Management Patents (Class 726/6)
- Patent number: 7676829
  Abstract: Systems and methods for associating multiple credentials with a single user account in a distributed authentication system. A user can be authenticated to a service by providing any one of the multiple credentials to the authentication system. Thus, a user can provide credentials that are more easily entered or supplied on a given device. All of the credentials are associated with a single user account. The credentials can be associated symmetrically, where the user account is independent of each credential, or asymmetrically, where the user account is stored with a primary credential and the other credentials are secondary credentials that reference the primary credential.
  Type: Grant
  Filed: October 30, 2001
  Date of Patent: March 9, 2010
  Assignee: Microsoft Corporation
  Inventors: Wei-Qiang Michael Gui, David Shutt, Joseph N. Coco
- Patent number: 7675854
  Abstract: Provided is a method and system for TCP SYN cookie validation. The method includes receiving a session SYN packet by a TCP session setup module of a host server, generating a transition cookie including a time value representing the actual time, sending a session SYN/ACK packet, including the transition cookie, in response to the received session SYN packet, receiving a session ACK packet, and determining whether a candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.
  Type: Grant
  Filed: February 21, 2006
  Date of Patent: March 9, 2010
  Assignee: A10 Networks, Inc.
  Inventors: Lee Chen, Ronald Wai Lun Szeto, Shih-Tsung Hwang
- Patent number: 7676847
  Abstract: An application is activated with access permission to resources which are granted to unsigned applications. In parallel with the execution of the application, a tamper check is performed on the application using a tamper check thread. When access to a resource which is not granted to unsigned applications is requested during the execution of the application before the completion of the tamper check, the application is put in a wait state until the completion of the tamper check. After the application is judged as having been untampered with as a result of the tamper check, the application is further granted access permission to resources that are specified by a permission information file included in the application. If this further-granted access permission includes the access right to the resource, the execution of the application is continued.
  Type: Grant
  Filed: September 17, 2004
  Date of Patent: March 9, 2010
  Assignee: Panasonic Corporation
  Inventor: Yoshinori Imanishi
- Patent number: 7676831
  Abstract: Embodiments of the present invention address deficiencies of the art in respect to access control and provide a method, system and computer program product for access control management for a collection of heterogeneous application components. In a first embodiment, a data processing system for role-based access control management for multiple heterogeneous application components can include at least one business role descriptor associating a business role with multiple, different application roles for corresponding, disparate application components. The system also can include at least one access policy associating a user with the business role. Finally, the system can include policy deployment logic including program code enabled to process the access policy to assign the user to the different application roles in the disparate application components.
  Type: Grant
  Filed: September 8, 2005
  Date of Patent: March 9, 2010
  Assignee: International Business Machines Corporation
  Inventors: Kathryn H. Britton, Dieter Buehler, Ching-Yun Chao, Timothy J. Hahn, Anthony J. Nadalin, Nataraj Nagaratnam, Yi-Hsiu Wei, ChunHui Yang
- Publication number: 20100058068
  Abstract: Disclosing a secure personal identification number ("PIN") associated with a financial account to an account holder. A PIN reveal application can interact with a hardware security module ("HSM") to decrypt and disclose the PIN to the account holder one or more PIN character(s) at a time. The account holder also can set a new PIN in a secure manner. A PIN set application can interact with the HSM to encrypt PIN characters received by the PIN set application from the account holder. The HSM provides a secure platform to encrypt and decrypt the secure PIN.
  Type: Application
  Filed: September 3, 2009
  Publication date: March 4, 2010
  Applicant: Total System Services, Inc.
  Inventors: George S. Perkins, Richard E. Sway, Gary W. Hellman
- Publication number: 20100058448
  Abstract: Methods for associating a first and a second device. Each device broadcasts an identity; the first device stores new identities and counts them. Upon user instruction, and if there is just one new identity, the first device sends a request for association to the second device, which acknowledges this. The second device then sends, upon user instruction, a confirmation to the first device, which verifies that the confirmation was sent by the second device and acknowledges this. The method is particularly suitable for use on devices that are unable to display identities of other devices.
  Type: Application
  Filed: October 14, 2007
  Publication date: March 4, 2010
  Inventors: Olivier Courtay, Christophe Vincent
- Publication number: 20100058449
  Abstract: An authentication system includes a plurality of personal authentication servers, a client terminal, a replacing portion and a renewing portion. The plurality of personal authentication servers store at least a part of enrolled data different from each other for user personal authentication and perform authentication with stored enrolled data according to an authentication request from a client terminal. The client terminal stores identification information for specifying the personal authentication server storing each enrolled data, and requests an authentication from the personal authentication server specified with the identification information. The replacing portion replaces at least a part of the enrolled data between the plurality of personal authentication servers according to the authentication request condition to the plurality of personal authentication servers from the client terminal. The renewing portion renews the identification information according to the replacing result of the replacing portion.
  Type: Application
  Filed: August 13, 2009
  Publication date: March 4, 2010
  Applicant: FUJITSU LIMITED
  Inventor: Ken KAMAKURA
- Patent number: 7673328
  Abstract: A network system includes a plurality of individual Internet service providers each having access points, and a parallel Internet service provider connected to the plurality of individual Internet service providers; the individual Internet service providers and the parallel Internet service provider each include an authentication server. When the access point of a provider receives a connection request from a user who contracts with the parallel service provider, the provider transfers a connection ID and a password to an authentication server of the parallel Internet service provider to perform user authentication. When a result of the authentication is good, the user terminal is connected to the user terminal through the access point.
  Type: Grant
  Filed: September 28, 1999
  Date of Patent: March 2, 2010
  Assignee: Kojima Co., Ltd.
  Inventor: Akitoshi Kojima
- Patent number: 7673332
  Abstract: A method and a system for access authentication. A shared services resource includes a second factor authentication module. At least one network resource each includes a first factor authentication module. A trusted computing base communicates with the shared services and the at least one network resource through a pipe. An assertion may be obtained on a trusted computing base for accessing at least one network resource. At least one of the at least one network resource may be accessed with the trusted computing base when the assertion has been obtained by the trusted computing base and is valid.
  Type: Grant
  Filed: July 31, 2006
  Date of Patent: March 2, 2010
  Assignee: eBay Inc.
  Inventors: Upendra Sharadchandra Mardikar, Liam Sean Lynch
- Patent number: 7673329
  Abstract: Encrypted communications to a secure server. A user at a terminal, communicatively coupled to the secure server by a secure link, can obtain web pages from web sites in a network, in encrypted form, via the secure link. Addresses associated with the web pages are altered to make it appear as if the web pages come from the secure server rather than from the web sites. Spoofing units may be used as alternative access points to the secure server, with the secure server sending the requested web pages directly to the terminal.
  Type: Grant
  Filed: February 22, 2001
  Date of Patent: March 2, 2010
  Assignee: Symantec Corporation
  Inventors: Stephen Dao Hui Hsu, James Noshir Hormuzdiar
- Patent number: 7673331
  Abstract: A server certificate issuing system confirms existence of a Web server for which a certificate is to be issued. The Web server includes means for generating an entry screen to input application matters for an issuance of a server certificate, means for generating a key pair of a public key and a private key, means for generating a certificate signing request file (CSR) containing the generated public key, and means for generating a verification page indicating intention of requesting the issuance of the certificate. A registration server retrieves the CSR from a received server certificate request and accesses the Web server to read the verification information, and compares the read verification information with the CSR. If the verification information read from the Web server is identical to the CSR, it is determined that the Web server for which the server certificate is to be issued exists.
  Type: Grant
  Filed: August 7, 2008
  Date of Patent: March 2, 2010
  Assignee: Globalsign K.K.
  Inventors: Keisuke Kido, Ichiro Chujo
- Patent number: 7672457
  Abstract: A wireless communication authentication program whereby a slave station in a small-scale wireless LAN system can be authenticated by a simple procedure. A wireless communication authentication device periodically increments a first system timer value (Step S1) for which an optional numerical value is set beforehand. A wireless communication device sets therein a second system timer value (Step S2) so as to coincide with the first system timer value and periodically increments the second system timer value (Step S3). The wireless communication device transmits an authentication request command including a third system timer value (Step S4), and the wireless communication authentication device compares the third system timer value included in the authentication request command with the first system timer value thereof assumed at the time of reception of the command (Step S6).
  Type: Grant
  Filed: September 28, 2005
  Date of Patent: March 2, 2010
  Assignee: Fujitsu Limited
  Inventors: Yuji Nagano, Kazuhiro Ichiyanagi, Akiko Kusumoto, Hisayoshi Naito, Shinichirou Miyajima, Kazuyuki Inomoto
- Publication number: 20100050242
  Abstract: A password, unknown to a user to be authenticated by the password, is created by comparing an image provided by the user to a master image. Random differences between the images are found and used to create the password. The password is then validated to determine whether the user is authorized and/or to determine whether a communication provided by the user is to be processed.
  Type: Application
  Filed: August 19, 2008
  Publication date: February 25, 2010
  Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Wayne M. Delia, Edward E. Kelley, Franco Motika
- Publication number: 20100050243
  Abstract: Bootstrapping a trusted cryptographic certificate or other credentials into a client web browser application can be used to provide protection against "phishing" and "man-in-the-middle" attacks made over a computer network. Verification credentials are provided to users who connect directly to an authentication server and provide sufficient authentication information. The authentication server can rely upon the use of private URLs associated with each user as part of the verification process and can reject users who connect by clicking on a hyperlink directed to the authentication server.
  Type: Application
  Filed: December 4, 2007
  Publication date: February 25, 2010
  Applicant: SXIP IDENTITY CORP.
  Inventor: Dick C. Hardt
- Patent number: 7669225
  Abstract: A method and apparatus for providing multi-domain control over a digital data item via a first domain security policy assigned to the digital data item at a first domain, the data item being transferred from the first domain to a second domain, the second domain being autonomous from the first domain in respect of security policies. The method comprises assigning the security policy to the digital item within the first domain; transferring the digital items to the second domain together with data defining the first domain security policy; analyzing the first domain security policy within the second domain; and distributing and/or allowing usage of the digital items within the second domain in accordance with the analyzed first domain security policy, and/or reporting breaches or attempted breaches of the policy.
  Type: Grant
  Filed: May 6, 2004
  Date of Patent: February 23, 2010
  Assignee: PortAuthority Technologies Inc.
  Inventors: Ariel Peled, Guy Lupo, Lidror Troyansky
- Patent number: 7665667
  Abstract: Updating the access control of a smart card at multiple points of the smart card life cycle. The system and method for updating the access control mechanisms during the smart card life cycle includes implementing an interface having a method for providing access control and a method for registering an access manager as an active access manager. In response to a request to register an access manager, the system and method executes the method for determining whether registering the access manager may be allowed.
  Type: Grant
  Filed: September 30, 2005
  Date of Patent: February 23, 2010
  Assignee: Gemalto Inc.
  Inventors: Sylvain Prevost, Kapil Sachdeva
- Patent number: 7669229
  Abstract: It is convenient to allow access to a private network, such as a corporate intranet, or outward facing extranet application, from an external network, such as the Internet. Unfortunately, if an internal authentication system is used to control access from the external network, it may be attacked, such as by a malicious party intentionally attempting multiple invalid authentications to ultimately result in an attacked account being locked out. To circumvent this, an authentication front-end, proxy, wrapper, etc. may be employed which checks for lockout conditions prior to attempting to authenticate security credentials with the internal authentication system.
  Type: Grant
  Filed: November 13, 2002
  Date of Patent: February 23, 2010
  Assignee: Intel Corporation
  Inventor: Steven L. Grobman
- Patent number: 7669232
  Abstract: Systems and methods for authentication using paired dynamic secrets in secured wireless networks are provided. Each authenticated user is assigned a random secret generated so as to be unique to the user. The secret is associated with a wireless interface belonging to the user, so that no other wireless interface may use the same secret to access the network. The secret may be updated either periodically or at the request of a network administrator, and reauthentication of the wireless network may be required.
  Type: Grant
  Filed: December 19, 2008
  Date of Patent: February 23, 2010
  Assignee: Ruckus Wireless, Inc.
  Inventors: Tyan-Shu Jou, Ming Sheu, Bo-Chieh Yang, Tian-Yuan Lin, Ted Tsei Kuo
- Publication number: 20100043062
  Abstract: The invention provides methods and systems for management of image-based password accounts. A password management account may be accessed by a user undergoing image-based authentication. The invention may allow a user to manage parameters relating to image-based authentication. The invention may also allow a user to manage authentication at one or more web sites.
  Type: Application
  Filed: September 17, 2008
  Publication date: February 18, 2010
  Inventors: Samuel Wayne Alexander, Scott A. Blomquist, Koesmanto Leka Bong, Jason Allyn Grlicky, Adam Paul Kuert, Christopher James Lee, Steven L. Osborn, II, James Luke Sontag, Benjamin Joel Stover
- Publication number: 20100042836
  Abstract: A secure transmission of a device management message via a broadcast (BCAST) channel, by which a BCAST server can securely transmit a device management message including an authentication value to a plurality of terminals via a one-way BCAST channel, and accordingly the terminals are not required to use a separate channel for authenticating the device management message received from the BCAST server.
  Type: Application
  Filed: October 24, 2007
  Publication date: February 18, 2010
  Applicant: LG Electronics Inc.
  Inventors: Min-Jung Shon, Sung-Mu Son, Seung-Jae Lee, Youn-Sung Chu, Te-Hyun Kim
- Publication number: 20100043063
  Abstract: Disclosed is an off-line user authentication system, which is designed to present a presentation pattern to a user subject to authentication, and apply a one-time-password derivation rule serving as a password to certain pattern elements included in the presentation pattern at specific positions so as to create a one-time password. An off-line authentication client pre-stores a plurality of pattern element sequences each adapted to form a presentation pattern, and a plurality of verification codes created by applying a one-time-password derivation rule to the respective presentation patterns and subjecting the obtained results to a one-way function algorithm. A presentation pattern is created using one selected from the stored pattern element sequences, and presented to a user. A one-time password entered by the user is verified based on a corresponding verification code to perform user authentication. The present invention provides an off-line matrix authentication scheme with enhanced security.
  Type: Application
  Filed: October 16, 2009
  Publication date: February 18, 2010
  Inventors: Yukiya Ueda, Tsugune Saito, Shigetomo Tamai
- Publication number: 20100040227
  Abstract: Methods and systems for collaborative, incremental specification of identities are provided. Users of an information processing system collaborate to define and refine identities of entities, and users can create references for those identities. Relationships among the identifiers imply related keywords that can be used to improve search, navigation, and integration. Relationship factoring can be used to maintain efficient logical and physical representations.
  Type: Application
  Filed: August 11, 2009
  Publication date: February 18, 2010
  Inventor: James H. Stephens, JR.
- Patent number: 7665129
  Abstract: In order to control the authorisation of a user during an attempt to access an IP transport network (5) by means of an access network (1, 2), a user terminal (11, 12, 13) emits an access request to an access supplier (6, 7, 8), containing data for authenticating the user to the access supplier, and said request is then transmitted to an access server (9) of the access network (1, 2) in view of being addressed to a remote authentication server (15) of the access supplier. On reception of the access request, the access server (9) emits a RADIUS request to a proxy server (10) of the access network (1, 2) which determines whether the user must be locally authenticated, and if this is the case, the proxy server transmits, to the access server (9), a request for authentication data to be addressed to the terminal of the user, and carries out a local procedure to authenticate the user, on the basis of the authentication data supplied by the user.
  Type: Grant
  Filed: February 1, 2005
  Date of Patent: February 16, 2010
  Assignee: France Telecom
  Inventors: Céline Carpy, Lionel Morand
- Patent number: 7664838
  Abstract: Application program network service requests are translated into specific actions that are then performed through the management plane and/or control plane. The translations and resulting actions are responsive to previously defined policies for the communication network, and may further reflect processing of previous service requests by the same or another application program. The amount of resources available for use by a given application program may be predefined based on a globally defined network policy. Each service request obtained from an application program may be translated into multiple actions performed using various specific protocols and/or interfaces provided by either the management plane, the control plane, or both the management and control planes. Reports of network activity, status and/or faults for a requesting application program may be tailored to the requesting program's view of the network, and passed directly and exclusively to the requesting program.
  Type: Grant
  Filed: May 10, 2004
  Date of Patent: February 16, 2010
  Assignee: Nortel Networks Limited
  Inventors: Indermohan Monga, Bruce Schofield, Franco Travostino
- Patent number: 7665126
  Abstract: In an exemplary method implementation, a method includes: designating a neighborhood administrator; receiving notification of a delinquent router from the designated neighborhood administrator; and excluding the delinquent router responsive to the notification. In an exemplary mesh router implementation, a mesh router is capable of establishing a wireless mesh network with other mesh routers; the mesh router is further capable of designating a neighborhood administrator mesh router; and the mesh router is adapted to exclude another mesh router that is associated with a particular certificate when the particular certificate has been identified as delinquent by the designated neighborhood administrator mesh router.
  Type: Grant
  Filed: December 17, 2003
  Date of Patent: February 16, 2010
  Assignee: Microsoft Corporation
  Inventors: Daniel R. Simon, Paramvir Bahl, Helen Jiahe Wang
- Publication number: 20100037058
  Abstract: A method of providing collaborative security and collaborative decision making in a service-oriented environment. The method includes validating request(s) by application(s) for service(s) in the environment, and providing each service for which an application request is validated. The method also includes monitoring a situational state exposed by services being provided in the environment. Based on the monitored state, the validating of one or more service requests is influenced.
  Type: Application
  Filed: August 6, 2008
  Publication date: February 11, 2010
  Inventor: Yefim Zhuk
- Publication number: 20100037284
  Abstract: The invention provides methods and means for assisting the control of a User Terminal's (UT's) (240) access to an access network domain in a radio communications network.
  Type: Application
  Filed: June 28, 2005
  Publication date: February 11, 2010
  Inventor: Joachim Sachs
- Publication number: 20100037303
  Abstract: In one implementation, form field(s) of a form of a website or application are populated with data obtained using a digital identity, and the populated form field(s) are submitted to the website or application. A form field specification specifying information about the form fields of the form is obtained. A user selects or creates a digital identity. Data is obtained using the digital identity, and the data is used to provide values to the form. The data is submitted to the website or application. In another implementation, a username and password are automatically generated. The username and password that are generated meet parameters that may be specified by the website or application. The username and password are submitted to the website or application for a purpose such as registration or authentication, and stored away for future authentication.
  Type: Application
  Filed: August 8, 2008
  Publication date: February 11, 2010
  Applicant: Microsoft Corporation
  Inventors: Tariq Sharif, Arun K. Nanda, Roberto A. Franco, Richard Randall
- Publication number: 20100036893
  Abstract: XML communication protocol between a user terminal, such as a radio alarm clock, and a services platform via the Internet network for accessing an audio file available from a data streaming server.
  Type: Application
  Filed: September 4, 2007
  Publication date: February 11, 2010
  Applicant: BARACODA
  Inventors: Thomas Serval, Olivier GIROUD, Olivier Giroud
- Patent number: 7660422
  Abstract: A version number is associated with an encrypted key executable to allow real time updating of keys for a system which facilitates users signing on to multiple websites on different domains using an encrypted ticket. Two keys may be used at each site during updating of keys, each having an associated one digit Hex version tag. When a key is to be updated with a new key, the existing or old key is provided an expiration time. A second key is provided from the system in a secure manner with a new version number and made the current key which provides decryption of the encrypted ticket. The system tracks both keys while they are concurrent. After the existing key expires, only the second, or updated key is used to provide login services for users. The system periodically flushes old keys.
  Type: Grant
  Filed: May 24, 2005
  Date of Patent: February 9, 2010
  Assignee: Microsoft Corporation
  Inventors: Christopher E. Mitchell, Jeff C. Kunins, Max E. Metral
- Patent number: 7661132
  Abstract: A tag device causes a second calculator to read a confidential value from a confidential value memory and to apply a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to generate tag output information. The tag device delivers the tag output information to a backend apparatus. Subsequently, a first calculator reads out at least part of elements of the confidential value from the confidential value memory, and applies a first function F1, an inverse image of which is difficult to obtain, and a result of such calculation is used to update a confidential value in the confidential value memory by overwriting.
  Type: Grant
  Filed: September 27, 2004
  Date of Patent: February 9, 2010
  Assignee: Nippon Telegraph and Telephone Corporation
  Inventors: Miyako Ohkubo, Koutarou Suzuki, Shingo Kinoshita
- Publication number: 20100031332
  Abstract: Secure access to a resource is provided by receiving a user request associated with a username for access to a resource and checking the username associated with the request against a reference username associated with the user. The reference username is linked to a second username associated with the user. If the received username matches the reference username, the request is modified by replacing the received username with the second username, and the modified request is forwarded towards the resource. A new username can be recorded upon receiving a request for the user. In response to the received request, the new username is recorded at a reference location linked to the location of the second username.
  Type: Application
  Filed: October 5, 2007
  Publication date: February 4, 2010
  Inventor: Jeremy R. Mason
- Publication number: 20100030579
  Abstract: Various embodiments include methods and systems for providing packaged health care solutions.
  Type: Application
  Filed: July 29, 2009
  Publication date: February 4, 2010
  Inventor: Pocham Dhauvan
- Publication number: 20100031337
  Abstract: Methods and systems for processing information that is secured in transit between communicating computers utilizing a security protocol. In accordance with one embodiment of the present invention, processing with respect to the security protocol is performed by an intermediate network device located remotely from a secure data center, while maintaining the security of persistent credentials such as passwords and private cryptographic keys. The invention may be employed in conjunction with beneficial networking functions such as acceleration, traffic management and monitoring, content filtering, and the like, allowing such functions to be performed on secured traffic. The invention allows the remotely located network device to perform security protocol processing on behalf of a computer without having direct access to the persistent credentials of that computer, thereby improving overall system security.
  Type: Application
  Filed: December 20, 2007
  Publication date: February 4, 2010
  Applicant: Certeon, Inc.
  Inventors: Jeffrey T. Black, Steve Zhou
- Publication number: 20100031331
  Abstract: All operations available on an intranet are securely performed from outside of the intranet without taking out a file on the intranet from the intranet. A file on the intranet is not taken out; instead, image information on a target computer 1 is transmitted to an operational computer 4 with the http protocol, the https protocol, or the SSL protocol, and keyboard information, pointing information, or the like are transmitted from the operational computer 4 to the target computer 1. Consequently, the target computer 1 is operated.
  Type: Application
  Filed: February 8, 2008
  Publication date: February 4, 2010
  Applicant: NTT IT CORPORATION
  Inventors: Susumu Ichinose, Kentaro Takaya, Kikuji Kato, Hiroaki Shirouzu, Shinpei Hayakawa
- Patent number: 7657925
  Abstract: One embodiment of the present invention provides a system that facilitates managing security policies for databases in a distributed system. During operation, the system creates multiple label security policies. The system stores these security policies in a directory and automatically propagates them from the directory to each database within the distributed system. In doing so, the system allows for applying policies to individual tables and schema in any database in the distributed system. The system facilitates centralized administration of security policies and removes the need for replicating policies, since the policy information is available in the directory.
  Type: Grant
  Filed: October 14, 2004
  Date of Patent: February 2, 2010
  Assignee: Oracle International Corporation
  Inventors: Vikram Reddy Pesati, Srividya Tata, Shiu Kau Wong
- Patent number: 7657931
  Abstract: A method for quantifying the relative degree of uniqueness of an indicated data item in a repository of data items stored at locations associated with their digital fingerprints.
  Type: Grant
  Filed: January 7, 2004
  Date of Patent: February 2, 2010
  Assignee: Burnside Acquisition, LLC
  Inventors: Norman H. Margolus, Thomas F. Knight, Jr.
- Patent number: 7657599
  Abstract: A system and method for permitting a sender to provide electronic mail (email) to a recipient, said method comprising providing a recipient email address to the sender; requesting of the recipient that the sender be allowed to send email to the recipient; determining whether the request is acceptable based on at least one of: 1) a sender identity verification method; 2) user input; and 3) third party information; adding the sender to an email access list if the request is acceptable; and wherein the email access list is used to determine whether or not email from the sender is permitted to reach the recipient.
  Type: Grant
  Filed: May 29, 2003
  Date of Patent: February 2, 2010
  Assignee: Mindshare Design, Inc.
  Inventor: Steven J. Smith
- Publication number: 20100024015
  Abstract: A system and method for simplifying a login process makes use of a set of bookmarks that can be used to play back a series of actions and provide a stored username and password to a website or web service. A user can access a bookmark manager component of the system and an identity manager component of the system either locally or remotely and have the two components act independently of each other but in communication to store the bookmarking and identity information.
  Type: Application
  Filed: December 21, 2007
  Publication date: January 28, 2010
  Applicant: SXIP IDENTITY CORP.
  Inventor: Dick C. Hardt
-
Publication number: 20100024014
Abstract: Systems, methods and apparatus for a distributed security that provides authentication and authorization management. The system can include a source processor that is used to identify the source associated with a request for authentication or authorization. The source processor can maintain the initial source associated with the request through the use of an association token. The association token can be transmitted with each subsequent request that includes authentication or authorization data. The source processor can use the association token to verify that the source associated with the initial request is the same as the source associated with subsequent authentication and authorization requests.
Type: Application
Filed: July 24, 2008
Publication date: January 28, 2010
Applicant: SafeChannel Inc.
Inventors: Kailash Kailash, Shashidhara Mysore Nanjundaswamy, Amarnath Mullick, Jose Raphel
-
Patent number: 7653934
Abstract: A computer-implemented method for authorizing a user request from a user to perform an action with respect to one of at least one of the plurality of nodes and at least one of the plurality of packages of a cluster is disclosed. The user request is received from a host coupled to communicate with the cluster. The method includes consulting an authorization map to ascertain a role associated with the user. The authorization map is kept in a memory space in one of the plurality of nodes. The method further includes authorizing the user to perform the action if the role associated with the user includes a granted privilege that is higher than a privilege required to perform the user request.
Type: Grant
Filed: July 14, 2004
Date of Patent: January 26, 2010
Assignee: Hewlett-Packard Development Company, L.P.
Inventor: Shaila Joshi
-
Patent number: 7653935
Abstract: Upon integration of a file system, a user identifier recorded in a storage as management data is translated. A file server connected to a storage storing the data of a file system therein has a file system operation unit for managing the file system, a file server operation unit for receiving the access request to the file, and a user identifier translation unit for carrying out translation between a first user identifier, which is used by the client, and a second user identifier, which is recorded in the storage as management data of the file system. Receiving the access request to the file from the client, the user identifier translation unit translates the second user identifier included in the management data of the file that is an access target of the access request into the first user identifier, and the file server operation unit transmits the management data to the client.
Type: Grant
Filed: April 21, 2005
Date of Patent: January 26, 2010
Assignee: Hitachi, Ltd.
Inventors: Hitoshi Kamei, Masaaki Iwasaki, Takahiro Nakano, Yoji Nakatani
-
Patent number: 7653810
Abstract: The disclosure relates to the management of PKI digital certificates, including certificate discovery, installation, verification and replacement for endpoints over an insecure network. A database of certificates may be maintained through discovery, replacement and other activities. Certificate discovery identifies certificates and associated information including network locations, methods of access, applications of use and non-use, and may produce logs and reports. Automated requests to certificate authorities for new certificates, renewals or certificate signing requests may precede the installation of issued certificates to servers using installation scripts directed to a particular application or product, which may provide notification or require approval or intervention. An administrator may be notified of expiring certificates, using a database or scanning or server agents.
Type: Grant
Filed: August 13, 2004
Date of Patent: January 26, 2010
Assignee: Venafi, Inc.
Inventors: Russell S. Thornton, Benjamin Hodson, Jayson Seegmiller, Timothy Hollobon
-
Patent number: 7653936
Abstract: A distributed access control technique assigns permission to a user without permission explosion, thereby facilitating the system administration of user access to a piece of content represented by a Web service. Permissions are granted to pieces of content through expressions rather than explicitly coupled between a piece of content and a user. Each expression defines an access scope for either a user or a piece of content. An expression defining the access scope for a user can be created and maintained independently of an expression defining the access scope to a piece of content, hence simplifying management information system implementation and administration.
Type: Grant
Filed: June 25, 2003
Date of Patent: January 26, 2010
Assignee: Microsoft Corporation
Inventor: Shawn Oberst
-
Publication number: 20100017616
Abstract: Systems and methods for securely managing Internet user passwords are presented herein. A formation component can enable a user to create a master account on a web server, the master account comprising a master username and password. An access component can enable the user to access a plurality of password protected websites from a web browser or non-browser software application resident on the user's computing device when the user logs into the master account by entering the valid master username and password. A selection component can log the user into a website of the plurality of password protected websites when the user selects a hyperlink associated with the website, selects a linked image associated with the website, or selects the website from a pulldown list contained in a toolbar of a web browser. A display component can open a web browser or tab associated with the website.
Type: Application
Filed: June 21, 2008
Publication date: January 21, 2010
Applicant: SPRINGO INCORPORATED
Inventors: Jonathan Nichols, Krista Donaldson
-
Publication number: 20100017859
Abstract: A system such as in a networked computer system comprising a user, an application server, a gatekeeper server and an authentication server. Communication within the system is managed by the gatekeeper server, wherein the user communicates with the authentication server and the application server through the gatekeeper server. Once the user has been initially authenticated by the authentication server, the user may request application services from a plurality of application servers within the networked computer system without having to be re-authenticated.
Type: Application
Filed: September 14, 2009
Publication date: January 21, 2010
Applicant: Wells Fargo Bank, N.A.
Inventors: Edward R. Kelly, Christopher Wayne Howser, Jonathan Francis Savage, Yuliang Zheng
-
Publication number: 20100017602
Abstract: Methods for ad-hoc trust establishment using visual verification are described. In a first embodiment, a visual representation of a shared data is generated on two or more devices and the visual representations generated can be visually compared by a user. This method can be used to verify that the correct devices are involved in a negotiation, when pre-existing trust relationships do not exist between the devices. The visual representation may, for example, comprise a picture with a number of different elements, each representing a part of the shared data. In another embodiment, a method of secure key exchange is described in which, before sharing the keys, the parties exchange information which encapsulates the key. This information can be used subsequently to check that a party has not changed the key that they are using and prevents a man-in-the-middle attack.
Type: Application
Filed: June 26, 2008
Publication date: January 21, 2010
Applicant: Microsoft Corporation
Inventors: Laurent Bussard, Ulrich Muller, Alain Gefflaut
-
Patent number: 7650633
Abstract: Generally speaking, systems, methods and media for automatically generating a role based access control (RBAC) model for an organizational environment with a role based access control system such as a hierarchical RBAC (HRBAC) system are disclosed. Embodiments may include a method for generating an RBAC model. Embodiments of the method may include accessing existing permissions granted to users of an organizational environment and analyzing the permissions to create permission characteristics. Embodiments of the method may also include performing cladistics analysis on the permission characteristics to determine role perspective relationships between individual users of the organizational environment. Embodiments of the method may also include generating an RBAC model based on the determined role perspective relationships between individual users of the organizational environment.
Type: Grant
Filed: January 4, 2007
Date of Patent: January 19, 2010
Assignee: International Business Machines Corporation
Inventor: John Whitson
-
Patent number: 7650497
Abstract: The disclosure relates to the management of PKI digital certificates, including certificate discovery, installation, verification and replacement for endpoints over an insecure network. A database of certificates may be maintained through discovery, replacement and other activities. Certificate discovery identifies certificates and associated information including network locations, methods of access, applications of use and non-use, and may produce logs and reports. Automated requests to certificate authorities for new certificates, renewals or certificate signing requests may precede the installation of issued certificates to servers using installation scripts directed to a particular application or product, which may provide notification or require approval or intervention. An administrator may be notified of expiring certificates, using a database or scanning or server agents.
Type: Grant
Filed: August 13, 2004
Date of Patent: January 19, 2010
Assignee: Venafi, Inc.
Inventors: Russell S. Thornton, Benjamin Hodson, Jayson Seegmiller, Timothy Hollobon
-
Patent number: 7650496
Abstract: The disclosure relates to the management of PKI digital certificates, including certificate discovery, installation, verification and replacement for endpoints over an insecure network. A database of certificates may be maintained through discovery, replacement and other activities. Certificate discovery identifies certificates and associated information including network locations, methods of access, applications of use and non-use, and may produce logs and reports. Automated requests to certificate authorities for new certificates, renewals or certificate signing requests may precede the installation of issued certificates to servers using installation scripts directed to a particular application or product, which may provide notification or require approval or intervention. An administrator may be notified of expiring certificates, using a database or scanning or server agents.
Type: Grant
Filed: August 13, 2004
Date of Patent: January 19, 2010
Assignee: Venafi, Inc.
Inventors: Russell S. Thornton, Benjamin Hodson, Jayson Seegmiller, Timothy Hollobon