. The trust manager then generates one or more combined trust values for the content, the transmitting node, or both from the trust values and the local evaluation.
Type: Application
Filed: September 30, 2009
Publication date: March 31, 2011
Applicant: Nokia Corporation
Inventor: Zheng YAN
-
Publication number: 20110078777
Abstract: A computer-readable recording medium which records a remote control program for allowing data on a network protected by a gateway device to be transferred to an external device by external remote-control operations; a portable terminal device; and a gateway device. The terminal device transmits to the gateway device an access ticket issue request. The gateway device generates key information and transmits to the terminal device an access ticket including the key information. The terminal device transfers to a data acquisition device a data acquisition instruction including the acquired access ticket. The acquisition device transmits to the gateway device a data request including the key information. When the key information added to the access ticket and the key information included in the data request are the same, the gateway device transfers the data request to a data server device. The server device transfers the data to the acquisition device.
Type: Application
Filed: November 24, 2010
Publication date: March 31, 2011
Applicant: FUJITSU LIMITED
Inventors: Shigeki Fukuta, Takao Mohri, Hideki Mitsunobu, Nami Nagata
-
Patent number: 7917947
Abstract: A network management system is used to secure a communications channel between at least two clients. The network management system includes a network management server which includes network management software. The network management server is coupled to the clients for managing the communication between the clients. The network management system further includes at least two secured communication channels established by the network management server between the network management server and each of the clients, respectively, such that the at least two clients can securely communicate with each other.
Type: Grant
Filed: May 24, 2007
Date of Patent: March 29, 2011
Assignee: O2Micro International Limited
Inventor: Alan Yang
-
Publication number: 20110072498
Abstract: The HIP creation technique described herein pertains to a technique for creating a human interactive proof (HIP) by applying tearing and/or a conformal transformation to a string of characters while maintaining readability of text. In one embodiment, the technique tears a character string into two or more pieces and applies conformal transformation to warp the pieces in order to create a HIP. The transformation changes the shape and orientation of the characters but preserves angles of the characters which makes it easy for humans to recognize the characters after the transformation. Other embodiments of the technique create HIPs by applying tearing only to a string of characters, or by applying conformal transformation only to the character string.
Type: Application
Filed: September 21, 2009
Publication date: March 24, 2011
Applicant: MICROSOFT CORPORATION
Inventors: Weisheng Li, Bin Benjamin Zhu, Hai Xin, Ning Xu, Jia Liu
-
Publication number: 20110072499
Abstract: A method of identity authentication and fraudulent phone call verification uses an identification code of a communication device and a dynamic password. The “dynamic password” is directly sent to an Internet user via a dynamic web-page of a specific website instead of by means of a traditional telephone short message. Thus, the “dynamic password” cannot be copied from the spyware infected communication device of the Internet user. Furthermore, even if the “dynamic password” is intercepted or otherwise discovered by a hacker or intruder, authentication is still secure because the dynamic password must be sent back to the specific website via a short message or the like from the same communication device having the corresponding identification code that was initially input by the Internet user in order to generate the dynamic password.
Type: Application
Filed: September 17, 2010
Publication date: March 24, 2011
Inventor: Chung-Yu LIN
-
Patent number: 7913294
Abstract: Method and apparatus for network protocol filtering of a packet is described. An index to a table is obtained and stored to travel with the packet. The index is obtainable to access the table to obtain packet information. In particular, a method for inbound network address translation packet filtering and a method for outbound packet filtering are described.
Type: Grant
Filed: June 24, 2003
Date of Patent: March 22, 2011
Assignee: NVIDIA Corporation
Inventors: Thomas A. Maufer, Paul J. Gyugyi, Sameer Nanda, Paul J. Sidenblad
-
Patent number: 7913301
Abstract: A system for providing a user with authorization to perform one or more functions using or otherwise involving a computational component is provided. The system includes an authentication file system 100 operable to (a) receive a request from a user for a second set of authentication information permitting a second set of operations to be performed on a computational component, wherein the computational component is operable to be installed by the user on the computational system, wherein the computational component contains a first set of authentication information permitting a first set of operations to be performed on the computational component; and wherein the first and second sets of operations are different; (b) generate an authentication file containing the second set of authentication information; and (c) transmit the authentication file to the computational system.
Type: Grant
Filed: October 30, 2006
Date of Patent: March 22, 2011
Assignee: Avaya Inc.
Inventors: William T. Walker, Robert J. Serkowski
-
Patent number: 7913089
Abstract: An ID creating apparatus includes a derivative value creating unit for creating a derivative value, a user ID encrypting unit for creating encrypted ID by encrypting information including the user ID and the derivative value based on an encryption key, and a derivative ID creating unit for creating derivative ID based on the encrypted ID. An ID resolving apparatus includes an encrypted ID extracting unit for extracting the encrypted ID included in the derivative ID, an encrypted ID decrypting unit for decrypting the encrypted ID based on a decryption key corresponding to the encryption key and thereby creating decrypted ID, and an ID judging unit for determining that the derivative ID is created from the user ID when part of the decrypted ID coincides with information created based on the user ID.
Type: Grant
Filed: December 17, 2003
Date of Patent: March 22, 2011
Assignee: International Business Machines Corporation
Inventors: Yuji Watanabe, Yoshinori Aoki, Masayuki Numao
-
Publication number: 20110067092
Abstract: Methods and systems of automatically provisioning authentication credentials on a plurality of network devices. The method may include determining a process for provisioning the authentication credentials for the plurality of devices. The process may include steps of gaining access to a network device, entering a command to reach a network service interface associated to the network device, indicating a location of the authentication credentials, and initiating installation of the authentication credentials. The method may also include providing a computer program to follow the process. The computer program may be a script that is automatically executed without a user intervention.
Type: Application
Filed: September 15, 2009
Publication date: March 17, 2011
Applicant: Welch Allyn, Inc.
Inventors: Steven D. Baker, Eric G. Petersen
-
Patent number: 7908664
Abstract: A data delivery apparatus including a storage adapted to store limited-access data which associates user data for specifying a user, with data, access to which is permitted or limited to the user; a function determination unit adapted to determine whether a destination device to which the limited-access data is to be transmitted has an access control function of permitting or limiting access to the limited-access data for each user; an authentication unit adapted to, when the limited-access data destination device is determined not to have the access control function, request input of authentication information and performing an authentication process using the input authentication information; and a transmission control unit adapted to, when the authentication process by said authentication unit is successful, transmitting the limited-access data to the destination device.
Type: Grant
Filed: August 31, 2006
Date of Patent: March 15, 2011
Assignee: Canon Kabushiki Kaisha
Inventor: Hiroaki Kishimoto
-
Patent number: 7908648
Abstract: Method and systems configured for allowing a non-local remote user to access a computer system with a particular authorization level. Such access is facilitated by examining non-local directory services group memberships of the user and performing a mapping of the user's identity to a corresponding universal local user account that has the proper authorization level or levels. Such methods and systems allow any number of non-local remote users access to the computer system in such a way that the remote user assumes the identity of (i.e., is mapped to) a corresponding universal local user account of an appropriate privilege level. All non-local remote users that the computer system determines to be of the same privilege level will share the identity of the same universal local user account.
Type: Grant
Filed: February 17, 2009
Date of Patent: March 15, 2011
Assignee: Sanmina-SCI
Inventor: Jeremy Mark Ellington
-
Patent number: 7908489
Abstract: An apparatus, system, and method enable a new platform storage system to have access to an external storage system having data encrypted thereon by an existing platform storage system. Encryption information corresponding to the encrypted data in the external storage system is stored in a memory in the existing platform storage system. The encryption information stored in the memory of the existing platform storage system is transferred to an encryption table stored in the new platform storage system, so that the new platform storage system can read the encrypted data stored in the external storage system.
Type: Grant
Filed: August 13, 2007
Date of Patent: March 15, 2011
Assignee: Hitachi, Ltd.
Inventor: Yasuyuki Mimatsu
-
Patent number: 7904721
Abstract: A method for producing a certificate, the certificate including data, the method including choosing a seed s, the seed s including a result of applying a function H to the data, generating a key pair (E,D), such that E=F(s,t), F being a publicly known function, and including s and t in the certificate. Related methods, and certificates produced by the various methods, are also described.
Type: Grant
Filed: December 27, 2007
Date of Patent: March 8, 2011
Assignee: NDS Limited
Inventors: Yaacov Belenky, Chaim D. Shen-Orr, Aviad Kipnis, Victor Halpern
-
Patent number: 7904944
Abstract: A method and apparatus for obtaining room entry information associated with a user, extracting executable operation flows, and displaying an operational screen for executing the extracted operation flows.
Type: Grant
Filed: October 25, 2007
Date of Patent: March 8, 2011
Assignee: Canon Kabushiki Kaisha
Inventor: Shinji Fujikawa
-
Patent number: 7904476
Abstract: One embodiment relates to an automated method for compressing an n-partite representation of an access control list or other binary relation. A first joining procedure is applied to join first and second relations in the n-partite representation and so eliminate a first intermediate set of elements, resulting in a first (n−1)-partite representation. A first re-factoring procedure generates updated first and second relations and an updated first intermediate set of elements, resulting in an updated n-partite representation. Other features, aspects and embodiments are also disclosed.
Type: Grant
Filed: July 30, 2007
Date of Patent: March 8, 2011
Assignee: Hewlett-Packard Development Company, L.P.
Inventor: Robert Samuel Schreiber
-
Patent number: 7904946
Abstract: Methods and systems for secure user authentication utilize OTP generation and validation techniques in which the shared secret for generating the OTP is not stored in the user's mobile device but instead is dynamically synthesized based on a PIN that activates the OTP generation and the personalized OTP data. The client software has no knowledge of what the correct PIN should be and always generates a normal looking OTP based on whatever PIN is entered, and the only way to learn whether or not the OTP is correct is to submit it during user login. By limiting the number of failed login attempts before the account is locked, brute-force attacks via the online channel will fail, and further, brute-force attacks to uncover the correct PIN for generating the correct OTP offline will also fail even if a hacker steals the user's mobile device and extracts the data inside for offline hacking, because there is nothing on the client that contains the PIN or is encrypted by the PIN.
Type: Grant
Filed: December 11, 2006
Date of Patent: March 8, 2011
Assignee: Citicorp Development Center, Inc.
Inventors: Ronald King-Hang Chu, Mark Kogen, Warren Tan, Simon Ma, Yosif Smushkovich, Gerry Glindro, Jeffrey William Coyte Nicholas
-
Publication number: 20110055909
Abstract: Method, apparatus, and computer products are provided for providing temporary generated codes by a server. Responsive to triplet authentication of a device to service provider network, a server receives an initial code from the device to request a temporary generated code. The server verifies the triplet authentication of device. The server determines whether there is a user account match to the initial code. The server determines a corresponding application server based on the initial code and the user account match. The server generates a temporary generated code to access the application server. The temporary generated code is transmitted to both the application server and the communication device, is set to expire at a preset time, is generated to allow the user access to a single session on the application server, and is generated to expire after the temporary generated code is input to access the single session on application server.
Type: Application
Filed: August 31, 2009
Publication date: March 3, 2011
Applicant: AT&T MOBILITY II LLC
Inventor: Sangar Dowlatkhah
-
Publication number: 20110055580
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for generating a nonce. In one aspect, a method includes generating, by a data processing apparatus, a source value, and hashing, by the data processing apparatus, the source value to generate the nonce.
Type: Application
Filed: October 6, 2009
Publication date: March 3, 2011
Applicant: MCAFEE, INC.
Inventor: Srinivasan Narasimhan
-
Publication number: 20110055910
Abstract: The present invention relates to methods and arrangement for user-centric interception in a telecommunication system wherein correlated identities are federated in an Identity Management Controller. The method comprises: Sending from an Intercept Unit to the Identity Management Controller, a request for identities correlated with a specified key target identity. The Intercept Unit receives identities federated to the specified key target identity. The received identities are utilized for user-centric interception purposes.
Type: Application
Filed: June 6, 2007
Publication date: March 3, 2011
Inventors: Francesco Attanasio, Raffaele De Santis
-
Patent number: 7900046
Abstract: A system, method, and computer program product for establishing mutual trust on a per-deployment basis between two software modules. For example, the first software module may be a Websphere (WS) Information Integrator (II) deployment instance, and the second software module may be a plugin instance. By executing for this deployment an initial handshake between the software modules, both modules identify themselves and exchange digital certificates received from a trusted certification authority and respective public keys. Subsequent communications for this deployment between the software modules proceed with each module encrypting its communications with the public key of the other module; thereby establishing mutual trust between the software modules for each deployment.
Type: Grant
Filed: January 11, 2006
Date of Patent: March 1, 2011
Assignee: International Business Machines Corporation
Inventors: Priya Baliga, Randy M. Nakagawa, Tian Zhang
-
Patent number: 7900053
Abstract: An electronic device includes password protected functionality using a password that can be changed by the user. A user-specified password is stored in association with unique version data that is subsequently provided to help user recall of the password associated therewith.
Type: Grant
Filed: August 14, 2009
Date of Patent: March 1, 2011
Assignee: Research In Motion Limited
Inventors: Michael K. Brown, Herbert A. Little, Michael G. Kirkup
-
Patent number: 7900242
Abstract: A system and method for three-party authentication and authorization. The system includes an authorizer that authorizes requestors, a client that makes a request, and a local attendant that provides a conduit through which messages between the client and the authorizer pass. The authorizer, the client, and a peer on which the requested resource may be accessed are each in separate domains. A domain is defined as a set of one or more entities such that if the set includes more than one entity, a connection between any two of the entities in the set can be secured by static credentials that are known by each of the two entities. A subscriber identity module (SIM) may be used to generate a copy of a key for the client to be used in accessing a requested resource.
Type: Grant
Filed: July 9, 2002
Date of Patent: March 1, 2011
Assignee: Nokia Corporation
Inventors: Jari T. Malinen, Timothy J. Kniveton, Henry Haverinen
-
Patent number: 7900249
Abstract: A system, method and apparatus for securing communications between a trusted network and an untrusted network are disclosed. A perimeter client is deployed within the trusted network and communicates over a session multiplexing enabled protocol with a perimeter server deployed within a demilitarized zone network. The perimeter client presents requests to make available and communication initiation requests to the perimeter server which presents corresponding sockets to the entrusted network. The session multiplexing capabilities of the protocol used between the perimeter server and perimeter client permit a single communication session therebetween to support a plurality of communication sessions between the perimeter server and untrusted network. In the event data flows across the communication sessions are encrypted, decryption of the data flows is left to the components at the end points of the communication session, thereby restricting exposure of privileged information to areas within trusted networks.
Type: Grant
Filed: October 23, 2008
Date of Patent: March 1, 2011
Assignee: Sterling Commerce, Inc.
Inventors: Bill Burcham, Sanjay Cherian, Darron Shaffer
-
Patent number: 7895646
Abstract: A self-adjusting Internet Key Exchange (IKE) daemon negotiation throttle minimizes retransmission processing during Security Association (SA) negotiation requests. The self-adjusting IKE daemon receives a request for a new negotiation to be performed by a negotiation system; determines if the negotiation system is in congestion; and if the negotiation system is determined to be in congestion: determines if a token is available in a token bucket; and if a token is available in the token bucket, removes the token from the token bucket; and performs the new negotiation.
Type: Grant
Filed: May 25, 2006
Date of Patent: February 22, 2011
Assignee: International Business Machines Corporation
Inventors: Jeffrey B. Cates, Wuchieh J. Jong, Scott C. Moonen, Keith J. Welter
-
Patent number: 7895641
Abstract: A probe attached to a customer's network collects status data and other audit information from monitored components of the network, looking for footprints or evidence of unauthorized intrusions or attacks. The probe filters and analyzes the collected data to identify potentially security-related events happening on the network. Identified events are transmitted to a human analyst for problem resolution. The analyst has access to a variety of databases (including security intelligence databases containing information about known vulnerabilities of particular network products and characteristics of various hacker tools, and problem resolution databases containing information relevant to possible approaches or solutions) to aid in problem resolution. The analyst may follow a predetermined escalation procedure in the event he or she is unable to resolve the problem without assistance from others.
Type: Grant
Filed: October 20, 2006
Date of Patent: February 22, 2011
Assignee: BT Counterpane Internet Security, Inc.
Inventors: Bruce Schneier, Andrew H. Gross, Jonathan D. Callas
-
Publication number: 20110041167
Abstract: A method, server and client for protecting communications among a plurality of clients, for use in a networked communication system comprising a server and the plurality of clients, the plurality of clients comprising at least a first client and a second client, are provided. The method includes communicating, from the first client to the server, a request for a credential token for a communication between the first client and the second client, selecting, by the server, the credential token for the communication between the first client and the second client, communicating, from the server to each of the first client and the second client, the selected credential token, and communicating, between the first client and the second client using security algorithms and information contained in the credential token received from the server.
Type: Application
Filed: August 13, 2010
Publication date: February 17, 2011
Applicant: SAMSUNG ELECTRONICS CO. LTD.
Inventor: Nhut NGUYEN
-
Publication number: 20110041166
Abstract: A method is provided in which a user registers a Session Initiation Protocol (SIP) address with a server that uses digest access authentication. If the user has another address already registered with the server, the server requests the user name and password for the existing address. The user enters the user name and password into a client application. The client application transmits the user name and password to the registration server as clear text over an encrypted channel. The registration server generates a digest from the received user name and password and compares the generated digest with the digest stored on the registration server for the existing address in order to determine whether the user submitted a valid user name and password. If the generated and stored digests match, the registration server sets the password for the existing email account of the user as the password for the new email.
Type: Application
Filed: August 17, 2009
Publication date: February 17, 2011
Applicant: AVAYA INC.
Inventor: Mahalingam Mani
-
Patent number: 7890998
Abstract: A system, method, and program product is provided that provides authentication on a per-role basis in a Role-Based Access Control (RBAC) environment. When a user attempts to acquire a role, the improved RBAC system determines whether (a) no authentication is required (e.g., for a non-sensitive role such as accessing a company's product catalog), (b) a user-based authentication (e.g., password) is required, or (c) a role-based authentication (e.g., role-specific password) is required.
Type: Grant
Filed: June 29, 2007
Date of Patent: February 15, 2011
Assignee: International Business Machines Corporation
Inventors: Yantian Tom Lu, Thomas Walters Drew
-
Patent number: 7889366
Abstract: A printer as an image forming device establishes the same password for multiple confidential printing jobs received within a specified time period from the same user and sends them back to the source of the transmission. The printer approves the execution of the particular confidential printing job when the entered password matches with the password established for the confidential printing job.
Type: Grant
Filed: February 2, 2005
Date of Patent: February 15, 2011
Assignee: Konica Minolta Business Technologies, Inc.
Inventor: Junichi Nishiyama
-
Patent number: 7890634
Abstract: Scalable session management is achieved by generating a cookie that includes an encrypted session key and encrypted cookie data. The cookie data is encrypted using the session key. The session key is then signed and encrypted using one or more public/private key pairs. The encrypted session key can be decrypted and verified using the same private/public key pair(s). Once verified, the decrypted session key can then be used to decrypt and verify the encrypted cookie data. A first server having the private/public key pair(s) may generate the cookie using a randomly generated session key. A second server having the same private/public key pair(s) may decrypt and verify the cookie even if the session key is not initially installed on the second server. A session key cache may be used to provide session key lookup to save public/private key operations on the servers.
Type: Grant
Filed: March 18, 2005
Date of Patent: February 15, 2011
Assignee: Microsoft Corporation
Inventors: Wei Jiang, Ismail Cem Paya, John D Whited, Wei-Quiang Michael Guo, Yordan Rouskov, Adam Back
-
Patent number: 7890993
Abstract: A secret file access authorization system with fingerprint limitation includes an authorization module, encryption module and certification module in a server linked by programs. A user module of at least one client machine contains a kernel encryption/decryption unit embedded in the client operation system kernel, so access authorization to secure files can be limited by environment or time fingerprint. Therein the authorization module provides an authorization secret key (ASK) and fingerprint template. The encryption module accepts the ASK and secret files to be encrypted, and provides a decryption secret key (DSK). The user module accepts the ASK and encrypted secret files, and presents a claim for the ASK certification to the certification module. The certification module accepts the DSK and the claim and the template, and provides the certified DSK for the user module, to start the kernel encryption/decryption unit in the user module, and achieve reading and writing of encrypted files.
Type: Grant
Filed: March 24, 2005
Date of Patent: February 15, 2011
Assignee: Shanghai Sanlen Info Security Co., Ltd.
Inventors: Yunchuan Qin, Jungang Zhou
-
Patent number: 7890997
Abstract: A system for providing a user with authorization to perform one or more functions using or otherwise involving a computational component is provided. The system includes an authentication file system 100 operable to (a) receive a request from a user for a second set of authentication information permitting a second set of operations to be performed on a computational component, wherein the computational component is operable to be installed by the user on the computational system, wherein the computational component contains a first set of authentication information permitting a first set of operations to be performed on the computational component; and wherein the first and second sets of operations are different; (b) generate an authentication file containing the second set of authentication information; and (c) transmit the authentication file to the computational system.
Type: Grant
Filed: January 20, 2003
Date of Patent: February 15, 2011
Assignee: Avaya Inc.
Inventors: William T. Walker, Robert J. Serkowski
-
Patent number: 7890759
Abstract: A connection assistance apparatus avoids unauthorized access and DoS attacks, prevents a performance degradation from occurring, and does not need to recognize different connections to gateway apparatus. An authenticating unit authenticates the validity of a terminal by checking if the terminal is a valid terminal capable of communicating with a gateway apparatus according to IPSec in response to a request from a user who owns the terminal. If it is judged that the terminal is a valid terminal, then a preshared key generating unit generates a preshared key for the terminal and the gateway apparatus, and a firewall opening instruction information generating unit generates firewall opening instruction information to open a firewall of the gateway apparatus. A transmitting unit sends the preshared key to the terminal and the gateway apparatus and sends the firewall opening instruction information to the gateway apparatus.
Type: Grant
Filed: February 22, 2006
Date of Patent: February 15, 2011
Assignee: Fujitsu Limited
Inventors: Haruyuki Takeyoshi, Naoki Matsuoka