Management Patents (Class 726/6)
  • Publication number: 20100299732
    Abstract: Tools and techniques related to time window based canary solutions for browser security are provided. These tools may receive requests to generate canary values in connection with providing content maintained on server systems, and compute canary values in response to these requests. These canary values may be based on identity information associated with different users, site-specific values associated with websites accessed by these users, and representations of time windows associated with the requests.
    Type: Application
    Filed: May 22, 2009
    Publication date: November 25, 2010
    Applicant: Microsoft Corporation
    Inventors: Yun Zhang, Brian Robert Tunning
  • Publication number: 20100299731
    Abstract: A method of accessing an internet based service, involves using a cellular telephony device to obtain a token from the provider of the internet based service, and within the cellular telephony device, using the token to calculate a time-limited password. The time-limited password is used in combination with at least one further user identification parameter to obtain access to the internet based service.
    Type: Application
    Filed: March 8, 2007
    Publication date: November 25, 2010
    Inventor: Steven Paul Atkinson
  • Patent number: 7840010
    Abstract: An interactive system for managing access via a communications network by one or more users to multiple secured Locations. The system comprises a plurality of entry control Devices assigned for use in gaining access to the Locations by multiple users with multiple keys assigned in a hierarchy to the Locations, a searchable database configured to store information on said keys and said entry control Devices, and Software stored on a readable medium and configured to produce a graphical hierarchy report on the keys depicting the hierarchy of the keys and their respectively assigned Locations and/or entry control Devices.
    Type: Grant
    Filed: December 19, 2005
    Date of Patent: November 23, 2010
    Assignee: Shield Security Systems, LLC
    Inventors: Scott M. Serani, Leslie S. McMillin, Charles D. Blish, III
  • Publication number: 20100293536
    Abstract: A product key for a software product is obtained and an activation service is accessed by a device to activate the software product with the product key. A digital license associated with the software product is received from the activation service, and the digital license is bound to a set of user-identifying credentials of a user of the device. This application of the digital license can take various forms, such as enabling use of a software product altogether or enabling/disabling of a certain set of features. The digital license and an indication of an association of the digital license to the user ID is saved to a remote license management service, may be cached locally, and may expire and become unusable in the system. The license management service receives and saves this digital license, and can remove expired time-limited licenses.
    Type: Application
    Filed: May 12, 2009
    Publication date: November 18, 2010
    Applicant: MICROSOFT CORPORATION
    Inventors: Egor Nikitin, Viswanath Vadlamani, Alexander Kochis
  • Patent number: 7836491
    Abstract: An individual may be identified by using a portable communication device. Biological information of the user is input into the communication device. The inputted biological information of the user is checked with reference biological information previously stored in the portable communication device. The portable communication device is connected to the Internet after the inputted biological information of the user and the reference biological information have matched. Then information that the inputted biological information of the user and the reference biological information have matched is transmitted to a server from the portable communication device.
    Type: Grant
    Filed: April 26, 2001
    Date of Patent: November 16, 2010
    Assignee: Semiconductor Energy Laboratory Co., Ltd.
    Inventors: Shunpei Yamazaki, Jun Koyama
  • Patent number: 7836492
    Abstract: An authentication system combining human image recognition capability to recognize transformed images, image transform element (41), and image storage element (38), and image display element (40), is implemented to enable user (32) to access a secure resource (31). Said authentication system provides a mass market solution that does not require expensive capital to implement and cannot be compromised as other authentication methods in prior art.
    Type: Grant
    Filed: October 18, 2006
    Date of Patent: November 16, 2010
    Inventors: Sudharshan Srinivasan, Jai Kumar, Kothandraman Ramchandran
  • Patent number: 7836484
    Abstract: Method, apparatus and computer program for providing access to identity services of users. A Discovery Service DS server (100) stores for a set of users references (RO1A,ROnB) of identity services (IDSRV-A,IDSRV-B) available for them and usable to contact respectively with the Service Providers SPs (120,130) hosting each of said identity services. For a given identity service not yet registered for a given user, the DS server selects a SP (140) that is able to provide it, and stores a new resource offering (RO2X) that corresponds to the registration of said identity service. For selecting the appropriate SP, the DS server can check a service capability storage (103-2,301) that comprises information about what identity service(s) can be provided by a given SP, and which can be dynamically updated from SPs with the identity services they respectively support. The DS server can contact the user to collect SP preferences and/or service data.
    Type: Grant
    Filed: May 11, 2004
    Date of Patent: November 16, 2010
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Avelina Pardo-Blazquez, Fuencisla Garcia Azorero, Maria Esther Bas Sanchez
  • Patent number: 7836310
    Abstract: An improved system and approaches for protecting passwords are disclosed. A file security system for an organization operates to protect the files of the organization and thus prevents or limits users from accessing some or all of the files (e.g., documents) associated with the organization. According to one aspect, a password entered by a user is used, provided it is authenticated, to obtain a respective authentication string (a relatively longer string of numbers or characters). The retrieved authentication string is then used to enable the user to enter the file security system and/or to access secured files therein. According to another aspect, user passwords are not stored in the file security system to avoid security breaches due to unauthorized capture of user passwords.
    Type: Grant
    Filed: November 1, 2002
    Date of Patent: November 16, 2010
    Inventor: Yevgeniy Gutnik
  • Publication number: 20100287603
    Abstract: Techniques for implementing flexible identity issuance systems to allow users to specify one or more evaluation processes to be carried out by the issuance system based on input identity information. These evaluation processes may be specified in any suitable manner to allow an issuance system to carry out any process for generating output identity information for a content consumer. In some embodiments, an evaluation process may be specified to the issuance system as a series of tasks to be carried out, where each task corresponds to a condition and an action to be taken when the condition is met. In this way, an evaluation process may be simply and easily specified by what operations are to be carried out, rather than how the operations are to be carried out. An issuer may interpret the specification to determine a functional process for carrying out the tasks.
    Type: Application
    Filed: May 8, 2009
    Publication date: November 11, 2010
    Applicant: Microsoft Corporation
    Inventors: Jan Alexander, Hervey Wilson
  • Publication number: 20100287604
    Abstract: Techniques are generally described for generating an identification number for an integrated circuit (IC). In some examples, methods for generating an identification of an IC may comprise selecting circuit elements of the IC, evaluating measurements of an attribute of the IC for the selected circuit elements, wherein individual measurements are associated with corresponding input vectors previously applied to the IC, solving a plurality of equations formulated based at least in part on the measurements taken of the attribute of the IC for the selected circuit elements to determine scaling factors for the selected circuit elements, and transforming the determined scaling factors for the selected circuit elements to generate an identification number of the IC. Additional variants and embodiments may also be disclosed.
    Type: Application
    Filed: May 11, 2009
    Publication date: November 11, 2010
    Inventors: Miodrag Potkonjak, Farinaz Koushanfar
  • Patent number: 7831833
    Abstract: A secure mechanism for transparent key recovery for a user who has changed authentication information is disclosed. A password manager agent intercepts requests by a user to access secure resources that require user credentials. Upon detecting changed authentication information for the user, the password manager agent automatically regenerates the components of a cryptographic key associated with the user that was previously used to encrypt user credentials for the user and then destroyed. After regeneration of the original cryptographic key, the password manager agent uses the key to decrypt the user credentials necessary for the requested application. The regenerated key is then destroyed and the user credentials are re-encrypted by the password manager agent using a new cryptographic key associated with the user made up of multiple components.
    Type: Grant
    Filed: May 6, 2005
    Date of Patent: November 9, 2010
    Assignee: Citrix Systems, Inc.
    Inventor: Timothy R. Gaylor
  • Publication number: 20100281522
    Abstract: An authentication device includes a user authentication certificate generation unit that issues to another device user authentication information on which information about a user is recorded; and a right transfer certificate/token generation unit that issues right transfer information and a token corresponding to the right transfer information to another device on the basis of information about a user to whom the right is transferred and a condition under which the right is transferred. A service proxy access device includes a token request unit that requests the issuing of the right transfer information and the token in order to access another device; and a user proxy access unit that accesses another service using the token. The service providing device includes a user authentication certificate request unit that acquires user authentication information from the authentication device using the token.
    Type: Application
    Filed: December 25, 2008
    Publication date: November 4, 2010
    Applicant: NEC Corporation
    Inventor: Makoto Hatakeyama
  • Publication number: 20100278345
    Abstract: A method and an apparatus that establish a first communication channel or pair with a target device in proximity to a source device are described. A pairing message is sent to the target device in proximity to the source device over the first communication channel from the source device. A secret and an identifier associated with an application are included in the pairing message. In response to receiving the secret back from the target device for a second communication channel, pairing data of the application are sent to the target device over the second communication channel.
    Type: Application
    Filed: May 4, 2009
    Publication date: November 4, 2010
    Inventors: Thomas Matthieu Alsina, Guy L. Tribble, Philippe Champeaux
  • Patent number: 7827602
    Abstract: Systems for providing information on network firewall host application identification and authentication include an identifying and transmitting agent on a host computer, configured to identify each application in use, tag the application identity with a host identity, combine these and other information into a data packet, and securely transmit the data packet to the network based firewall. The embodiment also includes an application identity listener on the network based firewall, configured to receive the information data packet, decode the data packet and provide to the network based firewall the identity of the application. The network based firewall is provided with an application-awareness via an extension of firewall filtering or security policy rules via the addition of a new application identity parameter upon which filtering can be based. Other systems and methods are also provided.
    Type: Grant
    Filed: June 30, 2003
    Date of Patent: November 2, 2010
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Jeffrey A. Aaron
  • Patent number: 7827417
    Abstract: A storage device includes a storage unit that stores key information. The storage device also includes an input/output unit that inputs a converted command. Further, the storage device includes an extractor that extracts attached information from the converted command inputted, reads out, from an address according to the attached information, the key information from the storage unit, and performs an inverse data conversion corresponding to a data conversion on the converted command, using the key information, to extract command information and address information. In addition, the storage device includes an output controller that, only when the command information is equivalent to predetermined information, reads out and outputs storage data from an address of the storage unit through the input/output unit, the address of the storage data indicated by the address information extracted by the extractor.
    Type: Grant
    Filed: October 28, 2005
    Date of Patent: November 2, 2010
    Inventor: Ikuo Yamaguchi
  • Patent number: 7827615
    Abstract: A method for access control is provided. A request is received from an administrator to modify a user role for a user. Whether the user is in a user group that belongs exclusively to the administrator is determined. Whether the administrator role permits the request is determined in response to a determination that the user is in the user group. The user role is modified based on the request in response to a determination that the administrator role permits the request, wherein the user accesses a resource based on the user role.
    Type: Grant
    Filed: January 23, 2007
    Date of Patent: November 2, 2010
    Assignee: Sprint Communications Company L.P.
    Inventors: Mouaz Allababidi, Balagurunathan Balasubramanian, Bharath N. Kuruvalli, Lih-Jong Ma, Paul L. Taylor
  • Patent number: 7827595
    Abstract: Systems and methods for delegating access to resources hosted in a distributed computing environment are described. In one aspect, a server hosts a set of resources. The server receives a request from a user to perform an operation with respect to one of the hosted resources. Responsive to receiving the request, the server determines whether the user has already been delegated authority to perform the operation. The delegated authority is independent of whether the user is a member of an administrators group associated with any resource of the server.
    Type: Grant
    Filed: August 28, 2003
    Date of Patent: November 2, 2010
    Assignee: Microsoft Corporation
    Inventor: Ciprian Gociman
  • Publication number: 20100275251
    Abstract: Credential information is received from a credential transfer server. The credential transfer server is identified by sending a credential transfer message to a network entity identified by a dynamic host configuration protocol server.
    Type: Application
    Filed: April 28, 2009
    Publication date: October 28, 2010
    Inventors: Curtis T. Gross, James M. Feldman
  • Publication number: 20100275250
    Abstract: Embodiments are directed towards providing an aging of account data points usable in recovering access to an account. The aging functionality of account data points is configured to enable users who may have had access to their account compromised or otherwise denied to still be able to recover access. Account data points are time stamped when associated with an account. When a request is received to delete the account data point, the account data point is instead placed into an aging status for a time period. During the aging status time period, the account data point may still be used to recover access to the account. Moreover, after access is recovered using a certain account data point, any account data points created after the certain account data point may be deleted to minimize unauthorized access to the account.
    Type: Application
    Filed: April 24, 2009
    Publication date: October 28, 2010
    Applicant: Yahoo! Inc.
    Inventors: Sabaridas Devadoss, Naveen Agarwal, Jonathan Edward Hryn, Abhay Avachat, Arturo Bejar, Shreyas Surendra Doshi, Henry Arshell Watts
  • Patent number: 7823187
    Abstract: This invention is to safely and surely distribute authentication information to users or user terminals. This method includes: requesting authentication using predetermined authentication information for an access destination via a network; receiving a notification indicating an authentication failure from the access destination; acquiring currently valid authentication information from an authentication information manager by transmitting data to indicate own legitimacy, and storing the acquired currently valid authentication information into a storage device; and requesting the authentication using the acquired currently valid authentication information for the access destination via the network. Thus, by supposing that a failure in the authentication occurs, and by causing the user side to present the data to indicate own legitimacy for the authentication information manager, the currently valid authentication information is distributed, for example, after the encryption.
    Type: Grant
    Filed: September 18, 2006
    Date of Patent: October 26, 2010
    Assignee: Fujitsu Limited
    Inventors: Kosuke Tanaka, Yasuomi Iriyama, Ryuichi Sato, Hiroaki Morikawa
  • Patent number: 7823192
    Abstract: The present system allows disparate secure applications to communicate directly with one another in a heterogeneous application environment by providing for the creation of tokens that can be passed between the applications without human intervention. Security information is passed between applications in the form of a token with a string data type. Since a string is a primitive data type, it can be recognized by a large number of applications and interfaces. The token has no header and therefore no application-specific header configuration, making it platform and technology independent. This eliminates the need for conversion of security information between different formats. The use of tokens also eliminates the need for an application to be authenticated and authorized every time it sends a message to another application. Instead of a permanent context or session, a context is created with every invocation from one application to another.
    Type: Grant
    Filed: April 1, 2004
    Date of Patent: October 26, 2010
    Assignee: Sprint Communications Company L.P.
    Inventors: David Fultz, Alan Hsin, Shrikant Jannu
  • Patent number: 7823191
    Abstract: Remote configuration and utilization of a virtual tape management system via communication of encrypted data. At least one security administrator CPU is communicably attached to a virtual tape management CPU. At least one remote data storage CPU is communicably attached to the virtual tape management CPU and to the security administrator. First software within the virtual tape management CPU validates authorized remote access to at least one remote data storage CPU and encrypts the data. Second software facilitates remote configuration and utilization of the virtual tape management CPU. At least one hardware adaptor card connects the virtual tape management CPU to a host.
    Type: Grant
    Filed: February 2, 2007
    Date of Patent: October 26, 2010
    Inventor: R. Brent Johnson
  • Patent number: 7823190
    Abstract: A keystore is described which provides unique views of certificates and keys to particular application components and/or users. Upon receiving a request from a user and/or an application component to view keystore data, the keystore system implements a first set of security restrictions associated with the request and provides a limited view of the keystore data to the requesting user and/or application component based on the results of the first set of security restrictions. Then, upon detecting an attempt by the user and/or application component to access specified portions of the keystore data provided in the view, the keystore system implements a second set of security restrictions associated with the attempt to access the specified portions of the keystore data, and provides access to the keystore data to the user and/or application component based on the results of the second set of security restrictions.
    Type: Grant
    Filed: June 2, 2004
    Date of Patent: October 26, 2010
    Assignee: SAP AG
    Inventors: Ilia Kacarov, Hiltrud Jaeschke, Stephan Zlatarev
  • Publication number: 20100269162
    Abstract: Embodiments of website authentication including receiving a request from a user to view a website within a graphical user interface (GUI); generating a one time password (OTP); storing the generated OTP in a database; displaying the generated OTP on the GUI; verifying an identity of the user by receiving an identification datum from a communication device; receiving an entered OTP from the user; comparing the entered OTP with the generated OTP; and communicating whether the website is authenticated.
    Type: Application
    Filed: April 15, 2009
    Publication date: October 21, 2010
    Inventors: Jose Bravo, Jeffery L. Crume
  • Publication number: 20100268824
    Abstract: A system and method for cross-authoritative, user-based network configuration management is provided. Users log-in to a network using any device coupled to the network, and an identity manager may provide the user with a custom computing environment by verifying the user's identity and identifying content, assignments, and other configuration information associated with the user. For instance, the identity manager may retrieve a unique identifier assigned to the user, query one or more authoritative source domains based on the unique identifier, and deliver a computing environment assigned to the user. By seamlessly integrating multiple authoritative sources, administrators can make assignments to users across multiple authoritative source domains, and queries to the sources will always be up-to-date without having to perform synchronization processes.
    Type: Application
    Filed: June 29, 2010
    Publication date: October 21, 2010
    Applicant: Novell, Inc.
    Inventors: Ronald Martin Tanner, Matthew John Sorenson, Rick James Carlson, David Evans Lewis
  • Publication number: 20100269163
    Abstract: A method is provided for improved computer access security, the method including protecting an access record to prevent password access to a computer via the access record, creating an alternate access record corresponding to the protected record, enabling password access to the computer via the alternate record, providing the alternate record with the access level of the protected record, and configuring the alternate record to indicate a supplemental security program to be executed once a correct password for the alternate record is provided.
    Type: Application
    Filed: June 28, 2010
    Publication date: October 21, 2010
    Applicant: International Business Machines Corporation
    Inventor: Itzhack Goldberg
  • Patent number: 7818576
    Abstract: A method, system, and program for user controlled anonymity when evaluating into a role are provided. An anonymous authentication controller enables a user to control anonymity of the user's identity for role based network accesses to resources, without requiring reliance on any single third party to maintain user anonymity. First, a role authentication certificate is received from a role authenticator, wherein the role authentication certificate certifies that the holder of the role authentication certificate is a member of a particular role without allowing the role authenticator issuing the role authentication certificate the ability to track an identity of a user holding the role authentication certificate.
    Type: Grant
    Filed: September 23, 2008
    Date of Patent: October 19, 2010
    Assignee: International Business Machines Corporation
    Inventors: Michael Austin Halcrow, Dustin C Kirkland, Emily Jane Ratliff
  • Publication number: 20100263029
    Abstract: A method for one-time password generation, the one-time password being used for user authentication by a restricted resource. The one-time password is generated by means of a mathematical algorithm in a user-specific device, and the one-time password is generated by the mathematical algorithm using at least one user-specific password generation parameter. A first password generation parameter is used for generating a first one-time password for use in user authentication by a first restricted resource, and a second password generation parameter is used for generating a second one-time password for use in user authentication by a second restricted resource, the second restricted resource being different from the first restricted resource, and the first and second password generation parameters being distinct.
    Type: Application
    Filed: April 9, 2010
    Publication date: October 14, 2010
    Inventors: Jesper Tohmo, Christer Roslund
  • Publication number: 20100263030
    Abstract: A method is disclosed for establishing an agency relationship to perform delegated computing tasks. The method provides for initiation of the agency relationship, establishment of credentials to perform a delegated computing task, and performance of the delegated computing task. Benefits of establishing an agency relationship in a computing environment include improved security, efficiency, and reliability in performing delegated computing tasks.
    Type: Application
    Filed: June 23, 2010
    Publication date: October 14, 2010
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Colin Scott Dawson, Glen Hattrup, Avishai Haim Hochberg, Michael Kaczmarski, Thomas Franklin Ramke, JR., James Patrick Smith
  • Patent number: 7814534
    Abstract: The auditing of authorization decisions is facilitated by integrating or coupling an audit policy to access control decisions. In an example implementation, an audit policy of an auditing scheme is coupled to a semantic framework of an access control scheme such that the audit policy is specified using at least a portion of the semantic framework. In another example implementation, audit policy rules include audit content rules that specify what audit information from any of the inputs, the outputs, or the internal data of authorization decisions is to be included in an audit record. In yet another example implementation, a semantic of an audit trigger rule comports with a semantic framework of an access request and of a logical evaluation for an authorization decision.
    Type: Grant
    Filed: September 8, 2006
    Date of Patent: October 12, 2010
    Assignee: Microsoft Corporation
    Inventor: Blair B. Dillaway
  • Patent number: 7813508
    Abstract: In a communication system, a first wireless communication apparatus belonging to a communication group receives a connection request frame including a notifying security level from a second communication apparatus outside of the communication group. The first communication apparatus stores a reference security level peculiar to the communication group, which is selected from security levels depending on one of encryption methods including non-encryption and encryption strengths. In the first communication apparatus, the notifying security level is compared with the reference level, and a response frame including one of a connect rejection and a connection permission is described, is generated and transferred to the second communication apparatus. The connect rejection represents a rejection of connection to the second communication apparatus and the connection permission represents a permission of connection to the second communication apparatus.
    Type: Grant
    Filed: March 4, 2009
    Date of Patent: October 12, 2010
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Tomoko Adachi, Kiyoshi Toshimitsu
  • Publication number: 20100257595
    Abstract: An authentication information management program of an authentication information management apparatus allowing the authentication information management apparatus to execute: changing the first authentication information in correspondence information which is information including the first authentication information and second authentication information in association with each other and stored in a storage section of the authentication information management apparatus; transmitting the authentication apparatus of the changed first authentication information; determining, in response to a request from the apparatus to be authenticated, whether the second authentication information in the authentication request coincides with the second authentication information in the correspondence information; and returning, in the case where it is determined that the second authentication information in the authentication request coincides with the second authentication information in the correspondence information, the
    Type: Application
    Filed: March 22, 2010
    Publication date: October 7, 2010
    Applicant: FUJITSU LIMITED
    Inventors: Itaru Nakagawa, Kazuo Sasaki
  • Publication number: 20100257456
    Abstract: A system comprises a database configured to store a presentation, the presentation having a presentation identifier and comprising a sequence of discrete presentation items, a first discrete presentation item of the plurality being associated with first content with first content type and a second discrete presentation item of the sequence being associated with second content of a second content type. A presenter interface is configured to receive viewer identification information identifying a viewer to which the presentation is to be made accessible. An access controller is configured to create an access credential using both the presentation identifier and the viewer identification information, the access credential to enable access to the presentation by a viewer computer system. A tracker configured to generate access history data pertaining to access by the viewer computer system to each of the sequence of discrete presentation items.
    Type: Application
    Filed: April 7, 2010
    Publication date: October 7, 2010
    Inventors: Adam Michael Lieb, James L. Benton
  • Patent number: 7810139
    Abstract: Techniques for the remote authorization of secure operations are provided. A secure security system restricts access to a secure operation via an access key. An authorization acquisition service obtains the access key on request from the secure security system when an attempt is made to initiate the secure operation. The authorization acquisition service gains access to the access key from a secure store via a secret. That is, the secret store is accessible via the secret. The secret is obtained directly or indirectly from a remote authorization principal over a network.
    Type: Grant
    Filed: March 29, 2006
    Date of Patent: October 5, 2010
    Assignee: Novell, Inc
    Inventors: Stephen R. Carter, Lloyd Leon Burch
  • Patent number: 7810147
    Abstract: A system for detecting and preventing replay attacks includes a plurality of interconnected authentication servers, and one or more tokens for generating a one-time passcode and providing the one-time passcode to one of the authentication servers for authentication. The system includes an adjudicator function associated with each authentication server. The adjudicator evaluates a high water mark value associated with a token seeking authentication, allows authentication to proceed for the token if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication, and prevents authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication. The token is associated with a home authentication server that maintains a current high water mark of the token. The home authentication server validates the current high water mark on behalf of the adjudicator function evaluating the token for authentication.
    Type: Grant
    Filed: December 1, 2006
    Date of Patent: October 5, 2010
    Assignee: EMC Corporation
    Inventors: William Duane, Lawrence N. Friedman, Alexander Volanis
  • Patent number: 7810145
    Abstract: A method and system for storage and retrieval of data, such as personal data. In an embodiment of the invention, a distributed network for storage and retrieval of data comprises a plurality of data origin servers, a plurality of credential servers, and an authentication server. Each data origin server is configured to store items of data and corresponding credentials, each credential at least in part identifying an owner of the corresponding item of data. Each credential server is configured to store associations between credentials and data origin servers on which data corresponding to a respective credential is stored. The authentication server is configured to register and authenticate each user based at least in part on the user's associated credential, and to link each authenticated user to respective credential servers storing associations for the user's credential.
    Type: Grant
    Filed: February 11, 2005
    Date of Patent: October 5, 2010
    Assignee: DDCNet, LLC
    Inventors: Christian M. Lehinger, A. Mark Macias, Scott K. Lehinger, Jamil H. Adi
  • Patent number: 7809953
    Abstract: A system and method of distributing authentication information for remotely accessing a computer resource. A request for authentication information, including identity information, is received from a user of a remote device. When the user is authenticated based on the identity information, requested authentication information is retrieved and returned to the remote device. The authentication information, or information generated from the authentication information, is then used for remotely accessing the computer resource.
    Type: Grant
    Filed: December 8, 2003
    Date of Patent: October 5, 2010
    Assignee: Research In Motion Limited
    Inventors: Herbert A. Little, Michael G. Kirkup, Ian M. Robertson
  • Patent number: 7809130
    Abstract: A system, method and computer program product for recovering a password including, for each possible password to be tested, generating a periodicity unit based on a number of symbols in the password and a size of a chunk used by a one-way function to encrypt the password. The periodicity unit is substantially shorter than an input string, that includes replicated actual password used to encrypt the password. Based on the periodicity unit, using the one-way function, generating a control value for the periodicity unit. The control value is tested for a match with a control value generated from the actual password. An indication of a match is provided to a user.
    Type: Grant
    Filed: June 11, 2006
    Date of Patent: October 5, 2010
    Assignee: Elcomsoft Co. Ltd.
    Inventors: Oleg A. Kalyadin, Alexander G. Ivanov, Andrey V. Belenko
  • Patent number: 7809137
    Abstract: In a job allocation control apparatus, whether or not a job has security setting is discriminated, if it is decided that the job has the security setting, this job is set to a scheduling target to a clean device, and if it is decided that the job does not have the security setting, this job is set to a scheduling target to a non-clean device. When a process of the job having the security setting as a scheduling target to the clean device cannot be executed, the job having the security setting is set to the scheduling target to the non-clean device. Whether or not the non-clean device satisfies a predetermined condition is discriminated. If the predetermined condition is satisfied, the job having the security setting is transmitted to the non-clean device.
    Type: Grant
    Filed: January 31, 2006
    Date of Patent: October 5, 2010
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yasuo Mori
  • Patent number: 7810132
    Abstract: Objects on application servers are distributed to one or more application servers; a user is allowed to declare in a list which objects residing on each application server are to be protected; the list is read by an interceptor; responsive to exportation of a Common Object Request Broker Architecture (“CORBA”) compliant Interoperable Object Reference (“IOR”) for a listed object, the interceptor associates one or more application server security flags with interfaces to the listed objects by tagging components of the IOR with one or more security flags; and one or more security operations are performed by an application server according to the security flags tagged to the IOR when a client accesses an application server-stored object, the security operations including an operation besides establishing secure communications between the client process and the server-stored object.
    Type: Grant
    Filed: May 20, 2008
    Date of Patent: October 5, 2010
    Assignee: International Business Machines Corporation
    Inventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung, Carlton Keith Mason, Ajaykumar Karkala Reddy, Vishwanath Venkataramappa
  • Patent number: 7809354
    Abstract: Methods, apparatuses and systems directed to detecting address spoofing in wireless networks by, after receiving a wireless management frame, transmitting verification messages to determine whether a given wireless node (e.g., a wireless access point, or wireless client) has legitimately lost its connection state.
    Type: Grant
    Filed: March 16, 2006
    Date of Patent: October 5, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Patrice R. Calhoun, Nancy Cam-Winget, Mark Krischer, Robert B. O'Hara, Jr.
  • Publication number: 20100250946
    Abstract: Systems and methods for developing an application for a data processing device using a portal, such as a world wide web portal. In one exemplary method, an application signing certificate is generated using the portal, and the portal designates the data processing device using a unique device identifier. A unique application identifier for the application is created using the portal. An application provisioning file is created using the portal. The application provisioning profile comprises the application signing certificate, the unique application identifier, and the unique device identifier.
    Type: Application
    Filed: April 23, 2009
    Publication date: September 30, 2010
    Inventors: Michael D. Korte, Lisa M. Tyerman, Norman Norris, Nicole Dodge Naidu, Eric Kelley, Nitin Mishra
  • Publication number: 20100246811
    Abstract: A method of verifying a password and methods of encryption and decryption using a key generated from a one-time pad. In one embodiment, the method of verifying includes: (1) receiving a password attempt, (2) retrieving a pointer from memory, (3) searching a one-time pad based on the pointer to retrieve a password, (4) comparing the password attempt with the password and (5) generating a new pointer if the password attempt matches the password.
    Type: Application
    Filed: March 25, 2009
    Publication date: September 30, 2010
    Applicant: LSI Corporation
    Inventor: Lloyd W. Sadler
  • Patent number: 7805755
    Abstract: A method and system for authorization of applications executing on a device having a key store. Applications obtain an application-level ticket to permit access to one or more key values located in the key store. Each ticket is securely associated with an application and being generated on the determination that the application is a trusted application. Tickets are potentially associated with one key value in the key store, with a subset of key values in the key store, or with all key values in the key store. Access to key values by an application is possible independently of a user providing a password for each such access.
    Type: Grant
    Filed: November 26, 2004
    Date of Patent: September 28, 2010
    Assignee: Research In Motion Limited
    Inventors: Michael K. Brown, Michael S. Brown, Herbert A. Little, Michael G. Kirkup, Neil P. Adams
  • Publication number: 20100242101
    Abstract: A computing system for managing a virtual server includes a machine remote from the virtual server that operates a provisioning service, a credentials server remote from the virtual server, and at least one guest server manager running on a guest host associated with the virtual server. The provisioning service obtains credentials from the credentials server and delivers them to the at least one guest server manager. The server manager acts under the direction of the provisioning service.
    Type: Application
    Filed: March 20, 2009
    Publication date: September 23, 2010
    Inventor: George Edward Reese, Jr.
  • Patent number: 7802297
    Abstract: A method and apparatus are provided for creating a personal area network with a wireless keyboard, comprising generating a text message on a keyboard integrated display to prompt a user to enter a password, determining all available personal area network devices and displaying a subset of the available personal area network devices based upon access permissions associated with the password. Generally, the wireless keyboard includes logic for generating prompts to a user to create a master password and user passwords with defined access privileges. Moreover, a user, by utilizing the display, may select alternate or additional devices with which to couple. In one embodiment, the wireless keyboard is further operable to send and receive text messages with a cell phone which are further propagated through a cellular network using legacy text message protocols.
    Type: Grant
    Filed: May 23, 2005
    Date of Patent: September 21, 2010
    Assignee: Broadcom Corporation
    Inventors: James D. Bennett, Jeyhan Karaoguz
  • Patent number: 7802293
    Abstract: A secure and transparent digital credential sharing arrangement which utilizes one or more cryptographic levels of indirection to obfuscate a sharing entity's credentials from those entities authorized to share the credentials. A security policy table is provided which allows the sharing entity to selectively authorize or revoke digital credential sharing among a plurality of entities. Various embodiments of the invention provide for secure storage and retrieval of digital credentials from security tokens such as smart cards. The secure sharing arrangement may be implemented in hierarchical or non-hierarchical embodiments as desired.
    Type: Grant
    Filed: April 5, 2006
    Date of Patent: September 21, 2010
    Assignee: ActivIdentity, Inc.
    Inventors: John Jules Alexander Boyer, Eric Fernand Le Saint
  • Publication number: 20100235893
    Abstract: A system and method for associating message addresses with certificates, in which one or more secondary message addresses are identified and associated with a user-selected certificate. The secondary message addresses are saved in a data structure that resides in a secure data store on a computing device, such as a mobile device. When a message is to be encrypted and sent to an individual using a particular certificate, an address mismatch would not be detected so long as the address to which the message is to be sent matches any of the message addresses associated with the certificate. The message addresses associated with the certificate include any message addresses contained within the certificate itself (“primary message addresses”) as well as any secondary message addresses that have been subsequently associated with the certificate.
    Type: Application
    Filed: May 27, 2010
    Publication date: September 16, 2010
    Applicant: RESEARCH IN MOTION LIMITED
    Inventors: Neil P. Adams, Michael S. Brown, Herbert A. Little
  • Publication number: 20100231949
    Abstract: An image input apparatus determines whether an image input apparatus that has sent image data is an authorized sender when storing of the image data to a specific storage area is detected. According to a determination result indicating that the image input apparatus is the authorized sender, the image input apparatus applies one or more processes to the image data.
    Type: Application
    Filed: March 9, 2010
    Publication date: September 16, 2010
    Inventor: Shinya Mori
  • Publication number: 20100235867
    Abstract: A multi-room media network includes a network for providing device interconnectivity for receiving and sending data and a plurality of content control devices coupled to the network. Password control for multi-room digital video recorder is provided through the resetting and/or resynchronization of a password for a multi-room digital video recorder.
    Type: Application
    Filed: March 15, 2010
    Publication date: September 16, 2010
    Applicant: Cox Communications, Inc.
    Inventors: Hui Zhao, Craig Smithpeters