Management Patents (Class 726/6)
  • Publication number: 20090158409
    Abstract: A device capable of remote configuration, provisioning and/or updating comprising a network detector capable of detecting a network regardless of the state of the operating system on the device, wherein the network requires layer two authentication, and an Embedded Trust Agent capable of generating an authentication credential for layer two authentication and communicating the authentication credential via a layer two authentication protocol without a functioning operating system.
    Type: Application
    Filed: December 29, 2007
    Publication date: June 18, 2009
    Inventor: Hormuzd M. Khosravi
  • Publication number: 20090158034
    Abstract: An authentication gateway apparatus for accessing a ubiquitous service includes: an authentication server of a service provider that receives an authentication data request message from a portable apparatus, and provides an authentication token; a first authentication device of the portable apparatus that transmits the authentication data request message to the authentication server, receives and stores an authentication token from the authentication server, and is used as a representative authentication device; and second authentication devices of ubiquitous apparatuses that are connected to the first authentication device of the portable apparatus by a wireless communication system, and have individual unique values.
    Type: Application
    Filed: September 18, 2008
    Publication date: June 18, 2009
    Inventors: Jabeom GU, Jaehoon NAH, Jongsoo JANG
  • Publication number: 20090158407
    Abstract: An application programming interface (API) translation agent and method for converting a message from one application configured according to a first API to a message configured according to a second API so that the first application, which is configured to communicate only in accordance with the first API, can communicate with a second application, which is configured to communicate only in accordance with the second API. The first and second applications can include a security application and a network access control (NAC) agent installed on an end point computing device, and the API translation agent can be used by the NAC agent to obtain information regarding a security status of the end point computing device, the information being used to determine whether the end point computing device is in compliance with the security policies of a network.
    Type: Application
    Filed: December 13, 2007
    Publication date: June 18, 2009
    Applicant: FIBERLINK COMMUNICATIONS CORPORATION
    Inventors: Blair Nicodemus, Thomas Herchek
  • Publication number: 20090158408
    Abstract: Methods, systems, and computer products for providing media over an Internet Protocol (IP) based network. The methods, systems, and computer products include receiving a handle and/or password input by a user, associating the handle and/or password to a channel inaccessible by the public, mapping the handle and/or password input by the user to the inaccessible channel, and providing the inaccessible channel to the user.
    Type: Application
    Filed: December 18, 2007
    Publication date: June 18, 2009
    Applicant: AT&T DELAWARE INTELLECTUAL PROPERTY, INC
    Inventors: Jeffrey Cassanova, N. Peter Hill
  • Patent number: 7549043
    Abstract: A system and method for searching and retrieving certificates, which may be used in the processing of encoded messages. In one broad aspect, a message management server generates certificate identification data from a message that uniquely identifies a certificate associated with the message. The certificate identification data can then be used to determine whether a given located certificate retrieved from one or more certificate servers in response to a certificate search request is the certificate associated with the message. Only the certificate identification data is needed to facilitate the determination at a user's computing device (e.g. a mobile device), alleviating the need for the user to download the entire message to the computing device in order to make the determination.
    Type: Grant
    Filed: September 1, 2004
    Date of Patent: June 16, 2009
    Assignee: Research In Motion Limited
    Inventors: Neil P. Adams, Michael S. Brown, Herbert A. Little
  • Patent number: 7549174
    Abstract: A system including an application configured to request a key, a keystore configured to provide the key, wherein the keystore comprises a non-application specific directory, and an application-specific subdirectory.
    Type: Grant
    Filed: July 27, 2004
    Date of Patent: June 16, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: James H. Falkner, Darren J. Moffat, Paul J. Sangster
  • Patent number: 7549048
    Abstract: The principles of the present invention relate to systems, methods, and computer program products for more efficiently and securely authenticating computing systems. In some embodiments, a limited use credential is used to provision more permanent credentials. A client receives a limited-use (e.g., a single-use) credential and submits the limited-use credential over a secure link to a server. The server provisions an additional credential (for subsequent authentication) and sends the additional credential to the client over the secure link. In other embodiments, computing systems automatically negotiate authentication methods using an extensible protocol. A mutually deployed authentication method is selected and secure authentication is facilitated with a tunnel key that is used to encrypt (and subsequently decrypt) authentication content transferred between a client and a server. The tunnel key is derived from a shared secret (e.g., a session key) and nonces.
    Type: Grant
    Filed: March 19, 2004
    Date of Patent: June 16, 2009
    Assignee: Microsoft Corporation
    Inventors: Trevor William Freeman, Timothy M. Moore, Bernard D. Aboba, Daniel R. Simon
  • Publication number: 20090150971
    Abstract: Techniques for dynamic generation and management of password dictionaries are presented. Passwords are parsed for recognizable terms. The terms are housed in dictionaries or databases. Statistics associated with the terms are maintained and managed. The statistics are used to provide strength values to the passwords and determine when passwords are acceptable and unacceptable.
    Type: Application
    Filed: December 7, 2007
    Publication date: June 11, 2009
    Inventors: Srinivas Vedula, Cameron Craig Morris
  • Publication number: 20090150678
    Abstract: The present invention provides a computer and a method of sending security information for authentication, which relate to transmission of data information in computers. The present invention solves the vulnerability of information when a user conducts network transaction activities by a terminal. The computer of the present invention comprises: a virtual system platform; a first guest operating system installed on the virtual system platform, which is for installing a service application module, wherein the service application module generates a security information input interface when it is being executed; a second guest operating system installed on the virtual system platform; the second guest operating system comprises: a dynamic password generation module for generating security information, the security information is input into the security information input interface and is sent to a network server for authentication. The security of network activities conducted by users can be enhanced.
    Type: Application
    Filed: December 9, 2008
    Publication date: June 11, 2009
    Applicants: Beijing Lenovo Software Limited, Lenovo (Beijing) Limited
    Inventors: Zhigang Li, Min Hu, Rongfeng Feng, Yi Zhang
  • Publication number: 20090144814
    Abstract: An automated system for credentialing physicians or practitioners in other professions employs a databank of verified practitioner data on a central computer server. The file for each practitioner can include education, employment history, board certification record, and derogatory information, such as disciplinary proceedings, if any. A remote computer station can access the central computer server to download a credentialing profile on the computer screen. The computer station can have an RFID reader for inputting a practitioner identity code that uniquely identifies the respective practitioner. There may be RFID tags embedded in diplomas or certificates to aid in verifying authenticity.
    Type: Application
    Filed: December 3, 2007
    Publication date: June 4, 2009
    Inventor: John S. Sacco
  • Patent number: 7543147
    Abstract: A method for creating a proof of possession confirmation for inclusion by an attribute certificate authority into an attribute certificate, the attribute certificate for use by an end user. The method includes receiving from the attribute certificate authority in response to a request by the end user, a plurality of data fields corresponding to a target system, the identity of the end user, and a proof of identity possession by the end user. The method further includes preparing a data structure corresponding to an authorization attribute of the attribute certificate, the data structure including a target system name, the identity of the end user, and the key identifier of the end user. Using a private key associated with the target system, the method includes signing the data structure resulting in a proof of possession confirmation, and sending the proof of possession confirmation to the attribute certificate authority for inclusion into the attribute certificate.
    Type: Grant
    Filed: October 28, 2004
    Date of Patent: June 2, 2009
    Assignee: International Business Machines Corporation
    Inventors: Messaoud B. Benantar, Thomas L. Gindin, James W. Sweeny
  • Publication number: 20090136026
    Abstract: The invention relates to embedding a spread spectrum watermark in a data signal as well as to detection of the embedded watermark. A data signal (4) is encrypted (15) or received in the form of an encrypted data signal (9), the signal being encrypted by modifying (3) it in accordance with one or more entries of a look-up-table (2) in which an encryption table (6) is stored. The encryption is carried out by a first computing device (15) such as a server device. The watermark is actually embedded while decrypting (13) the signal. This takes place in a second computing device (16), possibly in a client device, in a similar manner. The client device employs a decryption table (8), which is a modified (i.e. watermarked) version of the encryption table (6). The decryption table may be generated by the server and securely communicated to the client. The data signal is decrypted in accordance with entries of a look-up-table (12).
    Type: Application
    Filed: March 29, 2007
    Publication date: May 28, 2009
    Applicant: KONINKLIJKE PHILIPS ELECTRONICS N.V.
    Inventors: Mehmet Utku Celik, Aweke Negash Lemma, Minne Van Der Veen
  • Publication number: 20090138949
    Abstract: A set of one or more positional control parameters includes at least one of a geographic limit, a velocity limit, and a direction of travel limit. A control list identifies at least one feature in a mobile device. The at least one feature may be associated with at least one of the positional control parameters.
    Type: Application
    Filed: November 27, 2007
    Publication date: May 28, 2009
    Applicant: Verizon Corporate Services Group Inc.
    Inventor: David J. O'Neill
  • Publication number: 20090138717
    Abstract: A system and method are described for securing over the air communications between a service and a communication device. For example, one embodiment of a method for creating a security token on a communication device for communication between the communication device and a service includes combining a device identification of the communication device with a device capability to create a device information, the device capability known by the service. The method further includes encrypting the device information.
    Type: Application
    Filed: May 11, 2007
    Publication date: May 28, 2009
    Inventors: Pablo Calamera, Oscar A. Montemayor, Henry W. Gebhardt, III, Mandar Khadilkar, Joe Freeman Britt, JR.
  • Publication number: 20090138948
    Abstract: A system and method are described for securing over the air communications between a service and a communication device. For example, one embodiment of a method for creating a security token on a communication device for communication between the communication device and a service includes combining a device identification of the communication device with a device capability to create a device information, the device capability known by the service. The method further includes encrypting the device information.
    Type: Application
    Filed: May 11, 2007
    Publication date: May 28, 2009
    Inventors: Pablo Calamera, Oscar A. Montemayor, Henry W. Gebhardt, III, Mandar Khadilkar, Joe Freeman Britt, JR.
  • Patent number: 7539862
    Abstract: A system and method is provided to verify configuration of a client access device requesting access to a network by establishing a communications link between a network access system and the client access device to authenticate and authorize the client access device and a user associated with the client access device. The network access system further receives client device configuration data from the client access device over the communications link during an authentication and authorization exchange and processes the client device configuration data to determine if the client access device will be granted access to the network.
    Type: Grant
    Filed: April 8, 2004
    Date of Patent: May 26, 2009
    Assignee: iPass Inc.
    Inventors: Jeff Steven Edgett, Barbara Nelson, John Robert Vollbrecht, Roy David Albert, James Marion Underwood, Blair Thomas Bullock
  • Patent number: 7540021
    Abstract: The present invention relates to an information security bot system for the mitigation of damage upon its victims, or enforcement of Identity Theft laws, by searching and inducing transactions with perpetrators of identity crimes (e.g. identity theft). Searching is accomplished using a software spider search robot (“bot”) that turns any transmitted personal information into a bit-keyed array that cannot betray any of the known information of the users. Transactions with perpetrators are induced and affected using machine generated natural language techniques. In instances of success, data (actual, bogus or “poisoned”) is transferred to or received from said perpetrators. This data can be used to protect victims or to ensnare perpetrators. In addition, the invention relates to offensive and proactive prevention of identity theft and other related crimes.
    Type: Grant
    Filed: September 14, 2006
    Date of Patent: May 26, 2009
    Inventor: Justin Page
  • Patent number: 7540014
    Abstract: A distributed enterprise includes a policy management module and policy library for automating policy change alerting. The policy management module and policy library are configured to list associations between published policies, published policy exceptions, and one or more systems policies, and to determine if changes to published (written) enterprise policies, published policy exceptions, or systems policies have occurred. The policy management module and policy library are also configured to notify personnel of the distributed enterprise so that appropriate actions may be implemented.
    Type: Grant
    Filed: February 23, 2005
    Date of Patent: May 26, 2009
    Assignee: Microsoft Corporation
    Inventors: Karan Vasishth, Kimberley Ann Hunter, Laurie A. Brown, Mark David Lawrence, Matthias Leibmann, Michelle Beaulieu
  • Patent number: 7540020
    Abstract: One embodiment of the present invention provides a system that performs single sign-on to web applications using dynamic directives. The system operates by first receiving a request at an application to provide content to a user. In response to the request, the application provides public content to the user. Upon receiving a request from the user to access private content, the application sends a dynamic directive to a web module that can access a single sign-on server on behalf of the application, wherein the dynamic directive specifies that an authentication credential is required from the user. Next, the application allows the web module to request the authentication credential from the single sign-on server on behalf of the application. When the authentication credential is received from the single sign-on server, the application provides the private content to the user.
    Type: Grant
    Filed: February 19, 2003
    Date of Patent: May 26, 2009
    Assignee: Oracle International Corporation
    Inventors: Kamalendu Biswas, Arun Swaminathan, Gaurav Bhatia
  • Patent number: 7539857
    Abstract: A cooperative processing and escalation method and system for use in multi-node application-layer security management is disclosed. The method includes the steps of identifying individual application security nodes, grouping and configuring nodes for cooperative processing, assigning the default operational mode at each node, assignment of logging and alert event tasks at each node, and defining escalation and de-escalation rules and triggers at each node. Both loosely-coupled and tightly-coupled configurations, each with its cooperative processing model, are disclosed. The method includes provision for central console configuration and control, near real-time central console dashboard operations interface, alert notification, and operator override of operational modes and event tasks.
    Type: Grant
    Filed: October 17, 2005
    Date of Patent: May 26, 2009
    Assignee: Protegrity USA, Inc.
    Inventors: Jeannine A. Bartlett, Yigal Rozenberg
  • Publication number: 20090133107
    Abstract: A method and a system are disclosed, of enabling a user of an Internet application to access protected information. An idea behind at least one embodiment of the invention is that a user identifier token is created, after a user has been authenticated by way of a logon mechanism of the Internet application. The user identifier token is then associated with the authenticated user and stored at an Internet client of the authenticated user. When protected information is to be made available for a requesting user, the concerned set of protected information is associated with the authenticated user and an information identifier token is created and associated with the protected information. The information identifier token is delivered to the authenticated user via e-mail.
    Type: Application
    Filed: April 20, 2005
    Publication date: May 21, 2009
    Inventor: Anders Thoursie
  • Patent number: 7536713
    Abstract: Embodiments of the system may utilize a Knowledge Broadcasting System for specifying content metadata and locating Internet documents. In this instance embodiments of the invention comprise an improved manner of specifying the content of an Internet document in such a way that the users of the system are able to retrieve relevant Internet documents. This is accomplished using a three-tiered search engine where the first-tier is denoted as a category search, the second tier is denoted as a context search, and the third-tier is denoted as a keyword search. At each step relevant information is filtered out and the focus of the search is narrowed. In the general search, the user narrows the focus of the search by selecting a hierarchical definition.
    Type: Grant
    Filed: December 11, 2003
    Date of Patent: May 19, 2009
    Inventor: Alan Bartholomew
  • Patent number: 7536712
    Abstract: Multiple different credentials and/or signatures based on different credentials may be included in a header portion of a single electronic message. Different recipients of intermediary computing systems may use the different credentials/signatures to identify the signer. The electronic message may include an encoding algorithm and a type identification of a credential included in the electronic message, allowing the recipient to decode and process the credential as appropriate given the type of credential. Also, the electronic message may include a pointer that references a credential associated with a signature included in the electronic message. That referenced credential may be accessed from the same electronic message, or from some other location. The recipient may then compare the referenced credential from the credentials used to generate the signature. If a match occurs, the integrity of the electronic message has more likely been preserved.
    Type: Grant
    Filed: October 23, 2003
    Date of Patent: May 19, 2009
    Assignee: Microsoft Corporation
    Inventors: Christopher J. Kaler, John P. Shewchuk, Giovanni M. Della-Libera
  • Publication number: 20090125994
    Abstract: Communication between a human user and a computer over an insecure channel is accomplished by encoding user input using one or more character substitution tables. The character substitution tables are transmitted to the user over the insecure channel in a perceptually modified form which renders them difficult for use by automated adversaries but keeps them easily understandable by humans.
    Type: Application
    Filed: November 14, 2007
    Publication date: May 14, 2009
    Inventor: Igor Fischer
  • Publication number: 20090123130
    Abstract: A method of recording content data of a system including a transcoding device connectable to a recorder, via a communication network. The method includes transcoding source content data into transcoded content data, transmitting, without recording the transcoded content data locally, the transcoded content data to the recorder via the communication network in substantially real time, and recording the transcoded content data onto a recording medium. Accordingly, the content data can be directly recorded onto a recording medium of another device, not on a recording medium related to the transcoding device. Consequently, an apparatus including the transcoding device can obtain content data without a limit on storage capacity.
    Type: Application
    Filed: October 24, 2007
    Publication date: May 14, 2009
    Applicant: Samsung Electronics Co., Ltd.
    Inventor: Ji-sang KIM
  • Publication number: 20090125996
    Abstract: A mobile trusted platform (MTP) configured to provide virtual subscriber identity module (vSIM) services is disclosed. In one embodiment, the MTP includes: a device manufacturer-trusted subsystem (TSS-DM) configured to store and provide credentials related to a manufacturer of the MTP; a mobile network operator-trusted subsystem (MNO-TSS) configured to store and provide credentials related to a mobile network operator (MNO); and a device user/owner-trusted subsystem (TSS-DO/TSS-U) configured to store and provide credentials related to user of the MTP. The TSS-MNO includes a vSIM core services unit, configured to store, provide and process credential information relating to the MNO. The TSS-DO/TSS-U includes a vSIM management unit, configured to store, provide and process credential information relating to the user/owner of the MTP. The TSS-DO/TSS-U and the TSS-MNO communicate through a trusted vSIM service.
    Type: Application
    Filed: September 19, 2008
    Publication date: May 14, 2009
    Applicant: INTERDIGITAL PATENT HOLDINGS, INC.
    Inventors: Louis J. Guccione, Andreas U. Schmidt, Nicolai Kuntze, Michael Kasper, Yogendra C. Shah, Inhyok Cha
  • Publication number: 20090125997
    Abstract: Structures and methods are disclosed for facilitating secure connectivity of a remote client to an enterprise network using OTP-enabled nodes of a remote access platform. Embodiments described herein include an OTP device associated with a client device (for example and without limitation, an OTP device residing within a PC card associated with a laptop or desktop computer) defining a first node of a remote access platform; and an OTP server defining a second node of a remote access platform that generates and maintains the same OTP as the OTP device at the first node, for purposes of authenticating the client device and/or user of the client device.
    Type: Application
    Filed: October 31, 2008
    Publication date: May 14, 2009
    Inventor: Debra L Cook
  • Publication number: 20090125993
    Abstract: A method for protecting against keylogging, the method includes: detecting from a host browser application, a request for a password input by a user of an alphanumeric input device in an entry field of a transaction; inserting a temporary indicator password in the entry field; sending an identifier of the host application with the temporary indicator password to an alternative device; retrieving a user assigned password stored in a table in the alternative device in response to matching the identifier of the host application and the temporary indicator password; sending the user assigned password to the host application; inserting the user assigned password in place of the temporary indicator password in the entry field; and sending the transaction to a server for verification and further processing.
    Type: Application
    Filed: November 12, 2007
    Publication date: May 14, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Wayne M. Delia, Edward E. Kelley, Franco Motika
  • Publication number: 20090125992
    Abstract: The present invention provides a system and method for establishing security credentials for using an Internet or other network application requiring user authentication. In an exemplary embodiment, a user electronic device may connect to an application server to initiate use of the application. The application server may respond by transmitting to the user electronic device session identification information (a Session ID). The user electronic device may then transmit an SMS message containing the Session ID back to the application server, which permits the application server to link to the user electronic device. The application server may generate for the user encrypted security credentials and transmit an encryption key for them to the user electronic device in a response SMS message. In a separate message, the security credentials are transmitted to the user. In this manner, only the legitimate user electronic device has both the encryption key and the encrypted security credentials.
    Type: Application
    Filed: November 9, 2007
    Publication date: May 14, 2009
    Inventors: Bo Larsson, Henrik Bengtsson, Troed Sangberg
  • Publication number: 20090125995
    Abstract: A system for the time-based accounting of access by users to services provided by a data network includes a primary access node to provide access by users by establishing via the primary access node a steady connectivity between the users and the network. A secondary access node is associated with the primary access node, such secondary access node being configured for acting as a backup node to maintain connectivity in the case of failure involving the primary access node. The primary access node is configured for issuing a request for credentials for any user requesting access to said data network and, as a result of receiving valid credentials from the user, starts time-based accounting for the user. An authentication node cooperative with the primary access node and the secondary access node stores the secondary access node information items concerning the time-based accounting started for the user.
    Type: Application
    Filed: January 20, 2006
    Publication date: May 14, 2009
    Inventors: Vinicio Vercellone, Mario Ullio, Gennaro Amelio
  • Patent number: 7533407
    Abstract: A client quarantine agent requests a bill of health from a quarantine server, and receives a manifest of checks that the client computer must perform. The quarantine agent then sends a status report on the checks back to the quarantine server. If the client computer is in a valid security state, the bill of health is issued to the client. If the client computer is in an invalid state, the client is directed to install the appropriate software/patches to achieve a valid state. When a client requests the use of network resources from a network administrator, the network administrator requests the client's bill of health. If the bill of health is valid, the client is admitted to the network. If the bill of health is invalid, the client is placed in quarantine.
    Type: Grant
    Filed: April 14, 2004
    Date of Patent: May 12, 2009
    Assignee: Microsoft Corporation
    Inventors: Elliot D. Lewis, Hakan Berk, Narendra C. Gidwani, Jesper M. Johansson, Timothy M. Moore, Ashwin Palekar, Calvin C. Choe
  • Patent number: 7533157
    Abstract: A method of controlling access in a content management system includes defining a domain among a plurality of domains for the content management system and designating a domain administrator for the domain. This enables the domain administrator to perform administrative tasks within the domain without revealing or affecting information in other domains of the content management system. For example, a domain administrator can view user information only for users associated with that domain. The domain administrator also can associate a user with only the defined domain, thereby limiting the user's access to information in the system to information associated with the domain.
    Type: Grant
    Filed: December 24, 2002
    Date of Patent: May 12, 2009
    Assignee: International Business Machines Corporation
    Inventors: Tawei Hu, Kenneth Carlin Nelson, Tracee Tao, Mimi Phuong-Thao Vo, Yuping Wang
  • Publication number: 20090119761
    Abstract: The generation of a unique password using a secret key and an application name is disclosed. Other passwords may be generated for other applications using the same key. A user provides a key that is not easily able to be guessed by third parties. The user also inputs a name of an application for which a password is desired. The system utilises the application name and the secret key to generate a unique password for that application, using standard encryption techniques. The system generates the same password for that application and secret key combination every time. Alternate embodiments generate a user identifier from the same secret key and application name.
    Type: Application
    Filed: January 8, 2009
    Publication date: May 7, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Manjeri Ramanathan Dharmarajan
  • Publication number: 20090119759
    Abstract: A method and arrangement for utilising a generally available personal data terminal as a secure and reliable authentication factor for user authentication is described. Also, a method for secure transfer of data between two parties, a user and a service provider, where the user generates a unique authentication factor adapted for user authentication (104), called a user code, and the service provider registering the user's user code as an authentication factor is disclosed. The method is useful for various security services involving a user and a service provider in electronic channels where service providers are faced with the challenges of authenticating the users of their services.
    Type: Application
    Filed: October 3, 2006
    Publication date: May 7, 2009
    Inventor: Petter Taugbol
  • Publication number: 20090119760
    Abstract: A method for reconfiguring the security mechanism of a wireless network system includes steps of: sending a packet from a network node to a mobile node; sending a negotiation packet from the mobile node to the network node according to a selected authentication protocol; the mobile node and the network node proceeding with the authentication process if the received negotiation packet is valid; the mobile node and the network node generating a security association after the authentication process is completed.
    Type: Application
    Filed: October 31, 2008
    Publication date: May 7, 2009
    Applicant: NATIONAL TSING HUA UNIVERSITY
    Inventors: SHAO HSIU HUNG, JYH CHENG CHEN, CHENG KUAN HSIEH
  • Patent number: 7530117
    Abstract: A server transmits, to clients, display data for displaying a plurality of input areas for pieces of identification information which identify apparatuses in which software is to be installed. The server receives the plurality of pieces of identification information input to the input areas. The server then issues, to the clients, license information for permitting installation of the software to the apparatuses corresponding to the pieces of received identification information. This makes it possible to efficiently issue license information of software.
    Type: Grant
    Filed: June 8, 2004
    Date of Patent: May 5, 2009
    Assignee: Canon Kabushiki Kaisha
    Inventors: Mitsuharu Tanaka, Kikuo Naito, Tsutomu Inose, Kazuhiro Kasai, Daisuke Tanaka
  • Patent number: 7530112
    Abstract: A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.
    Type: Grant
    Filed: September 10, 2003
    Date of Patent: May 5, 2009
    Assignee: Cisco Technology, Inc.
    Inventor: Michael R. Smith
  • Patent number: 7530097
    Abstract: A method of controlling password changes in a system having a plurality of data processing systems having separate password registries. Contents of passwords in the password registries of the data processing systems are controlled using password content policies that are centrally shared between the plurality of data processing systems.
    Type: Grant
    Filed: June 5, 2003
    Date of Patent: May 5, 2009
    Assignee: International Business Machines Corporation
    Inventors: Luis Benici Casco-Arias, Pratik Gupta, David Gerard Kuehr-McLaren, Andrew David Record
  • Patent number: 7530101
    Abstract: A method of operating via a smart card an access gateway between a local area network and a wide area network under the control of a management system includes the steps of providing in the smart card at least a first memory area containing configuration data for access to the wide area network that cannot be modified by the user and a second memory area adapted for storing personalized configuration data of the user, and providing in the access gateway a third memory area and storing the contents of the second memory area of the smart card in the third memory area.
    Type: Grant
    Filed: February 21, 2003
    Date of Patent: May 5, 2009
    Assignees: Telecom Italia S.p.A., Pirelli & C. S.p.A.
    Inventors: Paolo Gallo, Ilario Gregori, Simonetta Mangiabene, Marco Polano, Nicola Portinaro
  • Publication number: 20090113530
    Abstract: An authentication server authenticates a first user, and generates a voucher code that is provided to the authenticated first user. The first user may provide the voucher code to a second user, responsive to a request by the second user for the first user to vouch for the second user, to thereby allow the second user to be authenticated. The authentication server receives the voucher code from the second user, and authenticates the second user based on the voucher code. The authenticated second user may be provided with a temporary password or other type of code utilizable for at least one additional authentication.
    Type: Application
    Filed: October 29, 2007
    Publication date: April 30, 2009
    Inventors: John G. Brainard, Ari Juels, Ronald L. Rivest, Michael Szydlo
  • Publication number: 20090113531
    Abstract: There is provided a system and method for managing connections between computers and a server pool. An exemplary system comprises a file configured to store a list of a plurality of servers in the server pool. The exemplary system further comprises a session distributor configured to distribute communication sessions among the plurality of servers by directing multiple requests for a common communication session to a specific one of the plurality of servers based on the list. The exemplary method includes selecting a server from a list of a plurality of servers stored in a file, selecting a port number, generating login information, and linking the server, port number, and login information such that multiple requests for a common communication session are directed to the server.
    Type: Application
    Filed: October 31, 2007
    Publication date: April 30, 2009
    Inventors: Mark Emmerich, Christophe Le Rouzo, Kent Parker
  • Publication number: 20090113518
    Abstract: Dependents of benefit plan participants can be given access to personal information of a plan participant. The dependents, who are not existing users or members of the plan, can be allowed access to some or all of the personal information associated with the plan participant.
    Type: Application
    Filed: November 7, 2008
    Publication date: April 30, 2009
    Applicant: FMR LLC
    Inventors: Joseph E. Hafeman, Louis Iannucci, Mark Melfi, Carl Shippee, Rajandra Laxman Kulkarni
  • Publication number: 20090113523
    Abstract: In various embodiments, techniques for flexible resource authentication are provided. A principal attempts to login to a target resource using first credentials. The target resource does not recognize the first credentials and in response thereto forwards the first credentials to an identity service. The identity service authenticates the principal via the first credentials and supplies second credentials to the target resource. The target resource recognizes and authenticates the second credentials and grants access to the principal.
    Type: Application
    Filed: October 26, 2007
    Publication date: April 30, 2009
    Inventors: Srinivas Vedula, Larry Hal Henderson, Stephen Kent Winn
  • Patent number: 7526657
    Abstract: An information processing apparatus and method prevent the use of content by any unauthorized third parties and enable content to be used on any desired information processing apparatuses. An approval server receives data for identifying a content management program from a personal computer, generates a group key which is shared in a group, stores the data and the group key as related with each other, and transmits the group key to the personal computer.
    Type: Grant
    Filed: November 30, 2001
    Date of Patent: April 28, 2009
    Assignee: Sony Corporation
    Inventors: Takanori Saneto, Itaru Kawakami, Yoshimichi Kitaya
  • Patent number: 7526792
    Abstract: Methods and apparatuses for integration of authentication and policy compliance enforcement. An enforcement agent may reside on a device. If an access assignment is provided to the device in conjunction with authentication, authorization to use the access granted may be restricted by the enforcement agent. In one embodiment a reduced-access assignment is made by an authenticator.
    Type: Grant
    Filed: June 9, 2004
    Date of Patent: April 28, 2009
    Assignee: Intel Corporation
    Inventor: Alan D. Ross
  • Publication number: 20090104888
    Abstract: A mobile wallet and network system using onetime passwords for authentication is disclosed according to one embodiment of the invention. A onetime password may be generated at a mobile wallet server and transmitted to the mobile device. The onetime password may then be used to authenticate the user of the mobile wallet when completing a transaction. Authentication may require entry of the onetime password and confirmation that the onetime password entered matches the onetime password sent by the mobile wallet server. In other embodiments of the invention, a mobile wallet and a mobile wallet server are in sync and each generate the same onetime password at the same time. These onetime passwords may then be used to authenticate the user of the mobile wallet.
    Type: Application
    Filed: October 17, 2007
    Publication date: April 23, 2009
    Applicant: First Data Corporation
    Inventor: Christopher T. Cox
  • Publication number: 20090106559
    Abstract: The present invention relates to a method of identifying a user, the method being implemented by means of a database containing personal data of users and containing for each user at least one unmodified biometric characteristic (E1,i), at least one biometric characteristic (E2,i) that has been modified and that is accessible from the unmodified biometric characteristic, and at least one item of identification data (D) that is accessible from a code identifying the modification that has been implemented on the second biometric characteristic. The method comprises the steps of comparing first and second biometric characteristics (e1,i) read from the user with the characteristics in the database in order to determine (5) what modification has been implemented and to deduce therefrom the code identifying the modification; and extracting (6) the identification data by means of the code as deduced in this way. The invention also provides a database for implementing the method.
    Type: Application
    Filed: November 2, 2005
    Publication date: April 23, 2009
    Applicant: Sagem Defense Securite
    Inventors: Herve Chabanne, Francois Rieul, Bernard Didier
  • Patent number: 7519184
    Abstract: A small-scale wireless communication system offering an advanced security level. An encryption key memory of an access point stores an encryption key list of a plurality of different encryption keys. A change information transmitter periodically transmits change information to a terminal by radio, the change information requesting the change of encryption key. An encryption key selector selects an encryption key from the encryption key list under a rule when the change information transmitter transmits the change information. A terminal-side encryption key memory of the terminal stores a terminal-side encryption key list which is the same as the encryption key list. A change information receiver receives the change information from the access point. Upon reception of the change information, a terminal-side encryption key selector selects an encryption key from the terminal-side encryption key list under a rule which is the same as the rule which the encryption key selector used to select the encryption key.
    Type: Grant
    Filed: September 28, 2004
    Date of Patent: April 14, 2009
    Assignee: Fujitsu Limited
    Inventors: Naoshi Kayashima, Yuuji Nagano, Yuji Nomura
  • Patent number: 7519183
    Abstract: In a communication system, a first wireless communication apparatus belonging to a communication group receives a connection request frame including a notifying security level from a second communication apparatus outside of the communication group. The first communication apparatus stores a reference security level peculiar to the communication group, which is selected from security levels depending on one of encryption methods including non-encryption and encryption strengths. In the first communication apparatus, the notifying security level is compared with the reference level, and a response frame, in which one of a connect rejection and a connection permission is described, is generated and transferred to the second communication apparatus. The connect rejection represents a rejection of connection to the second communication apparatus and the connection permission represents a permission of connection to the second communication apparatus.
    Type: Grant
    Filed: August 10, 2007
    Date of Patent: April 14, 2009
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Tomoko Adachi, Kiyoshi Toshimitsu
  • Patent number: 7519827
    Abstract: Automated test equipment (ATE) is provided with a plurality of hardware components, at least two of which provide a common test feature. The ATE is also provided with program code to access a number of security tokens, each token of which grants rights to use one or more test features without specifying a particular hardware component on which the test features are to be enabled. If a number of security tokens granting rights to use the common test feature are available, the program code enables the common test feature on user-selected ones of the hardware components that provide the common test feature, as permitted by the number of security tokens. Methods for provisioning and using the security tokens to enable the ATE are also disclosed.
    Type: Grant
    Filed: April 6, 2004
    Date of Patent: April 14, 2009
    Assignee: Verigy (Singapore) Pte. Ltd.
    Inventors: Roy E. Anderson, Horst Perner, Eric Furmanek