Management Patents (Class 726/6)
-
Publication number: 20110035791
Abstract: A method for performing at least one evolution operation in a dynamic, evolutive community of devices in a network comprising at least a first device. The method comprises a step of sending at least one message over the network from the first device to a second device, wherein the first device continues the method without acknowledgement of the at least one message from the second device. The method is suitable for execution on clockless devices. A device for performing the method is also claimed.
Type: Application
Filed: February 5, 2007
Publication date: February 10, 2011
Applicant: Thomson Licensing
Inventors: Nicolas Prigent, Olivier Heen, Jean-Pierre Andreaux
-
Patent number: 7886344
Abstract: A network device may provide secure fallback operations. The device includes a port allowing the device to communicate with a network and a processor to generate a security credential, provide the security credential to a call manager during initialization, and provide the security credential to a secondary device during fallback operations. The network device may include a memory to store the security credential and routing information for fallback operations.
Type: Grant
Filed: September 13, 2004
Date of Patent: February 8, 2011
Assignee: Cisco Technology, Inc.
Inventors: James Wei, Yosef Rizal Tamsil, Suresh Ganjigunta Padmanabhan, Subbiah Kandasamy
-
Patent number: 7886340
Abstract: A computer network management system with an embedded processor, an analog communication means and a digital interface for network management provides a system for remotely and securely managing a network. Backup power in the form of an uninterrupted power supply, or other power means as appropriate, allows the modem to provide power outage notification to a remote site. The system further provides authentication and authorization capabilities for security purposes.
Type: Grant
Filed: January 12, 2009
Date of Patent: February 8, 2011
Assignee: Engedi Technologies
Inventor: Jeffrey Alan Carley
-
Patent number: 7886342
Abstract: A computer implemented web based access control facility for a distributed environment, which allows users to request for access, take the request through appropriate approval work flow and finally make it available to the users and applications. This program also performs an automatic task of verifying the health of data, access control data as well as the entitlements, to avoid malicious user access. The system also provides an active interface to setup a backup, to delegate the duty in absence. Thus this system provides a comprehensive facility to grant, re-certify and control the entitlements and users in a distributed environment.
Type: Grant
Filed: June 9, 2008
Date of Patent: February 8, 2011
Assignee: International Business Machines Corporation
Inventors: Rahul Jindani, Vinod Kannoth, Deepak Kanwar, Rinku Kanwar, Jay Krishnamurthy, Gregory L. McKee, Sandeep Mehta, Penny J. Peachey-Kountz, Ravi K. Ravipati
-
Patent number: 7886341
Abstract: A system and method for authenticating users against an external directory service. A client device issues an LDAP (Lightweight Directory Access Protocol) request (e.g., a login request) to a local or native directory server (e.g., an Oracle Internet Directory server) configured to authenticate users for access to a resource (e.g., an Oracle database, an Oracle application server). The native directory server does not maintain or synchronize user passwords, and forwards the request (or details of the request) to a plug-in residing in the resource. The plug-in forwards or issues the request to an external or third-party directory server or service, which attempts to authenticate the user and returns a result indicating success or failure. The plug-in returns the result to the local server, which responds to the client.
Type: Grant
Filed: June 10, 2004
Date of Patent: February 8, 2011
Assignee: Oracle International Corporation
Inventors: Cheng-Fang Lin, Hari V N Sastry
-
Patent number: 7886345
Abstract: A method of protecting a password being used to establish interaction between a user and an application includes detecting a request for the password from the application by receiving a notification from the user indicating the request. The method further includes combining the password with information identifying the application, so as to produce a protected password, and authenticating to the application using the protected password. The method may also include a mutual authentication capability between user and the application.
Type: Grant
Filed: June 30, 2005
Date of Patent: February 8, 2011
Assignee: EMC Corporation
Inventors: Burton S. Kaliski, Magnus Nyström
-
Publication number: 20110028212
Abstract: Methods are disclosed for providing replicas of a sporting trophy and for scoring the sporting trophy. The first method includes providing a sporting trophy to be scanned, scanning the sporting trophy to provide three-dimensional image data of the sporting trophy, and providing the three-dimensional image data of the sporting trophy to a replica generating system to provide a replica of the sporting trophy. The second method includes providing three-dimensional digital data of a sporting trophy having a volume and a surface area, providing at least one sporting-relevant measurement based on the three-dimensional data of the sporting trophy, and providing a score of the sporting trophy based on the at least one sporting-relevant measurement.
Type: Application
Filed: October 8, 2010
Publication date: February 3, 2011
Inventor: David Krien
-
Patent number: 7882551
Abstract: A technique of allowing entry of the password which is not 100% correct. This password would be used to verify identity and/or login information in low security techniques. The password is scored relative to the correct password. The scoring can take into effect least mean squares differences, and other information such as letter groups, thereby detecting missed characters or extra characters, as well as shift on the keyboard.
Type: Grant
Filed: November 3, 2008
Date of Patent: February 1, 2011
Assignee: Harris Technology, LLC
Inventor: Scott C. Harris
-
Patent number: 7882365
Abstract: Systems and methods that facilitate processing data, such as by encryption/decryption, and storing and retrieving data to/from memory such that actual data can be distinguished from information associated with, or representative of, erased/blank memory locations. A processor can include a comparing component that compares information input to the processor to determine whether such information is associated with actual data, or associated with, or representative of, erased/blank memory locations. Information associated with, or representative of, an erased/blank memory location can be processed so that it can be interpreted as such by other components. If actual data is processed such that the comparing component interprets the processed data to be equivalent to an erased/blank memory location, then the data can be re-processed, so it is not interpreted as such, before being forwarded to its next destination.
Type: Grant
Filed: December 22, 2006
Date of Patent: February 1, 2011
Assignee: Spansion LLC
Inventors: Venkat Natarajan, Willy Obereiner
-
Patent number: 7882550
Abstract: Embodiments of the invention address deficiencies of the art in respect to electronic messaging security through replicated certificate stores and provide a method, system and computer program product user-specific certificate repository replication. In one embodiment of the invention, a method of replicating with multiple different messaging systems disposed in correspondingly different computing clients, retrieving a local repository of untrusted certificates from each of the different messaging systems during replication, and associating each retrieved local repository with a particular end user can be provided. Moreover, the method can include updating a global repository of untrusted certificates with the untrusted certificates of each local repository while eliminating redundant instances of an untrusted certificate present in different retrieved local repositories.
Type: Grant
Filed: December 29, 2006
Date of Patent: February 1, 2011
Assignee: International Business Machines Corporation
Inventors: John C. Wray, Andrew S. Myers
-
Patent number: 7880807
Abstract: A camera assembly that generates a high-quality self portrait may include a plurality of reflecting surfaces, such as an array of mirrors or a multi-faceted reflecting element. Each reflecting surface may be arranged so as to assist the user align the camera by rotational movement and/or translated movement to achieve a different field of view for the camera assembly for each reflecting surface. In this manner, the user may sequentially use the various reflecting surfaces to capture an image corresponding to each reflecting surface so that each image corresponds to a different portion of a scene. These portions of the scene may have some overlap and may be stitched together to form a panoramic self portrait that includes the user and portions of the scene behind the user.
Type: Grant
Filed: December 26, 2007
Date of Patent: February 1, 2011
Assignee: Sony Ericsson Mobile Communications AB
Inventor: Vikram M. Gupta
-
Publication number: 20110023095
Abstract: A transactional server is configured to receive a transactional procedure call from a client to initiate one or more transaction processes. Said transactional server includes a Lightweight Directory Access Protocol (LDAP) authentication server which is configured to forward the transactional procedure call from the transactional server to a distributed authentication server for authentication. When the transactional procedure call to initiate a transaction is received at the transactional server, the LDAP authentication server identifies a user associated with the transactional procedure call, determines that the distributed authentication server should authenticate the user, and initiates an LDAP session between the transactional server and the distributed authentication server.
Type: Application
Filed: October 7, 2010
Publication date: January 27, 2011
Applicant: BEA SYSTEMS, INC.
Inventors: Hong-Hsi Lo, Rich Lee
-
Publication number: 20110023100
Abstract: A home relationship is established between a device and a network by storing an ownership record in the device that identifies the network, and storing in the network a device identifier that identifies the device. Thereafter, communication is established between the device and the network. The ownership record is then transmitted from the network to the device, and automatic access to the device is granted to the network once the device verifies the transmitted ownership record against the ownership record stored in the device. In addition, the device identifier is transmitted from the device to the network, and automatic access to the network is granted to the device once the network verifies the transmitted device identifier against the device identifier stored in the network.
Type: Application
Filed: October 4, 2010
Publication date: January 27, 2011
Inventor: Eric C. Anderson
-
Patent number: 7877790
Abstract: The present disclosure is directed to a system and method to manage data flow in a network. The method can include storing a plurality of profiles of a user, wherein each profile includes user data. The method can also include receiving a request for a portion of user data. The method also includes selecting a type of credential, at least partially based on: an origin of the request, the user data requested, a transaction value, a plurality of data disbursement rules, or any combination thereof.
Type: Grant
Filed: October 31, 2005
Date of Patent: January 25, 2011
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Claire Svetlana Vishik, Lalitha Suryanarayana
-
Patent number: 7877782
Abstract: A management computer collects, from a storage subsystem via a management network, path definition information including the contents of a security setting made to a path accessible to a volume in the storage subsystem, and when the volume in the storage subsystem is an original volume having a replica volume, replica definition information of the original volume. Based on the replica configuration information thus collected from the storage subsystem, the replica relationship between the volumes is to be grasped. Then, based on the path definition information also collected from the storage subsystem, the contents of the path security setting are verified for the volumes under the same replica relationship, and the verification result is output. In such a structure, consistency verification can be easily done for the security setting of the original and replica volumes.
Type: Grant
Filed: January 23, 2009
Date of Patent: January 25, 2011
Assignee: Hitachi, Ltd.
Inventors: Masayuki Yamamoto, Yasuyuki Mimatsu, Yasunori Kaneda
-
Patent number: 7877600
Abstract: An apparatus and method for providing at least one root certificate are disclosed. Specifically, a plurality of root certificates is received and stored. Afterwards, a request is received from a first endpoint device for a desired root certificate, where the desired root certificate is used by the first endpoint device to verify an identity of a second endpoint device. Furthermore, the first endpoint device and the second endpoint device are associated with different certificate hierarchies. The desired root certificate is then sent to at least the first endpoint device.
Type: Grant
Filed: December 27, 2006
Date of Patent: January 25, 2011
Assignee: General Instrument Corporation
Inventors: Xin Qiu, Petr Peterka, Eric J. Sprunk
-
Patent number: 7877299
Abstract: A computer-implemented service acts as an intermediary between merchant sites and users thereof, and enables the users to purchase items on the merchant sites without having to create accounts with such sites. A user may invoke the service from a web page of a merchant site, and complete a purchase transaction, without having to browse away from the merchant site. The service may either forward the user's payment information to the merchant's system to enable the merchant to charge the customer, or may charge the user on behalf of the merchant. In some implementations, the service enables users to make single-action purchases from the merchant sites.
Type: Grant
Filed: January 21, 2009
Date of Patent: January 25, 2011
Assignee: Amazon.com, Inc.
Inventor: Hong Q. Bui
-
Publication number: 20110016515
Abstract: The need for realtime password resetting is providing by using a converged HTTP/SIP container. The container allows interaction between the different protocols of HTTP and SIP. When a user needs to reset a password that would normally require sending a new temporary password through the mail, the user can be appropriately authenticated and provided with a temporary key. After a temporary key is created and sent electronically to the user via the computer system which initiated the request, a telephony application calls the user. The user is prompted for authentication information and then enters the temporary key. The temporary key entered is compared with the temporary key created, and if matched, the user can reset the password in realtime.
Type: Application
Filed: July 17, 2009
Publication date: January 20, 2011
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: GIRISH DHANAKSHIRUR, PEEYUSH JAISWAL
-
Patent number: 7873984
Abstract: A network configuration device or entity has control of defined management and security functions in the network, or in many embodiments, in a Fiber Channel fabric. The network configuration device may control many functions. Foremost, it may control the recognition, operation and succession procedure for network configuration entities. It may also control user configurable options for the network, rules for interaction between other entities in the network, rules governing management-level access to the network, and rules governing management-level access to individual devices in the network. In addition, the network configuration entity may exploit policy sets to implement its control.
Type: Grant
Filed: January 31, 2002
Date of Patent: January 18, 2011
Assignee: Brocade Communications Systems, Inc.
Inventors: Richard L. Hammons, James Kleinsteiber, Hung Nguyen, Shankar Balasubramanian, Vidya Renganarayanan
-
Patent number: 7873993
Abstract: Remote routers are configured to block the return path to malicious websites with the use of split tunneling while allowing paths to third party resource websites. The iBGP protocol runs on the agent's router, advertises routes and enables the head-end to set up a policy at each remote router. Enterprise policies for blocking access to “blackholed” website addresses are centrally administered but third party website traffic is not routed to the enterprise's network resources. Since remote offices may connect directly to third party websites, latency is minimized and network resources at the enterprise are not unduly burdened.
Type: Grant
Filed: November 9, 2005
Date of Patent: January 18, 2011
Assignee: Cisco Technology, Inc.
Inventor: Joel W. King
-
Patent number: 7873995
Abstract: A method and apparatus are provided for generating passwords that may be memorized by a user, yet not easily guessed by an attacker. A user is presented with one or more textual, audio or visual hints. A password is automatically generated based on the selected hint (and possibly further input from the user). The presented hints may include poems, songs, jokes, pictures or words. The generated password and selected hint can be presented to the user during enrollment for further reinforcement and stored in a user database for subsequent reinforcement and verification. The enrollment process may schedule the sending of one or more reminder messages to the user containing the hint to reinforce the password in the user's memory.
Type: Grant
Filed: September 29, 2003
Date of Patent: January 18, 2011
Assignee: Avaya Inc.
Inventors: Amit Bagga, Jon Bentley, Lawrence O'Gorman
-
Publication number: 20110010590
Abstract: Enterprises are fast moving towards restructuring their IT infrastructure by exploiting the emerging models of data centers. In one extreme, the whole of application, storage, and network needs of an enterprise are to be managed by third party data centers. While the use of third party data centers is an attractive proposition for enterprises, it can potentially put their intellectual property in the form of applications and data assets under threat. There is a need for a system that is a part of a data center but owned by an enterprise that provides a single point of entry and exit for interacting and communicating with the data center and the enterprise relies on this system to obtain an insight into the functioning and behavior of the data center.
Type: Application
Filed: July 13, 2009
Publication date: January 13, 2011
Applicant: SATYAM COMPUTER SERVICES LIMITED
Inventor: Sridhar VARADARAJAN
-
Publication number: 20110010763
Abstract: A grid is provided for creating secure and confidential passwords for use in sign-in procedures on electronic user accounts. The tool includes a grid having multiple rows and columns defining cells, with each cell having randomly assigned keyboard characters, such as letters, numbers, and symbols. A user creates a password by selecting a starting cell, and progressing in a user-selected pattern through a pre-selected number of cells. Multiple unique grids may be provided in hard copy or digital form for use in creating multiple passwords which may be created using the same or different starting cells and/or patterns.
Type: Application
Filed: March 24, 2010
Publication date: January 13, 2011
Inventor: CHARLES E. BEARDSLEE
-
Publication number: 20110010297
Abstract: A computer-implemented system and method for controlling third party access to personal content includes accepting different versions of personal content, displaying a public version of the content, prompting for a passcode and then displaying a private version of the content that is dependent on the passcode.
Type: Application
Filed: July 8, 2010
Publication date: January 13, 2011
Inventor: Divesh Sisodraker
-
Publication number: 20110002466
Abstract: A client apparatus includes a wireless network access unit configured to access wireless networks, a packet analysis unit configured to analyze uplink and downlink data packets, a security tunnel processor configured to establish a mobile security tunnel and to maintain the established mobile security tunnel when handover is performed in heterogeneous networks, a wireless network controller configured to control a wireless network accessing process and a connection releasing process of the wireless network access unit, a mobile security tunnel controller configured to perform a MOBIKE protocol and to control a process of establishing and maintaining a mobile security tunnel of the security tunnel processor, and a wireless network connection manager configured to request the mobile security tunnel controller to perform a MOBIKE protocol by managing MOBIKE information and to control handover by setting up and managing a wireless network access policy.
Type: Application
Filed: June 22, 2010
Publication date: January 6, 2011
Inventors: Dong-Jin Kwak, Woo-Jin Choi, Seong-Choon Lee, Hyung-Keun Ryu
-
Patent number: 7865942
Abstract: A communication device including an access authority data managing DB device for managing access authority data with which access authority for at least one of storage area defined logically or physically in a storage device. File data stored in the storage area is defined while at least one of a user making the access and a group to which the user concerned belongs is set as a unit. A non-open WWW device controls access to the storage device on the basis of the access authority data achieved from the access authority data managing DB device in accordance with an access from a terminal device.
Type: Grant
Filed: August 1, 2006
Date of Patent: January 4, 2011
Assignee: Sony Corporation
Inventors: Atsuhiko Mimura, Naoko Kumagai, Hiroki Kotani
-
Patent number: 7865943
Abstract: A number of secondary passwords can be encrypted with a primary password and stored in a credential vault. An encrypted secondary password from the credential vault can be decrypted using the primary password and provided the secondary password to an application. Encrypted secondary passwords can be updated when the primary password changes.
Type: Grant
Filed: June 19, 2007
Date of Patent: January 4, 2011
Assignee: Oracle International Corporation
Inventors: Don L. Hayler, Daniel Vu
-
Patent number: 7865931
Abstract: The invention provides a system that includes: a web server, an application server, and a data server all connected to each other. The system is intended to protect web based applications. A web server receives a request and transmits it as a message to the application server. When the application server receives the request, the application server extracts attributes of this request. The application server uses an authorization engine to determine if each attribute of the request is authorized by accessing the data server to compare each attribute of the request with at least one rule from a rules store. The rules store resides on the data server. If the attributes of the request meet the rules in the rules store, then the request is executed by the application server.
Type: Grant
Filed: November 25, 2002
Date of Patent: January 4, 2011
Assignee: Accenture Global Services Limited
Inventors: Andrew Stone, Brett Cooper, Christopher Miller, Timothy Daniel McCarthy, Clifford Randall Cannon
-
Patent number: 7865727
Abstract: An extensible authentication framework is used in cable networks such as Data Over Cable Service Interface Specification (DOCSIS) cable networks. The authentication scheme allows for centralized authentication of cable modems, as well as authentication of the cable network by cable modems. Additionally, the authentication scheme allows a Cable Modem Termination System (CMTS) to authenticate devices downstream from cable modems, such as Customer Premise Equipment (CPE) devices.
Type: Grant
Filed: August 24, 2006
Date of Patent: January 4, 2011
Assignee: Cisco Technology, Inc.
Inventors: Shengyou Zeng, Jason Frazier, Joshua B. Littlefield, Joseph A. Salowey
-
Publication number: 20100333185
Abstract: An apparatus and method establish a secure, direct, station-to-station communication between a first station and a second station in a topology (e.g., PBSS) having a central secret holder/provider that allows secure, direct, station-to-station communications and that allows secure station-to-station broadcast communications. The first station and the second station will have previously established a security association (SA) with a topology control point (PCP). The method includes creating pair-wise unique material for the first station. The pair-wise unique material is computed as a function of (i) a known shared secret associated with the PCP, (ii) a first piece of unique data associated with the first station, and (iii) a second piece of unique data associated with the second station. The method includes securely communicating the pair-wise unique material from the first station to the second station.
Type: Application
Filed: June 8, 2010
Publication date: December 30, 2010
Inventors: Paul A. LAMBERT, Yong LIU
-
Patent number: 7861287
Abstract: A system, method, and computer usable medium for utilizing audit information for challenge/response during a password reset process. In a preferred embodiment of the present invention, a client tracker compiles a log of user actions while a user accesses an account on a data processing system. In response to a user password reset request, the client tracker selects at least one user action from the log of user actions, forms a challenge question based on the selected user action, and in response to an acceptable response to the challenge question, resetting a password associated with the account.
Type: Grant
Filed: May 17, 2006
Date of Patent: December 28, 2010
Assignee: International Business Machines Corporation
Inventor: Ori Pomerantz
-
Publication number: 20100325705
Abstract: In various embodiments, security may be provided for application to application (A2A) and application to database (A2DB) implementations. In some embodiments, a method comprises receiving a registration request at a first digital device for a first application, receiving a first program factor associated with the first application, confirming the first program factor, generating a first password for a second application based, at least, on the confirmation of the first program factor, and providing the first password to a second digital.
Type: Application
Filed: July 2, 2009
Publication date: December 23, 2010
Applicant: Symark International, Inc.
Inventors: Gyle Iverson, Jeffery Nielsen, Julie Lustig-Rusch, James Mitchell
-
Publication number: 20100325708
Abstract: A system and method for providing secure communications between remote computing devices and servers. A network device sends characteristics of a client computing device over the network. A network device receives characteristics of a client computing device over the network. A plurality of credentials are generated where at least one of the plurality of credentials based on both the received characteristics of the client computing device and a unique client key, and at least one of the plurality of credentials based on both the received characteristics of the client computing device and a generic key. A network device sends the plurality of credentials over the network. A network device receives the plurality of credentials via the network.
Type: Application
Filed: August 23, 2010
Publication date: December 23, 2010
Inventors: Laurence LUNDBLADE, Ivan Hugh MCLEAN, Gerald Charles HOREL
-
Publication number: 20100325707
Abstract: In various embodiments, a method comprises scanning a directory structure to generate a scan result comprising a plurality of discovered systems, identifying one or more accounts associated with at least one of the plurality of discovered systems, configuring a security appliance to change one or more old passwords to one or more new passwords for the one or more accounts, and changing, with the configured security appliance, the one or more old passwords to the one or more new passwords.
Type: Application
Filed: September 30, 2009
Publication date: December 23, 2010
Inventors: Gyle Iverson, Jeffery Nielsen, Julie Lustig-Rusch, James Mitchell
-
Publication number: 20100325441
Abstract: Systems and methods are disclosed for privacy-preserving flexible user-selected anonymous and pseudonymous access at a relying party (RP), mediated by an identity provider (IdP). Anonymous access is unlinkable to any previous or future accesses of the user at the RP. Pseudonymous access allows the user to associate the access to a pseudonym previously registered at the RP. A pseudonym system is disclosed. The pseudonym system allows a large number of different and unlinkable pseudonyms to be generated using only a small number of secrets held by the user. The pseudonym system can generate tokens capable of including rich semantics in both a fixed format and a free format. The tokens can be used in obtaining from the IdP, confirmation of access privilege and/or of selective partial disclosure of user characteristics required for access at the RPs. The pseudonym system and associated protocols also support user-enabled linkability between pseudonyms.
Type: Application
Filed: June 23, 2009
Publication date: December 23, 2010
Inventors: Bennet Laurie, Marcel M. Moti Yung
-
Publication number: 20100325687
Abstract: In various embodiments, a method comprises receiving a custom login script from a first user, receiving a custom change password script from the first user, logging onto an account on a digital device using the custom login script from the first user, changing an old password on the account to a new password at predetermined intervals using the custom change password script from the first user, receiving a password request from a second user, approving the password request, and checking out the new password to the second user.
Type: Application
Filed: September 30, 2009
Publication date: December 23, 2010
Inventors: Gyle T. Iverson, Timothy A. Cope, Joseph J. Balint, Jeffery Nielsen
-
Publication number: 20100325706
Abstract: Techniques for verifying a user is human as opposed to a machine are provided. A series of images may be presented to the user sequentially along with a challenge question that instructs the user to select the image that is responsive to the challenge question. If the user selects the correct image, there likelihood that the user is a human as opposed to a machine is greatly increased. Techniques for varying certain parameters associated with display of images and challenge question are also provided. The variations in these parameters may further help distinguish human users from machines.
Type: Application
Filed: September 18, 2009
Publication date: December 23, 2010
Inventor: John Hachey
-
Patent number: 7856658
Abstract: A method and system for incorporating trusted metadata in a computing environment is described. One illustrative embodiment is a system comprising at least one functional module configured to query a personalized database of trusted metadata including at least one report from an informer network that includes the computer user and at least one informer, each informer in the informer network being trusted by the computer user either directly or indirectly, each indirectly trusted informer being trusted directly by at least one other informer in the informer network, each of the at least one report including a subjective assertion regarding the quality of an item or an expression of a degree of trust in an informer; and at least one functional module configured to perform a task in the computing environment based at least in part on results of a query of the personalized database of trusted metadata.
Type: Grant
Filed: June 20, 2006
Date of Patent: December 21, 2010
Assignee: Lijit Networks, Inc.
Inventor: Stanley James
-
Publication number: 20100318563
Abstract: A terminal, server and method for identifying contents are discussed. According to an embodiment, the present invention provides a method for controlling content in a content identifying system, including receiving content related information regarding a content from a terminal; generating function information for calculating a content ID based on the content related information; transmitting the function information to the terminal; receiving a content ID generated based on the function information from the terminal; comparing the received content ID with stored content ID information; and performing at least one operation based on the comparison result.
Type: Application
Filed: December 23, 2008
Publication date: December 16, 2010
Inventor: Jean-Francois Deprun
-
Publication number: 20100319058
Abstract: A method using an electronic chip for authentication and configuring a one time password uses a one time password generated at a one time password service end replacing a personal identification number required in authenticating operations on an electronic chip (IC cards, such as smart card, hardware secure module (HSM), EMV chip, etc.). Before operating on the electronic chip, a request for the one time password is sent to the one time password service end; or the one time password with access condition is applied in advance, and is used as a key to authenticate operations on the electronic chip. The method enhances privacy of the password and provides added application method for improved confidentiality.
Type: Application
Filed: June 16, 2009
Publication date: December 16, 2010
Inventor: Chia-Hong CHEN
-
Publication number: 20100318783
Abstract: Systems and methods for service activation using algorithmically defined keys are disclosed. A consumer who has a relationship with a first party may wish to enroll in a service provided by a third party. The first party can maintain control of such enrollments through the use of algorithmically defined keys. The algorithmically defined keys also allow the third party service provider to verify data provided by the consumer as matching data stored by the first party. The verification provides for data synchronization without requiring the third party to have access to the first party's data systems.
Type: Application
Filed: June 8, 2010
Publication date: December 16, 2010
Inventors: Ashwin Raj, John Tullis, Mark Carlson, Patrick Faith, Shalini Mayor, Joseph Mirizzi, Lauren White, Olivier Brand, Mike Lindelsee
-
Patent number: 7853994
Abstract: The storage system of the present invention is able to update a secret while maintaining a session between a host and storage. The administrator configures a new secret for the host and the storage. The session manager issues a request to the storage to open a session that uses the new secret. The session manager opens a session that uses the new secret following authentication. A response to an old command issued prior to the secret update is transmitted from the storage to the host via a session that uses an old secret. A new command following the secret update is transmitted from the host to the storage via the session that uses the new secret. When all the old command processing is complete, the old secret using session is closed.
Type: Grant
Filed: August 23, 2006
Date of Patent: December 14, 2010
Assignee: Hitachi, Ltd.
Inventors: Kenta Shiga, Toshihiko Murakami, Daiki Nakatsuka
-
Patent number: 7853687
Abstract: This invention provides a tool for generating ACLs in an environment where a set of network elements or servers (e.g. web servers, IPTV servers, application servers ...) need to be secure. The tool also performs ACL validation to ensure that the filtering rules are correct before they are deployed in a network. The system enables a central view of the security configuration concerning the filtering rules in the network. Furthermore, it allows end-to-end configuration of the ACL rules, from the definition of the flows between the servers to the deployment of the rules on the network elements.
Type: Grant
Filed: March 5, 2007
Date of Patent: December 14, 2010
Assignee: Alcatel Lucent
Inventors: Olivier Le Moigne, Christopher Hawley
-
Publication number: 20100313245
Abstract: Embodiments of the invention are generally directed to a system and method for enrolling a user into an authentication system. In some embodiments of the invention, a user completes a first portion of the enrollment or setup process using a first computer environment, but is not permitted to complete the enrollment or setup process from the first computer environment. The system permits the user to complete the enrollment or setup process only from a second computer environment different from the first computer environment. In one embodiment, the second computer environment is any computer environment outside of the first computer environment.
Type: Application
Filed: October 30, 2009
Publication date: December 9, 2010
Applicant: BANK OF AMERICA CORPORATION
Inventors: Jessica Lynn Brandt, William Larry Grant, JR., Linda Marie Dziedzic, Aaron Daniel Lewis, Duncan Converse Morrell, Kapil Pruthi, Nishant H. Shah, Justin McCord, Heather Dolan, Ronald C. Mitchell, JR., Michael Dean Bridges, Craig T. Johnson, Xianhong Zhang, Tanuja Melkani, Debra Jean Lewis, Gail R. Davis, Karen Choy, David Shroyer, Joseph M. Hollmann, Kris Tullos, Sidney A. Winchester, JR.
-
Publication number: 20100313251
Abstract: A method of configuring a network access device connected to an access network connected to a plurality of service networks, the network device having a first network address allocated to a subscriber of services of a first service provider provided by a first service network, with a new network address allocated to a second subscriber of services of either the first service provider, or a second service provider provided by a second service network. The method comprises the steps of: sending a request from the network access device to the access network with user credentials for the second subscriber requesting access to the first service provider or a change to the second service provider; receiving a response from the access network; and initiating a network address change request using a configuration protocol.
Type: Application
Filed: August 16, 2010
Publication date: December 9, 2010
Applicant: AT&T Intellectual Property II, L.P.
Inventors: Sean E. Carolan, John W. Garrett, Charles Robert Kalmanek, JR., Han Q. Nguyen, Kadangode K. Ramakrishnan
-
Patent number: 7849321
Abstract: An interactive method for authentication is based on two shared secrets, including a first shared secret in the form of an ordered path on the frame of reference, and a second shared secret in the form of locations on the frame of reference at which characters identifying a subset of the ordered path are to be displayed. An instance of the frame of reference comprises a set of characters which is arranged in a random or other irregular pattern. Authentication requires that a user enter the characters in the displayed instance of the frame of reference found in the locations in the random subset of the ordered path by indicating characters either in these locations, or any other locations having the same characters. Thus, a secret challenge identifying the random partial subset is embedded within the displayed instance of the graphical representation of the frame of reference.
Type: Grant
Filed: August 23, 2006
Date of Patent: December 7, 2010
Assignee: Authernative, Inc.
Inventor: Len L. Mizrah
-
Patent number: 7849496
Abstract: A method of managing online communities within an online community management system can include declaratively specifying a taxonomy of online community types, declaratively specifying a plurality of roles for members of online communities, and declaratively specifying a security policy that associates permissions with roles and online community types. A plurality of online community profiles can be maintained. Each online community profile can represent an online community, specify an online community type from the taxonomy, and specify a list of members of that online community as well as an associated role for each member. Access can be provided to a selected online community according to the online community type of the selected online community, a role within the selected online community that is associated with a user attempting to access the selected online community, and the security policy.
Type: Grant
Filed: December 28, 2006
Date of Patent: December 7, 2010
Assignee: International Business Machines Corporation
Inventors: Michael I. Ahern, Jacqueline M. Ferguson, Alexander Kordun, Joseph A. Russo, Ajamu Wesley
-
Patent number: 7845002
Abstract: Methods and apparatus, including computer program products, for defining rights applicable to a digital object. A set of initial rights and a set of modifying rights are received for the digital object. At least one of the set of initial rights and the set of modifying rights specifies one or more conditions on rights in the respective set of rights. A new set of rights is defined for the digital object based on the set of initial rights and the set of modifying rights. The new set of rights specifies one or more new conditions on rights in the new set of rights. The new conditions are defined based on one or more of the conditions in the set of initial rights and/or the set of modifying rights.
Type: Grant
Filed: November 21, 2007
Date of Patent: November 30, 2010
Assignee: Adobe Systems Incorporated
Inventors: Jason Boyer, Lawrence MacLennan, Robert Mathews
-
Publication number: 20100299734
Abstract: A method, apparatus, and system are provided for authenticating a user. According to one embodiment, a request for authentication of a user is received via a secondary site, the request for authentication of the user including user information corresponding to the user. The user information is verified and, based on the verifying, a token associated with the user is generated, the token to be used to enable the secondary site to perform a task on the primary site on behalf of the user. The token is then transmitted to the secondary site.
Type: Application
Filed: August 2, 2010
Publication date: November 25, 2010
Inventors: Liam S. Lynch, Shashi Seth
-
Publication number: 20100299733
Abstract: The present invention comprises a system and method for managing an inventory of PINs in a PIN distribution network. The distribution network includes a hub coupled to one or more servers and each of the servers is coupled to at least one client terminal. The system includes a hub for dynamically allocating PINs of the inventory among the servers so as to substantially maintain a quantity of PINs at each server at a desired level for each server. Additionally, the hub acquires additional PINs in response to at least one PIN in the inventory being distributed to at least one user from at least one of the client terminals. In variations, the hub maintains centralized databases and synchronizes the centralized databases with corresponding databases at each server.
Type: Application
Filed: February 23, 2010
Publication date: November 25, 2010
Inventors: Miles Paschini, Marshall Rose