Management Patents (Class 726/6)
  • Patent number: 7367053
    Abstract: A password strength checking method has the steps of inputting a password to be checked, generating a plaintext password candidate according to the same generation procedure as that used by a password guessing tool, determining whether or not the inputted password and the generated password candidate match each other, directing generation of the next password candidate when the match is not determined, determining strength of the inputted password based on the number of the generated password candidates when the match is determined, and outputting information of the determined password strength.
    Type: Grant
    Filed: October 3, 2003
    Date of Patent: April 29, 2008
    Assignee: Yamatake Corporation
    Inventors: Daiji Sanai, Michiharu Arimoto, Takashi Mishima, Hidenobu Seki
  • Publication number: 20080098463
    Abstract: A system for providing access control for an information server implemented by a mobile terminal includes a proxy gateway configured for receiving a set of control rules, the rules identifying one or more clients by respective telephone numbers associated therewith. The proxy gateway receives a client request across a network to access a resource of the information server, where the request reflects a network address of the proxy gateway, and an identity of the information server outside the network. The proxy gateway determines if the client is authorized to access the requested resource based upon a telephone number associated with the client and the set of control rules, the proxy gateway having received the telephone number associated with the client before the request. If the client is authorized, the proxy gateway sends the request to the information server based upon the identity of the information server reflected in the request.
    Type: Application
    Filed: October 20, 2006
    Publication date: April 24, 2008
    Applicant: Nokia Corporation
    Inventor: Johan Wikman
  • Publication number: 20080098464
    Abstract: Random partial shared secret recognition is combined with using more than one communication channel between server-side resources and two logical or physical client-side data processing machines. After a first security tier, a first communication channel is opened to a first data processing machine on the client side. The session proceeds by delivering an authentication challenge, identifying a random subset of an authentication credential, to a second data processing machine on the client side using a second communication channel. Next, the user enters an authentication response in the first data processing machine, based on a random subset of the authentication credential. The authentication response is returned to the server side on the first communication channel for matching. The authentication credential can be a one-session-only credential delivered to the user for one session, or a static credential used many times.
    Type: Application
    Filed: October 24, 2006
    Publication date: April 24, 2008
    Applicant: AUTHERNATIVE, INC.
    Inventor: Len L. Mizrah
  • Publication number: 20080098465
    Abstract: A computer readable medium includes instructions for managing execution of an application module by receiving a request to execute the application module, where the application module is configured to execute on a virtual machine, retrieving license registration information and license status information associated with the application module, communicating the license registration information and the license status information to a license validation module to obtain an authorization response, where the license validation module is associated with the application module and registered with the virtual machine, and executing the application module, if the authorization response indicates that the license registration information and the license status information are valid.
    Type: Application
    Filed: October 19, 2006
    Publication date: April 24, 2008
    Applicant: Sun Microsystems, Inc.
    Inventors: Srikanth Ramakrishna, Suresh R. Warrier
  • Patent number: 7363508
    Abstract: A system and method for implementing data transfer security mechanisms. The method includes a first component transferring a data type handler object to a second component. The second component invokes an interface accessible through the data type handler object which includes instructions that are executed by the second component to implement a data transfer security mechanism. Further, the data type handler interface can be encrypted, include cryptographic keys, and/or include digital signatures.
    Type: Grant
    Filed: May 21, 2003
    Date of Patent: April 22, 2008
    Assignee: Palo Alto Research Center Incorporated
    Inventors: W. Keith Edwards, Mark W. Newman, Jana Z. Sedivy, Diana K. Smetters, Trevor Smith
  • Patent number: 7363656
    Abstract: A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.
    Type: Grant
    Filed: November 3, 2003
    Date of Patent: April 22, 2008
    Assignee: Mazu Networks, Inc.
    Inventors: Daniel Weber, Prem Gopalan, Massimiliano Antonio Poletto
  • Patent number: 7363223
    Abstract: The present invention describes a framework for the analytical and visual analysis and tuning of complex speaker verification systems guided by a policy finite state machine. The Receiver Operating Curve associated with the acoustic speaker recognition task is transformed into a multi-dimensional Receiver Operating Map (ROM), which results from a probabilistic analysis of the policy state machine. A Detection Cost Function (DCF) Map can be similarly generated. Results indicating that optimization over this surface (or the ROM) is an appropriate way to set thresholds are given.
    Type: Grant
    Filed: August 13, 2004
    Date of Patent: April 22, 2008
    Assignee: International Business Machines Corporation
    Inventors: Upendra V. Chaudhari, Ganesh N. Ramaswamy
  • Publication number: 20080089520
    Abstract: System and method for storing identity mapping information in an identity management system to enable a user authenticated at a first domain to access a second domain. The method may include digitally signing the identity mapping information by the user; providing the mapping information to an identity management system; and storing the user-signed mapping information after being further digitally signed by the identity management system.
    Type: Application
    Filed: September 20, 2007
    Publication date: April 17, 2008
    Inventor: Dieter Kessler
  • Patent number: 7359883
    Abstract: A management device of a license management system acquires a usage request of a content from an SD card or a printer via a relay device, analyzes the acquired usage request, acquires usage environment information of the SD card or the printer from the relay device, analyzes the acquired usage environment information, generates license information including a usage rule corresponding to the analysis results of the usage request and the usage environment information, generates instruction information indicating how to handle the license information in the relay device based on the analysis result of the usage environment information, embeds the generated instruction information in the license information, and sends the license information to the relay device.
    Type: Grant
    Filed: April 11, 2002
    Date of Patent: April 15, 2008
    Assignee: Matsushita Electric Industrial Co., Ltd.
    Inventors: Takaaki Namba, Takashi Matsuo, Akio Higashi, Tohru Nakahara, Hiroki Murakami, Masanori Nakanishi, Yasushi Uesaka, Kouji Miura
  • Patent number: 7356696
    Abstract: The bread pudding protocol of the present invention represents a novel use of proofs of work and is based upon the same principle as the dish from which it takes its name, namely, that of reuse to minimize waste. Whereas the traditional bread pudding recipe recycles stale bread, our bread pudding protocol recycles the “stale” computations in a POW to perform a separate and useful task, while also maintaining privacy in the task. In one advantageous embodiment of our bread pudding protocol, we consider the computationally intensive operation of minting coins in the MicroMint scheme of Rivest and Shamir and demonstrate how the minting operation can be partitioned into a collection of POWs, which are then used to shift the burden of the minting operation onto a large group of untrusted computational devices. Thus, the computational effort invested in the POWs is recycled to accomplish the minting operation.
    Type: Grant
    Filed: August 1, 2000
    Date of Patent: April 8, 2008
    Assignees: Lucent Technologies Inc., RSA Security Inc.
    Inventors: Bjorn Markus Jakobsson, Ari Juels
  • Patent number: 7356704
    Abstract: An apparatus and method for authenticating users on a data processing system is implemented. The present invention provides for aggregating authenticated identities and related authorization information. A security context created in response to a first user logon is saved in response to a second logon. A composite or aggregate security context is created based on the identity passed in the second logon. Access may then be granted (or denied) based on the current, aggregated security context. Upon logout of the user based on the second identity, the aggregate security context is destroyed, and the security context reverts to the context previously saved.
    Type: Grant
    Filed: December 7, 2000
    Date of Patent: April 8, 2008
    Assignee: International Business Machines Corporation
    Inventors: Debora Rinkevich, John Michael Garrison
  • Publication number: 20080083023
    Abstract: A first method and system includes receiving initial information related to a person; verifying the accuracy of the initial information; assigning a plurality of scores to the person, the plurality of scores having a plurality of score types, each of the plurality of scores having a score value and a score type; and setting the score value of at least one of the plurality of scores based on the verified initial information. A second method and system includes, for each person of a plurality of persons, assigning a plurality of scores, each of the plurality of scores having a score type and a score value, the score value of at least one of the plurality of scores being based on verified information; receiving a request for information related to a specific score type and a specific score value; and determining a portion of the plurality of persons which have scores related to the specific score type and specific score value.
    Type: Application
    Filed: September 28, 2006
    Publication date: April 3, 2008
    Inventor: Anil Kumar H S
  • Patent number: 7353536
    Abstract: Resetting a password for a network service account may include redirecting the user to a password reset tool, wherein the user is blocked from network access other than the password reset tool while being redirected. After redirecting the user to the password reset tool, user entry of verification information may be accepted, and the verification information from the user may be compared with known verification information for the user. User entry of a new password may be accepted if the verification information accepted from the user matches the known verification information for the user; and the new password may be stored as the known password for the user. Related systems and computer-program products are also discussed.
    Type: Grant
    Filed: September 23, 2003
    Date of Patent: April 1, 2008
    Assignee: AT&T Delaware Intellectual Property, Inc
    Inventors: Scott Morris, William Conner
  • Publication number: 20080075281
    Abstract: The present invention provides an anonymous selectable credential system and method therefor. In the system, a credential authority issues root credentials to a user for certain user rights. The user generates an anonymous selectable credential from the root credentials that correspond to a selected set of user rights, and presents the anonymous selectable credential to a service. Using the anonymous selectable credential, the user can prove to the service through a knowledge proof that the selected set of user rights was granted by the credential authority. Then the service may provide service to the user according to the verified user rights. By generating and presenting different anonymous selectable credentials, the user could remain anonymous no matter how many times he/she accessed one or more services. The user can selectively prove any portion of his/her full set of rights, and no matter how many rights are to be proved, the computational cost is basically the same as that for proving only one right.
    Type: Application
    Filed: September 24, 2007
    Publication date: March 27, 2008
    Applicant: NEC (CHINA) CO., LTD.
    Inventor: Ke Zeng
  • Patent number: 7350228
    Abstract: A method for secure distribution of digital content to an untrusted environment, comprising the steps of: constructing a relatively trusted environment within the untrusted environment; constructing at least two digital inputs, the digital inputs being operable to reproduce the digital content; transferring digital media to the relatively trusted environment such that each of the inputs is transmitted via a different path; and combining the inputs in order to reproduce the digital content.
    Type: Grant
    Filed: January 22, 2002
    Date of Patent: March 25, 2008
    Assignee: PortAuthority Technologies Inc.
    Inventors: Ariel Peled, Ofir Carny, Lidror Troyansky, Arik Baratz, Oded Arbel
  • Patent number: 7350229
    Abstract: A method and apparatus for a network-wide authentication and authorization mapping system for a network is provided. The global authentication and authorization mapping system enables a seamless transition from one web-based application in the network configuration to another web-based application in the network configuration, including a single sign-on capability for users. There are no localized security enforcement processes required to further authenticate a user.
    Type: Grant
    Filed: October 4, 2001
    Date of Patent: March 25, 2008
    Assignee: Netegrity, Inc.
    Inventor: Vadim Lander
  • Patent number: 7350075
    Abstract: A network cache is automatically configured so that the network cache is able to communicate with a database to authenticate a user. A user ID is received as input and is used to query a database for objects having the user ID. The user object corresponding to the user ID is selected and the attributes within the user object are output to a user interface. The attribute name corresponding to the user ID is selected. Attribute names corresponding to group IDs in the user object are selected. If other forms of group membership exist, a non-parent object is retrieved and the attribute name corresponding to the group ID in the object is selected. Once each attribute name is selected the attribute name is stored in a configuration file in the network cache.
    Type: Grant
    Filed: January 28, 2002
    Date of Patent: March 25, 2008
    Assignee: Network Appliance, Inc.
    Inventor: Paul Christopher Eastham
  • Patent number: 7346923
    Abstract: Techniques are disclosed for federating identity management within a distributed portal server, leveraging Web services techniques and a number of industry standards. Identities are managed across autonomous security domains which may be comprised of independent trust models, authentication services, and user enrollment services. The disclosed techniques enable integrating third-party Web services-based portlets, which rely on various potentially-different security mechanisms, within a common portal page.
    Type: Grant
    Filed: November 21, 2003
    Date of Patent: March 18, 2008
    Assignee: International Business Machines Corporation
    Inventors: Barry D. Atkins, David O. Melgar, Anthony J. Nadalin, Ajamu A. Wesley
  • Patent number: 7346924
    Abstract: In order to remove security vulnerability in an IP-SAN and eliminate unauthorized access by spoofing, firewalls are installed in valid user servers and storage devices, and a distributed firewall manager for managing the firewalls integrally is provided in the IP-SAN. The distributed firewall manager obtains discovery domain information from an iSNS server, determines nodes registered in the iSNS server as the nodes of valid users, and autocreates a security policy according to sets consisting of an iSCSI name and portal information. This security policy is distributed to all of the firewalls as a common policy, whereupon access control is executed to deny TCP connection requests from unauthorized access sources.
    Type: Grant
    Filed: May 25, 2004
    Date of Patent: March 18, 2008
    Assignee: Hitachi, Ltd.
    Inventors: Toui Miyawaki, Takeshi Ishizaki, Emiko Kobayashi
  • Publication number: 20080066165
    Abstract: A method, system and program product for authenticating a user seeking to perform an electronic service request is provided. The method includes verifying user identity data received from a user requesting an electronic service, detecting whether or not any variances are found based on the set of user profile data associated with the user seeking to perform the electronic service requested, identifying the risk level for the electronic service based on whether or not any variances are found and any characteristics thereof, if any variances are found, applying one or more business policies or rules for handling any variances that are found. The method further includes issuing to the user, using a customer relationship management system, a challenge corresponding to the risk level identified for the electronic service requested, and authorizing the user to perform the electronic service requested only if a correct response is received to the challenge issued.
    Type: Application
    Filed: September 12, 2006
    Publication date: March 13, 2008
    Applicant: International Business Machines Corporation
    Inventor: Jonathan M. C. Rosenoer
  • Patent number: 7343623
    Abstract: Embodiments of the present invention encompass systems and methods for use in identity authentication. One illustrative application is in the context of authenticating the identity of a subject by verifying items of identifying information stored by, or accessible through, a plurality of data sources. In particular, a multi-item query can be presented to multiple data sources and the results of the query can be combined into an overall composite result that can be used to authenticate the subject's identity.
    Type: Grant
    Filed: May 29, 2003
    Date of Patent: March 11, 2008
    Assignee: RAF Technology, Inc.
    Inventor: David Justin Ross
  • Publication number: 20080060066
    Abstract: Exemplary methods and systems for acquiring network credentials for network access are described. The exemplary method comprises receiving network configuration information from a network device on a communication network, generating a credential request, transmitting the credential request to a credential server over a standard protocol of the network device, receiving the credential request response, and providing a network credential from the credential request response to the network device to access the communication network.
    Type: Application
    Filed: September 6, 2007
    Publication date: March 6, 2008
    Inventors: Simon Wynn, John Gordon
  • Patent number: 7340606
    Abstract: A method for producing a certificate, the certificate including data, the method including choosing a seed s, the seed s including a result of applying a function H to the data, generating a key pair (E,D), such that E=F(s,t), F being a publicly known function, and including s and t in the certificate. Related methods, and certificates produced by the various methods, are also described.
    Type: Grant
    Filed: December 29, 2003
    Date of Patent: March 4, 2008
    Assignee: NDS Ltd.
    Inventors: Yaacov Belenky, Chaim D. Shen-Orr, Aviad Kipnis, Victor Halperin
  • Patent number: 7340518
    Abstract: A method of enabling a server to contact an unknown Internet account holder can begin with the server receiving a request for a resource. The server then determines whether the request for the resource warrants sending a notice, and if so, identifies a notice destination to which the notice is to be sent. The server then generates a notice comprising an apparent IP address, a time the server received the request, and a communication; and sends the notice to the notice destination via a standardized communications pathway. An ISP can receive a notice from the server via the standardized communication pathway, and based thereon can identify the account holder based on the requesting IP and optionally the request time. The ISP can then send the account holder the communication by an arranged manner despite the server not having known the identity of the account holder.
    Type: Grant
    Filed: July 10, 2001
    Date of Patent: March 4, 2008
    Inventor: Gerald L. Jenkins
  • Patent number: 7336790
    Abstract: Methods and systems consistent with the present invention provide a Supernet, a private network constructed out of components from a public-network infrastructure. Supernet nodes can be located on virtually any device in the public network (e.g., the Internet), and both their communication and utilization of resources occur in a secure manner. As a result, the users of a Supernet benefit from their network infrastructure being maintained for them as part of the public-network infrastructure, while the level of security they receive is similar to that of a private network. The Supernet has an access control component and a key management component which are decoupled. The access control component implements an access control policy that determines which users are authorized to use the network, and the key management component implements the network's key management policies, which indicate when keys are generated and what encryption algorithm is used.
    Type: Grant
    Filed: December 10, 1999
    Date of Patent: February 26, 2008
    Assignee: Sun Microsystems Inc.
    Inventors: Germano Caronni, Amit Gupta, Tom R. Markson, Sandeep Kumar, Christoph L. Schuba, Glenn C. Scott
  • Patent number: 7337468
    Abstract: Methods, apparatuses and systems facilitating integration of the functionality associated with a first on-line service entity with the functionality associated with a second on-line service entity. Embodiments of the present invention allow a first on-line service entity having its own membership model to efficiently collaborate with a second on-line service entity to offer its users the services of the second on-line service entity in a seamless and consistently branded manner. One implementation obviates the need for synchronization of the membership models between the first and second on-line service entities. One implementation allows the second on-line service entity to provide services to the users associated with the first on-line service entity in a seamless manner without the first on-line service entity having to proxy the session between the second on-line service entity and the users.
    Type: Grant
    Filed: February 13, 2004
    Date of Patent: February 26, 2008
    Assignee: Truelink, Inc.
    Inventor: Scott Metzger
  • Patent number: 7331058
    Abstract: The invention relates to using a universally unique identifier in a database to uniquely identify, both within and outside of the database system, a user. A storage system, according to the invention, includes a first storage area having an object stored therein; and a second storage area having stored therein an object identifier that identifies the object. The object identifier is unique within and outside of the storage system, and can be a Universal Unique Identifier (UUID). The invention also relates to methods for storing and retrieving objects identified based on the unique identifier.
    Type: Grant
    Filed: December 16, 1999
    Date of Patent: February 12, 2008
    Assignee: International Business Machines Corporation
    Inventor: Henry M. Gladney
  • Publication number: 20080034411
    Abstract: When a login request in which a network terminal serves as a login destination is received from an administrator terminal, a login request receiving unit of a login administration server causes the administrator terminal to transmit a shared account and fingerprint information. A search engine unit performs a search in an authentication table by using the account and the user fingerprint information as a key, and, when the authentication succeeds, acquires association data including a right upon successful authentication and a login permitted terminal (in this case, a terminal) from an association data table. A login request transmitting unit transmits a login request to the network terminal of the login destination so as to achieve login and imparts the right upon successful authentication.
    Type: Application
    Filed: December 15, 2006
    Publication date: February 7, 2008
    Applicant: FUJITSU LIMITED
    Inventor: Ken Aoyama
  • Publication number: 20080034410
    Abstract: Systems and methods are disclosed for an appliance to authenticate access of a client to a protected directory on a server via a connection, such as a secure SSL connection, established by the appliance. A method comprises the steps of: receiving, by an appliance, a first request from a client on a first network to access a server on a second network, the appliance providing the client a virtual private network connection from the first network to the second network; determining, by the appliance, the first request comprises access to a protected directory of the server; associating, by the appliance, an authentication policy with the protected directory, the authentication policy specifying an action to authenticate the client's access to the protected directory; and transmitting, by the appliance in response to the authentication policy, a second request to the client for an authentication certificate. Corresponding systems are also disclosed.
    Type: Application
    Filed: August 3, 2006
    Publication date: February 7, 2008
    Applicant: Citrix Systems, Inc.
    Inventors: Sivaprasad Udupa, Tushar Kanekar, Tejus Ag
  • Publication number: 20080028446
    Abstract: A method for providing secure and efficient link expiration that includes determining an email address for a member to which a link is to be sent; generating a link by encrypting the member's email address; determining an expiration date for the link; and applying a scaling factor to the expiration date. The method also includes combining the expiration date with the link; sending an email message to the member's email address, with the email message including the link embedded therein; taking the member to a web site after receiving data corresponding to selection of the embedded link by the member; determining if the link has expired based on the expiration date with the reduced memory requirement; decrypting the link if it is determined that the link has not expired; and determining if the link is valid.
    Type: Application
    Filed: July 25, 2006
    Publication date: January 31, 2008
    Applicant: MYPOINTS.COM INC.
    Inventor: Andre Burgoyne
  • Publication number: 20080028449
    Abstract: An authority management apparatus configured to communicate with an external apparatus having one or more functions includes a management unit configured to manage authority information indicating an authority concerning use of the one or more functions of the external apparatus with respect to a particular user, an updating unit configured to, based on permission information for permitting a second user different from a first user to use a function of the external apparatus that the first user can execute, update the authority information concerning the second user, and a sending unit configured to send the authority information updated by the updating unit to the external apparatus to be used by the second user.
    Type: Application
    Filed: July 17, 2007
    Publication date: January 31, 2008
    Applicant: CANON KABUSHIKI KAISHA
    Inventors: Nobuyuki Shigeeda, Naohiro Taguchi
  • Patent number: 7325247
    Abstract: An information management method restoring electronic data using backup information upon the loss of electronic data stored on a recording medium. Information stored in a predetermined area of the recording medium having medium-specific information is encrypted using medium-specific information or a key generated therefrom and is derived outside the predetermined area.
    Type: Grant
    Filed: March 8, 2001
    Date of Patent: January 29, 2008
    Assignee: Fujitsu Limited
    Inventors: Seigo Kotani, Takayuki Hasebe, Hideyuki Hirano
  • Patent number: 7325129
    Abstract: A method for altering encryption status in a relational database in a continuous process, wherein at least one table of said database comprises at least one base area and at least one maintenance area, comprising the steps of: copying all records from said base area to said maintenance area; directing action of commands intended for said base area to said maintenance area; altering encryption status of said base area; copying all data records from said maintenance area to said base area; and redirecting action of commands to said base area.
    Type: Grant
    Filed: November 16, 2000
    Date of Patent: January 29, 2008
    Assignee: Protegrity Corporation
    Inventors: Ulf Mattsson, Tamojit Das
  • Publication number: 20080022379
    Abstract: Federated management framework for credential data. The framework permits credential-using applications to provide user interface panels and associated semantics to manage the credentials that are relevant to each application. This framework is suitable for use in a multi-application environment where credentials are shared among the applications. With this framework, each management user interface associated with one of the applications can have the credentials appear in the interface. Furthermore, the framework can detect when one application's management user interface attempts a modification to a credential that will affect another application that has an interest in that credential.
    Type: Application
    Filed: June 28, 2006
    Publication date: January 24, 2008
    Inventor: JOHN C. WRAY
  • Patent number: 7320140
    Abstract: Methods and apparatus, including computer program products, for defining rights applicable to a digital object. A set of initial rights and a set of modifying rights are received for the digital object. At least one of the set of initial rights and the set of modifying rights specifies one or more conditions on rights in the respective set of rights. A new set of rights is defined for the digital object based on the set of initial rights and the set of modifying rights. The new set of rights specifies one or more new conditions on rights in the new set of rights. The new conditions are defined based on one or more of the conditions in the set of initial rights and/or the set of modifying rights.
    Type: Grant
    Filed: June 16, 2003
    Date of Patent: January 15, 2008
    Assignee: Adobe Systems Incorporated
    Inventors: Jason Boyer, Lawrence MacLennan, Robert Mathews
  • Patent number: 7320068
    Abstract: The present invention relates to systems and methods to generate accounts on a client when joining the client to a domain while preserving user profiles that were generated prior to joining the client. In general, a user with an account on a client can customize the account, wherein the customization can be saved in an associated profile. The client can employ the user profile when the user logs on in order to return the customization to the user. The present invention provides a novel approach to retain a user's existing user profile when joining the client via mapping the user's existing account to the account that will be generated, and then automatically migrating the user's profile to the generated account during joining the client. The foregoing can provide reduced client setup time, improved setup efficiency, reduced setup cost, and mitigation of severing customization from a user's account.
    Type: Grant
    Filed: June 5, 2003
    Date of Patent: January 15, 2008
    Assignee: Microsoft Corporation
    Inventors: Jeff A. Zimniewicz, Paul R. Fitzgerald, Brian G. Strully
  • Publication number: 20080010673
    Abstract: An authentication system performs user authentication between a client and a server using a one-time password. Each of the client and the server generates random authentication data. The generated random authentication data is exchanged between the client and the server. In this way, authentication based on completely random authentication data, not using specific one-time password generation logic, can be provided. Furthermore, by applying the method for authentication and the method for updating a one-time password according to the present invention, spoofing can be detected even when a password is stolen. As a result, unauthorized access can be prevented.
    Type: Application
    Filed: February 16, 2007
    Publication date: January 10, 2008
    Applicant: FUJITSU LIMITED
    Inventors: Tomokazu Makino, Harutaka Tanaka, Satoshi Hamanaka, Yukimasa Takahira, Daiji Itou, Masaaki Ishibashi, Katsuyuki Fujiyoshi, Takashi Ishii
  • Publication number: 20080005789
    Abstract: An information processing system, which includes: an information distribution server; a client apparatus; and a plurality of service providing servers that provide service to a user of the client apparatus, and the information distribution server including: a user authentication information memory that stores user authentication information; a receiving section that receives authentication information from the plurality of service providing servers; and an authentication proxy information distributing section that distributes authentication proxy information prepared based on the user authentication information and the authentication information, and the client apparatus including: a user authentication section that carries out authentication of the user, and an authentication proxy section that, if the authentication is carried out by the user authentication section, executes a proxy authentication when the user accesses at least one of the plurality of service providing servers on the basis of the distribut
    Type: Application
    Filed: November 24, 2006
    Publication date: January 3, 2008
    Applicant: FUJI XEROX CO., LTD.
    Inventors: Kenichiro Kigo, Hisashi Nakatsuyama
  • Publication number: 20080005783
    Abstract: A portable computer system such as a laptop computer system includes a processor coupled to a wireless module that may communicate with a computer network via a connection to a wireless network. In addition, the portable computer system includes an authentication unit that may be coupled to the wireless module and configured to generate and provide authentication information to the wireless module. The wireless module may be further configured to provide the authentication information to the computer network in response to a challenge from the computer network during initiation of the connection to the computer network, without intervention of the processor. In addition, the wireless module may enable features such as authenticating a remote admin-level user, which may further enable that user to perform security related functions through the wireless module.
    Type: Application
    Filed: June 30, 2006
    Publication date: January 3, 2008
    Inventors: R. Stephen Polzin, Robert Ober
  • Patent number: 7316028
    Abstract: A method (300;400) and system (100) for transmitting information across a firewall (130b) between multiple endpoints (120) and gateways (135), in a resource management environment (such as the TME) having characteristics that are firewall-incompatible. A gateway proxy (125g) and an endpoint proxy (125e) are associated with the endpoints and the gateways, respectively. The two proxies are connected to each other by means of a pass-through communication tunnel crossing the firewall, which tunnel is secured by mutual authentication of the gateway proxy and the endpoint proxy at its ends. Each endpoint and each gateway is tricked into communicating only with the respective proxy. Particularly, a listening port is allocated on the endpoint proxy on behalf of each endpoint, so that the corresponding gateway will open a connection back to the endpoint proxy on the listening port for transmitting any packet to the endpoint.
    Type: Grant
    Filed: November 7, 2002
    Date of Patent: January 1, 2008
    Assignee: International Business Machines Corporation
    Inventors: Alex Donatelli, Marco Lerro
  • Publication number: 20070300289
    Abstract: An authenticating unit authenticates an external terminal and stores the result of authentication in an authentication state table. A receiving unit receives a first message containing information relating to a first application and identification information unique to the external terminal. A determining unit determines whether the external terminal contained in the first message is authentic by referring to the information in the authentication state table, each time the first message is received. A generating unit generates a second message containing a port, which is to be used by the first application, and an address of the external terminal when the external terminal is determined to be authentic. A transmitting unit transmits the second message to a firewall.
    Type: Application
    Filed: January 9, 2007
    Publication date: December 27, 2007
    Inventors: Yoshimichi Tanizawa, Naoki Esaka
  • Patent number: 7313814
    Abstract: An exemplary digital rights management engine and related methods divides multimedia content into service level layers, encrypts at least some of the layers, and offers access to the encrypted layers by permission. The multimedia content may be layered using multiple different layering approaches simultaneously, and access to the different types of layers may be offered simultaneously. One of the layers may be left unencrypted to allow free browsing of a low quality service level. An exemplary system of key management for digital rights management is also disclosed.
    Type: Grant
    Filed: April 1, 2003
    Date of Patent: December 25, 2007
    Assignee: Microsoft Corporation
    Inventors: Bin Zhu, Chun Yuan, Shipeng Li
  • Patent number: 7313700
    Abstract: A method and system is directed to providing policies for handling authenticated messages, such as email, and the like, by combining Public Key encryption and the Internet Domain Name System (the “DNS”). The policies include system, user, statistics, new domain, unverified domain, and third party. A domain owner may validate that an email originates from an authorized sender within their domain by using a private key component to digitally sign email outbound from its domain. Employing a public key component, along with a selector, an email recipient may check the validity of the signature, and thus determine that the email originated from a sender authorized by the domain owner. In one embodiment, the public key component used to verify an email signature may be “advertised” or otherwise made available via a TXT record in the DNS.
    Type: Grant
    Filed: March 19, 2004
    Date of Patent: December 25, 2007
    Assignee: Yahoo! Inc.
    Inventor: Mark Delany
  • Publication number: 20070289001
    Abstract: A method, apparatus and computer program product for controlling access to host access credentials required by a client application to access a host computer system is provided. The host access credentials are stored in a restricted access directory. The method comprises authenticating directory access credentials received from a client application. The authenticated client application then requests the host access credentials, a determination is made as to whether the authenticated client process is authorized to access the requested host access credentials, and, if authorized, these are provided to the client application.
    Type: Application
    Filed: April 30, 2007
    Publication date: December 13, 2007
    Inventor: Peter Edward Havercan
  • Patent number: 7308702
    Abstract: A system and method for defining and enforcing a security policy. Security mechanism application specific information for each security mechanism is encapsulated as a key and exported to a semantic layer. Keys are combined to form key chains within the semantic layer. The key chains are in turn encapsulated as keys and passed to another semantic layer. A security policy is defined by forming key chains from keys and associating users with the key chains. The security policy is translated and exported to the security mechanisms. The security policy is then enforced via the security mechanisms.
    Type: Grant
    Filed: January 14, 2000
    Date of Patent: December 11, 2007
    Assignee: Secure Computing Corporation
    Inventors: Daniel Jay Thomsen, Richard O'Brien, Jessica Bogle, Charles Payne
  • Publication number: 20070283424
    Abstract: Techniques for validating identities are provided. A sign-on request is authenticated for a given principal. Attributes associated with that principal are acquired from an identity service and compared against locally maintained attributes for that principal. If the identity-service acquired attributes match the local attributes, then the principal is validated for access. During principal access, selected events drive updates to the identity-service acquired attributes, and the comparison with the local attributes is performed again to determine whether the validated principal is to be invalidated or is to remain validated.
    Type: Application
    Filed: June 1, 2006
    Publication date: December 6, 2007
    Inventors: Stephen Hugh Kinser, Lloyd Leon Burch, Cameron Craig Morris
  • Publication number: 20070283164
    Abstract: Upon receiving server side entity information and principal confirmation profile request data from a server side entity device, a consolidation apparatus transmits an entity information transmission request to each of a plurality of client side entity devices and receives client side entity information from each of the client side entity devices. Then, it determines the principal confirmation profile ID in each piece of client side entity information and the principal confirmation profile ID in the server side entity information according to the principal confirmation profile ID request information having the highest priority in the principal confirmation profile request data, and prepares routing table information associating the processing capability IDs and the entity IDs corresponding to the determined principal confirmation profile ID, which routing table information is then stored in a memory.
    Type: Application
    Filed: May 29, 2007
    Publication date: December 6, 2007
    Inventors: Minoru Nishizawa, Hidehisa Takamizawa, Yoshihiro Fujii, Koji Okada
  • Patent number: 7305701
    Abstract: In accordance with certain aspects of the present invention, improved methods and arrangements are provided that improve access control within a computer. The methods and arrangements specifically identify the authentication mechanism/mechanisms, and/or characteristics thereof, that were used in verifying that a user with a unique name is the actual user that the name implies, to subsequently operating security mechanisms. Thus, differentiating user requests based on this additional information provides additional control.
    Type: Grant
    Filed: April 30, 2001
    Date of Patent: December 4, 2007
    Assignee: Microsoft Corporation
    Inventors: John E. Brezak, Peter T. Brundrett, Richard B. Ward
  • Patent number: 7305566
    Abstract: An output system having a data processor and a printer or other output device for outputting data in a specific format, which is sent from the data processor, on which is installed driver software for controlling the output device. When data is sent to the output device, it is determined whether the data of the output request passed through the driver software. Data is prohibited from being sent to the output device for output requests whose data bypasses the driver software.
    Type: Grant
    Filed: January 4, 2001
    Date of Patent: December 4, 2007
    Assignee: Minolta Co., Ltd.
    Inventor: Kenji Masaki
  • Publication number: 20070277232
    Abstract: The present invention provides an Internet Key Exchange (IKE) daemon self-adjusting negotiation throttle for minimizing retransmission processing during Security Association (SA) negotiation requests. A method in accordance with an embodiment of the present invention includes: receiving a request for a new negotiation to be performed by a negotiation system; determining if the negotiation system is in congestion; and if the negotiation system is determined to be in congestion: determining if a token is available in a token bucket; and if a token is available in the token bucket, removing the token from the token bucket; and performing the new negotiation.
    Type: Application
    Filed: May 25, 2006
    Publication date: November 29, 2007
    Inventors: Jeffrey B. Cates, Wuchieh J. Jong, Scott C. Moonen, Keith J. Welter