Management Patents (Class 726/6)
-
Patent number: 7302581
Abstract: A drive preserves a default input password. When there is no password input from the user, the default input password is regarded as a user input password and is compared and collated with a password for access protection, thereby controlling the access protection. In this instance, if the default input password and the password for access protection have the same value, a collation coincidence is obtained. The drive permits the access without needing a password input of the user.
Type: Grant
Filed: July 1, 2005
Date of Patent: November 27, 2007
Assignee: Fujitsu Limited
Inventors: Kenichi Utsumi, Yoshiaki Uchida, Hiroyuki Kobayashi
-
Patent number: 7299489
Abstract: A method and apparatus for analyzing the perimeter security of communications networks. More particularly, information is identified which defines a particular communications network, e.g., an intranet, and identifying the connected hosts thereto. Utilizing such information, a determination is made with respect to identifying the routes that define the network. Utilizing the routing information, the connectivity of the hosts within the network, e.g., an intranet, is probed to ascertain the integrity of the network and thereby identifying potential security risks across the perimeter defense of the network.
Type: Grant
Filed: May 25, 2000
Date of Patent: November 20, 2007
Assignee: Lucent Technologies Inc.
Inventors: Steven Branigan, Hal Joseph Burch, William R. Cheswick
-
Publication number: 20070266425
Abstract: A method and terminal for enabling a login, and a method for establishing a session with a specific object, are discussed. According to an embodiment, the method includes: if a first client logs in to the service server using user authentication information and then a second client requests a login to the service server, checking whether the first client is logged out from the service server; and if the checking step indicates that the first client is logged out from the service server, enabling the second client to be logged in to the service server.
Type: Application
Filed: May 14, 2007
Publication date: November 15, 2007
Inventor: Eunjung Cho
-
Publication number: 20070261109
Abstract: An authentication or security system can provide multiple categories to user (e.g., a young user), where at least one of the categories does not relate to an experience to be recalled by the user, but relates to one or more fictional stories, fictional narratives, historical stories, fictional locations, fictional constructs, fictional characters (e.g. avatars) etc., and the user selects a category and answers several questions to personalize the story/construct/etc. Received data for this personalization is then stored in an authorization profile that is later used to authenticate the user. Other features and aspects are also disclosed.
Type: Application
Filed: March 29, 2007
Publication date: November 8, 2007
Inventors: Martin Renaud, Reh Mulji
-
Patent number: 7293283
Abstract: Multiple different credentials and/or signatures based on different credentials may be included in a header portion of a single electronic message. Different recipients of intermediary computing systems may use the different credentials/signatures to identify the signer. The electronic message may include an encoding algorithm and a type identification of a credential included in the electronic message, allowing the recipient to decode and process the credential as appropriate given the type of credential. Also, the electronic message may include a pointer that references a credential associated with a signature included in the electronic message. That referenced credential may be accessed from the same electronic message, or from some other location. The recipient may then compare the references credential from the credentials used to generate the signature. If a match occurs, the integrity of the electronic message has more likely been preserved.
Type: Grant
Filed: August 14, 2002
Date of Patent: November 6, 2007
Assignee: Microsoft Corporation
Inventors: Christopher G. Kaler, Giovanni M. Della-Libera, John P. Shewchuk
-
Patent number: 7293292
Abstract: A method and system of selectively and securely enabling an added or premium functionality in a printer can be created by transmitting or inputting to the printer an electronic key correlated to the unique serial number stored in that printer. In this way, the key used to activate an added or premium functionality in a particular printer cannot be used to activate the same functionality in any other printer. This prevents the unauthorized activation of added or premium functions in other printers.
Type: Grant
Filed: September 19, 2001
Date of Patent: November 6, 2007
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Stephen L. Testardi, Joseph Savola, Virginia K. Capps
-
Patent number: 7293291
Abstract: A system and method for detecting an idle or inactive data port connection on a personal computer (PC) and blocking external access, e.g., Wide Area Network (WAN) access to an end-user PC is presented. The system provides for added security for unattended PCs having broadband connections. The idle time period for detection/blocking logic initiation of a blocking signal to disable communications, e.g., Ethernet port access to the PC, may be for a fixed time period or may be determined by a user of the end-user PC.
Type: Grant
Filed: July 18, 2003
Date of Patent: November 6, 2007
Assignee: SBC Knowledge Ventures, L.P.
Inventors: Brian Gonsalves, Kenneth Roger Jones
-
Publication number: 20070255959
Abstract: A communication apparatus having a public key authentication function and a communication method thereof are disclosed. The communication apparatus includes a calculating unit to calculate a first user authentication data for authenticating public information, and a transmitting and receiving unit to transmit the calculated first user authentication data and the public information to be authenticated, and to transmit a password in a form in which a user characteristic input for authenticating the public information is reflected. Accordingly, if the parties to a communication unexpectedly request mutual authentication under an IP-based communication environment, the apparatus can safely authenticate the public information with a use of a user characteristic sensing channel.
Type: Application
Filed: January 5, 2007
Publication date: November 1, 2007
Inventors: Bae-Eun Jung, Hee-Jean Kim
-
Patent number: 7290278
Abstract: An identity based service system is provided, in which an identity is created and managed for a user or principal, such that at least a portion of the identity is available to use between one or more system entities. A discovery service enables a system entity to discover a service descriptor, given a service name and a name identifier of the user, whereby system entities can find and invoke the user's other personal web services. The discovery service preferably provides a translation between a plurality of namespaces, to prevent linkable identity information over time between system entities.
Type: Grant
Filed: October 2, 2003
Date of Patent: October 30, 2007
Assignee: AOL LLC, a Delaware limited liability company
Inventors: Conor P. Cahill, David Eli Wexelblat, Norihiro Edwin Aoki, Jeromy Carriere, James Roskind, Christopher Newell Toomey
-
Patent number: 7290142
Abstract: A system and method for initializing a SNMP agent in SNMPv3 mode. In one aspect of the invention, a method is provided that allows an operator to securely enter the initial SNMPv3 privacy and authentication keys into a SNMPv3 device and cause the device to enter in SNMPv3 mode. The SNMP manager and SNMP agent both generate an associated random number and public value. The SNMP manager passes its public value to the SNMP agent in a configuration file, which causes a proprietary MIB element in the SNMPv3 device to be set with the public value of the SNMP manager. The SNMP manager reads the public value of the SNMP agent through a SNMP request using an initial valid user having access to the public value of the SNMP agent. The SNMP agent and SNMP manager each independently compute a shared secret using the Diffie-Hellman key exchange protocol.
Type: Grant
Filed: September 22, 2000
Date of Patent: October 30, 2007
Assignee: Thomas Licensing
Inventor: William Henry Yost
-
Patent number: 7284265
Abstract: System and method for authorizing access to an entity by a user, by binding an access control list to each entity; specifying for the user a set of user privileges; intersecting the access control list and set of user privileges in a compiled ACL table; incrementally refreshing the compiled ACL table responsive to run time modification of relevant tables containing the access control list and set of user privileges; and referencing the compiled access control list to authorize a user request to access an entity.
Type: Grant
Filed: April 23, 2002
Date of Patent: October 16, 2007
Assignee: International Business Machines Corporation
Inventors: David Mun-Hien Choy, Tawei Hu, Jy-Jine James Lin, Yuping Wang, Alan Tsu-I Yaung
-
Patent number: 7281130
Abstract: Various systems, methods, and programs are provided that facilitate access to a secure application. In one embodiment, a method is provided that includes encrypting at least one authentication sequence in a computer system using a network identifier as an encryption key, and storing the encrypted at least one authentication sequence in a memory accessible to the computer system. Next, the encrypted at least one authentication sequence is decrypted using a second network identifier as a decryption key, the second network identifier is procured after storing the encrypted at least one authentication sequence. Thereafter, an expedited login task is performed to access the application with the at least one authentication sequence if the decryption of the at least one authentication sequence is successful.
Type: Grant
Filed: July 30, 2003
Date of Patent: October 9, 2007
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Bruce L. Johnson, Bradley J. Anderson, Leonard T. Schroath, William I. Herrmann
-
Patent number: 7281068
Abstract: A disk management server (“DMS”), to manage a remote storage device; a wireless communication network; and a mobile computer create a system for secure remote booting of a mobile computer's operating system. To facilitate access to remote boot code, a multiple connection disk management server utilizes a trusted connection to negotiate communication security and an untrusted connection for transferring data once communication security has been established. The trusted connection is established through a physically securable interface, such as a wired network or line-of-site wireless network, e.g., infrared. Successful negotiation of communication security produces a security key that can be utilized to secure information exchange over the untrusted network. The untrusted connection may utilize any standard wireless communication protocol such as IEEE 802.11b.
Type: Grant
Filed: July 15, 2004
Date of Patent: October 9, 2007
Assignee: International Business Machines Corporation
Inventors: Mark C. Davis, Matthew J. Kalos, Richard V. Kisley
-
Patent number: 7278160
Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations”—are presented to a user or administrator.
Type: Grant
Filed: August 16, 2001
Date of Patent: October 2, 2007
Assignee: International Business Machines Corporation
Inventors: Steven Black, Herve Debar, John Michael Garrison
-
Patent number: 7275258
Abstract: An apparatus and method for multi-threaded password management are provided. With the apparatus and method, resources may be grouped into families of resources. A family of resources is defined as a group of resources that may make use of the same password. When a user sets a new password for a family of resources, all of the passwords for each of the resources in the family are reset to this new password. That is, the multi-threaded password management apparatus and method spawns threads to reset the passwords of the other resources in the family. In this way, a single operation of resetting a password for a resource in the family may cause a plurality of passwords to be reset. Moreover, the passwords need only be reset when the earliest reset time of the resources in the family occurs. Thus, the number of passwords that must be memorized by a user is significantly reduced. Furthermore, the number of times that passwords need be reset is also reduced due to the resetting of passwords on a group level.
Type: Grant
Filed: July 19, 2001
Date of Patent: September 25, 2007
Assignee: International Business Machines Corporation
Inventors: Reza Arbab, Rene Ruben Martinez, Daniel Paul McNichol, Jessica Kelley Murillo, Johnny Meng-Han Shieh
-
Patent number: 7272727
Abstract: An apparatus, system, and method enable a new platform storage system to have access to an external storage system having data encrypted thereon by an existing platform storage system. Encryption information corresponding to the encrypted data in the external storage system is stored in a memory in the existing platform storage system. The encryption information stored in the memory of the existing platform storage system is transferred to an encryption table stored in the new platform storage system, so that the new platform storage system can read the encrypted data stored in the external storage system.
Type: Grant
Filed: April 18, 2005
Date of Patent: September 18, 2007
Assignee: Hitachi, Ltd.
Inventor: Yasuyuki Mimatsu
-
Patent number: 7269733
Abstract: Conventional archive and retrieval systems inadequately identify the archival data with sufficient granularity to associate data items with retrieval performance, and do not define a recourse following loss of archived data. A method for file archiving, identification, and failure recourse facilitates successive disposition by generating an authenticated receipt of files transferred for storage via an authentication instrument that is verifiable towards both the data stored and a corresponding agreement. The authenticated receipt provides nonrepudiation assurances about the content of the file and the contractual terms under which the file was stored via an authenticating signature of the archive storage server which associates the file content with the contractual terms.
Type: Grant
Filed: April 10, 2003
Date of Patent: September 11, 2007
Assignee: Cisco Technology, Inc.
Inventor: James W. O'Toole, Jr.
-
Patent number: 7269260
Abstract: In a communication system, a first wireless communication apparatuses belonging to a communication group receives a connection request frame including a notifying security level from a second communication apparatus outside of the communication group. The first communication apparatus stores a reference security level peculiar to the communication group, which is selected from security levels depending on one of encryption methods including non-encryption and encryption strengths. In the first communication apparatus, the notifying security level is compared with the reference level, and a response frame including one of a connect rejection and a connection permission is described, is generated and transferred to the second communication apparatus. The connect rejection represents a rejection of connection to the second communication apparatus and the connection permission represents a permission of connection to the second communication apparatus.
Type: Grant
Filed: December 24, 2002
Date of Patent: September 11, 2007
Assignee: Kabushiki Kaisha Toshiba
Inventors: Tomoko Adachi, Kiyoshi Toshimitsu
-
Publication number: 20070209066
Abstract: A method and system for a vendor-neutral method of integrating single sign on functionality with the features of a robust identity management application in a cost effective, reliable and timely manner is disclosed. A user accesses the system through a commercially-available single sign on application. When a user requests to be logged in to one or more applications, the request is not sent to a custom business logic layer as known in the art but, instead, is directed to an intermediary application which takes action depending on the nature of the user's login information. The intermediary application serves as the interface between the single sign on application and the identity management system. The intermediary application contains a work flow or business process engine and a method for mapping the business logic. Information flows seamlessly between the single sign on application and the identity management system without regard to either products' platform or vendor.
Type: Application
Filed: March 3, 2006
Publication date: September 6, 2007
Inventor: Christopher Randolph Timmerman
-
Patent number: 7266838
Abstract: Preventing replay attacks without user involvement. A method according to one embodiment of the invention includes recording a serial number that was verified following a previous request to access a resource, and later receiving a request to access the resource. A serial number is acquired from the source of the request and then updated by increasing its value. The updated serial number is verified by comparing it with the recorded serial number, and access to the resource is granted only if the value of the updated serial number exceeds the value of the recorded serial number.
Type: Grant
Filed: October 31, 2002
Date of Patent: September 4, 2007
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Ward Scott Foster, Robert John Madril, Jr., Shell Sterling Simpson
-
Patent number: 7263718
Abstract: An inventive security framework for supporting kernel-based hypervisors within a computer system. The security framework includes a security master, one or more security modules and a security manager, wherein the security master and security modules execute in kernel space.
Type: Grant
Filed: December 2, 2003
Date of Patent: August 28, 2007
Assignee: Secure Computing Corporation
Inventors: Richard O'Brien, Raymond Lu, Terrence Mitchem, Spencer Minear
-
Patent number: 7263612
Abstract: In order to prevent illegal data tampering or leakage of information caused by devices connected to a system such as a conference system and save time and trouble in setting functional restrictions separately from an application, an access point uses authentication information for authenticating electronic devices operated by participants who participate in a conference also as the information to decide functional restrictions on the electronic devices during the conference.
Type: Grant
Filed: August 13, 2003
Date of Patent: August 28, 2007
Assignee: Canon Kabushiki Kaisha
Inventors: Shinichi Yamazaki, Toshihiko Myojo
-
Patent number: 7260215
Abstract: A method and apparatus for secure distribution of information over a network, comprising: encrypting payload information using a first encryption key in a first data processor; sending the payload information encrypted using the first encryption key to a second data processor; encrypting the payload information encrypted using the first encryption key using a second encryption key in the second data processor; and sending the payload information encrypted using the first encryption key and the second encryption key to a third data processor, and generating a decryption key based on the first encryption key and on the second encryption key, such that the decryption key is operable to compute the payload information by decrypting the payload information encrypted using the first encryption key and the second encryption key.
Type: Grant
Filed: September 4, 2002
Date of Patent: August 21, 2007
Assignee: PortAuthority Technologies Inc.
Inventors: Lidror Troyansky, Ofir Carny
-
Patent number: 7260726
Abstract: An apparatus to enable operation of a computer by authorized users when in a secure mode of operation is provided. One exemplary apparatus includes a hub configured to be in communication with the computer. The hub includes a card reader, a card microprocessor and an encryption engine. The apparatus also includes a card configured for insertion into the card reader. The card includes a card microprocessor. In addition, the apparatus includes a user authentication device configured to validate the user as an authorized user of the card. If the user is validated as the authorized user, then the card microprocessor passes a key to the hub microprocessor in response to the validation of the user as the authorized user of the card. The encryption engine of the hub is then activated to operate in a secure mode of operation.
Type: Grant
Filed: December 6, 2001
Date of Patent: August 21, 2007
Assignee: Adaptec, Inc.
Inventors: Kin Doe, Leigh Perona, Francis L. Nguyen
-
Patent number: 7260721
Abstract: A client receives encrypted content from content server. The header of the content includes license-identifying information for identifying a license required to utilize the content. The client requests a license server to transmit the license identified by the license-identifying information. When receiving the request for a license, the license server carries out a charging process before transmitting the license to the client. The client stores the license received from the license server. The stored license serves as a condition for encrypting and playing back the content. As a result, content can be distributed with a high degree of freedom and only an authorized user is capable of utilizing the content.
Type: Grant
Filed: February 8, 2002
Date of Patent: August 21, 2007
Assignee: Sony Corporation
Inventors: Koichi Tanaka, Itaru Kawakami, Yoshisuke Kuroda, Ryuji Ishiguro
-
Patent number: 7260838
Abstract: Method, instructions and system for establishing and enforcing change password policy in a single sign-on environment. In response to receiving a change instruction identifying a first single sign-on password, the first single sign-on password is changed to create a second single sign-on password. Then a target password is retrieved. The target password is modified in a user selected manner to match the second single sign-on password to create a modified target password. The modified target password is stored. In response to a request from a user requesting access to an application, the modified target password is retrieved and the modified target password is provided to the requested application.
Type: Grant
Filed: December 18, 2000
Date of Patent: August 21, 2007
Assignee: International Business Machines Corporation
Inventors: Robert Delee Bones, Richard Jay Cohen, Paul Kallfelz
-
Publication number: 20070192837
Abstract: A method of using digital rights management (DRM) content while roaming is provided. The method includes issuing disposable authentication information to a mobile device; receiving a request for remote authentication along with the authentication information from an unauthorized device included in a remote domain; transmitting a query for the remote authentication to the unauthorized device; receiving a response to the query; and transmitting data approving authentication of the unauthorized device to the unauthorized device.
Type: Application
Filed: January 18, 2007
Publication date: August 16, 2007
Applicant: SAMSUNG ELECTRONICS CO., LTD.
Inventors: Jae-won Lee, Seung-chul Chae, Kyung-im Jung, Young-suk Jang
-
Patent number: 7257834
Abstract: The present disclosure is a method for bridging requests for access to resources between requestors in a distributed network and an authenticator servicing the distributed network. The bridging mechanism has security features including a naming service for machine authentication and machine process rules to authorize what process machines can perform. The security proxy bridge intercepts an access request, and checks the IP address for machine authentication as well as the machine process rules and if both verifications are successful, the bridge then forwards the request for access to the authenticator. The security proxy framework utilizes a data structure that provides a method for storing selected security information stored as data records supporting an authentication and authorization system for users to access resources on multiple components of a distributed network supporting multiple business units of an enterprise.
Type: Grant
Filed: October 31, 2002
Date of Patent: August 14, 2007
Assignee: Sprint Communications Company L.P.
Inventors: Ken Boydstun, Bharath Kuruvalli, Bala Balasubramanian, Steve Marshall
-
Patent number: 7257839
Abstract: An ID is being calculated in a manner distributed among devices of the user's personal area network (PAN). The devices communicate in a wireless manner. A server runs a simulation of the PAN. If the server and the PAN calculate matching results, it is assumed that the user's ID is correct for purposes of conditional access. The distribution of the calculation of the ID among the user's PAN devices and its, for practical purposes, stochastic nature render the system very hard to hack.
Type: Grant
Filed: September 18, 2001
Date of Patent: August 14, 2007
Assignee: NXP B.V.
Inventors: Vladimir R. Pisarsky, Yevgeniy Eugene Shteyn
-
Patent number: 7254831
Abstract: In the present invention, when one open or running software application having secured features enters an access signed-in or logged-in state, other open or running software applications having secured features enter a ready signed-in state automatically, without prompting user intervention. The same operation that signed-in or logged-in the initial software application will transition other software applications that are presently open, active to run, or that start in run mode to a ready signed-in state. The access signed-in state fully authenticates the user's identity and grants access to secured features. The ready signed-in state places the software application in a state of readiness to authenticate and access secured features without prompting user intervention. One feature of the present invention is the sharing of a sign-in or login credential (e.g.
Type: Grant
Filed: December 4, 2002
Date of Patent: August 7, 2007
Assignee: Microsoft Corporation
Inventors: Stillman T. Saunders, Ignacio Ariel Coloma, Vishal Gupta
-
Patent number: 7254237
Abstract: A system and method initiates secure sessions without occupying a process on the server until the premaster key is received from the client.
Type: Grant
Filed: January 7, 2002
Date of Patent: August 7, 2007
Assignee: SLT Logic, LLC
Inventors: Van Jacobson, Kedar Poduri
-
Patent number: 7254711
Abstract: A certificate authority for certifying the validity of the collation result from a user terminal is placed on a communication network. The user terminal identifies a user himself or herself by collation by using biometrical information of the user. In response to notification of the collation result from the user terminal across the communication network, a service providing apparatus requests across the communication network the certificate authority to certify the validity of the collation result. When a certificate which certifies the validity of the collation result is notified from the certificate authority across the communication network, the service providing apparatus provides a predetermined service to the user.
Type: Grant
Filed: April 4, 2002
Date of Patent: August 7, 2007
Assignee: Nippon Telegraph and Telephone Corporation
Inventors: Satoshi Shigematsu, Mamoru Nakanishi, Hiroki Suto
-
Patent number: 7251826
Abstract: A system and method that facilitates entities acting as agents to manage plural domains for plural registrants includes a domain manager capable of direct attachment to the shared registry system. The domain manager resides on a server of an accredited registrar or on a server of a partner website that has made a server of an accredited registrar authoritative for at least plural domain names. A variety of DNS or zone file information can be altered using simple graphical user interfaces to enter change information and pass that change information to the domain manager server. The domain manager server passes the change information to the DNS servers either directly through the SRS or through an accredited server that passes the change information through the SRS and to the root servers. Most preferably, the domain manager has substantially direct access to the shared registry system, which asynchronously updates the DNS servers.
Type: Grant
Filed: June 5, 2000
Date of Patent: July 31, 2007
Assignee: Register.Com, Inc.
Inventors: Robert D. Gardos, Adam D. Burstein, Shamoun Murtza, Chia Hsian-Yeh, Anupama Vajjalla
-
Patent number: 7249374
Abstract: A method and apparatus for selectively enforcing network security policy using group identifiers are disclosed. One or more access controls are created and stored in a policy enforcement point that controls access to the network, wherein each of the access controls specifies that a named group is allowed access to a particular resource. A binding of a network address to an authenticated user of a client, for which the policy enforcement point controls access to the network, is created and stored. The named group is updated to include the network address of the authenticated user at the policy enforcement point. A packet flow originating from the network address is permitted to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network.
Type: Grant
Filed: January 22, 2001
Date of Patent: July 24, 2007
Assignee: Cisco Technology, Inc.
Inventors: Eliot Lear, Christopher M. Lonvick
-
Patent number: 7246372
Abstract: In a computer resource assignment apparatus, a registration request processing section assigns a computer resource to a user in response to a temporary registration request from the user. A computer resource management section manages the computer resource assigned to the user of the temporary registration request by unit of each user.
Type: Grant
Filed: December 23, 2002
Date of Patent: July 17, 2007
Assignee: Kabushiki Kaisha Toshiba
Inventors: Toshiya Takahashi, Tetsuro Kimura, Tetsuro Muranaga
-
Patent number: 7243369
Abstract: In an enterprise server environment having a uniform resource locator (URL) access management and control system. The server includes a user authentication logic to authenticate users attempting to connect to the server to access URL file and directories residing in the server. In one embodiment of the present invention, the user is provided with an identification token and a user URL access policy which allows the user's credentials to be validated and permitted access to a list of URLs in the directory server. In one embodiment of the present invention, a URL access enforcement logic uses the user's URL access policy to determine which URLs in the directory server a user may or may not access. The user's URL access policy may include an access deny or an access allow value which respectively denies or allows the user access to particular URL.
Type: Grant
Filed: April 22, 2002
Date of Patent: July 10, 2007
Assignee: Sun Microsystems, Inc.
Inventors: Shivaram Bhat, James F. Nelson
-
Publication number: 20070157292
Abstract: A system, method, and computer-readable medium for enabling a user account in a network system are provided.
Type: Application
Filed: August 17, 2006
Publication date: July 5, 2007
Applicant: NETIQ CORPORATION
Inventors: Tim L. Danner, David F. Perdue, Patrick Lee McClendon, Mark A. Lauritsen, Kevin Gross, Kim S. Tor
-
Patent number: 7240364
Abstract: The present invention provides a method and apparatus for authenticating the identities of network devices within a telecommunications network. In particular, multiple identifiers associated with a network device are retrieved from and used to identify the network device. Use of multiple identifiers provides fault tolerance and supports full modularity of hardware within a network device. Authenticating the identity of a network device through multiple identifiers allows for the possibility that hardware associated with one or more of the identifiers may be removed from the network device. For example, a network device may still be automatically authenticated even if more than one card within the device are removed as long as at least one card corresponding to an identifier being used for authentication is within the device during authentication.
Type: Grant
Filed: November 9, 2000
Date of Patent: July 3, 2007
Assignee: Ciena Corporation
Inventors: Brian Branscomb, Darryl Black, James R Perry
-
Patent number: 7240367
Abstract: A password system and a method for authenticating a user of such a password system are disclosed. The present invention provides a novel method for inputting a password which is capable of preventing a password from being revealed to others observing the course of inputting the password, and an improved password system which is capable of providing a user interface suitable to such a method for inputting a password. The user interface provides at least two symbol boards, and symbols arranged on the two symbol boards are matched by means of matching means provided to a user. At this time, the symbols matched for inputting the password and other different false symbols disguised as the symbols matched for inputting the password are matched simultaneously, whereby it is not possible for an observer to distinguish which of the symbol matching is the one for inputting the password.
Type: Grant
Filed: March 18, 2003
Date of Patent: July 3, 2007
Assignees: Shinbitech Co., Ltd.
Inventor: Seoung-Bae Park
-
Patent number: 7240199
Abstract: A server receives a message from a sender and transmits the message to a recipient. The server normally transmits the message in a first path to the recipient. When the sender indicates at a particular position in the message that the message is registered, the server transmits the message in a second path to the recipient. The sender can also provide additional indications in the message to have the server handle the message in other special ways not normally provided by the server. After learning from the recipient or the recipient's agent that the message was successfully received, the server creates, and forwards to the sender, an electronic receipt. The receipt includes at least one, and preferably all, of the message and any attachments, a delivery success/failure table listing the receipts, and the receipt times, of the message by the recipient's specific agents, and the failure of other agents of the recipient to receive the message and an encrypted hash of the message and attachments subsequently.
Type: Grant
Filed: February 22, 2002
Date of Patent: July 3, 2007
Assignee: Rpost International Limited
Inventor: Terrence A. Tomkow
-
Patent number: 7237123
Abstract: Theft, distribution, and piracy of digital content (software, video, audio, e-books, any content of any kind that is digitally stored and distributed) is generally accomplished by copying it, if possible, or, if it is protected from being copied in any fashion, such piracy is based upon a number of reverse engineering techniques. Aside from the straightforward copying of unprotected content, all of these other methods require first an understanding of the protective mechanism(s) guarding the content, and finally an unauthorized modification of that protection in order to disable or subvert it. Methods that prevent a skilled individual from using reverse engineering tools and techniques to attain that level of understanding and/or prevent anyone from performing such modifications can offer significant advantages to content creators who wish to protect their products.
Type: Grant
Filed: November 20, 2001
Date of Patent: June 26, 2007
Assignee: ECD Systems, Inc.
Inventors: Richard B. LeVine, Andrew R. Lee, Daniel G. Howard, Daniel M. Goldman, John J. Hart, III
-
Patent number: 7231668
Abstract: A method, apparatus, and article of manufacture for maintaining policy compliance on a computer network is provided. The method provides the steps of electronically monitoring network user compliance with a network security policy stored in a database, electronically evaluating network security policy compliance based on network user compliance, and electronically undertaking a network policy compliance action in response to network security policy compliance.
Type: Grant
Filed: March 31, 2004
Date of Patent: June 12, 2007
Assignee: MacArthur Investments, LLC
Inventor: Andrea M. Jacobson
-
Patent number: 7231659
Abstract: Apparati, methods, and computer readable media for authenticating an entity (9) in a shared hosting computer network (4) environment. A service provider computer (2) contains a plurality of entity sites (5). Connected to the service provider computer (2), a trusted third party computer (1) is adapted to provide a conglomerated authenticity certification to the service provider computer (2). Coupled to the trusted third party computer (1) is a means (10) for enabling an entity (9) to seek to convert the conglomerated authenticity certification into an individualized authenticity certification covering that entity's site (5).
Type: Grant
Filed: February 8, 2002
Date of Patent: June 12, 2007
Assignee: Verisign, Inc.
Inventors: Kevin Trilli, Ben Golub, Owen Cheung, Wentsung Hsiao
-
Patent number: 7228430
Abstract: A security system for preventing unauthorized use of a computer device. An extractable security piece includes an extractable main private key and a main PC public key. A PC security area which is a non-extractable part of the computer device includes a PC private key and an extractable main public key, which, together with the keys of the extractable security piece, constitute a Public Key Infrastructure. The extractable security piece and the PC security area include processing means for mutual authentication of the extractable security piece and the PC security area after the extractable security piece, which had been previously removed, has been reinserted in the computer device, thereby enabling the authorized user to access data stored in the computer device.
Type: Grant
Filed: January 11, 2002
Date of Patent: June 5, 2007
Assignee: Lenovo Singapore Pte. Ltd
Inventors: Alain Benayoun, Jacques Fieschi, Jean-Francois Le Pennec, Pascal Roy
-
Patent number: 7225462
Abstract: Embodiments of the present invention relate to systems and methods for managing information concerning users of a network web site. The system includes a web server for providing access to various network resources, such as web pages and applications and an applications server coupled to the web server for running two or more protected applications, to which access is restricted to authorized users. The system also includes a customer profile and registration application for receiving user login information and authenticating users and providing single sign-on capability. The system further includes a user directory server for centrally managing information concerning users, a first database for storing user credentials and a second database for storing user profile information. User profile information and user credentials can be added, modified, deleted or retrieved by operations carried out within at least one of said applications.
Type: Grant
Filed: June 26, 2002
Date of Patent: May 29, 2007
Assignee: Bellsouth Intellectual Property Corporation
Inventors: Michael S. Bass, Mark A. Kirpatrick, Andre D. Jarboe, Darin Morrow, Steven Thobe
-
Patent number: 7222364
Abstract: Encrypted music information or the like and encryption processing information itself employed for the encrypting is transmitted from a set top box (BX) to a recorder (R) via a serial bus (B) after decoded, and the music information or the like is recorded in a DVD-R (1). Upon this recording, the music information encoded by employing an asynchronous transmission region in the IEEE 1394 standard that is a standard with which the serial bus (B) conforms is transmitted at a high speed. On the other hand, encode processing information encoded by employing an isochronous transmission region in the IEEE 1394 standard is transmitted at a 1-fold speed.
Type: Grant
Filed: September 4, 2001
Date of Patent: May 22, 2007
Assignee: Pioneer Corporation
Inventors: Kazuo Kuroda, Yoshiaki Moriyama, Takashi Hashimoto, Akihiko Naito
-
Patent number: 7216361
Abstract: An adaptive multi-tier authentication system provides secondary tiers of authentication which are used only when the user attempts a connection from a new environment. The invention accepts user input such as login attempts and responses to the system's questions. User login information such as IP address, originating phone number, or cookies on the user's machine are obtained for evaluation. User/usage profiles are kept for each user and the user login information is compared to the information from the user/usage profile for the specific user which contains all of the user information that the user used to establish the account and also the usage profile detailing the user's access patterns. The trust level of the current user login location is calculated and the invention determines if any additional questions to the user are required. If the trust level is high, then the user is granted access to the system.
Type: Grant
Filed: May 19, 2000
Date of Patent: May 8, 2007
Assignee: AOL LLC, a Delaware limited liability company
Inventors: Jim Roskind, Rory Ward
-
Patent number: 7210166
Abstract: A method, system, and program product for enabling administrative recovery of a user's lost/forgotten boot-up passwords without compromising the administrative/master password(s). A restricted-use password is dynamically generated from a first hash of a random number generated on a client system and a secret retrieved from a secure device associated with the client system. The restricted-use password operates as a master password but is not the administrative password of the client system. Once the password is generated, it is provided to the user/client system to enable user access to said client system and hardfile and reset of the user passwords.
Type: Grant
Filed: October 16, 2004
Date of Patent: April 24, 2007
Assignee: Lenovo (Singapore) Pte. Ltd.
Inventors: Mark Charles Davis, Randall Scott Springfield
-
Patent number: 7210167
Abstract: Described herein is an implementation of a technology for managing credentials. With an implementation, a credential manager is domain-authentication aware and concurrent authentications with multiple independent networks (e.g., domains) may be established and maintained. Moreover, a credential manager provides a credential model retrofit for legacy applications that only understand the password model. The manager provides a mechanism where the application is only a “blind courier” of credentials between the trusted part of the OS to the network and/or network resource. The manager fully insulates the application from “read” access to the credentials. This abstract itself is not intended to limit the scope of this patent. The scope of the present invention is pointed out in the appending claims.
Type: Grant
Filed: January 8, 2001
Date of Patent: April 24, 2007
Assignee: Microsoft Corporation
Inventors: John E. Brezak, Clifford P. Van Dyke, John M. Hawkins, Klaus U. Schutz
-
Patent number: 7210165
Abstract: The present invention allows for a pre-licensing process for content that is subject to rights management in order to allow a principal access to the content when the principal does not have access to the rights management server. Rather than requiring the principal to submit a rights account certificate and request for a use license to the rights management server, the present invention allows the message server to obtain a use license on behalf of the principal. Accordingly, the principal can access the use license from the message server and decrypt protected content without having to request the use license from the rights management server.
Type: Grant
Filed: October 29, 2003
Date of Patent: April 24, 2007
Assignee: Microsoft Corporation
Inventors: John Gerard Speare, Malcolm H. Davis, Peter D. Waxman, Marco A. DeMello, Christopher F. Graham, Jason M. Cahill