Management Patents (Class 726/6)
  • Publication number: 20100235892
    Abstract: A server transmits a message from a sender to a recipient. The server receives from the recipient an attachment relating to the message route between the server and the recipient. The server transmits to the sender the message and the attachment and their encrypted digital fingerprints and expunges the transmitted information. To subsequently authenticate the message and the attachment, the sender transmits to the server what the server has previously transmitted to the sender. The server then prepares a digital fingerprint of the message and decrypts the encrypted digital fingerprint of the message and compares these digital fingerprints to authenticate the message. The server performs the same routine with the attachment and the encrypted digital fingerprint of the attachment to authenticate the attachment. The recipient replies to the sender's message through the server. The server records proof of the delivery and content of the reply to the sender and the recipient.
    Type: Application
    Filed: April 26, 2010
    Publication date: September 16, 2010
    Applicant: RPOST INTERNATIONAL LIMITED
    Inventor: Terrance A. Tomkow
  • Patent number: 7797545
    Abstract: A system and method for registering entities for code signing services. The entities may be software application developers or other individuals or entities that wish to have applications digitally signed. Signing of the applications may be required in order to enable the applications to access sensitive APIs and associated resources of a computing device when the applications are executed on the computing device. In one embodiment, a method of registering entities for code signing services will comprise the step of transmitting at least some account data to the registering individual or entity using an out-of-band communication system. This provides added security that the individual or entity registering for a code signing service is who that individual or entity purports to be.
    Type: Grant
    Filed: September 29, 2005
    Date of Patent: September 14, 2010
    Assignee: Research In Motion Limited
    Inventors: Neil P. Adams, Michael G. Kirkup, Herbert A. Little, David F. Tapuska
  • Patent number: 7797728
    Abstract: According to one embodiment, a computer system is disclosed. The computer system includes a central processing unit (CPU) having a first thread having a first associated thread identification (ID) and a second thread having a second associated thread ID. The computer system also includes a chipset coupled to receive access requests from the CPU and to examine a thread ID included with the access request to determine which thread is requesting access.
    Type: Grant
    Filed: October 27, 2004
    Date of Patent: September 14, 2010
    Assignee: Intel Corporation
    Inventor: David I. Poisner
  • Publication number: 20100228668
    Abstract: A proximity device transmits a first dynamic authentication value contactlessly to a terminal. The first authentication value is included in a discretionary data field of message data arranged in an ISO Track 1 and/or ISO Track 2 format. Message data is sent from the terminal to an issuer. The issuer separately derives a second authentication value and compares it with the first authentication value. An identifier associated with the primary account number (PAN) is also used and transmitted instead of the PAN.
    Type: Application
    Filed: September 8, 2009
    Publication date: September 9, 2010
    Inventors: Edward J. Hogan, Carl M. Campbell, John Wankmueller, Gilles Garon
  • Publication number: 20100229226
    Abstract: Systems and methods to secure authorized access are disclosed. A method includes receiving, at an electronic device, a request to generate function-authorization settings including function-access data associated with a particular function of the electronic device to be protected. The method also includes prompting for and receiving function-access data. The received function-access data includes first function-access data that specifies access credentials of a first user to access the particular function and second function-access data that specifies access credentials of a second user to access the particular function. The method also includes associating the received function-access data with the particular function and storing the function-authorization settings including the received function-access data at a memory of the electronic device.
    Type: Application
    Filed: March 6, 2009
    Publication date: September 9, 2010
    Applicant: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Mehrad Yasrebi, Niral Sheth, James Jackson
  • Publication number: 20100229227
    Abstract: A hardware device connected to a network access point to authenticate itself to a server is disclosed. The device stores authentication software, and applicative data. The device is used to generate a one-time password to uniquely identify itself to a server.
    Type: Application
    Filed: February 18, 2010
    Publication date: September 9, 2010
    Inventors: Luc Andre, Alain Cadio, Michiel Fast
  • Publication number: 20100229225
    Abstract: As individuals increasingly engage in different types of transactions they face a growing threat from, possibly among other things, identity theft, financial fraud, information misuse, etc. and the serious consequences or repercussions of same. Leveraging the ubiquitous nature of wireless devices and the popularity of (Short Message Service, Multimedia Message Service, etc.) messaging, an infrastructure that enhances the security of the different types of transactions within which a wireless device user may participate through a Second Factor Authentication facility. The infrastructure may optionally leverage the capabilities of a centrally-located Messaging Inter-Carrier Vendor.
    Type: Application
    Filed: March 5, 2009
    Publication date: September 9, 2010
    Applicant: Sybase, Inc.
    Inventors: Dilip SARMAH, Kyle Warner Erickson, Rajat Mounendrababu Gadagkar
  • Publication number: 20100229228
    Abstract: A method and apparatus for associating session ticket includes a ticketing authority server. The ticketing authority server receives a ticket generation request and information about a client node. It identifies a master session ticket associated in a storage element with the client node. The ticketing authority server then generates a derivative session ticket for the client node and associates the derivative session ticket with the master session ticket. Finally, the ticketing authority server stores information about the client node and the derivative session ticket in the storage element.
    Type: Application
    Filed: May 19, 2010
    Publication date: September 9, 2010
    Inventor: Timothy Ernest Simmons
  • Patent number: 7792939
    Abstract: A method and a system for obtaining a Security Shell (SSH) host key of a managed device, including: while detecting the managed device, the management station obtaining the related information of the SSH host key in a UDP transport mode. According to the present invention, the management station can obtain the SSH host key and at the same time detect the managed device. As a result, the workload of the distribution management of the host key is reduced and the speed of the host key distribution is increased.
    Type: Grant
    Filed: September 18, 2006
    Date of Patent: September 7, 2010
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Fuyou Miao
  • Patent number: 7792285
    Abstract: A system and method for securely exchanging a plurality of information items used to generate a plurality of encryption keys used in a public key-and-private key system. In accordance with the principles of the invention, elements of exchanged information items, such as public key and synchronizing indicators, are encrypted before the exchange. The information item element is encrypted using an encryption key determined from information items that were previously exchanged. The encryption of information items used to determine subsequent encryption keys provides additional security to the encryption key used in the transmission of informational data as the encrypted elements of the information item must be decrypted before the data message encryption key can be decrypted. The process of exchanging encrypted information items can be repeated until an agreed upon number of encrypting keys is determined.
    Type: Grant
    Filed: July 27, 2006
    Date of Patent: September 7, 2010
    Assignee: Copytele, Inc.
    Inventors: Frank J. DiSanto, Denis A. Krusos
  • Publication number: 20100223466
    Abstract: A highly secure event server receiving and storing encrypted assets and references to those assets over a public wide area network. A system for selectively decrypting and transmitting references to analysis clients such as authenticated mutually unconscious users, and retrieving, decrypting and transmitting certain assets from high-volume storage, distributed storage, or in transit. A method for controlling a plurality of event recordation clients and a plurality of analysis clients transmitting policies and commands requesting upload of assets and obtaining status solely by receiving client initiated sessions.
    Type: Application
    Filed: August 31, 2009
    Publication date: September 2, 2010
    Applicant: Third Iris Corp
    Inventors: Steven Goddard Roskowski, Paul H. Forrester
  • Publication number: 20100223662
    Abstract: The invention relates to a programmable electronic access control system including: an updating unit which operates in conjunction with a central control unit and is provided with management software for global control of installation access. Access elements are associated with the entrance/exit routes, and a credential is associated with each system user. In addition, each updating unit includes means for the bi-directional transfer of data in relation to user credentials, and the central control unit. The updating unit transfers only the information concerning a particular user and the installation closure plan to the user credentials, while receiving information stored on the user credential relating to past events associated therewith, which have been transferred to each of the access elements.
    Type: Application
    Filed: October 1, 2008
    Publication date: September 2, 2010
    Applicant: TALLERES DE ESCORIAZA, S.A.
    Inventors: Julia Vila Errandonea, Mercedes Frances Pedraz
  • Patent number: 7788710
    Abstract: A Centralized Authentication & Authorization (CAA) system that prevents unauthorized access to client data using a secure global hashtable residing in the application server in a web services environment. CAA comprises a Service Request Filter (SRF) and Security Program (SP). The SRF intercepts service requests, extracts the service client's identifier from a digital certificate attached to the request, and stores the identifier in memory accessible to service providers. The client identifier is secured by the SP using a key unique to the client identifier. When the web services manager requests the client identifier, the web services manager must present the key to the SP in order to access the client identifier. Thus, the present invention prevents a malicious user from attempting to obtain sensitive data within the application server once the malicious user has gained access past the firewall.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: August 31, 2010
    Assignee: International Business Machines Corporation
    Inventors: Messaoud Benantar, Yen-Fu Chen, John W. Dunsmoir, Randolph Michael Forlenza, Wei Liu, Sandra Juni Schlosser
  • Patent number: 7788497
    Abstract: A connection pool can use a credential mapper to map credentials for an application server into a credential to use with the database management system. This can allow objects such as an Enterprise Java Bean to access the database with more specific credentials than the anonymous connection pool connection user name/password.
    Type: Grant
    Filed: April 18, 2005
    Date of Patent: August 31, 2010
    Assignee: BEA Systems, Inc.
    Inventors: Fei Luo, Rahul Srivastava
  • Patent number: 7788709
    Abstract: A Virtual Single Account (VSA) system and method that provides a mobile user with automatic authentication and connection to a remote network via local access networks with a single password, where the local access networks may be independent of the remote network. A mobile user has a single authentication credential for one VSA that is utilized by a VSA client installed on a mobile computing device. The VSA client provides for automatically authenticating and connecting the user's mobile device to a current local access network, and the target remote network such as the user's office network. All authentication credentials are encrypted using a key generated from the user's VSA password that is generated from the user's single password. The VSA client derives the key from the submitted VSA password and decrypts all authentication credentials that are required in order to connect the mobile device to the current local access network and thereafter to the office network.
    Type: Grant
    Filed: May 2, 2006
    Date of Patent: August 31, 2010
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: Paul Shala Henry, Zhimei Jiang, Hui Luo, Frederick Kenneth Schmidt, Jr.
  • Patent number: 7788708
    Abstract: A system for delegating authorization relating to an information technology resource is described. The system includes a processor and memory in electronic communication with the processor. A user database is stored in the memory. The user database includes a plurality of user identifications and trusted circle data. Instructions are stored in the memory and are executable to add a new user to the trusted circle data and to provide a user interface for the new user so that the new user is capable of resetting a password for an account owner or of reinstating an account for the account owner.
    Type: Grant
    Filed: October 2, 2007
    Date of Patent: August 31, 2010
    Assignee: PresenceID, Inc.
    Inventors: David A. Doane, Douglas Jock Walker
  • Patent number: 7788703
    Abstract: Systems and methods for authentication using paired dynamic secrets in secured wireless networks are provided. Each authenticated user is assigned a random secret generated so as to be unique to the user. The secret is associated with a wireless interface belonging to the user, so that no other wireless interface may use the same secret to access the network. The secret may be updated either periodically or at the request of a network administrator, and reauthentication of the wireless network may be required.
    Type: Grant
    Filed: April 18, 2007
    Date of Patent: August 31, 2010
    Assignee: Ruckus Wireless, Inc.
    Inventors: Tyan-Shu Jou, Ming Sheu, Bo-Chieh Yang, Tian-Yuan Lin, Ted Tsei Kuo
  • Publication number: 20100218242
    Abstract: Methods and systems of providing security backup services to a home network are described. In one embodiment, the gateway for a home network is registered with a service provider. A network device is enrolled with the home network, and periodically reenrolls. The device detects whether the gateway has been replaced between enrolling and reenrolling, and if it has been replaced, determines whether the new network gateway has been endorsed by the service provider.
    Type: Application
    Filed: May 4, 2010
    Publication date: August 26, 2010
    Applicant: CISCO TECHNOLOGY, INC.
    Inventor: Mark John Baugher
  • Patent number: 7784052
    Abstract: A terminal comprising resources, a terminal for downloading an application program, wherein the application program is stored in the terminal, and wherein the terminal further comprises a device layer for detecting if the application program activates at least one function endangering at least one resource of the terminal. The device layer determines if the number of activations during a predetermined time period is greater than a predetermined value, and the terminal deletes the application program from the terminal in this case.
    Type: Grant
    Filed: December 20, 2004
    Date of Patent: August 24, 2010
    Assignee: Alcatel Lucent
    Inventor: Laurent Dufeutrelle
  • Patent number: 7783892
    Abstract: This invention describes a system and methods for media content subscription service distribution; typical services include cable television, premium content channels, pay-per-view, XM radio, and online mp3 services. Subscribers use portable electronic devices to store digital certificates certifying the subscriber's privileges and an assigned public key. The devices can communicate with specially enabled televisions, radios, computers, or other media presentation apparatuses. These, in turn, can communicate with central databases owned by the provider, for verification purposes. Methods of the invention describe media content subscription service privilege issuing and use. The invention additionally describes methods for protecting media content transmitted to users with a variety of encryption schemes.
    Type: Grant
    Filed: June 1, 2004
    Date of Patent: August 24, 2010
    Assignee: Privaris, Inc.
    Inventors: David C. Russell, Barry W. Johnson, Kristen R. Olvera
  • Publication number: 20100211791
    Abstract: A hardware multimedia endpoint is located on an adapter card of a personal computer system and comprises an interface for interfacing to the computer system and a processor for receiving cryptographic information from the computer, for processing the cryptographic information and for outputting cryptographic information to the computer. This exchange of cryptographic information is performed such that an authentication procedure with a third party, which is different from the computer, is established for the purpose of decrypting encrypted media content.
    Type: Application
    Filed: April 29, 2010
    Publication date: August 19, 2010
    Inventors: ANDREAS ECKLEDER, Richard Lesser
  • Publication number: 20100211796
    Abstract: A method and system for secure automatic user login to a destination website in a single action, without the use of a file manager, cookies, or without storing user login information in a data folder having restricted access or that is external to the user PC. A user computer having a display, a mouse, and a browser is activated for establishing an Internet connection. The connection may be established from the user computer to the destination website with a single mouse click or a single touch on a displayed vendor icon or other symbol placed on a displayed graphic of the user PC display such as the desktop, task bar, or tool bar during a prior setup process. During the setup, an encrypted token is produced encrypting the user credential information. The encrypted token may be stored in the user data folder.
    Type: Application
    Filed: April 30, 2010
    Publication date: August 19, 2010
    Inventors: Kurt Gailey, Kirkland M. Godby
  • Publication number: 20100212000
    Abstract: A method, system, and computer program product for authenticating a user. A first server of a plurality of servers receives an access request from the user to access a federated computing environment that comprises multiple servers. After receiving the access request, the first server: receives input authentication information from the user, obtains a server address of a second server having an authentication policy that matches an authentication policy of the first server, transmits the input authentication information to the second server via the server address of the second server, receives from the second server a notification that the second server has successfully authorized the user, and permits the user to access the federated computing environment.
    Type: Application
    Filed: April 27, 2010
    Publication date: August 19, 2010
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Masahiro Takehi
  • Patent number: 7779265
    Abstract: An item inheritance system and method are provided. The item inheritance system can be employed to propagate access control information (e.g., an access control list) to one or more item(s), thus facilitating security of item(s). At least one of the item(s) is a compound item. The item inheritance system includes an input component that receives information associated with one or more items. The items can include container(s), object(s) and/or compound item(s). The system can be triggered by a change in security policy to the item(s), for example, adding and/or deleting a user's access to the item(s). Additionally, moving and/or copying a collection of items can further trigger the system. The system further includes a propagation component that propagates access control information to the item(s). For example, the propagation component can enforce the ACL propagation policies when a change to the security descriptor takes place at the root of a hierarchy.
    Type: Grant
    Filed: December 13, 2005
    Date of Patent: August 17, 2010
    Assignee: Microsoft Corporation
    Inventors: Kendarnath A. Dubhashi, Balan Sethu Raman, Paul J. Leach, Prasanna V. Krishnan
  • Patent number: 7779455
    Abstract: Method for monitoring the usage of a service by a communication device coupled to a tamper resistant module, in particular a smart card. A said service is transmitted from a resource able to communicate with said communication device by way of a network. The service comprises a plurality of encrypted data flow and its use comprises successive decryption steps of data flow by a respective first key EK, said first key EK being encrypted in the data flow and decrypted in the tamper resistant module by way of a second key KEK stored in said tamper resistant module or derived inside said module. The invention is characterized in that said method comprises the following steps: a. A counting step, in which a memory location stores a count of occurrences of decryption steps of said first key EK attached to a same service; b. A using step, in which said counter is used to prove the amount of data flow which has been decrypted.
    Type: Grant
    Filed: July 12, 2004
    Date of Patent: August 17, 2010
    Assignee: AXALTO SA
    Inventor: Jorge Abellan Sevilla
  • Patent number: 7779268
    Abstract: Biometric parameters acquired from human faces, voices, fingerprints, and irises are used for user authentication and access control. Because the biometric parameters are continuous and vary from one reading to the next, syndrome codes are applied to determine biometric syndrome vectors. The biometric syndrome vectors can be stored securely while tolerating an inherent variability of biometric data. The stored biometric syndrome vector is decoded during user authentication using biometric parameters acquired at that time. The syndrome codes can also be used to encrypt and decrypt data.
    Type: Grant
    Filed: November 29, 2006
    Date of Patent: August 17, 2010
    Assignee: Mitsubishi Electric Research Laboratories, Inc.
    Inventors: Stark C. Draper, Ashish Khisti, Emin Martinian, Anthony Vetro, Jonathan S. Yedidia
  • Patent number: 7779248
    Abstract: An improved network architecture employs a super authority having an identity catalog to direct login authentication tasks to appropriate authorities. Authentication tasks may be performed by authorities across namespace boundaries if so directed by the super authority, such that a principal account may be moved without alteration of the account ID. In an embodiment of the invention, the identity catalog comprises a listing associating account IDs with appropriate authenticating authorities.
    Type: Grant
    Filed: March 18, 2008
    Date of Patent: August 17, 2010
    Assignee: Microsoft Corporation
    Inventors: Jeffrey B. Parham, Brendan Dixon, Murli Satagopan, Richard Bruce Ward
  • Patent number: 7779451
    Abstract: In an embodiment, a method is provided. The method of this embodiment provides receiving a packet having a wake-up pattern, and waking up if the wake-up pattern corresponds to one of a number of dynamically modifiable passwords on a pattern wake list, each of the dynamically modifiable passwords being based, at least in part, on a seed value.
    Type: Grant
    Filed: March 30, 2006
    Date of Patent: August 17, 2010
    Assignee: Intel Corporation
    Inventor: Avigdor Eldar
  • Patent number: 7779460
    Abstract: An evidence-based policy manager generates a permission grant set for a code assembly received from a resource location. The policy manager executes in a computer system (e.g., a Web client or server) in combination with the verification module and class loader of the run-time environment. The permission grant set generated for a code assembly is applied in the run-time call stack to help the system determine whether a given system operation by the code assembly is authorized. The policy manager may determine a subset of the permission grant set based on a subset of the received code assembly's evidence, in order to expedite processing of the code assembly. When the evidence subset does not yield the desired permission subset, the policy manager may then perform an evaluation of all evidence received.
    Type: Grant
    Filed: April 17, 2007
    Date of Patent: August 17, 2010
    Assignee: Microsoft Corporation
    Inventors: Gregory D. Fee, Brian Pratt, Sebastian Lange, Loren Kohnfelder
  • Publication number: 20100205660
    Abstract: A system, method and program product for recording the creation of a cancelable biometric reference template in a biometric event journal record. The method includes providing a base biometric reference template having a unique base reference template identifier that uniquely identifies base biometric data collected for an individual, applying a data transform function having a first function key value to the base biometric reference template to create one cancelable biometric reference template and recording the one cancelable biometric reference template in a biometric event journal record. The method further includes creating additional cancelable biometric reference templates using different function key values of the data transform function. The method further includes encrypting the data transform function and the function key value applied to the base biometric reference template.
    Type: Application
    Filed: February 12, 2009
    Publication date: August 12, 2010
    Applicant: International Business Machines Corporation
    Inventor: Phillip H. Griffin
  • Publication number: 20100205047
    Abstract: A method and system is described for distributing electronic recipes within an electronic cookbook system. The electronic cookbook system is comprised of an electronic cooking device, electronic cooking server, and preferably an electronic cooking website. Particularly, a method and system of distributing a promotional electronic recipe is described, wherein the promotional electronic recipe is efficiently received, stored, and organized by a user's electronic cookbook device.
    Type: Application
    Filed: February 12, 2009
    Publication date: August 12, 2010
    Inventor: Denis Khoo
  • Publication number: 20100205661
    Abstract: A method of establishing protected electronic communication between various electronic devices equips users beforehand with a personal electronic identity gadget bearing no information about the user identity. Only at the first connection of the blank personal gadget to the electronic devices of an arbitrary electronic service provider, and/or to local electronic devices, the personal electronic identity gadget and the electronic devices and/or the local electronic devices mutually generate a verifiable electronic identity, which is stored in the personal electronic identity gadget and in the electronic devices and/or local electronic devices, for the needs of further mutual electronic communication, separately from other identities and without the knowledge of personal data about the user.
    Type: Application
    Filed: July 4, 2008
    Publication date: August 12, 2010
    Inventor: Libor Neumann
  • Patent number: 7774483
    Abstract: A service policy manager may be used to enable a first subscriber in a community to administer rules on another subscriber in the same community. A service selection gateway (SSG) may then be configured according to the rules to provide services according to the rules. As a result, the services provided to a subscriber depend not just on the individual profile of the subscriber, but also potentially on the rules administered by other members of the communities the subscriber is a part of.
    Type: Grant
    Filed: July 8, 2002
    Date of Patent: August 10, 2010
    Assignee: Cisco Technology, Inc.
    Inventor: Vinodh Kumar Ravindranath
  • Patent number: 7774829
    Abstract: The present invention relates to a method or system which is able to control access to a new computer user password reset. The system is preloaded with a random password that does not need to be known by anyone. There are two main situations in which this method will be used. The first situation involves a locally managed password and account where the user does not log in to a domain. The second situation involves remote management, where the user logs in to a domain.
    Type: Grant
    Filed: June 20, 2006
    Date of Patent: August 10, 2010
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Rod D. Waltermann, Mark Charles Davis, Scott Edward Kelso, John Carl Mese, Nathan J. Peterson, Arnold S. Weksler
  • Publication number: 20100199337
    Abstract: A system and method for controlling access to a resource is provided. A user provides input to the system. Based on the user inputs, a security code may be automatically assembled by extracting stored data. If the assembled security code matches a required value, access may be granted. Otherwise, the user may be denied access to the resource.
    Type: Application
    Filed: April 12, 2010
    Publication date: August 5, 2010
    Applicant: STELOR PRODUCTIONS, LLC
    Inventor: Marek R. KOWAL
  • Publication number: 20100199336
    Abstract: The present invention provides systems and processes for transforming any system that implements a static password authentication or 1st-factor authentication so as to enforce strong 2-factor authentication, requiring the user to present both a static password and a dynamic password, without having to modify the existing system.
    Type: Application
    Filed: February 4, 2010
    Publication date: August 5, 2010
    Applicant: Data Security Systems Solutions Pte. Ltd.
    Inventor: Teik Guan TAN
  • Publication number: 20100199335
    Abstract: Provided is a communication system-decentralized terminal control method that can prevent terminals from having the same communication system.
    Type: Application
    Filed: January 29, 2010
    Publication date: August 5, 2010
    Applicant: NEC Infrontia Corporation
    Inventor: Yasuomi Ooki
  • Patent number: 7770213
    Abstract: One embodiment of the present invention provides a system that facilitates securely forgetting a secret. During operation, the system obtains a set of secrets which are encrypted with a secret key Si, wherein the set of secrets includes a secret to be forgotten and other secrets which are to be remembered. Next, the system decrypts the secrets to be remembered using Si, and also removes the secret to be forgotten from the set of secrets. The system then obtains a new secret key Si+1, and encrypts the secrets to be remembered using Si+1. Finally, the system forgets Si.
    Type: Grant
    Filed: April 17, 2006
    Date of Patent: August 3, 2010
    Assignee: Oracle America, Inc.
    Inventors: Radia J. Perlman, Anton B. Rang
  • Publication number: 20100192207
    Abstract: Various embodiments are disclosed for a services policy communication system and method. In some embodiments, a network device executes a service controller for a plurality of device groups, in which the service controller includes a capability to securely partition one or more device group database partitions, each device group partition includes service controller system settings, and each device group includes a plurality of communication devices controlled by a virtual service provider.
    Type: Application
    Filed: March 2, 2009
    Publication date: July 29, 2010
    Inventor: Gregory G. Raleigh
  • Publication number: 20100192208
    Abstract: A system and method for preventing an administrator impersonating a user from accessing sensitive resources on a target system is provided. The method comprises receiving a first request from a user to change the user's password on a target system to be changed, sending a “change password” request for the user to the target system, storing the user's new password, receiving a second request from the target system on behalf of the user for access to a sensitive resource, wherein the second request contains information about the user's password, and denying the second request if the information about the user's password is not consistent with the user's stored new password.
    Type: Application
    Filed: June 11, 2008
    Publication date: July 29, 2010
    Inventor: Ulf Mattsson
  • Patent number: 7765586
    Abstract: A method and system for incorporating trusted metadata in a computing environment is described. One illustrative embodiment is a system comprising at least one functional module configured to query a personalized database of trusted metadata including at least one report from an informer network that includes the computer user and at least one informer, each informer in the informer network being trusted by the computer user either directly or indirectly, each indirectly trusted informer being trusted directly by at least one other informer in the informer network, each of the at least one report including a subjective assertion regarding the quality of an item or an expression of a degree of trust in an informer; and at least one functional module configured to perform a task in the computing environment based at least in part on results of a query of the personalized database of trusted metadata.
    Type: Grant
    Filed: June 20, 2006
    Date of Patent: July 27, 2010
    Assignee: Lijit Networks, Inc.
    Inventor: Stanley James
  • Patent number: 7765604
    Abstract: A client receives encrypted content from a content server. The header of the content includes license-identifying information for identifying a license required to utilize the content. The client requests a license server to transmit the license identified by the license-identifying information. When receiving the request for a license, the license server carries out a charging process before transmitting the license to the client. The client stores the license received from the license server. The stored license serves as a condition for encrypting and playing back the content. As a result, content can be distributed with a high degree of freedom and only an authorized user is capable of utilizing the content.
    Type: Grant
    Filed: April 5, 2007
    Date of Patent: July 27, 2010
    Assignee: Sony Corporation
    Inventors: Koichi Tanaka, Itaru Kawakami, Yoshisuke Kuroda, Ryuji Ishiguro
  • Patent number: 7765298
    Abstract: The present invention pertains to a system for managing network access to resources that allows a first entity to impersonate a second entity. In one embodiment, the first entity can impersonate the second entity without knowing the second entity's password and/or without altering anything in the entity's set of personal information. This invention provides the first entity with the ability to troubleshoot in a live production system without disrupting the users or the system. In one embodiment, the first entity authenticates as itself. Access to resources is provided in response to an authorization process based on the identity of the entity being impersonated.
    Type: Grant
    Filed: November 16, 2006
    Date of Patent: July 27, 2010
    Assignee: Oracle International Corporation
    Inventor: Francisco J. Villavicencio
  • Publication number: 20100185537
    Abstract: A system and methodology that facilitates management of a single identity and billing relationship for multiple UE (user equipment) associated with a subscriber is provided. Specifically, each of the multiple UEs can employ LTE (Long Term Evolution) radio technology to authenticate and register with a femto access point. Further, the transport level billing associated with the multiple UE can be facilitated by the femto access point by employing a femto id (identity) and/or credentials. Moreover, the femto access point can be employed by the multiple UEs as a network hub and can be employed by the UEs to perform authentication to connect to a core network. In addition, the femto access point can determine an authorized IP cloud associated with a registered UE and allow the registered UE to access only the authorized IP cloud.
    Type: Application
    Filed: January 21, 2009
    Publication date: July 22, 2010
    Applicant: AT&T MOBILITY II LLC
    Inventor: Farooq Bari
  • Patent number: 7761552
    Abstract: A computer apparatus which integrates at least two or more services of user management domains has a processor, a memory and an interface. The processor receives an access request, specifies an access source domain, specifies an access target domain, and judges whether the specified access source domain matches the specified access target domain. If the access source domain is different from the access target domain, the processor extracts a user ID of the specified access source domain from the received access request, and refers to ID conversion information indicating correspondence of user IDs between the user management domains whose services are integrated to convert the extracted user ID of the access source domain into a user ID of the specified access target domain. Thus, loads of configuration at the time of service integration are reduced.
    Type: Grant
    Filed: January 22, 2008
    Date of Patent: July 20, 2010
    Assignee: Hitachi, Ltd.
    Inventors: Takaki Nakamura, Yasuo Yamasaki, Hitoshi Kamei
  • Patent number: 7761520
    Abstract: A server system has a function to send management information in response to a management information transmission order from an external manager as well as relates to a server which is a component of the server system. It is capable of acquiring object management information by specifying the same object ID both when a manager acquires server management information via a management section and when the manager instructs a server directly to send management information. Not only the management section, but also the servers use SNMP proxy functions. Also, the same objects as those defined in the MIB tree of the management section are defined in the MIB tree of each server and SNMP proxy settings are made for each server in such a way as to convert the OIDs of the defined objects into desired OIDs in the MIB tree of the server itself.
    Type: Grant
    Filed: December 27, 2004
    Date of Patent: July 20, 2010
    Assignee: Fujitsu Limited
    Inventor: Takafumi Fujimori
  • Patent number: 7761848
    Abstract: A method and computer program product for building a multiple layer object-oriented software application with reusable components. The method includes the steps of creating business classes containing business logic for the software application; reading templates utilizing reusable components from a template solution file; and generating programming code for the software application based on the created business classes and selected template. The multiple layers include a data layer, a data access layer, a business logic layer and a user interface layer with executable logic for each layer placed into a corresponding assembly data structure. Security tokens are required to access the classes and methods in either the business logic assembly or data access assembly. A serializable data assembly includes container classes that are used to pass data between the business logic layer and data access layer when a dataset or data table is not appropriate.
    Type: Grant
    Filed: March 15, 2005
    Date of Patent: July 20, 2010
    Assignee: Open Invention Network, LLC
    Inventor: Mary Ellen Chaffin
  • Patent number: 7761905
    Abstract: The invention relates to a system and a method for assigning access rights in a computer system. The system transforms an existing system of access rights to a more structured system. In many cases this is a prerequisite such that role-based administration can be used. The method identifies the existing system of access rights and identifies new roles by means of a correlation approach. New roles are created and all old roles are deleted. All direct access rights are avoided making an administration of the system easier and the computer system more secure.
    Type: Grant
    Filed: September 27, 2005
    Date of Patent: July 20, 2010
    Assignee: International Business Machines Corporation
    Inventor: Ruediger Kern
  • Patent number: 7761910
    Abstract: A power management architecture for an electrical power distribution system, or portion thereof, is disclosed. The architecture includes multiple intelligent electronic devices (“IED's”) distributed throughout the power distribution system to manage the flow and consumption of power from the system. The IED's are linked via a network to back-end servers. Security mechanisms are further provided which protect and otherwise ensure the authenticity of communications transmitted via the network in furtherance of the management of the distribution and consumption of electrical power by the architecture. In particular, public key cryptography is employed to identify components of the architecture and provide for secure communication of power management data among those components. Further, certificates and certificate authorities are utilized to further ensure integrity of the security mechanism.
    Type: Grant
    Filed: November 30, 2004
    Date of Patent: July 20, 2010
    Assignee: Power Measurement Ltd.
    Inventors: Douglas S. Ransom, Eric K. Haight, Andrew W. Blackett, David A. Chivers, Anthony J. Howe, Benedikt T. Huber, Brian T. Nakagawa, John C. Van Gorp
  • Patent number: 7761715
    Abstract: A method (as well as system and signal-bearing medium) of processing biometric data, includes receiving biometric data including a data set P, selecting a secure hash function h, and for each data set P to be collected, computing h(P), destroying the data set P, and storing h(P) in a database, wherein data set P cannot be extracted from h(P).
    Type: Grant
    Filed: December 10, 1999
    Date of Patent: July 20, 2010
    Assignee: International Business Machines Corporation
    Inventors: Andrea Califano, Stephen Carl Kaufman, Marco Martens, William Robert Pulleyblank, Gustavo Alejandro Stolovitzky, Charles Philippe Tresser, Chai Wah Wu