
Central trusted authority provides computer authentication

Subclass of:

713 - Electrical computers and digital processing systems: support

713150000 - MULTIPLE COMPUTER COMMUNICATION USING CRYPTOGRAPHY

Patent class list (only non-empty classes are listed)

Deeper subclasses:

Class | Description | Number of patent applications
713156000 | By certificate | 500
713159000 | Including intelligent token | 29
Entries
DocumentTitleDate
20130031359METHOD AND SYSTEM FOR MODULAR AUTHENTICATION AND SESSION MANAGEMENT - Modular authentication and session management involves the use of discrete modules to perform specific tasks in a networked computing environment. There may be a separate authentication server that verifies the identity of the user and an authorization client that grants various levels of access to users. There may also be an authentication client that receives an initial request from a requesting application and forwards the request to the authentication server to verify the identity of the use. The authorization client may then be invoked to provide the necessary level of access. The use of discrete modules allows multiple business applications to use the same modules to perform user authentication tasks, thus alleviating the unnecessary multiplication of code.01-31-2013
20090077373SYSTEM AND METHOD FOR PROVIDING VERIFIED INFORMATION REGARDING A NETWORKED SITE - A system and method are disclosed for presenting a message relating to a networked site on an end-user device, the message preferably originating from a third party that is not a provider of the site. The end-user device receives a message blob containing the message and associated verification information when the networked site is accessed. A verification application then sends a request to verify the authenticity of a message blob to a verification server. If the verification server verifies that the message blob is authentic based on the verification information, presentation of the site-specific information on the end-user device is enabled.03-19-2009
20100088506METHOD AND SYSTEM FOR PROVIDING A REL TOKEN - The embodiments relate to a method for providing at least one REL (Rights Expression Language) token, the REL-token or tokens being provided in a message by a MIME (Multipurpose Internet Mail Extension) protocol.04-08-2010
20110202758APPARATUS FOR PROVIDING SECURITY OVER UNTRUSTED NETWORKS - A network security apparatus adapted to provide for secure communications across data networks, including untrusted networks. In one embodiment, the security apparatus comprises one or more components disposed within the software stack of a computerized device, the components including an association process adapted to establish security associations between devices on the network, and an encryption key generation process adapted to generate one or more encryption keys. In one variant, the keys are specifically for use with temporary or ad hoc security associations. The one or more keys are exchanged according to a key exchange protocol after the device is authenticated or authenticates another device. In one implementation, the device comprises a portable device such as a laptop computer.08-18-2011
20130086376SECURE INTEGRATED CYBERSPACE SECURITY AND SITUATIONAL AWARENESS SYSTEM - An integrated cyber security system for an organization, such as a governmental or private organization, is disclosed. The security system is installable across an organization and configured to monitor and protect against cyberspace or electronic data vulnerabilities. The security system includes a situational awareness application configurable to receive one or more definitions describing known electronic data access points associated with the organization. The system also includes a communication security system providing cryptographic communications among each of a plurality of users affiliated with the organization and configured to establish a plurality of communities of interest. The system also includes a reporting module configured to generate a plurality of reports based on information gathered across the organization from the situational awareness application and communicate one or more of the plurality of reports to one or more of the communities of interest.04-04-2013
20130080769SYSTEMS AND METHODS FOR SECURING NETWORK COMMUNICATIONS - Secure communications may be established amongst network entities for performing authentication and/or verification of the network entities. For example, a user equipment (UE) may establish a secure channel with an identity provider, capable of issuing user identities for authentication of the user/UE. The UE may also establish a secure channel with a service provider, capable of providing services to the UE via a network. The identity provider may even establish a secure channel with the service provider for performing secure communications. The establishment of each of these secure channels may enable each network entity to authenticate to the other network entities. The secure channels may also enable the UE to verify that the service provider with which it has established the secure channel is an intended service provider for accessing services.03-28-2013
20130080768SYSTEMS AND METHODS FOR SECURE COMMUNICATIONS USING AN OPEN PEER PROTOCOL - A cryptographic system and method for providing secure peer to peer communications over a network. The invention includes systems and methods for generating unique keys in a key-space, using a third party authentication system to provide identities for owners of those keys, proving the ownership of the keys, using a distributed database for establishing any kind of secure communication between two or more parties, and using the ownership of the keys in the key-space to establish secure communications03-28-2013
20130036301Distributed Cryptographic Management for Computer Systems - A distributed cryptographic management system can include: a central key management service accessible through the network and having a database associated therewith; an approval module programed to receive approval for any client machines connectable to the network and applications associated with the client machines, the database storing records for the client machines, and a key management domain being defined by all approved client machines and applications; and an agent module programmed to provide key management agents, wherein the key management agents are transferable and installable on any of the approved client machines and applications within the key management domain.02-07-2013
20090158029MANUFACTURING UNIQUE DEVICES THAT GENERATE DIGITAL SIGNATURES - A method of manufacturing devices that generate digital signatures such that each device may be reliably and uniquely identified includes creating a public-private key pair within each device during manufacture; exporting only the public key from the device; retaining the private key within the device against the possibility of divulgement thereof by the device; and securely linking said exported public key with other information within the environment of the manufacture of the device, whereby each device is securely bound with its respective public key. A database of PuK-linked account information of users is maintained. The PuK-linked account information for each user includes a public key of such a device; information securely linked with the public key during manufacture; and third-party account identifiers, each of which identifies an account to a third-party of the user maintained with the third-party that has been associated with the user's public key by the third-party.06-18-2009
20090158028DRM METHOD AND DRM SYSTEM USING TRUSTED PLATFORM MODULE - The present invention relates to a terminal apparatus including a trusted platform module (TPM) and a DRM method using the same. The terminal apparatus receives information on a validity period from a server, uses the TPM generates a public key including the information on the validity period, transmits the public key to the server, receives encoded digital contents from the server, and uses the TPM to decode the received digital contents.06-18-2009
20100106964AUTHENTICATION TERMINAL, AUTHENTICATION SERVER, AND AUTHENTICATION SYSTEM - In registration, a feature array x[i] obtained by client is basis-transformed into array X[i], transformed with a transformation filter array K[i] into a template array T[i] to be registered in the client. In authentication, the feature array y[i] is basis-transformed into an array Y[i] after inversely sorting and applied to filter K by computation V[i]=Y[i]K[i]. The server obtains array e[i]=Enc (T[i]), and the client obtains e′[i]=Enc (Σ04-29-2010
20100106963System and method for secure remote computer task automation - A system includes a third party authority in communication with a client computer and a target computer. The third party authority is configured to receive a request including authentication information and an access request from the client computer. The third party authority is configured to authenticate the client computer based on the authentication information and to process the access request to grant the client computer access to the target computer to perform a task on the target computer, the access request including the task. The third party authority is further configured to send an access token to the client computer to access the target computer to perform the task, to receive the access token from the target computer for validation, to validate the received access token based on the request for the target computer to process the task, and to grant the target computer permission to process the task upon validation.04-29-2010
20090125715METHOD AND APPARATUS FOR REMOTELY AUTHENTICATING A COMMAND - A system that remotely authenticates a command is presented. During operation, an authentication system receives the command from an intermediary system, wherein the command is to be executed on a target system. Next, the authentication system authenticates the intermediary system. If the intermediary system is successfully authenticated, the authentication system authenticates the command using a private key for the authentication system to produce an authenticated command. Next, the authentication system sends the authenticated command to the intermediary system, thereby enabling the intermediary system to send the authenticated command to the target system so that the target system can use a public key for the authentication system to verify and execute the command.05-14-2009
20130046971AUTHENTICATION METHOD, SYSTEM AND DEVICE - An authentication method, system and device are provided by the embodiments of the present invention. Said method includes the following steps: an Application Server (AS) receives an AS access request, which carries a user identifier, transmitted by a User Equipment (UE); the AS generates a key generation request based on the user identifier and transmits it to a network side; the AS receives the key transmitted by the network side, and authenticates the UE according to the key. In the present invention, generating the key between a terminal without a card and the AS is implemented, and the AS authenticates the UE using the generated key, and the security of the data transmission is improved.02-21-2013
20090044007Secure Communication Between a Data Processing Device and a Security Module - A method of creating a secure link between a data processing device (MOB) and a security module (USIM), the data processing device being adapted to communicate with a security module storing a secret data item (k) necessary for the execution by the device of a data processing task, the data processing device and the security module being adapted to communicate with a telecommunications network (RES), wherein the method comprises the steps of: identifying the data processing device (MOB) and the module (USIM) for which a secure link is to be set up in order to send said secret data item (k) from the module to the device; a step of delivering an encryption key (K) in which a trusted server (SC) connected to the telecommunications network delivers an encryption key (K) both to the module (USIM) and to the data processing device (MOB) that have been identified; an encryption step in which said secret data item (k) is encrypted in the module by means of said encryption key (K); a transmission step in which the result of the encryption step is sent by the module (USIM) that has been identified to the device (MOB) that has been identified; and a decryption step in which the device (MOB) decrypts the result that has been received by means of said encryption key (K) that has been received and obtains said secret data item (k).02-12-2009
20090327700METHOD AND SYSTEM FOR VIRTUALIZATION OF TRUSTED PLATFORM MODULES - A method, an apparatus, a system, and a computer program product is presented for virtualizing trusted platform modules within a data processing system. A virtual trusted platform module along with a virtual endorsement key is created within a physical trusted platform module within the data processing system using a platform signing key of the physical trusted platform module, thereby providing a transitive trust relationship between the virtual trusted platform module and the core root of trust for the trusted platform. The virtual trusted platform module can be uniquely associated with a partition in a partitionable runtime environment within the data processing system.12-31-2009
20090313466Managing User Access in a Communications Network - A method of operating a node for performing handover between access networks wherein a user has authenticated for network access in a first access network. The method comprises receiving from a home network a first session key and a temporary identifier allocated to the user for the duration of a communication session. The identifier is mapped to the first session key, and the mapped identifier and key are stored at the node. A second session key is derived from the first session key and the second session key is sent to an access network, and the identifier sent to a user terminal. When the user subsequently moves to a second access network, the node receives the identifier from the user terminal. The node then retrieves the first session key mapped to the received identifier, derives a third session key and sends the third session key to the second access network.12-17-2009
20120191971METHOD AND DEVICES FOR SECURE COMMUNICATIONS IN A TELECOMMUNICATIONS NETWORK - A secure communications method is provided for use in a telecommunications network, wherein a transaction between an entity A and an entity B of the network comprises: entity A sending an authorization request to an Authorization Server S, in which request the entity A identifies itself and authenticates itself; the entity A declares to the Authorization Server its intention to communicate with a certain entity B; the Authorization Server determines a secret key that it shares with the entity B; the Authorization Server generates a session key and sends it to the entity A; the session key being a one-way function of the secret key and also being a function of an integer (transaction number) allocated to the transaction; the Authorization Server also generates a transaction identifier that is a function depending at least on the transaction number in non-invertible manner.07-26-2012
20130073843Network Security Content Checking - Methods, apparatus, and programs for a computer for network security content checking: in particular ones which simplify the critical element of a content checker so it can be trusted and implemented in logic.03-21-2013
20130061040SYSTEMS AND METHODS FOR PROTECTING ALTERNATIVE STREAMS IN ADAPTIVE BITRATE STREAMING SYSTEMS - Systems and methods for performing adaptive bitrate streaming using alternative streams of protected content in accordance with embodiments of the invention are described. One embodiment includes a processor, and non-volatile storage containing an encoding application. In addition, the encoding application configures the processor to: receive source content; obtain common cryptographic information; encode the source content as a plurality of streams including a plurality of alternative streams of content; and protect the plurality of alternative streams of content using the common cryptographic information.03-07-2013
20090271618ATTESTATION OF COMPUTING PLATFORMS - A method and apparatus for attesting the configuration of a computing platform to a verifier. A signature key (SK) is bound to the platform and bound to a defined configuration of the platform. A credential (C(SK), C10-29-2009
20090271617PRIVACY PROTECTED COOPERATION NETWORK - A computerized method and apparatus are established to identify a subject of common interest among multiple parties without releasing the true identity of any subject. Furthermore, a computerized network provides different parties at different locations with a mechanism to conduct cooperative activities concerning such a subject of common interest without exposing that subject to possible identity theft.10-29-2009
20130067217SYSTEM AND METHOD FOR PROTECTING ACCESS TO AUTHENTICATION SYSTEMS - A system and method for protecting access to authentication systems. A mediator may accept original authentication credentials from a client, may process the authentication credentials to provide processed authentication credentials and may forward the processed authentication credentials to an authentication system. Processing original authentication credentials may include encrypting at least one portion of original authentication credentials.03-14-2013
20130067216IN-MARKET PERSONALIZATION OF PAYMENT DEVICES - Systems and methods for remotely personalizing payment devices for consumers are described. In an embodiment, a system includes a MOTAPS server computer that provides data preparation functions and a trusted service provider (TSP) personalization server computer. The system also includes a service provider computer operably coupled to the TSP personalization server computer, and a remote personalization device (RPD) operably coupled to the service provider computer. The RPD transmits personalization requests, receives personalization data, and personalizes a payment device before providing the personalized payment device to a consumer.03-14-2013
20120117380Method for Granting Authorization to Access a Computer-Based Object in an Automation System, Computer Program, and Automation System - An identifier is determined for a control program, and the identifier is encrypted based on a private digital key associated with a control and monitoring unit of the automation system to grant authorization to access a computer-based object in an automation system. A first service of the automation system is provided based on the computer-based object, and a second service of the automation system is provided based on the control program. The encrypted identifier is decrypted when being transmitted to an authentication service and is verified by the authentication service. If the verification process has been successful, the authentication service transmits a temporarily valid token to the second service. When the control program requests access to the computer-based object, the token is transmitted to the first service for checking purposes. The control program is granted access to the computer-based object if the result of the checking process is positive.05-10-2012
20120117379METHODS FOR HANDLING REQUESTS BETWEEN DIFFERENT RESOURCE RECORD TYPES AND SYSTEMS THEREOF - A method, computer readable medium, and device for handling requests between different resource record types includes receiving at a traffic management device a first resource record type from one or more server devices in response to a request from a client device. The traffic management device validates the first resource record type, and creates a second resource record type corresponding to the first resource record type after the validating. Signing the second resource record type at the traffic management device is carried out for servicing the request from the client device.05-10-2012
20110022837Method and Apparatus For Performing Secure Transactions Via An Insecure Computing and Communications Medium - The present invention comprises a user interface hardware implementation and associated method for providing a means to achieve secure transactions between a human user and a remote computing facility or service, wherein the transaction is performed such that intermediate nodes, including the human user's primary computation device (e.g. personal computer, cellphone, etc.) need not be trustworthy while still preserving the privacy and authenticity of communications between the human user and remote computing facility or service.01-27-2011
20110022836Method and apparatus for securing the privacy of a computer network - A method and apparatus for secure access to a computer network and for safeguarding the confidentiality and privacy of data stored and distributed by the network is disclosed. The method and apparatus addresses both limiting access to the computer network to those who are authorized to have access as well as the privacy of the information stored in the network.01-27-2011
20090013176APPLICATION LEVEL INTEGRATION IN SUPPORT OF A DISTRIBUTED NETWORK MANAGEMENT AND SERVICE PROVISIONING SOLUTION - An integrated data network management and data service provisioning environment is provided. The integrated environment includes legacy software application code and current software application code each augmented with code portions enabling exchange of information therebetween via an interworking layer. A facility for participation in and interacting with the integrated environment is also provided. A man-machine interface is integrated across different applications which themselves may be executed on different computers to provide a seamless exchange of information. The advantages are derived from enhanced usage efficiencies in providing data network management and service provisioning solutions. The interworking layer also provides for security enforcement across applications participating in the integrated environment.01-08-2009
20090006843METHOD AND SYSTEM FOR PROVIDING A TRUSTED PLATFORM MODULE IN A HYPERVISOR ENVIRONMENT - A method is presented for implementing a trusted computing environment within a data processing system. A hypervisor is initialized within the data processing system, and the hypervisor supervises a plurality of logical, partitionable, runtime environments within the data processing system. The hypervisor reserves a logical partition for a hypervisor-based trusted platform module (TPM) and presents the hypervisor-based trusted platform module to other logical partitions as a virtual device via a device interface. Each time that the hypervisor creates a logical partition within the data processing system, the hypervisor also instantiates a logical TPM within the reserved partition such that the logical TPM is anchored to the hypervisor-based TPM. The hypervisor manages multiple logical TPM's within the reserved partition such that each logical TPM is uniquely associated with a logical partition.01-01-2009
20090006842Sealing Electronic Data Associated With Multiple Electronic Documents - The description generally provides for systems and methods for a mobile communication network. Archives of seals can be sealed to protect the integrity of the seals and facilitate validation in the event a sealing party's sealed registration document is revoked. A document can be sealed multiple times to nest seals within other seals. Specific evidentiary metadata can be included by the sealing party. A main document including or associated with other documents can be sealed as a collection of documents. The seal of the main document can include external references to the files included in the main document to verify the external files were not changed or altered.01-01-2009
20130166906Methods and Apparatus for Integrating Digital Rights Management (DRM) Systems with Native HTTP Live Streaming - Methods and apparatus for integrating digital rights management (DRM) systems with native HTTP live streaming. Several methods for integrating a DRM system with HTTP live streaming on an operating system (OS) platform are described. In each of these methods, a manifest is delivered to an application on a device; the application then accesses a remote DRM server to obtain a license and one or more keys for the content. The DRM server enforces the rights of the client in regard to the indicated content. The application may modify the manifest to indicate a method for obtaining the key. The application delivers the manifest to the OS, which uses the indicated method (e.g., a URL) to obtain the key. While similar, the methods primarily differ in the manner in which the OS is directed to obtain the key.06-27-2013
20110035584SECURE REMOTE SUBSCRIPTION MANAGEMENT - A method and apparatus are disclosed for performing secure remote subscription management. Secure remote subscription management may include providing the Wireless Transmit/Receive Unit (WTRU) with a connectivity identifier, such as a Provisional Connectivity Identifier (PCID), which may be used to establish an initial network connection to an Initial Connectivity Operator (ICO) for initial secure remote registration, provisioning, and activation. A connection to the ICO may be used to remotely provision the WTRU with credentials associated with the Selected Home Operator (SHO). A credential, such as a cryptographic keyset, which may be included in the Trusted Physical Unit (TPU), may be allocated to the SHO and may be activated. The WTRU may establish a network connection to the SHO and may receive services using the remotely managed credentials. Secure remote subscription management may be repeated to associate the WTRU with another SHO.02-10-2011
20110035583AUTHENTICATION APPARATUS, AUTHENTICATION SYSTEM, AUTHENTICATION METHOD AND COMPUTER READABLE MEDIUM - An authentication apparatus includes an accepting unit and an instructing unit. The accepting unit accepts a request, which requests to issue an authentication medium for a second user, from a first user who is authenticated. The instructing unit instructs to issue the authentication medium for the second user.02-10-2011
20100153709Trust Establishment From Forward Link Only To Non-Forward Link Only Devices - In the present system three methods are provided for establishing trust between an accessory device and a host device, without placing trust in the device/host owner, so that content protection for subscriber-based mobile broadcast services is provided. That is, a secure link may be established between the accessory device and the host device so when the accessory device receives encrypted content via a forward link only network, the accessory device may decrypt the content at the forward link only stack and then re-encrypt it or re-secure it using the master key or some other derived key based on the master key (or the session key) and then send it to the host device which can decrypt it play it back.06-17-2010
20080282084METHODS AND APPARATUS FOR SECURE OPERATING SYSTEM DISTRIBUTION IN A MULTIPROCESSOR SYSTEM - Methods and apparatus provide for: decrypting a first of a plurality of operating systems (OSs) within a first processor of a multiprocessing system using a private key thereof, the plurality of OSs having been encrypted by a trusted third party, other than a manufacturer of the multiprocessing system, using respective public keys, each paired with the private key; executing an authentication program using the first processor to verify that the first OS is valid; and executing the first OS on the first processor.11-13-2008
20080209206Apparatus, method and computer program product providing enforcement of operator lock - A data blob has an operator's certificate that specifies a network. The data blob is encrypted by the network using a private key that authenticates that a user device owns a MAC address. The network sends the encrypted data blob to the user device, which decrypts it using a private key that is locally stored in the user device. From that the user device obtains the operator's certificate, locks the user device to a network specified by the operator's certificate, and sends a response message signed with the private key. The network grants access to the user device based on the signed response message. Various embodiments and further details are detailed. This technique is particularly useful for a WiMAX or WLAN/WiFi network in which there is no SIM card to lock the device to the network.08-28-2008
20110302410SECURE DOCUMENT DELIVERY - A method, machine-readable medium, and server to create a key, set an expiration event for the key to expire, send the key to a first client device to encrypt the document, authenticate a second client device that is in receipt of the encrypted document, delete the key if the expiration event has occurred, and send the key from to the authenticated second client device to decrypt the document if the expiration event has not yet occurred. For one embodiment, the key is used by client devices for encryption and decryption of the document only and is not otherwise accessible to the client devices. For one embodiment, the server facilitates sending the encrypted document to the second client device but does not retain a copy of the encrypted document.12-08-2011
20110289313Ticket Authorization - A method for issuing tickets in a communication system comprising a plurality of nodes that are capable of establishing a communication connection between two or more clients, the method comprising a first client transmitting to a ticket-issuing service a request for a ticket authorizing the first client to establish a communication connection with a second client, the ticket-issuing service determining if the first client is authorized to establish the requested communication connection and if the first client is determined to be authorized to establish the requested communication connection, the ticket-issuing service transmitting to the first client one or more tickets designating the second client which authorizes the first client to establish the requested connection with the second client by means of one or more of the plurality of nodes.11-24-2011
20110289314PROXY AUTHENTICATION NETWORK - A Proxy Authentication Network includes a server that stores credentials for subscribers, along with combinations of devices and locations from which individual subscribers want to be authenticated. Data is stored in storage: the storage can be selected by the subscriber. The data stored in the storage, which can be personally identifiable information, can be stored in an encrypted form. The key used to encrypt such data can be divided between the storage and server. In addition, third parties can store portions of the encrypting key. Subscribers can be authenticated using their credentials from recognized device/location combinations; out-of-band authentication supports authenticating subscribers from other locations. Once authenticated, a party can request that the encrypted data be released. The portions of the key are then assembled at the storage. The storage then decrypts the data, generates a new key, and re-encrypts the data for transmission to the requester.11-24-2011
20110197060Externally Managed Security and Validation Processing Device - An externally managed security and validation processing device includes a cryptographic processing subsystem configured for performing security or validation services; an application interface configured for communicating security or validation services with an application system; and a secure management interface configured for communicating information, including configuration information for the cryptographic processing system for performing said security or validation services, with a service profile system external to the apparatus without passing said configuration information through the application system. The service profile system can typically also migrate security services provided by one apparatus to another apparatus.08-11-2011
20110296170TOLERANT KEY VERIFICATION METHOD - A tolerant key verification method is provided. The tolerant key verification method comprises the following steps. A first key is generated instantly according to first characteristic values from a user terminal and is transmitted to a verification server to perform a comparison. When a data in the verification server matches the first key, the verification server makes no response and asks a network-service server to provide a network service to the user terminal. When the data doesn't match the first key, the verification server makes no response. When no data is available, the verification server makes no response and asks a message server to send a key-regeneration signal to the user terminal such that the user terminal generates a second key instantly according to second characteristic values. The verification server saves the second key and asks the network-service server to provide the network service to the user terminal.12-01-2011
20080307220VIRTUAL CLOSED-CIRCUIT COMMUNICATIONS - A virtual closed circuit supports transactions between businesses and consumers. More generally, techniques are disclosed for supporting a secure, non-public, business-to-consumer communication link suitable for use with financial transactions and other data communications related thereto. The communication link may be deployed in a desktop widget or other application to integrate communications and interactions with various authenticated online businesses.12-11-2008
20100005290METHOD OF IDENTITY PROTECTION, CORRESPONDING DEVICES AND COMPUTER SOFTWARES - A method is provided for authenticating a client terminal with an authentication server. The client terminal holds an authentication certificate. The method includes the following phases: obtaining at least one encryption parameter by the client terminal; encrypting the authentication certificate by the client terminal, based on the at least one encryption parameter, delivering an encrypted authentication certificate; transmitting the encrypted authentication certificate to the server; obtaining the at least one encryption parameter by the server; decrypting the encrypted authentication certificate, based on the at least one encryption parameter, authenticating and delivering an authentication assertion if the authentication is positive.01-07-2010
20100005289Methods and apparatus for protecting digital content - A processing system to serve as a source device for protected digital content comprises a processor and control logic. When used by the processor, the control logic causes the processing system to generate cipher data, based at least in part on (a) a session key and (b) at least one constant value obtained from a certificate authority. The processing system may use the cipher data to encrypt data, and the processing system may transmit the encrypted data to a receiving device via a wireless connection. Other embodiments are described and claimed.01-07-2010
20100070758Group Formation Using Anonymous Broadcast Information - A number of devices co-located at a geographic location can broadcast and receive tokens. Tokens can be exchanged using a communication link having limited communication range. Tokens that are received by a device can be stored locally on the device and/or transmitted to a trusted service operating remotely on a network. In some implementations, the tokens can be stored with corresponding timestamps to assist a trusted service in matching or otherwise correlating the tokens with other tokens provided by other devices. The trusted service can perform an analysis on the tokens and timestamps to identify devices that were co-located at the geographic location at or around a contact time which can be defined by the timestamps. A group can be created based on results of the analysis. Users can be identified as members of the group and invited to join the group.03-18-2010
20100153707Systems and Methods for Real-Time Verification of A Personal Identification Number - The present invention is directed to improved methods and systems for verifying a person's personal identification data. In one embodiment, the system includes programmatic modules stored on computer readable media. The programmatic modules receive login credentials from a computing device and verify credentials, generate and communicate a request form for accessing personal identification data associated with a person, receive input data from a computing device in response to a request form, test input data in relation to a minimum required data set for requesting personal identification data, format input data into an electronic request in accordance with a predefined format, store, search, and identify a consent form, which establishes a valid consent by a person to access personal identification data, associate the electronic request for a person's personal identification data with a consent form, and transmit the electronic request in accordance with a predefined format to another computing device.06-17-2010
20100161966MUTUAL AUTHENTICATION APPARATUS AND METHOD IN DOWNLOADABLE CONDITIONAL ACCESS SYSTEM - A mutual authentication method in a Downloadable Conditional Access System (DCAS) is provided. The mutual authentication method may receive authentication-related information about authentication between an authentication unit and a security module (SM) from a Trusted Authority (TA), generate an authentication session key using the authentication-related information, transmit the authentication session key by the authentication unit to the SM through a Cable Modem Termination System (CMTS), and control a Conditional Access System (CAS) software to be downloaded to the SM from the authentication unit, when the authentication is completed by the authentication session key.06-24-2010
20100268941REMOTE-SESSION-TO-GO METHOD AND APPARATUS - Examples of systems and methods are provided for communication and for facilitating establishing a remote session between a client device and a remote server. The system may facilitate establishing a trusted relationship between the client device and a host device. The system may be configured to receive login information from the host device for a first remote session established between the host device and the remote server. The system may facilitate continuing the first remote session previously established between the host device and the remote server as a continued remote session between the client device and the remote server.10-21-2010
20100268939METHOD AND APPARATUS FOR AUTHENTICATION OF A REMOTE SESSION - Examples of systems and methods are provided for facilitating establishing a remote session between a host device and a remote server. The system may facilitate establishing a trusted relationship between a client device and the host device. The system may provide remote session login information to the host device to enable the host device to establish a first remote session with the remote server. The system may launch a second remote session with the remote server using the login information.10-21-2010
20110191578Method for digital identity authentication - In a preferred embodiment of the invention, an authenticating device (08-04-2011
20090282239SYSTEM, METHOD AND PROGRAM PRODUCT FOR CONSOLIDATED AUTHENTICATION - A first computer sends a request to the second computer to access the application. In response, the second computer determines that the user has not yet been authenticated to the application. In response, the second computer redirects the request to a third computer. In response, the third computer determines that the user has been authenticated to the third computer. In response, the third computer authenticates the user to the application. In response, the second computer returns a session key to the third computer for a session between the application and the user. The session has a scope of the second computer or the application but not a scope of a domain. In response to the authentication of the user to the second application and receipt by the third computer of the session key from the second computer for a session between the user and the second computer or the application, the third computer generates another session key with a scope of the domain and sends the domain-scope session key to the first computer. The first computer sends another request to the application with the domain-scope session key.11-12-2009
20100169640Method and system for enterprise network single-sign-on by a manageability engine - A manageability engine (ME) receives an authentication response from a user during pre-boot authentication and registers the user with a key distribution center (KDC), indicating that the user has successfully authenticated to the PC. The KDC supplies the ME with single-sign-on credentials in the form of a Key Encryption Key (KEK). The KEK may later be used by the PC to obtain a credential used to establish secure access to Enterprise servers.07-01-2010
20120131331System And Method For End To End Encryption - Systems and methods for end-to-end encryption are disclosed. According to one embodiment, a method for device registration includes (1) an application executed by a computer processor receiving a user password from a user; (2) using the computer processor, the application combining the user password and a password extension; (3) using the computer processor, the application cryptographically processing the combined user password and password extension, resulting in cryptographic public information; and (4) providing the cryptographic public information to a server. The user password is not provided to the server. In another embodiment, a method for user authentication includes (1) using a computer processor, receiving a login page from a server; (2) sending a Hash-based Message Authentication Code to the server; and (3) receiving an authentication from the server. In one embodiment, the login page may include a transkey and a value B.05-24-2012
20100115265System And Method For Enhanced Network Entrance Into A Wireless Network - In one embodiment, a method for wireless communication includes providing, at a base station, access to a network to a preferred endpoint. The method includes sending, at the base station, at least one cryptographic parameter to the preferred endpoint. In addition, the method includes receiving, at the base station, a plurality of ranging codes from the preferred endpoint. The plurality of ranging codes are received after the base station has ceased providing the preferred endpoint access to the network. Also, the method includes determining, at the base station, that the plurality of received ranging codes correspond to a plurality of ranging codes of a predetermined set of ranging codes. The predetermined set of ranging codes is determined utilizing the at least one cryptographic parameter. Further, the method includes providing, at the base station, an entrance to the network to the preferred endpoint in response to determining that the plurality of received ranging codes correspond to the plurality of ranging codes of the predetermined set of ranging codes.05-06-2010
20090187759SYSTEMS, METHODS, AND COMPUTER READABLE MEDIA FOR APPLICATION-LEVEL AUTHENTICATION OF MESSAGES IN A TELECOMMUNICATIONS NETWORK - Systems, methods, and computer readable media for application-level authentication in a telecommunications network are disclosed. According to one aspect, the subject matter described herein includes a method for application-level authentication of messages in a telecommunications network. The method includes, at a node in a telecommunications network, receiving, from a personal communications device having a user, a message requiring application-level authentication, the message including information associated with the user and incorporating first authentication information associated with the user, the first authentication information being provided from a source that is not the user of the personal communications device. A request for second authentication information associated with the user is sent to an authentication server. Second authentication information associated with the user is received from the authentication server, and the authenticity of the message is determined based on the second authentication information associated with the user.07-23-2009
20090037726SECURE VERIFICATION USING A SET-TOP-BOX CHIP - One or more methods and systems of authenticating or verifying a set-top-box chip in a set-top-box are presented. In one embodiment, a set-top-box incorporates a set-top-box chip used to decode or decrypt media content provided by a cable television operator or carrier. The set-top-box chip incorporates a decryption circuitry, a compare circuitry, a hash function circuitry, a key generation circuitry, a back channel return circuitry, a linear feedback shift register, a timer reset circuitry, a modify enable status circuitry, a one time programmable memory, and a non-volatile memory. The cable TV carrier validates a set-top-box chip used in a set-top-box by way of a verification sequence that requires a successful verification by the set-top-box chip.02-05-2009
20120110325METHOD, DEVICE AND MOBILE TERMINAL FOR CHALLENGE HANDSHAKE AUTHENTICATION PROTOCOL AUTHENTICATION - A method, apparatus and mobile terminal for Challenge Handshake Authentication Protocol (CHAP) authentication in a CDMA Evolution to packet Data Optimized (EVDO) network are provided in the present invention. They allow the authentication process of an EVDO network to succeed even though an authentication server does not support the Message Digest 5 (MD5) authentication method. The CHAP authentication method includes: receiving a CHAP authentication request which contains a first key value and is sent by an authentication server; when confirming that an identifier supporting the MD5 authentication method is stored in the user identity module, calling the MD5 authentication method to calculate a first authentication key value with the first key value, and sending the first authentication key value to the authentication server to authenticate; when receiving a CHAP re-authentication request which contains a second key value and is returned by the authentication server after the authentication with the first authentication key value fails, calling the Cellular Authentication and Voice Encryption (CAVE) authentication method to calculate a second authentication key value with the second key value, and sending the second authentication key value to the authentication server to authenticate.05-03-2012
20120110324METHOD AND APPARATUS FOR SENDING A KEY ON A WIRELESS LOCAL AREA NETWORK - A method and an apparatus for sending a key on a Wireless Local Area Network (WLAN) are provided. In a scenario where an Access Server is separate from an Access Controller, the Access Controller may send a master key of a specified WLAN station to the AC and trigger the AC to agree with the station on a transient key. The method includes: when receiving the master key of the WLAN station sent from an AAA server, searching a station information table for an IP address of an AC associated with the station; sending a message to the AC to instruct the AC to perform a 4-way handshake with the station to agree on a transient key, where the message carries the master key of the station, a 4-way handshake triggering bit, and a MAC address of the WLAN station.05-03-2012
20100191959Secure microprocessor and method - A method and reconfigurable computer architecture protect binary opcode, or other data and instructions by providing an encryption capability integrated into an instruction issue unit of a protected processor. Opcodes are encrypted at their source, and encrypted opcodes from authorized users are then delivered to a CPU and decrypted “inside” the CPU. Access into the CPU is prevented. Each form of code or data selected for protection is protected from unauthorized viewing or access. Commonly, the binary executable, or object, code is selected for protection. However, protected information could also include source code or data sets or both. Encrypting opcodes will result in making unique opcodes for each processor. Encryption keys and hidden opcode algorithms provide further security.07-29-2010
20100125731METHOD FOR SECURELY MERGING MULTIPLE NODES HAVING TRUSTED PLATFORM MODULES - A method, apparatus and computer program product are provided for operating a plurality of computer nodes while maintaining trust. A primary computer node and at least one secondary computer node are connected into a cluster, wherein each of the clustered computer nodes includes a trusted platform module (TPM) that is accessible to software and includes security status information about the respective computer node. The clustered computer nodes are then merged into a single node with only the TPM of the primary computer node being accessible to software. The TPM of the primary computer node is updated to include the security status information of each TPM in the cluster. Preferably, the step of merging is controlled by power on self test (POST) basic input output system (BIOS) code associated with a boot processor in the primary node.05-20-2010
20120239926OBFUSCATED AUTHENTICATION SYSTEMS, DEVICES, AND METHODS - Embodiments of the present invention are directed toward authentication systems, devices, and methods. Obfuscated executable instructions may encode an authentication procedure and protect an authentication key. The obfuscated executable instructions may require communication with a remote certifying authority for operation. In this manner, security may be controlled by the certifying authority without regard to the security of the electronic device running the obfuscated executable instructions.09-20-2012
20100082972Method to allow targeted advertising on mobile phones while maintaining subscriber privacy - An apparatus in one example has: a trusted advertising server operatively coupled to at least one terminal of a subscriber; and a trusted database having respectively at least one profile for the at least one terminal; wherein the trusted advertising server effects sending of one or more advertisements to the terminal based on the profile of the terminal without revealing an identity of the subscriber. The trusted advertising server has a trusted role and an advertising role. The trusted role is to securely maintain the at least one profile, and the advertising role is to receive target demographics for a particular advertiser or advertising broker, to match advertisements to the at least one terminal based on the respective profile in the trusted database, and to deliver the selected advertisements to the at least one terminal based on the respective profile in the trusted database.04-01-2010
20100100726System and method for unlocking content associated with media - There is presented a system and method for unlocking a content associated with media. In one aspect, the method comprises identifying the media, generating an authentication key using at least one key data from a set of key data contained in the media, determining an address in the media of at least one content unit corresponding respectively to each of the at least one key data used to generate the authentication key; requesting the at least one content unit by providing the address; receiving user data in response to the requesting; comparing the user data with the at least one key data used to generate the authentication key; and unlocking the content associated with the media if the user data matches the authentication key.04-22-2010
20090100260Location source authentication - A method and system to validate the source of location data, such that access to a location based service is protected based on a location. When the source of the location data is verified, an authentication and/or a temporary key pair are generated for the computational device to successfully obtain the location based service. Moreover, the Location Based Service is assured of providing service to the computational device only at the authorized location. A method and system for managing access to the location based service is also disclosed. A request is received to authenticate the source of the location, either by the computational device or by the location based service provider. Access to the location based service is granted when the location is an authorized location. Once access is granted, the temporary key pair is used for successful transactions. Moreover, the validity of the location source is continually re-validated by expiring the temporary key pair after a time duration.04-16-2009
20090287922PROVISION OF SECURE COMMUNICATIONS CONNECTION USING THIRD PARTY AUTHENTICATION - The present invention relates to communications, and in particular though not exclusively to forming a secure connection between two untrusted devices. The present invention provides a method of securely connecting a first device (A) to a second device (B) using a third party authentication server (AS) coupled to the second device, the first device and the authentication server both having first device shared secret data (SSDa) and the second device and the authentication server both having second device shared secret data (SSDb). The method comprises receiving a request from the first device at the authentication server; the authentication server and the first device both generating a first device key (K_A) using the first device shared secret data in response to a first device random number (RANDa) sent from the authentication server to the first device; the authentication server and the second device both generating a second device key (K_B) using the second device shared secret data in response to a second device random number (RANDb) sent from the authentication server to the second device; and the authentication server securely forwarding to the second device (B) and the first device (A) a common key (K_AB) using the second and first device keys (K_B, K_A).11-19-2009
20080288774Contact Information Retrieval System and Communication System Using the Same - There is described a communication system allowing communication over one or more communication networks. The communication system includes a domain name server storing a zone data file for a domain associated with a first party, the zone data file including contact information associated with the first party, the contact information including a plurality of electronic communication identifiers associated with the first party with each electronic communication identifier being associated with a corresponding communication protocol. An access granting system enables the first party to grant a second party access to one or more of the plurality of electronic communication identifiers. In particular, the access granting system encrypts one or more electronic communication identifiers to generate encrypted contact information, stores the encrypted contact information in the zone data file in association with a sub-domain of the domain associated with the first party, and provides the second party with access to the identity of said sub-domain.11-20-2008
20110197059SECURING OUT-OF-BAND MESSAGES - Securing an out-of-band message from a server to a mobile computing device. After requesting a service ticket from a trusted third party (e.g., via a pre-existing ticketing infrastructure), the requested service ticket and a shared secret are obtained from the trusted third party via a first channel. The mobile computing device thereafter sends the service ticket with the shared secret to a server via a second channel. The server encrypts a message (e.g., an SMS message) using the shared secret. The mobile computing device receives the encrypted message from the server via a third channel that is out-of-band relative to the first channel. The encrypted message is decrypted via the shared secret and the decrypted message is provided to a user of the mobile computing device. In some embodiments, the message includes commands for controlling the mobile computing device.08-11-2011
20080244261SEPARATION OF LOGICAL TRUSTED PLATFORM MODULES WITHIN A SINGLE PHYSICAL TRUSTED PLATFORM MODULE - A device, method, and system are disclosed. In one embodiment, the device includes storage to contain more than one trust root, and logic to associate each command ordinal sent to the device with one of the trust roots.10-02-2008
20100100727ENCRYPTION AND AUTHENTICATION SYSTEMS AND METHODS - Methods, apparatus, and systems are disclosed for, among other things, passphrase input using secure delay, passphrase input with characteristic shape display, user authentication with non-repeated selection of elements with a displayed set of elements, document authentication with embedding of a digital signature stamp within a graphical representation of the electronic document wherein the stamp comprises digits of a digital signature, and sub-hash computation using secure delay.04-22-2010
20090276620Client authentication during network boot - A secure mechanism for performing a network boot sequence and provisioning a remote device may use a private key of a public key/private key encryption mechanism to generate a command by a server and have the command executed by the device. The command may be used to verify the authenticity of the remote device, and may be used to establish ownership of the device. After authenticity and, in some cases ownership is established, bootable software may be downloaded and executed. The remote device may be provisioned with software applications. One mechanism for performing the initial encrypted commands is through a Trusted Platform Module. In many embodiments, the public key for the initial encrypted communication may be provided through a trusted second channel.11-05-2009
20090204807ABSTRACTION FUNCTION FOR MOBILE HANDSETS - Handset, computer software and method for protecting sensitive network information, available in the handset, from disclosure to an unauthorized server, by using an abstraction function module, the handset being connected to a network. The method includes receiving at the abstraction function module an encoding key from an abstraction server; receiving at the abstraction function module a request from a client or application for providing the sensitive network information from a control plane module of the handset, wherein the client or application resides in a user plane module, which is different from the control plane module, the sensitive network information is stored in the control plane module of the handset, and both the control plane module and the user plane module reside in the handset; retrieving by the abstraction function module the requested sensitive network information from the control plane module; encrypting, by the abstraction function module, the retrieved sensitive network information based on the received encoding key; and providing the encrypted sensitive network information to the client or application in the user plane module.08-13-2009
20090287921MOBILE DEVICE ASSISTED SECURE COMPUTER NETWORK COMMUNICATION - Mobile device assisted secure computer network communications embodiments are presented that employ a mobile device (e.g., a mobile phone, personal digital assistant (PDA), and the like) to assist in user authentication. In general, this is accomplished by having a user enter a password into a client computer which is in contact with a server associated with a secure Web site. This password is integrated with a secret value, which is generated in real time by the mobile device. The secret value is bound to both the mobile device's hardware and the secure Web site being accessed, such that it is unique to both. In this way, a different secret value is generated for each secure Web site accessed, and another user cannot impersonate the user and log into a secure Web site unless he or she knows the password and possesses the user's mobile device simultaneously.11-19-2009
20110271099AUTHENTICATION SERVER AND METHOD FOR GRANTING TOKENS - An authentication server and method are provided for generating tokens for use by a mobile electronic device for accessing a service. Communications between the device and the authentication server are through a relay. A memory stores a secret shared with a service server from which the service is provided. A processor is configured to generate the token using the shared secret and based on a reliance on the relay to ensure that the device has authorization to access the service. One or more computer readable media having computer readable instructions stored thereon that cause the device to obtain proof of authorization to access the service are also provided. The instructions implement a method comprising: outputting via a wireless connection to a relay a request addressed to an authentication server for a token and receiving the token from the authentication server via the relay.11-03-2011
20090259839SECURITY AUTHENTICATION SYSTEM AND METHOD - An authentication system and method are provided. The authentication system includes: a server configured to provide at least two security levels and configured to transmit one of at least two security modules corresponding to the security level of a user terminal, via a communications network, to the user terminal based, at least in part, upon an environment of the user terminal; and an authentication server communicatively linked with the server and configured to perform a user authentication in response to a user authentication request from the user terminal. Accordingly, various hacking attempts can be prevented and user authentication can be accomplished with convenience and security for the user.10-15-2009
20100281252ALTERNATE AUTHENTICATION - A user may utilize an existing digital identity to authorize the user's access to security-enabled device operations, where the security-enabled device comprises a cryptographic chip. The device can receive a user authentication token from the digital user identification service, which authenticates a user's identity. Further, the security-enabled device can validate the user authentication token, and provide the user access to device security operations on the security-enabled device if the user authentication token is successfully validated, allowing the user to reset their security access information for the device.11-04-2010
20120297186ROUTE OPTIMIZATION WITH LOCATION PRIVACY SUPPORT - The invention relates to a method for route optimisation of packet switched data transmissions between a first mobile node and a second mobile node in a mobile communication system comprising a plurality of access networks. The method comprises the step of transmitting return routability protocol packets and data packets. The return routability protocol packets and data packets are analysed, and at least part of an address comprised in headers of the return routability protocol packets and data packets is removed.11-22-2012
20080244262ENHANCED SUPPLICANT FRAMEWORK FOR WIRELESS COMMUNICATIONS - The present disclosure provides a method that may be used in wireless communications. According to one exemplary embodiment, the method may include partitioning a first device into a user operating system including a supplicant client and a secure operating system including a supplicant core. The method may also include performing a user authentication process at the supplicant core. The method may further include transmitting user authentication data from the supplicant core to at least one wireless network and accessing the supplicant core from at least one additional device. Of course, additional embodiments, variations and modifications are possible without departing from this embodiment.10-02-2008
20080250240 | Remote Informed Watermark Detection System - A system and a method for secure remote informed watermark detection making use of side-information. The system in overview comprises a remote detector and a server computing system, wherein a database with side-information assigned to specific descriptors of data signals is stored at the server computing system, and wherein a remote detector intending to identify the watermark of a data signal will derive the descriptor of the data signal and subsequently contact the trusted server computing system in order to obtain the necessary side-information for the informed watermark detection. | 10-09-2008
20080288773 | SYSTEM AND METHOD FOR AUTHENTICATION OF A COMMUNICATION DEVICE - A system and method for authentication of a communication device is disclosed. A system that incorporates teachings of the present disclosure may include, for example, a communication device having a controller element to compute a shared secret key based at least in part on a communication device (CD) private key and a cryptography algorithm, wherein the CD private key is stored in an identity module of the communication device and is unknown to an authentication center, and wherein the communication device is authenticated by the authentication center based at least in part on the shared secret key. Additional embodiments are disclosed. | 11-20-2008
20120297185 | MAINTAINING PRIVACY FOR TRANSACTIONS PERFORMABLE BY A USER DEVICE HAVING A SECURITY MODULE - A method and system for maintaining privacy for transactions performable by a user device having a security module with a privacy certification authority and a verifier are disclosed. The system includes an issuer providing an issuer public key; a user device having a security module for generating a first set of attestation-signature values; a privacy certification authority computer for providing an authority public key and issuing second attestation values; and a verification computer for checking the validity of the first set of attestation-signature values with the issuer public key and the validity of a second set of attestation-signature values with the authority public key, the second set of attestation-signature values being derivable by the user device from the second attestation values, where it is verifiable that the two sets of attestation-signature values relate to the user device. | 11-22-2012
20120297184 | CLOUD COMPUTING METHOD AND SYSTEM - Methods and systems integrating sensitive or private data with cloud computing resources while mitigating security, privacy and confidentiality risks associated with cloud computing. In one embodiment, a computer network system includes a firewall separating a public portion of the computer network from an on-premises portion of the computer network, a database storing private data behind the firewall, and a user device connected with the computer network. The user device accesses an application hosted in the public portion of the computer network. In response, the application generates return information. The user device receives the return information and generates a request for private data based on at least a portion of the returned information. The request is transmitted to the database, which generates a response including the requested private data. The response is transmitted in an encrypted form from the database via the computer network to the user device. | 11-22-2012
20080270786 | APPARATUS AND METHOD FOR DIRECT ANONYMOUS ATTESTATION FROM BILINEAR MAPS - A method and apparatus for direct anonymous attestation from bilinear maps. In one embodiment, the method includes the creation of a public/private key pair for a trusted membership group defined by an issuer; and assigning a unique secret signature key to at least one member device of the trusted membership group defined by the issuer. In one embodiment, using the assigned signature key, a member may sign a message received as an authentication request to prove membership within a trusted membership group. In one embodiment, a group digital signature of the member is verified using a public key of the trusted membership group. Accordingly, a verifier of the digital signature is able to authenticate that the member is an actual member of the trusted membership group without requiring the disclosure of unique identification information of the member or a private member key, maintaining the anonymity of trusted member devices. Other embodiments are described and claimed. | 10-30-2008
20100146263 | METHOD AND SYSTEM FOR SECURE AUTHENTICATION - The invention relates to a method of authentication for a provider comprising: requesting a verification system for authentication of a transaction initiated by a user by transmitting to the verification system details of the transaction initiated; requesting the user to authenticate the transaction on a mobile device by transmitting to the user mobile device details of the transaction; validating the authentication request received from the verification system on the mobile device and prompting the user to enter a personal identification number; displaying to the user the transaction details on receiving a valid personal identification number and requesting the user to authenticate the transaction; generating, on receiving user authentication, an authentication parameter for transmission to the verification system; and authenticating the transaction to the provider on receiving a valid authentication parameter from the user mobile device. | 06-10-2010
20090164775 | Broadband computer system - A broadband computer system comprising a network; a client computer comprising a secure log-on means, a user interaction means, a display means, processing means and client data storage means, wherein applications used on the client computer are stored on the client data storage means; a server connected to the network comprising a secure log-on verification means and server data storage means, wherein the secure log-on means communicates with the secure log-on verification means across the network to authenticate a user and, after authentication, the processing means of the client computer provides a suite of applications for use by the user and wherein any user data required by the suite of applications is provided across the network by the server data storage means. | 06-25-2009
20090164774 | METHODS AND SYSTEMS FOR SECURE CHANNEL INITIALIZATION - Methods and systems for secure channel initialization between a client network element and a server network element are disclosed. In accordance with one embodiment of the present disclosure, the method includes: sending a secure channel initialization request from the client network element to the server network element; receiving the secure channel initialization request at the server network element; creating a server credential and a client credential at the server network element; and sending a secure channel initialization response from the server network element to the client network element, the secure channel initialization response including the server credential and the client credential, wherein said server credential and said client credential are used to establish a secure session. | 06-25-2009
20090144539 | HEADEND SYSTEM FOR DOWNLOADABLE CONDITIONAL ACCESS SERVICE AND METHOD OF OPERATING THE SAME - A method of operating a headend system for a downloadable conditional access service, the method including: receiving, by an Authentication Proxy (AP) server, basic authentication information from a Downloadable Conditional Access System (DCAS) host, the basic authentication information being required to authenticate the DCAS host; transmitting, by the AP server, the basic authentication information to an external trusted authority device which authenticates the DCAS host; generating, by the AP server, a session key for encrypting/decrypting a secure micro client using a session key sharing factor; obtaining, by the AP server, download-related information of the secure micro client from a DCAS Provisioning Server (DPS); and commanding, by the AP server, an Integrated Personalization System (IPS) server to download the secure micro client to the DCAS host based on the download-related information, the secure micro client being encrypted by the session key. | 06-04-2009
20110145565 | FEDERATED AUTHENTICATION FOR MAILBOX REPLICATION - A data replication mechanism is proposed that relies on existing federation infrastructure enabling distributed authentication instead of storing and using explicit credentials for a remote forest. The data replication mechanism requests a federation token with data replication capabilities targeted to the remote forest and passes this token to the remote forest in lieu of explicit credentials. | 06-16-2011
20090198998 | Method and apparatus of ensuring security of communication in home network - Provided are a method and apparatus for ensuring communication security between a control apparatus and a controlled apparatus in a home network. The control apparatus in the home network establishes a registration Secure Authenticated Channel (SAC) with the controlled apparatus by using a Transport Layer Security Pre-Shared Key ciphersuites (TLS-PSK) protocol implemented by using a Product Identification Number (PIN) of the controlled apparatus input from a user, shares a private key with the controlled apparatus via the registration SAC, and uses services of the controlled apparatus via a service SAC established by using the TLS-PSK protocol implemented by using the shared private key, to easily implement a framework ensuring communication security in the home network. | 08-06-2009
20090198996 | SYSTEM AND METHOD FOR PROVIDING CELLULAR ACCESS POINTS - A system and method for providing an identity association between a subscriber in a private network and a provider over a public network is described. The system and method include a subscriber security gateway in the private network, the subscriber security gateway providing policy enforcement and signaling between the private network and the provider over the public network, and at least one digital key associated with the provider and readable by the subscriber security gateway and operable to provide an identity association with the provider. The system and method further include a network device in the private network, the network device operable to establish a trusted media channel between the provider and the network device using the public network as a result of the signaling and policy enforcement at the subscriber security gateway using the digital keys, and a security gateway in the provider network, the security gateway including a registry for authenticating the user using the digital key and for maintaining a record of the subscriber's relationship with the provider. | 08-06-2009
20090198999 | SYSTEM AND METHOD FOR DISTRIBUTING KEYS IN A WIRELESS NETWORK - A technique for improving authentication speed when a client roams from a first authentication domain to a second authentication domain involves coupling authenticators associated with the first and second authentication domains to an authentication server. A system according to the technique may include, for example, a first authenticator using an encryption key to ensure secure network communication, a second authenticator using the same encryption key to ensure secure network communication, and a server coupled to the first authenticator and the second authenticator, wherein the server distributes, to the first authenticator and the second authenticator, information to extract the encryption key from messages that a client sends to the first authenticator and the second authenticator. | 08-06-2009
20090198997 | System and method for secure electronic communication services - A system, method and software module for secure electronic communication services, wherein a public key ( | 08-06-2009
20090100261 | METHOD AND SYSTEM FOR MEDIATION OF AUTHENTICATION WITHIN A COMMUNICATION NETWORK - A method, a system, and a computer software product provide mediation of authentication within a communication network. The method comprises the steps of sending a request to mediate authentication between a first node | 04-16-2009
20090100262 | APPARATUS AND METHOD FOR DETECTING DUPLICATION OF PORTABLE SUBSCRIBER STATION IN PORTABLE INTERNET SYSTEM - An apparatus and method for detecting duplication of a portable subscriber station (PSS) in a portable Internet system are provided. A master key of a PSS and a master key of an AAA server are identically updated whenever the PSS succeeds in authentication. It is possible to determine whether the PSS is duplicated or not by comparing the master key of the PSS with the master key of the AAA server during an authentication procedure. In addition, it is possible to find out whether duplication of the corresponding PSS was made of the user's own volition or by a third party, by additionally performing an authentication procedure which requires input of a password for a PSS which is suspected of being duplicated. | 04-16-2009
20090063850 | MULTIPLE FACTOR USER AUTHENTICATION SYSTEM - The present invention describes a method and a system for multi-level authentication of a user and a server. The user registration process in the invention enables the user to personalize the web page of the server. Further, the user authentication takes place in a multi-step process including entering credentials such as a user ID, a subset of the user's password, a subset of a shared secret and a One Time Password (OTP). The system of the present invention provides various means of entering the said credentials which prevent phishing attacks. | 03-05-2009
20090204806 | CERTIFYING DEVICE, VERIFYING DEVICE, VERIFYING SYSTEM, COMPUTER PROGRAM AND INTEGRATED CIRCUIT - An authentication system that can show that it has an authentic computer program, can certify the authenticity of itself, and can verify the certification. The authentication system is composed of a terminal (requesting device) and a card (verifying device). The card stores secret information to be used by the terminal, and an update program for the terminal. The card verifies the authenticity of the terminal using information obtained from the terminal. When it judges that the terminal is authentic, the card outputs the secret information to the terminal. When it judges that the terminal is not authentic, the card outputs the update program. With this structure, the terminal is forced to update the program when it attempts to use the secret information. | 08-13-2009
20090210700 | COMPUTER SYSTEM FOR JUDGING WHETHER TO PERMIT USE OF DATA BASED ON LOCATION OF TERMINAL - There is provided a computer system comprising a storage system, a terminal, a management server, and a positioning module for identifying a location of the terminal. The terminal identifies the location of the terminal by the positioning module in a case of using the data, transmits terminal information including the identified location of the terminal to the management server, and transmits a usage request for the data to the management server. The management server judges whether or not use of the data is to be permitted based on the terminal information, and transmits permit information including usage conditions for the data to the terminal in a case where the use of the data is to be permitted. The terminal selects at least one of the volatile storage area and the nonvolatile storage area based on the usage conditions, and stores the copy of the data therein. | 08-20-2009
20090204808 | Session Key Security Protocol - Exchanging information in a multi-site authentication system. A network server receives, from an authentication server, a request by a client computing device for a service provided by the network server along with an authentication ticket. The authentication ticket includes: a session key encrypted by a public key associated with the network server, message content encrypted by the session key, and a signature for the encrypted session key and the encrypted message content. The signature includes address information of the network server. The network server identifies its own address information in the signature to validate the signature included in the authentication ticket and verifies the authentication ticket content based on the signature included in the authentication ticket. The network server decrypts the encrypted session key via a private key associated with the second network server and decrypts the encrypted message content via the decrypted session key. | 08-13-2009
20090210699 | METHOD AND APPARATUS FOR SECURE NETWORK ENCLAVES - Methods and apparatus are disclosed to provide for security within a network enclave. In one embodiment, authentication logic initiates authentication with a central network authority. Packet processing logic receives a key and an identifier from the central network authority. Security protocol logic then establishes a client-server security association through a communication that includes a client identifier and an encrypted portion and/or an authorization signature, wherein a client authorization key allocated by the central network authority can be reproduced by a server, other than said central network authority, from the client identifier and a derivation key provided to the server by the central network authority, to decrypt the encrypted portion and/or to validate the communication using the authorization signature. The server may also provide the client with new session keys and/or new client session identifiers using server-generated derivation keys if desired, protecting these with the client authorization key. | 08-20-2009
20120198228 | SYSTEM AND METHOD FOR DIGITAL USER AUTHENTICATION - A method according to a preferred embodiment can include receiving a request at a server from a private key module associated with a first user device; directing a request for a first portion of the private key from the server to a second user device; and, in response to a successful user challenge, creating a first portion of a digital signature and a second portion of a digital signature at the server. The method of the preferred embodiment can further include combining the first portion of the digital signature and the second portion of the digital signature; and delivering the digital signature to the first user device. The method of the preferred embodiment can function to secure the digital signature process by splitting or dividing the user's private key into two or more portions, each of which requires independent authorization from the user in order to create the digital signature. | 08-02-2012
20090222656 | SECURE ONLINE SERVICE PROVIDER COMMUNICATION - Computer-readable media, systems, and methods for encrypting communications between a client and an online service provider to ensure the communications are secure. In embodiments, an authentication request is received from a user agent associated with the client, and the authentication request includes identification information and authentication information. Additionally, it is determined that the identification and authentication information are associated with a user. An authentication ticket is created that includes a user identification and an authentication, and indicates to the online service provider that the user is authenticated to access one or more services. Further, a session key is generated and an encrypted session key is embedded into the authentication ticket. The session key is encrypted with a public key; the corresponding private key is known only to the online service provider, and the public key is known at least by an authentication server. | 09-03-2009
20100275010 | Method of Authentication of Users in Data Processing Systems - A method of authentication of users in a data processing system is provided. The method includes: generating a “Challenge” univocally associated with a user to be authenticated; processing the “Challenge” to generate an expected answer code, to be compared with an answer code that the user has to provide for authentication; encoding the generated “Challenge” for obtaining an image displayable through a display device; sending the image containing the “Challenge” to the user; displaying the image containing the “Challenge”; through a user device provided with an image-capturing device, optically capturing the displayed image; through the user device, processing the captured image for extracting from the captured image the “Challenge”, and subsequently processing the obtained “Challenge” for generating the answer code; receiving the answer code from the user and comparing it to the expected answer code; and, in case of positive comparison, authenticating the user. One among the actions of generating a “Challenge” and an expected answer code, and the action of processing the captured image that generates the answer code, exploits secret information univocally associated with the user. | 10-28-2010
20090259840 | Systems and methods for authenticating an electronic message - Systems and methods are disclosed for authenticating electronic messages. A data structure is generated by a computer server which allows for the authentication of the contents and computer server identity of a received electronic message and provides a trusted stamp to authenticate when the message was sent. Data which can authenticate the message, the computer server identity, and the time the message was sent is included into a data structure which is called an Electronic PostMark (EPM). | 10-15-2009
20100161967 | Method and system for dynamically implementing an enterprise resource policy - A rules evaluation engine that controls users' security access to enterprise resources that have policies created for them. This engine allows a real-time authorization process to be performed with dynamic enrichment of the rules if necessary. Logging, alarm and administrative processes for granting or denying access to the user are also realized. The access encompasses computer and physical access to information and enterprise spaces. | 06-24-2010
20090276621 | SECRET AUTHENTICATION SYSTEM - An authenticated apparatus generates scrambled data from key data and authentication data, such that another key data, which configures the product data, or authentication data is obtained through back-calculation of the product data by using the authentication data or key data, the scrambled data including the product data and the like generated by multiplying the authentication data indicative of the authenticated apparatus's or a user's authenticity by the key data. The authenticated apparatus generates verification data through an operation of the authentication data, key data, or scrambled data, and transmits the verification data and scrambled data to an authenticating apparatus. The authenticating apparatus then verifies authenticity of the authenticated apparatus based on the verification data and scrambled data received from the authenticated apparatus and each authenticated apparatus's or each user's authentication data stored in the authenticating apparatus. | 11-05-2009
20090276623 | Enterprise Device Recovery - An administrator of an enterprise can recover a user secure storage device in conjunction with a third-party service without the administrator knowing a user secure storage device password. The administrator secure storage device is communicatively coupled with a host computer. A user secure storage device is communicatively coupled with a host computer. The administrator secure storage device is authenticated to the third-party service. One or more decryptions are performed on an encrypted portion of data with an enterprise private key and a shared administrator private key to produce information associated with the user secure storage device password. The administrator is logged into the user secure storage device using the information associated with the user secure storage device password without the administrator knowing the user secure storage device password. | 11-05-2009
20120246464 | METHOD, SYSTEM AND APPARATUS FOR PROTECTING A BSF ENTITY FROM ATTACK - A method, system and apparatus for protecting a bootstrapping service function (BSF) entity from attack includes: a first temporary identity and a second temporary identity are generated after a BSF entity performs a mutual authentication with a user equipment (UE) by using an initial temporary identity sent from the UE; the BSF entity receives a re-authentication request carrying the first temporary identity from the UE; and the UE sends a service request carrying the second temporary identity to a network application function (NAF) entity. The present disclosure prevents attackers from intercepting the temporary identity at the Ua interface and using the temporary identity to originate a re-authentication request at the Ub interface, thus protecting the BSF entity from attack, avoiding unnecessary load on the BSF entity and saving resources. | 09-27-2012
20090282238 | Secure handoff in a wireless local area network - A system and method are described including computing keying information by a server for authentication of devices accessing a wireless local area network and forwarding the keying information by the server to access points included in a security domain of the wireless local area network, wherein one of the access points is associated with a mobile device. | 11-12-2009
20100161964 | STORAGE COMMUNITIES OF INTEREST USING CRYPTOGRAPHIC SPLITTING - Methods and systems of presenting data in a secure data storage network are disclosed. One method includes defining a plurality of communities of interest, each community of interest capable of accessing data stored in a secure data storage network and including a plurality of users desiring access to a common set of data, wherein each of the plurality of communities of interest has a set of security rights. The method also includes associating each of the plurality of communities of interest with a different workgroup key. The method further includes, upon identification of a client device as associated with a user from among the plurality of users in a community of interest, presenting a virtual disk to the client device in accordance with the security rights, the virtual disk associated with the workgroup key associated with the community of interest and a volume containing the common set of data to the community of interest, the volume including a plurality of shares stored on a plurality of physical storage devices. | 06-24-2010
20110107085 | Authenticator relocation method for wimax system - A method is provided for Authenticator Relocation in a communication system applying an Extensible Authentication Protocol, or the like, which provides replay protection and mitigates the rogue ASN-GW problem during relocation of the Anchor Authentication, without conducting re-authentication of the MS. The method of the invention optionally allows secure refresh of the MSK. | 05-05-2011
20090327702 | Key Escrow Service - A key escrow service is described. In embodiment(s), the key escrow service maintains an escrow license that includes an escrow content key that is associated with protected media content which is distributed from a content distributor to a media device. A content key that is associated with the protected media content can be received from the content distributor, and the content key can then be encrypted with a public escrow key to generate the escrow content key. The escrow license can be generated to include the escrow content key, and the escrow content key can then be communicated back to the content distributor that provides a digital rights management (DRM) license to the media device. The DRM license can include both the escrow content key and the content key encrypted with a public key that corresponds to the media device. | 12-31-2009
20100228966 | CONTROL DEVICE, COMMUNICATION APPARATUS, CONTROL SYSTEM, CONTROL METHOD AND STORAGE MEDIUM - A control system which can control a function of a device depending on the result of authentication of an external device that exists outside the device and prevent others from using the device without permission is provided. The control system includes a control device ( | 09-09-2010
20100161965 | Secure Credential Store - A credential store provides for secure storage of credentials. A credential stored in the credential store is encrypted with the public key of a user owning the credential. A first user may provide a credential owned by the first user to a second user. The first user may add credentials owned by the first user to the credential store. An administrator may manage users of the credential store without having the ability to provide credentials to those users. | 06-24-2010
20100153708 | Server Assisted Portable Device - A method for allowing or disallowing host access to data stored in a portable device is discussed. The method uses a password and a network server. Access to the data is allowed if the password is correct and messages received from the server are positive. If the portable device receives a negative message from the server, then access is disallowed, even if the password is correct. In another embodiment of the invention, a password is provided to the portable device; the password is encrypted in the portable device, and sent to the network server. Upon requests for data from the host computer, the portable device encrypts the data and sends the encrypted data to the host computer. A network server receives an encryption of the password from the portable device, and if the password is correct, then the network server sends the decryption key for the data to the host computer. | 06-17-2010
20100228967 | METHOD OF ESTABLISHING SECURITY ASSOCIATION IN INTER-RAT HANDOVER - A method of establishing security association during handover between heterogeneous networks in a radio access system is disclosed. A method of establishing security association before handover with a target base station included in a heterogeneous radio access network comprises: transmitting a request message to a service base station, the request message requesting the service base station to transfer authentication related information of a mobile station to a target network authentication server; and receiving a response message from the service base station before the handover with the target base station is performed, the response message including security related information used in a target network. | 09-09-2010
20100217974 | CONTENT MANAGEMENT APPARATUS WITH RIGHTS - A content management system which carries out a process for allowing content data for reproducing content to be used in a second communication terminal in place of a first communication terminal includes an authentication unit that authenticates that the second communication terminal is a takeover terminal, which is a communication terminal that takes over rights to use the content from the first communication terminal, and a rights information transmission unit that, in the event that it is authenticated that the second communication terminal is the takeover terminal, transmits second rights information, which is necessary in order to use the content data and which is valid only for the second communication terminal, to the second communication terminal. | 08-26-2010
20100146261 | CONTROLLED ACTIVATION OF FUNCTION - A method of and system ( | 06-10-2010
20100241850 | HANDHELD MULTIPLE ROLE ELECTRONIC AUTHENTICATOR AND ITS SERVICE SYSTEM - The present invention provides a handheld electronic authenticator and its service system that provide multiple dynamic authentication codes for authenticating with multiple service providers. The authenticator provides multiple dynamic authentication codes (e.g., including electronic signatures) for the multiple service providers, using an algorithm, secret key and dynamic variables chosen and maintained by the service provider. | 09-23-2010
20100235623 | Methods and systems for identity verification - The present invention relates to methods and systems for identity verification. The method includes transmitting from a customer system to a customer connector server an identity verification request containing identification information for an individual. At the customer connector server, at least one verification service required for the request is identified and a data manager server is selected for each service. A verification service request is transmitted to each data manager server. At each data manager server, at least one data access service is identified and one data connector server is selected for each service. A data access service request is transmitted to each data connector server. At least one data source is accessed from each data connector server for each request. The identification information provided is then verified against identity information stored within the at least one data source, and a response is generated and communicated to the customer system. | 09-16-2010
20100235624METHOD AND APPARATUS FOR PROTECTING THE TRANSFER OF DATA - According to one embodiment, a conditional access (CA) control system comprises circuitry that is adapted to: (i) transmit information including a unique identifier assigned to a digital device and mating key generator values to the remote source, (ii) receive a mating key from the remote source, the mating key being based on the transmitted unique identifier and mating key generator values, the mating key being used to encrypt data used for scrambling either additional key information or program data prior to transmission to the digital device, and (iii) transmit the mating key generator values and the encrypted data to the digital device, the mating key generator values are used to regenerate the mating key in the digital device.09-16-2010
20100250921Authorizing a Login Request of a Remote Device - Exemplary systems and methods for managed authorization of a login request of a remote device are provided. A user of the remote device may be authorized to login by an authentication server before attempting to login. Upon receipt of a login request from the remote device, an authorization process is performed. Subsequently, a concatenation of data from the login request and a server response based on the determination of whether the remote device is authorized to login is generated. The server response may comprise instructions to authorize the login request, instructions to deny the login request, or instructions to destroy data stored by the remote device. Furthermore, the authentication server or the remote device may log the server response.09-30-2010
20100146262Method, device and system for negotiating authentication mode - The present disclosure discloses a method, device and system for negotiating authentication mode. A first negotiation request carrying an authentication mode supported by a terminal is sent to an authentication server, so that the authentication server determines and sends an authentication mode supported by both the authentication server and the terminal, where the authentication mode is determined according to an authentication mode supported by the authentication server and the authentication mode supported by the terminal in the first negotiation request. The authentication mode supported by both the authentication server and the terminal is received by the terminal from the authentication server. Therefore, according to the disclosure, a common authentication mode supported by both the authentication server and the terminal is negotiated before the authentication is performed.06-10-2010
20110113237 | KEY CAMOUFLAGING METHOD USING A MACHINE IDENTIFIER - A method is provided for generating a human readable passcode for an authorized user, including providing a controlled access datum and a PIN, and generating a unique machine identifier for the user machine. The method further includes modifying the controlled access datum, encrypting the controlled access datum using the PIN and/or the unique machine identifier to camouflage the datum, and generating a passcode using the camouflaged datum and the PIN and/or the unique machine identifier. A mobile user device may be used to execute the method in one embodiment. The passcode may be used to obtain transaction authorization and/or access to a secured system or secured data. The unique machine identifier may be defined by a machine effective speed calibration derived from information collected from and unique to the user machine. | 05-12-2011
20090276622 | SECRET AUTHENTICATION SYSTEM - Authentication data is distributedly defined by a plurality of distributed data, including function data specifying a function. A portion of the distributed data is shared between an authenticated apparatus and an authenticating apparatus. The authenticated apparatus obtains verification data from the distributed data unshared with the authenticated apparatus, and transmits the verification data. The authenticating apparatus verifies the authenticity of the authenticated apparatus based on the verification data and the like received from the authenticated apparatus. The authenticated apparatus generates the distributed data containing predetermined control data, and transmits the distributed data to the authenticating apparatus. The authenticating apparatus extracts the control data from the distributed data containing the control data, and determines whether or not authentication is granted based on the control data. | 11-05-2009
20090327701 | ID Card Encryption - An ID card is authenticated. Encrypted data is read from a first security feature on the ID card. A value is computed based on the encrypted data. Unencrypted data is read from a second security feature on the ID card. The value and the unencrypted data are transmitted to an authentication center. An authentication message is received from the authentication center. | 12-31-2009
20110066846 | METHOD AND A SYSTEM OF HEALTHCARE DATA HANDLING - This invention relates to a method of healthcare data handling by a trusted agent possessing or having access to decryption keys for accessing healthcare data. A request is received from a requestor requesting access to healthcare data. A log is generated containing data relating to the request or the requestor or both. Finally, the requestor is provided with access to the healthcare data. | 03-17-2011
20100268940 | METHOD AND APPARATUS FOR PORTABILITY OF A REMOTE SESSION - Examples of systems and methods are provided for facilitating establishing a remote session between a host device and a remote server. The system may facilitate establishing a first remote session between a client device and the remote server. The system may facilitate establishing a trusted relationship between the client device and the host device. The system may provide remote session login information from the client device to the host device to enable the host device to establish a second remote session with the remote server. The system may facilitate termination of the first remote session at the client device after the login information is provided to the host device. | 10-21-2010
20090319776 | TECHNIQUES FOR SECURE NETWORK COMMUNICATION - Techniques for secure network communication are provided. Credentials for a user, along with a transparently generated secret, are sent to a resource with which the user desires to establish a secure communication session. After successful authentication of the user, an initial sequence number for a first transaction of the session is set on a client of the user. Thereafter, with each transaction of the session the client supplies a new and unique sequence number to a server of the resource and uses the secret to encode and validate that transaction. The server of the resource does not permit any transaction that includes an invalid or previously used sequence number. | 12-24-2009
20090319778 | User authentication system and method without password - A Verified Unit (VU) communicates with an Authenticating Unit (AU). The VU only provides the AU with the user's public key via RSA technology known in the art. The AU sends a character string to the VU, requiring the VU to generate a digital signature, which is sent to an Authority Server (AS) to authenticate the digital signature information provided to the AU by the VU. If the AS authenticates the information, it informs the AU, and the AU will provide the VU's requested data to the VU. | 12-24-2009
20090319777 | DISTRIBUTED SUBSCRIBER MANAGEMENT SYSTEM - A distributed subscriber management system and method that controls access to a network, preventing unauthorized traffic through the access network and providing centralized access control between user networks, are disclosed. The controlled access is provided through the use of one of several technologies including user authentication using PAP, CHAP, RADIUS, or TACACS+. The method includes the steps of receiving a connection request from a user located on one of the User Networks; interrogating the user for userid and password information; encrypting the userid and password information; transmitting the encrypted information, via the access network, to an authentication server attached to one of a plurality of external networks; decrypting the information at the authentication server; and transmitting an authentication message from the authentication server of the external network to the access control node via the access network. Additionally, the method includes the step of challenging all data leaving the access control node. | 12-24-2009
20090113205 | METHOD AND APPARATUS FOR THE SECURE IDENTIFICATION OF THE OWNER OF A PORTABLE DEVICE - An authentication system is provided that includes a portable device and a decryption node. An individual uses the portable device, such as a cell phone, to compute a challenge and a response. The challenge and response are sent to a decryption node. In response, the decryption node computes a presumed response and compares the presumed response to the response of the portable device, in order to authenticate the individual associated with the portable device. | 04-30-2009
20100223459 | KEY DISTRIBUTION - Methods and systems are provided for trusted key distribution. A key distribution or an identity service acts as an intermediary between participants to a secure network. The service provisions and manages the distribution of keys. The keys are used for encrypting communications occurring within the secure network. | 09-02-2010
20090024844 | Terminal And Method For Receiving Data In A Network - In embodiments of the present invention, a method of processing data in a network is provided. In the method, a terminal receives data from the network and is operated in two states. In the first state, in which the terminal is connected to the network, the terminal causes the data to be usable. In the second state, in which the terminal is not connected to the network, the terminal causes the data to be unusable. | 01-22-2009
20120144189 | WLAN AUTHENTICATION METHOD, WLAN AUTHENTICATION SERVER, AND TERMINAL - An authentication method, a server, and a terminal for a wireless local area network (WLAN) are provided. The method includes: redirecting a Hypertext Transfer Protocol (HTTP) request message sent by a WLAN terminal to an address of a login webpage of a WLAN network and returning the redirected HTTP request message to the WLAN terminal; sending authentication request information carrying an International Mobile Subscriber Identity (IMSI) identifier of a Subscriber Identity Module (SIM) card, sent by the WLAN terminal, to an Authentication/Authorization/Accounting (AAA) server corresponding to the address of the login webpage of the WLAN network, such that the AAA server performs authentication based on the IMSI identifier. | 06-07-2012
20080229097 | Privacy-protecting integrity attestation of a computing platform - Systems, apparatus and methods for privacy-protecting integrity attestation of a computing platform. An example method for privacy-protecting integrity attestation of a computing platform (P) has a trusted platform module (TPM), and comprises the following steps. First, the computing platform (P) receives configuration values (PCR | 09-18-2008
20090037725 | CLIENT-SERVER OPAQUE TOKEN PASSING APPARATUS AND METHOD - In the computer client-server context, typically used in the Internet for communicating between a central server and user computers (clients), a method is provided for token passing which enhances security for client-server communications. The token passing is opaque, that is, tokens as generated by the client and server are different and can be generated only by one or the other but can be verified by the other. This approach allows the server to remain stateless, since all state information is maintained at the client side. This operates to authenticate the client to the server and vice versa to defeat hacking attacks, that is, penetrations intended to obtain confidential information. The token as passed includes encrypted values, including encrypted random numbers generated separately by the client and server, and authentication values based on the random numbers and other verification data generated using cryptographic techniques. | 02-05-2009
20090070579 | Information processing system and login method - Provided is an information processing system and a login method capable of simplifying login processing and also simplifying the entire configuration of the system. | 03-12-2009
20090070578 | Methods And Systems For Transmitting Secure Application Input Via A Portable Device - Methods and systems are described for transmitting secure application input via a portable device. In one embodiment, a method includes connecting a portable device to a communication bus of a computing device for exchanging information between the portable device and the computing device. The method further includes connecting the portable device to an input device for exchanging information between the portable device and the input device. The method still further includes transmitting input received from the input device connected to the portable device to the communication bus of the computing device. The input is directed to an application both associated with the portable device and instantiated into a runtime environment of the computing device. The application is further associated with an input component configured for allowing the application to only receive input transmitted via the portable device when the application is instantiated into the runtime environment of the computing device. | 03-12-2009
20100306530 | WORKGROUP KEY WRAPPING FOR COMMUNITY OF INTEREST MEMBERSHIP AUTHENTICATION - Methods and systems for managing a community of interest are disclosed. One method includes creating a workgroup key associated with a community of interest, and protecting one or more resources associated with the community of interest using the workgroup key. The method also includes encrypting the workgroup key using a public key associated with an administrator of the community of interest, the public key included with a private key in a public/private key pair associated with the administrator. The method further includes storing the encrypted workgroup key and associating the workgroup key with a user, thereby adding the user to the community of interest. | 12-02-2010
20100313013 | SYSTEMS AND METHODS FOR SECURE TRANSACTION MANAGEMENT AND ELECTRONIC RIGHTS PROTECTION - The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node. These techniques may be used to support an all-electronic information distribution, for example, utilizing the “electronic highway.” | 12-09-2010
20100325424 | System and Method for Secured Communications - A system for secured communications includes a control center, a network transceiver, an authentication server communicatively coupled between the control center and the network transceiver, and an extended trust device communicatively coupled between the authentication server and a client, the extended trust device being configured to send a device identifier to the authentication server via the network transceiver, the device identifier being based on a combination of a user-configurable parameter and a non-user-configurable parameter of the extended trust device, wherein the authentication server is configured to determine the access privilege of a client to the control center by authenticating the device identifier received from the extended trust device. | 12-23-2010
20100332823 | MULTI-FUNCTIONAL PERIPHERAL, AUTHENTICATION SERVER AND SYSTEM - In a multi-functional peripheral capable of performing user authentication processing in cooperation with an authentication server and processing in cooperation with an external application, a user is able to easily access a screen of a previously used function immediately after logging in, without the necessity of switching between a screen of the function of the multi-functional peripheral itself and a screen of the external application function. | 12-30-2010
20110010539 | Methods And Apparatus For Maintaining Secure Connections In A Wireless Communication Network - In one illustrative example, a method in a mobile communication device operating in a wireless local area network (WLAN) involves performing, via a wireless AP of the WLAN, a first authentication procedure with an authentication server for obtaining a first session key and a key lifetime value associated with the first session key; establishing a first secure connection with the wireless AP based on the first session key; setting a timer with an initial value that is less than or equal to the key lifetime value, and running the timer; communicating in a media session over the first secure connection with the wireless AP; and in response to an expiration of the timer during the media session: performing, during the media session, a second authentication procedure with the authentication server for obtaining a second session key; establishing, during the media session, a second secure connection with the wireless AP using the second session key; and communicating in the media session over the second secure connection with the wireless AP. In another illustrative example, the method involves performing the second authentication procedure with the authentication server in response to identifying a request for establishing the media session, just prior to establishing the media session. | 01-13-2011
20110029769 | METHOD FOR USING TRUSTED, HARDWARE IDENTITY CREDENTIALS IN RUNTIME PACKAGE SIGNATURE TO SECURE MOBILE COMMUNICATIONS AND HIGH VALUE TRANSACTION EXECUTION - A method for trusted package digital signature based on secure, platform-bound identity credentials. The selection of a document to be electronically signed by a user via a computing device is made. A hash for the document is determined. The hash is encrypted with a private key of the user to create a digital signature. The document, an identification credential, and the digital signature are sent to a recipient computing device residing on a network. The identification credential comprises a digital file used to cryptographically bind a public key to specific trusted hardware attributes attesting to the identity and integrity of the trusted computing device. The trusted computing device includes a cryptographic processor. | 02-03-2011
20110029770 | RADIO COMMUNICATION SYSTEM AND AUTHENTICATION PROCESSOR SELECTION METHOD - The present invention applies to a radio communication system that has a subscriber authentication server provided with a plurality of authentication processors, and first and second authentication verification apparatuses that each carry out authentication requests for first and second authentications to the subscriber authentication server for the same subscriber. In this radio communication system, the subscriber authentication server, upon success of the first authentication, reports to the first authentication verification apparatus identification information of the authentication processor that carried out the first authentication, and the first authentication verification apparatus reports to the second authentication verification apparatus the identification information that was reported from the subscriber authentication server. | 02-03-2011
20110040964 | SYSTEM AND METHOD FOR SECURING DATA - The present invention provides a method for securing data distributed by a first user to at least one recipient user, comprising the steps of: responding to a request from the first user to encrypt the data with a key; and recording the location of the key in a database, wherein, on the database receiving a request from the at least one recipient user for authorization, the key is provided to the at least one recipient user upon authorization. | 02-17-2011
20110119484 | Systems and Methods for Securely Providing and/or Accessing Information - The invention is directed to a system for use with a first device in communication with a second device. The system includes a storage medium that is connectable with the first device, a hardened, stand-alone web browser stored on the storage medium, and client authentication data. The web browser uses the client authentication data to facilitate secure communication between the first device and the second device, and the first device communicates with a third device that provides configuration data that includes one or more approved addresses. | 05-19-2011
20100138651 | APPARATUS AND METHOD FOR SELECTING IP SERVICES - An apparatus and method for determining an authorized IP service for an access terminal during the establishment of a PPP connection. In an aspect of the disclosure, a data link is established with the access terminal, and a request to authenticate the access terminal is provided to an authentication/authorization server. During authentication, an IP Service Authorized Parameter is provided by the authentication/authorization server, the IP Service Authorized Parameter indicating the authorized IP service for the access terminal. Thereby, a network layer protocol and a mobility protocol are each configured according to the authorized IP service that corresponds to the IP Service Authorized Parameter. | 06-03-2010
20100131756 | USERNAME BASED AUTHENTICATION AND KEY GENERATION - An apparatus and a method for an authentication protocol. A client generates a server unique identifier of a server prior to communicating with the server. An encrypted password generator module of the client calculates an encrypted password based on the server unique identifier, a username, and an unencrypted password. A communication request generator module of the client generates and sends a communication request to the server. The communication request includes a username, a client random string, a client timestamp, and a client MAC value. The client MAC value is computed over the username, the client random string, and the client timestamp, using the encrypted password as an encryption key. | 05-27-2010
20110087880 | REVOCATION OF CREDENTIALS IN SECRET HANDSHAKE PROTOCOLS - According to a general aspect, a computer-implemented method for a first user to verify an association with a second user through a secret handshake protocol includes maintaining information about a reusable identification handle for the first user, where the information about the reusable identification handle is provided by a trusted third party; maintaining information about a reusable credential for the first user, where the information about the reusable credential is provided by a trusted third party; and maintaining information about a matching reference for verifying an association with another user, where the information about the matching reference is provided by a trusted third party. Information based on the reusable identification handle and based on the reusable credential is transmitted to a potential peer. First information based on a reusable identification handle for the second user is received, and second information based on a reusable credential for the second user is received. A first comparison of a combination of the first information and the second information is performed with the matching reference to determine whether the second user's credentials match the first user's matching reference. A second comparison of the first information with information published on a revocation list is performed to determine whether the second user's credentials have been revoked from usage. Based on the first comparison and the second comparison, a determination is made whether or not to verify the association of the second user with the first user. | 04-14-2011
20090031125 | Method and Apparatus for Using a Third Party Authentication Server - A method and apparatus for a third party authentication server is described. The method includes receiving a record ID for a user, and a one-time key generated by the server and encrypted with the user's public key by the server. The method further includes receiving the user's authentication data from the client, and determining if the user's authentication data matches the record ID. If the authentication data matches the record ID, the one-time key is decrypted with the user's private key, and the decrypted one-time key is returned to the client. | 01-29-2009
20090055642 | Method, system and computer program for protecting user credentials against security attacks - A method, system and computer program is provided for protecting against one or more security attacks from third parties directed at obtaining user credentials on an unauthorized basis, as between a client computer associated with a user and a server computer. The server computer defines a trusted Public Key Cryptography utility for use on the client computer. The Public Key Cryptography utility is operable to perform one or more cryptographic operations consisting of encrypting/decrypting data, authenticating data, and/or authenticating a sender, decrypting and/or verifying data. The user authenticates to the Public Key Cryptography utility, thereby invoking the accessing of user credentials associated with the user, as defined by the server computer. The Public Key Cryptography utility facilitates the communication of the user credentials to the server computer, whether directly or indirectly via an authentication agent, the server computer thereby authenticating the user. In response, the server computer provides the user with access to one or more system resources linked to the server computer. The present invention also provides a series of methods enabling the server computer to authenticate the user by operation of the Public Key Cryptography utility and/or based on enrolment of the user and providing the Public Key Cryptography utility to the user. | 02-26-2009
20100031021 | METHOD FOR IMPROVED KEY MANAGEMENT FOR ATMS AND OTHER REMOTE DEVICES - A method, article, and system for providing an effective implementation of a data structure comprising instructions that are cryptographically protected against alteration or misuse, wherein the instructions further comprise a trusted block that defines specific key management policies that are permitted when an application program employs the trusted block in application programming interface (API) functions to generate or export symmetric cryptographic keys. The trusted block has a number of fields containing rules that provide an ability to limit how the trusted block is used, thereby reducing the risk of the trusted block being employed in unintended ways or with unintended keys. | 02-04-2010
20090313467 | FEDERATED IDENTITY BROKERING - A method, system and apparatus for federated identity brokering. In accordance with the present invention, a credential processing gateway can be disposed between one or more logical services and one or more service requesting clients in a computer communications network. Acting as a proxy and a trusted authority to the logical services, the credential processing gateway can map the credentials of the service requesting clients to the certification requirements of the logical services. In this way, the credential processing gateway can act as a federated identity broker in providing identity certification services for a multitude of different service requesting clients without requiring the logical services to include a pre-configuration for specifically processing the credentials of particular service requesting clients. | 12-17-2009
20100037046 | Credential Management System and Method - A centralized credential management system. Website credentials are stored at a vault. The website credentials are encrypted based upon a key not available to the vault and are for authenticating a user to a third party website. Through a client, a user authenticates to the vault and retrieves the encrypted website credentials, together with parameters and code for properly injecting the credentials into a website authentication form. The website credentials are decrypted at the client and injected into the authentication form using the parameters and code. | 02-11-2010
20090217033 | Short Authentication Procedure In Wireless Data Communications Networks - In a wireless communications network including at least one authenticator and at least one authentication server, wherein the authenticator is adapted to interact with the authentication server for authenticating supplicants in order to conditionally grant thereto access to the wireless communications network, a short authentication method for authenticating a supplicant, the method including: providing a shared secret, shared by and available at the supplicant and the authentication server; having the supplicant provide to the authenticator an authentication token, wherein the authentication token is based on the shared secret available thereat; having the authenticator forward the authentication token to the authentication server; having the authentication server ascertain an authenticity of the received authentication token based on the shared secret available thereat; in case the authenticity of the authentication token is ascertained, having the authentication server generate a first authentication key based on the shared secret available thereat, and provide the generated authentication key to the authenticator; having the supplicant generate a second authentication key based on the shared secret; and having the supplicant and the authenticator exploit the generated first and second keys for communicating with each other. The short authentication method is particularly useful in situations of handoff of the supplicant from one authenticator to another. | 08-27-2009
20100070757 | SYSTEM AND METHOD TO AUTHENTICATE A USER UTILIZING A TIME-VARYING AUXILIARY CODE - A system and method to authenticate a user utilizing a time-varying auxiliary code. The code may be appended to a fixed password, but that is not required. The code is generated by a central electronic authentication system. The user retrieves it manually using a fungible communications device such as a telephone or a computer connected to the Internet. The user must learn the code because he inputs it manually, thereby authenticating himself. The present invention performs the same function as inventions with tokens, that is, it provides an extension to the PIN or password, but it eliminates the token and the synchronization required with such a token. | 03-18-2010
20100070759 | METHOD AND SYSTEM FOR AUTHENTICATING A USER BY MEANS OF A MOBILE DEVICE - The invention relates to a method for authenticating a user of a mobile device ( | 03-18-2010
20100064134 | SECURE IDENTITY MANAGEMENT - The invention relates to a method for providing an identity-related information (IRI) to a requesting entity ( | 03-11-2010
20100058053 | SYSTEM, METHOD AND SECURITY DEVICE FOR AUTHORIZING USE OF A SOFTWARE TOOL - The described embodiments relate generally to methods, systems and security devices for authorizing use of a software tool. Certain embodiments of the invention relate to a security device. The security device comprises at least one communication subsystem for enabling communication between the security device and a first external device, wherein the first external device has a software tool executable on the first external device. The security device further comprises a memory and a processor coupled to the at least one communication subsystem and configured to control the at least one communication subsystem. The memory is accessible to the processor and stores a key for authorizing use of the software tool. The memory further stores program instructions which, when executed by the processor, cause the processor to execute a security application. | 03-04-2010
20110252230 | SECURE ACCESS TO A PRIVATE NETWORK THROUGH A PUBLIC WIRELESS NETWORK - A system, method and computer-program product for a client device to securely access a private network through a public wireless network. The system establishes a first network tunnel between the client device and a gateway of the public wireless network and then authenticates the client device with an authentication server of the private network using the first tunnel. The authentication is proxied by an authentication server of the public network. Once the authentication is successful, a second tunnel is established between the client device and a gateway of the private network for secure access by the client device to the private network. | 10-13-2011
20110252229 | SECURING PASSWORDS AGAINST DICTIONARY ATTACKS - Described herein are various technologies pertaining to constructions of a password-based authentication protocol that are configured to allow a user to register with and authenticate to an online service without the online service receiving a password or a deterministic function of the password of the user. When registering with an online service, a client computing device establishes a cryptographically strong random secret and stores an encryption of such secret with a data storage device. The storage device also never receives the password or a deterministic function of the password. When the user wishes to authenticate to the online service, the user employs her password to retrieve the encrypted secret from the storage device, decrypts such secret, and utilizes the decrypted secret to answer a cryptographically strong challenge provided to the user by the online service upon the online service receiving a username pertaining to such user. | 10-13-2011
20110154023 | Protected device management - A method, apparatus, system, and computer program product for management of storage devices protected by encryption, user authentication, and password protection and auditing schemes in virtualized and non-virtualized environments. | 06-23-2011
20110078437SIMPLIFYING ADDITION OF WEB SERVERS WHEN AUTHENTICATION SERVER REQUIRES REGISTRATION - An aspect of the present invention simplifies addition of new server systems which serve web pages to client systems, when an authentication server requires registration before providing authentication services. In an embodiment, a backend server is provided, which is registered with an authentication server. The server systems are implemented to redirect unauthorized access requests to the backend server, and the configurations performed during registration of the backend server system are used for authenticating a user and receiving an authentication result. The backend server communicates the authentication result and other information received from the authentication server to the server system. According to another aspect, such simplification is performed in a single sign-on (SSO) environment.03-31-2011
20110078438ENTITY BIDIRECTIONAL-IDENTIFICATION METHOD FOR SUPPORTING FAST HANDOFF - An entity bidirectional-identification method for supporting fast handoff involves three security elements, which include two identification elements A and B and a trusted third party (TP). All identification entities of a same element share a public key certificate or own a same public key. When any identification entity in identification element A and any identification entity in identification element B need to identify each other, if the identification protocol has never been run between the two identification elements that they belong to respectively, the whole identification protocol process will be run; otherwise, the identification protocol interaction takes place only between the two identification entities. Application of the present invention not only centralizes management of public keys and simplifies the protocol operating conditions, but also utilizes the concept of a security domain so as to reduce the management complexity of public keys, shorten identification time and satisfy fast handoff requirements while guaranteeing security characteristics such as one key for every pair of identification entities, one secret key for every identification and forward secrecy.03-31-2011
20110060903GROUP SIGNATURE SYSTEM, APPARATUS AND STORAGE MEDIUM - A group signature system according to one embodiment of the present invention comprises a group administrator apparatus, signer apparatuses and a verifier apparatus which can communicate with one another. Here, in a group signature method used by the apparatuses, a multiplication cyclic group or a bilinear group in which an order is unknown as in RSA is not used at all, but a multiplication cyclic group gG of a prime order q is only used, and representation parts k03-10-2011
20110060902VPN CONNECTION SYSTEM AND VPN CONNECTION METHOD - For establishing a VPN connection of the call-back type, a VPN server establishes an always-on connection to a relay server through a unique protocol different from the electronic mail delivery system. A client generates client authentication data used for the client authentication implemented by the VPN server, and connects to the relay server through the unique protocol to transmit the client authentication data. The relay server device relays the client authentication data to the VPN server through the unique protocol. The VPN server implements the client authentication based on the relayed data. The VPN server establishes the VPN connection with the client based on the result of the authentication.03-10-2011
20110016311METHOD FOR PREVENTING LAUNDERING AND REPACKAGING OF MULTIMEDIA CONTENT IN CONTENT DISTRIBUTION SYSTEMS - A method for distributing content in a content distribution system is disclosed which comprises the steps of: encrypting at a Content Packager a content using a content encryption key to generate an encrypted content; sending the content encryption key to a Licensing Authority; receiving from the Licensing Authority a distribution key containing an encryption of the content decryption key (K01-20-2011
20110213959METHODS, APPARATUSES, SYSTEM AND RELATED COMPUTER PROGRAM PRODUCT FOR PRIVACY-ENHANCED IDENTITY MANAGEMENT - A method and related apparatus include the steps of registering, from a client at a service providing network entity, first client-related identity information and, from the client at an identity providing network entity, second client-related identity information being different from the first client-related identity information and being generated based on the first client-related identity information. Key information is a secret of the client and identity information is related to the service providing network entity. A second method and related apparatus include the step of determining, at a service providing network entity, the first client-related identity information based on the second client-related identity information being received from the identity providing entity. Finally, a third method and related apparatus include the step of authenticating, towards the service providing network entity, the second client-related identity information being received from the client.09-01-2011
20110016310SECURE SERIAL INTERFACE WITH TRUSTED PLATFORM MODULE - A secure system having a Trusted Platform Module coupled between a peripheral device and a host. In operation, the Trusted Platform Module is provided to control communication between the peripheral device and the host.01-20-2011
20110010538METHOD AND SYSTEM FOR PROVIDING AN ACCESS SPECIFIC KEY - An access specific key is provided for securing a data transfer between a mobile terminal and a node of an access network. For authentication of the mobile terminal, an authentication server generates a session key, from which a basic key is derived and transferred to an interworking proxy server. The interworking proxy server derives the access specific key from the transferred basic key and provides the key to the node of the access network.01-13-2011
20120204027AUTHENTICATION METHOD AND APPARATUS IN A COMMUNICATION SYSTEM - An authentication method and apparatus in a communication system are provided. In a method for authenticating a first node at a second authentication server in a communication system comprising the first node registered to a first authentication server and a second node registered to the second authentication server, an authentication request message requesting authentication of the first node is received from the second node, the authentication request message is transmitted to the first authentication server, and upon receipt of an authentication success message indicating successful authentication of the first node from the first authentication server, the authentication success message is transmitted to the second node.08-09-2012
20120204026PRIVACY-PRESERVING AGGREGATION OF TIME-SERIES DATA - A private stream aggregation (PSA) system contributes a user's data to a data aggregator without compromising the user's privacy. The system can begin by determining a private key for a local user in a set of users, wherein the sum of the private keys associated with the set of users and the data aggregator is equal to zero. The system also selects a set of data values associated with the local user. Then, the system encrypts individual data values in the set based in part on the private key to produce a set of encrypted data values, thereby allowing the data aggregator to decrypt an aggregate value across the set of users without decrypting individual data values associated with the set of users, and without interacting with the set of users while decrypting the aggregate value. The system also sends the set of encrypted data values to the data aggregator.08-09-2012
20080320298System and Method for Protecting Electronic Devices - An electronic safe includes apparatus ID codes of various electronic devices as well as security keys associated with the apparatus ID codes. In order for an electronic device to be operated, it must first make connection with the electronic safe in order to verify the security key. Once the security key is received and verified, the electronic device is enabled to perform its function. However, if the security key is not received or not verified, the electronic device is disabled until such time as the security key is received and verified. This would effectively render stolen electronic devices unusable and worthless.12-25-2008
20090138703Disabling Remote Logins Without Passwords - A method and apparatus for disabling password-less remote logins. In one embodiment, the method comprises receiving a remote login request at a first computing system from a user of a second computing system. Both the first computing system and the second computing system mount home directories from a file server. The request includes a public key associated with the user. An authorized key file associated with the user is located in the home directories. The authorized key file has zero length and is owned by a root user of the file server. The method further comprises prompting the user of the second computing system for a password in response to the request.05-28-2009
20090063851ESTABLISHING COMMUNICATIONS - A method of establishing direct and secure communication between two wireless communications devices is disclosed. The wireless communications devices each have an existing trust relationship with an authentication server operable to authenticate access to a communication network on the basis of those existing trust relationships. The method comprises: (i) sending a communication request message directly from a first wireless communications device to a second wireless communications device; (ii) operating one of said wireless communication devices to request a symmetric encryption key from an authentication server; (iii) responsive to said request, operating said authentication server to: authenticate said one of said wireless communications devices on the basis of said existing trust relationship; generate said symmetric encryption key on successful authentication of said one of said wireless communications devices; and send said symmetric encryption key to said one of said wireless communications devices; (iv) responsive to receiving said symmetric encryption key, storing said symmetric encryption key at said one of said wireless communications devices and communicating it directly to the other wireless communications device; (v) securing direct communications between said wireless communications devices using said symmetric encryption key.03-05-2009
20110161658METHOD FOR ENABLING LIMITATION OF SERVICE ACCESS - A method for enabling limitation of service access, wherein a service provider offers at least one service and a user possesses multiple different digital identities that can be used to invoke or register with the service, access to the service requiring an account at a third party entity, the user registers his digital identities with the account and agrees on a secret with the third party entity, the method including: 06-30-2011
20110047372MASHAUTH: USING MASHSSL FOR EFFICIENT DELEGATED AUTHENTICATION - The present invention provides a method that allows the MashSSL protocol to be used to provide a secure and efficient way for delegated authentication. The invention allows services which already have an SSL infrastructure to reuse that infrastructure for delegated authentication, and to do so in a fashion where the cryptographic overhead is amortized across multiple users, and which provides the user with greater control of what information is shared on their behalf.02-24-2011
20100325425METHOD FOR AUTOMATIC WLAN CONNECTION BETWEEN DIGITAL DEVICES AND DIGITAL DEVICE THEREFOR - A method and apparatus for performing an automatic wireless connection with a second digital device by a first digital device is provided. The method includes acquiring, by the first input device, random information used for the wireless connection; checking a status of a Wireless Local Area Network (WLAN); storing the checked status; setting the WLAN to an Ad-hoc mode; setting a Service Set Identifier (SSID) of the WLAN using the random information; setting a security key of the WLAN using the random information; and setting an Internet Protocol (IP) address of the WLAN using the random information.12-23-2010
20110055554WIRELESS PERSONAL AREA NETWORK ACCESSING METHOD - A wireless personal area network accessing method is provided, the method includes that: a coordinator broadcasts a beacon frame, the beacon frame includes the information about whether the coordinator sends an authentication requirement, the beacon frame also includes the authentication and key management package supported by the coordinator when a device receives the authentication requirement, the device receives the beacon frame, the authentication between the coordinator and the device is made by using an authentication method corresponding to the authentication and key management package supported by the coordinator, when the device determines that the coordinator and the device is directly made according to the authentication result, or the association between the coordinator and the device is made after making session key negotiation.03-03-2011
20110055553Method for controlling user access in sensor networks - A method for implementing energy-efficient user access control for wireless sensor networks is disclosed. A user creates a secret key and sends it to a sensor. The sensor builds a first MAC value with the secret key and sends it to the Key Distribution Center, which builds a second MAC value and sends it to the sensor. The sensor decrypts the second MAC value to get a random number, and builds a third MAC value with the random number. The third MAC value is used by the user to authenticate the sensor.03-03-2011
20080256356SECURE MEDIA BROADCASTING USING TEMPORAL ACCESS CONTROL - Improved key management techniques are disclosed for temporal access control of one or more services in a computer network. For example, a method for providing access control in a client-server system includes the following steps. A client obtains an authorization key for a time interval. A server derives an encryption key corresponding to a given time and uses the encryption key to encrypt a message. The client derives a decryption key corresponding to the given time and decrypts the message.10-16-2008
20110264910COMMUNICATION CONTROL DEVICE, COMPUTER-READABLE MEDIUM, AND COMMUNICATION CONTROL SYSTEM - A virtual authentication proxy server includes an authentication request acceptance unit, a terminal authentication program transmission unit and an authentication result transmission unit. When an application server which cannot use an authentication server accepts a user ID and a password together with a use request from a terminal, the authentication request acceptance unit accepts the authentication request. The terminal authentication program transmission unit transmits a terminal authentication program to a terminal device. The authentication result transmission unit causes the terminal device to execute the terminal authentication program so as to cause the authentication server to execute authentication. The authentication result transmission unit receives the authentication result from the terminal device and transmits the authentication result to the application server.10-27-2011
20100293370AUTHENTICATION ACCESS METHOD AND AUTHENTICATION ACCESS SYSTEM FOR WIRELESS MULTI-HOP NETWORK - Authentication access method and authentication access system for a wireless multi-hop network. The terminal equipment and the coordinator have the capability of port control; the coordinator broadcasts a beacon frame, and the terminal equipment selects an authentication and key management suite and transmits a connecting request command to the coordinator. The coordinator performs authentication with the terminal equipment according to the authentication and key management suite selected by the terminal equipment and, after authentication, transmits a connecting response command to the terminal equipment. The terminal equipment and the coordinator control the port according to the authentication result, therefore authenticated access for the wireless multi-hop network is realized. The invention solves the security problem of the wireless multi-hop network authentication method.11-18-2010
20110126000METHOD FOR ACCESSING DATA SAFELY SUITABLE FOR ELECTRONIC TAG - A method for accessing data safely, which is suitable for electronic tags with low performance, is provided. The method comprises the following steps: when performing a data writing process, the first read-write device encrypts the message MSG and then writes the message in the electronic tag; when performing a data reading process, the second read-write device sends a data request packet to the electronic tag; the electronic tag sends a data response packet to the second read-write device according to the data request packet; the second read-write device sends a key request packet to a trusted third party; the trusted third party verifies the validity of the identity of the second read-write device according to the key request packet, and sends a key response packet to the second read-write device once the verification is passed; the second read-write device obtains the plain text of the electronic tag message MSG according to the key response packet. This invention can realize safe access to the data of electronic tags with low performance.05-26-2011
20110138172ENTERPRISE COMPUTER INVESTIGATION SYSTEM - A method, apparatus and system for secure forensic investigation of a target machine by a client machine over a communications network. In one aspect the method comprises establishing secure communication with a server over a communications network, establishing secure communication with the target machine over the communications network, wherein establishing secure communication with the target machine includes establishing secure communication between the server and the target machine, installing a servelet on the target machine, transmitting a secure command to the servelet over the communications network, executing the secure command in the servelet, transmitting data, by the target machine, in response to a servelet instruction, and receiving the data from the target machine over the communication network. It is emphasized that this abstract is provided to comply with the rules requiring an abstract which will allow a searcher or other reader to quickly ascertain the subject matter of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or the meaning of the claims.06-09-2011
20120311321DATA CERTIFICATION METHOD AND SYSTEM - A data certification system and method for signing electronic data with a digital signature in which a central server comprises a signature server and an authentication server. The signature server securely stores the private cryptographic keys of a number of users. The user contacts the central server using a workstation through the secure tunnel which is set up for the purpose. The user supplies a password or other token based on information previously supplied to the user by the authentication server through a separate authentication channel. The authentication server provides the signature server with a derived version of the same information through a permanent secure tunnel between the servers, which is compared with the one supplied by the user. If they match, data received from the user is signed with the user's private key.12-06-2012
20120311320Mobile Transaction Methods and Devices With Three-Dimensional Colorgram Tokens - A transaction security process includes authentication and identification parts for pushing an encrypted colorgram for user authentication and persona descriptors for user identification from a transaction server to a first personal trusted device. A decryption of the colorgram is displayed on the first personal trusted device. An image is captured by a second personal trusted device. An encryption of the image captured from the second personal trusted device is uploaded to the transaction server. The persona descriptors are used to build a composite rendering for identification of the first user to the second user. The second user clicks “OK” if they recognize the composite drawing as a reasonable persona of the first user.12-06-2012
20110145566Secret Encryption with Public or Delegated Comparison - Described is a technology comprising a system in which two distrusting parties can submit sets of encrypted keywords using two independent secret keys to a third party who can decide, using only public keys, if the underlying cleartext message of a cryptogram produced by one distrusting party matches that of a cryptogram produced by the other. The third party (e.g., a server) uses generator information corresponding to a generator of an elliptic curve group to determine whether the sets of encrypted keywords match each other. Various ways to provide the generator information based upon the generator are described. Also described is the use of one-way randomization and two-way randomization as part of the system to protect against dictionary attacks.06-16-2011
20100100724SYSTEM AND METHOD FOR INCREASING THE SECURITY OF ENCRYPTED SECRETS AND AUTHENTICATION - In general, in one aspect, the invention relates to a method for accessing encrypted data by a client. The method includes receiving from the client by a server client information derived from a first secret, wherein the client information is derived such that the server cannot feasibly determine the first secret. The method also includes providing to the client by the server intermediate data, which is derived responsive to the received client information, a server secret, and possibly other information. The intermediate data is derived such that the client cannot feasibly determine the server secret. The method also includes authenticating the client by a device that stores encrypted secrets and is configured not to provide the encrypted secrets without authentication. After the authenticating step, the method also includes providing the encrypted secrets to the client. The encrypted secrets 04-22-2010
20090300347SET MEMBERSHIP PROOFS IN DATA PROCESSING SYSTEMS - A method and apparatus for proving and a method and apparatus for verifying that a secret value is a member of a predetermined set of values. The proving mechanism receives a set of signatures which has respective values in the predetermined set signed using a private key. The proving mechanism sends to the verifying mechanism a commitment on the secret value of the proving mechanism. The proving mechanism and verifying mechanism then communicate to implement a proof of knowledge protocol demonstrating knowledge by the proving mechanism of a signature on the secret value committed to in the commitment, thus proving that the secret value is a member of the predetermined set.12-03-2009
20090292915NETWORK SYSTEM AND DEVICE SETTING METHOD OF NETWORK SYSTEM - Disclosed is a network system including: a provisioning server to provide setting information to a device newly connected to a network; and a mediating device to mediate information transmission between the device newly connected to the network and other device, wherein the mediating device includes: a communication function to communicate with the device newly connected to the network; an access control function to restrict access to the other device to a certain amount or less; and a data transfer function to transfer data, and when there is a transfer request of the setting information from the device newly connected to the network, the mediating device sends the transfer request to the provisioning server by restricted access based on the access control function, and when the setting information is sent from the provisioning server, the mediating device transfers the setting information to the device newly connected to the network.11-26-2009
20100031023METHOD AND SYSTEM FOR PROVIDING CENTRALIZED DATA FIELD ENCRYPTION, AND DISTRIBUTED STORAGE AND RETRIEVAL - An approach is provided for securely storing sensitive data values. A primary facility is provided that directly or indirectly receives requests from a requestor to store an actual data value. The primary facility obtains a replacement value associated with the actual value and encrypts the actual value, and the replacement value is transmitted to the requestor. The replacement and encrypted values are stored in a master copy database at the primary facility, and copies thereof are stored in distributed secondary databases. When the requestor needs an actual data value, the requestor transmits the replacement value either to the primary facility for retrieval of data from the master database, or to the secondary facility for retrieval from the respective secondary database. The chosen facility retrieves the encrypted value from its respective database using the replacement value, decrypts the encrypted value, and transmits the actual value back to the requestor.02-04-2010
20100031022SYSTEM AND METHOD FOR VERIFYING NETWORKED SITES - A system and method for indicating to a user that a networked site is authentic includes a verification application configured to send a request to verify the authenticity of the networked site together with identity information about the site to a verification server. The verification application has access to encrypted user-customized information that was previously selected by a user and is encrypted and stored locally on the end-user device. The verification server verifies whether the networked site is authentic and is further configured to enable decryption of the encrypted user-customized information when a networked site is verified as authentic, so that the user-customized information can be presented to the user.02-04-2010
20100017596System and method for managing authentication cookie encryption keys - There is provided a system and method for managing authentication cookie encryption keys. The system comprises a computing device including a memory with authentication data having a key identifier and encrypted data with a session identifier. The key identifier references a key having a validity period, the key capable of decrypting the authentication data. A processor of the computing device can respond to user requests for information by retrieving the authentication data and transmitting it to a server. The server can then authenticate the user by verifying the encrypted session identifier using the referenced key. There is also provided a method by which a key server can manage encryption keys. The key server receives an encryption key having a validity period, receives a validity request, confirms or rejects the validity of the encryption key, and automatically invalidates the encryption key upon expiration of the validity period.01-21-2010
20120017080METHOD FOR ESTABLISHING SAFE ASSOCIATION AMONG WAPI STATIONS IN AD-HOC NETWORK - The present invention discloses a method for establishing a security association among WAPI stations in an ad-hoc network, and the method comprises: when a security association between two stations in the ad-hoc network is to be established, one station STA01-19-2012
20120023325VIRTUAL PRIVATE NETWORK SYSTEM AND NETWORK DEVICE THEREOF - A virtual private network (VPN) system and a network device thereof are provided. The VPN system includes a first network device, a second network device, and an authentication server. The first network device provides an encrypted connection setup request message containing authentication information to the second network device. The second network device receives the encrypted connection setup request message and forwards the authentication information to the authentication server to perform a first authentication process, so as to determine whether the first network device is authorized. If the first network device is authorized, the first network device and the second network device directly exchange a set of VPN arguments and perform a second authentication process through the exchange of the VPN arguments, so as to establish an IPSec VPN connection between the first network device and the second network device.01-26-2012
20120060025SERVICE PROVIDER INVOCATION - A service provider may provide one or more services to and/or for a client. Providing a service may involve receiving a service request including a security token at the service provider and determining whether the security token is valid. Providing the service may also involve determining a session security token if the security token is valid and generating a service response including the session security token. Providing the service may further involve receiving a service request including the session security token, determining whether the session security token is valid, and, if the session security token is valid, generating a second service response.03-08-2012
20120159155Direct Anonymous Attestation Scheme with Outsourcing Capability - A Direct Anonymous Attestation (DAA) scheme using elliptic curve cryptography (ECC) and bilinear maps. A trusted platform module (TPM) may maintain privacy of a portion of a private membership key from an issuer while joining a group. Moreover, the TPM can outsource most of the computation involved in generating a signature to a host computer.06-21-2012
20120159154AUTHENTICATING METHOD AND MOBILE TERMINAL FOR CODE DIVISION MULTIPLE ACCESS (CDMA) EVOLUTION TO PACKET DATA OPTIMIZED (EVDO) NETWORK - The successful authenticating of a Network Access Identifier (NAI) process is enabled by an authenticating method and a mobile terminal for a Code Division Multiple Access (CDMA) EVolution to packet Data Optimized (EVDO) network. The authenticating method for the EVDO network includes an NAI authenticating and a Challenge Handshake Authentication Protocol (CHAP) authenticating, in which the NAI authenticating method includes: when it is determined that the identifier supporting a Message-Digest 5 (MD5) authenticating method is stored in a User Identity Model (UIM) (S06-21-2012
20120159153Efficient Identity-Based Ring Signature Scheme With Anonymity And System Thereof - An identity-based ring signature authentication method provides an efficient identity-based ring signature method, which has a constant number of bilinear pairing computations independent the number of ring members in a verification process. The method does not use a special type of function, e.g., MapToPoint.06-21-2012
20120159152METHOD AND APPARATUS FOR SMART-KEY MANAGEMENT - A method and an apparatus for smart key management are disclosed. The apparatus for smart key management can receive a smart key duplicate request message from a user terminal, perform user authentication using terminal information or user information included in the smart key duplicate request message, duplicate a registered smart key corresponding to the terminal information or the user information if the result the user authentication is authentication success, and transmit the duplicated smart key to a target terminal using the target terminal information.06-21-2012
20110107086 | SECURE AUTHENTICATION AND PRIVACY OF DATA COMMUNICATION LINKS VIA DYNAMIC KEY SYNCHRONIZATION - A dynamic computer system security method and system using dynamic encryption and full synchronization between system nodes. A data record from a data stream created by a source user is encrypted with an initial dynamic session key. A new dynamic session key is generated based upon a data record and a previous dynamic session key. The new dynamic session key is then used to encrypt the next data record. A central authority is used to synchronize and authenticate both source and destination users with dynamic authentication keys. The central authority and users constantly regenerate new dynamic authentication keys. A child process is forked to ensure synchronization and authentication of dynamic authentication keys of each node upon a request for a secure communication establishment from a user. The central authority generates the initial dynamic session key with the current dynamic authentication key to begin a secure communication session. | 05-05-2011
20110107088 | SYSTEM AND METHOD FOR VIRTUAL TEAM COLLABORATION IN A SECURE ENVIRONMENT - A computing platform for facilitating dynamic connection and collaboration of users to transact services in a secure computing environment. The users include service providers and service requesters. The platform includes a registration module for registering users including service requesters and service providers, a connection module for connecting users to form groups based on users' selective invitations to other users, and a collaboration module for creating a virtual secure data room for collaboration and sharing of encrypted data by the connected users in a user-friendly and transparent manner. The platform further comprises a transaction module for settling payments between the service requesters and the service providers based on completion of previously agreed project milestones. | 05-05-2011
20110107087 | APPARATUS AND METHOD FOR REFRESHING MASTER SESSION KEY IN WIRELESS COMMUNICATION SYSTEM - A Master Session Key (MSK) refresh in a wireless communication system is provided. An MSK refreshing method includes: when receiving a first Media Access Control (MAC) message including MSK refresh indication information from a Base Station (BS), generating, at a Mobile Station (MS), an Extended Master Session Key (EMSK)_Hash by applying a hash function to an EMSK and sending a second MAC message including the EMSK_Hash; sending, at the BS, a context request message including the EMSK_Hash to an Access Service Network GateWay (ASN-GW); sending, at the ASN-GW, an authentication request message including the EMSK_Hash to an authentication server; when receiving the authentication request message including the EMSK_Hash, confirming, at the authentication server, the same EMSK as the MS based on the EMSK_Hash; determining an MSK | 05-05-2011
20100095113 | Secure Content Distribution System - In accordance with one aspect of the invention, a system is provided that includes a database configured to store data according to a first encryption protocol such as an FDE HDD protocol. The data provided to the database is encrypted according to a second encryption protocol such as an AES protocol. A user selects a desired video through a server coupled to the database. Upon payment and selection by the user, a manager provides a first key to the database so that the first encryption may be stripped from the selected video. The server couples to a remote content key server to obtain a second key to remove the second type of encryption. The resulting decrypted digitized video may then be burned to a DVD disc for distribution to the user. | 04-15-2010
20120131332 | Method and Apparatus for Authenticating Online Transactions Using a Browser - A computer-implemented method for authenticating a user using a service provider server and an authentication server, the user communicating with at least one of the service provider server and the authentication server using a user browser. The method includes requesting, using the user browser, authentication with the service provider server. The method also includes authenticating, using the user browser, a secure communication channel with the authentication server. The method also includes receiving, using the user browser, a Next Pre-Authentication Anchor (NPAA) value from the authentication server. The method additionally includes temporarily storing the Next Pre-Authentication Anchor (NPAA) value in a user browser cookie associated with the user browser, wherein the Next Pre-Authentication Anchor (NPAA) value is protected by employing the Same Origin Policy (SOP). | 05-24-2012
20120166795 | SECURE APPLICATION ATTESTATION USING DYNAMIC MEASUREMENT KERNELS - Methods and apparatus to provide secure application attestation using dynamic measurement kernels are described. In some embodiments, secure application attestation is provided by using dynamic measurement kernels. In various embodiments, P-MAPS (Processor-Measured Application Protection Service), Secure Enclaves (SE), and/or combinations thereof may be used to provide dynamic measurement kernels to support secure application attestation. Other embodiments are also described. | 06-28-2012
20100082973 | Direct anonymous attestation scheme with outsourcing capability - A Direct Anonymous Attestation (DAA) scheme using elliptic curve cryptography (ECC) and bilinear maps. A trusted platform module (TPM) may maintain privacy of a portion of a private membership key from an issuer while joining a group. Moreover, the TPM can outsource most of the computation involved in generating a signature to a host computer. | 04-01-2010
20110185170 | COMMUNICATION WITH NON-REPUDIATION AND BLIND SIGNATURES - Apparatus, systems, and methods may operate to receive, at a trusted third party (TTP), a signed disguised message as a disguised receiver signature from a receiver that has signed a disguised message using a blind signature process to transform the disguised message into the signed disguised message. Additional activities may include sending, from the TTP, an undisguised version of the disguised message to the receiver, and the receiver signature to a sender of the undisguised version, after determining that the receiver signature is valid. Additional apparatus, systems, and methods are disclosed. | 07-28-2011
20100174900 | METHOD AND APPARATUS FOR AUTHENTICATING ONLINE TRANSACTIONS USING A BROWSER - A computer-implemented method for authenticating a user using a service provider server and an authentication server, the user communicating with at least one of the service provider server and the authentication server using a user browser. The method includes requesting, using the user browser, authentication with the service provider server. The method also includes authenticating, using the user browser, a secure communication channel with the authentication server. The method also includes receiving, using the user browser, a Next Pre-Authentication Anchor (NPAA) value from the authentication server. The method additionally includes temporarily storing the Next Pre-Authentication Anchor (NPAA) value in a user browser cookie associated with the user browser, wherein the Next Pre-Authentication Anchor (NPAA) value is protected by employing the Same Origin Policy (SOP). | 07-08-2010
20120173872 | Secure Access to a Virtual Machine - A method for providing secure access to a virtual machine includes dispensing an image corresponding to a virtual machine from a management appliance to a distributed computing system such that the virtual machine is implemented by at least one of a plurality of interconnected physical computing devices in the distributed computing system; establishing a trusted relationship between the management appliance and the virtual machine; and providing a user with access to the virtual machine from the management appliance without further authentication credentials from the user. | 07-05-2012
20100299519 | METHOD FOR MANAGING WIRELESS MULTI-HOP NETWORK KEY - A method for managing wireless multi-hop network keys is applicable to a security application protocol when a WAPI frame method (TePA, an access control method based on the ternary peer-to-peer identification) is applied in a concrete network containing a Wireless Local Area Network, a Wireless Metropolitan Area Network and a Wireless Personal Area Network. The key management method of the present invention includes the steps of key generation, key distribution, key storage, key modification and key revocation. The present invention solves the technical problems that the prior pre-shared-key based key management method is not suitable for larger networks and the PKI-based key management method is not suitable for wireless multi-hop networks; the public-key system and the ternary structure are adopted, thereby improving the security and the performance of the wireless multi-hop networks. | 11-25-2010
20120179906 | METHOD AND DEVICE FOR AUTHENTICATING PERSONAL NETWORK ENTITY - A method of authenticating a Personal Network Entity (PNE) is provided. The method includes transmitting a PNE serial number (SN | 07-12-2012
20120179905 | Methods and Systems for Distributing Cryptographic Data to Authenticated Recipients - A method for distributing cryptographic data to authenticated recipients includes receiving, by an access control management system, from a first client device, information associated with an encrypted data object. The method includes receiving, by the access control management system, from a second client device, a request for the information associated with the encrypted data object. The method includes verifying, by the access control management system, that a user of the second client device is identified in the received information associated with the encrypted data object. The method includes authenticating, by the access control management system, with an identity provider, the user of the second client device. The method includes sending, by the access control management system, to the second client device, the received information associated with the encrypted data object. | 07-12-2012
20120179904 | Remote Pre-Boot Authentication - A host computer cloud has a processor and supports a virtual machine. An agent under control of a user is in communication with the cloud over a network. A key management server is in communication with the cloud over a network. The cloud stores the virtual machine in the form of a virtual encrypted disk on a non-volatile storage medium. When commanded by the agent, the cloud requests a disk-wrapping key from the key management server and decrypts the encrypted disk using the disk-wrapping key. | 07-12-2012
20120179903 | COMPACT ATTRIBUTE FOR CRYPTOGRAPHICALLY PROTECTED MESSAGES - A system and associated method for verifying a signature of a signed message having a compact attribute. Components of the compact attribute of the signed message appear in a predefined order within the compact attribute, and are identified by an object identifier associated with the compact attribute. A processing flag and a security assertion are among the components of the compact attribute. The processing flag directs rules to process the security assertion. The security assertion is made by an authority trusted by both a sender and a recipient of the signed message. The recipient validates the signature of the signed message based on the processing flag and the security assertion recovered from the compact attribute. | 07-12-2012
20100275011 | METHOD AND APPARATUS FOR SECURE COMMUNICATIONS - The present invention provides a method and apparatus for a trusted service provider (TSP) which assists with the secure exchange of data across the public switched telephone network. Communications are routed via a TSP, which uses cryptographic techniques to conceal the identities (e.g., telephone numbers) of the call initiator and call recipient, thereby preventing traffic analysis attacks. The TSP also performs cryptographic handshakes with the call initiator and call recipient to authenticate callers. The TSP further provides cryptographic keying material which communicants may use to help protect communications and to directly authenticate and identify each other. Although the TSP is trusted to negotiate the connection and is involved in the process, the communicants can perform their own key agreement and authentication for protecting data routed via the TSP. | 10-28-2010
20100275009 | METHOD FOR THE UNIQUE AUTHENTICATION OF A USER BY SERVICE PROVIDERS - The invention relates to a method for unique authentication of a user (U) by at least one service provider (SP), said method including a preliminary identity federation stage of federating an identity (user@sp) of said user for said service provider and an identity (user@idp) of the user (U) for an identity provider (IdP). According to the invention, said preliminary identity federation stage includes the steps of: the user (U) generating a user alias ([alias]) for that service provider (SP) and sending said identity provider (IdP) a masked alias ([alias] | 10-28-2010
20120233455 | REDUNDANT KEY SERVER ENCRYPTION ENVIRONMENT - Provided are a computer program product, system and method for a redundant key server encryption environment. A key server receives from at least one remote key server public keys associated with the at least one remote key server. The key server receives a request for an encryption key from a requesting device and generates the encryption key for use by the requesting device to unlock a storage. The key server generates a first wrapped encryption key by encrypting the encryption key with a requesting device public key, a second wrapped encryption key by encrypting the encryption key with a public key associated with the key server, and at least one additional wrapped encryption key by encrypting the encryption key with the at least one public key provided by the at least one remote key server. The key server transmits the generated keys to the requesting device. | 09-13-2012
20120233456 | METHOD FOR SECURELY INTERACTING WITH A SECURITY ELEMENT - A method for secured interaction with a security module which is integrated into an end device, via an input device of the end device, the input device being reserved by a security application which is executable in a trustworthy region of the end device. Subsequently, first authentication data are input via the reserved input device. The security application derives second authentication data from the first authentication data using secret data stored in the trustworthy region. The latter are subsequently encrypted by the security application and transferred to the security module and/or to a server. In the security module and/or the server the received, encrypted second authentication data are finally decrypted. | 09-13-2012
20100011207 | Service Oriented Architecture Device - A system for Service Oriented Architecture (SOA) communication includes a plurality of SOA nodes having a standardized hardware configuration, wherein the standardized hardware configuration includes an operating engine; an encryption module accessed by the operating engine, which provides security for message traffic; a compression module to compress and decompress the message traffic; a routing module accessed by the operating engine, to determine the routing of message types, with incoming traffic routed to appropriate service clients and outbound traffic routed to appropriate SOA devices; a security module that authenticates and authorizes message traffic; and one or more network interfaces, and one or more networks over which the SOA nodes communicate with one another. | 01-14-2010
20120185692 | Secure cloud computing system - The present invention provides a method and apparatus for securing electronic systems, including computers, information appliances and communication devices. The invention in question addresses the problem of preventing compromise by severe attacks directed at the protected systems. A severe attack could mean any of the following: low level debugging, use of in-circuit emulators or logic analyzers, removal of silicon dice and inspection including by lapping and micro-photography, and other well-known methods of attack such as distributed denial of service. In order to protect systems and data from such severe attacks, a mechanism is required whose operation is irreparably altered by the attempt to understand its operation through such attacks. Moreover, the mechanism must cease operation instantly upon detection of any intrusion associated with an attack, whether by software or by hardware based means. | 07-19-2012
20120260088 | METHOD AND DEVICE FOR SECURELY TRANSMITTING DATA - Cryptographic methods are used at the application level, unlike known methods using point-to-point connections that can only be sufficiently secured at the transport level. Integrity protection and confidentiality protection of data are implemented at the application level for use in network technology. | 10-11-2012
20080301436 | METHOD AND APPARATUS FOR PERFORMING AUTHENTICATION BETWEEN CLIENTS USING SESSION KEY SHARED WITH SERVER - Provided is a method and apparatus for performing authentication between clients that complete authentication with a server. The method includes receiving first authentication information generated using the second session key from the server; receiving second authentication information generated using the second session key from the second client; and determining whether the authentication with the second client is successful using the first authentication information and the second authentication information. | 12-04-2008
20080301437 | Method of Controlling Access to a Scrambled Content - A method for access control to a digital scrambled content distributed to a set of installed reception terminals including one master terminal and at least one slave terminal dependent on the master terminal. In the method the slave terminal systematically or occasionally returns at least one item of information about the access condition to the master terminal through a point-to-point link, to enable the master terminal to control access of the slave terminal to the content. | 12-04-2008
20080301435 | Peer-to-peer security authentication protocol - A salt transmitted by a second node is received at a first node. The received salt is used to decrypt encrypted data. Optionally, authorization to access a service provided by the second node is received by the first node. In some cases the service includes access to one or more files. | 12-04-2008
20120265983 | METHOD AND APPARATUS FOR PROVIDING MACHINE-TO-MACHINE SERVICE - A method and an apparatus for providing Machine-to-Machine (M2M) service are provided. A method of providing service by an M2M device includes transmitting a request for service to a Network Security Capability (NSEC), the request for service comprising an identifier of a Device Service Capability Layer (DSCL) of the M2M device, performing an Extensible Authentication Protocol (EAP) authentication with an M2M Authentication Server (MAS) via the NSEC, and generating, if the EAP authentication is successful, a service key using a Master Session Key (MSK), a first constant string, and the identifier of the DSCL. | 10-18-2012
20120265982 | METHOD, AUTHENTICATION SERVER, TERMINAL AND SYSTEM FOR IMPLEMENTING KEY MAPPING - The disclosure provides a method for implementing key mapping applied to a Next Generation Network (NGN), which mainly includes: when a handoff of a terminal from an original network to a destination network is performed, an authentication server receiving a key material mapping request from the terminal, mapping an original key material in the original network to obtain a destination key material in the destination network, and setting up communication security between the terminal and the destination network. In addition, the disclosure further discloses an authentication server, a terminal and a system for implementing key mapping. By applying the solution of the disclosure, when the handoff of the terminal between different NGNs is performed, it is possible to improve the efficiency of session key generation and to reduce the time delay of the handoff of the terminal between the networks, and it is advantageous to reduce authentication signaling interaction and the load of the authentication server. | 10-18-2012
20100100725 | PROVIDING REMOTE USER AUTHENTICATION - Providing a remote computer user authentication service involves providing a reference to a user authentication service in a host server's source code (e.g., website source code). Further, integration code that may be used in an application programming interface (API) on the host server for interaction with a user authentication service can be provided. Additionally, a user interface (UI) for user authentication on the host server, and an authentication-test message on the host server using the UI may be provided. Also, providing authentication can comprise sending an authentication-request message to a mobile device designated by the user; and/or can comprise the user responding with information from the authentication-test message. The host server can be notified of the user's authentication after a correct response is received by the user authentication service. | 04-22-2010
20110231656 | SYSTEM AND METHODS FOR AUTHENTICATING A RECEIVER IN AN ON-DEMAND SENDER-RECEIVER TRANSACTION - A system and method are provided for authenticating a first device to a second device. This involves determining, at the directory, a secret key and a first set of images by communicating with the first device; receiving, at the directory, a transaction request from the second device to authenticate the first device; and generating, at the directory, a tag using said secret key and first information associated with said transaction request. This also involves selecting a second set of images from said first set of images according to said tag, and sending said second set of images from the directory to the second device. Moreover, using said first set of images, said secret key, and said information associated with said transaction request, the first device may select a third set of images that, when sent to the second device, may be used at the second device, in comparison to said second set of images, to authenticate the first device. | 09-22-2011
20120278612 | Authenticating Digitally Encoded Products without Private Key Sharing - A method and a corresponding system for authenticating software products are proposed. A digital certificate and a corresponding private key required to sign each product are stored on a server computer. Whenever a user needs to sign a product, he/she logs on to a client computer and transmits a corresponding request to the server computer. The server computer verifies whether the request has been received from an authorized subject; for example, an address of the client computer and an identifier of the user are compared with a predefined list. If the result of the verification is positive, the product is signed and returned to the client computer. For this purpose, a script called on the server computer includes either an instruction passing the access password to a signing tool as a parameter or an instruction causing the signing tool to import the access password from a registry of the server computer. | 11-01-2012
20120089831 | Associating A Multi-Context Trusted Platform Module With Distributed Platforms - In one embodiment, the present invention includes a method for creating an instance of a virtual trusted platform module (TPM) in a central platform and associating the instance with a managed platform coupled to the central platform. Multiple such vTPMs may be instantiated, each associated with a different managed platform coupled to the central platform. The instances may all be maintained on the central platform, improving security. Other embodiments are described and claimed. | 04-12-2012
20120089830 | METHOD AND DEVICE FOR DIGITALLY ATTESTING THE AUTHENTICITY OF BINDING INTERACTIONS - Method for digitally attesting the authenticity of an interaction, comprising the steps of establishing a secure digital communication channel between a Universal Signature Assistant and a remote Attestation Appliance, sending an interaction request to a remote site, digitally receiving from the remote Attestation Appliance on the Universal Signature Assistant an attestation request for the authenticity of said interaction request, and confirming or denying the authenticity of the interaction request by respectively accepting or rejecting the attestation request on said Universal Signature Assistant. Device for digitally attesting the authenticity of an interaction, comprising a Universal Signature Assistant comprising a CPU, a memory, a storage, a system bus, said CPU, the memory and the storage being connected to the system bus for communicating with each other, a display connected to the system bus for displaying information to a user, a user input device connected to the system bus for allowing the user to enter information into the Universal Signature Assistant, a communication interface connected to the system bus for communicating with external devices, a reader for reading user identity information contained on an identity token, and a software program stored in the storage for performing the method of the invention with the Universal Signature Assistant when the software program is run by the CPU. | 04-12-2012
20120331285 | PRIVACY-PROTECTING INTEGRITY ATTESTATION OF A COMPUTING PLATFORM - Systems, apparatus and methods for privacy-protecting integrity attestation of a computing platform. An example method for privacy-protecting integrity attestation of a computing platform (P) has a trusted platform module (TPM), and comprises the following steps. First, the computing platform (P) receives configuration values (PCR1 ... PCRn). Then, by means of the trusted platform module (TPM), a configuration value (PCRp) is determined which depends on the configuration of the computing platform (P). In a further step the configuration value (PCRp) is signed by means of the trusted platform module. Finally, in the event that the configuration value (PCRp) is one of the received configuration values (PCR1 ... PCRn), the computing platform (P) proves to a verifier (V) that it knows the signature (sign(PCRp)) on one of the received configuration values (PCR1 ... PCRn). | 12-27-2012
20110320808 | SYSTEM AND METHOD FOR INCORPORATING AN ORIGINATING SITE INTO A SECURITY PROTOCOL FOR A DOWNLOADED PROGRAM OBJECT - Disclosed herein are systems, methods, and non-transitory computer-readable storage media for verifying a digital object obtained from a remote host. A system configured to practice the method downloads a first object from a first remote source and presents the user with a first request to allow access to the first object. Upon user approval, a multitude of characteristics associated with the object are stored to facilitate future uses of the object. When a second object is downloaded from a second remote source, the system checks the database for a stored user approval. Access to the second object is allowed if the multitude of characteristics associated with the first and second objects match. If the system does not find a match, the user is presented with a second request to allow access to the object. | 12-29-2011
20120290832 | SYSTEM FOR CONDUCTING REMOTE BIOMETRIC OPERATIONS - System for conducting remote biometric operations that includes a biometric data reading device connected to a personal computer and configured to send said encrypted data to a remote data authentication centre for establishing a secure communications channel once the user identity has been verified by means of said biometric data. This invention refers to a remote biometric operations system that can be connected to a computer to carry out electronic banking and other similar operations with a certain degree of safety. | 11-15-2012
20100199086 | NETWORK TRANSACTION VERIFICATION AND AUTHENTICATION - A two-level authentication system is described supporting two-factor authentication that offers efficient protection for secure on-line web transactions. It includes a global unique identity (UID) provided either by an institute-issued/personal trusted device, or based on client computing platform hardware attributes, and generated using institution-authorized private software, institution-authorized authentication proxy software, and an institution-generated credential code which is pre-stored in the token and only accessible by the institution-authorized authentication proxy software. The institution-authorized authentication proxy software uses the user's PIN and the trusted device's UID as input and verifies the user and device identities through the institution-generated credential code which was pre-stored in the trusted device. Authentication is performed in two levels: the first authenticates the user and the trusted device locally; and the second authenticates the user remotely at the institution-owned authentication server. Various embodiments add extra levels of security, including one-time-password management. | 08-05-2010
20130013916Method and Apparatus for Verifiable Generation of Public Keys - The invention provides a method of verifiable generation of public keys. According to the method, a self-signed signature is first generated and then used as input to the generation of a pair of private and public keys. Verification of the signature proves that the keys are generated from a key generation process utilizing the signature. A certification authority can validate and verify a public key generated from a verifiable key generation process.01-10-2013
20100131755DISTRIBUTED SINGLE SIGN ON TECHNOLOGIES INCLUDING PRIVACY PROTECTION AND PROACTIVE UPDATING - Technologies for distributed single sign-on operable to provide user access to a plurality of services via authentication to a single entity. The distributed single sign-on technologies provide a set of authentication servers and methods for privacy protection based on splitting secret keys and user profiles into secure shares and periodically updating shares among the authentication servers without affecting the underlying secrets. The correctness of the received partial token or partial profiles can be verified with non-interactive zero-knowledge proofs.05-27-2010
20120151206METHODS FOR VERIFYING SYSTEM INTEGRITY - A request is received from a client for accessing a resource provided in a network, the request including credential data representing system integrity of at least one component running on the client. In response to the request, one or more credential identifiers identifying the credential data is transmitted to a management server that provisioned the client. Credential reference data is received from the management server based on the one or more credential identifiers. The client is authenticated based on a comparison of the credential data received from the client and credential reference data received from the management server.06-14-2012
20130019092System to Embed Enhanced Security / Privacy Functions Into a User Client (LEVOW, ZACHARY; Mountain View, CA, US) - A system and method for provisioning enhanced security/privacy functions into a user client to detect, warn, and avoid man in the middle attacks and to improve privacy and security of data transmitted across the Internet without certificate authorities.01-17-2013
20130024686SYSTEMS AND METHODS FOR SECURE COMMUNICATION USING A COMMUNICATION ENCRYPTION BIOS BASED UPON A MESSAGE SPECIFIC IDENTIFIER - An apparatus and methods of securely communicating a message between a first device and a second device using a message specific identifier is disclosed. The method begins by receiving an encryption key request from a sending device, where the encryption key request is based upon the message specific identifier, which is associated with a plurality of attributes associated with the message and the sending device. In more detail, the message specific identifier may be an information-based indicator that is unique with respect to the message and the sending device. The method parses the encryption key request and the message specific identifier to provide an intermediate argument used to enter a current random character set that is periodically generated and stored into memory. The intermediate argument helps identify which type of encryption method is desired for use in encryption key generation. An encryption key is constructed using the intermediate argument as an entry point to the current random character set. A data structure is stored associated with the message specific identifier, a random character set identifier for the current random character set, and an identifier of the encryption method used before the key is transmitted back to the device.01-24-2013
20130173911TASTE-BASED AUTHENTICATION TO SECURELY SHARE DATA - Examples are disclosed for transforming a multi-dimensional attribute value for a taste related to an area of interest for a user of a computing device and encrypting or decrypting a ciphertext using the transformed multi-dimensional attribute value in order to securely share data with another computing device.07-04-2013
20080256357METHODS AND APPARATUS FOR ACCESS CONTROL IN SERVICE-ORIENTED COMPUTING ENVIRONMENTS - Improved access control techniques for use in a service-oriented computing environment are disclosed. For example, one method for authenticating a client in a service-oriented environment, wherein the service-oriented environment includes a plurality of services, includes the following steps. At least one service of the plurality of services is invoked. State information is associated with the at least one service invoked. The state information is used to authenticate a client with at least one service. Further, a method for access control in a service-oriented environment, wherein the service-oriented environment includes a plurality of services, includes the following steps. A rule specification language is provided. At least one rule is specified using the rule specification language. A verification is performed to determine whether or not the client satisfies the at least one rule. The client is granted access to a service when the client satisfies the at least one rule.10-16-2008
20080229096Network identity management system and method - Users of Internet services (e.g., SKYPE messaging service, GOOGLETALK messaging service, AOL INSTANT MESSENGER messaging service, and MICROSOFT MESSENGER messaging service) that are initially identified using separate identifiers that may be associated with respective service providers (e.g., email addresses) can manage network identities using a single unified set of account information managed by a registry service. The registry authenticates the user's request(s) to bind a service provider identity to his or her personal registry user record. The registry internally associates the service provider identity with an internal unique identifier that is not exposed to subscribers. When a second user wishes to communicate with a first user, the second user provides any service provider identity that is believed to be associated with the first user to determine if the specified service provider identity appears to match the intended subscriber. If so, the second user may specify a nickname (unique to the second subscriber but not necessarily globally unique) to be associated internally within the registry with the internal unique identifier of the first subscriber as part of the second subscriber's user record. Later, even if the first subscriber has relinquished the service provider identity that was originally used to find the first subscriber, the second subscriber can still find the first subscriber by using the associated nickname without either subscriber ever knowing the internal unique identifier of the first subscriber.09-18-2008
20110246764USER AUTHENTICATION SYSTEM - An ID vault computer control program detects when a user's browser navigates to a third-party website that requires a user ID and password. If it hasn't done so already, it automatically requests a decryption key for a local encrypted vault file from a network server by supplying a personal identification number (PIN) from the user through the input device, a copy of the GUID, and a signature of GUID using a private key for the root certificate. If a decryption key is returned from the network server, the local encrypted vault file is unlocked and automatically supplies a corresponding user ID and password to log-on to the third-party website without the user.10-06-2011
20130179681System And Method For Device Registration And Authentication - Systems and methods for device registration and authentication are disclosed. In one embodiment, a method for authentication of a device may include (1) receiving, at a mobile device, a first credential; (2) transmitting, over a network, the first credential to a server; (3) receiving, from the server, a first key and a first value, the first value comprising a receipt for the first credential; (4) receiving, at the mobile device, a data entry for a second credential; (5) generating, by a processor, a second key from the data entry; (6) retrieving, by the mobile device, a third credential using the first key and the second key; (7) signing, by the mobile device, the first value with the third credential; and (8) transmitting, over the network, the signed third value to the server.07-11-2013
20080215878Service Management System and Method - The delivery of services is managed by a system that includes a portable device and a management apparatus which receives and decrypts a first identifier generated and encrypted by the portable device. One of the devices also digitally signs a second identifier, which is validated at the other device.09-04-2008
20130097419METHOD AND SYSTEM FOR ACCESSING E-BOOK DATA - Provided is a method for accessing e-book data, including: step A: e-book hardware establishes a connection with an electronic device and negotiates a reading key; step B: the electronic device downloads e-book data via a client, specifically: firstly, the electronic device establishes a connection with the client; the client sends a connection establishment request to a server; the server verifies the identification of the electronic device via the client; if the verification is not passed, then access is refused; if the verification is passed, then the server uses a download key to encrypt the e-book data and sends the encrypted e-book data to the electronic device via the client; and step C: the e-book hardware establishes a connection with the electronic device, processes the encrypted e-book data using the download key and/or the reading key, and the e-book hardware displays the e-book data. The method provided in the present embodiment not only makes the download and reading of the e-book more rapid but also protects the copyright of the e-book.04-18-2013
20130124854AUTHENTICATOR - According to one embodiment, a method for authenticating a device, wherein the device holds secret identification information, encrypted secret identification information, and key management information, and an authenticator holds an identification key, the method includes reading, by the authenticator, the encrypted secret identification information and the key management information from the device, and obtaining, by the authenticator, a family key by using the key management information, the family key being capable of being decrypted with the identification key. The method further includes obtaining, by the authenticator, the secret identification information by decrypting the encrypted secret identification information with the family key.05-16-2013
20130124855USING QR CODES FOR AUTHENTICATING USERS TO ATMS AND OTHER SECURE MACHINES FOR CARDLESS TRANSACTIONS - Systems, apparatus, methods, and computer program products for using quick response (QR) codes for authenticating users to ATMs and other secure machines for cardless transactions are disclosed. Embodiments of the present disclosure read an image displayed on a display of an external device using a mobile device associated with a user authorized to access a secure resource, decode transaction information encoded in the image, transmit the transaction information and an identifier of the mobile device from the mobile device to an authentication system, and grant access to the secure resource if the transaction information and the identifier satisfy an authentication test performed at the authentication system.05-16-2013
20130132716DATA COMMUNICATION APPARATUS, CONTROL METHOD THEREFOR, AND STORAGE MEDIUM STORING CONTROL PROGRAM THEREFOR - A data communication apparatus that is capable of improving operability when inputting authentication information. An authentication unit accepts authentication information inputted when a user logs in to the data communication apparatus and authenticates the user based on the accepted authentication information. A designation unit designates a file transmission destination that is inputted by the authenticated user. A transmission unit transmits a file to the transmission destination inputted. A registration unit registers the transmission destination of the file. A control unit prohibits registration of the authentication information at the time of registration of the transmission destination of the file when the accepted authentication information is used for file transmission, and permits registration of the authentication information at the time of registration of the transmission destination of the file when the inputted authentication information is not used for file transmission.05-23-2013
20130145150CODE SIGNING SYSTEM AND METHOD - A novel code signing system, computer readable media, and method are provided. The code signing method includes receiving a code signing request from a requestor in order to gain access to one or more specific application programming interfaces (APIs). A digital signature is provided to the requestor. The digital signature indicates authorization by a code signing authority for code of the requestor to access the one or more specific APIs. In one example, the digital signature is provided by the code signing authority or a delegate thereof. In another example, the code signing request may include one or more of the following: code, an application, a hash of an application, an abridged version of the application, a transformed version of an application, a command, a command argument, and a library.06-06-2013
20130145149AUTHENTICATION DEVICE, AUTHENTICATION METHOD AND COMPUTER READABLE MEDIUM - There is provided an authentication device in which a network access authenticating unit executes a first network access authentication process with a communication device; master key generator generates a first master key shared with the communication device in accordance with a result of the first network access authentication process; an application-oriented encryption key generator generates a first encryption key for an application, which is shared with the communication device, on the basis of the first master key; a master key identifier determiner determines an identifier of the first master key; and an application-oriented encryption key identifier determiner determines an identifier of the first encryption key for the application in accordance with the identifier of the first master key.06-06-2013
20130145148PASSCODE RESTORATION - A system method that includes providing a passcode to a user based on presentation of both a recovery key and an active token is described herein.06-06-2013
20110238981IMAGE FORMING APPARATUS, IMAGE PROCESSING SYSTEM, METHOD FOR CONTROLLING IMAGE PROCESSING SYSTEM, AND STORAGE MEDIUM - At an apparatus, a reading unit reads a document, a generation unit generates content data from the document, and an encryption unit performs encryption processing on the content data using an encryption key. A transmission unit, when an instruction is received for not using a service provided by a server group for performing processing on the content data and for storing the generated content data in the server group, transmits to the server group the content data on which the encryption processing has been performed, and, when an instruction for using the service is received, transmits to the server group the content data on which the encryption processing has not been performed.09-29-2011
20120260087METHOD AND SYSTEM FOR ESTABLISHING REAL-TIME TRUST IN A PUBLIC NETWORK - An authentication method sends an open request to a common directory server for a first key, the first key being a trusted embedded authentication common directory service key wrapped in a public key of a public-private key pair. The open request includes an authentication request value that identifies the open request as a verified setup directory service, the public key, an email address and a specified third additional out-of-band communication channel. The common directory server sends a first reply directly back to the directory server with a first half of the first key offset by a unique value and wrapped using the public key. A second reply is sent to the email address, which includes a second half of the first key offset by the first half of the first key. A third reply is sent to the specified third additional out-of-band channel, which includes the unique value.10-11-2012
20100318786Trusted Hardware Component for Distributed Systems - Techniques for utilizing trusted hardware components for mitigating the effects of equivocation amongst participant computing devices of a distributed system are described herein. For instance, a distributed system employing a byzantine-fault-resilient protocol—that is, a protocol intended to mitigate (e.g., tolerate, detect, isolate, etc.) the effects of byzantine faults—may employ the techniques. To do so, the techniques may utilize a trusted hardware component comprising a non-decreasing counter and a key. This hardware component may be “trusted” in that the respective participant computing device cannot modify or observe the contents of the component in any manner other than according to the prescribed procedures, as described herein. Furthermore, the trusted hardware component may couple to the participant computing device in any suitable manner, such as via a universal serial bus (USB) connection or the like.12-16-2010
20120284507PROTECTED AUTHORIZATION - One or more techniques and/or systems are provided for securely authorizing a client to consume data and/or services from a service provider server while mitigating burdensome requests made to a validation server. That is, validation data provided to a client from a validation server may be maintained on the client and at least some of that validation data can be used to subsequently authorize the client when the client attempts to consume data and/or services from the service provider server (e.g., download a song). However, the validation data is maintained on the client and/or provided to the service provider server in a manner that inhibits user tampering. In this manner, numerous requests for validation of the client need not be made from the service provider server to the validation server when a client requests content from the service provider server, while also inhibiting unauthorized consumptions of data by the client.11-08-2012
20130159701SECURING DIGITAL CONTENT SYSTEM AND METHOD - A system and method of encrypting digital content in a digital container and securely locking the encrypted content to a particular user and/or computer or other computing device is provided. The system uses a token-based authentication and authorization procedure and involves the use of an authentication/authorization server. This system provides a high level of encryption security equivalent to that provided by public key/asymmetric cryptography without the complexity and expense of the associated PKI infrastructure. The system enjoys the simplicity and ease of use of single key/symmetric cryptography without the risk inherent in passing unsecured hidden keys. The secured digital container when locked to a user or user's device may not open or permit access to the contents if the digital container is transferred to another user's device. The digital container provides a secure technique of distributing electronic content such as videos, text, data, photos, financial data, sales solicitations, or the like.06-20-2013
20130159699Password Recovery Service - According to aspects of the present invention there are provided methods and apparatus for enabling a user to secure and back-up an encryption key for use by a client device in encrypting and decrypting data, enabling the user to change a user secret previously used to secure the encryption key, and enabling a server to update the user secret with a new user secret for securing a previous user encrypted key. The new user encrypted key can be used by the client device for encrypting and decrypting data, including data encrypted and decrypted using the previous user encrypted key. The methods for enabling a user to secure and back-up the encryption key and enabling a user to change the user secret may be performed on the client device or a trusted third party or service provider device. The method for updating the user secret with a new user secret may be performed on a service operator server or system.06-20-2013
20130159700COMPUTER SYSTEM AND VOLUME MIGRATION CONTROL METHOD USING THE SAME - A computer system is provided in which there is no possibility that volume migration will cause data loss or data leakage.06-20-2013
20130185551REVOCATION LIST UPDATE FOR DEVICES - In one embodiment, a method includes receiving a revocation request for revoking a model type of a device. A first computing device determines a list of device unit identifiers (UIDs) that are associated with the model type from a database. The device UIDs are for devices of the model type manufactured by a first entity. The method adds the list of device UIDs to a device revocation list and outputs the device revocation list to revoke a validity of secure information associated with devices associated with the list of device UIDs.07-18-2013
20130191632SYSTEM AND METHOD FOR SECURING PRIVATE KEYS ISSUED FROM DISTRIBUTED PRIVATE KEY GENERATOR (D-PKG) NODES - A system and method where the "dealer" of a split Master Secret becomes the Master Key Server, whose role is to initially compute the Master Secret, create and distribute shares of the Master Secret to two Distributed Private Key Generators (D-PKG), initialize and route the inter-process communication between the nodes, and co-ordinate and computationally participate in the User System's IBE Private Key generation process.07-25-2013
20130198510USE OF APPLICATION IDENTIFIER AND ENCRYPTED PASSWORD FOR APPLICATION SERVICE ACCESS - To support authentication of a mobile device, an application server obtains an application identifier and password and creates an encrypted value by encrypting a combination of the password and a time-based value. The application server transmits the application identifier and encrypted value over a communication network to the mobile device as a credential, and the mobile device sends the credential over the network to a secure server providing an application assistance service. The secure server independently computes an encrypted value by encrypting the combination of the password and the time-based value. If the encrypted value from the received credential matches the encrypted value computed by the secure server, that server grants access to the assistance service for the mobile device.08-01-2013
20130205133STRONGLY AUTHENTICATED, THIRD-PARTY, OUT-OF-BAND TRANSACTIONAL AUTHORIZATION SYSTEM - A system and method to perform an out-of-band authenticated authorization of an activity. A requesting system initiates an authorization request for an activity which is signed using a key pair managed by a transaction server. The authorization request is asymmetrically encrypted for the intended authorizing system and is communicated to the server and stored. The authorizing system receives notification of the request and communicates with the transaction server to retrieve the request, decrypt it and verify the signature. The authorizing system interprets the request and generates an authorization response which is signed and encrypted such that only the requesting system can decrypt it. The response is communicated back to the transaction server which notifies the requesting system. The requesting system communicates with the server to retrieve the response, decrypt it, verify the signature and interpret the response to take action on the activity that initiated the request.08-08-2013
20120072715Authorizing Equipment on a Sub-Network - Systems and methods for authorizing a customer premise equipment (CPE) device to join a network through a network termination unit (NTU). The CPE device can send an encrypted connection request, and an authorization server can decrypt the connection request and provide a network membership key (NMK) associated with the CPE device to the NTU. The authorization server can encrypt the NMK associated with the CPE device using a device access key (DAK) associated with the NTU.03-22-2012
20120072714Methods and Systems for Secure Authentication of a User by a Host System - A method and system for securely logging onto a banking system authentication server so that a user credential never appears in the clear during interaction with the system. The user's credential is DES encrypted, and the DES key is PKI encrypted with the public key of an application server by an encryption applet before being transmitted to the application server. Within the HSM of the application server, the HSM decrypts and re-encrypts the credential under a new DES key known to the authentication server; the re-encrypted credential is forwarded to the authentication server, decrypted with the new DES key known to the authentication server, and verified by the authentication server.03-22-2012
20120096259SYSTEM AND METHOD FOR PERFORMING MUTUAL AUTHENTICATION - A system and method for performing mutual authentication verifies a username and a password of a handheld device by a server, and verifies an identity of the server by the handheld device if the handheld device passes the username and password verification. The system and method further verifies an identity of the handheld device by the server if the identity of the server is valid, and gives an access authority to the handheld device if the identity of the handheld device is valid.04-19-2012
20130212377Method and System for a Certificate-less Authenticated Encryption Scheme Using Identity-based Encryption - A method of verifying public parameters from a trusted center in an identity-based encryption system prior to encrypting a plaintext message by a sender having a sender identity string may include: identifying the trusted center by a TC identity string, the trusted center having an identity-based public encryption key of the trusted center based on the TC identity string; determining if the sender has a sender private key and the public parameters for the trusted center including the public encryption key of the trusted center and a bilinear map; and verifying the public parameters using the TC identity string prior to encrypting the plaintext message into a ciphertext by comparing values of the bilinear map calculated with variables from the trusted center. The ciphertext may include a component to authenticate the sender once the ciphertext is received and decrypted by the recipient using the private key of the recipient.08-15-2013
20130212378METHOD FOR MANAGING KEYS IN A MANIPULATION-PROOF MANNER - A method manages keys in a manipulation-proof manner for a virtual private network. The method includes authenticating a communication terminal on an authentication server by use of a first key over a public network and providing a communication key, which is suitable for the communication over a virtual private network in the public network, for the authenticated communication terminal over the public network. The communication key in the communication terminal is encrypted by a second key, which is provided by a manipulation-protected monitoring device.08-15-2013