Management Patents (Class 726/6)
-
Patent number: 7519993
Abstract: The present invention is an information processing terminal capable of preventing leakage of identification information while adopting a general-purpose OS to provide development environment for a free application software and using a common keyboard for entry of identification number information and entry of other information. The information processing terminal is so constituted that a management mechanism comprises an execution management unit for operating a first and second information processing mechanisms, when a trigger detecting unit detects a trigger operation, so as to restrict execution of a first application and start a second application.
Type: Grant
Filed: July 20, 2004
Date of Patent: April 14, 2009
Assignees: Fujitsu Limited, Fujitsu Frontech Limited
Inventors: Susumu Hasegawa, Yoshinori Ito
-
Publication number: 20090094687
Abstract: This document discusses, among other things, a system and method for detecting an initiation of a transaction and generating a string of characters based on the detection. A first portion of the string of characters may be presented in such a way as to be distinguished from a second portion of the string of characters. In various example embodiments, the transaction is validated based on an identification of the first portion of the string of characters.
Type: Application
Filed: October 3, 2007
Publication date: April 9, 2009
Applicant: eBay Inc.
Inventors: Grahame Andrew Jastrebski, Dhanurjay A.S. Patil
-
Patent number: 7515710
Abstract: Federated systems for issuing playback certifications granting access to technically protected content are described. One embodiment of the system includes a registration server connected to a network, a content server connected to the network and to a trusted system, a first device including a non-volatile memory that is connected to the network and a second device including a non-volatile memory that is connected to the network. In addition, the registration server is configured to provide the first device with a first set of activation information in a first format, the first device is configured to store the first set of activation information in non-volatile memory, the registration server is configured to provide the second device with a second set of activation information in a second format, and the second device is configured to store the second set of activation information in non-volatile memory.
Type: Grant
Filed: March 14, 2007
Date of Patent: April 7, 2009
Assignee: DIVX, Inc.
Inventors: Eric W. Grab, Chris Russell, Francis Chan, Mike Kiefer
-
Patent number: 7516482
Abstract: A method and data structure are provided that enables name resolution via a hierarchical or chained lookup of delegated authorities independent of requiring IP addresses of the delegated authorities. In an embodiment, the method provides for lookups by first generating cryptographic keys associated with a namespace. An authority is created using one of the cryptographic keys. Next, the method provides for enabling namespaces to refer to the authority via requesting authorities associated with the namespaces to issue a peer-to-peer type resolution so that names of the namespaces resolve to the authority. For other desired namespaces, the method provides for issuing a resolution that names the authority and names associated with the other namespaces to resolve to the other authorities. For services, the authority and a service name are published to receive an end result such as arbitrary data, an IP address, a protocol name or a port.
Type: Grant
Filed: July 21, 2003
Date of Patent: April 7, 2009
Assignee: Microsoft Corporation
Inventor: Graham A. Wheeler
-
Publication number: 20090089864
Abstract: A remote management method permits the management of a license on a network element in a telecommunications network. One or more features on the network element are enabled for a predetermined time according to a license provided to the network element. Management data is sent to and received from the network element on a first management data connection. User traffic utilizing the one or more features is sent to and received from the network element on a second user data connection. The second user data connection is distinguishable from and controllable independently of the first management data connection. If the license expires, then the second user data connection is blocked, and license management data is downloaded to the network element over the first management data connection while the second user data connection is blocked. The license on the network element is renewed using the license management data downloaded over the first management data connection.
Type: Application
Filed: September 28, 2007
Publication date: April 2, 2009
Inventors: Sebastian Tyrrell, Juan Solana De Quesada
-
Publication number: 20090089867
Abstract: A system and method for providing secure access to a computer system. An access device divides the password into multiple segments and places them in data packets. In one embodiment, an authentication server has multiple addresses, and each packet is sent to a different address. The server then reassembles the password. In another embodiment, when the server receives a password, the server sends an index value back to the access device, which then accesses the server on another address indicated by the index value. Alternatively, the password is sent to multiple addresses for the server, and the server determines whether any of the received packets have been altered. The multiple password packets may be forced to follow different paths to the server, thereby denying hackers the ability to intercept all of the password characters or determine the inter-packet timing factor. The system is effective against passive and active hackers, Trojans, and phishing techniques.
Type: Application
Filed: December 2, 2008
Publication date: April 2, 2009
Inventors: Sidney L. Weatherford, Steven W. Smith, James B. Pritchard
-
Publication number: 20090089865
Abstract: A method and apparatus for managing network profiles and/or access to a network. Network profiles stored in a computer may be deleted and/or a connection to a wireless network may be disabled when a corresponding access period for the network has been exhausted. The access period may define an amount of time, a number of connections, a number of bits or packets of information, or other measure of connectivity to a network and/or maintenance of profile information related to the network that may be limited in some fashion.
Type: Application
Filed: October 2, 2007
Publication date: April 2, 2009
Applicant: Microsoft Corporation
Inventors: Andrew Baron, Taroon Mandhana, Amir Zohrenejad
-
Publication number: 20090089866
Abstract: An access authorization system is provided, which can reduce the user wait time until the provision of a user-requested service. The access authorization system of the present invention specifies the next service to be provided to a UT (a client-side communication device) after the service currently being provided to the UT, and then executes process to make an authorization decision in advance regarding the next service with respect to the user of the UT, before the UT requests the next service.
Type: Application
Filed: September 26, 2008
Publication date: April 2, 2009
Inventors: Akifumi Yato, Tadashi Kaji, Dan Yamamoto, Shinichi Irube, Naoki Hayashi
-
Patent number: 7512971
Abstract: Method and systems configured for allowing a non-local remote user to access a computer system with a particular authorization level. Such access is facilitated by examining non-local directory services group memberships of the user and performing a mapping of the user's identity to a corresponding universal local user account that has the proper authorization level or levels. Such methods and systems allow any number of non-local remote users access to the computer system in such a way that the remote user assumes the identity of (i.e., is mapped to) a corresponding universal local user account of an appropriate privilege level. All non-local remote users that the computer system determines to be of the same privilege level will share the identity of the same universal local user account.
Type: Grant
Filed: January 29, 2004
Date of Patent: March 31, 2009
Assignee: Newisys, Inc.
Inventor: Jeremy Mark Ellington
-
Publication number: 20090083840
Abstract: In some aspects of the invention, a method for determining access to data stored within one or more databases is described. The method includes the aspects of receiving a user request from a user at an inference engine for access to the data, wherein the inference engine is in communication with a rules database, including one or more rules governing access rights to the data. Moreover, the method includes the aspects of creating a user credential based on the application of one or more of the rules to identity information related to the user. Further, the method includes the aspects of comparing the created user credential and the user request at the one or more databases to determine whether the user meets the access rights for retrieving the data. Furthermore, the method includes aspects of determining an answer as to whether the access of the data is permitted or denied.
Type: Application
Filed: September 9, 2008
Publication date: March 26, 2009
Applicant: Vertigo Netcare AS
Inventors: Robert JENSEN, Anders Lehmann
-
Patent number: 7509677
Abstract: Patterns can be discovered in security events collected by a network security system. In one embodiment, the present invention includes collecting and storing security events from a variety of monitor devices. In one embodiment, a subset of the stored security events is provided to a manager as an event stream. In one embodiment, the present invention further includes the manager discovering one or more previously unknown event patterns in the event stream.
Type: Grant
Filed: May 4, 2004
Date of Patent: March 24, 2009
Assignee: ArcSight, Inc.
Inventors: Kumar Saurabh, Kenny Tidwell
-
Patent number: 7509671
Abstract: The methods and systems of the invention provide for processing of jobs, that comprise one or more reports to be processed in a reporting system, by assigning a priority to a job. The priority may include a queue or a queue set priority, as well as a sub-queue priority in accordance with some embodiments of the methods and systems of the invention. Once the priority is assigned, the job is placed into a selected queue, selected from a plurality of possible queues, based on the queue priority assigned to the job. The job may also be designated to a particular sub-queue within the selected queue, i.e., based on the sub-queue priority. Then, the job is processed based on the priority.
Type: Grant
Filed: June 20, 2001
Date of Patent: March 24, 2009
Assignee: Microstrategy Incorporated
Inventors: Jeffrey A. Bedell, Benjamin Z. Li, Luis V. Orozco, Ramprasad Polana
-
Publication number: 20090077641
Abstract: A collaborative engine electronically processes a request for a result using inference logic. If insufficient goals are provided to resolve the request, a partial result is generated as a function of one or more unresolvable goals. The request for a result may be processed with two or more collaborative engines using workspace chaining, to process information from/to multiple domains or systems which have security restrictions preventing full flow of information between them. Inputs available to the workspace of one collaborative engine are resolved as far as possible and a partial result based on that processing is generated and transmitted for further processing in the workspace of another collaborative engine. The invention may be used for determining a routing path for data or telephonic communication to/from a user of a communication network, or for processing of a management action for a component of an electronic data network, or a commercial transaction.
Type: Application
Filed: October 24, 2005
Publication date: March 19, 2009
Inventor: Nicholas Mark Trevallyn-Jones
-
Publication number: 20090077642
Abstract: The present invention relates to a method of embodying a cooperation system between SEND and IPSec in an IPv6 environment. The cooperation system between SEND and IPSec in accordance with the present invention includes: receiving an authentication completion report message including a first IP address of a host whose authentication is completed by the SEND; generating new authentication information corresponding to the host and storing the new authentication information in a temporary storage area, if authentication information for the host is not present in the temporary storage area, wherein the authentication information includes the first IP address; and if an authentication check request message including a second IP address is received from the IPSec, checking whether the second IP address is present in the temporary storage area, and sending the result of checking to the IPSec.
Type: Application
Filed: February 29, 2008
Publication date: March 19, 2009
Applicant: SUNGKYUNKWAN UNIVERSITY FOUNDATION FOR CORPORATE COLLABORATION
Inventors: Young-Ik EOM, Kwang-Sun Ko, Hyun-Su Jang, Hyun-jin Cho, Yong-Woo Jung, Hyun-Woo Choi, Gye-Hyeon Gyeong, Jung-Hwan Choi, Zhen Zhao, Tae-Hyoung Kim, Youn-Woo Kim
-
Publication number: 20090077643
Abstract: A mobile trusted platform (MTP) configured to provide virtual subscriber identity module (vSIM) services is disclosed. In one embodiment, the MTP includes: a device manufacturer-trusted subsystem (TSS-DM) configured to store and provide credentials related to a manufacturer of the MTP; a mobile network operator-trusted subsystem (MNO-TSS) configured to store and provide credentials related to a mobile network operator (MNO); and a device user/owner-trusted subsystem (TSS-DO/TSS-U) configured to store and provide credentials related to user of the MTP. The TSS-MNO includes a vSIM core services unit, configured to store, provide and process credential information relating to the MNO. The TSS-DO/TSS-U includes a vSIM management unit, configured to store, provide and process credential information relating to the user/owner of the MTP. The TSS-DO/TSS-U and the TSS-MNO communicate through a trusted vSIM service.
Type: Application
Filed: July 7, 2008
Publication date: March 19, 2009
Applicant: INTERDIGITAL PATENT HOLDINGS, INC.
Inventors: Andreas U. Schmidt, Nicolai Kuntze, Michael Kasper
-
Patent number: 7506162
Abstract: In accordance with one embodiment of the present invention, there is provided a mechanism for implementing navigation seamlessly between sites in a computing environment in order to access resources without having to require users or user agents to re-authenticate. In one embodiment, there is provided the ability to determine different attribute sets for use with different resources on a target site for a user or user agent authenticated with a first site seeking to access one or more resources of the second site without re-authenticating. In one embodiment, there is provided the ability to map accounts on a first site to accounts on the second site using a set of attributes selected from among attributes provided by an application on the first site. With this mechanism, it is possible for applications or other resources to share information about a user or a user agent across disparate web sites seamlessly.
Type: Grant
Filed: April 27, 2004
Date of Patent: March 17, 2009
Assignee: Sun Microsystems, Inc.
Inventors: Heng-Ming Hsu, Qingwen Cheng, Ping Luo, Bhavna Bhatnagar
-
Patent number: 7503060
Abstract: A safety verification device of a reactive system, in which a set of axioms consists only of a commutative law and an associative law, comprises a translation unit (8) which generates, under said set of axioms, a first equational tree automaton which accepts a set of terms; a simulation unit (9) which generates, under a set of rewriting rules and said set of axioms and using said first equational tree automaton as initial data, a second equational tree automaton which accepts said set of terms and a set of terms derived from said set of terms; and a set operation unit (10) which generates a fourth equational tree automaton by associating said second equational tree automaton with a third equational tree automaton which accepts a set of terms to be verified, and determines whether or not a set accepted by the fourth equational tree automaton is an empty set.
Type: Grant
Filed: July 18, 2003
Date of Patent: March 10, 2009
Assignee: National Institute of Advanced Industrial Science and Technology
Inventors: Hitoshi Ohsaki, Toshinori Takai
-
Patent number: 7503063
Abstract: An access control mechanism that implements access control at a container level is disclosed. In one implementation, the access control mechanism provides one or more access control services, and registers these services with a container. Once registered, the access control services are exposed to other applications in the container, and those applications can invoke the services to have the access control mechanism implement access control on their behalf. The access control mechanism implements access control for all applications within the container; thus, the applications do not need to implement their own access control mechanisms. In addition, the access control mechanism is not an operating system component. Thus, by relying on the access control mechanism for access control functionality, the applications are not relying on any operating system component. As a result, the applications, the container, and the access control mechanism can be ported to and run on other operating systems/platforms.
Type: Grant
Filed: March 30, 2005
Date of Patent: March 10, 2009
Assignee: Sun Microsystems, Inc.
Inventors: Anshuman Mishra, Kumar Subramanya, Brandon E. Taylor
-
Patent number: 7503062
Abstract: Methods for enabling database privileges are provided. The methods eliminate strict dependency on traditional password, or “secret” based security systems. Instead, database privileges are enabled based on verifying information stored in one or more frames of a call stack corresponds to trusted security logic. In another embodiment, database privileges are enabled based on policies identified in the trusted security logic. The methods and techniques described herein provide flexible and extensible mechanisms for verifying that trusted security logic has been executed prior to enabling database privileges.
Type: Grant
Filed: June 20, 2003
Date of Patent: March 10, 2009
Assignee: Oracle International Corporation
Inventors: Daniel M. Wong, Chon H. Lei
-
Publication number: 20090064294
Abstract: Structures and methods are disclosed for selectively capturing (“peeling”) and replicating (“cloning”) OTP tokens from one device to another while maintaining OTP state. Embodiments described herein provide for sending, from a first device to a second device, state information including for example, a key, a current OTP sequence value and a time to expiry value corresponding to selected tokens to be cloned. The second device thereafter uses the state information to generate OTP sequences corresponding to the selected tokens in time-synchronization with corresponding authentication entities. Additionally, embodiments described herein provide for restoring the OTP sequence corresponding to the selected tokens on the first device following a loss of synchronization of the selected tokens on the first device.
Type: Application
Filed: August 28, 2007
Publication date: March 5, 2009
Inventors: Debra L. Cook, Vijay K. Gurbani, Thomas B. Reddington
-
Publication number: 20090063689
Abstract: A method for execution by at least one entity in the service provider network. The method comprises receiving an access request from a communication device; determining a logical identifier intended for use by the communication device during an eventual communication session; and identifying, based on the logical identifier, an object linked to a physical location of the communication device. Finally, in one aspect, the method comprises obtaining account credentials for a customer known to be associated with the object, whereas in another aspect, the method comprises establishing a data session between the communication device and a network entity associated with the object without necessarily obtaining any account credentials.
Type: Application
Filed: September 4, 2008
Publication date: March 5, 2009
Inventors: Jean-Paul CAMILLE, Noel Tai-Tung Tin, Frank Siu Hong Chan
-
Publication number: 20090064295
Abstract: A method includes storing a security credential associated with a communication network on a portable storage device. The method also includes detecting removal of the portable storage device from a specified location. The method further includes allowing at least one communication device to communicate over the communication network using the security credential. In addition, the method includes revoking the security credential after a specified time period has elapsed. The portable storage device could represent a card, and the specified location could represent a card reader/writer. Also, the communication network could represent a wireless network, and the security credential could represent a cryptographic key.
Type: Application
Filed: January 25, 2008
Publication date: March 5, 2009
Applicant: Honeywell International Inc.
Inventors: Ramakrishna S. Budampati, Denis Foo Kune, Soumitri N. Kolavennu
-
Publication number: 20090064298
Abstract: A system and program for a proxy server that forwards an access request from a client to a data server and forwards response data from the data server to the client. The proxy server includes a means for storing a first address location and an encoding format of the response data. The proxy server also includes a means for receiving a subsequent access request from the client, which includes a second address location encoded by the encoding format. A means is present in the proxy server for comparing the second address location to the first address location to determine if the second address location is related to the first address location. The proxy server also includes a means for decoding the second address location based on the encoding format in response to a determination that the second address location is related to the first address location.
Type: Application
Filed: August 29, 2008
Publication date: March 5, 2009
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Hidenobu Yamamoto, Yukio Ogawa, Tokuhiro Wada, Hirofumi Yoshino, Michiko Saitoh
-
Publication number: 20090064296
Abstract: A first information-communication device generates first biometric pattern used for comparison based on user biometric information retrieved by a biometric sensor, and sends the generated first biometric pattern to a second biometric information-communication device. The second information-communication device compares the first biometric pattern sent from the first information-communication device with second biometric pattern, which is user biometric pattern stored in memory, and sends the second biometric pattern to the first information-communication device when the compared biometric pattern matches. The first information-communication device then stores the second biometric pattern sent from the second information-communication device.
Type: Application
Filed: August 8, 2008
Publication date: March 5, 2009
Inventors: Makoto AIKAWA, Shinichiro Fukushima, Hiroyuki Higaki
-
Publication number: 20090064293
Abstract: Machine-readable media, methods, apparatus and system for a community-based trust are provided. In an embodiment, it may be determined whether a requesting node obtains a trust from a targeting node through an endorsement from an intermediate node. If the requesting node obtains the trust through the endorsement from the intermediate node, an intermediate trust level that indicates how much the targeting node trusts the intermediate node may be obtained; and a new trust level that indicates how much the targeting node trusts the requesting node may be calculated based upon the intermediate trust level.
Type: Application
Filed: September 5, 2007
Publication date: March 5, 2009
Inventors: Hong Li, Rita H. Wouhaybi
-
Publication number: 20090064297
Abstract: Methods, apparatus, and systems are provided to secure access to an account of a user. The account may have a system administrator. The user may have a credential for accessing the secure data on the account. The methods, apparatus, and systems involve setting a universal reset credential associated with the account, denying the system administrator of the account permission to change the first credential of the access feature, and permitting the system administrator to reset the access feature from the first credential to the universal reset credential.
Type: Application
Filed: August 29, 2008
Publication date: March 5, 2009
Inventors: Thomas D. Selgas, Jonathan Cutrer
-
Publication number: 20090055909
Abstract: A data transmission method with multiple token mechanism in wireless token ring protocol is provided. First, (a) a logical ring with M nodes is provided; (b) a k-th node is selected from the logical ring, and a token in the k-th node is generated; (c) a first message is sent to a (k+1)-th node from the k-th node with the token, and whether the (k+1)-th node responds a second message is judged, if yes, the data to be transmitted is transmitted from the k-th node, otherwise, the token of the k-th node is eliminated; (d) the token is sent to the (k+1)-th node from the k-th node after completing the transmission of the transmitted data of the k-th node, a generation token sequence is generated in a i-th node, and sent to a (i-1)-th node; and (e) the token is generated for the (i-1)-th node with the generation token sequence.
Type: Application
Filed: January 7, 2008
Publication date: February 26, 2009
Applicant: National Taiwan University of Science and Technology
Inventors: Ray-Guang Cheng, Ruei-I Chang
-
Publication number: 20090055907
Abstract: Identity-independent authentication tokens enable issuance of a single strong credential that can be mapped to an individual at each of multiple accounts within the online world. An issuer generates one or more authentication tokens for issuance to individuals or other entities. In some instances, each of these authentication tokens comprises a unique serial number. The individual or other entity may then request an authentication token from the issuer. The issuer may then issue the token to the individual without the need to ask or require the individual to identify his or herself. The individual may then map this issued authentication token to the individual's password at each of the individual's online accounts.
Type: Application
Filed: August 20, 2007
Publication date: February 26, 2009
Applicant: Goldman, Sachs & Co
Inventor: Richard Van Horn
-
Publication number: 20090055908
Abstract: Multiple network domains may be grouped together. One network domain may represent a primary domain, while one or more additional network domains may represent secondary domains. User cookies associated with users may be stored in the primary domain. When a user attempts to access the primary domain, the primary domain may retrieve and use the user cookie to log the user into the primary domain. When a user attempts to access a secondary domain, the secondary sends a request to the primary domain. The primary domain sends the user cookie or related information (such as a token) to the secondary domain, which uses the user cookie or related information to log the user into the secondary domain. In addition, an active session between the user and one of the network domains can be transferred to another network domain.
Type: Application
Filed: August 21, 2007
Publication date: February 26, 2009
Applicant: NARAE Enterprises, Inc.
Inventor: Neal D. Rapoport
-
Publication number: 20090055910
Abstract: This document discusses, among other things, a system and methods for weak authentication data reinforcement. In an example embodiment, authentication data is received in a request to authenticate a user. In response to authentication being detected to be weak authentication data, it may be determined whether the request to authenticate is associated with a human user. An example embodiment may include initiating an authentication process based on determining that the request to authenticate is associated with the human user.
Type: Application
Filed: April 15, 2008
Publication date: February 26, 2009
Inventor: Mark C. Lee
-
Publication number: 20090055911
Abstract: Methods, devices, and systems are provided for optimizing the dissemination of information in various types of systems such as an access control system. More specifically, there are provided various mechanisms to increase the efficiency with which system updates and other types of information are spread throughout an access control system having at least one non-networked reader.
Type: Application
Filed: July 8, 2008
Publication date: February 26, 2009
Applicant: ASSA ABLOY AB
Inventors: Tam Hulusi, Robert Wamsley
-
Publication number: 20090055912
Abstract: A method for authenticating a user by IP address check includes: receiving a URL and a session cookie from a client; determining whether or not an IP address of the client has been changed based on the session cookie; resetting the session cookie, if the IP address has been changed, by adding the changed IP address as a temporary IP address thereto; determining whether or not the URL is required to perform IP address check; requesting a re-login to the client if it is determined that the URL is required to perform IP address check; and adding the temporary IP address to a valid IP address list for the user if the re-login is successful.
Type: Application
Filed: August 20, 2008
Publication date: February 26, 2009
Applicant: NHN CORPORATION
Inventors: Inhyuk CHOI, Youngsik JUNG, Minchol SONG, Jongwon PAEK, Haneul LEE, Jungyun SON, Hyoungjun LEE, Sungho LEE, Sanghun JEON
-
Patent number: 7496764
Abstract: Example embodiments relate to a method of transmitting encrypted data between a local server connected to one or several local peripherals. The local server may include a security device in charge of acquiring a first right of use of the data. The method may include transmitting the encrypted data from the local server towards a peripheral, extracting from the first right a second right corresponding to the part necessary for the decryption of the data in the peripherals, encrypting by the security module the second right by a pairing key specific to the couple formed by the security module of the local server and the security module of the peripheral, transmitting the encrypted second right to the local peripheral, decrypting with the help of the pairing key the second right by the security device of the peripheral, and decrypting by the peripheral the data encrypted by the second right.
Type: Grant
Filed: September 4, 2002
Date of Patent: February 24, 2009
Assignee: Nagravision S.A.
Inventor: Arnaud Robert
-
Patent number: 7496768
Abstract: Techniques are disclosed to provide security for user output and input in which a first, host operating system is used along with a second, high assurance operating system (nexus), where the first system provides at least some of the infrastructure for the second system. A trusted UI engine has a trusted input manager and a trusted output manager. The trusted input manager controls access to trusted input, distributing decrypted input to the host operating system where appropriate, or to the appropriate process running in the nexus. The trusted output manager manages output to the display, and allows trusted agents in the nexus to output data for display without needing to be aware of output-device-dependent details.
Type: Grant
Filed: October 24, 2003
Date of Patent: February 24, 2009
Assignee: Microsoft Corporation
Inventors: Paul C. Roberts, Christine M. Chew, Bryan Willman, Kenneth D. Ray
-
Patent number: 7496752
Abstract: A client terminal reads a device ID fixedly assigned to itself, and sends the device ID to an authentication server to make a request for authentication. The authentication server authenticates the device ID accepted from the client terminal. When succeeding in the authentication, the authentication server issues and sends a ticket to the client terminal. The client terminal receives the ticket, and then sends the ticket to a locator server to make a request for registration of an IP address. The locator server verifies the correctness of the accepted ticket. When the correctness is confirmed, the locator server registers an ID and the IP address of the client terminal in a manner that they are associated with each other, and replies the completion of the registration.
Type: Grant
Filed: April 16, 2004
Date of Patent: February 24, 2009
Assignee: Sony Computer Entertainment Inc.
Inventors: Keisuke Yamaguchi, Kenjiro Komaki, Masaru Masuda, Muneki Shimada, Kanee Kazuhiro, Yousuke Kimoto, Shingo Kannari
-
Patent number: 7496950
Abstract: A computer network management system with an embedded processor, an analog communication means and a digital interface for network management provides a system for remotely and securely managing a network. Backup power in the form of an uninterrupted power supply, or other power means as appropriate, allows the modem to provide power outage notification to a remote site. The system further provides authentication and authorization capabilities for security purposes.
Type: Grant
Filed: June 13, 2003
Date of Patent: February 24, 2009
Assignee: Engedi Technologies, Inc.
Inventor: Jeffrey Alan Carley
-
Publication number: 20090049514
Abstract: An autonomic trust management system, device or method performs trust management in an autonomic processing manner with regard to evidence collection, trust evaluation, and trust (re-)establishment and control. An autonomic trust management mechanism is embedded into a digital system, such as a device or a distributed system, for supporting trustworthy relationships among system entities. The trust management mechanism provides an autonomic adaptation of trust control modes, which include control mechanisms or operations, in order to ensure the dynamic changed trust relationships based on the feedback from a trust assessment and the adaptive trust (re-)establishment or control loops.
Type: Application
Filed: August 15, 2007
Publication date: February 19, 2009
Inventors: Zheng Yan, Christian Prehofer
-
Publication number: 20090044006
Abstract: The present invention generally relates to a system for blocking spam mail and a method of the same, and the system in accordance with the present invention, comprising: a Mail transceiver receiving the e-mail, temporarily storing the e-mail in a temporary storage for a set time after authentication mail is transmitted, and deleting the e-mail if a sender's response is not received within the set time, then transmitting the temporarily stored e-mail to mail accounts of recipients of a mail server if the sender's response is received within the set time; an authenticator list classifying and storing, according to each recipient, an e-mail address of the sender authenticated through the authentication mail and an e-mail address of a random sender registered by the recipients of the e-mail to receive the e-mail without authentication; and an authentication processor retrieving whether the e-mail address of the sender is included in the authenticator list, sending the authentication mail to the e-mail address of
Type: Application
Filed: May 30, 2006
Publication date: February 12, 2009
Inventors: Dongho Shim, Yunchan Kim
-
Patent number: 7490349
Abstract: A system and method for using hierarchical policy levels. In one embodiment, computers of the network are arranged into a hierarchy. A management policy server with access to the network queries the network to identify computers at or below its own level within the hierarchy. Computers under the control of the management policy server are identified, and management programs, updates or policies are automatically distributed to the computers, without manual intervention.
Type: Grant
Filed: April 1, 2005
Date of Patent: February 10, 2009
Assignee: International Business Machines Corporation
Inventors: Rhonda L. Childress, Alan James Keel, David Bruce Kumhyr, Neil Raymond Pennell
-
Publication number: 20090037991
Abstract: The invention features various techniques for managing transfers of information in public packet switched communications networks. In one aspect, the invention provides a system for identifying updated items of network-based information, such as pages, to users in a network. A master server receives the data from each of a plurality of network servers and merges them into one or more master logs. The logs have entries pertaining to creation of or changing of pages of information. Another aspect of the invention features a system for implementing security protocols. A proxy server translates links from a protocol incompatible with the network tool to a protocol compatible with the network tool and back-translates the link. Another aspect of the invention features a system for managing authenticating credentials of a user. A proxy server manages a user's authenticating credentials automatically on behalf of the user.
Type: Application
Filed: September 29, 2008
Publication date: February 5, 2009
Inventors: John R. Ellis, David K. Gifford, G. Winfield Treese
-
Publication number: 20090037990
Abstract: A method and apparatus for distributed authorization by anonymous flexible credential are provided. A pseudonym authority issues a root pseudonym to a user. The user may generate a large number of derived pseudonyms from the root pseudonym. The user may obtain resource credentials from resource protectors by using derived pseudonyms. The user may select a set of resource credentials, generate a flexible credential from this set of resource credentials and request access to the resource corresponding to the set of resource credentials from a resource protector by using the flexible credential and a derived pseudonym. A revocation list for each resource may be maintained in the system such that any one of the resource credentials of any user may be revoked without affecting other resource credentials of that user.
Type: Application
Filed: June 26, 2008
Publication date: February 5, 2009
Applicant: NEC (CHINA) CO., LTD
Inventor: Ke ZENG
-
Publication number: 20090037992
Abstract: An apparatus, system, and method for constructing, transmitting, and authenticating a password utilized by an authentication device to authenticate an access device. The authentication device receives the password from the access device, authenticates the access device if the password matches stored information, and returns an acknowledgment message that includes an index value associated with a stored character set. The access device constructs and transmits the password. The access device receives from a user, a plurality of predefined characters forming a User ID. The access device also receives the acknowledgment message and index value from the authentication device. The index value is used to identify a set of password modification factors from a plurality of sets stored in a lookup table. The access device utilizes the identified set to modify a password, and transmits the password to the authentication device.
Type: Application
Filed: September 30, 2008
Publication date: February 5, 2009
Inventor: Steven W. Smith
-
Publication number: 20090037988
Abstract: A method of mutual authentication with dynamic password includes: generating a dynamic password and a first validation code by using a password generator; entering the dynamic password into a user interface; and transmitting the dynamic password to a verification host to verify the correctness of the dynamic password, if the dynamic password is correct, returning a second validation code to the user interface for a user to confirm whether the first validation code and the second validation code are the same or not. A system of mutual authentication with dynamic password is also disclosed. The above-mentioned system and method of mutual authentication with dynamic password can reduce the risk of phishing attack.
Type: Application
Filed: September 6, 2007
Publication date: February 5, 2009
Inventors: Wen-Her Yang, Yung-Hsiang Liu, Miller Chang
-
Publication number: 20090037989
Abstract: The method of the invention allows presenting, in a friendly and intuitive form, to a user of a protected institution, access password codes arranged in the form of a table and to be individually and only once utilized for authenticating a user upon a respective operation to access said institution. The method proposed herein is particularly adequate for the representation of passwords in a mobile device, such as cell phone, PDA, and the like, utilizing a representation practically identical to the tables of printed passwords and already utilized by many users. There are additional advantages in relation to the use of printed tables, such as the possibility of highlighting a determined password, searching a determined index, protecting the tabular token application by password, and updating the passwords, and the like.
Type: Application
Filed: December 10, 2007
Publication date: February 5, 2009
Applicant: Scopus Tecnologia Ltda.
Inventors: Wilson Vicente Ruggiero, Ricardo Komatsu De Almeida, Leon Achjian, JR., Armin Werner Mittelsdorf
-
Patent number: 7487348
Abstract: A method and system is disclosed for authenticating jobs submitted to a computing grid. The method may comprise receiving a grid job for performing on the computing grid, authenticating the grid job for performing on the computing grid, marking the grid job as authentic for acceptance by grid computers of the computing grid, and distributing the grid job marked as authentic to the grid computers. Additionally, a method and system is disclosed for screening jobs on the computing grid. The method may comprise receiving a grid job from a grid customer, deriving a pilot task from the grid job, executing a pilot run of the pilot task on a subset of grid computers on the computing grid, checking for successful performance of the pilot task on the subset of grid computers, and submitting the grid job to grid computers for performance if the pilot run of pilot task is successful.
Type: Grant
Filed: April 25, 2003
Date of Patent: February 3, 2009
Assignee: Gateway Inc.
Inventor: James L. Kroening
-
Patent number: 7487350
Abstract: A tamperproof ClientID system to uniquely identify a client machine is invoked upon connection of a client application to a backend. Upon initial connection, the backend issues a unique ClientID containing a checksum. The client-application prepares at least two different scrambled versions of the ClientID and stores them in respective predetermined locations on the client machine. Upon subsequent connection to the backend, the client application retrieves and unscrambles the values at the two locations, verifies the checksums and compares the values. If the checksums are both correct and the values match, the ClientID value is sent to the backend, otherwise the client application sends an error code.
Type: Grant
Filed: October 23, 2003
Date of Patent: February 3, 2009
Assignee: Grand Virtual, Inc.
Inventor: Daniil Utin
-
Patent number: 7487541
Abstract: A method and system for tracing-back single packets based on storing only one record per flow, ‘FlowId’, observed by a router on a given interface and in a given time window ‘Time Period’. This record can be seen as a canonical representation for all packets seen during this window. A malicious packet may be traced back to its origin by identifying the port of arrival based on that packet time of arrival X and the FlowId.
Type: Grant
Filed: December 10, 2003
Date of Patent: February 3, 2009
Assignee: Alcatel Lucent
Inventor: Jean-Marc Robert
-
Patent number: 7487537
Abstract: Methods and apparatus for enabling a Pervasive Authentication Domain. A Pervasive Authentication Domain allows many registered Pervasive Devices to obtain authentication credentials from a single Personal Authentication Gateway and to use these credentials on behalf of users to enable additional capabilities for the devices. It provides an arrangement for a user to store credentials in one device (the Personal Authentication Gateway), and then make use of those credentials from many authorized Pervasive Devices without re-entering the credentials. It provides a convenient way for a user to share credentials among many devices, particularly when it is not convenient to enter credentials as in a smart wristwatch environment. It further provides an arrangement for disabling access to credentials to devices that appear to be far from the Personal Authentication Gateway as measured by metrics such as communications signal strengths.
Type: Grant
Filed: October 14, 2003
Date of Patent: February 3, 2009
Assignee: International Business Machines Corporation
Inventors: James R. Giles, Reiner Sailer
-
Publication number: 20090031404
Abstract: A virtual private network device enables individual machines at a remote subnet to be visible and addressable from a central site by establishing a private address range for the remote machines, forming a virtual private network tunnel from the virtual private network device to the central site, and communicating the private address range to the central site to enable connections from the central site to individual machines on the remote subnet.
Type: Application
Filed: September 15, 2008
Publication date: January 29, 2009
Applicant: CISCO TECHNOLOGY, INC.
Inventors: John Bazzinotti, Peter Davis, Victor Volpe, Rashmi Pitre, Keith Mader
-
Patent number: 7484238
Abstract: A management computer collects, from a storage subsystem via a management network, path definition information including the contents of a security setting made to a path accessible to a volume in the storage subsystem, and when the volume in the storage subsystem is an original volume having a replica volume, replica definition information of the original volume. Based on the replica configuration information thus collected from the storage subsystem, the replica relationship between the volumes is to be grasped. Then, based on the path definition information also collected from the storage subsystem, the contents of the path security setting are verified for the volumes under the same replica relationship, and the verification result is output. In such a structure, consistency verification can be easily done for the security setting of the original and replica volumes.
Type: Grant
Filed: June 17, 2004
Date of Patent: January 27, 2009
Assignee: Hitachi, Ltd.
Inventors: Masayuki Yamamoto, Yasuyuki Mimatsu, Yasunori Kaneda