Tokens (e.g., Smartcards Or Dongles, Etc.) Patents (Class 726/9)
  • Publication number: 20150058962
    Abstract: A method and system of authenticating a service to access data respective of a user on a low-end mobile device are provided. The method includes receiving a request from a service to access data respective of the user device, wherein the user device is a low-end mobile device; sending the user device a first authentication token over a first communication path; receiving a second authentication token over a second communication path, wherein the second authentication token is received from a host server hosting the service; comparing the first authentication token to the second authentication token; and allowing access to the data upon determination that the first authentication token matches the second authentication token.
    Type: Application
    Filed: October 25, 2013
    Publication date: February 26, 2015
    Applicant: VascoDe Technologies Ltd.
    Inventors: Dorron Mottes, Gil Zaidman, Arnon Yaar, Ophir Marko
  • Patent number: 8966599
    Abstract: Approaches are described for automatically generating new security credentials, such as security tokens, which can involve automatically re-authenticating a user (or client device) using a previous security token issued to that user (or device). The re-authentication can happen without any knowledge and/or action on the part of the user. The re-authentication mechanism can invalidate and/or keep track of the previous security token, such that when a subsequent request is received that includes the previous security token, the new security token can be invalidated, and the user caused to re-authenticate, as receiving more than one request with the previous security token can be indicative that the user's token might have been stolen.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: February 24, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Maximilian Francis Barrows, Paul Francis Dean Ferraro, Jason George Mchugh, Abraham Martin Passaglia, Andrew Jay Roths, Eric Allan Shell
  • Patent number: 8966572
    Abstract: Techniques are provided for dynamically propagating identity context for a user in a Service-Oriented Architecture. Methods and apparatus are provided that include receiving a request to invoke a web service, retrieving first security claims from application identity context information pertaining to a user, generating second security claims at runtime, packaging the first and second security claims into an authentication token, and transmitting the authentication token to a second computer system in a service request. The second computer system can be configured to extract the first and second security claims from the authentication token, validate the extracted first and second security claims, generate identity context information based upon the extracted first and second security claims, and publish and propagate the identity content information in an identity context object.
    Type: Grant
    Filed: June 1, 2012
    Date of Patent: February 24, 2015
    Assignee: Oracle International Corporation
    Inventors: Nickolas Kavantzas, Jiandong Guo, Pratibha Gupta
  • Patent number: 8966605
    Abstract: The invention relates to a security token comprising a communication interface adapted to communicate with a host computer; a security module, comprising encryption based security features; and a non volatile memory storing at least an application to be uploaded and executed in a host computer. The application makes use of the security features when executed in a host computer in communication with the communication interface. The security token is adapted to modify the content of the application as uploaded or its execution parameters at successive connections of the security token to a host computer.
    Type: Grant
    Filed: May 10, 2011
    Date of Patent: February 24, 2015
    Assignee: Gemalto SA
    Inventors: Jacques Fournier, Pierre Girard, Philippe Proust
  • Publication number: 20150052597
    Abstract: A computer program product for processing a message is provided. The computer program product comprises a computer readable storage medium having program instructions embodied therewith. The program instructions readable by a processing circuit cause the processing circuit to perform a method. The method validates a security token for a user. The method allows the user to compose a message. Based on the security token, the method verifies that the user is authorized to send the message to an intended recipient of the message and that a security level of the message is at or below a security level of the user.
    Type: Application
    Filed: May 28, 2014
    Publication date: February 19, 2015
    Applicant: Raytheon Company
    Inventors: Anne E. Anderson, Matthew R. Ashoff, Charles B. Bradley, II
  • Publication number: 20150052592
    Abstract: Methods, systems and articles of manufacture consistent with features of the present invention allow the generation and use of derived user accounts, or DUA, in a computer system comprising user accounts. In particular, derivation rules define how a DUA is linked to or created based on an existing original user account, or OUA. Derivation transformations may also update the state of a DUA based on its corresponding OUA or give feedback from the state of a DUA to the state of its corresponding OUA.
    Type: Application
    Filed: September 26, 2014
    Publication date: February 19, 2015
    Applicant: Google Inc.
    Inventor: Ulfar Erlingsson
  • Patent number: 8959645
    Abstract: A distributed operation is performed using at least one first and second computer-based object, wherein control information is used to influence or determine a property, a function of the first and/or second computer-based objects. The control information includes details of a parameter identifier, a value associated with the parameter identifier, a range of validity and a remote access attribute. The control information is provided in a retrievable manner, according to the included range of validity, in a memory organized according to ranges of validity and is associated with the first computer-based object. During a function or service call for performing the distributed operation, which is sent from the first computer-based object to the second, the control information is transmitted to the second computer-based object, provided in a retrievable manner in the memory organized according to the ranges of validity and associated with the second computer-based object.
    Type: Grant
    Filed: September 2, 2009
    Date of Patent: February 17, 2015
    Assignee: Siemens Aktiengesellschaft
    Inventors: Harald Herberth, Ulrich Kröger, Allan Sobihard
  • Patent number: 8959570
    Abstract: A policy description for a web service is received at a web service client. The policy description includes a predefined security policy constraint, requires that an application requesting execution of the web service also provide a security token generated by a security token service, and requires that the security token complies with the predefined security policy constraint. A message is generated that is compliant with the policy description for obtaining the security token. The message is sent to the security token service. The security token generated by the security token service is received in response to receipt of the message. The security token is compared against the predefined security policy constraint to verify compliance of the security token generated by the security token service against the predefined security policy constraint.
    Type: Grant
    Filed: June 22, 2011
    Date of Patent: February 17, 2015
    Assignee: International Business Machines Corporation
    Inventor: Emmanuel Wurth
  • Patent number: 8959343
    Abstract: An authentication system, method and device are provided in the present application. The authentication system includes an Application Server (AS) for providing non Internet protocol Multimedia Subsystem (IMS) service, an authentication gateway and an IMS terminal. The AS forwards a connection request message sent by the IMS terminal to said authentication gateway, the authentication gateway sends an obtained first random number to said IMS terminal through the AS, the IMS terminal generates a first Response (RES) value according to the first random number and sends the generated first RES value to the authentication gateway through the AS, and if the received first response value and an obtained Expected Response (XRES) value is found coincident after being compared by the authentication gateway, the authentication gateway determines that the authentication to the IMS terminal is passed, and indicates the AS to provide non IMS service for the IMS terminal.
    Type: Grant
    Filed: November 26, 2010
    Date of Patent: February 17, 2015
    Assignee: China Mobile Communications Corporation
    Inventors: Lijun Liu, Bo Yang, Xiaoming Lu, Huaxi Peng, Jing Wang
  • Patent number: 8959340
    Abstract: A method is provided for transferring data linked to an application installed on a security module associated with a mobile terminal, the data being stored in a first secure memory area of the security module, suitable for receiving a request to access the data, to read the data, and to transmit or store the data after encryption. A method is also provided for accessing these data suitable for transmitting a request to access, to receive and to decrypt the encrypted data. A security module, a management server, and a system implementing the transfer and access methods are also provided.
    Type: Grant
    Filed: March 30, 2009
    Date of Patent: February 17, 2015
    Assignee: Orange
    Inventors: Rémi Raffard, Houssem Assadi
  • Patent number: 8959608
    Abstract: A mobile device includes a session maintainer application, a native application and a shell application and a link to a web application. If a user is seeking to access a native application, and an active session has not been established, user login credential is obtained, a session token is obtained upon verification of the user login credential, and the obtained session token is provided to the native application. If the user is seeking to access a web application, and an active session has not been established, a session token is obtained upon verification of the user login credential and the obtained session token is provided to the shell application. If an active session has been established then the obtained session token is automatically provided to the native or shell application when the user subsequently seeks access to the respective application.
    Type: Grant
    Filed: December 26, 2012
    Date of Patent: February 17, 2015
    Assignee: Cellco Partnership
    Inventors: Shahid Ahmed, Nanda Kumar, Patrick V. Bellone
  • Patent number: 8959650
    Abstract: A method is used in validating association of client devices with sessions. Information of a client device executing a user agent is gathered by a server for creating a device identifier for the client device upon receiving a request from the user agent for establishing a session between the user agent and the server. The device identifier includes information identifying the client device. The device identifier is associated with the session. The client device is validated by the server upon receiving subsequent requests from the client device during the session. Validating the client device includes gathering information of the client device sending each subsequent request for creating a device identifier for the client device and comparing the device identifier created from the information gathered during each subsequent request with the device identifier associated with the session.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: February 17, 2015
    Assignee: EMC Corporation
    Inventors: Gareth D. Richards, Yedidya Dotan, Riaz Zolfonoon, Gregory Dicovitsky
  • Patent number: 8959609
    Abstract: An app runs on a user operated computing device, e.g., a mobile device running a sandboxed operating system. The app requests a session ID from a publisher IdP. The app registers for notifications on the session ID with a notification service. The app directs a browser to navigate to the publisher IdP, and to pass it the secure session ID and an ID of a specific partner. The publisher IdP returns a redirect to a third party IdP used by the specific partner to authenticate users. The browser navigates to the third party IdP, which prompts the user for authentication credentials. The third party IdP uses the credentials to authenticate the user, and redirects the authentication result to the publisher IdP. The publisher IdP sends the app a notification, via the notification service. In response, the app calls the publisher IdP, and receives a secure authentication token.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: February 17, 2015
    Assignee: Symantec Corporation
    Inventors: Keith Newstadt, Petrus Johannes Viljoen, Anubhav Savant
  • Patent number: 8959354
    Abstract: A method for digitally signing a document, a secure device, and a computer program product for implementing the method. The method employs a secure device which is protected against malicious software or malware and is adapted to establish a secure connection to a recipient via a host. The method includes: connecting to a terminal; accessing the contents of a document received by the secure device; instructing at the secure device to communicate the accessed contents to an output device other than the terminal such that the contents can be verified by a user; ascertaining at the secure device a command received to digitally sign the document; executing at the secure device the ascertained command; and instructing to send a digitally signed document to a recipient over a connection established via the host connected to a telecommunication network.
    Type: Grant
    Filed: March 29, 2011
    Date of Patent: February 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Michael Baentsch, Peter Buhler, Harold Douglas Dykeman
  • Patent number: 8959327
    Abstract: A security processor may be embedded within a digital cable ready (DCR) digital TV (DTV) system-on-chip to perform content protection operations during digital TV signal processing. The embedded security processor may be used to perform operations that are currently performed by an external entity, such as, for example, a CableCard. The embedded security processor may be configured to use a conditional access function including, but not limited to, CableLabs® Downloadable Conditional Access System (DCAS) based function. The security processor may be reprogrammable to enable the system-on-chip to be reconfigured with a different function and/or to allow operation with a new cable service provider. The security processor may enable secure reprogrammability of the system-on-chip utilizing security algorithms and/or other mechanisms including use of chip-specific identification information. The SoC may be enabled to operate with a CableCard whenever the security processor may be disabled.
    Type: Grant
    Filed: April 27, 2007
    Date of Patent: February 17, 2015
    Inventor: Xuemin Chen
  • Patent number: 8955085
    Abstract: In a device registration system, user authentication and device authentication of a CE device are executed in a single session, and the user and the CE device are associated with each other if these authentications succeed. The CE device obtains information for user authentication from an IC card and portable memory, and sends the information and device authentication information to a device registration unit. The device registration unit sends the information for the user authentication to a user authentication unit, and the device authentication information to a device authentication unit. The user authentication unit executes a user authentication process and sends information of the user to the device registration unit if authentication succeeds. The device authentication unit executes a device authentication process and sends information of the device to the device registration unit if authentication succeeds.
    Type: Grant
    Filed: January 13, 2012
    Date of Patent: February 10, 2015
    Assignee: Sony Corporation
    Inventor: Naoshi Suzuki
  • Patent number: 8955077
    Abstract: A method of authenticating a client to a service via a network includes retrieving a client ID and a lockstep code from a token interfaced with a client device, sending the client ID and the lockstep code to an authentication server as part of a verification request, at the authentication server, comparing the lockstep code to a confirmation lockstep code relating to the client ID, based on the comparison, sending an authentication message from the authentication server, at the authentication server, generating a new confirmation lockstep code, sending the new confirmation lockstep code to the client device, and updating the lockstep code of the token to an updated lockstep code that matches the new confirmation lockstep code.
    Type: Grant
    Filed: June 17, 2013
    Date of Patent: February 10, 2015
    Assignee: CA, Inc.
    Inventor: Geoffrey Hird
  • Patent number: 8955083
    Abstract: An arrangement for secure user authentication includes a computer or telecommunication terminal with a smartcard and a device. The smartcard is adapted to securely store biometric information relating to at least one user and the device is adapted to detect biometric data of users. The smartcard and the device include a radio interface for communicating together and a module for exchanging biometric information between each other. In this way, tampering of the transferred biometric information is difficult. In order to increase the security, one or more of the following measures may be used: a secure communication channel between the device and the smartcard, a direct (preferably short range) communication channel between the device and the smartcard and encryption and decryption of biometric information transferred between the device and the smartcard.
    Type: Grant
    Filed: December 19, 2006
    Date of Patent: February 10, 2015
    Assignee: Telecom Italia S.p.A.
    Inventors: Donato Ettorre, Maura Turolla, Luigi Licciardi, Antonio Varriale, Alessandro Rabbini
  • Patent number: 8955081
    Abstract: An apparatus for, and method of, single sign-on collaboration among a plurality of mobile devices, includes a server for issuing a first identity token to subsequently authenticate a user of a first of the mobile devices to a service provider, and for generating and sending a collaboration key to the first device based on the first identity token or user authentication. The first device generates and sends a collaboration credential based on the collaboration key to a second device paired with the first device. The server also issues a second identity token to subsequently authenticate to the service provider the user of the second device based on the collaboration credential received from the first device, to support single sign-on collaboration for the user across the plurality of mobile devices.
    Type: Grant
    Filed: December 27, 2012
    Date of Patent: February 10, 2015
    Assignee: Motorola Solutions, Inc.
    Inventors: Anthony R. Metke, Katrin Reitsma, Adam C. Lewis, George Popovich, Steven D. Upp
  • Patent number: 8955084
    Abstract: A token used when a first device authenticates itself to a third device may be associated with a token issue timestamp. Upon receipt of an indication that all previously issued tokens are to be revoked, a second device may store a revocation timestamp. Upon receiving, from the second device, a request for establishing conditions for a file transfer, from the first device, and an indication of a token issue timestamp associated with the request, the second device may compare the token issue timestamp to the revocation timestamp. Responsive to determining, based on the comparing, that the token issue timestamp precedes the revocation timestamp, the second device may deny the request.
    Type: Grant
    Filed: November 10, 2011
    Date of Patent: February 10, 2015
    Assignee: BlackBerry Limited
    Inventors: Tu Dien Do, Scott Peter Gammon, John Andrew McGregor
  • Patent number: 8955035
    Abstract: Techniques to allow a security policy language to accommodate anonymous credentials are described. A policy statement in a security policy language can reference an anonymous credential. When the policy statement is evaluated to decide whether to grant access to a resource mediated by the policy statement, the anonymous credential is used. The policy language can be implemented to allow one anonymous credential to delegate access-granting rights to another anonymous credential. Furthermore, an anonymous credential can be re-randomized to avoid linkage between uses of the anonymous credential, which can compromise anonymity.
    Type: Grant
    Filed: December 16, 2010
    Date of Patent: February 10, 2015
    Assignee: Microsoft Corporation
    Inventors: Mira Belinkiy, Tolga Acar, Thomas Roeder, Jason Mackay, Brian LaMachia
  • Patent number: 8954745
    Abstract: A method and apparatus are provided to allow a user of a communications device to utilize one-time password generators for two-way authentication of users and servers, i.e., proving to users that servers are genuine and proving to servers that users are genuine. The present invention removes the need for a user to have a separate physical device, e.g., token, per company or service, reduces the cost burden on the companies and allows for two-way authentication via multiple access methods, e.g., telephone, web interfaces, automatic teller machines (ATMs), etc. Also, the present invention may be utilized in consumer and enterprise applications.
    Type: Grant
    Filed: April 3, 2007
    Date of Patent: February 10, 2015
    Assignee: Alcatel Lucent
    Inventors: Debra L. Cook, Vijay K. Gurbani, Maarten Wegdam
  • Patent number: 8955069
    Abstract: Event-based biometric authentication is provided using a mobile device of a user. A user attempting to access a protected resource is authenticated by receiving a request to access the protected resource; collecting biometric information from the user in response to the request using a mobile device of the user; performing biometric authentication of the user using the collected biometric information; and granting access to the protected resource based on the biometric authentication. The authentication optionally comprises an event-based authentication. The mobile device does not have to contain token generating material.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: February 10, 2015
    Assignee: EMC Corporation
    Inventors: Yedidya Dotan, Samuel Adams, Philip A. Darringer, Christopher Corde, Lawrence N. Friedman
  • Publication number: 20150040205
    Abstract: The present invention provides, in one aspect, a system and method for managing authentication tokens that operate across multiple types or physical resources binding the tokens to one or more external electronic Identity Providers; generating tokens; authenticating the tokens at multiple physical resources; managing access to physical resources by linking the tokens to the electronic identities; translating the tokens to the appropriate physical token type based on infrastructure services available at the point of service; validating tokens at the physical resource; tracking and conveying usage information; and making use of social group relationships and other data defined by individual usage to, among other things, simplify the process of granting user-generated credentials to persons connected to a given individual via the Identity Provider or an external social network, for example.
    Type: Application
    Filed: October 21, 2014
    Publication date: February 5, 2015
    Inventors: Steven Van Till, Eoin Cosgrave
  • Publication number: 20150039908
    Abstract: A method for utilizing a secure credential vault on a mobile computing device includes: prompting a user for and receiving from the user a credential vault password; prompting a user for and receiving a near-field communication (NFC) security token from a NFC-enabled device; verifying the credential vault password and the received NFC security token; and opening a secure session with the secure credential vault in response to successful verification.
    Type: Application
    Filed: July 30, 2013
    Publication date: February 5, 2015
    Inventors: Garner Lee, Siddartha Pothapragada, Ming Yin
  • Patent number: 8949608
    Abstract: The invention defines a digital programmable smart card terminal device and token collectively known as the token device. The token device comprises a field programmable token device which accepts a user's smart card. The combination of token device and smart card may then be used for a variety of applications that include user authentication, secure access, encryption. One specific application is that of an electronic wallet. The token device can be used both in connected and unconnected modes.
    Type: Grant
    Filed: February 20, 2001
    Date of Patent: February 3, 2015
    Assignee: Vasco Data Security, Inc.
    Inventors: Frank Hoornaert, Mario Houthooft
  • Patent number: 8949596
    Abstract: A first server is configured to receive a first token from a user device, determine whether the first token is valid, request the user device to provide a set of credentials to a second server, based on determining that the first token is invalid, and receive a first response from the user device. The first response may include information identifying whether the user device is authenticated to communicate with the first server. The first server is further configured to send the first response to a third server. The third server may generate a second response to indicate authentication of the user device to communicate with the first server. The first server is further configured to receive the second response from the third server, generate a second token, based on receiving the second response, and send the second token to the user device.
    Type: Grant
    Filed: July 10, 2012
    Date of Patent: February 3, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Fenglin Yin, Jianxiu Hao, Zhiying Jin
  • Patent number: 8949880
    Abstract: Various embodiments of the present invention relate to systems, methods, and computer-readable medium providing licensing rights for media content that follows a subscriber so that the subscriber may experience the media content on various content distribution platforms. In particular embodiments, the systems, methods, and computer-readable medium transfer licensing rights for a user for particular media content that is associated with a first device on a first distribution platform so that the rights are associated with a second device on a second distribution platform. As a result, in various embodiments, the user is able to experience the particular media content with the use of the second device on the second distribution platform.
    Type: Grant
    Filed: December 13, 2012
    Date of Patent: February 3, 2015
    Assignee: Ericsson Television Inc.
    Inventors: Alan Rouse, Charles Hammett Dasher
  • Patent number: 8949964
    Abstract: A physical, non-human readable representation of a digital key may be in a physical key article. The key article may enable a person to generate a signal representing the digital key from a user interface device in communication with a computer by physical manipulation of the key article. Access to digital content via the computer may be unlocked in response to receiving the signal. In addition, a key may be represented by a pattern of unreadable errors in a computer-readable medium.
    Type: Grant
    Filed: August 25, 2011
    Date of Patent: February 3, 2015
    Inventor: Gary Stephen Shuster
  • Patent number: 8948397
    Abstract: A major management apparatus, an authorized management apparatus, an electronic apparatus for delegated key management and key management methods thereof are provided. The major management apparatus generates a first delegation deployment message and a second delegation deployment message, which are transmitted to the authorized management apparatus and the electronic apparatus, respectively. The authorized management apparatus encrypts an original key management message into a key management message by an authorization key included in the first delegation deployment message. The original key management message includes an operation code and a key identity. The electronic apparatus decrypts the key management message into the original key management message by the authorization key included in the second delegation deployment message. The electronic apparatus selects an application key according to the key identity and operates the application key based on the operation code.
    Type: Grant
    Filed: December 13, 2012
    Date of Patent: February 3, 2015
    Assignee: Institute For Information Industry
    Inventors: Jui-Ming Wu, You-Lian Huang, Chih-Chiang Hsieh, Emery Jou
  • Patent number: 8948388
    Abstract: An elliptic curve random number generator avoids escrow keys by choosing a point Q on the elliptic curve as verifiably random. An arbitrary string is chosen and a hash of that string computed. The hash is then converted to a field element of the desired field, the field element regarded as the x-coordinate of a point Q on the elliptic curve and the x-coordinate is tested for validity on the desired elliptic curve. If valid, the x-coordinate is decompressed to the point Q, wherein the choice of which of the two points is also derived from the hash value. Intentional use of escrow keys can provide for back up functionality. The relationship between P and Q is used as an escrow key and stored by for a security domain. The administrator logs the output of the generator to reconstruct the random number with the escrow key.
    Type: Grant
    Filed: February 19, 2013
    Date of Patent: February 3, 2015
    Assignee: Certicom Corp.
    Inventors: Daniel Richard L. Brown, Scott Alexander Vanstone
  • Publication number: 20150033316
    Abstract: Embodiments of an invention for feature licensing in a secure processing environment are disclosed. In one embodiment, a processor includes an instruction unit and an execution unit. The instruction unit is to receive an instruction to initialize a secure enclave. The execution unit is to execute the instruction. Execution of the instruction includes determining whether a requested feature is licensed for use in the secure enclave.
    Type: Application
    Filed: July 23, 2013
    Publication date: January 29, 2015
    Inventors: Vincent Scarlata, Carlos Rozas, Simon Johnson, Uday Savagaonkar, Ittai Anati, Francis McKeen, Michael Goldsmith
  • Publication number: 20150033317
    Abstract: Token detection at a single computing platform may be linked with a user identification to unlock content and/or effectuate modifications in virtual space instances presented via multiple computing platforms, in accordance with one or more implementations. Exemplary implementations may enhance consistency in a user's experiences of a virtual space across multiple computing platforms.
    Type: Application
    Filed: October 14, 2014
    Publication date: January 29, 2015
    Inventors: John G. VIGNOCCHI, Robert NELSON, Jeffrey BUNKER, Troy LEAVITT, Robert LOWE, John BLACKBURN, Christopher SHEN
  • Patent number: 8943573
    Abstract: An authentication system including: (i) a user device, such as a mobile phone or media player, for storing random identification data for a user of the user device, and for processing entered token data to generate response data on the basis of the identification data; (ii) a client device, such as a personal computer, for use by the user to request a session, such as an online banking session, with a server system, for receiving the token data in response to the request, and for sending the response data to the server system; and (iii) a server of the server system, for storing the random identification data for the user, generating the token data for the client device on the basis of the identification data in response to the request, and for processing the response data to determine authentication for the client device for the session.
    Type: Grant
    Filed: June 15, 2007
    Date of Patent: January 27, 2015
    Assignee: FMT Worldwide Pty Ltd
    Inventors: Constantine Siourthas, Bjarne Staugaard Matzen
  • Patent number: 8943311
    Abstract: A method of establishing a communication channel between a network client and a computer server over a network is described. The network client may be configured to communicate with the computer server over the network and to communicate with a token manager. The token manager may be configured with a parent digital certificate that is associated with the token manager. The token manager or network client generates a credential from the parent digital certificate, and transmits the credential to the computer server. The credential may be associated with the computer server. The network client may establish the communications channel with the computer server in accordance with an outcome of a determination of validity of the credential by the computer server.
    Type: Grant
    Filed: November 4, 2009
    Date of Patent: January 27, 2015
    Assignee: SecureKey Technologies Inc.
    Inventors: Troy Jacob Ronda, Pierre Antoine Roberge, Patrick Hans Engel, Rene McIver, Gregory Howard Wolfond, Andre Michel Boysen
  • Patent number: 8943561
    Abstract: Systems and methods for authenticating users are presented. A system can send a passkey to a user interface of a known device. A user can then send a messaging service message with the passkey from a second device to the system. After receiving the message from the user, the system can extract the passkey from the message, and compare the received passkey against the passkey originally sent to the user. The known device and the second device can each have separate and unique device identifiers.
    Type: Grant
    Filed: July 13, 2012
    Date of Patent: January 27, 2015
    Assignee: TextPower, Inc.
    Inventors: Robert Foster, Scott Goldman, Mark Nielsen
  • Patent number: 8943304
    Abstract: Systems and methods are described for using a client agent operating in a virtual private network environment to intercept HTTP communications. Methods include: intercepting at the network layer, by a client agent executing on a client, an HTTP request from an application executing on the client; modifying the HTTP request; and transmitting, via a transport layer connection, the modified HTTP request to a server. Additional methods may comprise adding, removing, or modifying at least one cookie in the HTTP request. Still other methods may comprise modifying at least one name-value pair contained in the HTTP request. Corresponding systems are also described.
    Type: Grant
    Filed: August 3, 2006
    Date of Patent: January 27, 2015
    Assignee: Citrix Systems, Inc.
    Inventors: Junxiao He, Charu Venkatraman, Ajay Soni
  • Patent number: 8943574
    Abstract: Included are systems and methods for tokenizing sensitive data. Some of the systems and/or methods are configured to receive sensitive data from a vendor, determine a token key for the vendor, and utilize a proprietary algorithm, based on the token key to generate a vendor-specific token that is associated with the sensitive data. Some systems and/or methods include creating a token identifier that comprises data related to the token key and sending the vendor-specific token and the token identifier to the vendor.
    Type: Grant
    Filed: May 27, 2011
    Date of Patent: January 27, 2015
    Assignee: Vantiv, LLC
    Inventors: Bryan T. Bailey, John Romer, Chris Doyle, Jeremy Gifford, Kevin Zibart
  • Publication number: 20150025874
    Abstract: A method for securing electronic transactions includes associating a mobile electronic device with a first user. A first computer system retrievably stores registration data relating to the first user, including a device identifier that is unique to the mobile electronic device. A security application that supports in-application push notifications is installed on the mobile electronic device. The first computer system sends a push notification to the mobile electronic device, the push notification prompting the first user to provide a confirmation reply via a user interface of the security application for activating the mobile electronic device as a security token. The mobile electronic device is activated as a security token for the first user in response to receiving at the first computer system, from the mobile electronic device, the confirmation reply from the first user.
    Type: Application
    Filed: July 18, 2014
    Publication date: January 22, 2015
    Inventor: Diego Matute
  • Patent number: 8938790
    Abstract: A method and system for providing secure access to a remote file is disclosed. According to one embodiment, a portable memory device containing a secure desktop is provided to a user. The user has a user device that removably accepts the portable memory device. The user is allowed to securely access a dedicated storage of the cloud storage system that is created at a request from an administrator. The secure desktop runs independently from a user desktop of the user device. The user's access to a local storage of the user device is blocked while the secure desktop is running.
    Type: Grant
    Filed: November 14, 2012
    Date of Patent: January 20, 2015
    Assignee: Brainzsquare Inc.
    Inventors: Seon Geun Kang, Jeong Hwan Park
  • Publication number: 20150020185
    Abstract: Methods and apparatuses, including computer program products, are described for communication session transfer between a plurality of computing devices. A first computing device detects a presence of a second computing device in proximity to the first device, where the first device has established a first communication session with a remote computing device. The first device establishes a wireless connection to the second device. A first token is transmitted to the second device. A second token is received from the second device. The second token is authenticated via comparison to the first token. The first device transmits, to the second device, information indicating a state of the first communication session to enable the second device to establish a second communication session with the remote device, where the second communication session is established using the state of the first communication session.
    Type: Application
    Filed: August 25, 2014
    Publication date: January 15, 2015
    Inventors: John C. McDonough, Hadley Rupert Stern
  • Patent number: 8935306
    Abstract: A method for running a computer application for interfacing with a crew of a vehicle, for example an aircraft, to a corresponding system and to an aircraft including the system. The method reads a removable medium, including the application to be run, by a removable-medium reader with which an on-board running system in the vehicle is equipped, and runs the application by a running mechanism with which the running system is equipped and connected to the removable-medium reader. The running of the application requires permanent recording of data necessary for execution thereof only on the removable medium. As an example, a portable application is used or the running system is booted from an installed operating system provided on the removable medium.
    Type: Grant
    Filed: January 7, 2009
    Date of Patent: January 13, 2015
    Assignee: Airbus Operations SAS
    Inventor: Jean-Philippe Corbefin
  • Patent number: 8935757
    Abstract: A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: January 13, 2015
    Assignee: Oracle International Corporation
    Inventors: Venkataraman Uppili Srinivasan, Rajeev Angal, Ajay Sondhi
  • Patent number: 8935770
    Abstract: In order to prevent leakage of data possessed by a tenant to other tenants in multitenant service, it is necessary to control access. However, the conventional access control method is designed and developed to meet a specified request. Thus, costs for a dedicated design, development, administration, and maintenance need to be considered. Such costs can be reduced by using role information for each of a plurality of services and determining whether to allow or not allow access in a uniform manner.
    Type: Grant
    Filed: June 19, 2012
    Date of Patent: January 13, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hayato Matsugashita
  • Patent number: 8935604
    Abstract: Embodiments of methods and systems for incorporating user generated content into a web page are disclosed. In particular, embodiments of such systems and methods may incorporate user generated content into a web page such that the user generated content can be consumed by indexers associated with search engines in association with that web page. Additionally, embodiments may also provide a mechanism by which user generated content may be received and included in a web page when that web page is rendered. Using embodiments as disclosed herein user generated content may be exposed to a search engine indexer in a web page while still providing a mechanism for incorporating the freshest user generated content in such a web page. Embodiments may also improve the ability of search engines or search engine indexers to determine the site of origin for such user content.
    Type: Grant
    Filed: November 4, 2011
    Date of Patent: January 13, 2015
    Assignee: Bazaarvoice, Inc.
    Inventors: Michael Lee DeHaven, David Alan Gee, Subbalakshmi Iyer
  • Publication number: 20150012996
    Abstract: A service provider may provide one or more services to and/or for a client. Providing a service may involve receiving a service request including a security token at the service provider and determining whether the security token is valid. Providing the service may also involve determining a session security token if the security token is valid and generating a service response including the session security token. Providing the service may further involve receiving a service request including the session security token, determining whether the session security token is valid, and, if the session security token is valid, generating a second service response.
    Type: Application
    Filed: July 16, 2014
    Publication date: January 8, 2015
    Inventor: Conor P. Cahill
  • Patent number: 8931072
    Abstract: The method is for activating a device. A communication device is provided that is in communication with a server unit that has a processor for generating a number series. An application device has a processor for generating a number series. The communication device is not communicating directly with the application device. The user sends a message including the identification number to the server. The server identifies a code number pointed at by a pointer and sends back the code number. The pointer steps forward in the number series at predetermined time intervals. The user enters the code number into the application device. The processor compares the code number with a number pointed at by a pointer and sends an activation signal to an activation device to activate the application device.
    Type: Grant
    Filed: March 14, 2008
    Date of Patent: January 6, 2015
    Inventor: Niklas Magnusson
  • Publication number: 20150007300
    Abstract: Provided are management and use of an authentication medium, and specifically, to an apparatus and method for registering and using an IC card as an authentication medium in a user terminal. An apparatus for using the IC card as the authentication medium includes an ID extracting module configured to extract identification information from the IC card that performs near field communication with a user terminal; an ID checking module configured to determine whether the extracted identification information matches identification information of the IC card that is previously registered as an authentication medium; and a security service module configured to provide a security service interface for a security service provided by the determined IC card.
    Type: Application
    Filed: June 30, 2014
    Publication date: January 1, 2015
    Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Soo-Hyung KIM, Seok-Hyun KIM, Seung-Hyun KIM, Jong-Hyouk NOH, Sang-Rae CHO, Young-Seob CHO, Jin-Man CHO, Seung-Hun JIN, Dae-Seon CHOI, Hyun-Sook CHO
  • Publication number: 20150007301
    Abstract: Identity-independent authentication tokens enable issuance of a single strong credential that can be mapped to an individual at each of multiple accounts within the online world. An issuer generates one or more authentication tokens for issuance to individuals or other entities. In some instances, each of these authentication tokens comprises a unique serial number. The individual or other entity may then request an authentication token from the issuer. The issuer may then issue the token to the individual without the need to ask or require the individual to identify himself or herself. The individual may then map this issued authentication token to the individual's password at each of the individual's online accounts.
    Type: Application
    Filed: September 15, 2014
    Publication date: January 1, 2015
    Inventor: Richard Van Horn
  • Patent number: 8924306
    Abstract: A method is presented for rebooting a local data processing entity requiring an access code to boot. The method may include receiving, on a local entity, an access code from a remote entity. The access code may be stored on an auxiliary device coupled to the local entity. The local entity may receive a reboot command from the remote entity and begin rebooting in response thereto. The auxiliary device may provide the access code to the local entity in response to the beginning of the reboot. The access code may then be deleted from the auxiliary device.
    Type: Grant
    Filed: March 24, 2009
    Date of Patent: December 30, 2014
    Assignee: International Business Machines Corporation
    Inventors: Stefano Borghetti, Gianluca Della Corte, Leonida Gianfagna, Antonio Sgro′