Management Patents (Class 726/6)
  • Patent number: 7584502
    Abstract: The described embodiments relate to data security. One exemplary system includes a first component associated with data on which an action can be performed and a second component configured to perform the action on the data. The system also includes a third component configured to ascertain the action and determine, as a function of the action, at least one policy to be implemented prior to allowing the second component to access the data.
    Type: Grant
    Filed: May 3, 2004
    Date of Patent: September 1, 2009
    Assignee: Microsoft Corporation
    Inventors: James M. Alkove, Kirt A. Debique, Alexandre V. Grigorovitch, William C. Powell, Jeffrey Richard McKune
  • Patent number: 7584353
    Abstract: One embodiment of the invention is a method for providing media content while preventing its unauthorized distribution. The method includes transmitting from a client to an administrative node a request for delivery of an instance of media content (IMC); determining which content source (CS) of a plurality of CSs to provide delivery of the IMC, provided the client is authorized to receive the IMC; transmitting to the client an access key and a location of the IMC; transmitting from the client to the CS a second request and the access key; in response to receiving the second request and the access key, transferring the IMC from the CS to the client; transmitting from the client to the administrative node an indicator indicating a successful transfer of the IMC; and generating a transaction applicable to the client and associated with the transfer of the IMC to the client.
    Type: Grant
    Filed: September 12, 2003
    Date of Patent: September 1, 2009
    Assignee: Trimble Navigation Limited
    Inventors: Hank Risan, Edward Vincent Fitzgerald
  • Publication number: 20090217364
    Abstract: According to the teachings presented herein, a wireless communication device reverts from subscription credentials to temporary access credentials, in response to detecting an access failure. The device uses its temporary access credentials to gain temporary network access, either through a preferred network (e.g., home network) or through any one of one or more non-preferred networks (e.g., visited networks). After gaining temporary access, the device determines whether it needs new subscription credentials and, if so, uses the temporary access to obtain them. Correspondingly, in one or more embodiments, a registration server is configured to support such operations, such as by providing determination of credential validity and/or by redirecting the device to a new home operator for obtaining new subscription credentials.
    Type: Application
    Filed: June 17, 2008
    Publication date: August 27, 2009
    Inventors: Patrik Mikael Salmela, Vesa Petteri Lehtovirta, Kristian Slavov
  • Patent number: 7581245
    Abstract: A technique for evaluating computer system passwords is disclosed. The technique commences with obtaining, for each user of a computer system, password information generated by performing a security procedure on a password entry. The technique sequentially performs, for each user name, the security procedure on sequenced entries of a dictionary until either a match with the password information is detected or the sequenced entries are exhausted. The technique adjusts the sequence of a sequenced entry in the dictionary based on the number of matches detected for the sequenced entry, so that analysis of subsequent computer system password lists more rapidly identifies passwords that may present a security risk to the computer system.
    Type: Grant
    Filed: February 2, 2005
    Date of Patent: August 25, 2009
    Assignee: SAP AG
    Inventor: Erwin Rojewski
  • Patent number: 7581244
    Abstract: A secured network connection requires three authentication routines. A system access authentication routine requires a client network device to submit user authentication information to a network server. Upon successful user authentication, the network server creates a Client Service Access Pass and embeds this pass into a dynamic web page transmitted to the client device. A client application access authentication routine requires that the dynamic web page pass the Client Service Access Pass to an instantiated client application, which in turn submits it back to a service server on the network server for authentication. Upon successful authentication, the network server destroys the Client Service Access Pass, creates a Media File Access Pass, and sends this pass to the client application. A media file access authentication routine requires the client application to submit the Media File Access Pass along with any file access requests to the network server.
    Type: Grant
    Filed: January 25, 2006
    Date of Patent: August 25, 2009
    Assignee: Seiko Epson Corporation
    Inventors: Chia-Hsin Li, Victor Ivashin, Steve Nelson
  • Publication number: 20090210933
    Abstract: A system and method for online content production is provided. Customized orders for content, such as a customized video to be used by a content requester (e.g., a business), can be created using a central website. The business can specify a location at which the content is to be produced, as well as desired shots to be included in the content. A plurality of content providers can register with the present invention to obtain assignments to produce content in response to the orders. The content provider creates the content at the location(s) specified in the order, including shots specified in the order. After the content has been produced, the content provider uploads the content to the central website, wherein the uploaded content is reviewed to determine whether it complies with the specifications of the order. Content can be downloaded by the business, and payments for the content can be disbursed in accordance with pre-defined royalty distributions.
    Type: Application
    Filed: February 15, 2008
    Publication date: August 20, 2009
    Inventors: Jeffrey A. Shear, Mark Roboff, Dmitry Starosta, Iain Scholnick
  • Publication number: 20090210719
    Abstract: In a first information processing device, a specific part of a binary code of a first application program developed in a first memory and a specific function are used to calculate a first identification value. The first identification value is transmitted from the first information processing device to a second information processing device. In the second information processing device, a specific part of a binary code of a second application program developed in a second memory and a specific function are used to calculate a second identification value, and the first identification value received from the first information processing device is compared with the second identification value. If these identification values are identical, connection with the first information processing device is permitted in the second information processing device.
    Type: Application
    Filed: August 29, 2008
    Publication date: August 20, 2009
    Applicant: Konica Minolta Holdings, Inc.
    Inventor: Hiroki Yoshida
  • Publication number: 20090205029
    Abstract: A management apparatus comprising memory to store owner information, dependence relationship information, and authorized user information are associated with file information identifying the secret file, an authorized user determination unit to determine whether a source user of the browse request is registered as the authorized user of the browse request file, a dependent file specifying unit to specify a dependent file having a dependence relationship with the browse request file by referring to the dependence relationship information when the source user is authorized; and a browse permission response transmitting unit to transmit the browse permission response to the source user based on whether or not the source user is registered as the authorized user of the dependent file by referring to the authorized user information.
    Type: Application
    Filed: February 2, 2009
    Publication date: August 13, 2009
    Applicant: FUJITSU LIMITED
    Inventors: Bintatsu Noda, Masahiko Takenaka, Takayuki Hasebe, Takeaki Terada, Takashi Yoshioka
  • Publication number: 20090205027
    Abstract: The present invention is a system and method of selectively distributing media content to consumers, the system comprising essentially of a USB-type storage device loaded with media content, a network and a user interface system. The method comprises essentially of providing a USB-type storage device loaded with media content, distributing the device to retail outlets, instructing a user to contact a network that is in electronic communication with the USB-type storage device, selectively registering the media content on the network, activating the USB-type storage device, displaying the activated media content to the consumer on a display device associated with the user interface system, and providing a means to upload media content onto the USB-type storage device in the event the media content becomes corrupted or erased.
    Type: Application
    Filed: February 11, 2008
    Publication date: August 13, 2009
    Inventors: Henry Jose Salazar, Cruz Martinez
  • Publication number: 20090205028
    Abstract: Methods and systems taught herein allow communication device manufacturers to preconfigure communication devices to use preliminary access credentials to gain temporary network access for downloading subscription credentials, and particularly allow the network operator issuing the subscription credentials to verify that individual devices requesting credentials are trusted. In one or more embodiments, a credentialing server is owned or controlled by the network operator, and is used by the network operator to verify that subscription credentials are issued only to trusted communication devices, even though such devices may be referred to the credentialing server by an external registration server and may be provisioned by an external provisioning server. Particularly, the credentialing server interrogates requesting devices for their device certificates and submits these device certificates to an external authorization server, e.g., an independent OCSP server, for verification.
    Type: Application
    Filed: October 23, 2008
    Publication date: August 13, 2009
    Inventors: Bernard Smeets, Luis Barriga, Mattias Johansson, Vesa Petteri Lehtovirta, Krister Sallberg
  • Publication number: 20090205030
    Abstract: A method and apparatus for automatic user authentication are described. The method includes receiving information at a device, the device including a credential container; storing the information at the credential container and performing cryptographic calculations on the received information and providing the encrypted information upon request.
    Type: Application
    Filed: February 2, 2009
    Publication date: August 13, 2009
    Applicant: International Business Machines Corporation
    Inventor: Peng T. Ong
  • Patent number: 7574731
    Abstract: The invention provides a method and system for locally tracking network usage and enforcing usage plans at a client device. In an embodiment of the invention, a unique physical key, or token, is installed at a client device of one or more networks. The key comprises a usage application and one or more access parameters designating the conditions and/or limits of a particular network usage plan. Upon initial connection to the network, the usage application grants or denies access to the network based on an analysis of the current values of the access parameters. Therefore, network usage tracking and enforcement is made simple and automatic without requiring any back-end servers on the network while still providing ultimate flexibility in changing billing plans for any number of users at any time.
    Type: Grant
    Filed: October 7, 2003
    Date of Patent: August 11, 2009
    Assignee: Koolspan, Inc.
    Inventor: Anthony C. Fascenda
  • Publication number: 20090199279
    Abstract: Techniques for migrating content from a first set of conditions to a second set of conditions are disclosed herein. In particular, a content migration certificate is utilized to enable content migration and set forth under what conditions content may be accessed after migration. The content migration certificate may, for example, be stored as a file in a removable storage unit or transferred online once an indication that conditions have changed is received. The change in conditions may involve a new device attempting to access the content file, a new user attempting to access the content, or any other similar conditions. Access to the information in the content migration certificate may be protected by encryption so that only devices and/or users meeting the conditions of the certificate are permitted to transfer content. By accessing the content migration certificate in the prescribed manner, migration of content is enabled in a controlled and easy process.
    Type: Application
    Filed: January 31, 2008
    Publication date: August 6, 2009
    Applicant: Microsoft Corporation
    Inventors: Sebastian Lange, Victor Tan, Adam G. Poulos
  • Publication number: 20090199280
    Abstract: An authentication server, on receipt of a request to delete a user account, determines whether the account exists in a user authentication table. If the account exists, the authentication server deletes the account, and retrieves, from a requesters list in which information of devices from which users have to date requested user authentication is saved, an address of a device from which the user targeted for deletion has previously issued an authentication request, and issues a deletion request to that device together with account information. Similar processing to change a user account is performed in response to a change request.
    Type: Application
    Filed: February 6, 2009
    Publication date: August 6, 2009
    Applicant: CANON KABUSHIKI KAISHA
    Inventor: Tsuyoshi Muto
  • Publication number: 20090199278
    Abstract: A system and method for authenticating a user with a wireless data processing device.
    Type: Application
    Filed: January 31, 2008
    Publication date: August 6, 2009
    Inventor: Jaigak Song
  • Patent number: 7571324
    Abstract: A cryptographic method and apparatus for anonymously signing a message. Added to the anonymous signature is another signature which is calculated (operation 13) using a private key common to all the members of a group authorized to sign and unknown to all revoked members. The private key is updated (operations 8, 11) at group level on each revocation within the group and at member level only on anonymous signing of a message by the member.
    Type: Grant
    Filed: December 13, 2002
    Date of Patent: August 4, 2009
    Assignee: France Telecom
    Inventors: Sèbastien Canard, Marc Girault, Jacques Traore
  • Patent number: 7571466
    Abstract: A user profile having consent information regarding a network server for a second party is created. Such consent information is received from a first party and stored in the user profile of the second party. The second party may access the network server if the consent information stored in the user profile of the second party shows that the first party has provided consent. The second party may not access the network server if the consent information stored in the user profile of the second party shows that the first party has denied consent.
    Type: Grant
    Filed: February 23, 2001
    Date of Patent: August 4, 2009
    Assignee: Microsoft Corporation
    Inventors: Christopher E. Mitchell, Sylvia K. Mollerstrom, Jonathan P. Horton, Wei-Quiang Michael Guo, Steven M. Cellini
  • Patent number: 7571462
    Abstract: Setting information is transferred to an information processing apparatus from another information processing apparatus. The information processing apparatus includes a transfer unit, a rule unit, an acquiring unit, and an updating unit. The transfer unit sets transfer instruction information to instruct a transfer process to be performed, when the user logs in and while an administrator is logged in. The rule unit sets up an operating environment for the user based on rule setting information in a case when the user logs into the information processing apparatus for the first time. The acquisition unit acquires setting information of the user from a transfer file where the setting information acquired from the other information processing apparatus as a transfer source is stored while the user is logged in, where the transfer instruction information has been set. The updating unit updates the rule setting information with the acquired setting information.
    Type: Grant
    Filed: September 3, 2005
    Date of Patent: August 4, 2009
    Assignee: International Business Machines Corporation
    Inventors: Tatsumi Nagasawa, Takashi Yomo
  • Patent number: 7571467
    Abstract: The present invention relates to a system and methodology to facilitate communications security in a distributed computing and applications environment. A pass-phrase is generated to wrap a strong set of security credentials that are employed to establish trusted relationships between entities such as a service provider and one or more partners seeking access to the provider. The pass-phrase is generally constructed from weaker cryptographic material and is generally transported or communicated separately from the wrapped security credentials. When the partner desires to access service resources, the pass-phrase is employed to unlock the strong set of security credentials contained within the wrapper. The unlocked security credentials are then utilized to establish encrypted communications channels between the service provider and the partner.
    Type: Grant
    Filed: February 26, 2002
    Date of Patent: August 4, 2009
    Assignee: Microsoft Corporation
    Inventors: Matthew Charles Priestley, Daniel Doubrovkine
  • Patent number: 7571464
    Abstract: A local computer system and a remote computer system are connected by a network. When the local computer system needs to initiate communication with the remote computer system or vice versa, a cross-system request is generated, and placed in a request queue on the computer system generating the request. All cross-system requests residing on request queues are handled by two jobs executing on local computer system. The first of these jobs, a request push job, pushes cross-system requests existing on local computer system's request queue to the remote computer system's request queue. The second of these jobs, a request pull job, pulls cross-system requests existing on remote computer system's request queue over to local computer system's request queue. In this way, all cross-system communications are initiated from a computer system inside the firewall (e.g., local computer system) without violating any outside-in dataflow limitations.
    Type: Grant
    Filed: August 27, 2004
    Date of Patent: August 4, 2009
    Assignee: International Business Machines Corporation
    Inventor: Ryan Edward Watkins
  • Publication number: 20090193506
    Abstract: A method is disclosed for cryptographic peer discovery, authentication, and authorization. According to one embodiment, a data packet, which is addressed to a destination device other than an intermediary network device, is intercepted at the intermediary network device. The data packet contains a request and a group identifier. A shared secret cryptographic key, which is mapped to the group identifier, is selected. A challenge is sent toward an upstream device from whence the data packet came. A response is received. A verification value is generated based on the cryptographic key and the challenge. It is determined whether the response matches the verification value. If the response matches the verification value, then it is determined whether the request is allowed by an authorization set that is mapped to the group identifier. If the request is allowed, then a policy of the intermediary network device is configured based on the request.
    Type: Application
    Filed: January 24, 2008
    Publication date: July 30, 2009
    Inventors: David A. McGrew, Melinda L. Shore
  • Publication number: 20090193505
    Abstract: A requester requests a secure certificate for a domain name from a validating entity, such as a certification authority. To verify that the requestor has control over the domain name, the validating entity generates a pass string. The requestor enters the pass string into a domain zone. The validating entity determines if the pass string was entered in the domain zone. If the pass string is present in the domain zone, the validating entity may issue the secure certificate. If the pass string is not in the domain zone, the validating entity may deny issuing the secure certificate to the requestor.
    Type: Application
    Filed: January 24, 2008
    Publication date: July 30, 2009
    Applicant: THE GO DADDY GROUP, INC.
    Inventor: Eric Rodriguez
  • Publication number: 20090193224
    Abstract: Techniques for reducing storage space and detecting corruption in hash-based applications are presented. Data strings are hashed or transformed into numerically represented strings. Groupings of the numeric strings form a set. Each numeric string of a particular set is associated with a unique co-prime number. All the numeric strings and their corresponding co-prime numbers for a particular set are processed using a Chinese Remainder Theorem algorithm (CRT) to produce a single storage value. The single storage value is retained in place of the original numeric strings. The original numeric strings can be subsequently reproduced and verified using the single storage value and the co-prime numbers.
    Type: Application
    Filed: January 25, 2008
    Publication date: July 30, 2009
    Inventors: Vardhan Itta Vishnu, H. B. Puthali
  • Publication number: 20090193249
    Abstract: A system, device and method for keeping the identity of a user secret, while managing requests for information, in an information distribution system. The identity of the user is kept secret by the use of a persistent pseudonym and a temporary pseudonym, which are associated with a user identity device. The process of information distribution is enhanced by the use of licenses and certificates, which the user obtains by representing himself with the permanent pseudonym. When accessing the requested information, the user is represented by the temporary pseudonym.
    Type: Application
    Filed: May 24, 2005
    Publication date: July 30, 2009
    Applicant: KONINKLIJKE PHILIPS ELECTRONICS, N.V.
    Inventors: Claudine Viegas Conrado, Milan Petkovic, Willem Jonker
  • Patent number: 7568218
    Abstract: A selective cross-realm authenticator associates an identifier with a request from an entity authenticated in one realm to access a resource associated with a second realm. The identifier indicates that the entity was authenticated in a realm other than the realm associated with the requested resource. A domain controller associated with the resource performs an access check to verify that the authenticated user is authorized to authenticate to the requested resource. Permissions associated with the resource can be used to specify levels of access to be granted to entities authenticated by a domain controller associated with another realm.
    Type: Grant
    Filed: October 31, 2002
    Date of Patent: July 28, 2009
    Assignee: Microsoft Corporation
    Inventors: Praerit Garg, Cliff Van Dyke, Karthik Jaganathan, Mark Pustilnik, Donald E. Schmidt
  • Patent number: 7568235
    Abstract: A method that controls user access to the stored data elements using security label components is disclosed. Each stored data element is associated with a set of data security label components, and each user is associated with a set of user security label components. The method receives a user request to access the stored data elements, compares the set of user security label components to the set of data security label components associated with the users, and based on the comparison result, determines whether or not to permit access to the stored data.
    Type: Grant
    Filed: January 15, 2005
    Date of Patent: July 28, 2009
    Assignee: International Business Machines Corporation
    Inventors: Paul Miller Bird, Walid Rjaibi
  • Publication number: 20090187980
    Abstract: The present invention provides a method of authenticating, authorizing, encrypting and decrypting an application by utilizing a mobile secure server as the platform that can allow the subscriber to authenticate, authorize, encrypt or decrypt a document or an application through the mobile secure server. The account user can register and activate the service to have a secure banking transaction, such as online payment.
    Type: Application
    Filed: January 22, 2008
    Publication date: July 23, 2009
    Inventor: Tien-Chun TUNG
  • Patent number: 7565699
    Abstract: A system and method for detecting computer port inactivity are disclosed. In one embodiment, a system includes a router that has a first interface to communicate with a first connection at an end-user computer and a second interface to communicate with a second connection at a distributed computer network. The system includes detection logic responsive to the first interface to detect inactivity at the end-user computer and further includes blocking logic responsive to the detection logic. The blocking logic is operable to selectively initiate a blocking signal to disable communicating data received at the second interface to the end-user computer via the first interface. The detection logic and the blocking logic are embedded within a port of the router.
    Type: Grant
    Filed: August 30, 2007
    Date of Patent: July 21, 2009
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Brian Gonsalves, Kenneth Roger Jones
  • Patent number: 7565527
    Abstract: Techniques for generating a multi-factor asymmetric key pair having a public key and split private key with multiple private portions, at least one of the multiple portions being a multiple factor private key portion, are provided. First and second asymmetric key pairs are generated, each having a private key and a public key. A text string and the first private key are cryptographically combined to make a first private key portion of the split private key. This first private key portion is a multiple factor private key portion. A second private key portion of the split private key is generated based upon the generated first private key portion and the second private key.
    Type: Grant
    Filed: February 14, 2005
    Date of Patent: July 21, 2009
    Assignee: TriCipher, Inc.
    Inventors: Ravinderpal Singh Sandhu, Brett Jason Schoppert, Ravi Ganesan, Mihir Bellare, Colin Joseph deSa
  • Publication number: 20090183244
    Abstract: A method for providing multiple users with security access to an electronic system is provided. The method comprising: providing a plurality of parent security roles, wherein each parent security role includes a plurality of transactions authorized to be performed in the electronic system, providing a plurality of child security roles, wherein each child security role is derived from one of the plurality of parent security roles, setting up the multiple users in the electronic system and their associated user passwords, assigning one of the plurality of child security roles to each of the multiple users to provide the multiple users with security access to the electronic system at once, and providing each of the multiple users with security access to the electronic system, via the associated user password, in accordance with the child security role assigned to the user.
    Type: Application
    Filed: February 7, 2008
    Publication date: July 16, 2009
    Inventors: Sachin Saraf, Anupam Pandey
  • Patent number: 7562232
    Abstract: Improved approaches for accessing secured digital assets (e.g., secured items) are disclosed. In general, digital assets that have been secured (secured digital assets) can only be accessed by authenticated users with appropriate access rights or privileges. Each secured digital asset is provided with a header portion and a data portion, where the header portion includes a pointer to separately stored security information. The separately stored security information is used to determine whether access to associated data portions of secured digital assets is permitted. These improved approaches can facilitate the sharing of security information by various secured digital assets and thus reduce the overall storage space for the secured digital assets. These improved approaches can also facilitate efficient management of security for digital assets.
    Type: Grant
    Filed: July 25, 2002
    Date of Patent: July 14, 2009
    Inventors: Patrick Zuili, Klimenty Vainstein
  • Publication number: 20090178126
    Abstract: A system for providing computer services includes a camera and an electronic device. The camera obtains recognition information for a user. The electronic device is operable for executing a first operating system for conducting user authentication according to the recognition information and for automatically operating a user-defined application program after the user passes said user authentication.
    Type: Application
    Filed: December 29, 2008
    Publication date: July 9, 2009
    Inventors: Sterling DU, Shaolan WANG, Hongning ZENG
  • Publication number: 20090178125
    Abstract: A method and system for providing an online reputation of a client participating in one or more online forums. The method includes providing a unique client identifier associated with the client. In addition, a plurality of forum identifiers is provided for a plurality of online forums within which the client is participating, wherein each online forum is associated with a corresponding user profile. A plurality of unique verification codes is provided that is based on the plurality of forum identifiers and the client identifier. A plurality of verification sequences is provided for purposes of verifying a plurality of user profiles of the client associated with the plurality of online forums, wherein each of the plurality of verification sequences includes a corresponding verification code. Verification of a plurality of credentials associated with the plurality of user profiles is performed.
    Type: Application
    Filed: October 3, 2008
    Publication date: July 9, 2009
    Applicant: CREDME INC.
    Inventors: Timothy P. Barber, Lewis De Payne
  • Publication number: 20090178124
    Abstract: Managing via a web portal a remote device from a source device connected to a communication network. A device ID is assigned to the remote device, and a remote management software for remote management of the remote device is not installed on the source device or the remote device. Based on the assigned device ID, a connection is established with the remote device via the communication network. A first instruction is received from a user for authenticating access to the web portal. The user is authenticated in response to the received first instruction. An online status is established for the authenticated user. A second instruction is received from the authenticated user requesting access to the remote device. The device ID of the remote device is validated. The validated device ID is associated with the authenticated user. A connection is established between the remote device and the web portal.
    Type: Application
    Filed: January 9, 2008
    Publication date: July 9, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Todd Ryun Manion, Kestutis Patiejunas, Junfeng Zhang, Ryan Yonghee Kim
  • Patent number: 7559084
    Abstract: Terminal information of a user terminal requesting a log-in is acquired, a log-in procedure to be applied to the user terminal is determined based on the terminal information, a log-in operation based on the determined log-in procedure is accepted, and the log-in from the user terminal is permitted when the log-in operation is right.
    Type: Grant
    Filed: February 9, 2004
    Date of Patent: July 7, 2009
    Assignee: Fujitsu Limited
    Inventor: Hiroyuki Komai
  • Patent number: 7558964
    Abstract: A method, apparatus, system, and signal-bearing medium that, in an embodiment, receive cues, one-time passwords, and a presentation order. The cues and one-time passwords are associated with a user name. In response to a cue request, the cues are presented in the presentation order and input data is received. If the input data matches the associated one-time password, then access to secure information is granted and the one-time password is invalidated. If the input data does not match the associated one-time password, then access to secure information is denied. In various embodiments, the cues may be text, images, audio, or video. In this way, in an embodiment, one-time passwords may be used in response to cues, which may increase security when accessing information from a non-trusted client because if the one-time password is misappropriated via the non-trusted client, the one-time password is no longer valid for future use.
    Type: Grant
    Filed: September 13, 2005
    Date of Patent: July 7, 2009
    Assignee: International Business Machines Corporation
    Inventors: Carlos David Bermudez, Joseph William Cropper
  • Publication number: 20090172793
    Abstract: Computer-implemented methods for delegating access to online accounts and for facilitating delegates' access to these online accounts are disclosed. In one embodiment, a method for delegating access to an online account comprises receiving a request to delegate access to a first online account to a first delegate, identifying the first online account, identifying a contact record for the first delegate, and delegating access to the first online account to the first delegate by associating the contact record for the first delegate with the first online account. Corresponding systems and computer-readable media are also disclosed.
    Type: Application
    Filed: December 31, 2007
    Publication date: July 2, 2009
    Applicant: Symantec Corporation
    Inventors: Keith Newstadt, Shaun Cooley
  • Publication number: 20090172443
    Abstract: Methods, apparatuses, and computer program products that respond to wake events of communication networks are disclosed. One or more embodiments comprise setting a wake password of a computing device, such as a notebook computer or a server. Some of the embodiments comprise receiving a wake request from a communications network, establishing a secure communication session, and setting the wake password with the secure communication session. Some embodiments comprise an apparatus having a network controller to allow a platform to communicate via a communications network, non-volatile memory that stores a wake password, and a management controller which may communicate with a management console via a secure communication session to update the wake password. In one or more embodiments, the network controller may wake management hardware and/or wake the management controller while keeping one or more of the devices in the power conservation mode.
    Type: Application
    Filed: December 31, 2007
    Publication date: July 2, 2009
    Inventors: Michael A. Rothman, Arvind Kumar, Vincent J. Zimmer, Patrick G. Kutch, Omer Levy
  • Publication number: 20090172792
    Abstract: An apparatus, system, and method are disclosed for Asynchronous Java Script and XML (AJAX) form-based authentication using Java 2 Platform Enterprise Edition (J2EE). The apparatus for AJAX form-based authentication using J2EE is provided with a plurality of modules configured to functionally execute the necessary steps for redirecting an AJAX client request to an authentication required servlet, issuing an AJAX response to the client, authenticating the user security credentials, and processing the client request for secure data. In addition, a method of the present invention is also presented for programming Asynchronous Java Script and XML (AJAX) form-based authentication that avoids a page change using Java 2 Platform Enterprise Edition (J2EE).
    Type: Application
    Filed: December 27, 2007
    Publication date: July 2, 2009
    Applicant: International Business Machines Corporation
    Inventor: Richard A. Backhouse
  • Patent number: 7555783
    Abstract: A credential provisioning technique is provided that is secure yet easy to administer. A credential provisioner such as a network AP is configured to leave a secure mode of operation and allow open authentication with a wireless supplicant. After open authentication is established, the wireless supplicant requests credential provisioning. In response, the credential provisioner supplies the supplicant with an encrypted password. To prevent unauthorized access, the supplicant again requests credential provisioning but also proves knowledge of the encrypted password. At least one credential is supplied to the wireless supplicant in response to the proof only if a waiting period expires with just one request for credential provisioning being received by the credential provisioner.
    Type: Grant
    Filed: January 21, 2005
    Date of Patent: June 30, 2009
    Assignee: Cisco Technology, Inc.
    Inventor: Mark Enright
  • Patent number: 7555771
    Abstract: A method of managing access to a network resource is provided. An access query generated by a user requesting access to one of a group of resources is received. In response, a directory schema is used to determine the privileges assigned to the user for accessing the resource. The directory schema includes an association object associating user objects representing multiple users, a resource group object representing the group of resources, and privilege objects representing privileges of users for accessing each of the group of resources such that the association defines the privileges of various users for accessing the group of resources.
    Type: Grant
    Filed: March 22, 2005
    Date of Patent: June 30, 2009
    Assignee: Dell Products L.P.
    Inventors: Bradley P. Bransom, Christopher J. Conner
  • Publication number: 20090165101
    Abstract: A method of providing permissions to consume content objects within a domain includes creating a domain and a domain membership rights object for each member. The domain facilitates the sharing of content objects amongst the members of the domain. The domain membership rights objects for each member include permissions for each member in the domain to consume content objects in the domain.
    Type: Application
    Filed: December 21, 2007
    Publication date: June 25, 2009
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Petr Peterka, David Kravitz, Paul Montague
  • Publication number: 20090165102
    Abstract: This disclosure describes, generally, methods and systems for password management. In one embodiment, a method may include receiving, at a centralized password repository, requests from users. Each request may be configured to request a password to allow access to an associated application. In one embodiment, at least two of the users are at different locations. The method may further include performing a validation analysis for the users' credentials, and in response to verification of a user's credentials, transmitting a response including the password configured to provide access to the associated application.
    Type: Application
    Filed: December 21, 2007
    Publication date: June 25, 2009
    Applicant: Oracle International Corporation
    Inventor: Renzo Zagni
  • Publication number: 20090165104
    Abstract: In a method for improving client's login and sign-on security in accessing services offered by service providers over shared network resources such as Internet and particularly working within the framework of the www, a password is created for the client at a first attempt to access the service provider. The client's password is generated either at an authentication authority in trust relationship with the service provider and transmitted to the client, or the client is allowed to create his or her password on the basis of random character sequences transmitted from the authentication authority. For subsequent access to the service provider the authentication authority presents a client for characters in ordered sequences or in a diagram containing in an appropriate order a single occurrence of each password character.
    Type: Application
    Filed: December 18, 2008
    Publication date: June 25, 2009
    Inventors: Stein H. DANIELSEN, Geirr I. Leistad
  • Publication number: 20090165103
    Abstract: The present invention provides an apparatus for sharing a user control enhanced digital identity that allows a user to have all controls and control the flow of identity sharing on the user basis when the user shares user's personal information. According to the present invention, a user can decrease infringement of personal information due to illegal usage of the personal information by allowing a user to control usage of user's personal information and prevent the user's personal information from being carelessly used. Further, a provider that provides the services can efficiently associate the services between providers.
    Type: Application
    Filed: December 9, 2008
    Publication date: June 25, 2009
    Inventors: Sangrae Cho, Youngseob Cho, Jonghyouk Noh, Daeseon Choi, Soohyung Kim, Seunghyun Kim, Seunghun Jin
  • Patent number: 7552469
    Abstract: A method for generating a word sequence for a passcode involves choosing a schema to guide the generation of the word sequence, and transforming the passcode into the word sequence using the schema, wherein the word sequence contains mnemonic structure.
    Type: Grant
    Filed: June 22, 2006
    Date of Patent: June 23, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Whitfield Diffie, William A. Woods
  • Patent number: 7552468
    Abstract: Techniques are provided for dynamically establishing and managing authentication and trust relationships. An identity service acquires and evaluates contracts associated with relationships between principals. The contracts permit the identity service to assemble authentication information, aggregated attributes, and aggregated policies which will drive and define the various relationships. That assembled information is consumed by the principals during interactions with one another and constrains those interactions. In some embodiments, the constraints are dynamically modified during on-going interactions between the principals.
    Type: Grant
    Filed: August 24, 2007
    Date of Patent: June 23, 2009
    Assignee: Novell, Inc.
    Inventors: Lloyd Leon Burch, Douglas G. Earl, Stephen R Carter, Robert Mark Ward
  • Publication number: 20090158302
    Abstract: An application programming interface (API) translation agent and method for converting a message from one application configured according to a first API to a message configured according to a second API so that the first application, which is configured to communicate only in accordance with the first API, can communicate with a second application, which is configured to communicate only in accordance with the second API. The first and second applications can include a security application and a network access control (NAC) agent installed on an end point computing device, and the API translation agent can be used by the NAC agent to obtain information regarding a security status of the end point computing device, the information being used to determine whether the end point computing device is in compliance with the security policies of a network.
    Type: Application
    Filed: December 13, 2007
    Publication date: June 18, 2009
    Applicant: FIBERLINK COMMUNICATIONS CORPORATION
    Inventors: Blair Nicodemus, Thomas Herchek
  • Publication number: 20090153292
    Abstract: The current invention describes methods and apparatuses for providing improved security for access to networks, on and off the Internet. A series of sign-in options configured according to several parameters prevent several types of automatic hacking. The nature of the choices for access, the method of controlling one's choices, and the method of randomization are new. Devices for applying these options include data-processing units such as computers and cell phones to which these methods are written. Some applications of increased security are online storage solutions, web-based email, and a shopping cart system. One particular combination of these applications that is discussed is the integration of web-based email with online storage for other files as well.
    Type: Application
    Filed: November 13, 2006
    Publication date: June 18, 2009
    Inventor: Daniel Farb
  • Publication number: 20090158049
    Abstract: In an embodiment, a secure module is provided that provides access keys to an unsecured system. In an embodiment, the secure module may generate passcodes and supply the passcodes to the unsecured system. In an embodiment, the access keys are sent to the unsecured system after receiving the passcode from the unsecured system. In an embodiment, after authenticating the passcode, the secure module does not store the passcode in its memory. In an embodiment, the unsecured module requires the access key to execute a set of instructions or another entity. In an embodiment, the unsecured system does not store access keys. In an embodiment, the unsecured system erases the access key once the unsecured system no longer requires the access key. In an embodiment, the unsecured system receives a new passcode to replace the stored passcode after using the stored passcode. Each of these embodiments may be used separately.
    Type: Application
    Filed: June 7, 2008
    Publication date: June 18, 2009
    Inventor: Michael Stephen Fiske