Subclass of:

713 - Electrical computers and digital processing systems: support

Patent class list (only non-empty classes are listed)

Deeper subclasses:

Class / Patent application number | Description | Number of patent applications / Date published
713185000 Using record or token 219
713183000 Solely password entry (no record or token) 89
713184000 PIN/password generator device 44
20110191591 Transmitting Information Using Virtual Input Layout - Method and apparatus for information transmission are provided. A method for information transmission uses a virtual input layout to encrypt security information. The method uses a server to receive an access request from a user client and to generate a virtual input layout based on information of an actual input layout of the user client. Each key in the virtual input layout has a corresponding relationship with a respective key in the actual input layout, and at least some of the keys in the virtual input layout represent symbols or functions that are different from their corresponding keys in the actual input layout. The server sends the virtual input layout to the user client to be displayed, and subsequently receives from the user client a virtual security information entered by the user according to the virtual input layout displayed. The server then converts the virtual security information to obtain true security information. 08-04-2011
20090193262 SECURITY THRESHOLD ENFORCEMENT IN ANCHOR POINT-BASED DIGITAL RIGHTS MANAGEMENT - Digital rights management (DRM) can be effectively implemented through use of an anchor point and binding records within a user's anchor point domain. Assigning security levels to various components within an anchor point based DRM system and evaluating them against a security criterion provides additional protection against authorized access of the digital content. The content provider may specify the security criterion (e.g., a security level threshold), and the ability to use the digital content is denied or granted based on the ability of components to satisfy this criterion. For example, the ability to use a digital property instance is granted to a content handler that satisfies the security criterion and denied to a content handle that does not satisfy the security criterion. 07-30-2009
20130031371 Software Run-Time Provenance - An executing first computing module verifies the run-time provenance of an unverified second computing module. A signed certificate identifying an author of the second computing module is received at the first computing module. An association between the signed certificate and the second computing module is verified. A first provenance certificate and associated private key signed by the first computing module and identifying a runtime provenance of the second computing module is then generated, and the first provenance certificate is published to the second computing module. A chain of signed certificates, including provenance certificates and a static identification certificates, can be published. Each provenance certificate in the chain verifies the integrity of a layer of execution, and the plurality of static identification certificates identifies a respective author of the computing module associated with each layer of software. The provenance of the second computing module can be recursively traced through the published chain of certificates. 01-31-2013
20130042117 CRYPTOGRAPHIC DATA DISTRIBUTION AND REVOCATION FOR HANDHELD MEDICAL DEVICES - A method includes: receiving a revocation list from a remote data server at a configuration device. The revocation list includes N cryptographic certificates associated with N computer software entities, respectively, that are not to be executed by any of a group of medical devices including a handheld medical device. N is an integer greater than or equal to zero. The method further includes receiving data from the handheld medical device at the configuration device. The data includes a cryptographic certificate that is associated with a given computer software entity that is presently installed in memory of the handheld medical device for execution by the handheld medical device. The method further includes comparing the cryptographic certificate with the revocation list; and selectively executing a protective function by the configuration device when the cryptographic certificate is the same as one of the N cryptographic certificates of the revocation list. 02-14-2013
20100042846 TRUSTED CARD SYSTEM USING SECURE EXCHANGE - A system for secure, role-based exchange of information between a client and providers of services is described. The system includes a client device having a memory that includes a portion of the data relating to the client, a user access component, and an enforcement agent. The system also includes a central server running an authentication methodology and a roles server. The central server includes the data relating to the client. The system further includes an interface device capable of communications with the central server and capable of communicative coupling with the client device. The system is operable to, upon a communicative coupling between the interface device and the client device, activate the user access method, in conjunction with the authentication method, to ensure that the client is the proper holder of the client device. The enforcement agent is operable with the roles server and user interface input from the client to define access rights to the client data for the providers of services, who also have access to the central server. 02-18-2010
20090158047 HIGH PERFORMANCE SECURE CACHING IN THE MID-TIER - In a multi-tier data server system, data from the first tier is cached in a mid-tier cache of the middle tier. Access control information from the first tier for the data is also cached within the mid-tier cache. Caching the security information in the middle tier allows the middle tier to make access control decisions regarding requests for data made by clients in the outer tier. 06-18-2009
20130073862 SECURE DATA EXCHANGE BETWEEN DATA PROCESSING SYSTEMS - A data transfer method performed at a proxy server includes intercepting a data request from a client computer that is directed to a target server, encrypting profile information, augmenting the data request by adding the encrypted profile information to the data request, and sending the augmented data request to the target server. A data transfer method that is performed at an information server includes receiving a data request from a proxy server, extracting profile information added to the data request by the proxy server, using the extracted profile information to generate a response, and sending the response to the proxy server. 03-21-2013
20130073861 SECURE DATA EXCHANGE BETWEEN DATA PROCESSING SYSTEMS - A data transfer method performed at a proxy server includes intercepting a data request from a client computer that is directed to a target server, encrypting profile information, augmenting the data request by adding the encrypted profile information to the data request, and sending the augmented data request to the target server. A data transfer method that is performed at an information server includes receiving a data request from a proxy server, extracting profile information added to the data request by the proxy server, using the extracted profile information to generate a response, and sending the response to the proxy server. 03-21-2013
20120226911 CONTROL OF ACCESS TO A SECONDARY SYSTEM - A method and system for controlling access of a user to a secondary system. The user is logged on a user system. A primary system sends a random string to a user system that is connected to the secondary system. The user is logged on the user system. The primary system receives from the user system first authentication information including an encryption of the random string by a private key of the user. The primary system generates a user-specific key consisting of the encryption of the random string. The primary system generates second authentication information from protected secondary authentication data stored in the primary system via application of the user-specific key to the protected secondary authentication data. The primary system provides the second authentication information to the secondary system to enable access of the user to the secondary system. 09-06-2012
20120226910 SECURITY DEVICE FOR ELECTRONICS - A lock and modular system for securing an electronic device. The system includes a device security module that couples to an electronic device and secures the electronic device to its location. A monitor module ensures that the device security module is coupled to the electronic device before a data security module allows the electronic device to operate. The monitor module may also require that the device security module be recognized before the electronic device will operate. If the device security module is coupled and recognized, the user is prompted to provide an encryption key. If the key is correct, the electronic device will operate. The user may have a limited number of attempts to provide the encryption key. If the user makes too many attempts, the electronic device is disabled and the data thereon destroyed. If the device security module is uncoupled during operation, the electronic device is shut down. 09-06-2012
20130067234 CONTEXT SENSITIVE DYNAMIC AUTHENTICATION IN A CRYPTOGRAPHIC SYSTEM - A system for performing authentication of a first user to a second user includes the ability for the first user to submit multiple instances of authentication data which are evaluated and then used to generate an overall level of confidence in the claimed identity of the first user. The individual authentication instances are evaluated based upon: the degree of match between the user provided by the first user during the authentication and the data provided by the first user during his enrollment; the inherent reliability of the authentication technique being used; the circumstances surrounding the generation of the authentication data by the first user; and the circumstances surrounding the generation of the enrollment data by the first user. 03-14-2013
20120117387 INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND COMPUTER READABLE MEDIUM - An information processing apparatus includes an accepting unit, a memory, an activating unit, and a controller. The accepting unit accepts first key information and second key information. The first key information includes performance information representing a performance and an identifier for identifying a device. The second key information includes the performance information and temporary use permission information. The memory stores the performance information in the first key information if the first key information is accepted and if the identifier is a predetermined identifier, and stores the temporary use permission information and the performance information in the second key information if the second key information is accepted. The activating unit activates the device with the performance represented by the performance information. The controller controls the activating unit to activate the device with the performance and then performs control to erase the performance information and the temporary use permission information. 05-10-2012
20090006855 Securely Computing a Similarity Measure - The present invention relates to a method and a system of securely computing a measure of similarity for at least two sets of data. A basic idea of the present invention is to securely compare two sets of encrypted data to determine whether the two sets of data resemble each other to a sufficient extent. If the measure of similarity complies with predetermined criteria, the two sets of data from which the encrypted sets of data originate are considered to be identical. 01-01-2009
20090204819 ADVERTISEMENT-BASED HUMAN INTERACTIVE PROOF - An arrangement for providing advertisement-based (“ad-based”) HIPs (human interactive proofs) is realized by using an advertisement as the basis of a HIP challenge that is readily solved by a user but is difficult for a computer-based application to solve. Users are accustomed to advertisements and can generally understand the content or message being delivered by them. But the typically complex mixture of graphics, colors, logos, texture, transparency, text, and other elements that may be utilized in a graphical advertisement provides the basis for an ad-based HIP challenge that is difficult to solve by a computer. In another illustrative example, audio comprising a slogan, musical jingle or ditty, spoken words, or other sounds (or combinations thereof) is used to convey an advertising message, while also providing the basis for an audio ad-based HIP. 08-13-2009
20080294906 Retrieval and Display of Encryption Labels From an Encryption Key Manager Certificate ID Attached to Key Certificate - A method, system and program in which a certificate identifier (ID) is associated with an encryption certificate. In certain embodiments, the certificate ID is stored in a cartridge memory (CM). Thus, keystore or key manager administrators can trace keystore locations, versions of keystores, etc. when a cart cannot locate a correct key. This certificate ID, as it is stored on the cartridge memory, is viewable by all. 11-27-2008
20080288781 SYSTEMS AND METHODS FOR SECURE PASSWORD CHANGE - Systems and methods for changing a user password are described. In one embodiment, the method includes determining at least one password equivalent value, determining a safe-to-transmit password value, determining a password change authentication value, transmitting, from a remote device to a controller, the password change authentication value and the safe-to-transmit password value, confirming the data integrity of the password change authentication value sent from the remote device to the controller, and storing a new password equivalent value. 11-20-2008
20110283110 Secure Communications - Systems and methods are described for communicating between a client machine and a server. A security token message may be transmitted from the server to the client machine. The security token message may include a first security token. The first security token may include a communication interaction identifier that identifies a communication interaction between the client machine and the server and an action request identifier that identifies an action request message capable of being sent from the client machine to the server to request that an action be performed on the server. An action request message including a second security token and transmitted in association with the communication interaction may be received at the server. When it is determined that the first security token matches the second security token, the requested action may be performed. 11-17-2011
20110040979 NETWORKED SECURE LOGON SYSTEM - A computer readable medium including encoded computer readable program code configured to be executed to perform a method for controlling access to a computing device is disclosed. The method comprises the steps of accessing a remote data store of secured login credentials; retrieving a set of secured login credentials from the remote data store; unsecuring the set of secured login credentials to create a set of unsecured login credentials on a local computing device; and supplying the set of unsecured login credentials to a login process that is configured to control access to the local computing device. Structures related to execution of the method are also provided. 02-17-2011
20110289322 PROTECTED USE OF IDENTITY IDENTIFIER OBJECTS - This invention states that any and all physical and virtual objects meeting certain criteria may be used as Identity-Identifier-Objects to authenticate people, businesses, organizations, as well as other physical or virtual objects. While accomplishing said task, this invention discloses objects, methods, and special data structures to hide said Identity-Identifier-Objects from exposure to the public, while being used in their intended roles. Additionally, the objects and methods introduced use ownership property of virtual and physical objects to control access and to implement access and licensing rights of physical and virtual objects. Numerous applications areas such as allocation of digital rights, licensing, notarization of digital signatures, and controlled use of personal photographs, fingerprints and other biometric identifier-objects are also illustrated. 11-24-2011
20110289321 METHOD AND APPARATUS FOR A NON-REVEALING DO-NOT-CONTACT LIST SYSTEM - A method and apparatus for a non-revealing do-not-contact list system in which a do-not-contact list of one-way hashed consumer contact information is provided to a set of one or more entities. The set of entities determine whether certain consumers wish to be contacted with the do-not-contact list without discovering actual consumer contact information. 11-24-2011
20110191592 Secure Access by a User to a Resource - A method for allowing user access to a resource includes a large number of arrays of elements which are generated and stored for each user for use in a series of log-in sessions. A user input token is calculated by identifying a subset of the array by a pattern of the elements in the array, combined in an operation on the elements selected using one or more mathematical, relational and/or logical operations. The arrays are stored in a table with the tokens calculated from those arrays and withdrawn in a random pattern for use in the sessions for that user. Each array includes multiple possible solutions including the actual solution using the pattern and calculation of that user and these other possible solutions act as hacker traps to indicate the presence of a hacker who has calculated a solution but found the wrong solution. 08-04-2011
20100281268 Personalizing an Adaptive Input Device - Methods and systems for personalizing an adaptive input device having a dynamically updateable display region are provided herein. One exemplary method includes sending an identity data query from a server to a computing device operatively coupled to an adaptive input device. The method further includes receiving identity data at the server from the computing device. The identity data includes one or more of a user identifier, a role identifier, a device identifier and a content identifier. The method further includes retrieving profile data from a profile storage module of the server, the profile data being based on the identity data, and the profile data including one or more of device-specific settings, application-specific settings, and user-specific settings for the adaptive input device. The method further includes sending the profile data to the computing device to update the visual appearance of the display region. 11-04-2010
20100023778 Ticket Authorized Secure Installation And Boot - A method and apparatus for secure software installation to boot a device authorized by a ticket are described herein. A ticket request including a device identifier of the device is sent for the ticket which includes attributes for one or more components to boot the device into an operating state. The ticket is cryptographically validated to match the one or more components with corresponding attributes included in the ticket. If successfully matched, the one or more components are executed to boot the device. 01-28-2010
20090313476 METHOD AND APPARATUS FOR RESTRICTING USER ACCESS TO FIBER TO AN OPTIC NETWORK TERMINAL - In traditional networks, a user provides an authorization to establish a connection for services with an Optical Network Terminal (ONT) and an Optical Line Terminal (OLT). The ONT becomes vulnerable to unauthorized users because the ONT restricts access at an Internet Protocol level. An embodiment of the present invention includes a system that restricts user access to services by causing a ranging fault to disable an ONT from communicating upstream with the OLT in an event the user fails to provide a valid ONT level user authorization. In an event the ONT is in a ranged state and the user fails to provide a valid service level authorization, the system causes a service level fault to restrict the ONT from granting user access to the user to services. Thus, unauthorized users are prevented access to the ONT and increased security is achieved. 12-17-2009
20120110338 Protecting the Integrity and Privacy of Data with Storage Leases - Storage leases specify access restrictions and time periods, restricting access to their associated data during the storage lease time period. Storage leases may be assigned to individual data storage blocks or groups of data storage blocks in a data storage device. A data storage device may include any arbitrary number of different storage leases assigned to different portions of its data storage blocks. Storage lease-enabled devices may provide security certificates to verify that data access operations have been performed as requested and that their storage leases are being enforced. Storage lease-enabled devices compare storage lease information for data units with the current time using a clock isolated from access by storage clients or time certificates from one or more trusted time servers. Storage leases may be used in combination with backup applications, file systems, database systems, peer-to-peer data storage, and cloud storage systems. 05-03-2012
20120110337 METHOD AND SYSTEM FOR RESTRICTING EXECUTION OF VIRTUAL APPLICATIONS TO A MANAGED PROCESS ENVIRONMENT - Methods and systems for restricting the launch of virtual application files. In one embodiment, a launching application is signed with a digital signature. When the launching application launches a runtime engine and instructs it to execute an application file, the runtime engine determines whether an entity identifier associated with the launching application identifies an authorized entity. If the entity identifier identifies an authorized entity and the digital signature is valid, the runtime engine executes the application file. In another embodiment, a ticket is transmitted to the launching application along with an instruction to launch the application file. The ticket includes a digital signature and an expiration date. The launching application communicates the ticket to the runtime engine, which will execute the application file only if the digital signature is valid and a current date is not later than the expiration date. 05-03-2012
20090094462 SYSTEM AND METHOD FOR SELF POLICING OF AUTHORIZED CONFIGURATION BY END POINTS - A system, method, and program product is provided that distributes authorized changes to the organization's entities and has the individual computer systems police configuration changes. A system receives change approval packages, each of the change approval packages including authorized change identification data that identifies authorized changes to the system. The authorized change identification data are stored in a storage area of the system. Subsequently, a change package is received by the computer system. The change package includes a change to the computer system and metadata that identifies the change. The metadata is compared with the authorized change identification data. If the metadata matches one of the authorized change identification data, then the change is installed, otherwise the change is rejected. 04-09-2009
20100125738 SYSTEMS AND METHODS FOR TRANSFERRING INFORMATION - A system for transferring information that includes a collection module configured to authenticate a user identifier if the user identifier is unique in the system, the user identifier being related to identity of the user, generate an encrypted object based on at least the user identifier and at least one webpage identifier in accordance with an algorithm, each of the at least one webpage identifiers being related to the identity of one of at least one webpages of the user, retrieve the encrypted object from one of the at least one webpages based on one of the at least one webpage identifiers, identify the integrity of the retrieved encrypted object, a management module configured to generate at least one information card based on the at least one webpage identifier in accordance with predetermined rules, a memory module configured to store at least one of the said user identifiers, the at least one webpage identifier and the at least one information card, and a dispatch module configured to dispatch the at least one information card. 05-20-2010
20100082998 ACTIVE HIP - Computing services that unwanted entities may wish to access for improper, and potentially illegal, use can be more effectively protected by using Active HIP systems and methodologies. An Active HIP involves dynamically swapping one random HIP challenge, e.g., but not limited to, image, for a second random HIP challenge, e.g., but not limited to, image. An Active HIP can also, or otherwise, involve stitching together, or otherwise collecting and including, within Active HIP software, i.e., a HIP web page, to be executed by a computing device of a user seeking access to a HIP-protected computing service x number of software executables randomly selected from a pool of y number of software executables. The x number of software executables, when run, generates a random Active HIP key. If the generated Active HIP key accompanies a correct user response to the valid HIP challenge the system and/or methodology can assume with a degree of certainty that the current user is a legitimate human user and allow the current user access to the requested computing service. 04-01-2010
20090055654 SECURE ENTRY OF A USER-IDENTIFIER IN A PUBLICLY POSITIONED DEVICE - A method for secure entry of a user-identifier in a publicly positioned device can include establishing a private communications link between a user and the publicly positioned device; dividing the user-identifier into at least two portions; separately prompting the user for each portion of the user-identifier; prompting the user for a combination of random data and the user-identifier; and, discarding the random data from the combination. In the preferred embodiments, the publicly positioned device can have a visual interface through which the user can be visually prompted for the random data and the user-identifier. Alternatively, the publicly positioned device can have a telephone interface through which the user can be audibly prompted for the random data and the user-identifier. In the case of a visual display, the private communications link can be established by linking the publicly positioned device to active glasses having a shuttered display. The opening and closing of the shuttered display can be synchronized with the display of the prompts in the visual interface such that only the wearer of the active glasses can view the prompts. In the case of a telephone interface, a telephone operator system, for example an Interactive Voice Response system or a human operator, can provide the prompts audibly through the telephone interface. 02-26-2009
20090228711Processor apparatus having a security function - A processor apparatus capable of operating in a security mode includes a hash value storage unit and a security control unit including a plurality of access authentication hash values. The hash value storage value stores a plurality of hash values including a user authentication hash value and a plurality of access authentication hash values. The security control unit checks whether a boot code transmitted from a boot memory and a hash value from among the hash values, which corresponds to the boot code, are identical, and determines whether a boot operation and a debugging operation of the processor apparatus are allowed and whether an external user is allowed to have access to a predetermined intellectual property (IP) block. The processor apparatus can ensure debugging, security for the processor itself or security for a predetermined block included in the processor apparatus.09-10-2009
20090276635CONTROLLING DISTRIBUTION AND USE OF DIGITAL WORKS - In order to efficiently prevent the save-and-restore attack on usage rights associated with digital work, these usage rights are protected by a hidden channel. In order to make it a difficult or expensive to manipulate the hidden channel, a device is proposed comprising: writing means (11-05-2009
20090287935COMMON ACCESS CARD HETEROGENEOUS (CACHET) SYSTEM AND METHOD - What is disclosed is a system and method that allows a secondary certificate authority to rely on one or more existing primary certificate authorities to establish identity of a user and provide identity certificates. The secondary certificate authority applies business rules to those identity certificates to establish a community of privilege, and then issues and maintains new privilege certificates without issuing new private keys or smart cards. The new privilege certificates bind the original identity, the sponsor, i.e., the primary certificate authority, and the privilege. The new privilege certificates can be used on a Public Key Infrastructures (PKI) transaction basis, for example, to grant access to unclassified and Multi-Level Secure (MLS) resources without further reference to the existing primary certificate authorities.11-19-2009
20080282090Virtual Property System for Globally-Significant Objects - Virtual property system for globally-significant objects across autonomous computing environments. Objects with global persistence and identity are instantiated by a plurality of their real-world claim-holders through authentication of a computer-readable object specification and owner identity. Owner may then claim benefit of the object across autonomous computing environments such as virtual worlds by authenticating his identity. Ownership transfer is accomplished through the current owner authenticating an ownership transfer document. When used in conjunction with the owner-proxy method, object transfer may occur without the distribution of ownership revocation lists.11-13-2008
20080313468Information terminal and user domain management method - When a user domain is to be segmented or a plurality of user domains are to be grouped, user domain management information before segmentation or grouping is inherited and stored as old-generation user domain management information. In addition, the domain generation of each of user domains after segmentation or grouping is updated to generate a domain key for the new generation. Furthermore, a list of terminals as domain members of the new-generation user domain, a list of rights objects as sharing targets, and a list of rights object excluded from the rights objects as sharing targets are generated. The generated new-generation domain key, the list of domain members, the list of rights objects as sharing targets, and the rights object invalidation list are additionally stored as new-generation user domain management information.12-18-2008
20100005312Mutually Excluded Security Managers - Techniques for controlling access to at least one resource are provided. At least one shared key and at least one private key unique to one or more resource sets are generated. Each of the one or more resource sets identify the at least one resource. The at least one shared key and the at least one private key are transmitted to a security access point. The security access point controls access to the at least one resource. At least one resource key is generated. The resource key is a cryptographic function of the at least one private key and at least one resource identifier. The at least one resource key and the at least one shared key are transmitted to one or more local security managers. Each of the one or more local security managers is assigned to manage one of the one or more resource sets. In accordance with one or more policies, the one or more local security managers generate at least one credential using the at least one resource key and the at least one shared key. The at least one credential is distributed to one or more authenticated clients. Further, the at least one credential is used to grant the one or more authenticated clients access to the one or more resource sets through the security access point.01-07-2010
20090138723Method of providing completely automated public turing test to tell computer and human apart based on image - Disclosed is a method of providing a completely automated public Turing test to tell a computer and a human apart (CAPTCHA) based on an image. The method comprises the steps of: storing a plurality of randomly-selected images by session when a request for a web page is received from a user client; providing the web page and a session ID to the user client; generating a test image by mixing the plurality of images when a request for a test image corresponding to the session ID is received from the user client; transmitting the generated test image to the user client; receiving at least one of first identification information inputted by the user about the test image from the user client; and comparing the first identification information with second identification information included in Meta information of the test image.05-28-2009
20090164795SYSTEM AND METHOD FOR PROVIDING PROGRAM CREDENTIALS - A system for providing a client's credentials to a computer program comprises a database remote from the client and a single signon server module. The single signon server module can receive a request for the client's credentials from the computer program, determine whether the client's credentials are stored in the database, and send the client's credentials from the database to the computer program in response to a determination that the client's credentials are stored in the database. The single signon server module can store the client's credentials in the database in response to a determination that the client's credentials are not stored in the database. The single signon server module can encrypt the client's credentials prior to storing the client's credentials in the database and can decrypt the client's credentials prior to sending the client's credentials to the computer program.06-25-2009
20090055653Computerized data management method and computerized data management system using the same - A computerized data management method and a computerized data management system using the same are provided. The computerized data management method is used for encrypting/decrypting a digital data of an electronic device. The computerized data management method comprises the following steps. Firstly, a user's facial characteristic is captured. Next, whether the user's facial characteristic matches with an encrypting-permission user's facial characteristic stored in a database is determined in an encrypting process. If the user's facial characteristic matches with the encrypting-permission user's facial characteristic stored in the database, then the user is allowed to encrypt a digital data. Then, whether the user's facial characteristic matches with a facial characteristic of a decrypting-permission user corresponding to a digital data is determined in a decrypting process. If the user's facial characteristic matches with the facial characteristic of the decrypting-permission user corresponding to the digital data, then the user is allowed to decrypt the digital data.02-26-2009
20090144553SYSTEM AND METHOD OF CONTROLLING ACCESS TO A DEVICE - A method of controlling access to a device. First information is provided. Second information is retrieved from the device. The first information is used to retrieve associated third information. A key is generated based on the second information and the third information. Access to the device is controlled by using the key.06-04-2009
20090024853METHOD, SYSTEM AND APPARATUS FOR ACCESSING A RESOURCE BASED ON DATA SUPPLIED BY A LOCAL USER - A method, comprising: acquiring candidate data in association with a request for accessing a resource, said candidate data comprising first data and second data; processing said first data with a first key in an attempt to effect decryption of said first data, thereby to obtain first processed data; processing the second data with a second key in an attempt to effect decryption of said second data, thereby to obtain second processed data; and granting said request if a pre-determined portion of said first processed data is derivable from said second processed data. The method may further comprise extracting from said first processed data a group identifier and said pre-determined portion of said first processed data, and effecting a comparison of said group identifier to a reference group identifier in order to conclude whether said first data has been successfully decrypted based on an outcome of said comparison.01-22-2009
20080263361Cryptographically strong key derivation using password, audio-visual and mental means - A security system that uses a cryptographic key derived from human interaction with media. The system employs a set of parameters that includes user responses to graphical media and/or audio data, among other parameters. The architecture adds a fourth dimension to the conventional authentication means in order to make at least an offline attack on the key much more difficult. In addition to a standard set of parameters such as password, salt (random bits inserted into the encryption process) and iteration count, the system further utilizes information in the form of “what the user does” by presenting and prompting the user to interact with media in some way. The media can include audio information, video information, and/or image information, for example.10-23-2008
20100199099User friendly Authentication and Login Method Using Multiple X509 Digital Certificates - A new login method enables a user-friendly login process using an X.509 digital certificate. A special purpose web page plug-in enables such login capability by plug-and-play to any web site login page. A multifold certificate is composed of multiple certificates, each containing a different amount of personal information (FIG. 08-05-2010
20110145588SYSTEM AND METHOD TO AUTHORIZE RESTRICTED FUNCTIONALITY - Embodiments of the invention are related to medical systems and methods for controlling authorization of restricted functionality, amongst other things. In an embodiment, the invention includes a medical system including an external medical device programmer comprising control circuitry and a wireless communications module for sending instructions selected from a set of instructions wirelessly to a specific implanted medical device. In an embodiment, the external medical device programmer can be configured to initiate a transfer of verifying data to a remote key authority requesting permission if the user input directs delivery of restricted instructions to the specific implanted medical device, the verifying data including information regarding the specific implanted medical device. Other embodiments are also included herein.06-16-2011
20090222669METHOD FOR CONTROLLING THE LOCATION INFORMATION FOR AUTHENTICATION OF A MOBILE STATION - The method is for authentication in a communication network. A mobile station and an authentication server give access to services in the network. A user of a mobile station first sends a request for a service or a password in a message from the mobile station. The authentication server controls the location information for the mobile station, and sends a password to the mobile station or grants access to the user as a reply to the request if the location information is accepted by the server.09-03-2009
20090210721METHOD AND SYSTEM FOR ENCRYPTED FILE ACCESS - A method and system for encrypted file access are provided. The method includes the steps of: receiving (08-20-2009
20100275032SYSTEM AND METHOD FOR CONTROLLING ACCESS TO A PORTABLE DEVICE - An apparatus, system, and method for controlling access to sensitive data in a wireless handset using password protection. The wireless handset comprises an input module, a memory module, a display module, and a control module. The input module is configured to manually receive one or more passwords that are input into the wireless handset and may be associated with a user-requested function. The memory module is configured to store the passwords associated with the user-requested function. The user-requested function comprises a messaging function selected from a messaging group consisting of IM, SMS, MMS, and user contacts data. The user-requested function has a plurality of user-specific data stored on the memory module. The display module displays the stored user-specific data. The control module controls the operation of the input module, the memory module and the display module. The control module controls access to the user-specific data by password protecting the user-specific data with an initial password received with the input module.10-28-2010
20100275033TOUCH SCREEN WITH USER INTERFACE ENHANCEMENT - The present invention is a graphical user interface in a computing device having a processor running an operating system and a display. The graphical user interface comprises a touch screen and a driver coupling the touch screen to the operating system. The driver can display a plurality of icons on the touch screen, or a plurality of screen images having at least one icon, with each of the icons associated with operations on the display and/or the touch screen. Other embodiments include the touch screen having unactivated and activated states, as well as the presence of an application programming interface that enables an application to display at least one image on the touch screen.10-28-2010
20080307234USE OF MOBILE COMMUNICATION NETWORK CREDENTIALS TO PROTECT THE TRANSFER OF POSTURE DATA - In one embodiment, a method for using credentials for a mobile node to protect the transfer of posture data is provided. A network access device receives a message from a mobile node for access to a network. The message includes posture data encrypted using credentials for the mobile node. The credentials may be found in a storage card that is used to identify the mobile node. The network access device determines decryption information for the mobile node. For example, the credentials for the mobile node may be stored in a home location register (HLR) and are retrieved. The posture data is then decrypted using the credentials. The posture data is processed in a network admission control procedure for allowing access to the network. For example, a policy for access to the network may be installed based on the posture data.12-11-2008
20090094463Double Authentication for Controlling Disruptive Operations on Storage Resources - A method, data processing system and program product is provided for performing double authentication for controlling disruptive operations on storage resources generated by a system administrator. A first request is received from a first user for generation of a first key. A first key is generated, provided to the first user and associated with the storage resource. An input is received from the administrator, the input comprises a second key and a command for performing the disruptive operation. The second key and the first key are compared. It is verified that the administrator is authorized as an administrator of the storage resource. The disruptive operation is performed on the storage resource if the second key and the first key match and the administrator is authorized. Otherwise, the performance of the disruptive operation is denied.04-09-2009
20120124386Method and System for Refreshing Content in a Storage Device - A method and system for refreshing content in a storage device are disclosed. In one embodiment, a content replication system authenticates to each of a plurality of storage devices in parallel without creating a unique secure channel with each respective storage device. After authenticating to each of the plurality of storage devices, the content replication system is permitted to write content to, but not read content from, each of the plurality of storage devices. The content replication system then writes content to each of the plurality of storage devices in parallel.05-17-2012
20100228986AUTHENTICATION SYSTEM AND METHOD USING ELECTRONIC TAGS - An authentication method of a prover device by a verifier device by means of cryptographic coupons is provided for, wherein a coupon comprises, on one hand, a pseudo-random number r09-09-2010
20120036368Data Processing System for Providing Authorization Keys - A computer-implemented method for providing authorization keys, where the method includes receiving a further asymmetrical, cryptographic key pair, where the further asymmetrical key pair is part of a key pair sequence, where the further asymmetrical key pair includes a further first and a further second authorization key; retrieving a ciphertext, where the ciphertext is associated with the key pair which immediately precedes the further key pair in the sequence of key pairs, where the ciphertext includes the initial first key encrypted with the second authorization key of the key pair which immediately precedes the further key pair in the sequence of key pairs; decrypting the initial first authorization key using the first authorization key of the key pair which immediately precedes the further key pair in the sequence of key pairs; generating a further ciphertext through encryption of the decrypted initial first authorization key using the second authorization key of the further key pair; and saving the further ciphertext.02-09-2012
20100217998System and Method for Managing Secure Registration of a Mobile Communications Device - In one embodiment, a method is provided for managing secure registration of a mobile communications device, the method comprising registering, at a network node, the mobile communications device using a first registration process, the first registration process requiring an authentication key associated with the mobile communications device; processing a request from the mobile communications device, the request including an indication that the mobile communications device is changing to a second registration process; and clearing the authentication key associated with the mobile communications device upon expiration of a time window.08-26-2010
20100211796Method and System for Automatic Login Initiated Upon a Single Action with Encryption - A method and system for secure automatic user login to a destination website in a single action, without the use of a file manager, cookies, or without storing user login information in a data folder having restricted access or that is external to the user PC. A user computer having a display, a mouse, and a browser is activated for establishing an Internet connection. The connection may be established from the user computer to the destination website with a single mouse click or a single touch on a displayed vendor icon or other symbol placed on a displayed graphic of the user PC display such as the desktop, task bar, or tool bar during a prior setup process. During the setup, an encrypted token is produced encrypting the user credential information. The encrypted token may be stored in the user data folder.08-19-2010
20100250954WEBSITE LOGIN PROCESSING METHOD AND APPARATUS - Disclosed is a website login processing method and apparatus. If a user tries to log in to a website, a plurality of user information that are stored in a user computer are visually displayed to the user, such that the user selects one of the plurality of user information. A login process on the corresponding website is performed on the basis of an ID and a password selected by the user. An encryption key for the user information is generated using random numbers, and the login is validated using the encryption key. The user refers to the user information stored in the user computer and recognizes a list of websites that the user subscribes to.09-30-2010
20110119494METHOD AND APPARATUS FOR SHARING LICENSES BETWEEN SECURE REMOVABLE MEDIA - A method and an apparatus for sharing a license between SRMs are disclosed. The method includes: a DRM agent obtains the license from a first SRM, and sets the license to a forwarding state locally; the DRM agent deducts one right of sharing the license; and the DRM agent sends the license to a second SRM. In the prior art, one moving right is deducted when the license moves from SRM1 to the device, and the other moving right is deducted when the license moves from the device to SRM2. By contrast, in the technical solution under the present invention, the license forwarded by the DRM agent is set to the forwarding state, and only one sharing right needs to be deducted, and therefore, the consumption of the sharing rights is reduced and the subscriber's rights are protected.05-19-2011
20090282257INFORMATION PROCESSING DEVICE, DISC, INFORMATION PROCESSING METHOD, AND PROGRAM - An information processing device includes: a usage permission requesting unit configured to read out data from an IC chip in which the usage control information of a disc recorded content to confirm the validity of the usage control information; and a usage execution unit configured to perform usage of the disc recorded content in accordance with a usage permission mode recorded in the usage control information on condition that the validity of the usage control information has been confirmed by the usage permission requesting unit.11-12-2009
20090327739KEY-BASED CONTENT MANAGEMENT AND ACCESS SYSTEMS AND METHODS - An exemplary method includes receiving data representative of a content instance over a network from an access device associated with a user, storing the content instance, encrypting the content instance in response to a command initiated by the user, providing a key configured to facilitate decryption of the encrypted content instance, transmitting data representative of the encrypted content instance to a requesting access device, receiving data representative of a request to access the key from the requesting access device over the network, and performing a predefined action related to the key in response to the request and in accordance with at least one access rule, the at least one access rule based on at least one of a user profile and an access device profile.12-31-2009
20080313469STATELESS METHODS FOR RESOURCE HIDING AND ACCESS CONTROL SUPPORT BASED ON URI ENCRYPTION - An apparatus and method are disclosed for enabling controlled access to resources at a resource provider server. The invention may encrypt or decrypt a portion of a uniform resource identifier (URI), according to a stateless method for hiding resources and/or providing access control support. Upon receipt of a URI having an encrypted portion, the invention decrypts the encrypted portion using a predetermined key to obtain a decrypted segment, extracts additional information from the decrypted segment and forms a decrypted URI, before the decrypted URI is forwarded to a resource producer server. The invention may also encrypt a URI from a resource provider server before it is sent to a client in response to a client request.12-18-2008
20090204820Method and apparatus for Account Management - A method and apparatus for on-line account management controls access to a computer such as a web server. The method and apparatus reduces interference from Internet bots while minimizing the impact on a legitimate user's use of a web site.08-13-2009
20100306548SYSTEM AND METHOD FOR SECURING THE LIFE-CYCLE OF USER DOMAIN RIGHTS OBJECTS - In a method for enabling support for backwards compatibility in a User Domain, in one of a Rights Issuer (RI) and a Local Rights Manager (LRM), a Rights Object Encryption Key (REK) and encrypted REK are received from an entity that generated a User Domain Authorization for the one of the RI and the LRM and the REK is used to generate a User Domain Rights Object (RO) that includes the User Domain Authorization and the encrypted REK.12-02-2010
20090037741Logging Off A User From A Website - Methods, systems, and computer program products are described for logging off a user from a website, including detecting through a browser a predefined exit channel for a website; detecting a user's leaving the website outside the predefined exit channel; and guiding browser operation toward the predefined exit channel.02-05-2009
20110029781SYSTEM, METHOD, AND APPARATUS FOR GRADUATED DIFFICULTY OF HUMAN RESPONSE TESTS - A server to implement human response tests of graduated difficulty can suppress access by spambots. The server includes a network interface and a test controller. The network interface connects the server to a network and facilitates electronic communications between the server and a client computer coupled to the network. The test controller is coupled to the network interface. The test controller implements a human response test with a level of difficulty on the client computer in response to an access request by the client computer. The level of difficulty of the human response test is dependent on a determination whether the access request is deemed to originate from a spambot.02-03-2011
20090313477DVR SERVER AND METHOD FOR CONTROLLING ACCESS TO MONITORING DEVICE IN NETWORK-BASED DVR SYSTEM - The present invention provides a Digital Video Recorder (DVR) server and a method for controlling access to a monitoring device in a network-based DVR system, which only performs a user authentication in the DVR server and allows a direct access to a video providing unit by using an authentication token acquired from the authentication procedure, so that traffic of the DVR server can be reduced to maintain security while providing a smooth monitoring service.12-17-2009
20110087889System and Method of Providing Security to an External Attachment Device - Systems and methods of providing security to an external Serial Advanced Technology Attachment (eSATA) device are described herein. A controller is connected between the eSATA device and the computing device. On startup, the controller presents a first partition of the eSATA device as a Read Only Memory, e.g., CD-ROM, but at the same time it restricts access of the computing device to a second partition of the eSATA device until receiving a valid identity authentication. The second partition is preferably encrypted with a key stored on a first partition. Decryption is performed in the controller as part of presenting the eSATA device. The authentication process is preferably stored in the first partition and downloaded to the computing device on startup.04-14-2011
20110087888AUTHENTICATION USING A WEAK HASH OF USER CREDENTIALS - Methods and apparatus for logging into a computer. The computer receives a username and password. The computer determines whether a user with the username is authorized to access the computer. If so, the computer retrieves a weak cryptographic hash of the user's password and compares it to a weak cryptographic hash of the received password. The computer grants access if the weak cryptographic hashes are identical, and sends the username and password to a server. The server determines whether a user with the username has a server account. If so, the server retrieves a strong cryptographic hash of the user's password and compares it to a strong cryptographic hash of the received password. The server grants the user access to an account or service if the strong cryptographic hashes are identical.04-14-2011
20110072274DISTRIBUTED SYSTEM FOR MULTI-FUNCTION SECURE VERIFIABLE SIGNER AUTHENTICATION - A distributed multi-function secure system for verifiable signer authentication having a personal private key stored in a secure storage of a mobile device where the mobile device connects to a fragmented distributed signing engine by a secure protocol and is issued a signer certificate from a circle of trust certificate server to securely electronically sign documents.03-24-2011
20120303965SYSTEM FOR AND METHOD OF MANAGING ACCESS TO A SYSTEM USING COMBINATIONS OF USER INFORMATION - The present invention is directed to systems for and methods of controlling access to computer systems. A method in accordance with the present invention comprises performing a test that includes comparing input responses to randomly selected questions with corresponding pre-determined responses to the questions and granting access to the system in the event the test is passed. A first condition of passing the test is that each input response matches a corresponding pre-determined response. Once passing the test, the user is granted permissions to access data based on his position. For example, a corporate director generally has greater permissions than an engineer. Preferably, the user's permissions determine an encryption key and a decryption key that the user is able to use to access protected data.11-29-2012
20120303964PORTABLE TERMINAL, AND METHOD FOR SECURING DATA TRANSMITTED BETWEEN HARDWARE MODULES - Provided are a portable terminal and a method for securing data transmitted between hardware modules of the portable terminal. The portable terminal may include an input module to encrypt input data, using a first secure key, if the portable terminal operates in a secure mode, and a processing module to receive the data, and to decrypt the user input data encrypted using the first secure key, using a second secure key, the first key and the second key being a pair.11-29-2012
20110060911CONDITIONAL ACCESS APPARATUS - A conditional access apparatus receives a filter condition from another conditional access apparatus to set the filter condition to a filter unit 1 thereof. When key information meeting the above-mentioned filter condition is outputted from the filter unit 1, the conditional access apparatus informs the key information to the other conditional access apparatus, and also informs the filter condition set to the filter unit 1 by the key information control unit 3 to the other conditional access apparatus and acquires key information meeting the above-mentioned filter condition from the other conditional access apparatus.03-10-2011
20100281269Identification Based on Encrypted Biometric Data - A database comprising biometric data stored in encrypted form is managed by a management unit. It comprises a set of filters respectively associated with filter identifiers. A biometric data item is received at a management unit; next, said biometric data item is stored in an encrypted form at a given address in the database. Then keywords are obtained on the basis of a first set of hash functions and of the biometric data item. A subset of indexing filters is associated with each keyword by selecting, for each keyword, filters as a function of the respectively associated filter identifiers, of said keywords, and of a second set of hash functions; and the given address is associated with each of the filters of the subset of filters.11-04-2010
20110055583METHOD FOR EXCHANGING A 3D VIEW BETWEEN A FIRST AND A SECOND USER - The invention relates to a method for exchanging a 3D view between a first and a second user having both a piece of software for creating 3D views. A view is created by the first user. This view comprises an encrypted object, the first user being licensed for the encrypted object. This view is stored in a file by the first user. The encrypted object is encrypted and the result of this encryption is stored as encrypted data in the file. According to the invention, non-encrypted data defining the encrypted object is stored in the file in parallel to the encrypted data relating to the encrypted object. This non-encrypted data can be read by the second user, so that the second user can see the encrypted object if he has acquired a license for this object, or a basic representation of the encrypted object if he has not acquired a license.03-03-2011
20120173879SECURE TRANSFER OF DATA USING A FILE TRANSFER APPLICATION OVER A USB TRANSPORT LAYER - A media device includes a memory for storing a file transfer application and a storage device for storing content. The device also includes at least one processor and an input-output (I/O) interface over which the file transfer application transfers content. The device also includes a protocol stack that is executable by the processor. The protocol stack includes a file transfer application layer, a transport protocol layer that does not include native support for security, and a security emulation layer located between the file transfer application layer and the transport protocol layer. The security emulation layer is executed in the transport protocol layer.07-05-2012
20100332841Authentication Method and System - Disclosed are methods related to controlling user access to a first computer device, using a second computer device. One method comprises generating authentication data in accordance with a first algorithm and generating acceptable response data in accordance with a second algorithm using the authentication data and information shared with a second computer device. The authentication data is received at the second computer device, where response data is generated in accordance with the second algorithm using the shared information and the received authentication data. The response data generated by the second device is received at the first computer device and compared with the acceptable response data. Access to the first computer device is granted if the response data is identical to the acceptable response data.12-30-2010
20110126023Systems And Methods For Data Security - A system comprises a basic-input-output-system (“BIOS”), a disk drive, and a security system configured to prevent unauthenticated access to the disk drive. For each of at least two users out of a plurality of users, the BIOS authenticates the user based on the user's token. The BIOS also accesses secured data based on the authentication, and provides the secured data to the security system without input from the user.05-26-2011
20120311342FOCUS-BASED CHALLENGE-RESPONSE AUTHENTICATION - A method for authenticating an access attempt includes detecting an access attempt by a user device over a network. A challenge-response authentication is provided over the network to the user device. The challenge-response authentication includes an image having a plurality of image objects. The challenge-response authentication is operable to display the image such that at least one of the plurality of image objects is in focus and at least one of the plurality of image objects is not in focus. In response to providing the challenge-response authentication, an authentication response is received from the user device over the network, and it is determined whether the authentication response includes an indication of the at least one of the plurality of image objects that is in focus to determine whether to authenticate or deny the access attempt.12-06-2012
20110093719SENSITIVE DATA ALIASING - Database management and security is implemented in a variety of embodiments. In one such embodiment, data sets containing sensitive data elements are analyzed using aliases representing sensitive data elements. In another embodiment, the sensitive data elements are stored in an encrypted form for use from a secure access, while the alias is available for standard access.04-21-2011
20090300365Vehicle Diagnostic System Security with Memory Card - A method and system are provided to authenticate software stored on a computing device such as a vehicle diagnostic tool. The system generates and stores encrypted information such as a memory media and the media access control address of the vehicle diagnostic tool. The encrypted information can be sent to an authentication server which returns encrypted authentication information that is used to validate the software for a period of time.12-03-2009
20110138186METHOD OF CONTROLLING ACCESS TO A CONTACTLESS INTERFACE IN AN INTEGRATED CIRCUIT WITH TWO COMMUNICATION INTERFACES WITH CONTACT AND CONTACTLESS - A method of access control to a communication interface of an integrated circuit, includes intercepting an event transmitted between a communication interface and an application performed by the integrated circuit, and transmitting the intercepted event if a specific parameter of the application indicates that the application is authorized to use the communication interface.06-09-2011
20120042169ANTI-COUNTERFEITING ELECTRONIC DEVICE AND METHOD THEREOF - An anti-counterfeiting electronic device includes a function component assigned with an identification code ID and a processor. The processor generates a random code K02-16-2012
20120047369REVOKEABLE MSR PASSWORD PROTECTION - A microprocessor includes an MSR and fuses. The microprocessor encounters an instruction requesting access to the MSR and specifying the MSR address, performs a function of the specified MSR address and a value read from the fuses to generate a first result, encrypts the first result with a secret key to generate a second result, compares the second result with an instruction-specified password, and allows the instruction to access the MSR if the second result matches the password and otherwise denies access to the MSR. Manufacturing subsequent instances of the microprocessor with a different fuse value effectively revokes the password. Alternatively, a control register of the microprocessor may be written by system software to override the fuse value and thereby revoke the password. The function may be XOR or concatenation, the encryption may be AES, and the secret key is externally invisible.02-23-2012
20120005483Method for Image-Based Authentication - A method for authenticating user access to a restricted resource that presents a login screen with an image separated into sections. To login, the user triggers sections in a preset sequence that is set up at account creation. At account creation, a cryptographic hash function is applied to a chosen sequence of sections to generate the user's account code. Optionally, elements of the image and/or the user name are included. The user invokes the login screen when access to a restricted resource is desired. The user must change login settings if any parameters, such as a particular image, are elements of the account code. The user triggers the sections in the appropriate order. The cryptographic hash function is applied to the section sequence and any optional elements to generate the login code, which is compared to the stored account codes to either grant or deny access to the restricted resource.01-05-2012
20120017094MANAGING USER ACCOUNTS - The present disclosure relates to managing user accounts in one or more computer systems. In general, one aspect of the subject matter described in this specification can be embodied in methods that include the actions of storing on a client computing device a first cookie containing plaintext representations of one or more user identifications, and a second cookie containing encrypted versions of the one or more user identifications; updating the cookies in coordination with each other based on communications received from a central server system in response to actions by a user of the client computing device to log on or off of accounts managed by the computer server system; and mediating user access to data stored locally on the client computing device by using the first and second cookies and determining whether the data is associated with one of the user identifiers.01-19-2012
20110078455COMMUNICATION DEVICE, COMMUNICATION METHOD, INFORMATION PROCESSING DEVICE, INFORMATION PROCESSING METHOD, PROGRAM, AND COMMUNICATION SYSTEM - In one example embodiment, an information processing apparatus determines whether a target ID is a unique ID or a partial randomization ID that includes a first part being replaced by a different number and a second part being generated based on the unique ID. In response to the target ID being the partial randomization ID, the information processing apparatus generates an access key based on the second part of the partial randomization ID and a key. The information processing apparatus executes a mutual authentication process using the generated access key.03-31-2011
20120216045METHOD AND SYSTEM FOR INTEGRATED SECURING AND MANAGING OF VIRTUAL MACHINES AND VIRTUAL APPLIANCES - Method and system for the integrated securing and managing of virtual machines and virtual appliances are presented. Sealing the virtual appliance at the computer of a sender, verifying authenticity of the sender at a recipient computer and managing the execution of the VA are performed in a seamless fashion.08-23-2012
20120131349SECURE SOFTWARE PRODUCT IDENTIFIER FOR PRODUCT VALIDATION AND ACTIVATION - Systems, methods, and apparatus for generating and validating product keys. In some embodiments, a product key includes security information and identification information identifying at least one copy of a software product. The identifying information may be used to access validation information from at least one source other than the product key, and the validation information may be used to process the identification information and the security information to determine whether the product key is valid. In some further embodiments, the security information includes a first portion to be processed by a first validation authority using first validation information and a second portion to be processed by a second validation authority using second validation information, wherein the second validation information is stored separately from the first validation information.05-24-2012
20100205447METHOD OF INDIVIDUALLY FITTING A HEARING DEVICE OR HEARING AID - The present invention provides a method of providing parameters for the fitting process of individually shaped or customized hearing devices by collecting and storing fitting parameters during a fitting process by a local fitting computer; generating an individual encryption key related to the hearing device; sending the stored fitting parameters encrypted with the encryption key to a remote database; storing the encryption key in the memory of the hearing device; reading out the encryption key from the hearing device; reading out data from the remote database using the encryption. Thus, the privacy of the individual fitting data of a hearing device is secured.08-12-2010
20120137137METHOD AND APPARATUS FOR KEY PROVISIONING OF HARDWARE DEVICES - Keying materials used for providing security in a platform are securely provisioned both online and offline to devices in a remote platform. The secure provisioning of the keying materials is based on a revision of firmware installed in the platform.05-31-2012
20110185184METHOD AND DEVICE FOR ELECTRONICALLY CAPTURING A HANDWRITTEN SIGNATURE AND SAFEGUARDING BIOMETRIC DATA - A method and apparatus for encrypting an electronic document involves a computer having a first monitor and a signature capture apparatus configured to capture a handwritten signature on a second monitor. A hash sum of the electronic document generated in the computer is transmitted to the signature capture apparatus. The electronic document and the first hash sum thereof are displayed on the first monitor. The first hash sum is also displayed on the second monitor. After electronically capturing the handwritten signature, the signature data and the first hash sum are encrypted in the signature capture apparatus and then transmitted to the computer. The encrypted signature data, the first hash sum and the signed document are stored on a computer-readable medium.07-28-2011
20110185183PERIPHERAL DEVICE, NETWORK SYSTEM, COMMUNICATION PROCESSING METHOD - A peripheral device includes an interface for connection to a wired or wireless LAN, a local interface for wireless connection, and a control unit configured to check a legitimacy of a user based on a user-specific certificate stored in a communication-function-equipped device upon being accessed through the local interface by the communication-function-equipped device using near-field wireless communication, and to allow a predetermined process to be performed upon successful authentication of the legitimacy.07-28-2011
20100174911ANONYMOUS AUTHENTICATION SYSTEM AND ANONYMOUS AUTHENTICATION METHOD - A disclosed anonymous authentication system comprises a group management device, an authentication-subjected user device, a verification device and an authentication-subjected user identification device. A user previously registers a verification key in the group management device such that his signature can be verified. For authentication, the user generates his or her own signature using the authentication-subjected user device, and encrypts the signature using an encryption key of the group to generate authentication data. The verification device authenticates the signature in collaboration with a verification assistant who has a decryption key of the group. The authentication-subjected user identification device that has the decryption key of the group decrypts the authentication data as required to identify a user who is to be authenticated.07-08-2010
20120216044METHOD FOR AUTHENTICATING MOBILE DEVICE AND DISPLAY APPARATUS USING THE SAME, AND MOBILE DEVICE AUTHENTICATION SYSTEM - A method for authenticating a mobile device and a display apparatus using the same, and a mobile device authentication system are provided. In the method for authenticating the mobile device by the display apparatus, the display apparatus generates a code image in which information on the display apparatus is encrypted if the mobile device is sensed, displays the code image on a screen, receives information on the mobile device which is transmitted using the code image and authenticates the mobile device using the information on the mobile device. Accordingly, the user controls the display apparatus using the mobile device easily and intuitively.08-23-2012
20100011220AUTHENTICATION AND KEY AGREEMENT METHOD, AUTHENTICATION METHOD, SYSTEM AND DEVICE - An AKA method, an authentication method and related devices are disclosed so that a user card not supporting storing of a SQN can resist replay attacks during an AKA procedure. In an AKA method, a second device generates a fourth sequence number for a user according to system time of the second device if the second device determines that the fourth sequence number for the user is not stored in the second device and synchronizing a third sequence number of the user that is stored by a first device with the fourth sequence number by interacting with the first device. The second device and the first device may perform an anti-replay protection in authentication using the synchronized third sequence number and the fourth sequence numbers. In the AKA method, a terminal can generate a SQN based on the system time and a random number which makes the SQN value more random. Even if an attacker knows the time value or even controls the system time of the terminal, the attacker is unable to predict the SQN generated by the terminal so that a replay attack is improbable. The security is thus enhanced.01-14-2010
20100011219Secure Use of User Secrets on a Computing Platform - A computing platform (01-14-2010
20090044022Secure verification system - A secure verification system 02-12-2009
20110004768UNIT USING OS AND IMAGE FORMING APPARATUS USING THE SAME - A chip mountable on a replaceable unit used in an image forming job is disclosed. The chip includes a central processing unit (CPU) to perform at least one of authentication and cryptographic data communication with a main body of the image forming apparatus using an operating system (OS) of the CPU which operates separately from an OS of the image forming apparatus. With the use of such a configuration, security for a unit in which the chip is mounted can thereby be reinforced.01-06-2011
20120239938LOCAL STORAGE OF INFORMATION PEDIGREES - This disclosure describes techniques for dynamically assembling and utilizing a pedigree of a resource. A pedigree of a resource is a set of statements that describe a provenance of the resource. As described herein, a document may include local pedigree fragments and optionally one or more pointers to remote pedigree fragments not locally stored in the document. A pedigree fragment, generally, is a data structure that specifies a direct relationship between a first resource, e.g., a primary resource, and a second resource from which an asserted fact of the first resource is derived. Because a pedigree fragment specifies such direct relationships, a set of pedigree fragments may be used to assemble the complete pedigree of the resource.09-20-2012
20120265996Permitting Access To A Network - Method and communication system for permitting access to a network via an access point, wherein the method comprises determining, at a first node of the communication system, at least one identifier of the access point. Using a predetermined encrypting function and the determined at least one identifier of the access point, access credentials are encrypted in such a way that the at least one identifier of the access point is required in order to decrypt the encrypted access credentials. The access credentials are for accessing the network via the access point. The encrypted access credentials are provided over the communication system to a second node of the communication system, and the second node determines the at least one identifier of the access point by communicating with the access point. The second node uses the determined at least one identifier of the access point to decrypt the encrypted access credentials using a predetermined decrypting function which corresponds to the predetermined encrypting function, and the second node uses the decrypted access credentials to access the network via the access point.10-18-2012
20110047387Method of Access Control and Corresponding Device - A computing device which includes an access control mechanism which is used to control access to keys which are used in cryptographic processes. Any application wishing to gain access to a key must first obtain authorisation from the access control mechanism. Authorised applications may access keys directly, without having to pass data through the access control mechanism.02-24-2011
20110239000PASSWORD-PROTECTED PHYSICAL TRANSFER OF PASSWORD-PROTECTED DEVICES - A method for password-protected physical transfer of password-protected devices including at a receiving location, generating at least one security file including an encrypted element generated using a one-way encryption function utilizing at least one secure code, transmitting the at least one security file to a shipping location at which the password-protected devices are located, at the shipping location, using at least one shipping location password, loading the at least one security file into at least one password-protected device, shipping the at least one password-protected device to the receiving location and at the receiving location, employing the at least one secure code to supply an input to the at least one password-protected device and employing the at least one security file to enable establishment of at least one receiving location password for the at least one password-protected device which replaces the at least one shipping location password.09-29-2011
20120089847METHOD OF OBTAINING AUTHORIZATION FOR ACCESSING A SERVICE - Methods and devices for obtaining authorization for a requestor to access a service are provided. In accordance with one embodiment, there is provided a method comprising receiving a requestor request for access to a service; sending an authorization request to one or more mobile devices associated with one or more authorizers on a first approval list; receiving an authorization response from the one or more mobile devices associated with the one or more authorizers on the first approval list; determining whether a predetermined level of authorization is received; and when the predetermined level of authorization is received, authorizing access to the service.04-12-2012
20120331302METHOD FOR AUTHENTICATING A PORTABLE DATA CARRIER - A method for authenticating a portable data carrier (12-27-2012
20110320822KEYED HUMAN INTERACTIVE PROOF PLAYERS - A human interactive puzzle (HIP) authorization architecture where keyed and animated puzzles are executed by HIP players which are distinct and obfuscated to the point where breaking a single player is a relatively costly operation. A key is created in response to a request for a service, a HIP player is created based on the key, and a small installation executable is created that expands during installation to produce a computationally expensive data structure on the client relative to verification of the solution at the server. Thus, copying of the player or relay of the puzzle to a third system requires more time than allowed to receive the solution at the server.12-29-2011
20100199098PROTECTING PRIVACY OF SHARED PERSONAL INFORMATION - Methods and apparatus are described to protect personal information by decoupling it from user identity. According to specific embodiments, this is accomplished by associating each user with an anonymous token that is decoupled from the user's identity. Personal information (e.g., a user's physical or geographic location) is stored in association with this anonymous token, with no apparent connection to the user. Those allowed to access the personal information—including the owner himself—are granted the ability through a variety of mechanisms to connect the anonymous token back to the owner. The personal information can then be retrieved by locating the data stored in association with the anonymous token in the data store.08-05-2010
20130013928Secure Credential Unlock Using Trusted Execution Environments - Computing devices utilizing trusted execution environments as virtual smart cards are designed to support expected credential recovery operations when a user credential, e.g., personal identification number (PIN), password, etc. has been forgotten or is unknown. A computing device generates a cryptographic key that is protected with a PIN unlock key (PUK) provided by an administrative entity. If the user PIN cannot be input to the computing device the PUK can be input to unlock the locked cryptographic key and thereby provide access to protected data. A computing device can also, or alternatively, generate a group of challenges and formulate responses thereto. The formulated responses are each used to secure a computing device cryptographic key. If the user PIN cannot be input to the computing device an entity may request a challenge. The computing device issues a challenge from the set of generated challenges. Upon receiving a valid response back, the computing device can unlock the secured computing device cryptographic key associated with the issued challenge and subsequently provide access to protected data.01-10-2013
20110145587INTEGRATED LOGIN INPUT APPARATUS AND METHOD IN PORTABLE TERMINAL - An apparatus and method in a portable terminal for an integrated login input are provided. The integrated login input method includes, displaying a plurality of images during registration of a password, displaying a plurality of images, selecting one of the plurality of displayed images, determining a coordinate system according to an encryption level to be set for the password and applying the determined coordinate system to the selected image, changing a tilt of the portable terminal by an angle and detecting the changed tilt, receiving a selection of the user on a region of the selected image, and combining the detected tilt and coordinates corresponding to the region where the user's selection is generated and registering the combination as the password.06-16-2011
20110246782Data Protection Systems and Methods - Systems and methods are provided for protecting electronic content from the time it is packaged through the time it is experienced by an end user. Protection against content misuse is accomplished using a combination of encryption, watermark screening, detection of invalid content processing software and hardware, and/or detection of invalid content flows. Encryption protects the secrecy of content while it is being transferred or stored. Watermark screening protects against the unauthorized use of content. Watermark screening is provided by invoking a filter module to examine content for the presence of a watermark before the content is delivered to output hardware or software. The filter module is operable to prevent delivery of the content to the output hardware or software if it detects a predefined protection mark. Invalid content processing software is detected by a monitoring mechanism that validates the software involved in processing protected electronic content. Invalid content flows can be detected by scanning the information passed across system interfaces for the attempted transfer of bit patterns that were released from an application and/or a piece of content management software.10-06-2011
20080222424Method And Apparatus For Path Concealment In Networks And Graphs - A method for data concealment between two parties in a system, including: permitting the system to solicit one or more data from a user; permitting the system to generate a traversed path in a graph by using the one or more data provided by the user to generate the traversed path; performing a sequence of computations; associating square matrices to each connected node of the plurality of nodes of the traversed path in the graph; initiating each of the sequence of computations with a random vector; performing matrix multiplications at each step in the sequence of computations; obtaining a result vector; using the result vector of a matrix and a vector product of each connected node of the plurality of nodes of the traversed path as a vector in a subsequent node in the traversed path; comparing an outcome of the sequence of computations to a value associated with the traversed path of a correct password.09-11-2008
20080222423SYSTEM AND METHOD FOR PROVIDING SECURE AUTHENTICATION OF DEVICES AWAKENED FROM POWERED SLEEP STATE - In one embodiment, a system wake-up vector points to a native OS wake-up routine. As the native OS awakens from sleep it passes the wake-up message to the appropriate device drivers. A hardware device whose security context is to be restored hooks the appropriate driver in order to intercept and handle the wake-up message. In a second embodiment, a system wake-up vector is redirected to a device specific S3 wake-up subroutine that handles a resume from S3 prior to allowing the call of the native OS wake-up vector. This S3 wake-up subroutine challenges a user for authentication credentials or retrieves them from a hardware device. The supplied credentials are used directly or to decrypt an unlock key from an encrypted key in memory. The unlock key would then be used to unlock the hardware device or fed to the native OS for processing by a device driver capable of unlocking the hardware device.09-11-2008
20130097427Soft-Token Authentication System - A system for authenticating a user and his local device to a secured remote service with symmetrical keys, which utilizes a PIN from the user and a unique random value from the local device in such a way that prevents the remote service from ever learning the user's PIN, or a hash of that PIN. The system also provides mutual authentication, verifying to the user and local device that the correct remote service is being used. At the same time, the system protects against PIN guessing attacks by requiring communication with the said remote service in order to verify if the correct PIN is known. Also, the system works in such a way as to change the random value stored on the user's local device after each authentication session.04-18-2013
20130151858STORAGE DEVICE PROTECTION SYSTEM AND METHOD FOR LOCKING AND UNLOCKING STORAGE DEVICE - A storage device protection system including a protection control unit, a detection unit, an account/password input unit, an ID acquiring unit, and an encryption unit is provided. The detection unit determines whether a storage device and a key storage device are both coupled to a host. The account/password input unit receives an administrator ID and an administrator password. The ID acquiring unit obtains IDs of the storage device and the key storage device. The encryption unit encrypts the administrator ID, the administrator password, and the IDs of the storage device and the key storage device into encryption data. The protection control unit stores the encryption data into the key storage device and sets an access mode of the storage device as a protection status according to the administrator ID and the administrator password. Thereby, the storage device can be effectively unlocked by using the key storage device.06-13-2013
20120260100Method and System for USB with an Integrated Crypto Ignition Key - Methods and systems provide a USB memory stick protected by an attached CIK. This system includes a USB memory stick composed of a main body and a cap. The main body houses the memory for data storage as well as the encrypt/decrypt device and ancillary circuitry. The cap houses the CIK, simultaneously providing a storage mechanism for the CIK as well as keeping the CIK obscured from plain view and visual detection.10-11-2012
20120284526PERSONAL IDENTIFICATION NUMBER SECURITY ENHANCEMENT - A system for enhancing security of a personal identification number is configured for performing a method that includes receiving, from a first entity having an input permission, a first data structure into a HSM, wherein the first data structure maps a first many-to-one mapping between a first and a second PIN numeral system. The method also includes determining whether the content of the first data structure is valid, storing the first data structure in the HSM if the first data structure is valid and marking the stored first data structure as inactive. The method further includes activating the first data structure if a second data structure is input into the HSM by a second entity having an activation permission, wherein the first entity is different from the second entity, the first data structure is identical to the second data structure. The method additionally includes converting from the first to the second PIN numeral system responsive to the activated first data structure.11-08-2012
20110314294PASSWORD CHECKING - A method is disclosed for password checking. After input is received, a proposed password included in the input is parsed into symbols. At least one of the symbols includes two or more characters. A probability metric is determined based on a sequence of symbols. The probability metric is used to determine whether or not the password is secure.12-22-2011
20120030473UNIQUE BLOCK HEADER PATTERNS FOR MEDIA VERIFICATION - Authenticating the source of digital media is performed by using unique, randomly generated variably encoded frequency patterns to create mastering specific, profiles for sets end user media which can be verified by a manufacturer. A method for verifying the authenticity of an optical storage device includes the steps of: reading a randomly generated signature key value for the optical storage device; determining manufacturing information for the optical storage device; and matching read randomly generated signature key values and manufacturing information with known valid key the to determine the authenticity of the device.02-02-2012
20130198522SYSTEMS AND METHODS FOR FILE ACCESS AUDITING - Systems and methods for providing an auditing file system for theft-prone devices are disclosed. The auditing file system supports fine-grained file auditing: a user may obtain reliable, explicit evidence that no files have been accessed after a device's loss. A user may also disable future file access after a device's loss, even in the absence of device network connectivity. In one embodiment, files are encrypted locally but the encryption keys are stored remotely, so that an audit server is queried for encryption keys to access protected files. By configuring the audit server to refuse to return a particular file's key, the user can prevent new accesses after the device is lost.08-01-2013
20130198523METHOD AND APPARATUS FOR CHECKING FIELD REPLACEABLE UNIT, AND COMMUNICATION DEVICE - The present application provides a method and an apparatus for checking a field replaceable unit, and a communication device. The method for checking the field replaceable unit includes: obtaining key identifier information saved in a security memory module; and determining trustworthiness of the field replaceable unit according to the key identifier information saved in the security memory module and key identifier information directly obtained from the field replaceable unit. The present application may implement trustworthiness checking of the field replaceable unit, the implementation is simple, and the cost is low.08-01-2013
20120079278OBJECT SECURITY OVER NETWORK - The application of a security model to one or more objects that are located on a network. When an object is to be accessed, security data associated with the object is accessed and enforced against the object. For instance, the security data might be used to determine an authentication mechanism to use to authenticate the user or entity that is accessing the object. The security data might also correlate the authenticated user or entity to the authorized actions that may be performed by that entity on the object. The security data might also specify encryption policy regarding the object.03-29-2012
20120084570Remote Resources Single Sign On - Exemplary techniques for enabling single sign-on to an operating system configured to conduct a remote presentation session are disclosed. In an exemplary embodiment, a user credential can be encrypted using an encryption key generated by a remote presentation session server and sent to a client. The client can send the encrypted user credential to the remote presentation session server. The remote presentation session server can decrypt the user credential and use it to log a user into an operating system running on the remote presentation session server. In addition to the foregoing, other techniques are described in the claims, the detailed description, and the figures.04-05-2012
20130212399Travel Vault - A travel vault includes a system and method for backing up and retrieving an encrypted data file containing user identification and credential information held in the dedicated tamperproof module of a mobile device. During backup, the encrypted data file is locked by the user with a personal identification number (PIN) and stored on a server secured by an HSM (Hardware Security Module). The user may then later retrieve and re-provision the locked, encrypted data file containing the user's identification and credentials into another dedicated tamperproof mobile device, provided the user verifies his identity by providing the PIN used to lock the file, and/or verifies his identity through an out-of-band user authentication process.08-15-2013
20130212400DOUBLE AUTHENTICATION FOR CONTROLLING DISRUPTIVE OPERATIONS ON STORAGE RESOURCES - A storage controller and program product is provided for performing double authentication for controlling disruptive operations on storage resources generated by a system administrator. A first request is received from a first user for generation of a first key. A first key is generated, provided to the first user and associated with the storage resource. An input is received from the administrator, the input comprises a second key and a command for performing the disruptive operation. The second key and the first key are compared. It is verified that the administrator is authorized as an administrator of the storage resource. The disruptive operation is performed on the storage resource if the second key and the first key match and the administrator is authorized. Otherwise, the performance of the disruptive operation is denied.08-15-2013