Management Patents (Class 726/6)
-
Patent number: 7207064
Abstract: An evidence-based policy manager generates a permission grant set for a code assembly received from a resource location. The policy manager executes in a computer system (e.g., a Web client or server) in combination with the verification module and class loader of the run-time environment. The permission grant set generated for a code assembly is applied in the run-time call stack to help the system determine whether a given system operation by the code assembly is authorized. The policy manager may determine a subset of the permission grant set based on a subset of the received code assembly's evidence, in order to expedite processing of the code assembly. When the evidence subset does not yield the desired permission subset, the policy manager may then perform an evaluation of all evidence received.
Type: Grant
Filed: June 5, 2002
Date of Patent: April 17, 2007
Assignee: Microsoft Corporation
Inventors: Gregory D. Fee, Brian Pratt, Sebastian Lange, Loren Kohnfelder
-
Patent number: 7206933
Abstract: A computer system includes a peripheral device and a processing unit. The processing unit is adapted to execute a driver for interfacing with the peripheral device in a standard mode of operation and an authentication agent in a privileged mode of operation, wherein the authentication agent includes program instructions adapted to authenticate the driver. The peripheral device may comprise a communications device, such as a software modem. A method for identifying security violations in a computer system includes executing a driver in a standard processing mode of a processing unit; transitioning the processing unit into a privileged processing mode; and authenticating the driver in the privileged processing mode. The driver may be adapted for interfacing with a communications peripheral device, such as a software modem.
Type: Grant
Filed: July 9, 2001
Date of Patent: April 17, 2007
Assignee: Advanced Micro Devices, Inc.
Inventors: Geoffrey S. Strongin, David W. Smith, Brian C. Barnes, Terry L. Cole, Rodney Schmidt, Michael Barclay
-
Patent number: 7200864
Abstract: A system and method is described for controlling the password(s) of one or more programs through a universal program. The universal control program allows access to one or more other programs and allows editing of the passwords of the other programs directly through the universal access program.
Type: Grant
Filed: September 4, 2002
Date of Patent: April 3, 2007
Assignee: BellSouth Intellectual Property Corp.
Inventor: John B. Hollingsworth
-
Patent number: 7197768
Abstract: A communications system includes a physical layer hardware unit and a processing unit. The physical layer hardware unit is adapted to communicate data over a communications channel. The physical layer hardware unit is adapted to receive unencrypted control codes and encrypted user data over the communications channel and transmit an upstream data signal over the communications channel based on the control codes. The processing unit is adapted to execute a software driver for interfacing with the physical layer hardware unit. The software driver includes program instructions for implementing a protocol layer to decrypt the user data and provide the upstream data to the physical layer hardware unit. A method for configuring a transceiver includes receiving unencrypted control codes over a communications channel; receiving encrypted user data over the communications channel; and transmitting an upstream signal over the communications channel based on transmission assignments defined by the control codes.
Type: Grant
Filed: July 9, 2001
Date of Patent: March 27, 2007
Assignee: Advanced Micro Devices, Inc.
Inventors: Terry L. Cole, David W. Smith, Rodney Schmidt, Geoffrey S. Strongin, Brian C. Barnes, Michael Barclay
-
Patent number: 7197764
Abstract: Described are systems and methods used for the administration of access control to numerous resources and objects. An administrator may control access to resources and objects in accordance with defined rules using an "object-centric" view. A template may be used for creating and managing access policies to large numbers of resources. The template may use parameters to define instances of a template. Parameters may be used to define variations of the template. Access privileges of a resource may be inherited in accordance with a hierarchy.
Type: Grant
Filed: July 1, 2002
Date of Patent: March 27, 2007
Assignee: Bea Systems Inc.
Inventor: Bruce Cichowlas
-
Patent number: 7194761
Abstract: Mechanisms and techniques provide a system that operates in a data communications device to provide automatic authentication of a client device to a server device. The mechanisms and techniques (i.e., the system) operate to detect a requirement for authentication of a request for data sent from a client device to a server device. In response to detecting the requirement for authentication, the system creates an authentication response. The authentication response contains authentication information required by the server device to allow the client device to access data via the server device. The system then automatically inserts the authentication response into the data communications session between the client device and the server device. The authentication response authenticates, to the server device, access to the data by the client device.
Type: Grant
Filed: January 22, 2002
Date of Patent: March 20, 2007
Assignee: Cisco Technology, Inc.
Inventor: Jean-Philippe Champagne
-
Patent number: 7194591
Abstract: A plurality of services are defined for one service memory field (overlap service), and a plurality of access methods, such as "only read" and "read/write", are set in the service memory field. When an overlap service is defined, a PIN code may be set to each service. For example, when two services "read" and "read/write" can be started corresponding to a service memory field, two PIN codes are set.
Type: Grant
Filed: March 26, 2004
Date of Patent: March 20, 2007
Assignee: Sony Corporation
Inventors: Toshiharu Takemura, Tadashi Morita, Fumio Kubono, Taro Kurita, Takuya Ichikawa
-
Patent number: 7194763
Abstract: A method is disclosed for determining the authentication capabilities of a supplicant before initiating an authentication conversation with a client, for example, using Extensible Authentication Protocol (EAP). In one aspect, the method provides for sending, to a supplicant that is requesting access to a computer network subject to authentication of a user of the supplicant, a list of first authentication methods that are supported by an authentication server; receiving, from the supplicant, a counter-list of second authentication methods that are supported by the supplicant; determining how many second authentication methods in the counter-list match the first authentication methods; and performing an authentication policy action based on how many of the second authentication methods match the first authentication methods. Policy actions can include blocking access, re-directing to sources of acceptable authentication methods, granting one of several levels of network access, etc.
Type: Grant
Filed: August 2, 2004
Date of Patent: March 20, 2007
Assignee: Cisco Technology, Inc.
Inventors: Darran Potter, Jeremy Stieglitz, Andrew Clymer
-
Patent number: 7191333
Abstract: Techniques for implementing a digital signature algorithm in electronic computer hardware include computing the multiplicative inverse of a particular integer modulo a prime modulus by computing a first quantity modulo the prime modulus. The first quantity substantially equals, modulo the prime modulus, the particular integer raised to a power of a second quantity. The second quantity is two less than the prime modulus. The techniques allow an integrated circuit block to compute a modulo multiplicative inverse, such as for signing and verifying digital signatures, using existing blocks of circuitry that consume considerably less area on a chip, and incur fewer developmental costs, than an implementation of an algorithm conventionally used in software.
Type: Grant
Filed: October 25, 2001
Date of Patent: March 13, 2007
Assignee: Cisco Technology, Inc.
Inventors: Mahesh S. Maddury, Kenneth J. Tomei
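The inverse described in this abstract is Fermat's little theorem in action: for prime p and a not divisible by p, a^(p-1) = 1 (mod p), so a^(p-2) is the inverse of a. The following is an added worked example, not code from the patent or its assignee. It computes the inverse both ways (Fermat exponentiation, as the abstract describes, and the extended Euclidean algorithm as a reference) and then shows where a DSA signer and verifier need that inverse (k^-1 when signing, s^-1 when verifying). The parameter set q = 1009, p = 10091 = 10q + 1, g = 2^((p-1)/q) mod p is a toy chosen for readability and is an assumption of this example only; it is far too small for real use.

```python
"""Modular inverse by Fermat exponentiation, and its use in DSA.

Added example, not the patent's code.  Toy DSA parameters (assumption of this
example): Q = 1009, P = 10091 = 10*Q + 1, G = 2^((P-1)/Q) mod P.
"""
import hashlib


def inverse_fermat(a: int, p: int) -> int:
    """Return a^-1 mod p for prime p as a^(p-2) mod p.

    This is the approach in the abstract: the inverse falls out of the
    modular-exponentiation block that a signature engine already has.
    """
    a %= p
    if a == 0:
        raise ValueError("0 has no inverse")
    return pow(a, p - 2, p)


def inverse_euclid(a: int, m: int) -> int:
    """Reference: a^-1 mod m by the extended Euclidean algorithm.

    Invariant: r_i == s_i * a (mod m) for each remainder r_i.
    (Python 3.8+ also offers pow(a, -1, m) for the same thing.)
    """
    r0, r1 = a % m, m
    s0, s1 = 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("no inverse: gcd != 1")
    return s0 % m


# Toy DSA domain parameters (assumption; see module docstring).
Q = 1009
P = 10091                       # prime, P - 1 = 10 * Q
G = pow(2, (P - 1) // Q, P)     # 1024; has order Q because Q is prime and G != 1


def hash_to_int(msg: bytes) -> int:
    """SHA-256 of the message reduced into Z_Q (toy; real DSA truncates to |q| bits)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def dsa_sign(msg: bytes, x: int, k: int) -> tuple:
    """Sign with private key x and per-message nonce k; k^-1 comes from Fermat."""
    if not 0 < k < Q:
        raise ValueError("nonce out of range")
    r = pow(G, k, P) % Q
    s = (inverse_fermat(k, Q) * (hash_to_int(msg) + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; retry with a fresh k")
    return r, s


def dsa_verify(msg: bytes, y: int, sig: tuple) -> bool:
    """Verify against public key y = G^x mod P; s^-1 again comes from Fermat."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = inverse_fermat(s, Q)
    u1 = (hash_to_int(msg) * w) % Q
    u2 = (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


def run_scenario(msg: bytes = b"constructed sample message", x: int = 123) -> dict:
    """Key, sign and verify once; skips any nonce that yields r == 0 or s == 0."""
    y = pow(G, x, P)
    for k in range(7, Q):           # deterministic nonce choice for the demo only;
        try:                        # a real signer must use unpredictable k
            sig = dsa_sign(msg, x, k)
            break
        except ValueError:
            continue
    return {"y": y, "k": k, "sig": sig, "verified": dsa_verify(msg, y, sig)}


if __name__ == "__main__":
    print("3^-1 mod 11:", inverse_fermat(3, 11), inverse_euclid(3, 11))
    print(run_scenario())
```

Both inverse routines must agree on every input; the test below checks that for a range of values, then checks that a signature produced with the Fermat inverse verifies.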
-
Patent number: 7188358
Abstract: An email access control scheme capable of resolving problems of the real email address and enabling a unique identification of the identity of the user while concealing the user identification is disclosed. A personalized access ticket containing a sender's identification and a recipient's identification in correspondence is to be presented by a sender who wishes to send an email to a recipient so as to specify the recipient as an intended destination of the email. Then, accesses between the sender and the recipient are controlled by verifying an access right of the sender with respect to the recipient according to the personalized access ticket at a secure communication service.
Type: Grant
Filed: March 26, 1999
Date of Patent: March 6, 2007
Assignee: Nippon Telegraph and Telephone Corporation
Inventors: Yusuke Hisada, Satoshi Ono, Haruhisa Ichikawa
-
Patent number: 7185364
Abstract: An access system provides identity management and/or access management services for a network. An application program interface for the access system enables an application without a web agent front end to read and use contents of an existing encrypted cookie to bypass authentication and proceed to authorization. A web agent is a component (usually software, but can be hardware or a combination of hardware and software) that plugs into (or otherwise integrates with) a web server (or equivalent) in order to participate in providing access services.
Type: Grant
Filed: March 21, 2001
Date of Patent: February 27, 2007
Assignee: Oracle International Corporation
Inventors: Charles W. Knouse, Minoo Gupta
-
Patent number: 7185363
Abstract: A first device is used to initiate and direct a rights-management transaction, such as content licensing, acquisition, or activation, on behalf of a second device. The first device may, for example, be a desktop computer, laptop computer, or electronic kiosk at a bricks-and-mortar store. The second device may, for example, be a handheld computer that is cradled to establish communicative connectivity with the first device. A user interacts with the first device to initiate a transaction on behalf of the second device. The first device then obtains the information from the second device that is necessary to perform the transaction on behalf of the second device, communicates with a server, and provides the result of the server communication to the second device. Thus, the first device acts as a proxy for the second device.
Type: Grant
Filed: October 4, 2002
Date of Patent: February 27, 2007
Assignee: Microsoft Corporation
Inventors: Attila Narin, Marco A. DeMello
-
Patent number: 7174569
Abstract: Methods and apparatuses are provided for limiting access, by users of a networked computer system, to networked services on the computer system. More specifically, the present invention facilitates limiting access by other users to a first user's credential that can be used to facilitate access to networked services. A method includes authenticating a user, determining a credential for that user, and generating a corresponding random secret. The credential is stored in memory that can only be accessed through execution of a local security authority (LSA). The random secret is written to a secret file that is readable and writeable only by the user. When the user initiates an application, a security library associated with the application reads the random secret from the secret file and passes the secret to the LSA. The LSA identifies the credential corresponding to that secret and returns a credential handle to the application client via the security library.
Type: Grant
Filed: March 1, 2004
Date of Patent: February 6, 2007
Assignee: Cisco Technology, Inc.
Inventor: Jonathan T. Trostle
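The security property in this abstract is indirection: the application never holds the credential, only a handle, and the only thing on disk is a random secret whose file mode keeps other users out. The following is an added example written for this page, not the patent's or Cisco's code. It models the scheme in a single process: a LocalSecurityAuthority class authenticates the user, keeps the credential in its own memory, creates the secret file with mode 0600 from the first instant (os.open with an explicit mode, so there is no window in which the file is world-readable), and hands applications an opaque handle that can only be used through the LSA. The class names, the constructed USER_DB, and the use of an HMAC as "using the credential" are assumptions of this example.

```python
"""Credential brokering through a local security authority (LSA).

Added example, not the patent's code.  LocalSecurityAuthority, SecurityLibrary
and USER_DB are illustrative assumptions; the "credential" is a random key and
"using" it means producing an HMAC over a request.
"""
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

# Constructed user database (assumption): username -> SHA-256 of password.
# A real system would use a slow, salted KDF; this is only for the demo.
USER_DB = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}


class LocalSecurityAuthority:
    """Holds credentials; applications only ever see secrets and handles."""

    def __init__(self, secret_dir: str):
        self.secret_dir = secret_dir
        self._cred_by_secret = {}   # random secret -> credential
        self._cred_by_handle = {}   # opaque handle -> credential

    def logon(self, user: str, password: str) -> str:
        """Authenticate, derive a credential, write the per-user secret file.

        Returns the secret file path; the credential itself never leaves here.
        """
        expected = USER_DB.get(user)
        given = hashlib.sha256(password.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, given):
            raise PermissionError("bad username or password")
        credential = secrets.token_bytes(32)      # stays inside the LSA
        secret = secrets.token_hex(32)            # what the user's session gets
        path = os.path.join(self.secret_dir, f"{user}.secret")
        # Create with 0600 atomically: no moment where the file is readable by others.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(secret)
        self._cred_by_secret[secret] = credential
        return path

    def open_credential(self, secret: str) -> str:
        """Exchange the random secret for a handle; the credential is not returned."""
        credential = self._cred_by_secret.get(secret)
        if credential is None:
            raise PermissionError("unknown secret")
        handle = secrets.token_hex(8)
        self._cred_by_handle[handle] = credential
        return handle

    def sign_request(self, handle: str, request: bytes) -> str:
        """Use the credential on the application's behalf, keyed by handle."""
        credential = self._cred_by_handle.get(handle)
        if credential is None:
            raise PermissionError("invalid handle")
        return hmac.new(credential, request, hashlib.sha256).hexdigest()


class SecurityLibrary:
    """The library linked into the application: reads the secret, talks to the LSA."""

    def __init__(self, lsa: LocalSecurityAuthority, secret_path: str):
        self.lsa = lsa
        self.secret_path = secret_path
        self.handle = None

    def acquire_handle(self) -> str:
        if os.name == "posix":
            # Refuse a secret file that anyone else could have read or altered.
            mode = stat.S_IMODE(os.stat(self.secret_path).st_mode)
            if mode & 0o077:
                raise PermissionError("secret file is accessible to other users")
        with open(self.secret_path) as fh:
            secret = fh.read().strip()
        self.handle = self.lsa.open_credential(secret)
        return self.handle

    def sign(self, request: bytes) -> str:
        return self.lsa.sign_request(self.handle, request)


def run_scenario() -> dict:
    """Logon, acquire a handle, use it twice, and try the two failure paths."""
    with tempfile.TemporaryDirectory() as d:
        lsa = LocalSecurityAuthority(d)
        path = lsa.logon("alice", "correct horse battery")
        with open(path) as fh:
            secret = fh.read().strip()
        lib = SecurityLibrary(lsa, path)
        handle = lib.acquire_handle()
        try:
            lsa.open_credential("not-the-secret")
            bad_secret_rejected = False
        except PermissionError:
            bad_secret_rejected = True
        try:
            lsa.sign_request("deadbeefdeadbeef", b"GET /x")
            bad_handle_rejected = False
        except PermissionError:
            bad_handle_rejected = True
        return {
            "secret": secret,
            "handle": handle,
            "mac_a": lib.sign(b"GET /a"),
            "mac_a_again": lib.sign(b"GET /a"),
            "mac_b": lib.sign(b"GET /b"),
            "bad_secret_rejected": bad_secret_rejected,
            "bad_handle_rejected": bad_handle_rejected,
        }


if __name__ == "__main__":
    print(run_scenario())
```

Note what the application can and cannot do here: it can ask the LSA to act with the credential, but it cannot read the credential, and a stolen handle is useless outside the process that owns the LSA mapping.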
-
Patent number: 7171411
Abstract: A method and system for managing access information for users and other entities in a distributed computing system is disclosed. An aspect is directed to sharing schemas across multiple users. This can be accomplished by mapping multiple global users to the same local schema. Any users mapped to that local schema would, upon logging in, receive the set of privileges associated with the global user and the local schema. In this manner, separate schemas would not need to be defined for each global user.
Type: Grant
Filed: February 27, 2002
Date of Patent: January 30, 2007
Assignee: Oracle International Corporation
Inventors: Nina Lewis, Ashwini Surpur, John Bellemore
-
Patent number: 7168091
Abstract: A method and system for secure authentication of a user in a session conducted over an interactive communication channel, such as a two-way telephony communication channel, with an authenticating entity, such as a financial institution, utilizes a session identifier, such as pseudorandom noise, to detect and identify attempts to play back authentication information, such as user-spoken phrases, intercepted and recorded by an unauthorized party during a previous session between the user and the authenticating party.
Type: Grant
Filed: March 15, 2004
Date of Patent: January 23, 2007
Assignee: Citibank, N.A.
Inventor: Daniel Schutzer
-
Patent number: 7168093
Abstract: A method and apparatus for verifying the integrity of devices on a target network having two components: a subsystem connected to the target network, and a master system, isolated therefrom by a secure link. The topological and hierarchical relationship of the devices to each other improves stability of the apparatus. Random testing of target network devices by the subsystem and random testing of the subsystem by the master system provide verification and independent self-checking.
Type: Grant
Filed: January 25, 2001
Date of Patent: January 23, 2007
Assignee: Solutionary, Inc.
Inventors: Michael Hrabik, Jeffrey J. Guilfoyle, Edward Mac Beaver
-
Patent number: 7168090
Abstract: Methods and apparatus for authenticating a mobile node are disclosed. A server is configured to provide a plurality of security associations associated with a plurality of mobile nodes. A packet identifying a mobile node may then be sent to the server from a network device such as a Home Agent. A security association for the mobile node identified in the packet may then be obtained from the server. The security association may be sent to the network device to permit authentication of the mobile node. Alternatively, authentication of the mobile node may be performed at the server by applying the security association.
Type: Grant
Filed: June 10, 2004
Date of Patent: January 23, 2007
Assignee: Cisco Technology, Inc.
Inventor: Kent K. Leung
-
Patent number: 7162640
Abstract: A method is provided for using an identity service for protecting identity information during an electronic transaction. The method includes registering an identity client, wherein the identity client possesses an associated multi-component identity. The method further includes regulating access to the multi-component identity such that the identity service authorizes dissemination of fewer than all components of the multi-component identity to an identity requestor. Additionally, a method for providing client identity repair protects a client from fraudulent distribution of electronically available client identity information. Upon detection of fraudulent distribution of identity information, a new identity reference is created and attempts to access an old identity reference are tracked. If the attempts to access the old identity reference are authorized, the attempts are re-directed to the new identity reference. However, if the attempts were unauthorized, access to the new identity reference is denied.
Type: Grant
Filed: March 11, 2003
Date of Patent: January 9, 2007
Assignee: Microsoft Corporation
Inventors: Pamela J. Heath, Jonathan C. Cluts, Sven Pleyer
-
Patent number: 7162735
Abstract: When software is initially loaded to RAM 20, an engine 30A is installed at the beginning of an otherwise empty area of RAM 20. When the protected application is called, the engine first creates a series of steps (FIG. 3D), including a CALL command to a protection block 38. On reaching the call 36, the protection block 38 is executed, to complete various security checks. If these are successful, step 2 is created and written over the call 36 so that execution of steps 2 and 3 can continue as normal. Consequently, the protected software (steps 1, 2 and 3) is not exposed to scrutiny unless the security checks have successfully been completed.
Type: Grant
Filed: July 13, 2001
Date of Patent: January 9, 2007
Assignee: Simplex Major Sdn.Bhd
Inventor: John Aram Safa
-
Patent number: 7159240
Abstract: Operating system upgrades in a trusted operating system environment allow a current trusted core of an operating system installed on a computing device to be upgraded to a new trusted core. The new trusted core is allowed to access application data previously securely stored by the current trusted core only if it can be verified that the new trusted core is the new trusted core expected by the current trusted core. In accordance with one implementation, the new trusted core is allowed to access only selected application data previously securely stored by the current trusted core.
Type: Grant
Filed: November 16, 2001
Date of Patent: January 2, 2007
Assignee: Microsoft Corporation
Inventors: Paul England, Marcus Peinado, Daniel R. Simon, Josh D. Benaloh
-
Patent number: 7159238
Abstract: A universal browser operates in conjunction with an underlying browser to provide a user of a PC with access to an enhanced service. The enhanced service can be post-marking for an electronic communication, encryption, or some other service or product offered by the universal browser provider. The universal browser is displayed as a frame, on a tool-bar, on a pull-down menu, as an icon, or the like on a page that has been accessed by the underlying browser.
Type: Grant
Filed: May 30, 2002
Date of Patent: January 2, 2007
Assignee: United States Postal Service
Inventor: Leo J. Campbell
-
Patent number: 7159237
Abstract: A probe attached to a customer's network collects status data and other audit information from monitored components of the network, looking for footprints or evidence of unauthorized intrusions or attacks. The probe filters and analyzes the collected data to identify potentially security-related events happening on the network. Identified events are transmitted to a human analyst for problem resolution. The analyst has access to a variety of databases (including security intelligence databases containing information about known vulnerabilities of particular network products and characteristics of various hacker tools, and problem resolution databases containing information relevant to possible approaches or solutions) to aid in problem resolution. The analyst may follow a predetermined escalation procedure in the event he or she is unable to resolve the problem without assistance from others.
Type: Grant
Filed: January 19, 2001
Date of Patent: January 2, 2007
Assignee: Counterpane Internet Security, Inc.
Inventors: Bruce Schneier, Andrew H. Gross, Jonathan D. Callas
-
Patent number: 7155739
Abstract: A method and system for registering, storing and managing personal data for use over a network, and for allowing users to register for, link to and log onto third party Web sites. The invention queries a user for registration, authentication credentials information, such as user names, passwords, etc., for any type of application, and securely stores this data in a centralized user database. The invention prompts when registration/authentication is needed, and either manually with user intervention or automatically with user permission inputs stored data, or automatically creates the registration/authentication credential data for the user. The invention further monitors a user's network browsing, detects when registration/authentication is needed, and either manually with user intervention or automatically with user permission inputs stored data, or automatically creates the registration/authentication credential data for the user.
Type: Grant
Filed: January 16, 2001
Date of Patent: December 26, 2006
Assignee: JBIP, LLC
Inventors: Jonathan H. Bari, Scott R. Elkins, Joshua Hartmann
-
Patent number: 7150035
Abstract: A method of securing information. The method comprises: obtaining a path to the information; and performing a security check regarding the path.
Type: Grant
Filed: March 20, 2001
Date of Patent: December 12, 2006
Assignee: General Instrument Corporation
Inventors: Douglas Makofka, Eric Sprunk
-
Patent number: 7150037
Abstract: A policy engine generates configlets that are vendor-neutral, vendor-specific or both, based on a selected target level and a selected device/device group. A translator translates and combines the configlets to form vendor-dependent configuration files. The policy engine generates the configlets using policies associated with the selected target level and its sub-target levels, as defined by a target level hierarchy. A policy includes at least a condition, and an action which the policy engine performs if the condition is true. In performing the action, the policy engine typically writes to at least a partial configlet. A policy may further include a verification clause, which is used to verify a running configuration. Policy dependencies may also be defined such that where a second policy is dependent on a first policy, the second policy must be evaluated after the first policy. This is necessary where, for example, the first policy generates and stores a value to be used by the second policy.
Type: Grant
Filed: June 8, 2001
Date of Patent: December 12, 2006
Assignee: Intelliden, Inc.
Inventors: Jonathan S. Wolf, Arthur B. Mellor, Wayne F. Tackabury, Christopher B. Anderson, Robin M. Whitworth, Michael D. Haag, Brian A. Del Vecchio
-
Patent number: 7150043
Abstract: Performance of a pattern-matching intrusion detection system (IDS) is improved by ranking signatures in its signature table by likelihood of occurrence, so that the table may be searched efficiently. Occurrence data associated with signatures is kept, and the ranking adaptively revised according to updates of the data. When the IDS detects a system event, the signature table is searched. If the search does not find a signature matching the event, thereby suggesting that the event poses no threat, a null signature is added to the signature table in a strategic location to terminate future searches early. In one embodiment, null signatures may be stored in a cache. When a system event is detected, the cache is searched. If a match is not found, the signature table is searched. If a match is not found in the signature table, a null signature is cached.
Type: Grant
Filed: December 12, 2001
Date of Patent: December 12, 2006
Assignee: International Business Machines Corporation
Inventors: Ashley Anderson Brock, Nathaniel Wook Kim, Kevin Thomas McClain
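The two mechanisms in this abstract (hit-count ranking of the signature table, and a cache of "null signatures" for events already known not to match) are easy to get subtly wrong, so here is an added example that is not the patent's or IBM's code. It implements both over a handful of constructed log lines, counts pattern comparisons so the saving is visible, and adds one caveat the abstract does not state: a cached null verdict is only valid for the signature table that produced it, so the cache is cleared whenever a signature is added. Signature names, patterns and the sample events are all constructed for this example.

```python
"""Adaptive signature ranking plus a null-signature cache for a pattern-matching IDS.

Added example, not the patent's code.  SIGNATURES and SAMPLE_EVENTS are constructed
for illustration.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Signature:
    name: str
    pattern: "re.Pattern"
    hits: int = 0          # occurrence data driving the ranking


class RankedSignatureTable:
    def __init__(self, signatures, null_cache_size: int = 1024):
        self.table = [Signature(n, re.compile(p, re.IGNORECASE)) for n, p in signatures]
        self.null_cache = OrderedDict()       # event -> None, LRU-bounded
        self.null_cache_size = null_cache_size
        self.compares = 0                     # pattern comparisons performed
        self.null_cache_hits = 0              # searches terminated by the cache

    def match(self, event: str):
        """Return the matching signature name, or None for a benign event."""
        if event in self.null_cache:          # null signature: stop before the table
            self.null_cache.move_to_end(event)
            self.null_cache_hits += 1
            return None
        for sig in self.table:                # table is kept in hit-count order
            self.compares += 1
            if sig.pattern.search(event):
                sig.hits += 1
                self._rerank()
                return sig.name
        self._cache_null(event)               # nothing matched: remember that
        return None

    def _rerank(self):
        # Stable sort: equal hit counts keep their existing relative order.
        # A production IDS would re-sort periodically rather than on every hit.
        self.table.sort(key=lambda s: s.hits, reverse=True)

    def _cache_null(self, event: str):
        self.null_cache[event] = None
        if len(self.null_cache) > self.null_cache_size:
            self.null_cache.popitem(last=False)   # drop least recently seen

    def add_signature(self, name: str, pattern: str):
        """New rules can match events previously judged benign: drop cached verdicts."""
        self.table.append(Signature(name, re.compile(pattern, re.IGNORECASE)))
        self.null_cache.clear()


# Constructed signatures and events (assumptions of this example).
SIGNATURES = [
    ("sql_injection", r"union\s+select"),
    ("path_traversal", r"\.\./"),
    ("ssh_bruteforce", r"Failed password"),
]
SAMPLE_EVENTS = [
    "sshd: Failed password for root from 10.0.0.5",
    "sshd: Failed password for admin from 10.0.0.5",
    "GET /index.html 200",
    "GET /index.html 200",
    "GET /?q=1 union select 1,2",
]


def scan(events, signatures=SIGNATURES):
    """Run events through a fresh table; return verdicts and the table for inspection."""
    ids = RankedSignatureTable(signatures)
    verdicts = [ids.match(e) for e in events]
    return verdicts, ids


if __name__ == "__main__":
    verdicts, ids = scan(SAMPLE_EVENTS)
    print(verdicts, "compares:", ids.compares, "cache hits:", ids.null_cache_hits)
    print("ranking:", [s.name for s in ids.table])
```

Walking the sample: the first SSH event costs three comparisons and promotes ssh_bruteforce to the top, so the second costs one; the first index.html event costs three and is cached, so the repeat costs none; the injection attempt is found on the second comparison. Nine comparisons instead of fifteen for a linear, unranked scan.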
-
Patent number: 7146639
Abstract: A method and apparatus are disclosed for managing a firewall. The disclosed firewall manager facilitates the generation of a security policy for a particular network environment, and automatically generates the firewall-specific configuration files from the security policy simultaneously for multiple gateways. The security policy is separated from the vendor-specific rule syntax and semantics and from the actual network topology. Thus, the security administrator can focus on designing an appropriate policy without worrying about firewall rule complexity, rule ordering, and other low-level configuration issues. In addition, the administrator can maintain a consistent policy in the presence of intranet topology changes. The disclosed firewall manager utilizes a model definition language (MDL) and an associated parser to produce an entity relationship model. A model compiler translates the entity-relationship model into the appropriate firewall configuration files.
Type: Grant
Filed: January 6, 2003
Date of Patent: December 5, 2006
Assignee: Lucent Technologies Inc.
Inventors: Yair Bartal, Alain Jules Mayer, Avishai Wool
-
Patent number: 7143436
Abstract: In a device authentication management system in which a device acquires secret information from an authentication management unit and carries out an authentication in order to carry out communications with another device by using the secret information, the authentication management unit generates the secret information, which contains first authentication information for carrying out communications between the authentication management unit and the device, and second authentication information for carrying out communications between the device and the other device; carries out the authentication in order to carry out communications with the device, by using the first authentication information; and transmits the second authentication information according to the authentication.
Type: Grant
Filed: September 25, 2002
Date of Patent: November 28, 2006
Assignee: Kabushiki Kaisha Toshiba
Inventors: Kensaku Yamaguchi, Hideaki Nakakita, Mikio Hashimoto
-
Patent number: 7140038
Abstract: A security service layer and method for controlling a communication between a client running an application and a target, wherein a message including parameters specifying the communication is analyzed and, based on the analyzing result, at least one service routine is selected from a number of available service routines. The communication is then controlled on the basis of the selected service routines. The client and the application running at the client may be security unaware, since all security relevant functions are executed on behalf of the application by the security service layer. Application dependent service routines are selected dynamically during the communication between the client and the target. A service routine may include security mechanisms or support mechanisms, such as data handling.
Type: Grant
Filed: May 17, 2001
Date of Patent: November 21, 2006
Assignees: GMD - Forschungszentrum Informationstechnik GmbH, Fujitsu Limited
Inventors: Rainer Prinoth, Horst Ehmke, Elisabeth Giessler, Thomas Schroeder, Markus Schumacher
-
Patent number: 7137140
Abstract: A customer computer 12, vendor computer 16 and verification computer 14 are interconnected by means of a network 18, such as the internet. The customer 12 can initiate a transaction, such as the purchase of information from the vendor 16. However, the vendor 16 will not proceed until verification of the transaction has been received from the site 14. This is not provided until the customer 12 has sent a unique fingerprint of data to the site 14, identifying the customer machine by reference to hardware device types or serial numbers, software types or licences, e-mail addresses or the like. This fingerprint is stored for future reference in showing that the transaction was validly implemented by the customer machine 12.
Type: Grant
Filed: July 13, 2001
Date of Patent: November 14, 2006
Assignee: Simplex Major SDN.BHD
Inventor: John Aram Safa
-
Patent number: 7136997
Abstract: A network of radio devices is managed by carrying out a radio device registration at a registering authentication server when it is possible to communicate with all the authentication servers, distributing registration information to the authentication servers, managing the registration information at each one of the authentication servers, carrying out a radio device deletion at a deleting authentication server, distributing deletion information to the authentication servers, and deleting the radio device from the registration information according to the deletion information at each one of the authentication servers.
Type: Grant
Filed: September 13, 2002
Date of Patent: November 14, 2006
Assignee: Kabushiki Kaisha Toshiba
Inventors: Kensaku Yamaguchi, Hideaki Nakakita, Mikio Hashimoto
-
Patent number: 7131000
Abstract: A computer system provides system-wide computer application security using role-based identifiers. The programmer identifies secured functions within a software application using a hierarchical identifier. The hierarchical identifiers are grouped together into privilege sets. The privilege sets and other hierarchical identifiers are grouped together into job functions, which are in turn grouped into larger subsets called user roles. These user roles are stored in a data store. User identifiers are created. Each user identifier is linked to one user role in the data store. A surrogate identifier is created to correspond to each user role and is stored in the data store. The surrogate identifiers are not disclosed to the users. A user is given permission to access secured functions within an application by retrieving a surrogate identifier from the data store, which shares the same user role as the user. Access rights are determined using the surrogate identifier to validate permissions on a security provider.
Type: Grant
Filed: January 18, 2001
Date of Patent: October 31, 2006
Inventor: Robert L. Bradee
-
Patent number: 7124436
Abstract: A security unit to prevent unauthorized retrieval of data includes an encrypting unit for encrypting data in accordance with commands received by the security unit, and a common register for storing both intermediate results and final results of the data encryption. A switching element operatively coupled to the register selectively outputs the contents of the register. The switching element is controlled to prevent external access to the intermediate results of the encryption. The security unit is particularly useful as part of a memory unit that is attachable to a recording/reproduction device such as a digital audio recorder/player.
Type: Grant
Filed: October 25, 2004
Date of Patent: October 17, 2006
Assignee: Sony Corporation
Inventors: Takumi Okaue, Yoshihito Ishibashi, Yukihiro Sakamoto, Asami Mizuno, Nobuyuki Kihara, Teppei Yokota
-
Patent number: 7124435
Abstract: An information management method includes invoking a client environment hosted on a client machine. The client environment is registered with a discovery machine coupled to the client machine by a network. A server machine coupled to the network registers with the discovery machine. A host environment of the client environment on the server machine registers with the discovery machine upon an indication that the server machine has a communication for the client environment. A direct link is established between the client machine and the server machine and the communication is delivered from the server machine to the client machine.
Type: Grant
Filed: October 23, 2001
Date of Patent: October 17, 2006
Assignee: Avanza Technologies, Inc.
Inventor: Philippe Richard
-
Patent number: 7120929
Abstract: A computer system and process for automated identification, processing and issuance of digital certificates uses web server domain-control vetting to issue web server certificates. A requestor requests a web server certificate from a certificate authority and uses approver email address or addresses to request that the approver approve issuance of the certificate. If approved, the certificate authority accepts the request, creates and signs the certificate, and the signed certificate is sent to the requestor.
Type: Grant
Filed: April 8, 2005
Date of Patent: October 10, 2006
Assignee: GeoTrust, Inc.
Inventors: Douglas Beattie, Neal Creighton, Jr., Christopher Bailey, David Remy, Hani Hamandi
-
Patent number: 7117043
Abstract: A method for programming a programmable logic controller (PLC) is disclosed. The PLC may be used to control devices of a secured facility, such as a detention center, jail, or prison. The disclosed method may include creating a spreadsheet including information relating to devices and functions of a system to be controlled by the PLC, such as the number and type of door locks and the functionality of the door locks. The method may further include analyzing the spreadsheet to detect errors in the information stored in the spreadsheet. The method may further include writing PLC logic to control the system based on the information in the spreadsheet.
Type: Grant
Filed: March 28, 2003
Date of Patent: October 3, 2006
Assignee: integrator.com
Inventors: Blaine Thomas Frederick, Patrick A. Hickok, Dale S. Kougel
-
Patent number: 7117529
Abstract: An identification and authentication scheme maintains control relationships among identities in order to allow a user to dynamically grant or deny permission for a technical support representative to access the user's data, while allowing the user to retain ultimate control over access to the data. Interactions entered by the representative can be distinguished from those entered by the user, while execution paths for representative-entered interactions are configured so that, to an application, the representative-entered transactions appear substantially identical to user-entered transactions. Technical support representatives are thereby able to duplicate users' problems to enable diagnosis and resolution of problems without requiring users to reveal their passwords or login credentials.
Type: Grant
Filed: October 22, 2001
Date of Patent: October 3, 2006
Assignee: Intuit, Inc.
Inventors: William O'Donnell, Daniel Wilks
-
Patent number: 7114178
Abstract: An access control system includes an access control device, a wireless communication device, and a central controller. The central controller issues authorization codes to the wireless communication device. The wireless communication device is used by an authorized party to enable or activate a protected function secured by an access control device. To enable or activate the protected function, the authorized party uses the wireless communication device to transmit an access request to the access control device, which responds by transmitting an authentication challenge to the wireless communication device. The wireless communication device must transmit a valid authentication response based on the authentication challenge and a valid authorization code stored in its memory. If a valid authentication response is received, the access control device enables or activates the protected function.
Type: Grant
Filed: May 22, 2001
Date of Patent: September 26, 2006
Assignee: Ericsson Inc.
Inventors: Paul W. Dent, Janez Skubic
-
Patent number: 7114070
Abstract: A system and methods for automatic digital certificate installation on network devices in a data-over-cable network are developed. One of the methods includes sending a digital certificate request from a cable modem to a predetermined network server upon determining on the cable modem that there is no digital certificate already installed on the cable modem. The method further includes generating at least one digital certificate on the network server and providing the at least one digital certificate to the cable modem.
Type: Grant
Filed: February 14, 2002
Date of Patent: September 26, 2006
Assignee: 3Com Corporation
Inventors: David Willming, Paul Chan, William Necka, Ronald Lee
-
Patent number: 7107612
Abstract: An improved firewall for providing network security is described. The improved firewall provides for dynamic rule generation, as well as using conventional fixed rules. This improvement is provided without significant increase in the processing time required for most packets. Additionally, the improved firewall provides for translation of IP addresses between the firewall and the internal network.
Type: Grant
Filed: July 19, 2004
Date of Patent: September 12, 2006
Assignee: Juniper Networks, Inc.
Inventors: Ken Xie, Yan Ke, Yuming Mao
-
Patent number: 7103661
Abstract: A method and apparatus for the configuration of a wireless network adapter is disclosed. A wireless network adapter is provided with software that enables the adapter to recognize and connect with one or more networks. Software profiles are loaded onto or created on the adapter. The software profiles each correspond to a unique network.
Type: Grant
Filed: March 9, 2001
Date of Patent: September 5, 2006
Inventor: John Raymond Klein
-
Patent number: 7103912
Abstract: A user authentication information management method receives a meta-password from a user. A repository (34) lists network addresses (36) and associated handles (38), each handle having an associated encoded password. An authentication response from the user is intercepted. A modified authentication response is generated by identifying a network address to which the response is directed (208), searching for the identified network address (210) in the repository (34), identifying a handle (212) corresponding to the address based on the searching (210), decoding the password associated with the handle using the meta-password as a decoding key (214), and substituting the decoded password for the meta-password in the authentication response (216). The method also generates pseudo-random passwords (124) consistent with password rules (128). The repository (34) can reside on a client device (14), a proxy server, a local area network, or a security server having an Internet protocol (IP) address.
Type: Grant
Filed: June 29, 2001
Date of Patent: September 5, 2006
Assignee: International Business Machines Corporation
Inventors: Chenhong Xia, William Earl Malloy
-
Patent number: 7100207
Abstract: A method for providing a user with access to a plurality of computer resources, at least some of which utilize distinct protocols for receiving security information and for providing access to outside systems based on received security information. A request is received from the user identifying one of the plurality of computer resources. From a set of previously stored records, each of which identifies one of the plurality of computer resources and contains security information for allowing access to the computer resource identified in the record, one of the records of the set is selected whose identification of one of the plurality of computer resources best matches the request's identification of one of the plurality of computer resources. The security information in the selected record is used to provide access to the computer resource identified in the request according to the distinct protocol utilized by that resource.
Type: Grant
Filed: June 14, 2001
Date of Patent: August 29, 2006
Assignee: International Business Machines Corporation
Inventor: Scott Howard Prager
-
Patent number: 7096353
Abstract: A communications system includes a physical layer hardware unit and a processing unit. The physical layer hardware unit is adapted to communicate data over a communications channel in accordance with assigned transmission parameters and receive an incoming signal over the communications channel and sample the incoming signal to generate a digital received signal. The processing unit is adapted to execute a standard mode driver in a standard mode of operation and a privileged mode driver in a privileged mode of operation. The standard mode driver includes program instructions adapted to extract encrypted data from the digital received signal and pass the encrypted data to the privileged mode driver. The privileged mode driver includes program instructions adapted to decrypt the encrypted data to generate decrypted data including control codes and transfer the control codes to the physical layer hardware unit.
Type: Grant
Filed: July 9, 2001
Date of Patent: August 22, 2006
Assignee: Advanced Micro Devices, Inc.
Inventors: David W. Smith, Brian C. Barnes, Terry L. Cole, Rodney Schmidt, Geoffrey S. Strongin, Michael Barclay
-
Patent number: 7096491
Abstract: A method is disclosed for providing mobile code software applications to users via an application service provider (ASP). The ASP receives a mobile code application, such as a Java application, from a provider, along with a security specification. The security specification defines access privileges requested to execute the application, including privileges to execute functions performed by the application and privileges to access local resources of the ASP. The ASP receives a subscription to the application from a user. The subscription includes subscription information granting or denying privileges, and specifying parameters for the privileges, requested in the security specification. The ASP executes the application at runtime by determining for each executable function whether the user has authorized the requested privilege. Those functions authorized by the user are executed in one embodiment.
Type: Grant
Filed: July 20, 2001
Date of Patent: August 22, 2006
Assignee: Hewlett-Packard Development Company, L.P.
Inventor: Lebin Cheng
-
Patent number: 7096356
Abstract: A method and apparatus for negotiating a shared secret among members of a multicast group are disclosed. A tree that represents the group is created and stored in a memory. Each node of the tree is associated with a group member. The shared secret is generated by traversing the tree in post-order, and at each node of the tree, recursively generating a partial key value for use in the shared secret and a base value for use in subsequent recursive partial key value generation. At each node, a partial key value is computed by accumulating the exponent portion of the Diffie-Hellman key equation and computing a new base value for use in subsequent computations. If a particular node has a left or right child sub-tree, each sub-tree is also recursively traversed in post-order fashion. When traversal of the entire tree is complete, all nodes have the shared secret key.
Type: Grant
Filed: June 27, 2001
Date of Patent: August 22, 2006
Assignee: Cisco Technology, Inc.
Inventors: Shigang Chen, Liman Wei
-
Patent number: 7093296
Abstract: A rights management module controls access to a data set by processing requests for flexibly defined types of access to the data set and determines if the requested access may be granted. The requester's right for the requested type of access is verified by a verification module that may be part of the rights management core or verified through expansion rights verification modules. Extension verification modules may be contained within the data set itself or obtained from a separate store. Extension verification modules are authenticated by the rights management core.
Type: Grant
Filed: January 18, 2002
Date of Patent: August 15, 2006
Assignee: International Business Machines Corporation
Inventors: Stefan Nusser, Eckhart Koeppen, James C. Mahlbacher, David Medina, Luca Contessa
-
Patent number: 7093283
Abstract: A method and apparatus for deploying configuration instructions to security devices in order to implement a security policy on a network are disclosed. An address translation alteration performed on packets communicated between a management source and a plurality of security devices, resulting from implementation of a proposed new network security policy, is detected. One or more sets of security devices are identified that would each have one or more configuration dependencies as a result of the address translation alteration. Configuration instructions are sent from the management source to each of the one or more sets of security devices using an order determined by the identified configuration dependencies. The configuration instructions are used to implement the security policy on the network. As a result, firewalls and similar devices are properly configured for a new policy without inadvertently causing traffic blockages arising from configuration dependencies.
Type: Grant
Filed: February 15, 2002
Date of Patent: August 15, 2006
Assignee: Cisco Technology, Inc.
Inventors: Shigang Chen, Partha Bhattacharya
-
Patent number: 7093281
Abstract: A method and system for allowing access to an exchange by a casual user without compromising exchange security. The present invention allows a casual user to provide required input and complete simple business transactions without becoming a registered member of the exchange. The system knows what information to provide to or to collect from the casual user and provides him with a context sensitive personal identification number (CS-PIN) to allow access for that purpose.
Type: Grant
Filed: June 4, 2001
Date of Patent: August 15, 2006
Assignee: G.E. Information Services, Inc.
Inventors: Deepak Bhatnager, David Hay, Sunil Sheoran, Craig Jameson
-
Patent number: 7089583
Abstract: The present invention provides a solution to the needs described above through a system and method for a business applications server. The automated system of the present invention uses a persistence framework to provide a process for saving and restoring state of business objects and for performing operations thereon, and metadata driven processes to dynamically define class properties and behavior for each class of business object, in order to control the execution of the required tasks with minimum use of redundant data input to the several applications, thereby minimizing the use of hardware resources and user input and programming effort.
Type: Grant
Filed: January 12, 2001
Date of Patent: August 8, 2006
Assignee: Saba Software, Inc.
Inventors: Gaurav Mehra, Tejas M. Damania, Rich Ellinger, Deepak Jain, Michael L. Dufner