Management Patents (Class 726/6)
  • Patent number: 7404203
    Abstract: A system and methods for applying capability-based authorization within a distributed computing environment. Instead of associating permissions or privileges with objects (e.g., computing resources), permissions are associated with subjects (e.g., users, roles). Compared to object-based methods of access control, such as Access Control Lists (ACL), management of capability-based authorizations scales much better as the number of objects becomes very large. A central repository allows changes to the authorization framework (e.g., new subjects, modified permissions) to be made once. The changes can then be propagated across, and applied to, multiple address spaces instead of having to individually or manually update each local node or address space.
    Type: Grant
    Filed: May 6, 2003
    Date of Patent: July 22, 2008
    Assignee: Oracle International Corporation
    Inventor: Raymond K. Ng
  • Patent number: 7404202
    Abstract: Disclosed is a security device coupled to a computing device, which is, in turn, coupled to a server through a computer network. The security device stores a serial number associated with the security device and a user key associated with the serial number. When the computing device attempts to log onto the server over the computer network, the server requests a serial number from the security device. If the serial number is stored within a user information database, the server obtains an associated user key and computes a challenge. Further, the server computes an expected response for the security device based on the associated user key. The server then sends the challenge to the security device over the computer network. If the server receives a response back from the security device that matches the expected response, the server will allow the computing device to log onto the server.
    Type: Grant
    Filed: January 16, 2002
    Date of Patent: July 22, 2008
    Assignee: Line 6, Inc.
    Inventors: Dave Hamilton, John Brinkman, John Longawa, Charles Corris Randall, Rob Rampley, Marcus Ryle
  • Publication number: 20080172726
    Abstract: Tracking data operations associated with unauthenticated computing devices to enable subsequent identification and remediation thereof. In embodiments in which one computing device has to trust another computing device without authenticating the other computing device, a machine identifier and a credential group value are associated with data operations in communications from the unauthenticated computing device. The data operations may be subsequently identified based on the machine identifier and credential group value. Remedial action may be taken on the identified data operations to restore data integrity.
    Type: Application
    Filed: January 15, 2007
    Publication date: July 17, 2008
    Applicant: MICROSOFT CORPORATION
    Inventors: John Leo Ellis, Ashutosh Badwe
  • Publication number: 20080172713
    Abstract: A network security enforcement system includes a central location adapted to send a challenge; and at least one client station, each of the client stations being provided with an agent and being in communication with the central location. The system includes a set of S independent one-time passwords, each of the one-time passwords being associated with an index value. In response to a challenge sent by the central location to at least one of the client stations, the agent returns a one-time password to the central location corresponding to the correct response; otherwise the central location considers the client station insecure.
    Type: Application
    Filed: June 16, 2005
    Publication date: July 17, 2008
    Inventors: Guy-Armand Kamendje, Christian Richard
  • Publication number: 20080168543
    Abstract: A method including generating a first and second One Time Password (OTP) token from a shared clock, receiving a third OTP token, and comparing the second and the third OTP tokens. A system including a number generator residing on a first server to generate first and second One Time Password (OTP) tokens from a shared clock, a transmitter residing on the first server to transmit the first and the second OTP tokens, a receiver residing on a second server to receive the first, the second, and a third OTP tokens, and a comparator residing on the second server to compare the second and the third OTP tokens to authenticate an identity of a party who generates the third OTP token.
    Type: Application
    Filed: January 5, 2007
    Publication date: July 10, 2008
    Applicant: eBay Inc.
    Inventor: Christopher Jurgen von Krogh
  • Publication number: 20080168544
    Abstract: A system is illustrated as including a One-Time Password (OTP) device operatively coupled to a computer system to receive data, and a server operatively coupled to the computer system via a network connection. A method is illustrated as including initiating a transmission control protocol (TCP) and internet protocol (IP) connection, requesting a current time, receiving the current time, and updating a clock to reflect the current time. An apparatus including one or more processors to generate two or more clock values, pass these two or more clock values through a hashing function to generate two or more One Time Password (OTP) tokens, display these two or more OTP tokens on a screen, transmit data through a Universal Serial Bus (USB), and receive data through a Universal Serial Bus (USB).
    Type: Application
    Filed: January 5, 2007
    Publication date: July 10, 2008
    Applicant: eBay Inc.
    Inventor: Christopher Jurgen von Krogh
  • Publication number: 20080168547
    Abstract: A method for provisioning client devices securely and automatically by means of a network provisioning system is disclosed. Provisioning occurs before the client is granted access to the network. The provisioning is determined dynamically at the time a client connects to the network and may depend on a multitude of factors specified by data dictionaries of the provisioning system.
    Type: Application
    Filed: December 19, 2007
    Publication date: July 10, 2008
    Applicant: Avenda Systems, Inc.
    Inventors: Santhosh Cheeniyil, Krishna Prabhakar
  • Publication number: 20080168546
    Abstract: A randomized images collection, along with the user's images credential and its underlying credential values, is transmitted from a server-computing device to a client-computing device where a user at the client-computing device is to log in and be authenticated by the server-computing device. The randomized images collection provides a secure mechanism for end users to log in to a server-computing device from an insecure client-computing device and provides security against spyware and phishing attacks, by giving spyware software no way of recording the user interaction at the client-computing device and by not allowing a phishing attack on the website.
    Type: Application
    Filed: January 10, 2007
    Publication date: July 10, 2008
    Inventor: John Almeida
  • Publication number: 20080168545
    Abstract: A method for performing a domain logon to a computer network is disclosed. A secure storage area containing user identification information and domain password information corresponding to the user identification information is provided. In response to a receipt of a user-entered user identification and a user-entered domain password by a first module of a Windows® operating system, the domain password information stored in the secure storage area and the corresponding user identification information are written to a registry of the Windows® operating system. Authentication for domain logon is then performed by a second module of the Windows® operating system based on the received domain password and the domain password information written to the registry of the Windows® operating system. After the authentication, the domain password information is subsequently removed by the first module of the Windows® operating system from the registry of the Windows® operating system.
    Type: Application
    Filed: January 9, 2007
    Publication date: July 10, 2008
    Inventors: Tadanobu Inoue, Seiichi Kawano, David C. Challener, Philip L. Childs
  • Patent number: 7398311
    Abstract: The present invention provides cache flushing of selected data while leaving remaining cached data intact. Data can be flushed from caches distributed across various components of a network-based computer system. These caches can contain various types of data. In one embodiment, the caches exist in an Access System and contain user identity profile information. In another embodiment, the caches exist in an Access Management System and contain authentication, authorization, or auditing rules. A system in accordance with the invention detects a change to data residing on a server and transmits a synchronization record to a component of the system. The synchronization record identifies the changed data. The system flushes the changed data identified by the synchronization record from caches of the component.
    Type: Grant
    Filed: October 3, 2006
    Date of Patent: July 8, 2008
    Assignee: Oracle International Corporation
    Inventors: Vrinda S. Joshi, Praveen R. Swadi, Robert L. Summers
  • Publication number: 20080163347
    Abstract: A method is disclosed for managing access rights. The method generates a record associated with a change in a status for an individual and sends notification of the change in status to a first entity. The method also determines, by the first entity, if there is to be a change in one or more access levels associated with the individual. The method further sends notification to a second entity if the first entity determines that there is to be a change in the one or more access levels. In addition, the method changes, by the second entity, the one or more access levels.
    Type: Application
    Filed: December 28, 2006
    Publication date: July 3, 2008
    Inventors: Peggy Ann Ratcliff, John Charles Anderson, Victoria Lynn Logan, Paul Matthew McCarron, Jana Evans Soviar, Michelle Lee Campbell-Castaline, Sondra Jean Franks, Randall Charles Walker, Paulette L. Holler, Margaret Anne Gutgesell, Kathleen P. King, David Lee Brewer, Jack Anthony Nieukirk, Gail E. Polonus, David Charles White, Paul Richard Rybarczyk, Nicole Yvette Graves, Peggy Ann Heath, Russell M. Beale, Lowell L. Trammell
  • Publication number: 20080163348
    Abstract: An improved network architecture employs a super authority having an identity catalog to direct login authentication tasks to appropriate authorities. Authentication tasks may be performed by authorities across namespace boundaries if so directed by the super authority, such that a principal account may be moved without alteration of the account ID. In an embodiment of the invention, the identity catalog comprises a listing associating account IDs with appropriate authenticating authorities.
    Type: Application
    Filed: March 18, 2008
    Publication date: July 3, 2008
    Applicant: MICROSOFT CORPORATION
    Inventors: Jeffrey B. Parham, Brendan Dixon, Murli Satagopan, Richard Bruce Ward
  • Publication number: 20080163346
    Abstract: Embodiments of the invention address deficiencies of the art in respect to electronic messaging security through replicated certificate stores and provide a method, system and computer program product user-specific certificate repository replication. In one embodiment of the invention, a method of replicating with multiple different messaging systems disposed in correspondingly different computing clients, retrieving a local repository of untrusted certificates from each of the different messaging systems during replication, and associating each retrieved local repository with a particular end user can be provided. Moreover, the method can include updating a global repository of untrusted certificates with the untrusted certificates of each local repository while eliminating redundant instances of an untrusted certificate present in different retrieved local repositories.
    Type: Application
    Filed: December 29, 2006
    Publication date: July 3, 2008
    Inventors: John C. Wray, Andrew S. Myers
  • Publication number: 20080155668
    Abstract: A password setting method for setting a same password used for connecting to a network by multiple video receiving apparatuses retaining unique information different from one another, to said multiple video receiving apparatuses includes: a password generation step in which a remote control apparatus for transmitting an operation signal with respect to said multiple video receiving apparatuses, or one video receiving apparatus among said multiple video receiving apparatuses generates said password based on said unique information retained by said one video receiving apparatus, and stores the password in a password storage unit provided in said remote control apparatus; and a password transmitting step in which said remote control apparatus transmits said stored password to any other video receiving apparatus.
    Type: Application
    Filed: December 20, 2007
    Publication date: June 26, 2008
    Applicant: MATSUSHITA ELECTRIC INDUSTRIAL CO., LTD.
    Inventors: Nobuhiko ARASHIN, Kenji SHIOYAMA
  • Publication number: 20080155669
    Abstract: A method and a system allow accessing several of a user's controlled access accounts by presenting the credentials of only one of the accounts. The method may include (a) storing the credentials for each of the user's accounts; (b) receiving from the user credentials corresponding to any of the user's accounts; (c) presenting the received credentials to access the corresponding account; and (d) upon successful access of the corresponding account, using the stored credentials to access one or more of the user's accounts without requiring the user to present the corresponding credentials. For each of the user's accounts, the credentials are stored encrypted, using a randomly generated key, common to all the encrypted credentials. In addition, the randomly generated key is encrypted using the credentials of each of the accounts. In that manner, plain-text copies of neither the random key nor the credentials of the accounts need to be stored.
    Type: Application
    Filed: December 21, 2007
    Publication date: June 26, 2008
    Inventors: Ralph Harik, Georges Harik, Praveen Krishnamurthy
  • Publication number: 20080155670
    Abstract: Communication connection method for connecting server computer to client computer via network, comprises storing group identification information items for identifying groups, in relation to information indicating number of connection request packets uniquely and secretly allocated to each group of groups, each group including users allowed to access server computer, counting connection request packets received from client computer within preset period to obtain counted number, determining whether information corresponds to counted number, acquiring one group of groups to which connection request packets corresponding to counted number are allocated, if information corresponds to counted number, determining whether resources of server computer are allocated to group indicated by acquired group identification item, generating connection request acknowledgement packet in response to at least one of received connection request packets, and transmitting generated connection request acknowledgement packet to netwo
    Type: Application
    Filed: January 3, 2008
    Publication date: June 26, 2008
    Inventors: Kentaro Umesawa, Toshinari Takahashi
  • Publication number: 20080155659
    Abstract: Network elements in IMS or other SIP systems are configured to pre-authenticate SIP requests either as proxy or by snooping. One or more of these network elements are pre-loaded with a local database copy of the user profiles as typically contained in the HSS inside of the IMS control structures. A master database, such as the one typically contained in the HSS, is distributed to all network elements using database distribution methods. Advantageously, pre-authentication solves bottleneck issues in the SIP mechanism by allowing an end user device to use fully authenticated SIP requests. This removes the requirement to perform authentication, authorization, and accounting (AAA) all the way back to the core IMS network, alleviating lag and scaling issues. Additionally, network elements can become aware of the services requested through SIP requests, and track these requests for optimization. Specifically, resources requested based upon SIP requests can be cached.
    Type: Application
    Filed: December 26, 2006
    Publication date: June 26, 2008
    Inventors: Michael A. Gazier, Lyndon Y. Ong, Ian H. Duncan
  • Publication number: 20080155667
    Abstract: A management apparatus for managing a wireless parameter is configured to obtain a certificate from a certificate authority by using a timing related to a setting processing based on a wireless parameter setting method as a trigger and send the obtained certificate to a wireless communication apparatus as well as the wireless parameter.
    Type: Application
    Filed: December 6, 2007
    Publication date: June 26, 2008
    Applicant: CANON KABUSHIKI KAISHA
    Inventor: Toshifumi Hamachi
  • Publication number: 20080152146
    Abstract: The present invention relates to a method, a device and a system for preventing unauthorized introduction of content items in a network containing compliant devices and enabling users in the network to be anonymous. A basic idea of the present invention is to provide a CA (206) with a fingerprint of a content item to be introduced in a network at which the CA is arranged. Further, the CA is provided with an identifier of a content introducer (201), which introduces the particular content item in the network. The CA compares the fingerprint to a predetermined set of fingerprints, and content item introduction is allowed if the content item fingerprint cannot be found among the fingerprints comprised in the set. On introduction of the content item, the CA generates a pseudonym for the content introducer and creates a signed content ID certificate comprising at least said fingerprint and a unique content identifier for the content item and the pseudonym of the content introducer.
    Type: Application
    Filed: January 19, 2006
    Publication date: June 26, 2008
    Applicant: KONINKLIJKE PHILIPS ELECTRONICS, N.V.
    Inventors: Claudine Viegas Conrado, Geert Jan Schrijen, Milan Petkovic
  • Patent number: 7392386
    Abstract: A method that provides access to Privileged Accounts to users by way of a two-way-encrypted credential store. In accordance with this invention, a process that needs to retrieve credentials for a third party system causes the operating system to launch a second process. This second process runs under a secured user id without interactive access. The requesting process can then pass generalized command streams to the second process, including tokenized credential retrieval requests. These tokenized credential retrieval requests are processed to authenticate the requests, perform audit logging of requests and retrieval of credentials. Tokenized credential requests are transformed by the second process into credentials, which can be embedded within a command stream and then either forwarded to a sub-process or returned to the requesting process.
    Type: Grant
    Filed: January 28, 2004
    Date of Patent: June 24, 2008
    Assignee: J P Morgan Chase Bank
    Inventors: Gerard Magennis, Thomas Buchendorfer
  • Publication number: 20080148373
    Abstract: Systems and methods for unattended authentication of software applications to provide these applications with access to shared resources. A server password manager (SPM) module resident on a node also occupied by a requestor software application requesting access to resources receives the requestor's request. The SPM module creates a request package containing the requestor's information as well as the node's identifying information. The request package is then transmitted to a credentials manager (CM) module in a CM node. The request package, encrypted by the SPM module with encryption keys previously generated by the CM module, is decrypted by the CM module. The contents are checked against data stored by the CM module regarding the SPM module and the requestor application when these were registered with the CM. If the data matches, then the CM provides credentials which are used to give the requestor application access to the requested resources.
    Type: Application
    Filed: December 18, 2006
    Publication date: June 19, 2008
    Inventors: Garney David Adams, Robert Grapes, Yuan Xiang Gu, Richard Edward Johnston Mehan, Jack Jiequn Rong
  • Publication number: 20080148374
    Abstract: A telematics system that includes a security controller is provided. The security controller is responsible for ensuring secure access to and controlled use of resources in the vehicle. The security measures relied on by the security controller can be based on digital certificates that grant rights to certificate holders, e.g., application developers. In the case in which applications are to be used with vehicle resources, procedures are implemented to make sure that certified applications do not jeopardize vehicle resources' security and vehicle users' safety. Relationships among interested entities are established to promote and support secure vehicle resource access and usage. The entities can include vehicle makers, communication service providers, communication apparatus vendors, vehicle subsystem suppliers, application developers, as well as vehicle owners/users.
    Type: Application
    Filed: January 22, 2008
    Publication date: June 19, 2008
    Applicant: CELLPORT SYSTEMS, INC.
    Inventors: Charles W. Spaur, Patrick J. Kennedy, Micheal F. Braitberg, Axel Fuchs, Nate Klingenstein, Lane Lee
  • Publication number: 20080148372
    Abstract: A method and apparatus for the management of the configuration settings of an electronic device (108) by a remote agent is provided. The remote agent is connected to the electronic device via a network (100). The method includes temporarily authorizing (304) the remote agent to access administrative information and assume administrative control of the electronic device via the network. Further, the method includes modifying (306) the configuration settings of the electronic device in response to commands received from the remote agent. Moreover, the method includes terminating (308) the temporary access and control rights of the remote agent after the configuration settings of the electronic device are modified.
    Type: Application
    Filed: December 14, 2006
    Publication date: June 19, 2008
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventor: Glen P. Goffin
  • Publication number: 20080141330
    Abstract: Systems and methods for digitally certified stationery are described. In one aspect, a stationery granting authority (SGA) receives a request from a user to generate a document. If the user is authorized for the requested document, the SGA generates a certificate with credentialing information from data in the request. The SGA generates a first digital signature from some of the credentialing information. The SGA communicates the certificate to the user for editing and distribution as the document. A recipient of the document determines whether the document is “official” by contacting a specified service to provide certain information from the document. The verification service computes a second digital signature from the provided information for comparison to the first digital signature. If there is a match, the service notifies the recipient that the document is valid/official. Otherwise, the recipient is notified that the document is not valid.
    Type: Application
    Filed: December 6, 2006
    Publication date: June 12, 2008
    Applicant: Microsoft Corporation
    Inventors: Denis X. Charles, Kamal Jain, Kristin E. Lauter
  • Publication number: 20080141352
    Abstract: A password is securely distributed to a client device of a network by sending a first encrypted message from the client device to a server of the network, the first message comprising a nonce created by the client device, a username of the client device, and a network address of the client device, then sending a second message from the server to the network address of the client device, the second message comprising the nonce created by the client device, and a password created by the server. If the client device verifies that the nonce received from the server matches the nonce sent to the server, the password and username may be used to enable the client device to access information on the server. The first encrypted message may be an HTTPS message and the second message may be an SMS message.
    Type: Application
    Filed: December 11, 2006
    Publication date: June 12, 2008
    Applicant: MOTOROLA, INC.
    Inventors: Brett L. Lindsley, Thomas S. Messerges
  • Patent number: 7386720
    Abstract: Techniques for user authentication based upon an asymmetric key pair having a public key and a split private key are provided. A first portion of the split private key is generated based upon multiple factors under control of the user. The factors include a password. A challenge is cryptographically combined with a first one of the multiple factors, but not the user password, to form a first message. The first message is transformed with the generated first portion to form a second message, which is then sent to an authentication entity. The sent second message is transformed to authenticate the user by proving direct verification of user control of the first factor.
    Type: Grant
    Filed: February 14, 2005
    Date of Patent: June 10, 2008
    Assignee: TriCipher, Inc.
    Inventors: Ravinderpal Singh Sandhu, Brett Jason Schoppert, Ravi Ganesan, Mihir Bellare, Colin Joseph Desa
  • Publication number: 20080134307
    Abstract: Methods for assigning a personal information number (PIN) to a device for accessing digital services from the device are provided. One of the methods includes defining a PIN for the device from a website upon confirming credentials of a user and then mapping the PIN to the device at the website. The method then includes receiving an access request from the device for digital services and forwarding the device a request to enter the PIN on the device. If the PIN entered on the device matches the PIN mapped at the website, then the PIN is activated to enable accessing the digital services from the device using the PIN without having to enter credentials of the user on the device. The device is one having a limited data entry interface. Examples of the device include mobile phones, remotes for interactive televisions, and other limited data entry computing devices.
    Type: Application
    Filed: December 1, 2006
    Publication date: June 5, 2008
    Applicant: Yahoo, Inc.
    Inventors: Zvika Ashkenazi, Tong Zhu, Davi B. Ottenheimer
  • Publication number: 20080134309
    Abstract: A system and method of providing domain management for content protection and security is disclosed. A secure device domain is generated to allow sharing of content among a plurality of consumer electronic devices. A domain management scheme for authenticating and managing consumer electronics devices in the secure device domain is provided.
    Type: Application
    Filed: November 30, 2007
    Publication date: June 5, 2008
    Applicant: Samsung Electronics Co., Ltd.
    Inventors: Xiangping Qin, Harkirat Singh, Huai-Rong Shao, Chiu Ngo
  • Publication number: 20080134308
    Abstract: Systems, methodologies, media, and other embodiments associated with network login security are described. One exemplary system embodiment includes a network edge logic configured to receive information related to a network login request, to gather information associated with the user, and, to gather information related to the user's system. The system further includes a server comprising an identity management agent configured to determine access rights to a network based on the user login request, gathered information associated with the user, gathered information related to the user's system, and, stored access profile information.
    Type: Application
    Filed: December 5, 2006
    Publication date: June 5, 2008
    Inventors: Ramachandra Yalakanti, Charles A. Black
  • Patent number: 7383434
    Abstract: A system and method for a certificate verifier to make a request to a certificate distribution server for a copy of another entity's digital certificate and to have the certificate distribution center validate it. The certificate distribution center can request the appropriate certificates and validation thereof from a number of certificate authorities or may alternatively obtain copies from a certificate cache and validate the copies against a revocation list server.
    Type: Grant
    Filed: March 3, 2003
    Date of Patent: June 3, 2008
    Assignee: Diversinet Corp.
    Inventors: Michael Andrew Wildish, Stephen M. Ansell, Michael C. Crerar
  • Publication number: 20080127317
    Abstract: A novel system for utilizing an authorization token to separate authentication and authorization services. The system authenticates a client to an authenticating server; generates an authorization token with the authenticating server and the client; and authorizes services for the client using the generated authorization token.
    Type: Application
    Filed: August 14, 2007
    Publication date: May 29, 2008
    Applicant: FUTUREWEI TECHNOLOGIES, INC.
    Inventor: Madjid F. Nakhjiri
  • Patent number: 7380135
    Abstract: A method of transmitting contents, which are to be received at a reception side where a portion of the contents is previewed while the contents are not accessible for playing other than for a preview purpose, includes the steps of encrypting the contents by a first encryption key, generating information indicative of an elapsed time of the contents that indicates a relationship between positions on a time axis of the contents representing an amount of time that passes as the contents are played and a time count that accrues as a preview time when the contents are previewed, encrypting the first encryption key and the information indicative of an elapsed time of the contents by a second encryption key, thereby generating first encrypted information, encrypting the second encryption key and content-usage control information by a third encryption key, thereby generating second encrypted information, the content-usage control information indicating usage of the contents on the reception side, and transmitting the
    Type: Grant
    Filed: August 15, 2003
    Date of Patent: May 27, 2008
    Assignee: Nippon Hoso Kyokai
    Inventors: Yusei Nishimoto, Tatsuya Kurioka, Seiichi Namba
  • Patent number: 7380133
    Abstract: The objective of the present invention is to propose a method that allows preventing the use of more than one identical security module for the identification and use of resources administered by an operating centre. This objective is achieved by an anti-cloning method based on the memorization of the identification numbers of the user units connected to said security module. During a connection with an operating centre these numbers are transmitted and compared with the numbers of a previous transmission. Differences are accepted as long as new numbers are added to a list previously transmitted. The security module is declared invalid if the numbers previously memorized are not included in the transmitted numbers.
    Type: Grant
    Filed: December 21, 2001
    Date of Patent: May 27, 2008
    Assignee: Nagravision S.A.
    Inventor: Jean-Luc Jaquier
  • Patent number: 7380280
    Abstract: Access to digital content may be controlled by receiving a rights locker enrollment request from a user device associated with a user, where the rights locker enrollment request comprises a digital content request and enrollment authentication data. A determination of whether the user is authorized comprises determining the rights of the user to access the rights locker and the rights of the user to digital content specified by the digital content request. If the user is authorized, the rights locker is initialized with rights to the digital content. If a first token used to create the authenticated rights locker access request has been fully redeemed, a new token that authenticates future access to a rights locker corresponding to the digital content is obtained. An authenticated rights locker access request that is based at least in part on the new token is created and then sent.
    Type: Grant
    Filed: October 15, 2003
    Date of Patent: May 27, 2008
    Assignee: Sun Microsystems, Inc.
    Inventor: Eduard K. de Jong
  • Patent number: 7380270
    Abstract: A computer-assisted system, method and medium for enabling a user to select at least one of a plurality of predefined process steps to create a tailored sequence of process steps that can be used to assess the risk of and/or determine the suitability of a target system to comply with at least one predefined standard, regulation and/or requirement.
    Type: Grant
    Filed: September 5, 2001
    Date of Patent: May 27, 2008
    Assignee: Telos Corporation
    Inventors: Richard P. Tracy, Hugh Barrett, Lon J. Berman, Gary M. Catlin, Thomas G. Dimtsios
  • Publication number: 20080120708
    Abstract: A method for granting a grace period entitlement, the method comprising receiving a grace period entitlement message, establishing whether a grace period flag indicates that a grace period may be granted, granting a grace period to an expired entitlement based, at least in part, on the grace period entitlement message, only if the grace period flag is “off”, and setting the grace period flag to indicate that the grace period has been granted. Related methods and apparatus are also described.
    Type: Application
    Filed: November 1, 2004
    Publication date: May 22, 2008
    Applicant: NDS Limited
    Inventors: Erez Waisbard, Yaron Sella
  • Publication number: 20080120709
    Abstract: A management interface between embedded systems of a blade server for executing a management method is provided. The management method comprises receiving a login information from a first system and generating a session ID in response to the login information, wherein the login information has a markup language format; receiving a command information from the first system and sending back an execution result of the command information in response to the command information, wherein the execution result has the markup language format; and receiving a logout information from the first system and removing the session ID in response to the logout information so as to invalidate the session ID, wherein the logout information has the markup language format.
    Type: Application
    Filed: July 17, 2007
    Publication date: May 22, 2008
    Applicant: Quanta Computer Inc.
    Inventor: Shih-Chiang Chung
  • Patent number: 7376838
    Abstract: A method that provides access to Privileged Accounts to users with Privileged Account access permission. A message is sent to a Privileged Accounts manager when a user logs into a Privileged Account. The user must enter a reason for access. All keystrokes are logged. At the conclusion of the user session, the log file is closed and another message is sent to the Privileged Accounts manager. The log file may be sent to the manager at this time or saved for a batch transfer periodically.
    Type: Grant
    Filed: October 7, 2003
    Date of Patent: May 20, 2008
    Assignee: JP Morgan Chase Bank
    Inventor: Lakshmi Narayanan
  • Publication number: 20080114986
    Abstract: Techniques for modification of access expiration conditions are presented. A principal supplies a password associated with establishing access to a target resource. In response to the password, characteristics of the password are examined and a custom expiration condition is generated for the password in response to the characteristics and policy. When the custom expiration condition is satisfied, the password and access to the target resource become invalid for use. Moreover, the principal may interactively change a complexity level of any proposed password for purposes of attempting to enhance the expiration condition or for purposes of attempting to degrade the expiration condition.
    Type: Application
    Filed: October 31, 2006
    Publication date: May 15, 2008
    Inventors: Cameron Craig Morris, Lloyd Leon Burch
  • Publication number: 20080112566
    Abstract: An apparatus is provided. The apparatus includes a memory and a processor in communication with the memory. The processor is configured to: transmit a request to a memory device to access content stored in the memory device; receive a session ticket; and access the content based on the session ticket. The session ticket includes a parameter used to decrypt the content and the session ticket is generated based on a number that is configured to change at a session.
    Type: Application
    Filed: November 14, 2006
    Publication date: May 15, 2008
    Inventors: Fabrice Jogand-Coulomb, Haluk Kent Tanik, Oktay Rasizade
  • Publication number: 20080115198
    Abstract: A system that uses multi-factor authentication while retrieving information is described. During operation, the system requests and receives multiple authentication factors from a user of an application on a first host. These multiple authentication factors are associated with a document on a second host, and include authentication information that enables access to the document. Furthermore, the system uses the multiple authentication factors to access the document. While accessing the document, the system retrieves information from the document by navigating through the document, identifying the information, and aggregating the information.
    Type: Application
    Filed: October 31, 2006
    Publication date: May 15, 2008
    Inventors: Paul J. Hsu, JWM Spies, John Flora
  • Publication number: 20080114987
    Abstract: Techniques for using multiple security access mechanisms for a single identifier are presented. A single identifier is permitted to be associated with multiple authentication secrets. The single identifier resolves to a particular identity in response to the particular authentication secret presented with the single identifier. Moreover, in an embodiment, any resolved identity may have a variety of attributes automatically set for a particular communication session, such as role, access rights, etc.
    Type: Application
    Filed: October 31, 2006
    Publication date: May 15, 2008
    Inventors: Cameron Craig Morris, Lloyd Leon Burch, Douglas G. Earl
  • Patent number: 7373666
    Abstract: A method and system are provided for managing a security threat in a distributed system. A distributed element of the system detects and reports suspicious activity to a threat management agent. The threat management agent determines whether an attack is taking place and deploys a countermeasure to the attack when the attack is determined to be taking place. Another method and system are also provided for managing a security threat in a distributed system. A threat management agent reviews reported suspicious activity including suspicious activity reported from at least one distributed element of the system, determines, based on the reports, whether a pattern characteristic of an attack occurred, and predicts when a next attack is likely to occur. Deployment of a countermeasure to the predicted next attack is directed in a time window based on when the next attack is predicted to occur.
    Type: Grant
    Filed: July 1, 2002
    Date of Patent: May 13, 2008
    Assignee: Microsoft Corporation
    Inventors: Christopher G. Kaler, Giovanni Moises Della-Libera, John P. Shewchuk
  • Patent number: 7373426
    Abstract: The host name to be used in responding to the reverse look-up request from the correspondent is generated at the name server side and returned as a response, and/or the IP address to be used in responding to the normal look-up request from the correspondent is generated at the name server side and returned as a response, so that the communications can be carried out without exposing the privacy of the communication host or the user to danger.
    Type: Grant
    Filed: March 31, 2003
    Date of Patent: May 13, 2008
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Tatuya Jinmei, Masahiro Ishiyama, Yuzo Tamada
  • Patent number: 7373518
    Abstract: Card reader having a control interface 18 for controlling 12 the card reader from the exterior, and a device for reading data cards, particularly chip cards, and also having a security module 20, where a request arriving via the control interface 18 is forwarded to the security module 20, and the latter's output is reformatted, if appropriate, and is forwarded to the data card, where it is checked.
    Type: Grant
    Filed: April 14, 2001
    Date of Patent: May 13, 2008
    Assignee: Wincor Nixdorf International GmbH
    Inventor: Lutz Neubauer
  • Patent number: 7370366
    Abstract: A data management system and method are provided. Specifically, the present invention includes a system for controlling access to data and ensuring that the confidentiality of the data is maintained. In addition, the present invention provides a system for updating data so that confidential data, which has become non-confidential, can be identified and exposed.
    Type: Grant
    Filed: November 16, 2001
    Date of Patent: May 6, 2008
    Assignee: International Business Machines Corporation
    Inventors: Francis M. Lacan, Ronald Perez, Michael I. Shub, Charles P. Tresser
  • Patent number: 7370195
    Abstract: An improved network architecture employs a super authority having an identity catalog to direct login authentication tasks to appropriate authorities. Authentication tasks may be performed by authorities across namespace boundaries if so directed by the super authority, such that a principal account may be moved without alteration of the account ID. In an embodiment of the invention, the identity catalog comprises a listing associating account IDs with appropriate authenticating authorities.
    Type: Grant
    Filed: September 22, 2003
    Date of Patent: May 6, 2008
    Assignee: Microsoft Corporation
    Inventors: Jeffrey B. Parham, Brendan Dixon, Murli Satagopan, Richard Bruce Ward
  • Publication number: 20080104684
    Abstract: Methods, apparatuses, and articles for receiving, by a server, a plurality of identifiers associated with a client device are described herein. The server may also encrypt a plurality of encoding values associated with the plurality of identifiers using a first key of a key pair of the server, and generate a token uniquely identifying the client device, a body of the token including the encrypted plurality of encoding values. In other embodiments, the server may receive a token along with the plurality of identifiers. In such embodiments, the server may further verify the validity of the received token, including attempting to decrypt a body of the received token with a key associated with a second server, the second server having generated the received token, and, if decryption succeeds, comparing ones of the plurality of identifiers with second identifiers found in the decrypted body to check for inconsistencies.
    Type: Application
    Filed: October 24, 2007
    Publication date: May 1, 2008
    Applicant: IOVATION, INC.
    Inventors: Ron Lunde, Daniel P. Lulich, Greg Pierson
  • Publication number: 20080104411
    Abstract: Methods and apparatus are provided for changing passwords in a distributed communication system. The disclosed password management system includes an event server for receiving one or more subscriptions to a password change event from one or more endpoints associated with a user and for notifying the endpoints that subscribed to the password change event of a password change; and a profile service for (i) receiving a request for a new password from one or more of the endpoints in response to the subscription notification from the event server of the password change event; (ii) authenticating the one or more of the endpoints based on an existing password; and (iii) providing a new password to the one or more of the endpoints following the authentication. A password manager notifies the event server and profile service of a password change.
    Type: Application
    Filed: September 29, 2006
    Publication date: May 1, 2008
    Inventors: Pankaj O. Agrawal, Albert J. Baker, Daniel Kaiser, Marcus V. Roman
  • Publication number: 20080104680
    Abstract: Methods, systems, and products for local blade server security are provided. Embodiments include extracting authentication information for a local user from a USB keydrive inserted in the chassis of the blade server; comparing the extracted authentication information with predetermined authentication credentials; and granting access to one or more resources on the blade server if the extracted authentication information matches the predetermined authentication credentials; and denying access to one or more resources on the blade server if the extracted authentication information does not match the predetermined authentication credentials.
    Type: Application
    Filed: October 2, 2006
    Publication date: May 1, 2008
    Inventors: Gregg K. Gibson, Eric R. Kern, Michael S. Rollins, Janae V. Simons, David R. Woodham, Tong Yu