Management Patents (Class 726/6)
  • Patent number: 7448068
    Abstract: The present invention is directed at providing a system and method for Automatic Client Authentication for a Wireless Network protected by PEAP, EAP-TLS, or other Extensible Authentication Protocols. The user doesn't have to understand the difference between the protocols in order to connect to the network. A default authentication protocol is automatically attempted. If not successful, then the authentication switches over to another authentication method if the network requests it.
    Type: Grant
    Filed: April 29, 2003
    Date of Patent: November 4, 2008
    Assignee: Microsoft Corporation
    Inventors: Ray Sun, Zeke Koch, Yu Zhang
  • Patent number: 7448066
    Abstract: Objects on application servers may be defined into classes which receive different levels of security protection, such as definition of user objects and administrative objects. Domain-wide security may be enforced on administrative objects, while user object security may be configured separately for each application server in a domain. In a CORBA architecture, IOR's for shared objects which are to be secured on a domain-wide basis, such as administrative objects, are provided with tagged components during IOR creation and exporting to a name server. Later, when the IOR is used by a client, the client invokes necessary security measures such as authentication, authorization and transport protection according to the tagged components.
    Type: Grant
    Filed: September 19, 2002
    Date of Patent: November 4, 2008
    Assignee: International Business Machines Corporation
    Inventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung, Carlton Keith Mason, Ajaykumar Karkala Reddy, Vishwanath Venkataramappa
  • Publication number: 20080271127
    Abstract: A computer readable storage medium includes executable instructions to retrieve a list of one or more widgets from a repository. A set of items representing the list of one or more widgets is displayed. A widget is selected from amongst the one or more widgets in the repository.
    Type: Application
    Filed: April 24, 2007
    Publication date: October 30, 2008
    Applicant: Business Objects, S.A.
    Inventors: Alexis-Jean Laurent NAIBO, Didier Marc Jean BOLF
  • Publication number: 20080271129
    Abstract: Techniques for identity techniques for single sign-on functionality for secure communications over insecure networks are provided. A principal achieves single sign-on access to a server via a client by initially authenticating to a third-party authentication service. Next, a credentialing service supplies a randomly generated credential to the client and the server unbeknownst to the principal. The principal is then equipped to engage in secure communications over an insecure network using the credential that is managed by services of the client to authenticate to services of the server in a fashion that the principal is unaware of.
    Type: Application
    Filed: October 12, 2007
    Publication date: October 30, 2008
    Inventor: Prakash Umasankar Mukkara
  • Patent number: 7444505
    Abstract: A system, method and apparatus for securing communications between a trusted network and an untrusted network are disclosed. A perimeter client is deployed within the trusted network and communicates over a session multiplexing enabled protocol with a perimeter server deployed within a demilitarized zone network. The perimeter client presents requests to make available and communication initiation requests to the perimeter server which presents corresponding sockets to the untrusted network. The session multiplexing capabilities of the protocol used between the perimeter server and perimeter client permit a single communication session therebetween to support a plurality of communication sessions between the perimeter server and untrusted network. In the event data flows across the communication sessions are encrypted, decryption of the data flows is left to the components at the end points of the communication session, thereby restricting exposure of privileged information to areas within trusted networks.
    Type: Grant
    Filed: April 22, 2004
    Date of Patent: October 28, 2008
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Bill Burcham, Sanjay Cherian, Darron Shaffer
  • Publication number: 20080263647
    Abstract: A secure framework for wireless sensor networks. The framework provides a system and method for providing network device authentication. The system and method comprises installing a unique device key in a network device and creating a chain of keys, wherein each subsequent key is encrypted using the previous key. The method executes an authentication process for storing and issuing keys, wherein the authentication process uses a unique device key to install a device site key in the network device and uses the device site key and the unique device key to authenticate the network device for communicating with a wireless network router, wherein the wireless network router creates a unique network-device-router key. The unique network-device-router key is used to authenticate the network device for communicating over the wireless network using an encrypted network session key and allows secure encrypted link-layer communications over the wireless network.
    Type: Application
    Filed: July 16, 2007
    Publication date: October 23, 2008
    Applicant: GENERAL ELECTRIC COMPANY
    Inventors: Bruce Gordon Barnett, Daniel White Sexton, Ping Liu
  • Publication number: 20080263643
    Abstract: Methods, systems, and program products for a client application provide child passwords mapped to a parent password authorized for login to a secure network resource server. A child user logs in to the client application by entering the child password. When a child user properly requests a secure resource from the secure network resource server, the client application uses the authorized parent password to login to the secure server and retrieve a secure resource without communicating the child password to the secure server. The child user login session is administered by the local application pursuant to access rules or limitation parameters associated with the child password. Child passwords may be set to expire. The client application may also monitor secure server access by a child user; monitored use may also be reported, and an access rule or password limitation parameter may be revised in response to monitoring and use reporting.
    Type: Application
    Filed: April 19, 2007
    Publication date: October 23, 2008
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Peeyush Jaiswal, Naveen Narayan
  • Publication number: 20080263352
    Abstract: A security protocol for use by computing devices communicating over an unsecured network is described. The security protocol makes use of secure data provided to a peripheral memory device from a server via a secure connection. When the peripheral memory device is coupled to a computing device that attempts to establish a secure connection to the server, the secure data is used to verify that the server is authentic. Similarly, the secure data assists the server in verifying that the request to access the server is not being made by a malicious third party.
    Type: Application
    Filed: April 1, 2008
    Publication date: October 23, 2008
    Applicant: Memory Experts International Inc.
    Inventors: Darren Krahn, Laurence Hamid
  • Publication number: 20080263646
    Abstract: Methods and systems for a computer network security system are disclosed. A computer security system includes at least one computer configured to be operably coupled to a remote network and having an application program comprising a login scripts database and a variable database. The security system further includes a client device configured to be operably coupled to the computer to allow for the use of the application program. The application program is configured to dynamically generate a password upon attempting to access a remote network. Furthermore, the application program may update passwords within a user's login scripts database. Additionally, a remote network may support the security system and may include at least one computer system having an administrator application program installed thereon and configured to receive a network device and an administrator device. A network administrator may use the network and administrator device to monitor and modify contents of the security system.
    Type: Application
    Filed: June 8, 2007
    Publication date: October 23, 2008
    Inventor: Edgar C. Jerez
  • Publication number: 20080263642
    Abstract: Methods and systems for a computer network security system are disclosed. A computer security system includes at least one computer configured to be operably coupled to a remote network and having an application program comprising a login scripts database and a variable database. The security system further includes a client device configured to be operably coupled to the computer to allow for the use of the application program. The application program is configured to dynamically generate a password upon attempting to access a remote network. Furthermore, the application program may update passwords within a user's login scripts database. Additionally, a remote network may support the security system and may include at least one computer system having an administrator application program installed thereon and configured to receive a network device and an administrator device. A network administrator may use the network and administrator device to monitor and modify contents of the security system.
    Type: Application
    Filed: April 18, 2007
    Publication date: October 23, 2008
    Inventor: Edgar C. Jerez
  • Publication number: 20080263645
    Abstract: A secure server installation is provided that abstracts credit card identifiers from its server, network, application and database environments, thus reducing investment in securing, segregating and/or isolating these environments in their entirety. The secure server installation intercepts credit card transactions sent from front end applications to back end applications, and forwards tokens in replacement of credit card identifiers for processing by the back end applications. The same secure server installation can be applied for the encryption, storage (data-at-rest), transmission of private data within a network of other private or sensitive data not limited to social insurance numbers, drivers license numbers, phone numbers, bank account numbers, etc.
    Type: Application
    Filed: April 23, 2007
    Publication date: October 23, 2008
    Applicant: TELUS COMMUNICATIONS COMPANY
    Inventors: Christopher K. Renter, Denis A. Niles
  • Publication number: 20080263644
    Abstract: Distributed computing systems can exchange authorization information in a manner which alleviates the need for a receiving system to utilize any external systems when making an authorization decision. The trusted authorization provider can digitally sign authorization snippets of information. The requestor sends the digitally signed authorization snippet with the request. Because both computing processes trust the same authorization provider, the servicer of the request is able to grant or deny access in a completely autonomous fashion without having to rely on external resources for authorization. A requesting process can determine the digitally signed authorization snippet corresponding with the request. The servicing process can rely on the digitally signed authorization snippet to perform the authorization.
    Type: Application
    Filed: April 23, 2007
    Publication date: October 23, 2008
    Inventor: Doron Grinstein
  • Publication number: 20080263628
    Abstract: The present disclosure is directed to a system and method for managing communications with robots. In some implementations, a computer network, where operators interface with the network to control movement of robots on a wireless computer network includes a network arena controller and a plurality of robot controllers. The network arena controller is configured to provide firewall policies to substantially secure communication between robot controllers and the associated robots. Each controller is included in a different robot and configured to wirelessly communicate with the network arena controller. Each robot controller executes firewall policies to substantially secure wireless communication.
    Type: Application
    Filed: April 21, 2008
    Publication date: October 23, 2008
    Applicant: Innovation First, Inc.
    Inventors: David Anthony Norman, Robert H. Mimlitch, Corey Lee Chitwood, Richard D. Torrance, Mark J. Lambert, Brandon Lee Martus, Lester E. Heath
  • Patent number: 7441263
    Abstract: A system, method and computer program product for providing unified authentication services in an Application Service Provider (ASP) setting to a registered end-user of one or more online (or web) applications. The system includes client side components, a user management component coupled to the client side components and server side components coupled to the user management component. The client side components include an authentication control component that manages the process of capturing a user-determined policy for a first account and user credentials. This allows the user to define the level of protection to access the first account. This includes, but is not limited to, accounts/applications that have been configured specifically for use with the system and particular user credentials and accounts that have been subsequently set up but configured to use the same user credentials.
    Type: Grant
    Filed: March 23, 2001
    Date of Patent: October 21, 2008
    Assignee: Citibank, N.A.
    Inventors: Bikram S Bakshi, David W Helms, Anthony C Rochon, Trevor J Walker
  • Publication number: 20080255877
    Abstract: Secure network transaction system obtains user-authorized genetic term or bioinformatic profile, and transacts online service according to genetically-based user medical or other risk determined therefrom. Insurance policy, promotional offer, or other service may dynamically address genetically-based condition. Bioinformatic data classifies user per personal mask which filters subset of user genetic sequence. Risk profile may be calculated according to actuarial statistics, genetics and/or heredity using non-discriminatory rules specified for users in temporal or jurisdictional groups. User transactions are modifiable according to bioinformatic data representing genetically-based risk increase or decrease. Data is securely processed, modulated, and stored by network server for remote access and transaction using various portable user devices.
    Type: Application
    Filed: November 21, 2007
    Publication date: October 16, 2008
    Inventor: Dennis S. Fernandez
  • Patent number: 7437756
    Abstract: In a method and arrangement for securely exchanging data between a first data processing unit and a second data processing unit, a secure communication channel is established between the first data processing unit and the second data processing unit in a communication configuration step, and a first message is transmitted from the second data processing unit to the first data processing unit via the secure communication channel in a data transmission step. During the data transmission step, the second data processing unit generates a second message by appending a predetermined annex to the first message and a third message by encrypting the second message using a secret key that is available only in the first data processing unit and in the second data processing unit and then transmits the third message to the first data processing unit.
    Type: Grant
    Filed: March 5, 2004
    Date of Patent: October 14, 2008
    Assignee: Francotyp-Postalia AG & Co. KG
    Inventor: Gerrit Bleumer
  • Patent number: 7437550
    Abstract: The invention provides secure and private communication over a network, as well as persistent private storage and private access control to the stored information, which is accomplished by imposing mechanisms that separate a user's actions from their identity. The system provides (i) anonymous network browsing, in which event the anonymity system is unaware of both the user's identity and browsing activities, (ii) private network storage and retrieval of data such as passwords, profiles and files in a manner such that the data can be stored into the system and later retrieved without the system knowing the contents or owners of the data, and (iii) the ability of the user to control and manage access to the remotely stored data without the system knowing the contents, owners, or accessors of the data.
    Type: Grant
    Filed: October 28, 2003
    Date of Patent: October 14, 2008
    Assignee: Ponoi Corp.
    Inventors: Colin Savage, Christopher Petro, Sascha Goldsmith
  • Patent number: 7437552
    Abstract: A subscriber's terminal 201 is configured to be connected to an internet service provider 208 via a LAN 202, and an IP subnet distribution switch 209 within a network service provider 203. When a packet signal that has not received the authentication is input, a physical-port changeover switch 204 gives a temporary IP address to the subscriber's terminal 201, and causes the subscriber's terminal 201 to employ this for making an authentication process. If the authentication succeeds, a normal IP address is given, and the packet signal, which made use of this, is distributed to a network that is an object by the IP subnet distribution switch 209.
    Type: Grant
    Filed: July 9, 2003
    Date of Patent: October 14, 2008
    Assignee: NEC Corporation
    Inventor: Akihiro Shin
  • Publication number: 20080250480
    Abstract: A system and method for providing secure electronic storage in a plurality of electronic safes which each include a plurality of electronic compartments. The owner of each electronic safe can generate new compartments and determine who has access to each of the compartments in their electronic safe.
    Type: Application
    Filed: April 4, 2007
    Publication date: October 9, 2008
    Applicant: Value Consulting Group Inc.
    Inventor: Hamid Meshkat
  • Publication number: 20080250481
    Abstract: Techniques for authenticating a user are described. In one implementation, a user requests access to protected information or resources by providing a user name and a password to a web server that controls access to the information or resources. If the user name and password match a known user profile, the web server retrieves a user identifier (e.g., a personal identification number) and constructs a translation table around the user identifier. The translation table includes the values that constitute the user identifier, random representations of each value, visual images that represent each value, and random image names for each visual image. The information in the translation table is then used to generate a user interface that allows the user to enter his or her user identifier via the user's computing device without exposing the actual user identifier values to the computing device.
    Type: Application
    Filed: April 5, 2007
    Publication date: October 9, 2008
    Applicant: Microsoft Corporation
    Inventors: Robert L. Beck, Benjamin Fullerton
  • Patent number: 7434062
    Abstract: The present application relates to a method and an apparatus of encrypting and/or decrypting a password to secure secrecy of the password.
    Type: Grant
    Filed: November 19, 2004
    Date of Patent: October 7, 2008
    Assignee: Konica Minolta Systems Laboratory, Inc.
    Inventor: Chet Erez
  • Publication number: 20080244039
    Abstract: This invention relates to a method for providing a superior file storage system which utilizes the Internet and which has security as well as a superior user experience as foremost goals. The invention is ideal for the secure storage of critical documents, combining the security of a safe deposit box with the advantages of online file storage. Furthermore, the invention is designed to minimize time spent by an end user on organization, security, and file format issues.
    Type: Application
    Filed: March 22, 2007
    Publication date: October 2, 2008
    Inventor: RUSS WERTZ
  • Patent number: 7430758
    Abstract: An authentication graphic included in a password prompt can allow a user to visually authenticate the password prompt. In one embodiment, the present invention includes a client device receiving a password challenge from a server, and displaying a prompt asking the user for a password, the prompt including an authentication graphic visible to the user.
    Type: Grant
    Filed: February 5, 2004
    Date of Patent: September 30, 2008
    Assignee: Microsoft Corporation
    Inventor: Michael J. Toutonghi
  • Patent number: 7430756
    Abstract: A system and method for generating and authenticating a password to protect a computer system from unauthorized access. The characters of the password are placed in data packets by an access device. Prior to sending the packets, the device inserts a predefined number of blank packets between each of the character-carrying packets. The number of blank packets is retrieved from a number sequence that is shared between the access device and an authentication device. The authentication device determines whether the received set of password characters matches a stored set of password characters, determines whether the received number of blank packets between the received character-carrying packets matches a predefined number of blank packets, and positively authenticates the access device only if both conditions are met.
    Type: Grant
    Filed: December 22, 2004
    Date of Patent: September 30, 2008
    Assignee: JSM Technologies, LLC
    Inventor: Steven W. Smith
  • Patent number: 7428992
    Abstract: A secure device capable of reducing influences by interruptions of communication with an external device and allowing a user to install a desired application program speedily and safely. Command storage section (106) of this secure device (100) stores command groups for executing card issuance. Card issuance section (104) extracts a series of card issuance commands corresponding to a function of a card to be acquired from the command group stored in command storage section (106) and writes the commands into a buffer of card management section (102). Card management section (102) executes each card issuance command written by card issuance section (104). Card issuance is completed through internal processing of secure device (100).
    Type: Grant
    Filed: January 10, 2006
    Date of Patent: September 30, 2008
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Masamoto Tanabiki, Mitsuhiro Sato, Yasuo Takeuchi, Emi Tsurukiri
  • Publication number: 20080235773
    Abstract: A method of irregular password configuration and verification, comprising one irregular character series with a series of texts, numbers or symbols inputted into a system to generate a series of password displaying onscreen of a display device. The series of password comprises at least one register code and at least one random combination unit with a text and a number, or a symbol, wherein the register code is concealed in the random combination unit.
    Type: Application
    Filed: May 21, 2007
    Publication date: September 25, 2008
    Inventor: Hou-Cheng Chen
  • Patent number: 7428641
    Abstract: Without actually storing session-state information, the described exemplary implementations of session-state manager identify a user, validate the user's current logon state, and determine whether the user's session should expire. User identification and logon validation are checked by a server in a stateless network by generating a mathematically session-state token and sending that token to a user. Subsequently, the server receives a mathematically session-state token from the user and checks that token. If that token checks out, then the user is allowed continuing access under the same session. If it doesn't check out, then the user may be forced to start a new session by logging-on again. Alternatively, the server may check to see if the token would check out if it had come at an earlier time block. The session-state tokens are mathematically encoded and are generated using a one-way encryption scheme. Such a one-way encrypted token is scientifically impossible to reverse-engineer.
    Type: Grant
    Filed: October 28, 2004
    Date of Patent: September 23, 2008
    Assignee: Microsoft Corporation
    Inventor: Joshua Allen
  • Patent number: 7428404
    Abstract: Herein disclosed is a communication apparatus to be operative in combination with first and second external devices for respectively producing first and second information, comprising: first information receiving means for receiving the first information from the first external device; communication performing means for performing a communication with the second external device by receiving the second information from the second external device and producing an exchange information to be transmitted to the second external device and; controlling means for controlling the communication performing means by assuming two different operational states including a first operational state to allow the communication performing means to be operable to perform the communication with the second external device and a second operational state to allow the communication performing means to be inoperable to perform the communication with the second external device, the controlling means being adapted to selectively assume th
    Type: Grant
    Filed: August 4, 2004
    Date of Patent: September 23, 2008
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventor: Kyoko Kawaguchi
  • Publication number: 20080229394
    Abstract: Techniques for use in enterprise and similar computing systems securely protect data during software application use by generating private table seeds as a function of predetermined parameters and private tables as a function of the private table seeds. Each of the private tables associates with a distinct one of the private table seeds, each of the private tables associates with a site. An enterprise table seed is formed using other parameters and an enterprise table is derived from the enterprise table seed. The enterprise table permits data communication throughout an enterprise. A string of characters allows accessing a global private information protection system which includes global tables for integrating the private tables, the enterprise tables, and the global tables into a runtime application program at a remote location and coordinating the user's use to control assure only secure use and prevent inadvertent disclosure of the protected information.
    Type: Application
    Filed: July 10, 2006
    Publication date: September 18, 2008
    Applicant: SCI GROUP
    Inventors: Ronald J. Stering, William N. Peach
  • Publication number: 20080229302
    Abstract: A method of accessing content on a local trusted network from trusted and untrusted environments. The method includes assigning a software system associated with the local trusted network a unique name; associating the unique name with a local address and a dynamic external address; routing client communications to the software system using the unique name; and accessing the content from trusted and/or untrusted environments with a single method.
    Type: Application
    Filed: March 14, 2008
    Publication date: September 18, 2008
    Inventors: Philip A. Kufeldt, Andrew Wilcox
  • Patent number: 7424735
    Abstract: A system and method are disclosed for providing security for a computer network. Content sets are generated for a computer associated with the network. It is determined whether a user should be routed to the generated content sets. If it is determined that the user should be routed to the generated content sets, a generated content set is selected and the user is so routed. Various actions and events may be recorded in a logfile, and the logfile is analyzed using regular expressions.
    Type: Grant
    Filed: November 9, 2004
    Date of Patent: September 9, 2008
    Assignee: Symantec Corporation
    Inventors: Stephen Sorkin, Michael Lyle, Robert F. Ross, James R. Maricondo
  • Patent number: 7424743
    Abstract: A security system for a computer network that has a plurality of devices connected thereto comprises a security subsystem, a master system and a secure link. The security subsystem is connected to at least some of the devices in the network. The security subsystem is configured to monitor activities of the at least some devices on the network and detect attacks on the at least some devices. The master system monitors the integrity of the security subsystem and registers information pertaining to attacks detected by the security subsystem. The secure link is connected between the security subsystem and the master system. The master system monitors the integrity of the security subsystem and receives the information pertaining to the attacks through the secure link.
    Type: Grant
    Filed: December 29, 2006
    Date of Patent: September 9, 2008
    Assignee: Solutionary, Inc.
    Inventors: Michael Hrabik, Jeffrey J. Guilfoyle, Edward “Mac” Beaver
  • Patent number: 7424739
    Abstract: The present invention provides for validating that one or more modules reside on the same machine. When a second module wishes to establish communication with a first module, a shared memory that is accessible by the modules—but inaccessible by modules outside the machine—is used to store random data. The first module listens on a transport address corresponding to the random data for communication activity. The second module retrieves the random data from the shared memory, and then uses this data for determining the appropriate transport address to send information to when establishing the communication with the first module.
    Type: Grant
    Filed: October 29, 2004
    Date of Patent: September 9, 2008
    Assignee: Microsoft Corporation
    Inventor: Janiv Pessach
  • Publication number: 20080212769
    Abstract: Example embodiments of the present invention disclose a method for processing an application packet for transmission that includes receiving a plurality of segments of the application packet in a byte stream, the byte stream including a plurality of blocks, creating a plurality of superblocks within the byte stream by grouping a number of the plurality of blocks within the byte stream, and creating first pseudorandom bits for the plurality of superblocks. The method also includes determining a block number and a superblock number for a beginning of each of the plurality of segments, determining a block number and a superblock number for an ending of each of the plurality of segments in the byte stream.
    Type: Application
    Filed: November 16, 2007
    Publication date: September 4, 2008
    Inventor: Sarvar Patel
  • Publication number: 20080216160
    Abstract: The present invention relates to a method of authenticating a user in a communication system comprising a user terminal and an authentication server which is capable of storing two types of nonce values, namely dedicated nonce values unique in the system and common nonce values shared between users in the system. In the method the authentication server receives (401) from the user terminal an access request. Then the authentication server uses a predefined criterion for determining the type of a first nonce value to be sent to the user terminal as a response to the access request. In case the predefined criterion is fulfilled, then a dedicated nonce value is sent, otherwise a common nonce value is sent (402). Then the authentication server receives (403) from the user terminal a response comprising a second nonce value and a response code to the first nonce value.
    Type: Application
    Filed: February 29, 2008
    Publication date: September 4, 2008
    Applicant: MITSUBISHI ELECTRIC CORPORATION
    Inventor: Romain ROLLET
  • Publication number: 20080212771
    Abstract: For authenticating a user using a communication terminal (1) to access a server (4) via a telecommunications network, a personal identification code is received from the user. From secure session establishment protocol messages exchanged (S1, S2, S3) between the communication terminal (1) and the server (4), a data set is generated (S4). Based on the data set, a transaction authentication number is generated (S52) using the personal identification code. The transaction authentication number is transmitted (S54) from the communication terminal (1) to the server (4). In the server (4), the transaction authentication number received is verified (S20) based on the secure session establishment protocol messages exchanged with the communication terminal (1). The transaction authentication number enables session aware user authentication that protects online users against real-time man-in-the-middle attacks.
    Type: Application
    Filed: October 5, 2006
    Publication date: September 4, 2008
    Applicant: PrivaSphere AG
    Inventor: Ralf Hauser
  • Publication number: 20080216161
    Abstract: The present invention discloses a system and method for configuration of access rights to sensitive information handled by a sensitive Web-Service. In a case of requested configuration changes initiated by the client system the Web-Server system provides a configuration data file to the client system preferably using a SOAP-communication protocol. The changes of the configuration data file are exclusively performed offline at the client side and the updated configuration data file is signed with authentication information and sent as a part of a SOAP-request to the Web-Server system. The Web-Server system provides a filter component for identifying and discarding non-SOAP requests as well as an access control manager for providing authentication examination for incoming SOAP-requests. After successfully passing these components the SOAP-request is used for updating the existing configuration data file.
    Type: Application
    Filed: May 1, 2008
    Publication date: September 4, 2008
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Wolfgang Eibach, Matthias Gruetzner, Dietmar Kuebler
  • Patent number: 7421733
    Abstract: When a user successfully logs into an account, the user is provided with a first-class login token, which entitles the user to one or more unsuccessful login attempts without experiencing delays the user would otherwise experience. If an attempt with a second-class login token or an expired first-class login token is impermissible, a subsequent login attempt is subject to delays the user would otherwise not experience. The delays minimize the effectiveness of dictionary attacks. Additionally, if the user attempts to log in without a login token or with an invalid login token, the login attempt is impermissible and the user is provided with a second-class login token for use in a delayed, subsequent login attempt.
    Type: Grant
    Filed: February 6, 2002
    Date of Patent: September 2, 2008
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Steven Charles Glassman, Mark Steven Manasse
  • Publication number: 20080209530
    Abstract: At a vendor-managed web site, purchasing information is received from a first terminal, including purchasing information that is customized for a customer. The customer includes first and second users having respective first and second levels of authorized access to the purchasing information. The first user is identified by a first identifier, and the second user is identified by a second identifier. To a second terminal, access at the vendor-managed web site is provided to: only a first portion of the purchasing information in response to receiving the first identifier from the second terminal which identifies the first user; and at least a second portion of the purchasing information in response to receiving the second identifier from the second terminal which identifies the second user. The second portion includes at least a part of the first portion and a third portion of the purchasing information. The part of the first portion includes at least a portion of the customized purchasing information.
    Type: Application
    Filed: April 28, 2008
    Publication date: August 28, 2008
    Applicant: Dell USA L.P.
    Inventor: Amy Van Wyngarden
  • Publication number: 20080209531
    Abstract: An information output apparatus includes a tray determining unit that determines an output tray to which printed sheets are output, a secret information generating unit that generates first secret information corresponding to tray identification information for identifying the output tray determined, a transmitting unit that transmits the first secret information generated by the secret information generating unit to a terminal, an input accepting unit that accepts an input of second secret information from a user, and a tray controlling unit that specifies the output tray based on the first secret information when the second secret information and the first secret information coincide with each other, and allows a slot of the specified tray to be open.
    Type: Application
    Filed: April 30, 2008
    Publication date: August 28, 2008
    Inventor: Atsuko Hayano
  • Publication number: 20080209529
    Abstract: The present invention refers to a process of transaction authenticity and integrity check that allows the user to verify the authenticity of an internet bank site. Said process does not require the use of special devices by the users, thus avoiding extra implementation costs and making its adoption easy.
    Type: Application
    Filed: February 22, 2008
    Publication date: August 28, 2008
    Applicant: Banco Bradesco S.A.
    Inventor: Douglas Tevis Francisco
  • Publication number: 20080201767
    Abstract: Associating a computing device with a group of other computing devices. A service receives a common credential from the computing device and associates the computing device with the other computing devices also associated with the common credential. The service generates a machine-specific credential for use by the computing device in subsequent communications with the service. The machine-specific credential is used to authenticate, identify, and group the computing device with the other computing devices in the subsequent communications.
    Type: Application
    Filed: February 21, 2007
    Publication date: August 21, 2008
    Applicant: MICROSOFT CORPORATION
    Inventors: Juanya Davon Williams, Ashutosh Badwe, Adam Patrick Edwards
  • Publication number: 20080201768
    Abstract: Disclosed herein are a password management apparatus and method, a certification information storage apparatus and a certification information management method. The password management method of accessing and managing desired passwords through a portable password management apparatus and a terminal on which a password management program is installed, includes a first step of executing the password management program on the management terminal, a second step of receiving a user authentication number from the management apparatus, and comparing the first authentication number with a user authentication number previously stored in the management terminal, thereby authenticating whether a user is a legitimate user, and a third step of, only if the user is authenticated as a legitimate user, receiving a password list from the management apparatus and outputting the received password list onto a screen.
    Type: Application
    Filed: July 10, 2006
    Publication date: August 21, 2008
    Inventors: Hong-Sik Koo, Jong-Sik Koo, Il Joe
  • Patent number: 7412719
    Abstract: A Centralized Authentication & Authorization (CAA) system that prevents unauthorized access to client data using a secure global hashtable residing in the application server in a web services environment. CAA comprises a Service Request Filter (SRF) and Security Program (SP). The SRF intercepts service requests, extracts the service client's identifier from a digital certificate attached to the request, and stores the identifier in memory accessible to service providers. The client identifier is secured by the SP using a key unique to the client identifier. When the web services manager requests the client identifier, the web services manager must present the key to the SP in order to access the client identifier. Thus, the present invention prevents a malicious user from attempting to obtain sensitive data within the application server once the malicious user has gained access past the firewall.
    Type: Grant
    Filed: May 20, 2004
    Date of Patent: August 12, 2008
    Assignee: International Business Machines Corporation
    Inventors: Messaoud Benantar, Yen-Fu Chen, John W. Dunsmoir, Randolph Michael Forlenza, Wei Liu, Sandra Juni Schlosser
  • Patent number: 7409705
    Abstract: Disclosed is a user authentication system, which is designed to present a presentation pattern to a user subject to authentication, and apply a one-time-password derivation rule serving as a password of the user to certain pattern elements included in the presentation pattern at specific positions so as to create a one-time password. An authentication server is operable to generate a pattern seed value adapted to be combined with a user ID so as to allow a presentation pattern to be uniquely determined, and transmit the generated pattern seed value to an authentication-requesting client. The authentication-requesting client is operable to display a presentation pattern created based on an entered user ID and the received pattern seed value and in accordance with a given pattern-element-sequence creation rule, so as to allow the user to enter therein a one-time password, and transmit the entered one-time password to the authentication server.
    Type: Grant
    Filed: June 9, 2006
    Date of Patent: August 5, 2008
    Assignee: Computer Systems Engineering Co., Ltd.
    Inventors: Yukiya Ueda, Tsugune Saito, Shigetomo Tamai
  • Publication number: 20080184348
    Abstract: but a registration-requesting information transmission unit transmits the registration-requesting information containing the terminal ID and a device ID for discriminating the contents reproducing device. A registration unit specifies a registration record on the basis of the terminal ID contained in the registration-requesting information, and registers the device ID in the registration record and returns registration-completed information to the contents processing device. A list update unit adds, as it receives the registration-completed information from the management server, a group ID of the contents processing device itself to a second source ID list of the contents reproducing device.
    Type: Application
    Filed: July 21, 2005
    Publication date: July 31, 2008
    Applicant: Sony Corporation
    Inventor: Koujirou Tanaka
  • Publication number: 20080177647
    Abstract: An online compliance engine stored on a computer readable storage medium includes an intercept module programmed to intercept a request by a client for content on a destination server, and a compliance module programmed to access and parse the content from the destination server requested by the client, and to determine whether or not the destination server is authorized to distribute the content, the compliance module being further programmed to allow the destination server to distribute the content to the client if the destination server is compliant, and to block the destination server from distributing the content if the destination server is not compliant. The engine also includes a billing module programmed to bill the destination server if the content is distributed to the client.
    Type: Application
    Filed: January 16, 2008
    Publication date: July 24, 2008
    Inventor: John W. Veenstra
  • Publication number: 20080178252
    Abstract: An arrangement is provided for securely sharing data on a network by enabling a user to select and install a commonly-shared password in each terminal device that is on the network. The terminal devices are then able to form a network that is temporarily secured using the user-installed password. A terminal-generated password is next created by one of the terminal devices and distributed over the temporarily secured network to the other devices. The terminal-generated password replaces the user-generated password so that the network is reformed and secured using the terminal-generated password. In one illustrative example, the terminal-generated password is created using a unique identifier, such as one or more MAC (Media Access Control) addresses associated with terminal devices on the network, as an input to a hash function that generates the new password having sufficient length and randomness to provide robust protection against password attack.
    Type: Application
    Filed: January 18, 2007
    Publication date: July 24, 2008
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventor: Ted R. Michaud
  • Publication number: 20080178271
    Abstract: A system and method for provisioning digital identity representations (“DIRs”) uses various techniques and structures to ease administration, increase accuracy, and decrease inconsistencies of a digital-identity provisioning system. A system is provided using a common identity data store for both DIR issuance and identity token issuance, decreasing synchronization issues. Various methods are provided for creating new DIRs, notifying principals of available DIRs, and approving issuance of new DIRs.
    Type: Application
    Filed: September 17, 2007
    Publication date: July 24, 2008
    Applicant: Microsoft Corporation
    Inventors: Vijay K Gajjala, Colin H. Brace, Derek T. Del Conte, Kim Cameron, Arun K. Nanda, Hervey O. Wilson, Stuart L.S. Kwan, Rashmi Raj, Vijayavani Nori
  • Publication number: 20080178272
    Abstract: A system and method for provisioning digital identity representations (“DIRs”) uses various techniques and structures to ease administration, increase accuracy, and decrease inconsistencies of a digital-identity provisioning system. Various methods are provided for creating new DIRs, requesting DIRs, notifying principals of available DIRs, and approving issuance of new DIRs.
    Type: Application
    Filed: September 17, 2007
    Publication date: July 24, 2008
    Applicant: Microsoft Corporation
    Inventors: Vijay K. Gajjala, Colin H. Brace, Derek T. Del Conte, Arun K. Nanda, Stuart L.S. Kwan, Rashmi Raj, Vijayavani Nori