Management Patents (Class 726/6)
-
Publication number: 20100122318
Abstract: A policy-based management mechanism is provided, whereby the mechanism provides for at least the controlling of access to network resources, the integration of different frameworks into a common open standard, and modular components for assembling integrated data and voice services. The mechanism accomplishes this by using an access management component that checks for access credentials, a service management component that identifies which resources are available to a requestor of resources, and a resource management component that manages the requested resources. In one exemplary implementation, a fourth component, the policy management component links the first three components such that a resource request gains access to resources based on policy decisions determined by the fourth component for the first three components.
Type: Application
Filed: December 30, 2009
Publication date: May 13, 2010
Applicant: CINGULAR WIRELESS II, LLC
Inventor: Q. James Hu
-
Publication number: 20100122331
Abstract: Embodiments are directed towards employing a plurality of single use passwords to provide phishing detection and user authentication. A user receives a plurality of single use passwords that expire within a defined time period after having been sent to a registered device. During a login attempt, the user enters a user name and a requested one of the passwords, which once entered expires. If valid, the user then enters a portion of another password to complete a displayed portion of a password, and a specified other one of passwords. If the displayed portion of the other passwords does not match any portion of one of passwords, then the user may detect a phishing attempt and terminate the login. If the user correctly enters the password data, the user may then access secured data. Each new login request requires a different set of passwords to be used.
Type: Application
Filed: November 13, 2008
Publication date: May 13, 2010
Applicant: Yahoo! Inc.
Inventors: Tak Yin Wang, Patrick Wong
-
Patent number: 7716721
Abstract: Automatically re-authenticating a computing device seeking access to a network or a resource. A method comprises forwarding a request received from the computing device to an authentication device to enable the authentication device to authenticate the computing device using a full-authentication mechanism. State information related to authenticating the computing device is created from authenticating the computing device. The state information is received and stored. For example, an authenticator device that forwarded the initial authentication request from the computing device to the authentication device receives and stores the state information. The computing device is re-authenticated using the stored state information without again contacting the authentication device.
Type: Grant
Filed: October 18, 2005
Date of Patent: May 11, 2010
Assignee: Cisco Technology, Inc.
Inventors: Arthur Zavalkovsky, Alexey Kobozev, Joseph Salowey, Ilan Frenkel
-
Patent number: 7715565
Abstract: A system for encrypting a data encryption key includes a key encryption key generator configured to receive a public portion of a label, the label including an asymmetric key pair of the public portion and a private portion, the key encryption key generator being further configured to process the public portion of the label to obtain a key encryption key, and a data encryption key encoder configured to receive the key encryption key from the key encryption key generator and to receive a data encryption key from a random number generator, the encoder being further configured to encrypt the data encryption key using the key encryption key to produce an encrypted data encryption key and to provide the encrypted data encryption key to an encryption device.
Type: Grant
Filed: July 29, 2005
Date of Patent: May 11, 2010
Assignee: InfoAssure, Inc.
Inventors: Gerald D. Kimmel, Ersin L. Domangue, Francis J. Adamouski
-
Publication number: 20100114750
Abstract: A communication device and method for securing an Internet bank account include setting an alarm password and an access password corresponding to the Internet bank account, accessing the website of the Internet bank, and generating an activation command and the access password if the alarm password is input. The communication device and method further include executing the activation command to activate a global position system to acquire location information, sending an alarm message to a receiving device of the one or more emergency dispatchers, and sending the access password to the website of the Internet bank so as to log into the Internet bank account.
Type: Application
Filed: August 26, 2009
Publication date: May 6, 2010
Applicants: SHENZHEN FUTAIHONG PRECISION INDUSTRY CO., LTD., CHI MEI COMMUNICATION SYSTEMS, INC.
Inventor: XIN XU
-
Patent number: 7712129
Abstract: Method and system for user authentication in a federated computing environment. The method includes a first method for recording server authentication information, including: establishing a trusting relationship between a first and second server, obtaining an authentication policy of the second server, and registering the authentication policy of the second server within the first server. The method includes a second method for registering new user authentication information of a new user, including: verifying that the new user authentication information conforms to an authentication policy of the first server, and registering the new user authentication information in the first server.
Type: Grant
Filed: February 14, 2005
Date of Patent: May 4, 2010
Assignee: International Business Machines Corporation
Inventor: Masahiro Takehi
-
Patent number: 7711959
Abstract: The present invention relates to a method for handling or transmitting encrypted user data objects. According to such method, a data preparation component (D) of a data preparation system provides user data objects. The data preparation component first encrypts a user data object that has been prepared. It then determines a checksum of the encrypted user data object and creates a container data object (DCF), in which the encrypted user data object and the determined checksum are provided. The container data object is subsequently transmitted to a first telecommunications device (A). Preferably, in order to use the encrypted user data object, the data preparation component (D) transmits descriptive information (BI1) containing a description of the possible usage rights for the encrypted user data object to the telecommunications device (A).
Type: Grant
Filed: August 14, 2003
Date of Patent: May 4, 2010
Assignee: Gigaset Communications GmbH
Inventors: Andreas Schmidt, Markus Trauberg
-
Patent number: 7711952
Abstract: System and method are disclosed for securing and managing individual end-user platforms as part of an enterprise network. The method/system of the invention has three main components: a security module, a manager appliance, and a console appliance. The security module enforces the enterprise licenses and security policies for the end-user platforms while the manager appliance provides secure, centralized communication with, and oversight of, the security module. The console appliance allows an administrator to access the manager appliance for purposes of monitoring and changing the licenses. Security is established and maintained through an innovative use of data encryption and authentication procedures. The use of these procedures allows the appliances to be uniquely identified to one another, which in turn provides a way to dynamically create unique identifiers for the security modules.
Type: Grant
Filed: September 13, 2005
Date of Patent: May 4, 2010
Assignee: Coretrace Corporation
Inventors: Daniel M. Teal, Richard S. Teal, Todd A. Schell
-
Patent number: 7712126
Abstract: Methods and devices provide dynamic security management in an apparatus, such as a mobile telephone terminal. The apparatus includes a platform for running an application; a security manager for handling access of the application to functions existing in the apparatus; an application interface (API) between the platform and the application; a set of access permissions stored in the apparatus and used by the security manager for controlling access of the application to functions through the application interface. Methods can include downloading into the apparatus an object containing access permissions applicable to at least one function; verifying the object; and installing the access permissions together with the existing permissions.
Type: Grant
Filed: February 8, 2005
Date of Patent: May 4, 2010
Assignee: Sony Ericsson Mobile Communications AB
Inventors: Stefan Andersson, Par-Anders Aronsson
-
Publication number: 20100107230
Abstract: A system, method and apparatus authenticates and protects an Internet Protocol (IP) user-end device by providing a client-based security software resident on the IP user-end device, authenticating the IP user-end device using the client-based security software and a network security node communicably coupled to the IP user-end device, authenticating a user of the IP user-end device whenever a trigger condition occurs using an in-band channel between the client-based security software and the network security node, and protecting the IP user-end device by: (a) screening incoming IP traffic to the IP user-end device using the client-based security software, and (b) detecting an attack or a threat involving the IP user-end device using the network security node.
Type: Application
Filed: October 21, 2009
Publication date: April 29, 2010
Applicant: Sipera Systems, Inc.
Inventors: Satyam Tyagi, Guru-Prasad Thodime-Venkata
-
Publication number: 20100107229
Abstract: A method and apparatus for time-based one-time password generation using a wireless communications device for two-factor authentication are described. The computer-implemented method comprising detecting launch of a security code generation application on a wireless communications device, generating a first unique security code upon launching the application, displaying the first security code on the wireless communications device, determining based on time whether to generate a new unique security code, and displaying the new unique security code.
Type: Application
Filed: October 29, 2008
Publication date: April 29, 2010
Inventors: Maryam Najafi, Len Osamu Toyoshiba
-
Patent number: 7707637
Abstract: A method and system are provided for managing a security threat in a distributed system. A distributed element of the system detects and reports suspicious activity to a threat management agent. The threat management agent determines whether an attack is taking place and deploys a countermeasure to the attack when the attack is determined to be taking place. Another method and system are also provided for managing a security threat in a distributed system. A threat management agent reviews reported suspicious activity including suspicious activity reported from at least one distributed element of the system, determines, based on the reports, whether a pattern characteristic of an attack occurred, and predicts when a next attack is likely to occur. Deployment of a countermeasure to the predicted next attack is directed in a time window based on when the next attack is predicted to occur.
Type: Grant
Filed: March 28, 2008
Date of Patent: April 27, 2010
Assignee: Microsoft Corporation
Inventors: Christopher G. Kaler, Giovanni Moises Della-Libera, John P. Shewchuk
-
Patent number: 7707625
Abstract: In a method of monitoring a group of credential processing devices, credential substrates are processed using the credential processing devices of the group. Next, event outputs are received. Each event output relates to an occurrence of a process event during the processing of the substrate by one of the devices. Finally, a relative condition score is calculated for a subject device of the group based on the event outputs corresponding to the subject device and the event outputs corresponding to the other devices in the group. The relative condition score of the subject device is a measure of a condition of the subject device relative to the conditions of the other devices in the group. Also disclosed is a system configured to perform the above-described method.
Type: Grant
Filed: March 29, 2006
Date of Patent: April 27, 2010
Assignee: HID Global Corporation
Inventor: Gary M. Klinefelter
-
Patent number: 7707644
Abstract: A method and apparatus for reporting the operation state of digital rights management are provided. In a home network formed with control devices and a control point, the apparatus for reporting the operation state of digital rights management of the control device to the control point includes: a digital rights management (DRM) module which performs digital rights management; a state variable generation unit which receives DRM operation state information indicating the state of a DRM process currently operating, from the DRM module, and based on the received DRM state information, generates DRM state variables; and a universal plug and play (uPnP) module which by using a uPnP protocol, transmits the generated state variables to the control point.
Type: Grant
Filed: March 2, 2005
Date of Patent: April 27, 2010
Assignee: Samsung Electronics Co., Ltd.
Inventors: Yang-lim Choi, Jung-yon Cho, Young-chul Sohn
-
Patent number: 7707225
Abstract: An information processing apparatus configured to perform cryptographic processing in response to a request from a server transmitting encrypted information to control an integrated circuit chip includes a managing unit managing types of the cryptographic processing granted in accordance with requests; and an output unit performing predetermined cryptographic processing requested from a predetermined server succeeding in authentication, when the requested predetermined cryptographic processing has a granted type managed by the managing unit, to supply information concerning the processing result to the predetermined server as information to be transmitted to the integrated circuit chip to be controlled.
Type: Grant
Filed: September 22, 2005
Date of Patent: April 27, 2010
Assignee: FeliCa Networks, Inc.
Inventors: Hideki Akashika, Jun Ogishima, Naofumi Hanaki
-
Publication number: 20100100947
Abstract: Aspects relate to systems and methods implementing a scheme allowing a Verifier (V) to authenticate a Prover (P). The scheme comprises pre-sharing between V and P a graph of nodes. Each node is associated with a polynomial. V sends P data comprising data for selecting a polynomial of the graph, such as traversal data for proceeding from a known node to another node, a time interval, and a number k. P uses the time interval in an evaluation of the polynomial. P then uses the evaluation as a λ in a Poisson distribution, and determines a value related to a probability that a number of occurrences of an event equals k. P sends the determined value to V. V performs a similar determination to arrive at a comparison value. P authenticates V if the separately determined values match, or otherwise meet expectations. The process can be repeated to increase confidence in authentication.
Type: Application
Filed: October 21, 2008
Publication date: April 22, 2010
Applicant: Apple Inc.
Inventors: Mathieu Ciet, Michael L. Crogan, Augustin J. Farrugia, Nicholas T. Sullivan
-
Publication number: 20100100596
Abstract: A computing device may provide a credential related to a service. Responsive to a validation of the credential, an identification of the service may be added to a contact listing associated with the computing device. Thereafter, a user of the computing device may select the service from the contact listing in order to upload a content object to the service. Similarly, the user of the computing device may select one or more peer devices from the contact listing. Responsive to the peer device selections, the content object may be transmitted to the one or more peer devices.
Type: Application
Filed: October 22, 2008
Publication date: April 22, 2010
Applicant: NOKIA CORPORATION
Inventors: Toni Strandell, Oleksandr Kononenko, Janne Kaasalainen, Carlos Quiroz Castro, Timo Pakkala
-
Publication number: 20100100948
Abstract: A rules driven multiple passwords system is provided wherein a list of stored passwords are used in rotation over time in accordance with a set of rules or conditions managed by the system. With such an arrangement, the currently active password of a system User may automatically be changed, in accordance with the rules or conditions, to the next password in the list. The User is notified as to the newly assigned password.
Type: Application
Filed: October 22, 2008
Publication date: April 22, 2010
Applicant: International Business Machines Corporation
Inventors: Wayne M. Delia, Edward E. Kelley, Franco Motika
-
Publication number: 20100100927
Abstract: Computer implemented methods (200) for protecting web based applications (110, 114) from Cross Site Request Forgery (CSRF) attacks. The methods involve (204) classifying each resource offered by a web server application as a CSRF-protected resource or a not-CSRF-protected resource. The methods also involve (214, . . . , 222) performing a user authentication, (224) initializing an authentication-token, and (226) initializing a CSRF protection secret that is used to validate CSRF protection parameters contained in resource identifiers for the resources. The methods further involve (228) performing a server-side rewriting process (300) to add the CSRF protection parameter to the resource identifiers for the resources and/or (230) performing a client-side rewriting process to add the CSRF protection parameter to a resource identifier for a second resource (e.g., a resource created at a client computer (102)).
Type: Application
Filed: October 20, 2008
Publication date: April 22, 2010
Applicant: International Business Machines Corporation
Inventors: Sumeer K. Bhola, Todd E. Kaplinger, Michael Steiner
-
Publication number: 20100100928
Abstract: A host based security system for a computer network includes in communication with the network a credential host that is operative in concert with a local computer and a destination site. The destination site has a credential authentication policy under which credentials associated with the local computer upon being authenticated authorizes data to be communicated between each of the destination site and the local computer during a communication session over the network. The credential host stores the credentials to be used by the destination and is operative to transmit the credentials onto the network in response to a request received from the local computer. The destination site upon the credentials being received and authenticated thereat is operative to transmit session information onto the network. In turn, the local computer is then operative to commence the communication session upon receipt of said information.
Type: Application
Filed: October 22, 2008
Publication date: April 22, 2010
Inventors: Louis A. Gasparini, William H. Harris, JR., Do-Pil (Don) Park
-
Publication number: 20100100943
Abstract: Permissions using a namespace is described. In an embodiment, a namespace system includes a network resource that has a resource permission, and includes a namespace that has one or more members associated with the namespace. The namespace system also includes a namespace permission to permission the network resource to one or more of the members of the namespace.
Type: Application
Filed: December 16, 2009
Publication date: April 22, 2010
Applicant: Microsoft Corporation One Microsoft Way
Inventors: Michael A. Pacholec, Michael I. Torres, Apurva F. Dalia, Matthew S. Augustine, Mukeshkumar M. Beher
-
Publication number: 20100100940
Abstract: A multiple-identity secure device (MISD) persistently stores a single identification code (a “seed identity”). The seed identity need not be a network address, and may be stored in an integral memory of the device, or on an interchangeable card received in a physical interface of the MISD. The MISD is provided with a transformation engine, in hardware or software form, that is subsequently used to generate one or more unique identities (e.g., network addresses) from the stored seed identity using predefined logic. The generated identities may be dynamically generated, e.g., in real-time as needed after deployment of a device into possession of a subscriber/customer/user, etc., or may be securely stored in the MISD for subsequent retrieval. The transformation engine may generate a unique identity in accordance with an addressing scheme identified as a default setting, a global/network setting, or as determined from a received data transmission.
Type: Application
Filed: November 10, 2008
Publication date: April 22, 2010
Applicant: Comcast Cable Communications, LLC
Inventor: Steven J. Reynolds
-
Patent number: 7703129
Abstract: Disclosed are an authentication system and method thereof for a dial-up networking connection via a terminal. The authentication system includes a terminal for snooping an authentication request packet that includes an authentication ID and password of a computer requesting authentication, and for generating an acknowledge packet of the authentication request packet. The authentication method includes receiving an authentication request packet including an authentication ID and password by a terminal, generating an acknowledge packet by the terminal, and transmitting generated acknowledge packet from the terminal to the computer.
Type: Grant
Filed: August 25, 2005
Date of Patent: April 20, 2010
Assignee: LG Electronics, Inc.
Inventor: Young-Beack Cho
-
Patent number: 7703131
Abstract: The invention relates to secured distributed impersonation, for use within systems such as batch system and batch message transaction systems. In one embodiment, a method includes sending a request for credentials of a network account from an originating account associated with an unpublished object to a dispatch associated with a published object. In one embodiment, both the unpublished and the published objects can each be a message queue. The dispatch authenticates the originating account. Upon successful authentication, the network account access emblem is sent to the originating account—that is, the originating account receives the requested credentials, which facilitate the ability to impersonate into the network account.
Type: Grant
Filed: March 1, 2000
Date of Patent: April 20, 2010
Assignee: Microsoft Corporation
Inventors: Neta Amit, Alexander Frank
-
Patent number: 7702921
Abstract: In a method for loading media data (M) into a memory of a portable data carrier (10) connected to an external operator device (24), the data carrier (10) receives a loading job, an encrypted data transfer channel (50) is set up between the data carrier (10) and a trustworthy, non-local server (30) on which the media data (M) are held, and the media data (M) are transferred in encrypted form via the data transfer channel (50) and written to the memory of the data carrier (10). A data carrier (10) and a computer program product have corresponding features. In addition, an operator device (24) and a computer program product are provided that are configured to provide a user interface for initiating the method for loading the media data (M). The invention provides a technique for loading media data (M) into a portable data carrier (10), which technique prevents unauthorized copying of the media data (M).
Type: Grant
Filed: March 8, 2004
Date of Patent: April 20, 2010
Assignee: Giesecke & Devrient GmbH
Inventor: Daniel Ciesinger
-
Patent number: 7703128
Abstract: One aspect relates to a process and associated device for managing digital ID lifecycles for application programs, and abstracting application programs for multiple types of credentials through a common Digital Identity Management System (DIMS) and Application Programming Interface (API) layer.
Type: Grant
Filed: February 13, 2003
Date of Patent: April 20, 2010
Assignee: Microsoft Corporation
Inventors: David B. Cross, Philip J. Hallin, Matthew W. Thomlinson, Thomas C. Jones
-
Publication number: 20100095357
Abstract: An information monitoring and alert system is provided which registers subscribers and verifiers with a central alert system. The alert system provides an interface for the verifiers to submit queries relating to identification information. Information in this query is compared to the stored data submitted by the subscriber during registration and if a match occurs the subscriber is notified that the identification has been used for a certain purpose. The alert system only stores an encrypted value of the identification with only contact information which is preferably anonymous. Any other information is deleted after registration. The subscriber upon being alerted of the use of the identification is instructed to authorize or reject the transaction pertaining to the query.
Type: Application
Filed: June 1, 2009
Publication date: April 15, 2010
Inventors: John A. Willis, David W. Foster, Igor D. Divjak
-
Publication number: 20100095359
Abstract: Exemplary systems and methods for identifying a wireless network are provided. In exemplary embodiments, a method includes at least a digital device receiving network information associated with a network, generating an access identifier based on the network information, generating a credential request including the access identifier, providing the credential request to a credential server, receiving a credential request response from the credential server, the credential request response comprising network credentials to access the network, and providing the network credentials to a network device to access the network.
Type: Application
Filed: October 13, 2009
Publication date: April 15, 2010
Applicant: Devicescape Software, Inc.
Inventor: John Gordon
-
Publication number: 20100095358
Abstract: When registering a DECT mobile part (MT) with the base station (BS), the VoIP user ID (user) is formed from the DECT user ID (IPUI) according to a mapping rule and is used for registering an SIP account (SIPA). In addition, the SIP password (pw(AC)) is formed from the DECT authentication code (AC). Roaming or handover of DECT mobile parts (MT) in DECT systems featuring a VoIP connection can be accomplished in a simple manner by adjusting the DECT user ID (IPUI) to the SIP user ID (user (IPUI)) and adjusting the authentication code (AC) to the password (pw(AC)). The DECT mobile parts (MT) can continue to be used without change even when the same are connected to IP-oriented networks (IN), while said DECT mobile parts (MT) can be marketed for a wider range of uses.
Type: Application
Filed: March 3, 2008
Publication date: April 15, 2010
Applicant: GIGASET COMMUNICATIONS GMBH
Inventors: Anton Kruk, Christoph Lenfort
-
Publication number: 20100095356
Abstract: A system and method for setting up security of a controlled device by a control point in a home network are provided, in which authority to perform a function intended by a user is acquired through authentication between the control point and the controlled device, a security channel is created for performing the function, and a credential setting used by the user is synchronized among controlled devices in the home network.
Type: Application
Filed: October 13, 2009
Publication date: April 15, 2010
Applicant: SAMSUNG ELECTRONICS., LTD.
Inventors: See-Hee HAN, Joo-Yeol Lee, Dong-Shin Jung, Fei Fei Feng, Je-Young Maeng
-
Patent number: 7698549
Abstract: Disclosed herein are several digital certificate discovery and management systems. Detailed information on various example embodiments of the inventions are provided in the Detailed Description below, and the inventions are defined by the appended claims.
Type: Grant
Filed: August 13, 2004
Date of Patent: April 13, 2010
Assignee: Venafi, Inc.
Inventors: Russell S. Thornton, Benjamin Hodson, Jayson Seegmiller
-
Patent number: 7698561
Abstract: The invention provides a method and system of detecting aliases in a network. The network comprises at least one device and at least one Network management system (NMS) for managing the devices. The NMS identifies each device available in the network with a message digest. The NMS retrieves the message digest of a device that is submitted for management. The NMS tries to locate the retrieved message digest with a database of message digests. In case the retrieved message digest is located on the database, the NMS declares the device as an alias. However, if the message digest is not located on the database, the NMS stores the message digest in the database and starts managing the device.
Type: Grant
Filed: August 12, 2004
Date of Patent: April 13, 2010
Assignee: Cisco Technology, Inc.
Inventors: Ps Nagendra, Vishnu Ls Kiran
-
Publication number: 20100088364
Abstract: Social networking content can be served to a set of social networking users. The served social networking content can include semantic content associated with specific ones of the social networking users. The semantic content can be shared among different ones of the social networking users during the serving. At least a portion of the semantic content can be stored within a local data store associated with a computing device of the specific user to whom the semantic content applies.
Type: Application
Filed: October 8, 2008
Publication date: April 8, 2010
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: BERNADETTE A. CARTER, ARTHUR R. FRANCIS
-
Publication number: 20100088187
Abstract: A computer-implemented method for delivering targeted advertising in an asynchronous messaging-based social networking platform, the system comprising: providing a messaging server configured to manage asynchronous message delivery to a plurality of users, wherein a message comprises: a content title; a timestamp; a profile id, wherein the profile id is a unique identifier associated with a publisher of the message; and a message; providing a user authentication database configured to store and manage user authentication information for the plurality of users; maintaining a plurality of bindings configured to associate at least one user of the system with at least one other user of the system; storing an articles database configured to store messages within the system; identifying a plurality of publishers wherein each publisher posts a plurality of messages within the system; determining a plurality of channels; for each channel, associating a plurality of the publishers with the channel; and providing adve
Type: Application
Filed: September 24, 2009
Publication date: April 8, 2010
Inventors: Chris Courtney, Jonathan Ozeran
-
Publication number: 20100088752
Abstract: A process for the automatic handling of requests has a first step of receiving a session request, which results in the issuance of a session token. Upon receipt of a content transfer message accompanied by the previously issued session token, a routing tuple identifying a sender, receiver, and type, the content transfer message also containing content to be transferred, the routing tuple is compared to entries in a process table which resolves into an action and destination. The action and destination associated with the routing tuple and request type are performed if a match is found, or a default action is taken if no match is found, such as placing the content in a user INBOX for future handling. Additionally, the later actions the user takes on the INBOX are examined, and new entries are created in the process table based on the user actions.
Type: Application
Filed: October 3, 2008
Publication date: April 8, 2010
Inventors: Vikram Nagulakonda, Venkata Subba Rao Ravilisetty, Lakshmi Narasimha Reddy Ankireddipally
-
Patent number: 7694146
Abstract: A method embodied in a daemon resident on a server provides for notification of a client when a new session is initiated with respect to the client's private account. Assuming that a user is able to log onto the server and gain access to the client's account, the daemon checks if the client has requested notification and if so, formats e-mail alerts and distributes them to requested e-mail addresses on, for instance, local computers, cell phones, PDA and other receivers of e-mail traffic. Should the client discover, by receiving one of these e-mails that an impostor client has gained access to the client's account, the daemon is able to close down the sessions selected by the client and cancel the current password in favor of a temporary new password available only to the client.
Type: Grant
Filed: November 18, 2006
Date of Patent: April 6, 2010
Assignee: 3501256 Canada, Inc.
Inventor: Doug Friend
-
Publication number: 20100083358
Abstract: Disclosed herein is a computer implemented method and system that securely aggregates and manages user related data in an online environment while maintaining privacy of a user. The user provides access credentials at a client device for each of multiple data sources. The access credentials are transformed to an unreadable format at the client device using a public key transmitted by a web server. The transformed access credentials in the unreadable format are stored locally on the client device. A communicating software agent on the client device communicates the stored access credentials to the web server. The web server transforms the communicated access credentials to a readable format using a private key and retrieves the user related data by accessing the data sources using the access credentials in the readable format. The web server presents the retrieved user related data to the user in one or more presentation modes.
Type: Application
Filed: January 12, 2009
Publication date: April 1, 2010
Inventors: Velamur Rangachari Govindarajan, Debasish Chakraborty, Kunnath Santhosh
-
Publication number: 20100083357
Abstract: Systems and arrangements for permitting the transmission of fingerprint authentication data to a system remotely, while also permitting the system to employ such data as well as passwords in order to operate a computer system, while ensuring a reliable level of security for any group or organization using such systems and arrangements.
Type: Application
Filed: September 30, 2008
Publication date: April 1, 2010
Applicant: Lenovo (Singapore) Pte. Ltd
Inventors: David C. Challener, Howard J. Locker, Mark C. Davis, Daryl C. Cromer, Randall S. Springfield
-
Publication number: 20100077466
Abstract: The present invention is generally directed toward a mobile device that can be used in a secure access system. More specifically, the mobile device can have credential data loaded thereon remotely updated, enabled, disabled, revoked, or otherwise altered with a message sent from, for example, a control panel and/or controller in the system.
Type: Application
Filed: December 1, 2009
Publication date: March 25, 2010
Inventor: Peter R. Lowe
-
Publication number: 20100077465
Abstract: A key protecting method includes the steps of: (a) in response to receipt of an access request, configuring a control application program module to generate a key confirmation request; (b) in response to receipt of the key confirmation request, configuring a hardware control module to generate, via the control application program module, a key input request to prompt a user for a key input; (c) upon receipt of the key input, configuring the hardware control module to determine if the key input matches a predefined key preset in the hardware control module; (d) configuring the hardware control module to enter an execution mode if it is determined in step (c) that the key input matches the predefined key; and (e) configuring the hardware control module to enter a failure mode if it is determined in step (c) that the key input does not match the predefined key.
Type: Application
Filed: September 23, 2009
Publication date: March 25, 2010
Inventor: Hung-Chien Chou
-
Patent number: 7685431
Abstract: System and method for determining crackability of a password in real time. The system and method include and involve a server system that serves a software package, and a client system that is coupled to the server system. The client system is configured to receive the software package. The software package includes a password entry facility permitting a user to enter a password candidate string one character at a time, and a strength determination facility configured to communicate with the password entry facility and to determine the crackability of the password candidate in real time repeatedly as each character of the password candidate string is entered into the password entry facility.
Type: Grant
Filed: March 20, 2000
Date of Patent: March 23, 2010
Assignee: Netscape Communications Corporation
Inventor: Michael Mullany
-
Patent number: 7685148
Abstract: A distributed computing system conforms to a multi-level, hierarchical organizational model. One or more control nodes provide for the efficient and automated allocation and management of computing functions and resources within the distributed computing system in accordance with the organization model. The model includes four distinct levels: fabric, domains, tiers and nodes that provide for the logical abstraction and containment of the physical components as well as system and service application software of the enterprise. A user, such as a system administrator, interacts with the control nodes to logically define the hierarchical organization of distributed computing system. The control nodes are responsible for all levels of management in accordance with the model, including fabric management, domain creation, tier creation and node allocation and deployment.
Type: Grant
Filed: January 31, 2005
Date of Patent: March 23, 2010
Assignee: Computer Associates Think, Inc.
Inventors: James D. Engquist, Craig A. Vosburgh, Brian Berliner, Jerry R. Jackson, Craig A. Lindley, Doreen E. Collins, Johnathan D. Nordby, Dann M. Church, David L. Resch
-
Patent number: 7685632
Abstract: A facility for performing an access control check is provided. The facility receives a request to perform an access control check to determine whether authorization exists to access a resource. The access control check is performed against the identity of a principal, a policy that applies to the principal, and the identity of the resource the principal wants to access. The principal may either be an application program or a combination of an application program and an identity of a user in whose context the application program is executing.
Type: Grant
Filed: October 1, 2004
Date of Patent: March 23, 2010
Assignee: Microsoft Corporation
Inventor: Mark Vayman
-
Publication number: 20100071041
Abstract: The present application relates to a technique applied to a system for performing authentication of a user by a one-to-one verification method by using an ID and biometric information of the user. When the user registers the ID and reference biometric information in a service providing system, the information is transmitted from the relevant service providing system to a management server. Then, in the management server, ID management by the reference biometric information is performed, and when the user inputs a wrong ID at the time of verification before the relevant service providing system starts to provide a service, a correct ID of the relevant user is found.
Type: Application
Filed: March 18, 2009
Publication date: March 18, 2010
Applicant: FUJITSU LIMITED
Inventor: Jun Ikegami
-
Publication number: 20100070760
Abstract: Aspects describe spectrum authorization, access control, and configuration parameters validation. Devices in an ad-hoc or peer-to-peer configuration can utilize a licensed spectrum if the devices are authorized to use the spectrum, which can be determined automatically. Aspects relate to distribution of authorization tickets by an authorization server as a result of validating a device's credentials and services to which the device is entitled. An exchange and verification of authorization tickets can be performed by devices as a condition for enabling a validated wireless link using the spectrum.
Type: Application
Filed: September 12, 2008
Publication date: March 18, 2010
Applicant: QUALCOMM Incorporated
Inventors: Michaela Vanderveen, Lu Xiao
-
Publication number: 20100071040
Abstract: A method, a network element, and a client device for creating a trusted connection with a network are disclosed. A client device 104 may attempt to access a sub-network 106. The client device 104 may determine that a certificate of the sub-network 106 is issued by a certification authority absent from a device certificate trust list. The client device 104 may receive via the sub-network 106 a certificate trust list update 400 from a certificate trust list provider 108.
Type: Application
Filed: September 18, 2008
Publication date: March 18, 2010
Applicant: MOTOROLA, INC.
Inventors: Steven D. Upp, Alexander Medvinsky, Madjid F. Nakhjiri
-
Patent number: 7680110
Abstract: A communication device configured to receive a first packet from a first network including a virtual network, and to transmit a second packet to a second network, the communication device including: a receiver section configured to receive the first packet from the first network; a converter section configured to convert a second destination address of the first packet to the first destination address of the second packet using identifying information of the virtual network; a selector configured to select a security parameter based at least in part on the first destination address of the second packet; an encryption section configured to encrypt the second packet based on the security parameter; and a transmitter section configured to multicast the encrypted second packet to the second network.
Type: Grant
Filed: September 28, 2005
Date of Patent: March 16, 2010
Assignee: Kabushiki Kaisha Toshiba
Inventors: Masataka Goto, Masahiro Takagi
-
Publication number: 20100064358
Abstract: A method and apparatus are provided for managing system identification information for workforce members such as employees, contractors and consultants that are affiliated with a business entity such as a corporation. The method and apparatus provide for the association of system identification information of a workforce member with each such workforce member in memory and further provides a review process of the same information by the relevant workforce member and one or more of the workforce member's supervisors. The review process allows each of the workforce member and the applicable supervisor(s) to confirm and, in some instances, reject the system identification information as being valid or not valid. The method and apparatus further maintains the review status of the workforce member and the applicable supervisor(s) and in one embodiment, provides for an audit of the same so that any discrepancies in the reviews are brought to light.
Type: Application
Filed: September 10, 2008
Publication date: March 11, 2010
Inventors: Joseph M. Luna, Gerald W. Smith, Ernestine M. Dach, Hacene Benchikha
-
Publication number: 20100064357
Abstract: Techniques are provided for designing, deploying, and executing mashups that integrate human workflows with automated processes. In an example embodiment, a system for executing mashups comprises a human interaction module, an event manager module, and a process orchestration module. The human interaction module is configured to receive user input while a human workflow included in a mashup is being executed, and to raise an event in response to the user input. The event manager module is configured to: receive the event from the human interaction module; based on the event, identify a particular automated process from one or more automated processes that are included in the mashup; and invoke the process orchestration module to execute the particular automated process based on the event. The process orchestration module is configured to execute the particular automated process in response to being invoked by the event manager module.
Type: Application
Filed: September 9, 2008
Publication date: March 11, 2010
Inventors: Kerstin Baird, Tim Buss, Brian Carroll, Ali Kheirolomoom, Rohit Jainendra, Kartik Raghavan
-
Patent number: 7676832
Abstract: The present invention relates to a personalized service providing system and a profile information classifying and processing method thereof. The system, linked to a plurality of subscriber stations to provide a personalized service to a subscriber station, classifies and processes profile information for the service. In the profile information classifying and processing method, a) subscriber profile information is generated, b) the subscriber profile information is classified into static profile information and dynamic profile information, and c) the dynamic profile information is selected from the subscriber station to manage the selected dynamic profile information and the static profile information is selected from the system to manage the selected static profile information. The static and dynamic profile information is classified into public and private profile information to manage the classified static and dynamic profile information.
Type: Grant
Filed: November 9, 2005
Date of Patent: March 9, 2010
Assignee: Electronics and Telecommunications Research Institute
Inventors: Je-Hun Rhee, Gyung-Chul Sihn, Dae-Sik Kim