
Tokens (e.g., smartcards or dongles, etc.)

Subclass of:

726 - Information security

726002000 - ACCESS CONTROL OR AUTHENTICATION

726003000 - Network

726005000 - Credential


Deeper subclasses:

Entries (document number - title (publication date) - abstract):
20120266229 - INTER-APPLICATION MANAGEMENT OF USER CREDENTIAL DATA (10-18-2012) - A system and apparatus for enhancing the functionality and utility of an authentication process for web applications is disclosed.
20130031620 - LOCALIZED NETWORK AUTHENTICATION AND SECURITY USING TAMPER-RESISTANT KEYS (01-31-2013) - The invention provides a secure Wi-Fi communications method and system. In an embodiment of the invention, unique physical keys, or tokens, are installed at an access point and each client device of the network. Each key comprises a unique serial number and a common network send cryptographic key and a common network receive cryptographic key used only during the authentication phase by all components on the LAN. Each client key further includes a secret cryptographic key unique to each client device. During authentication, two random numbers are generated per communications session and are known by both sides of the wireless channel. Only the random numbers are sent across the wireless channel and in each case these numbers are encrypted. A transposed cryptographic key is derived from the unique secret cryptographic key using the random numbers generated during authentication. Thus, both sides of the wireless channel know the transposed cryptographic key without it ever being transmitted between the two.
20090193511 - TWO-FACTOR USB AUTHENTICATION TOKEN (07-30-2009) - The present patent application discloses a USB token that advantageously mimics a human interface device such as a keyboard in interacting with a host computer, thus removing the need for pre-installation of a dedicated device driver. This is accomplished by requiring the host computer to direct the input of the attached human interface devices of the keyboard type, including the USB token, exclusively to the program interacting with the USB token, by using cryptographic algorithms based on a shared secret, which require less data to be transferred than PKI-based algorithms, and by employing an efficient encoding scheme that minimizes the time needed to exchange information with the USB token, and minimizes the probability of generating ambiguity with input that might legitimately be generated by other attached human interface devices. By using only symmetric encryption and the low-speed USB protocol, a single low-performance processor may be used, which results in a more cost-effective solution than PKI USB tokens emulating the combination of smart cards and smart card readers or USB tokens presenting themselves to the host computer as mass storage devices. The overall security is increased by adding a second authentication factor consisting of a static password entered by the user, and by limiting the number of valid token responses that can be generated or retrieved in a usage session.
20090193510 - APPARATUS, AND AN ASSOCIATED METHODOLOGY, FOR FACILITATING AUTHENTICATION USING A DIGITAL MUSIC AUTHENTICATION TOKEN (07-30-2009) - An apparatus, and an associated methodology, for facilitating authentication of a user device to access content at another device. A music file is selected as a digital music authentication token. Once selected, authentication data is encoded into the music file. Subsequently, when log-in and authentication procedures are performed, the music file is retrieved, and used pursuant to the authentication procedure.
20090193509 - SYSTEMS, METHODS AND COMPUTER PROGRAM PRODUCTS FOR GENERATING ANONYMOUS ASSERTIONS (07-30-2009) - Systems, methods and computer program products for generating anonymous assertions. Exemplary embodiments include a method for generating anonymous assertions, the method comprising engaging anonymous role authentication via one or more authenticator services, generating an assertion token on a trusted assertion device that is booted into a trusted configuration, and processing the assertion and validating a right of the user to make the assertion for the event.
20100011431 - METHODS AND APPARATUS FOR AUTHORIZING ACCESS TO DATA (01-14-2010) - In one embodiment, a method comprises receiving a request from a first party for access to controlled data, and providing access to the controlled data to a second party. The first party requests access to the controlled data and a token is provided to the first party. The token includes data associated with authorized access to the controlled data. A request for access to the controlled data including the token is later received from the second party, and access to the controlled data is provided to the second party.
20110202991 - PRESERVING PRIVACY WITH DIGITAL IDENTITIES (08-18-2011) - A privacy-preserving identity system is described herein that combines low disclosure tokens with an identity metasystem to allow proof of a user's identity and other claims about the user in a manner that preserves the user's privacy by avoiding disclosing unnecessary information about the user. A low or minimal disclosure token is a security token that encodes claims in such a way that (1) the token can be long-lived, (2) the token can be presented in an unlinkable manner, or (3) the user can minimally disclose the encoded information to respond to an unanticipated Relying Party policy. Using the privacy-preserving system within an identity metasystem, users can obtain long-lived, low disclosure tokens from the Identity Provider and later present them to Relying Parties, thus improving both users' privacy and the system's scalability.
20110202990 - COMPUTER INFORMATION SECURITY SYSTEM AND OPERATION METHOD THEREOF (08-18-2011) - The present invention relates to a computer information security system and method; the system includes a connection device and a sensor. When the connection device is plugged into the predetermined computer and the sensor and the connection device are conjoined, a first identification code can be stored on the computer through the connection device, and an initialization setting of a second identification code is generated for the sensor through the connection device. Therefore, when the sensor is outside the predetermined range of the connection device, the connection device will control the computer for encoding to prevent an unauthorized user from using the computer; when the sensor is located within the predetermined range of the connection device, the connection device will automatically input the first identification code to the computer to enable the user to use the computer directly without inputting the first identification code, avoiding the complicated procedure of inputting the first identification code when the user returns to work on the computer, thus reinforcing the security of the information in the computer and making the operation more convenient.
20080256615 - Method and apparatus for file sharing between a group of user devices with separately sent crucial portions and non-crucial portions (10-16-2008) - A communication system
20130081128 - SYSTEM AND METHOD FOR PROVIDING A REST-BASED MANAGEMENT SERVICE IN A TRAFFIC DIRECTOR ENVIRONMENT (03-28-2013) - Described herein are systems and methods for providing software administration tools, for use in administering server configurations, such as in a traffic director or other type of server environment. In accordance with an embodiment, the system comprises a traffic director having one or more traffic director instances, which is configured to receive and communicate requests, from clients, to origin servers having one or more pools of servers. An administration server can be used to manage the traffic director, including a REpresentational State Transfer (REST) infrastructure and management service which maps REST calls to mbeans or other management components registered on the administration server, for use in managing the traffic director.
20130081127 - SMART CARD AND COMMUNICATION METHOD THEREOF (03-28-2013) - A smart card and a communication method thereof are provided. The smart card comprises a flexible electronic system and a card body. The flexible electronic system comprises a display circuit, a communication interface, a security module, a code generator and a flexible display. The communication interface is used for communicating with a reader. The security module is used for transmitting security verification information to the reader. The code generator is electrically connected to the security module and used for generating a code. The flexible display is connected to the display circuit and used for displaying the code. The card body encapsulates the flexible electronic system. After an input device receives the inputted code, the reader transmits the inputted code and the security verification information to the confirmation server to confirm whether the inputted code and the security verification information are correct.
20080320577 - Personal Token With Parental Control (12-25-2008) - The invention relates to a personal token (in particular a SIM card), a system comprising a personal token and a communication device (in particular a cellular phone), and a method for parental control of the services of the communication device. The personal token of the invention comprises connection means for connecting to a communication device and parental control means, the parental control means controlling access of a controlled entity to the services offered by the communication device according to a set of rules stored in the personal token. The personal token also comprises rules modification means enabling the modification of the set of rules (access to the rules modification means being restricted to a controlling entity), and a web server, the rules modification means being accessible through at least one web page on the web server.
20130042314 - System and Method for Authenticating a User (02-14-2013) - According to one embodiment, a system including a memory and a processor is provided. The memory may be operable to store a plurality of accounts. Each account may be associated with a user and with a mobile device. The processor may be coupled to the memory and operable to receive user credentials, sent by a requesting user and originating from a requesting device, in conjunction with a request for authentication. The user credentials may include an account identifier. The processor may be further operable to retrieve, from the plurality of accounts, the account associated with the account identifier that matches the account identifier included in the user credentials. The processor may compare information included within the user credentials with information associated with the account. If the information included within the user credentials matches the information associated with the account, the processor may send an authentication-confirmation message to a second device.
20100043066 - MULTIPLE SECURITY LAYERS FOR TIME-BASED NETWORK ADMISSION CONTROL (02-18-2010) - Embodiments of the present invention include a computer method of controlling access to a computer-based network comprising: (i) receiving an indication of an attempt to gain access to a computer-based network; (ii) applying a respective network access control policy to determine whether to allow the attempt to gain access to the computer-based network at each of multiple security layers; and (iii) allowing or blocking the attempt to gain access through the security layer to the computer-based network based on the application of the respective network access control policy at each security layer. Other embodiments include a computer method of controlling access to a computer-based network comprising: (a) scanning a host computer for viruses; (b) temporarily disabling a firewall of the host computer during an audit; and (c) shutting down high risk services running on the host computer.
20100325716 - Managing Access To A Document-Processing Device Using An Identification Token (12-23-2010) - A method and apparatus for accessing a document-processing device is provided. A request to access the document-processing device is received by the document-processing device. For example, the request may be a request to configure the document-processing device or a request to produce an electronic copy of a document. The document-processing device reads authentication data from an authentication token, which is a portable physical object associated with the user that issued the request. For example, the authentication token may be a proximity card, a common access card (CAC), a smart card, a credit card, a driver's license, or a cell phone. The document-processing device determines, based on the authentication data, whether the user has sufficient user access privileges to perform the request. If the user has sufficient user access privileges to perform the request, then the document-processing device performs the request.
20090158413 - METHOD AND APPARATUS FOR SECURE AND SMALL CREDITS FOR VERIFIABLE SERVICE PROVIDER METERING (06-18-2009) - A method and apparatus for obtaining access to services of service providers. In one embodiment, the method comprises requesting a desired service through a foreign service provider, generating a hash tree and generating a digital signature on a root value of the hash tree, sending the digital signature and the root value to the foreign service provider, providing one or more tokens to the foreign service provider with the next packet if the foreign service provider accepts the signature, and continuing to use the service while the foreign service provider accepts tokens.
20100107234 - METHODS FOR PROTECTING AGAINST COOKIE-POISONING ATTACKS IN NETWORKED-COMMUNICATION APPLICATIONS (04-29-2010) - The present invention discloses methods, media, and gateways for protecting against cookie-poisoning attacks in networked-communication applications. Methods include the steps of: creating a protected gateway cookie, generated by a gateway, for a server cookie, generated by a server, wherein the server cookie is received by the gateway in an HTTP response message; and validating, by the gateway, that a client cookie from a client request has a corresponding gateway cookie with expected field values. Preferably, the field values include at least one field value selected from the group consisting of: a name, a hash value computed over the server cookie, a hash-function index, a timestamp, a nonce, a hash value computed over newly-generated values, a path, a domain, an expiration, and an HTTP-only value. Preferably, the gateway cookie is signed with a secret key. Most preferably, the secret key is generated by a secret seed.
20130047246 - APPARATUS AND METHOD FOR DETERMINING ENVIRONMENT INTEGRITY LEVELS (02-21-2013) - According to one embodiment, an apparatus may receive a resource token indicating that access to the resource has been requested. The apparatus may determine the value of an access value associated with at least one network token. The apparatus may then determine that the value of the access value is insufficient to grant access to the resource and determine that access to the resource over the network should be denied.
20130047247 - ACCESS MANAGEMENT SYSTEM, ACCESS MANAGEMENT METHOD, ACCESS MANAGEMENT SERVER, COOPERATION SERVER, AND COMPUTER-READABLE MEDIUM (02-21-2013) - A system includes an access management server and a cooperation server, wherein the access management server comprises an issuance unit that issues a token corresponding to a managed user account in response to a request of the cooperation server, and a deletion unit that deletes a user account, of the managed user accounts, which satisfies a predefined deletion condition; and the cooperation server comprises an acquisition unit that, when acquisition of a token corresponding to a user account managed by the access management server is requested by another server, acquires an issued token corresponding to the user account if the deletion unit has not deleted the user account, and causes the access management server to re-register the user account and acquires a token issued for the re-registered user account if the deletion unit has already deleted the user account.
20130047243 - Apparatus and Method for Performing Session Validation (02-21-2013) - According to one embodiment, an apparatus may receive a first token indicating that access to the resource has been requested. The apparatus may determine at least one token-based rule based at least in part upon the first token, and determine that a plurality of tokens includes a second token associated with the at least one token-based rule. The apparatus may then generate a session token based at least in part upon the first token and the second token in response to the determination that the plurality of tokens includes the second token. The apparatus may terminate the session token based on a received third token.
20130047244 - Method and Apparatus for Session Validation to Access Third Party Resources (02-21-2013) - According to one embodiment, an apparatus may store a plurality of token-based rules. A token-based rule may facilitate access to a resource. The apparatus may further store a plurality of tokens. The apparatus may receive, from an entity, a first token indicating that access to the resource has been requested by a device through the entity and determine at least one token-based rule based at least in part upon the first token. The at least one token-based rule may condition access to the resource upon a second token. The second token may be associated with a subscriber identity module of the device. The apparatus may determine that the plurality of tokens includes the second token associated with the at least one token-based rule and generate a session token based at least in part upon the first token and the second token.
20130047245 - Apparatus and Method for Performing Session Validation to Access Confidential Resources (02-21-2013) - According to one embodiment, an apparatus may receive a first token indicating that access to a resource has been requested by a device. The first token may further indicate that the resource is a confidential resource. The apparatus may determine that a plurality of tokens includes a second token and generate a session token based at least in part upon the first token and the second token in response to the determination that the plurality of tokens includes the second token. The apparatus may receive a third token indicating an event affecting the risk associated with granting access to the resource and determine, based at least in part upon the at least one token-based rule, that access to the resource should be terminated in response to receiving the third token. The apparatus may then terminate the session token in response to the determination that access to the resource should be terminated.
20130047240 - Method and Apparatus for Token-Based Container Chaining (02-21-2013) - According to one embodiment, an apparatus may intercept a request to access a resource represented by a resource token. The apparatus may receive a hard token representing identification information of a device. The apparatus may determine, based at least in part upon the hard token and the resource token, at least one token-based rule specifying compliance criteria required to consume the resource. The apparatus may receive at least one token representing compliance information of the device in response to a request for compliance information of the device. The apparatus may then compare the compliance information against the compliance criteria to determine that the device is capable of consuming the resource. The apparatus may then generate a compliance token representing the determination that the device is capable of consuming the resource, and communicate the compliance token to facilitate the provisioning of a container to the device.
20130047242 - Apparatus and Method for Performing Real-Time Authentication Using Subject Token Combinations (02-21-2013) - According to one embodiment, an apparatus may receive a resource token associated with a resource indicating that access to the resource has been requested. The apparatus may determine at least one token-based rule based at least in part upon the resource token, wherein the at least one token-based rule may be associated with at least one subject token. The apparatus may then determine that the at least one subject token is not in the plurality of first subject tokens and the plurality of second subject tokens based at least in part upon the at least one token-based rule, and deny access to the resource.
20130047241 - Method and Apparatus for Token-Based Combining of Risk Ratings (02-21-2013) - According to one embodiment, an apparatus may store a plurality of tokens. The plurality of tokens may include a plurality of risk tokens. Each risk token may represent a risk rating. The risk rating may be a numerical value indicating a risk associated with granting a particular user access to a particular resource. The apparatus may identify a set of related risk tokens in the plurality of risk tokens, and generate a composite risk token that represents an arithmetic combination of the risk ratings represented by the set of related risk tokens. The apparatus may then use the composite risk token to facilitate the making of an access decision.
20090328177 - ENABLING PRIVATE DATA FEED (12-31-2009) - A method of generating a pre-authenticated link to access a private feed and providing access to the private feed using the pre-authenticated link. A request to access the private feed is received and a first user sending the request is authenticated. A token for the first user is generated when the first user is authorized to access the private feed. The token may identify the first user, the private feed and an owner of the private feed. The token may be embedded within a link and transmitted to the first user. A user is automatically authorized to access the private feed when the token is sent by the user using the link. The link automatically authenticates the first user and allows access to the private feed. The private feed may become inaccessible to the first user when the owner of the private feed revokes access of the first user.
20090106829 - Method and system for electronic reauthentication of a communication party (04-23-2009) - The present invention relates to a method for electronic reauthentication of a communication party (
20120192260 - System and method for user authentication by means of web-enabled personal trusted device (07-26-2012) - A system of token-based user authentication for the purpose of authorizing user access to protected resources, such as web applications, computer systems or computer controlled devices. The system utilizes a personal trusted device (PTD), which is owned and operated by one specific user, to establish secure communication channels that are subsequently used to pass user credentials to an authentication service. Association of a PTD with servers controlling access to resources is performed by publishing and capturing unique tokens via sensors embedded in the PTD, such as an optical camera.
20130061311 - SECURITY SYSTEM FOR CLOUD COMPUTING (03-07-2013) - Security system for cloud computing that will improve the security of users' authentications to cloud data and resources. User authentication to cloud resources requires analyzing confidence in the hardware used to transmit the authentication for access to the cloud data and/or resource. User authentication can be transmitted after the user confirms administrative rights and/or physical security control over the hardware used to transmit the authentication for access to the cloud data and/or resource. The hardware used to access the cloud data and/or resource can be analyzed for malicious code before the user authentication is transmitted. The authentication can be provided on a hardware token, and the system can execute on the hardware token to analyze hardware confidence and thereafter transmit the user authentication.
20130061312 - SECURITY TOKEN FOR SECURELY EXECUTING AN APPLICATION ON A HOST COMPUTER (03-07-2013) - The invention relates to a security token comprising a communication interface adapted to communicate with a host computer; a security module, comprising encryption-based security features; and a non-volatile memory storing at least an application to be uploaded and executed in a host computer. The application makes use of the security features when executed in a host computer in communication with the communication interface. The security token is adapted to modify the content of the application as uploaded, or its execution parameters, at successive connections of the security token to a host computer.
20130061309 - Per Process Networking Capabilities (03-07-2013) - Per process networking capability techniques are described. In one or more implementations, a determination is made as to whether access to a network capability is permitted for a process that is executed on the computing device based on a token that is associated with the process. The token has one or more security identifiers that reference one or more network capabilities described in a manifest. The access to the network capability is managed based on the determination.
20130061310 - SECURITY SERVER FOR CLOUD COMPUTING (03-07-2013) - A system, method, and server improving the security of accessing internetworked computer resources, especially over public access connections, without requiring additional servers from either the resource provider or the authenticating user. User authentications are transmitted over data access connections over which users do not have administrative rights and/or physical security control. A resource request which includes user authentications can be encrypted on a user computer and transmitted over the internet or other data network over which the user has no administrative access or physical control. A security server receives the encrypted resource request, decrypts it, and forwards the resource request to a cloud computing resource.
20090271856 - RESTRICTED USE INFORMATION CARDS (10-29-2009) - A system and method for utilizing restricted use information cards is provided. An identity provider issues a restricted use information card responsive to a relying party's restricted use policy. The identity provider can issue security tokens associated with the restricted use information card that include a unique-id claim. A broker can act as an intermediary between a user and the relying party to protect the user's personal information but still uniquely identify the user to the relying party. The relying party, the identity provider, or the broker can be responsible for enforcing the restricted use policy.
20090271855 - COMPUTER BASED METHOD AND SYSTEM FOR REGISTERING A USER AT A SERVER COMPUTER SYSTEM (10-29-2009) - The invention provides a method for registering a user at a server computer system. A first interface is transmitted from the server computer system to a user computer system, the first interface having a field for entering a mobile telephone number. A mobile phone number entered into the field for the mobile phone number is received from the user computer system at the server computer system. A password is generated and transmitted from the server computer system to a mobile device having a mobile phone number corresponding to the mobile phone number received from the user computer system, and a second interface is transmitted from the server computer system to the user computer system, the second interface including a field for entering the password. A follow-up message is transmitted from the server computer system to the mobile device if the password is not received from the user computer system at the server computer system within a predetermined period of time.
20120117638 - TECHNIQUE FOR CONTROLLING ACCESS BY A CLIENT ENTITY TO A SERVICE (05-10-2012) - A technique of controlling access by a client entity to a service in a communications network. Processing modules are interconnected in the network in order to supply the service to the client entity. A processing module implements an individual function of a chain of individual functions associated with the service. The access method includes the following steps implemented by an access control device associated with an access node giving access to the service, the device being referred to as a main device: receiving a chain of processing modules from the access node; sending, to a secondary access control device associated with a processing module of the chain, a request to access the processing module under consideration, the request including an access token negotiated between the main device and the client entity; receiving a response to the access request from the secondary device; and notifying the access node of the response.
20120117637 - MANAGEMENT OF MULTIPLE CONNECTIONS TO A SECURITY TOKEN ACCESS DEVICE (05-10-2012) - A security token access device, a user device such as a computing device or communications device, and a method for managing multiple connections between multiple user devices and the access device. The access device maintains connection information, including security information, for each user device securely paired with the access device. Each time a new user device is paired with the access device, the access device transmits a notification to the user devices already paired to the user device. A user may provide instructions to the access device to terminate a pairing with one of the user devices by overwriting at least a portion of the connection information associated with the designated user device. A user device may further request a listing of all user devices currently paired with the access device.
20120117636 - MANAGEMENT OF MULTIPLE CONNECTIONS TO A SECURITY TOKEN ACCESS DEVICE (05-10-2012) - An electronic device, system and method for automatically managing wireless connections with a plurality of other devices are provided. The electronic device may be a security token access device and may be adapted to wirelessly pair and optionally securely pair with other devices. Connection information, which may comprise security information, is maintained at the electronic device for each connected device. When a connected device becomes stale, the electronic device implements one or more steps to manage the stale device's connection.
20120117635 - SIMULACRUM OF PHYSICAL SECURITY DEVICE AND METHODS (05-10-2012) - A simulacrum security device and methods. In one embodiment, a simulacrum or likeness of a physical security device is provided for use in conjunction with a software emulation of the security device. In one implementation, a "faux SIM card" is provided that does not contain Subscriber Identification Module (SIM) information itself, but instead enables a user to download Electronic SIM (eSIM) information (e.g., from a network or eSIM server) which is loaded into a software emulation of a Universal Integrated Circuit Card (UICC) device. The faux card is printed with an activation code, scan pattern, or other activation or access information. The subscriber purchases the faux card, and enters the activation code into a device; the entered activation code enables the device to log onto a network, and download the appropriate eSIM data. Delivery of eSIM information as enabled by the faux card addresses deficiencies in existing SIM distribution schemes, provides users with an enhanced perception of security, and further addresses various legal requirements.
20130067555 - Method and Apparatus for Trust-Based, Fine-Grained Rate Limiting of Network Requests (03-14-2013) - A method and apparatus for fine-grained, trust-based rate limiting of network requests distinguishes trusted network traffic from untrusted network traffic at the granularity of an individual user/machine combination, so that network traffic policing measures are readily implemented against untrusted and potentially hostile traffic without compromising service to trusted users. A server establishes a user/client pair as trusted by issuing a trust token to the client when successfully authenticating to the server for the first time. Subsequently, the client provides the trust token at login. At the server, rate policies apportion bandwidth according to type of traffic: network requests that include a valid trust token are granted highest priority. Rate policies further specify bandwidth restrictions imposed for untrusted network traffic. This scheme enables the server to throttle untrusted password-guessing requests from crackers without penalizing most friendly logins and only slightly penalizing the relatively few untrusted friendly logins.
20110023103 - METHOD FOR READING ATTRIBUTES FROM AN ID TOKEN (01-27-2011) - The invention relates to a method for reading at least one attribute stored in an ID token (
20090265776 - AUTHENTICATION OF DATA COMMUNICATIONS (10-22-2009) - Methods and apparatus are provided for authenticating communications between a user computer and a server via a data communications network. A security device has memory containing security data, and security logic to use the security data to generate an authentication response to an authentication message received from the server in use. An interface device communicates with the security device. The interface device has a receiver for receiving from the user computer an authentication output containing the authentication message sent by the server to the user computer in use, and interface logic adapted to extract the authentication message from the authentication output and to send the authentication message to the security device. A communications interface is included for connecting to the server via a communications channel bypassing the user computer. Either the security device or the interface device sends the authentication response to the server via the communications channel bypassing the user computer.
20120272306 - AUTHENTICATION TICKET VALIDATION (10-25-2012) - An authentication ticket is validated to ensure authenticated communications between a client and an online service provider. In an embodiment, an authentication request is received from a user agent associated with the client, and the authentication request includes a set of identification information and a set of authentication information. Additionally, it is determined that the set of identification information and the set of authentication information are associated with a user, and an authentication ticket is created including a user identification and an authentication, indicating to the online service provider that the user is authenticated to access one or more online services. Further, a validation token is embedded into the authentication ticket that provides enhanced verification that the access provided by the online service provider is authenticated.
20090013397Processor communication tokens - The invention provides a method of transmitting messages over an interconnect between processors, each message comprising a header token specifying a destination processor and at least one of a data token and a control token. The method comprises: executing a first instruction on a first one of the processors to generate a data token comprising a byte of data and at least one additional bit to identify that token as a data token, and outputting the data token from the first processor onto the interconnect as part of one of the messages. The method also comprises executing a second instruction on said first processor to generate a control token comprising a byte of control information and at least one additional bit to identify that token as a control token, and outputting the control token from the first processor onto the interconnect as part of one of the messages.01-08-2009
20090013396Secure music, video, audio, and other digital file downloading system and method using encoded plastic magnetic-type information card or smart card chip, or printed terminal receipt, or scratch off panel - A system and method for securely downloading music or other audio or video media in digital format (“Digital Download Media”) from one or more merchants, comprising an encoded plastic magnetic-type information card having an account or access number and other identification and access data encoded, embossed, or printed on the card and a centralized computer system that receives the encoded, embossed, or printed data and allows the cardholder to access and download via internet transmission the Digital Download Media from the centralized computer system. In another embodiment of the invention, a digital electronic chip is encased within the plastic card (a smart card chip) that securely contains the encrypted account or access number and other identification and access data used by the system for securely downloading the Digital Download Media from one or more merchants. Also part of the method, consumers are given access to their respective remaining Digital Download Media values by internet access to the centralized computer system. In a further embodiment of the invention, consumers can, using point-of-sale terminal card-reading devices at multiple merchants, purchase additional units allowing the downloading of additional Digital Download Media corresponding to the amount loaded on the plastic card at the merchants' point-of-sale terminals.01-08-2009
20090007249SYSTEM AND METHOD FOR SELECTIVE AUTHENTICATION WHEN ACQUIRING A ROLE - A system, method, and program product is provided that provides authentication on a per-role basis in a Role-Based Access Control (RBAC) environment. When a user attempts to acquire a role, the improved RBAC system determines whether (a) no authentication is required (e.g., for a non-sensitive role such as accessing a company's product catalog), (b) a user-based authentication (e.g., password) is required, or (c) a role-based authentication (e.g., role-specific password) is required.01-01-2009
20120240211POLICY-BASED AUTHENTICATION - A device receives a request to authenticate an end user of a user device based on a requested use of an application by the user device, and communicates with an authentication client, provided in the user device, to perform an authentication requested by the request. The device also generates a response to the request based on the communication with the authentication client, where the response indicates that the end user is or is not authenticated to use the application. The device further provides the response to an application server device hosting the application.09-20-2012
20110283347USING A TRUSTED TOKEN AND PUSH FOR VALIDATING THE REQUEST FOR SINGLE SIGN ON - Providing access to an enterprise application from a telecommunications device via a client, through a device server, and an intermediate application gateway (IAG), is disclosed. The server is in communication with the client and the IAG. The IAG and client are in indirect communication via the server. The client is operative to request an enterprise application token from the IAG using a dataset comprising a device identifier and a user identifier, without concurrently prompting a user for the dataset. The IAG is operative to prepare a token in response to the request, and push the token to an e-mail address associated with the telecommunications device via the server's push proxy gateway. The client is operative to employ the token in communications addressed to an enterprise application via the server and the IAG. The IAG is operative to replace the token in each communication with identification information called for by the enterprise application.11-17-2011
20090150987SYSTEM AND METHOD FOR CONFIGURING ENVIRONMENTS OF PRIVATE SYSTEM USING SMART CARD IN PUBLIC SYSTEM - Provided is a system and method for configuring environments of a private system using a smart card in a public system. The system includes a smart card that stores owner identification information, system-environment and work-environment information, private data, and payment information; a public system that authenticates a user of the smart card by using the owner identification information of the smart card and reconfigures a system and work environment similar to the private system to perform work continuously; a service providing server that provides an installation program or substitute program required for configuring the latest work environment of the user; and a payment server that pays a usage charge for the public system connected to the smart card.06-11-2009
20080313724N-PORT ID VIRTUALIZATION (NPIV) PROXY MODULE, NPIV PROXY SWITCHING SYSTEM AND METHODS - Embodiments of an N-Port ID virtualization (NPIV) proxy module, NPIV proxy switching system, and methods are generally described herein. Other embodiments may be described and claimed. In some embodiments, login requests are distributed over a plurality of available N-ports to allow servers to be functionally coupled to F-ports of a plurality of fiber-channel (FC) switches. Fiber-channel identifiers (FCIDs) are assigned to the servers in response to the logon requests to provide single end-host operations for each of the servers.12-18-2008
20090064301System and Method for Browser Based Access to Smart Cards - A client-side application extension executable on a host computer from within a web-browser having the capability of executing at least one web-browser add-on to provide a user access to a smart card, connected to the host computer having a smart card resource manager, via the web-browser. The web-browser extension has instructions to direct the central processing unit to access data on the smart card via a web-browser and platform independent interface module and a web-browser and platform dependent wrapper module connected to the web-browser and platform independent interface module and to the smart card resource manager having a function processing module operable to receive a call to the at least one function for accessing data on the smart card and for transforming the function call into a corresponding call to the smart card resource manager.03-05-2009
20090037996Multi-Domain Secure Computer System - Disclosed is a hardware based secure multi-domain computer system. The system comprises a housing enclosing multiple separate, secure computer devices. The housing is preferably the size of a standard computer tower. It is preferred that at least three computer devices are disposed within the housing. Each of the computer devices operates on significantly less power than a standard computer. Preferably, each computer operates on no more than 50 Watts of power, more preferably on less than 35 Watts of power.02-05-2009
20110302646SYSTEM AND METHODS FOR ONLINE AUTHENTICATION - A method of authenticating a network client to a relying party computer via a computer server comprises the computer server receiving a transaction code from a token manager via a first communications channel. The network client is configured to communicate with a token manager which is configured to communicate with a hardware token interfaced therewith. The network client is also configured to communicate with the relying party computer and the computer server. The computer server also receives a transaction pointer from the relying party computer via a second communications channel that is distinct from the first communications channel. Preferably, the transaction pointer is unpredictable by the computer server. The computer server transmits an authorization signal to the relying party computer in accordance with a correlation between the transaction code and the transaction pointer. The authorization signal facilitates authentication of the network client to the relying party computer.12-08-2011
20090044260APPARATUS AND METHOD FOR SECURING DIGITAL DATA WITH A SECURITY TOKEN - A security token includes a wireless interface to communicate with a secured device. A cryptographic module generates cryptographic information, encrypts messages to the secured device, decrypts messages from the secured device and coordinates the encryption and decryption of data on the secured device.02-12-2009
20090138952METHOD FOR TRANSMITTING AND RECEIVING DATA OF A TERMINAL IN A COMMUNICATION SYSTEM AND COMMUNICATION TERMINAL THEREOF - A method for transmitting and receiving data of a terminal in a communication system and a communication terminal thereof are provided, which can minimize an exposure of authentication information. A communication terminal includes a rolling token generation unit for generating the rolling tokens; a memory for storing the generated rolling tokens; and a control unit for, if an authentication of the other terminal for performing a communication is completed, generating and transmitting a rolling token whenever a transmission to the other terminal is performed, and in case of receiving a specified rolling token from the other terminal, determining whether the rolling token currently received from the other terminal is identical to the rolling token most recently transmitted.05-28-2009
20110289576RUBBING ENCRYPTION ALGORITHM AND SECURITY ATTACK SAFE OTP TOKEN - The present disclosure proposes a secure way to generate the OTP code by way of a web browser. A user does not need any electronic device on hand to obtain an OTP for 2FA login. A new Rubbing Encryption Algorithm (REAL) is proposed as the base technology. An implementation method for such a web-based OTP token is presented and analyzed. It operates through a web browser with multiple REAL keys. It can be integrated into many secure Internet commerce applications as well. A system is provided for secure access to a software program or website. The system has a first entity with a computing device with a processor and a memory. The first entity provides a plurality of data items. The system also has a second entity with at least one display for displaying the plurality of data items. The data items are arranged in a predetermined format. The display also displays a prompt for a user identification and a prompt for a code. The second entity has a member with a transparent portion. The transparent portion comprises a periphery with a plurality of markings placed around the periphery. The markings point to a first direction or to an opposite second direction. The second entity overlays the member over the data items. The markings point to the plurality of data items to reveal a code. The code is input and permits access of the second entity to the computing device of the first entity.11-24-2011
20090276840UNIFIED ACCESS CONTROL SYSTEM AND METHOD FOR COMPOSED SERVICES IN A DISTRIBUTED ENVIRONMENT - A system, a computer device implemented method, and a computer readable article of manufacture for executing a computer implemented method for a unified access control for a plurality of composed services in a distributed computing environment without requiring repeated input of security certification. The method includes the steps of: acquiring a first role of a user in a first composed service; sending an invoking request by a processing unit of the first composed service to a second composed service; receiving the first role of the user in the first composed service and predefined role-role mapping relationships, and determining a second role of the user in the second composed service by a role determining component; and then sending the determined role in the second composed service by a role sending component to the second composed service, thereby providing unified access without requiring repeated input of security certification.11-05-2009
20110296513Location based security token - A third, location-based level of security is added to physical possession, and entry of an authorized passcode, of an authentication token (or security token) fob to provide added security based on a location of attempted access to a secure network resource. A current location of the location-based authentication token fob is obtained, and combined with an entered passcode, to form a passcode key. The passcode key is compared against pre-registered authorized passcode keys (including pre-registered authorized locations for use of the location-based authentication token) to determine authorization for access.12-01-2011
20080209533Method and system for online image security - An online application enables an end user to navigate to a web site, upload digital images, and to combine those images with words in a stylized template to create a user-generated story. A story is a web page, typically a collection of photos and words that are brought together by a stylized template that can be customized by the end user. Preferably, a given story is available from the site at a given location (at a URL) that may be private or public. A given story may be shared with other end users, published to other web sites or web logs, or maintained solely for one's own use. The invention also provides for multiple end users to collaborate to create a “shared” story.08-28-2008
20110296514METHOD FOR CREATING A PERSONALIZED INSIGNIA - The invention relates to a method for verifying access of a user of an online presence to a user site or a group site at the online presence through an identifier (12-01-2011
20110296512METHOD FOR READING ATTRIBUTES FROM AN ID TOKEN - The invention relates to a method for reading at least one attribute stored in an ID token where the ID token is associated with a user, having the following steps: the user is authenticated to the ID token, a first computer system is authenticated to the ID token, following successful authentication of the user and the first computer system to the ID token, the first computer system effects read access to the at least one attribute stored in the ID token in order to transmit the at least one attribute, when it has been signed, to a second computer system, where the authentication of the first computer system to the ID token is performed because of an attribute specification, which is received by the first computer system from a third computer system.12-01-2011
20080289022Internet business security system - An Internet business security system is disclosed. The business security system couples with a certificate issuer. The certificate issuer issues a smart card to a user. The system includes a reading apparatus for reading the smart card and generating a one-time password based on a PIN number of the user, a front process apparatus to receive the one-time password and provide service to the user when the one-time password is correct, and a rear process apparatus coupling with the front process apparatus. The rear process apparatus includes a pre-proof module to process the matter of proving the identification of the user and an authorization module to determine whether or not the one-time password is correct and then to authorize the user's private data stored in the certificate issuer to a web site when the one-time password is correct.11-20-2008
20090187982Systems and methods for authenticating communications in a network medium - A system and method for sharing files securely includes server software on a first device configured to communicate with server software operating on one or more other preauthorized devices, such as a second device. The servers communicate with each other securely using cryptographic information exchanged during a preauthorization phase using a range-limited communication channel. The server on the first device obtains file information from the other preauthorized device(s) and combines the information with local file information from the first device. This combined file information is sent to client software operating on the machine, which presents the combined file information to users.07-23-2009
20100169962Method of Securely Logging Into Remote Servers - The invention relates to a system comprising a network device (NSC), a host computer (HOST) and a remote server (SRV). The host computer (HOST) and the network device (NSC) are connectable through a network. The host computer (HOST) and the remote server (SRV) are connectable through the Internet. The smart network device (NSC) comprises a web server accessible from the host computer (HOST). The network device (NSC) is set to store a user's authentication credential. The host computer (HOST) is set to display a web page produced by the remote server (SRV) to the user. The remote server (SRV) is set to include a login link in said web page, the login link pointing to said web server. The web server is set to display a login page to the user on the host computer (HOST) when the user clicks on said login link, in order to authenticate the user. Upon authentication of the user, the network device (NSC) is set to send the user's authentication credential to the remote server (SRV) in order to authenticate the user to the remote server (SRV).07-01-2010
20100169961WIRELESS NETWORK MANAGEMENT PROCEDURE, STATION SUPPORTING THE PROCEDURE, AND FRAME FORMAT FOR THE PROCEDURE - Provided are a WLAN management procedure, a station supporting the procedure, and a frame format for the procedure. In the management procedure, a reporting station receives an event request frame including one or more event request elements, each of which comprises an event type field for specifying the event type of an event request and an event response limit field for specifying the number of requested event report elements. In response to the event request frame, the reporting station transmits an event response frame including as many event report elements for the event type specified in the event type field as the number specified in the event response limit field.07-01-2010
20130219482METHOD FOR UNIQUELY ADDRESSING A GROUP OF NETWORK UNITS IN A SUB-NETWORK - In embodiments of the present disclosure improved capabilities are described for delivering a command to a group of computing devices, comprising sending a message from a controller to a first of a plurality of computing devices, wherein the plurality of computing devices are on the same network, and where the message includes a plurality of bit-wise addresses and a command. The message is then broadcast from the first of the plurality of computing devices to the remaining of the plurality of computing devices. The execution of the command by each of the plurality of computing devices is made with low time-latency due to the near-simultaneous delivery of the message to the plurality of computing devices.08-22-2013
20110219440APPLICATION-LEVEL DENIAL-OF-SERVICE ATTACK PROTECTION - The gate guard filtering of incoming application-level requests on behalf of an application. Upon receiving an application request, a token found in the application request may be evaluated by the gate guard. This token may have been previously provided by the application, with instructions that future application requests by the client are to include the token. The gate guard classifies the incoming request as being a member of a subset of one or more application request classes. These identified request classes may be used to determine an admission policy to apply based on the particular subset of one or more request classes corresponding to the application request. The admission policy is then applied to the incoming application request to determine if the application request should be rejected or accepted. As another option, the application request may perhaps even be deferred for future determination of rejection or acceptance.09-08-2011
20110219439PROVIDING SUPPORT FOR MULTIPLE AUTHENTICATION CHAINS - A method and system to support multiple chains of authentication modules. The method may include receiving a user login request, and identifying multiple chains of authentication modules to be performed prior to allowing a user to login, where each chain of authentication modules is associated with a chain manager. The method further includes determining dependencies between chain managers, invoking the chain managers in the order defined by the dependencies, and09-08-2011
20110219441Contextual Query Revision - Apparatus, systems and methods for contextual query revision are disclosed. A current search query is received during a search session. The current search query includes one or more current search tokens. Potentially inaccurate search tokens are identified from the one or more current search tokens. A possible replacement token is identified based upon the potentially inaccurate search token. A group of related tokens is identified from query logs, and a modified search query is generated if the replacement token is not included in the related tokens.09-08-2011
20090193508METHODS, DEVICES, AND COMPUTER PROGRAM PRODUCTS FOR DISCOVERING AUTHENTICATION SERVERS AND ESTABLISHING TRUST RELATIONSHIPS THEREWITH - Using an authentication server to discover one or more additional authentication servers and to dynamically establish a trust relationship with the one or more additional authentication servers. The authentication server searches for the one or more additional authentication servers to discover one or more sources of authentication tokens, and inspects an incoming authentication request from the one or more additional authentication servers to determine if the request is carrying one or more authentication tokens from a newly discovered realm. Once the authentication server determines a newly discovered realm to be trustworthy, the authentication server receives a directory schema from the newly discovered realm and compares the received directory schema with a known directory schema retrieved by the authentication server to identify an intersection of the received directory schema and the known directory schema. The authentication server uses the intersection to identify a primary key, and to identify any unique information that is specific to either the authentication server or the newly discovered realm.07-30-2009
20100071047Authentication system, terminal and information processing device, having function of performing stable authentication - To provide an authentication system allowing stable determination as to whether a user is a registered user while saving user's trouble, an information processing device capable of data communication with a plurality of image forming apparatuses extracts an image forming apparatus connected to an IC card reader from the plurality of image forming apparatuses, based on reply signals transmitted from the plurality of image forming apparatuses, and transmits user account information of registered users to the extracted image forming apparatus. The image forming apparatus connectable to the IC card reader performs, if it is determined that the IC card reader is connected to the image forming apparatus, the authentication process based on the user account information of registered users received from the information processing device and on the information read by the IC card reader.03-18-2010
20100071046Method and System for Enabling Access to a Web Service Provider Through Login Based Badges Embedded in a Third Party Site - A system and method which may allow a user to log in to a web service provider from a third party site without leaking the user's login information to the third party site. A service request interceptor may authenticate the third party site to make sure that a service request is from a third party site registered with the web service provider or its associated sites, and then instruct a badging server to send an HTML markup to the third party site to enable a login page of the web service provider to be displayed as a pop up window, outside of the third party site. Before sending the instructions to the badging server, the service request interceptor may check whether the user has already logged in to the web service provider, and authenticate a user to make sure that the user is registered with the web service provider. Since the user may interact with the web service provider directly, the third party site may be bypassed and users' credentials may be better protected.03-18-2010
20110271338Authentication Tokens For Use In Voice Over Internet Protocol Methods - Setup of a Voice over Internet Protocol (VoIP) call is initiated and an authentication token is received for the VoIP call that is set up, that indicates that the VoIP call is authorized. The authentication token is inserted into packets for the VoIP call. The packets, including the authentication token therein, are transmitted into an IP network. The authentication token may be placed in an IP version 6 (IPv6) flowID field.11-03-2011
20090150986User Authorization Using An Automated Turing Test - Methods, apparatus, and products are disclosed for user authorization using an automated Turing Test that include: selecting, by an automated Turing Test module, a challenge token, the challenge token including a challenge key; repeatedly at an Automated Turing Test pace: selecting, by the Automated Turing Test module, a portion of the challenge token in dependence upon predetermined selection criteria, and revealing, by Automated Turing Test module, only the selected portion of the challenge token to a user; receiving, by the Automated Turing Test module from the user, a user response; determining, by the Automated Turing Test module, whether the user response matches the challenge key; and authorizing, by the Automated Turing Test module, the user to access a resource if the user response matches the challenge key.06-11-2009
20080244722Method and apparatus for accepting a digital identity of a user based on transitive trust among parties - Method and apparatus for accepting a digital identity of a user based on transitive trust among parties are described. One aspect of the invention relates to managing a digital identity of a user. The digital identity is provided to a first party, where the digital identity includes a self-asserted claim. An acceptance token is obtained from the first party. The acceptance token purports authenticity of the self-asserted claim according to the first party. The digital identity and the acceptance token are provided to a second party to request validation of the self-asserted claim by the second party based on the acceptance token.10-02-2008
20100088754Authentication Method and Token Using Screen Light for Both Communication and Powering - An authentication token one side of which features an array of solar cells, of a very thin and flexible type, whereas the opposite side features a display device. The method consists in encoding the code sent by the server into a sequence of bright images interlaced with less bright ones. By placing the token in front of the portion of the screen displaying said encoding sequence, the light collected by the array of solar cells is sufficient to generate the energy required for supplying the token's microprocessor, while the variations in brightness are decoded so as to reconstruct the digital word representing the code sent by the server. Said code is then processed by the microprocessor to generate a One Time Password, OTP, then displayed on the display device. The user would then enter said OTP on the login page.04-08-2010
20100083362METHOD AND SYSTEM OF MANAGING AND ALLOCATING COMMUNICATION RELATED RESOURCES - A system and method for managing communication. The system and method applying to but not limited to settop boxes (STBs) and other devices used to interface services. The management including any number of features and processes associated with achieving Quality of Service (QoS) across different domains and according to network limitations associated with the same.04-01-2010
20110197271CARD BASED AUTHENTICATION SYSTEM AND METHOD FOR RELEASING STORED RENDERING JOBS - An authentication system and method for securely releasing a stored rendering job utilizing an electronically readable card. The electronically readable card can be registered by entering network credentials at a user interface associated with a MFD and the card can be validated before storing the card details into a MFD database. The card can be swiped with respect to a card reader associated with the MFD in order to authenticate a user based on the stored credentials via an authentication server. The MFD can be unlocked if the card is recognized in order to provide access to an appropriate service. The rendering jobs associated with the user can be displayed and released immediately based on user selection.08-11-2011
20100088753IDENTITY AND AUTHENTICATION SYSTEM USING ALIASES - An identity and authentication platform utilizes a data model that enables multiple identities such as e-mail addresses, mobile phone numbers, nicknames, gaming IDs, and other user IDs to be utilized as aliases which are unique sub-identities of a main account name. A user may utilize the aliases supported by the platform to project multiple different on-line identities while using the authentication credentials of the main account. The platform is configured to expose the aliases to various client applications and Internet-accessible sites and services such as e-mail, instant messaging, media sharing, gaming and social networks, and the like, to enable the implementation of a variety of usage scenarios that employ aliases.04-08-2010
20100083363BINDING ACTIVATION OF NETWORK-ENABLED DEVICES TO WEB-BASED SERVICES - A method for associating a networked device with an online service is provided. The networked device may be an appliance or other device that has limited input capabilities, making it difficult to download information such as digital media files from an online service without having to input a significant amount of information using the device or appliance. The method begins by establishing communication with a service over a network. A claim token is received from the service over the network. The claim token is returned to the service over the network after the claim token has been bound to an authorized user of the service. In response to return of the claim token, a device identifier binds the networked device to an account with the service that is associated with the authorized user.04-01-2010
20110173690Broadcast Area Authentication - Systems, methods, apparatus, and computer program products are provided for authenticating local and remote devices associated with a broadcast area. For example, in one embodiment, a broadcast station can broadcast a first over-the-air broadcast that includes a token. A local device can scan for and identify the token in the first over-the-air broadcast it receives. The local device can then transmit the received token and user registration to an authentication server. The authentication server can use the token and user registration information to create a unique broadcast identifier. The authentication server can then transmit the unique broadcast identifier to the broadcast station and the local device. The broadcast station then broadcasts a second over-the-air broadcast that includes a unique broadcast identifier. Once the local device receives the unique broadcast identifier from the second over-the-air broadcast and the authentication server, it can be authenticated as being in the broadcast area.07-14-2011
20090288155DETERMINING AN IDENTITY OF A THIRD-PARTY USER IN A SAML IMPLEMENTATION OF A WEB-SERVICE - One embodiment of the present invention provides a system that facilitates determining an identity of a third-party user in a Security Assertion Markup Language (SAML) implementation of a web-service. During operation, the system receives a SAML token profile web service request from the third-party user at the web-service. The system also receives a digital certificate designated by the SAML token profile web service request from the third-party user at the web-service. Next, the system analyzes the digital certificate to identify a third-party associated with the third-party user. The system then determines if the third-party is a trusted party. Next, the system receives one or more attributes associated with the third-party user at the web-service. The system then uses the attributes to identify the third-party user. Finally, the system performs a lookup in a user map to determine a user account that is associated with the third-party user.11-19-2009
20090199284METHODS FOR SETTING AND CHANGING THE USER CREDENTIAL IN INFORMATION CARDS - An identity provider issues information cards in which the credential type and/or the credential data is not specified at the time of issuance. A card selector installs the information cards and either prompts a user for the credential at the time of installation or afterwards. The card selector updates the credential type, the credential data, and/or authentication materials associated with an information card after the information card has been installed, and informs the identity provider about the credential type, credential data, and authentication materials before the information card is used.08-06-2009
20090089870System and method for validating interactions in an identity metasystem - An information processing system for a computing network in which information describing planned interactions between an identity selector and a relying party web site are provided to a validation service, compared with information a database, and a response returned to the identity selector.04-02-2009
20080209534Token based applications platform method, system and apparatus - A method that enables the mapping of token identity and token presentation context to invoke one or more applications that are associated with the given token and context is disclosed. The method enables the construction of a flexible and efficient token-in-context services platform.08-28-2008
20090119764Method and system for managing virtual objects in a network - A method and apparatus for managing virtual objects in a network is provided. The method includes creating a unique link between at least one virtual object and a physical token. The at least one virtual object is represented by a first set of distinct predefined properties and is associated with a data set. Further, the method includes maintaining information about the unique link between the at least one virtual object and the physical token and information about the first set of distinct predefined properties. Furthermore, the method includes regulating access to the at least one virtual object based on a second set of predefined properties and verification of the physical token.05-07-2009
20080276309System and Method for Securing Software Applications - A system and method for securing software applications installed on a computer network is disclosed. An authorized user is provided a digital credential and loads a secure access client onto a computerized device that can be connected to the network. The secure access client communicates with a secure access server within the network to authenticate the user and determine which applications the user is allowed to access. When the user sends a communication intended for a secured application, the secure access client intercepts the communication and uses cryptographic keys from the digital credential to encrypt and digitally sign the communication. The secure access server has access to cryptographic keys corresponding to those on the digital credential and is able to decrypt the communication and verify the digital credential. The decrypted message is then sent to an application server hosting the secured application.11-06-2008
20100146612METHOD AND APPARATUS FOR TRUST-BASED, FINE-GRAINED RATE LIMITING OF NETWORK REQUESTS - A method and apparatus for fine-grained, trust-based rate limiting of network requests distinguishes trusted network traffic from untrusted network traffic at the granularity of an individual user/machine combination, so that network traffic policing measures are readily implemented against untrusted and potentially hostile traffic without compromising service to trusted users. A server establishes a user/client pair as trusted by issuing a trust token to the client when successfully authenticating to the server for the first time. Subsequently, the client provides the trust token at login. At the server, rate policies apportion bandwidth according to type of traffic: network requests that include a valid trust token are granted highest priority. Rate policies further specify bandwidth restrictions imposed for untrusted network traffic. This scheme enables the server to throttle untrusted password-guessing requests from crackers without penalizing most friendly logins and only slightly penalizing the relatively few untrusted friendly logins.06-10-2010
20100100951Communication system and method - A method of authenticating a user terminal with an access node providing restricted access to a communication network is provided. The method comprises the user terminal transmitting a request for an authentication token to a trusted network node via an unrestricted channel on the access node, the request comprising a network identity for a user of the user terminal. The network node verifies the identity of the user using the network identity, generates an authentication token and transmits the authentication token to the user terminal via the unrestricted channel. The user terminal derives login information from the authentication token and provides the login information to the access node. The access node authenticates the login information and removes the restricted access such that the communication network can be accessed by the user terminal.04-22-2010
20090265775Proximity Based Authentication Using Tokens - The present invention relates to authenticating a mobile device using location information associated with the device. The present invention provides a mechanism for authenticating a mobile device based on location related information or a “logical location”, but without requiring an actual location. The mobile user device gathers tokens such as SIM data from other wireless devices using wireless communication between the user device and the other devices. A server determines whether these tokens match predetermined reference information, and if so authenticates the user device.10-22-2009
20080289023Method and System for Peer-to-Peer Authorization - An authorization mechanism within a peer-to-peer network is presented. A central server that operates a centralized data repository search engine within a peer-to-peer network performs authentication and authorization operations with respect to users that access its services. A user at a peer node reviews peer-to-peer search results that have been gathered and returned by the centralized search engine. When the user desires to retrieve a file from another peer node, the user's peer node must obtain an authorization token from the central server, which authenticates the user or has previously authenticated the user. The user's peer node then presents the authorization token along with a request to retrieve the file from the other peer node. After verifying the authorization token, the other peer node responds with the requested file. If the other peer node cannot verify the authorization token, then the other peer node denies access to the file.11-20-2008
20080289021SOFTWARE APPLICATION ACCESS METHOD AND SYSTEM - An access method and system. The method includes receiving from a first user, by a software application within a computing system, a request for access to the software application. The software application determines a first domain associated with a first current location of the user. The software application determines a home domain associated with the user. The software application retrieves a set of login process rules associated with a combination of the first domain and the home domain. The software application enforces the set of login process rules. The software application transmits results of enforcing the set of login process rules.11-20-2008
20080289020Identity Tokens Using Biometric Representations - An identity system and method uses biometric representation(s) in identity tokens. When a principal requests access to a relying party, the relying party may request an identity token containing a first claim about the principal and a biometric representation of the principal. An identity provider may then create the identity token, including a digital signature. The relying party may receive the identity token through a first channel and decode it. The relying party may also receive and use biometric information about the principal received through a second channel to verify the validity of the first claim at least in part through comparison of the biometric representation to the biometric information.11-20-2008
20080289019FRAMEWORK FOR AUTOMATED DISSEMINATION OF SECURITY METADATA FOR DISTRIBUTED TRUST ESTABLISHMENT - Methods, systems, and machine-readable media for disseminating security metadata from one distributed entity to another in an automated fashion are disclosed. According to one embodiment of the present invention, a computer-implemented method for distributing security metadata comprises receiving at a first service a request for security metadata, the request being received from a process associated with a second service. The method further comprises generating an identifier and security metadata for the second service, the identifier and the security metadata being unique to the second service, and storing the identifier and the security metadata in a first memory accessible to the first service. The identifier and the security metadata are then transmitted to the process associated with the second service and stored in a second memory. The second service is configured to access the security metadata stored in the second memory to encrypt a first communication and decrypt a second communication.11-20-2008
20080289018Security Device, Terminal Device, Gate Device, and Device - There are provided a secure device, a gate device, and a device providing a secure device such as an IC card capable of limiting an area where the card application function and the device function are realized. The secure device (11-20-2008
20080244721Techniques for Sharing Data - Techniques for sharing data between users in a manner that maintains anonymity of the users. Tokens are generated and provided to users for sharing data. A token comprises information encoding an identifier and an encryption key. A user may use a token to upload data that is to be shared. The data to be shared is encrypted using the encryption key associated with the token and the encrypted data is stored such that it can be accessed using the identifier associated with the token. A user may then use a token to access the shared data. The identifier associated with the token being used to access the shared data is used to access the data and the encryption key associated with the token is used to decrypt the data. Data is shared anonymously without revealing the identity of the users using the tokens.10-02-2008
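The token-based anonymous sharing described above, as an added example that is not the patent's own code: a token encodes a random identifier and a random encryption key; the uploading client encrypts under the key and the store files the ciphertext under the identifier only, so the store learns neither a user identity nor the content. The token encoding, the `client_upload`/`client_download` helpers and the cipher are assumptions of this example; in particular the cipher is a stand-in built from the standard library (HMAC-SHA256 keystream with a separate HMAC tag, encrypt-then-MAC) so the block runs without third-party packages, where a deployment would use an AEAD such as AES-GCM.

```python
import base64
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC subkeys from the token key (assumed KDF)."""
    return hashlib.sha256(label + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stand-in for a real block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; any tampering with the stored blob is rejected."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def mint_token() -> str:
    """Token = base64url(identifier(16 bytes) || key(32 bytes)); assumed encoding."""
    return base64.urlsafe_b64encode(secrets.token_bytes(16) + secrets.token_bytes(32)).decode()


def parse_token(token: str):
    raw = base64.urlsafe_b64decode(token)
    if len(raw) != 48:
        raise ValueError("malformed token")
    return raw[:16].hex(), raw[16:]


def client_upload(store: dict, token: str, data: bytes) -> None:
    """Client-side: encrypt under the token key, file under the token identifier."""
    ident, key = parse_token(token)
    store[ident] = encrypt(key, data)        # the store sees only identifier + ciphertext


def client_download(store: dict, token: str) -> bytes:
    """Client-side: look up by identifier, decrypt with the key carried in the token."""
    ident, key = parse_token(token)
    return decrypt(key, store[ident])


def demo() -> dict:
    """Constructed walk-through: upload, download, check opacity, detect tampering."""
    store = {}
    token = mint_token()
    secret = b"constructed sample document: quarterly numbers"
    client_upload(store, token, secret)
    roundtrip = client_download(store, token) == secret
    opaque = all(secret not in blob for blob in store.values())
    ident, _ = parse_token(token)
    tampered = bytearray(store[ident])
    tampered[20] ^= 0x01                      # flip one ciphertext bit in storage
    store[ident] = bytes(tampered)
    try:
        client_download(store, token)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"roundtrip": roundtrip, "stored_is_opaque": opaque, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

Anyone holding the token string can both read and overwrite the shared item, so the token is the whole capability and must be exchanged out of band; the store itself never sees a key and therefore cannot read, forge or selectively serve content even if compromised.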
20080276310Network Security System - A method of authenticating a transaction between a local device under control of a user and a remote server, comprising: determining a series of data specific to the local device; determining a series of data specific to the user of the device; transmitting the device specific data series and the user specific data series to a remote encryption engine; generating at the remote encryption engine a series of unique, single-use data templates, each template comprising randomly selected items from the device specific data series and the user specific data series; the method further comprising, during authentication: sending a data template from the engine to the local device; using the data template to interrogate the local device for the device specific data items in the template; using the data template to interrogate the user to provide the user specific data items in the template; and comparing the data items provided by the local device and the user in response to interrogation to the data items used to create the template to authenticate the transaction.11-06-2008
20090320116FEDERATED REALM DISCOVERY - A federated realm discovery system within a federation determines a “home” realm associated with a portion of the user's credentials before the user's secret information (such as a password) is passed to a non-home realm. A login user interface accepts a user identifier and, based on the user identifier, can use various methods to identify an account authority service within the federation that can authenticate the user. In one method, a realm list of the user device can be used to direct the login to the appropriate home realm of the user. In another method, an account authority service in a non-home realm can look up the user's home realm and provide realm information directing the user device to login at the home realm.12-24-2009
20080235780Secure Document Management System - A method for presenting a user with alternative document upload mechanisms includes receiving a user request for upload of a document. The user is presented with a graphical user interface containing a plurality of upload mechanisms. The user selects an upload mechanism which is received by a document management system. The document management system receives an electronic version of the document via the selected upload mechanism. The received document is routed in digitized format to an area of a secure electronic document storage system associated with the user.09-25-2008
20080244720Portable Device For Clearing Access - The invention relates to a portable device (10-02-2008
20080271131Configuring devices in a secured network - An exemplary method for configuring a device to enable it to become a member of an established network comprises reading, using a portable device, a first token of a networked device, obtaining configuration data based on the first token, reading a second token of a non-networked device, establishing a communication session with the non-networked device based on the second token, and providing the configuration data to the non-networked device to enable it to become a member of the same network as the networked device.10-30-2008
20080271130MINIMIZING CLIENT-SIDE INCONSISTENCIES IN A DISTRIBUTED VIRTUAL FILE SYSTEM - A method of minimizing inconsistencies seen by a client in a distributed virtual file system having multiple clients and a plurality of servers, by creating a token that identifies one of the plurality of servers for creating or modifying a file in the distributed virtual file system. The token has an expiry greater than a propagation time between the identified server and the plurality of servers.10-30-2008
20120198537UTILIZING A DISPERSED STORAGE NETWORK ACCESS TOKEN MODULE TO RETRIEVE DATA FROM A DISPERSED STORAGE NETWORK MEMORY - A method begins by a computing device determining that data is stored in dispersed storage network (DSN) memory and sending a data retrieval request to a DSN access token module regarding the data. The method continues with the DSN access token module generating a plurality of sets of data slice read requests and sending the plurality of sets of data slice read requests to the computing device. The method continues with, for a set of data slice read requests, the computing device sending the set of data slice read requests to the DSN memory, receiving data slices from the DSN memory, and sending the data slices to the DSN access token module. The method continues with the DSN access token module decoding the data slices to produce a decoded data segment and sending the decoded data segment to the computing device.08-02-2012
20090193507AUTHENTICATION MESSAGING SERVICE - In one embodiment an authentication server comprises one or more processors, and a memory module communicatively connected to the one or more processors. The memory module comprises logic instructions which, when executed on the one or more processors, configure the one or more processors to regulate access to a service in a communication network by performing operations comprising: receiving, in the authentication server, a first authentication token request for an authentication token, wherein the first authentication token request uniquely identifies a client computing device and a unique service; processing, in the authentication server, the first authentication token request; and transmitting an authentication token from the authentication server to the client computing device when the first authentication token request is approved by the authentication server.07-30-2009
20090165111METHOD AND APPARATUS FOR SECURE MANAGEMENT OF DEBUGGING PROCESSES WITHIN COMMUNICATION DEVICES - A method, device and system for securely managing debugging processes within a communication device, such as a set top box or other multimedia processing device. For example, a security processor (SP) within the communication device manages the lifetime (LT) of any access token issued for use in activating debugging privileges within the communication device. The security processor authenticates an issued access token and securely delivers appropriate debug authorization information to the device controller. The security processor uses its secure, internal timer to count down the lifetime and update the remaining lifetime of the issued access token during the processing of each command by the security processor. In addition to securely managing the issuance of the access token and its remaining lifetime, the updating process reduces any impact on the normal communications within the device. The method overcomes the issue of the communication device not having a secure internal clock.06-25-2009
20090183249TRUSTED STORAGE AND DISPLAY - A storage token has a display and a keyboard, or other input device, that allows a user to view a request to access a memory location and enter a response to the request. The display allows presentation of details of the request, such as a pathname to a requested memory location, metadata describing a cryptographic key for use in a transaction confirmation, and/or transaction details which are awaiting verification by a credential stored on the token. The storage token may also include a cryptographic engine and a secure memory allowing signing data returned in response to the request.07-16-2009
20090183248TWO-WAY ERROR CORRECTION FOR PHYSICAL TOKENS - The invention relates to a method of establishing a shared secret between two or more parties, based on a physical token, wherein helper data from both the enrolment and the authentication measurement is used in such a way that only response data reliable at both measurements is used to generate the shared secret. The generated shared secret is therefore identical to both parties to a high degree of certainty. The invention further relates to a system for generating such a shared secret, comprising a central database server and a terminal, or any one of them.07-16-2009
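The two-way helper-data idea above, as an added simulation that is not the patent's own code: a constructed noisy physical token is read several times at enrolment and again at authentication; each side records which bits were stable across its own readouts (its helper data), the two masks are exchanged, and the shared secret is hashed only from bits reliable at both measurements. The `SimulatedPUF` noise model, the repeat count, the majority-vote reliability test and the comparison against raw and one-way (enrolment-mask-only) derivation are all assumptions of this example. It runs the three variants side by side so the gain from using both sides' helper data is visible as an agreement rate.

```python
import hashlib
import random


class SimulatedPUF:
    """Constructed stand-in for a physical token: a fixed true response plus per-bit noise.
    A fraction of bits is 'unstable' and flips with probability p_unstable on each readout."""

    def __init__(self, rng, n_bits=256, unstable_fraction=0.2, p_stable=0.001, p_unstable=0.25):
        self.rng = rng
        self.true_bits = [rng.randrange(2) for _ in range(n_bits)]
        self.flip_prob = [p_unstable if rng.random() < unstable_fraction else p_stable
                          for _ in range(n_bits)]

    def measure(self):
        return [b ^ (1 if self.rng.random() < p else 0)
                for b, p in zip(self.true_bits, self.flip_prob)]


def measure_with_helper(puf, repeats=5):
    """Read the token `repeats` times (odd, for majority vote).
    Returns (majority value per bit, reliability mask); the mask marks bits that gave the
    same value in every readout and is the helper data this side publishes."""
    reads = [puf.measure() for _ in range(repeats)]
    value, mask = [], []
    for i in range(len(reads[0])):
        ones = sum(r[i] for r in reads)
        value.append(1 if ones * 2 > repeats else 0)
        mask.append(1 if ones in (0, repeats) else 0)
    return value, mask


def derive_secret(value, mask) -> str:
    """Hash only the bits selected by the (public) mask into the shared secret."""
    selected = "".join(str(v) for v, m in zip(value, mask) if m)
    return hashlib.sha256(selected.encode()).hexdigest()


def run_trials(seed=2024, trials=200, repeats=5) -> dict:
    """Fraction of trials in which server and terminal derive the same secret, for three
    variants: raw (no helper data), one-way (enrolment mask only), two-way (both masks)."""
    rng = random.Random(seed)
    agree = {"raw": 0, "one_way": 0, "two_way": 0}
    for _ in range(trials):
        puf = SimulatedPUF(rng)
        v_enrol, m_enrol = measure_with_helper(puf, repeats)   # at the server, once
        v_auth, m_auth = measure_with_helper(puf, repeats)     # at the terminal, later
        all_bits = [1] * len(v_enrol)
        both = [a & b for a, b in zip(m_enrol, m_auth)]        # reliable at BOTH measurements
        for name, mask in (("raw", all_bits), ("one_way", m_enrol), ("two_way", both)):
            if derive_secret(v_enrol, mask) == derive_secret(v_auth, mask):
                agree[name] += 1
    return {k: v / trials for k, v in agree.items()}


if __name__ == "__main__":
    print(run_trials())
```

With the one-way mask, an unstable bit that happened to look constant during enrolment still enters the secret and can disagree at authentication; requiring stability at both measurements removes most such bits at the cost of a shorter selected string, which is why the derived secret is hashed rather than used directly. Both masks are public helper data: they reveal which positions are used, not the values at those positions.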
20130219481Cyberspace Trusted Identity (CTI) Module - The Cyberspace Trusted Identity (CTI) module provides secure storage of a cyberspace user's personal identity information and a security infrastructure to guarantee the integrity and privacy of a cyberspace transaction. When the owner of an electronic device registers their biometric samples on the CTI module, the module becomes locked and the information stored on the module can only be accessed when the device owner provides a live biometric sample which matches the registered biometric sample. When the CTI Module is registered under a trusted third party system, a Cyberspace Identification Trust Authority (CITA) system, the module provides a secure mechanism for storing a cyberspace user's digital identity tokens and for conducting safe and reliable cyberspace transactions between two cyberspace users. The CTI Module eliminates the need to carry man-made identity tokens, or the need to remember and/or openly exchange personal identity information, when conducting a cyberspace transaction.08-22-2013
20090165110DELEGATION IN LOGIC-BASED ACCESS CONTROL - Access to a resource may be controlled by a policy, such that a request to access the resource is either granted or denied based on what assertions have been made by various principals. To find the assertions that support a grant of access to the resource, a template may be created that defines the nature of assertions that would cause access to succeed. Assertions may be stored in the form of tokens. The template may be used to search an existing token store to find assertions that have been made, and/or to generate assertions that have not been found in the token store and that would satisfy the template. The assertions in the template may be created by performing an abductive reasoning process on an access query.06-25-2009
20080256617Centralized Identity Verification and/or Password Validation - Described is a system and method for validating a user's login information. A provider (e.g. a provider of goods and/or services) receives a login request from a customer that includes a token value. The provider passes the token value to a centralized identity verifier with which the customer is registered. The centralized identity verifier tests the token value and returns a notice of the results of the test to the provider.10-16-2008
20080256616UNIFIED AUTHENTICATION FOR WEB METHOD PLATFORMS - An authentication mechanism is provided for a web method platform that allows homogeneous access for different types of clients according to a bootstrapping procedure utilized to establish the session. Different clients can be assigned different levels of trust based in part on the bootstrapping procedure and/or information provided during the procedure. The bootstrapping procedure can produce a token that is used by the clients in subsequent requests to provide previous authentication or state information to the platform. The token can comprise a shared secret used to ensure integrity of communications in some cases, and the token can be opaque to the client. Tokens can expire and require a client to re-bootstrap to provide higher levels of authentication protection, and tokens can be shared among a plurality of application servers to facilitate effective handling of requests in a farmed environment.10-16-2008
20090138953USER CONTROLLED IDENTITY AUTHENTICATION - A system, method for user controlled identity authentication comprising: a) At least one central computer having at least one user within a user database having user data and at least one service provider within a service provider database with service provider data; b) At least one service provider having electronic communication with the central computer; c) At least one user having electronic devices capable of communications with the central computer and service provider; e) Providing a user with a set of controls within the central computer to customize privacy, security and authentication of the user data; f) Providing a set of access rights within the service provider data of the central computer having a set of transaction rules for the service provider.05-28-2009
20120198535SYSTEM AND METHOD FOR EMBEDDED AUTHENTICATION - Various systems and methods of embedded authentication are described herein. One method of the preferred embodiment can include receiving at an authentication server a transaction token from a host website, the host website including an embeddable interface and prompting a user challenge by the authentication server at the embeddable interface. The method of the preferred embodiment can also include creating a signed authentication token in response to a successful user challenge, and transmitting the signed authentication token from the authentication server to the embeddable interface.08-02-2012
20090025074UNIFORM MODULAR FRAMEWORK FOR A HOST COMPUTER SYSTEM - A security framework for a host computer system which allows a host to control access to a compliant security token by ensuring enforcement of established security policies administered by a middleware application. Processing between the host computer system and the security token is performed using one or more modular security application agents. The modular security application agents are counterpart applications to security applications installed in the security token and may be retrieved and installed on demand to ensure compatibility between counterpart token and host security applications. The security policies are a composite of host security policies and token security policies which are logically combined by the middleware application at the beginning of a session.01-22-2009
20110225641Token Request Troubleshooting - A system and method for troubleshooting errors that occur during token requests. An identity provider generates a session ID and uses the session ID when logging events that occur during handling of the request. Multiple servers, processes, or threads may use the same session ID. The session ID may be sent with an error message to the requester. An ID of one or more servers that processed the request may also be sent to the requester. Upon receiving the error message, the requester may provide the error information to an administrator, who uses the information to retrieve associated logged events.09-15-2011
20110225642CONFIGURATION OF COMPUTER AND COMMUNICATION SYSTEMS RESPONSIVE TO PHYSICAL PRESENCE OF A USER AT A SITE - At a site that has spaces for users, a computer system receives a reservation for one of the users for one of the spaces. A user detection apparatus detects physical presence of the user at the site and transfers a presence indication. The computer system processes the presence indication to authorize the user and identify the reservation. In response, the computer system configures a communication system to route communications directed to the user to a communication device in the reserved space, configures a user computer in the reserved space to access a data network system based on a user profile for the user, and configures a graphic display in the reserved space to display an image associated with the one user.09-15-2011
20090205035INFO CARD SELECTOR RECEPTION OF IDENTITY PROVIDER BASED DATA PERTAINING TO INFO CARDS - A computer system accesses metadata about an information card. The metadata can be stored locally or remotely (for example, at an identity provider). A metadata engine can be used to generate data to be provided to the user from the metadata: this data can take any desired form, such as an advertisement, a state of the user's account, or a policy update, among other possibilities.08-13-2009
20090031408INTEGRITY PROTECTED SMART CARD TRANSACTION - Systems, methods, and technologies for configuring a conventional smart card and a client machine, and for performing a smart card authorization using the configured smart card and client. Further, the combination of methods provides for mutual authentication—authentication of the client to the user, and authentication of the user to the client. The authentication methods include presenting a specified token to the user sufficient to authenticate the client to the user and thus protect the user-provided PIN. Security is strengthened by using an integrity key based on approved client system configurations. Security is further strengthened by calculating a PIN′ value based on a user-specified PIN and a modifier and using the PIN′ value for unlocking the smart card.01-29-2009
20090199285Systems and Methods for Proxying Cookies for SSL VPN Clientless Sessions - The present application enables the enterprise to configure various policies to address various subsets of the traffic based on various information relating to the client, the server, or the details and nature of the interactions between the client and the server. An intermediary deployed between clients and servers may establish a clientless SSL VPN session between a client and a server. The intermediary may receive a response from a server to a request of a client via the clientless SSL VPN session. The response may comprise one or more cookies. The intermediary may identify an access profile for the clientless SSL VPN session. The access profile may identify one or more policies for proxying cookies. The intermediary may determine, responsive to the one or more policies of the access profile, whether to proxy or bypass proxying for the client the one or more cookies.08-06-2009
20090199287SYSTEMS AND METHODS FOR CONDITIONAL ACCESS AND DIGITAL RIGHTS MANAGEMENT - Method and systems for migrating content from a first DRM system to a second DRM system. The content is licensed under a first license (L1) under the first DRM system and is licensed under a second license (L2) under the second DRM system, and the rights to the content under L2 are at least equal to the rights to the content under L1.08-06-2009
20090199286Method and apparatus for network security using a router based authentication system - A router based authentication system provides packet level authentication of incoming data packets and eliminates the risk of having data packets come into the network whose source cannot be authenticated. In the Router Based Authentication System (RBAS), a prior art router is adapted with an authentication function that works in conjunction with a security function in the client. Alternatively, a new router can be built that embeds an authentication function. The router based authentication function includes: (i) an ability to receive a telephone call and verify the caller by comparing with a pre-stored caller id, (ii) generation of a random alphanumeric code, delivered to the caller and saved in the system, and (iii) rejection of all packets from the client that do not have a passkey embedded in the header of the packet. The security function in the client includes (i) display of an authentication screen that may display a telephone number of a border or internal router of a computer network of a business and enables entry of the passkey made up of the telephone number of the user and the alphanumeric code, and (ii) a function that encrypts the passkey and inserts the passkey in the header of each outgoing data packet to the business.08-06-2009
20090049536SYSTEM AND METHOD FOR AUTHENTICATION - A system and method for authentication including verifying a password is disclosed. In one embodiment, the authentication system includes a first storage unit to store an authentication sequence and a read-only memory unit to store an authentication algorithm. A microcontroller is coupled to the first storage unit, the read-only memory unit, and is configured to be coupled to and uncoupled from a host. The microcontroller is configured to execute the authentication algorithm to verify a password with the authentication sequence, and to send an access request to a web server via the host if the authentication algorithm has verified the password with the authentication sequence.02-19-2009
20090064302System for secure internet access for children - A system and method for secure internet access by children that assigns each child a Safe Card Scanner with integral fingerprint scanner and a Caddy-Pilot for Kids (intelligent card reader and docking station) into which the Safe Card Scanner docks for biometric-secure internet access for children. Both the Safe Card Scanner and Caddy-Pilot for Kids have internal memory and device ID numbers stored therein. At registration each child is assigned a user ID corresponding with the card ID number and a registration record is compiled including the assigned user ID and photo data plus the Safe Card Scanner and Caddy-Pilot for Kids ID numbers. Parents author a parental ruleset for their child and the ruleset is stored by a host ASP. The child then activates their Safe Card scanner by an initial fingerprint scan, a portion of which is stored locally on the Safe Card scanner (along with the assigned device ID number). Given a registered/activated Safe Card scanner, the child can access the internet from any web-enabled computer simply by plugging the Caddy-Pilot for Kids into the computer's USB port. The Caddy-Pilot for Kids automatically opens a browser program and loads the URL of the sponsoring ASP. The child then inserts their Safe Card scanner into the Caddy-Pilot for Kids, which automatically initiates a scan of their fingerprint, which instantaneously captures a portion of their fingerprint minutia and compares it to the minutia stored previously at enrollment activation, thereby authenticating that child as the authorized user of that Safe Card Scanner. Once a local authentication has taken place the Safe Card scanner checks the assigned user ID plus the Safe Card Scanner and Caddy-Pilot for Kids ID numbers against the registration record, authenticates the child user, and pre-loads the parental control ruleset. The child-users then have a restricted safe and secure but full internet experience including online shopping malls, Chat Rooms, Libraries, games, sports, etc.03-05-2009
20120079583OFFLOAD READS AND WRITES - Aspects of the subject matter described herein relate to offload reads and writes. In aspects, a requestor that seeks to transfer data sends a request for a representation of the data. In response, the requestor receives one or more tokens that represent the data. The requestor may then provide one or more of these tokens to a component with a request to write data represented by the one or more tokens. In some exemplary applications, the component may use the one or more tokens to identify the data and may then read the data or logically write the data without additional interaction with the requestor. Tokens may be invalidated by request or based on other factors.03-29-2012
20120198536UTILIZING A DISPERSED STORAGE NETWORK ACCESS TOKEN MODULE TO STORE DATA IN A DISPERSED STORAGE NETWORK MEMORY - A method for storing data begins with determining, by a computing device, where to store the data and continues with managing, by a dispersed storage network (DSN) access token module, a pairing between the DSN access token module and the computing device. The method continues with sending, by the computing device, at least a portion of the data to the DSN access token module and encoding, by the DSN access token module, the at least a portion of the data using a dispersed storage error encoding function to produce one or more sets of encoded data slices. The method continues with sending, by the DSN access token module, the one or more sets of encoded data slices and storage information to the computing device and sending, by the computing device, the one or more sets of encoded data slices to the DSN memory for storage therein.08-02-2012
20120198538MULTI-ENCLAVE TOKEN - A security token has multiple independent application enclaves, on which different application providers can install encryption keys and/or other data to authenticate a user of the token to their respective applications.08-02-2012
20090083843UNIQUE IDENTIFICATION OF ENTITIES OF AN INDUSTRIAL CONTROL SYSTEM - Systems and methods are provided for issuing unique identification credentials to a plurality of devices, and their constituent components, in an industrial control system. Identification credentials are granted by an identification authority and conveyed to each of the credentialed devices and/or components through an identity token. The identification credentials include (1) a unique device identifier, (2) an identification authority component identifier, and (3) an indication of the location of the identification authority component. To secure the issued credentials, such credentials are encrypted and the identification token can be embedded with biometric features. Identification credentials provide for the following prominent features: (i) secure access to a device from a client and (ii) determination of a topology of a set of credentialed devices in an industrial control system. The topology is network agnostic and facilitates organizational modeling of processes in the industrial control system.03-26-2009
20080263649Personal Token and a Method for Controlled Authentication - The invention relates to a personal token (10-23-2008
20080263652REQUEST-SPECIFIC AUTHENTICATION FOR ACCESSING WEB SERVICE RESOURCES - Requests for access to Web service resources are evaluated based on the type of request that is received. Requests are not granted unless sufficient proof of authentication is provided to grant that request. An authentication service evaluates one or more factors to determine whether or not to authenticate the client. After being authenticated by the authentication service, proof of authentication is provided to the Web service, which grants access to the Web service resource.10-23-2008
20080263651Integrating operating systems with content offered by web based entities - Example embodiments are provided for integrating operating systems with content offered by internet based entities.10-23-2008
20080263650ENHANCED CROSS-SITE ATTACK PREVENTION - Efficient cross-site attack prevention, in which web pages are stored on a site, the web pages being organized into entry pages that do not accept input, and protected pages that are not entry pages. A request is received from a user application to receive a requested web page, the request including a referrer string indicative of a referring web page, and identification data. It is determined whether the requested web page is an entry page or a protected page, and it is further determined, if the requested web page is determined to be a protected page, if the user application is authorized based upon the identification data, and if the referring web page is stored on the site based upon the referrer string. The requested web page is transmitted to the user application if the user application is determined to be authorized and if the referring web page is determined to be stored on the site, and the request is redirected to an entry page if the user application is determined to be not authorized or if the referring web page is determined to be not stored on the site.10-23-2008
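The entry-page / protected-page gate described in the abstract above, written out as an added example (not code from the patent or its assignee). The site host, the page tables, the session store and the cookie value are assumptions made for the illustration; the point worth seeing in code is that the referrer check must compare the parsed hostname, not a string prefix, and that an absent Referer cannot establish that the referring page is on the site.

```python
"""Entry/protected page gate modelled on the abstract above (added example).

Assumed for the illustration: the site host, the two page tables, and an
in-memory session store standing in for the patent's 'identification data'.
"""
from urllib.parse import urlsplit

SITE_HOST = "example.com"                       # assumed host of the protected site
ENTRY_PAGES = {"/", "/login", "/about"}         # assumed entry pages: they accept no input
PROTECTED_PAGES = {"/account", "/transfer"}     # assumed protected pages
VALID_SESSIONS = {"sess-1f2e3d"}                # assumed store of issued identification data


def referrer_is_on_site(referrer):
    """True only if the Referer header names a page on this site.

    A missing or malformed Referer is treated as off-site: we cannot show
    that the referring page is stored on the site, so the request is bounced
    to an entry page rather than served.  Comparing the parsed hostname
    (not a string prefix) defeats 'https://example.com.evil.net/' and
    'https://example.com@evil.net/' look-alikes.
    """
    if not referrer:
        return False
    parts = urlsplit(referrer)
    return parts.scheme in ("http", "https") and parts.hostname == SITE_HOST


def handle_request(path, referrer, session_id):
    """Decide how to answer a request.

    Returns ("serve", path) or ("redirect", entry_page).  Entry pages are
    always served; a protected page is served only when the identification
    data is valid AND the referring page is on the site; anything else is
    redirected to an entry page, as the abstract describes.
    """
    if path in ENTRY_PAGES:
        return ("serve", path)
    if path not in PROTECTED_PAGES:
        return ("redirect", "/")                 # unknown page: send to the root entry page
    authorized = session_id in VALID_SESSIONS
    if authorized and referrer_is_on_site(referrer):
        return ("serve", path)
    return ("redirect", "/login")                # not authorized, or cross-site referrer


if __name__ == "__main__":
    # A cross-site form post carries the victim's valid session but an off-site Referer.
    print(handle_request("/transfer", "https://evil.example.net/csrf", "sess-1f2e3d"))
    print(handle_request("/transfer", "https://example.com/account", "sess-1f2e3d"))
```

The practical caveat with this design is that browsers and privacy settings may suppress the Referer header (Referrer-Policy, some proxies), so a legitimate user arriving without one is bounced to the entry page; deployments that cannot tolerate that pair the check with a per-session anti-CSRF token or SameSite cookies instead of relying on the referrer alone.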
20110231923LOCAL AUTHENTICATION IN PROXY SSL TUNNELS USING A CLIENT-SIDE PROXY AGENT - A traffic management device (TMD), system, and processor-readable storage medium are directed towards reducing a number of login web pages served by a server device over an end-to-end encrypted connection. In one embodiment, a TMD intercepts and processes requests for content addressed to the server device. The TMD may serve a stored copy of a login page corresponding to the requested content to the client device. In response, the client device may submit login information associated with the login page to the TMD. The TMD may extract the login information from the submitted response and send a request to the server device to authenticate the client device based on the extracted login information. If the client device is authenticated, the TMD may transmit a ‘login successful’ page to the client device.09-22-2011
20110231922COMMUNICATION APPARATUS, WIRELESS COMMUNICATION SYSTEM, AND METHOD OF SETTING ASSOCIATION INFORMATION - A communication apparatus includes a first communication unit that performs a wireless communication with two storage media that store therein association information for establishing a wireless connection and user identification information for identifying a user, respectively, and receives the association information and the user identification from the two storage media; a determination unit that performs user authentication based on the user identification information, determines whether or not to validate the association information based on the user authentication, and if the association information is determined to be valid, sets the association information; and a second communication unit that establishes a wireless connection based on the association information set by the determination unit.09-22-2011
20110231921PLUGGABLE TOKEN PROVIDER MODEL TO IMPLEMENT AUTHENTICATION ACROSS MULTIPLE WEB SERVICES - A pluggable token provider model for message level authentication across multiple web services is provided. Web service and token provider implementations within a client application are separated from an actual component that operates the business logic to formulate and understand a web request. The web service components may request web services to be executed and supply the body for the web service message while a common framework maintains the web services metadata, which includes definitions associated with respective tokens. The framework may further maintain token provider implementations that actually fetch authentication tokens and perform the web requests.09-22-2011
20090193512SYSTEM AND METHOD FOR ADDRESSING A UNIQUE DEVICE FROM A COMMON ADDRESS BOOK - A method and system for addressing a unique device from an address book, the method having the steps of: receiving a message having a root token and a secondary token; checking whether the root token exists within the address book, if no, creating a record in the address book with the root and secondary token; and if yes, checking whether the secondary token exists within the address book, if yes, providing a representation of the unique device; and if no, storing the secondary token against the root token in the address book.07-30-2009
20090183250APPARATUS, SYSTEM, AND METHOD FOR TRANSFERRING AUTHORITY - In a system for transferring authority, a transfer token providing unit provides a transfer token to transfer a token of a first user to a third party based on a request from a first terminal. A releasing unit releases the transfer token provided by the transfer token providing unit. A utilizing transfer token providing unit provides, when a request to obtain the transfer token released by the releasing unit is received from a second terminal, a utilizing transfer token to make the requested transfer token available to a second user, and provides the utilizing transfer token to the second user.07-16-2009
20090100511METHOD AND APPARATUS FOR USE IN PERSONALIZING IDENTIFICATION TOKEN - According to some embodiments, a method comprises: storing, in a personalization token, information to personalize an identification token; issuing the personalization token to an account holder; and transmitting the information from the personalization token to the identification token using a wireless interface. According to some embodiments, apparatus comprises: a personalization token issued to an account holder, the personalization token comprising: information to personalize an identification token; and a wireless communication interface to transmit the information to the identification token.04-16-2009
20090165112METHODS AND APPARATUSES FOR USING CONTENT, CONTROLLING USE OF CONTENT IN CLUSTER, AND AUTHENTICATING AUTHORIZATION TO ACCESS CONTENT - Provided is a method of controlling use of content in a cluster by a source device, the method including receiving a request from a sync device to transmit content, authenticating an authorization of the sync device to access the content, and transmitting a stream of the content to the sync device. Thus, copyrights of content used by the source device or the sync device of the home network can be efficiently protected.06-25-2009
20090205036Secure information storage and delivery system and method - A system for secure information storage and delivery includes a vault repository that includes a secure vault associated with a user, wherein the secure vault is associated with a service level including at least one of a data type or a data size limit associated with the secure vault, the secure vault being adapted to receive at least one data entry and securely store the at least one data entry if the at least one of a size or a type of the at least one data entry is consistent with the service level. A mobile vault server coupled to the vault repository creates a mobile vault on a mobile device based on the secure vault and is capable of authenticating the mobile device based on user authentication information. The mobile vault server includes a mobile device handler that communicates with the mobile device. A synchronization utility determines whether the at least one data entry on the secure vault is transferable to or storable on the mobile vault based on at least one of the size or the type of the at least one data entry and transfers the at least one data entry from the secure vault to a corresponding data entry on the mobile vault if the at least one data entry on the secure vault is determined to be transferable to or storable on the mobile vault.08-13-2009
20090205034System for Running Potentially Malicious Code - Systems and methods for creating a secure process on a web server can include creating an application manager process, and creating an application host process, the application host process being created under control of the application manager process. Example methods can also include restricting attributes of the application host process, and assigning a unique logon identifier to the application host process so that the application host process can only communicate with the application manager process.08-13-2009
20090222900AUTHENTICATION TICKET VALIDATION - Computer-readable media, systems, and methods for validating an authentication ticket to ensure authenticated communications between a client and an online service provider. In embodiments an authentication request is received from a user agent associated with the client and the authentication request includes a set of identification information and a set of authentication information. Additionally, it is determined that the set of identification information and the set of authentication information are associated with a user and an authentication ticket is created including a user identification and an authentication, indicating to the online service provider that the user is authenticated to access one or more online services. Further, a validation token is embedded into the authentication ticket that provides enhanced verification that the access provided by the online service provider is authenticated.09-03-2009
20090241178CARDSPACE HISTORY VALIDATOR - Before a relying party grants a client access to a resource, the last use of the security token by the client to access the resource of the relying party can be verified. Verification can be accomplished by comparing the last time the client sent the security token to the relying party with the last time the relying party received the security token from the client. If the last use of the security token is not verified, the possibility exists that the security token has been fraudulently used by a third party.09-24-2009
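The last-use comparison in the abstract above, as an added example that is not the patent's code. It assumes the client sends, alongside the token, its own record of when it last presented that token to this relying party, that timestamps on both sides are comparable within a small tolerance, and that the relying party records each receipt; the scenario at the end walks through the two ways a stolen token shows up: a stale replay is refused at once, and a replay that guesses the current history state gets through but is exposed on the client's next legitimate use.

```python
"""Security-token history check modelled on the abstract above (added example).

Assumptions: the client transmits its last-sent time with the token, clocks
agree to within `tolerance`, and the relying party keeps a last-received
time per token.  Timestamps are plain integers (seconds) for the illustration.
"""


class RelyingParty:
    """Records when each security token was last received and checks history."""

    def __init__(self, name, tolerance=2):
        self.name = name
        self.tolerance = tolerance
        self.last_received = {}          # token id -> time of the previous receipt

    def check_and_record(self, token_id, claimed_last_sent, now):
        """Grant access only if the client's history matches ours, then record.

        claimed_last_sent is the client's view of when it last used this
        token here (None on first use).  A mismatch means the token reached
        us at a time the client does not know about, i.e. someone else used it.
        """
        seen = self.last_received.get(token_id)
        if (claimed_last_sent is None) != (seen is None):
            return False                 # one side has a history the other lacks
        if seen is not None and abs(claimed_last_sent - seen) > self.tolerance:
            return False                 # histories disagree: possible fraudulent use
        self.last_received[token_id] = now
        return True


class Client:
    """Holds a security token and remembers when it last sent it to each party."""

    def __init__(self, token_id):
        self.token_id = token_id
        self.last_sent = {}              # relying party name -> time of last send

    def present(self, rp, now):
        granted = rp.check_and_record(self.token_id, self.last_sent.get(rp.name), now)
        if granted:
            self.last_sent[rp.name] = now
        return granted


def replay_scenario():
    """Two honest uses, then two replays by a third party, then the next honest use."""
    rp = RelyingParty("bank", tolerance=2)
    alice = Client("token-A")
    first = alice.present(rp, now=1000)          # no history on either side: granted
    second = alice.present(rp, now=1005)         # claims 1000, RP recorded 1000: granted
    # Attacker replays the captured second message (it still claims 1000) at 1042.
    stale = rp.check_and_record("token-A", 1000, now=1042)      # RP now holds 1005: refused
    # Attacker who knows the current state claims 1005 instead: this one gets through.
    guessed = rp.check_and_record("token-A", 1005, now=1042)    # granted, RP now holds 1042
    # Alice's next use claims 1005 but the RP last saw the token at 1042: flagged.
    detected = alice.present(rp, now=1100)
    return first, second, stale, guessed, detected


if __name__ == "__main__":
    print(replay_scenario())
```

The check therefore does not stop a well-timed replay by itself; what it gives the relying party is a reliable signal, on the next honest presentation, that the token has been used elsewhere, at which point the token should be revoked rather than the mismatch merely logged.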
20100175120MULTI-LAYER DATA MAPPING AUTHENTICATION SYSTEM - A multi-layer data mapping authentication system has a real ID authentication server, a middle data mapping server and a terminal data mapping server. The real ID authentication server links to a private network and stores real IDs and hidden codes, each of which corresponds to a unique real ID. The terminal data mapping server links to a public network and allows an end user to link to it, so that the end user sends the terminal data mapping server a user's code and a one-time password (OTP). Since the middle data mapping server links between the real ID authentication server and the terminal data mapping server, the end user only uses the hidden code to generate the OTP and sends the user's code and the OTP over the public network. The terminal and middle data mapping servers convert the user's code to the corresponding real ID of the end user in the private network to complete the authentication procedure. The real ID and hidden code are not sent over the public network and are not stolen.07-08-2010
20090254983METHOD AND APPARATUS FOR MANAGING TOKENS FOR DIGITAL RIGHTS MANAGEMENT - A method and apparatus for managing tokens for Digital Rights Management (DRM) in a terminal are provided. In the method, at least one token is acquired from a Rights Issuer (RI), and the token is moved to a Secure Removable Media (SRM) through a token move request message. The token can be shared by several terminals.10-08-2009
20100154047METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR MEDIA SESSION POLICY COMPLIANCE AUDITING AND ENFORCEMENT USING A MEDIA RELAY AND SESSION INITIATION PROTOCOL (SIP) SIGNALING - Methods, systems, and computer readable media for media session policy compliance auditing and enforcement using a media relay and session initiation protocol (SIP) signaling are provided. One method includes, at a SIP policy server, receiving SIP signaling from a user agent client to obtain a policy for a media session and, in response, generating at least one media session correlation token. At least a portion of the SIP policy server is implemented in hardware. The media session correlation token and the media policy are communicated to the user agent client and to a media relay. Identification information for the media relay is also communicated to the user agent client. At least a portion of the media relay is implemented in hardware. At the media relay, the media session correlation token is received and used to correlate and store usage information for the media session and to monitor compliance with the media policy.06-17-2010
20100162376AUTHENTICATION SYSTEM AND METHOD USING DEVICE IDENTIFICATION INFORMATION IN UBIQUITOUS ENVIRONMENT - An authentication system using device identification information in a ubiquitous environment includes: an information reader for receiving authentication information of a user through at least one device of the user; a home gateway and an office gateway for registering the user authentication information received from the information reader, and performing service control through verification of authentication of the user; and an integrated authentication center for receiving the user authentication information from the home gateway and the office gateway by querying, in response to a request for the authentication of the user received from a specific system, and, when the respective pieces of the user authentication information are identical to each other, transmitting an authentication success message to the specific system.06-24-2010
20090260071SMART MODULE PROVISIONING OF LOCAL NETWORK DEVICES - A card-based mechanism can enable users to secure their network by limiting network access to devices to which a card is communicationally connected, the card having been previously provisioned by the user. A trusted computing device can be used to provision a card. Subsequently, the card can be communicationally connected to a card-provisionable device and can use the networking abilities of that device to authenticate itself to the trusted computing device. The card-provisionable device can then be granted access to the network. The card can also be used to provision the device with other information, such as device-specific settings. If necessary, either the card or the trusted computing device can revoke the network access rights of the card-provisionable device without affecting other devices on the network.10-15-2009
20080307516Secure neighbor discovery router for defending host nodes from rogue routers - In one embodiment, a method comprises receiving, by a router in a network, a router advertisement message on a network link of the network; detecting within the router advertisement message, by the router, an advertised address prefix and an identified router having transmitted the router advertisement message within the network; determining, by the router, whether the identified router is authorized to at least one of advertise itself as a router, or advertise the advertised address prefix on the network link; and selectively initiating, by the router, a defensive operation against the identified router based on the router determining the identified router is not authorized to advertise itself as a router, or advertise the advertised address prefix on the network link.12-11-2008
20080307517Method for Securely Associating Data with Http and Https Sessions - A computing system, method and product comprising a server, a mobile device comprising a client interconnected with the server via a data network, the client identified by a credential which is unavailable to the client and an intermediate node interconnected to the client and the server via the data network wherein the credential is available to the intermediate node. Upon reception of a service request from the client at a first server address the server redirects the client to transmit the service request to a second server address via the intermediate node together with a token, wherein the intermediate node appends a credential identifying the client to the redirected service request and the token and relays the redirected service request, the token and the credential to the second server address.12-11-2008
20100162377MASS STORAGE DEVICE WITH AUTOMATED CREDENTIALS LOADING - A portable mass storage device for use in two factor authentication systems and methods. A secure portable mass storage device protects content from being freely copied with security mechanisms and firmware. The security functionality also protects confidential user credentials and passwords, as well as algorithms and seeds needed for two factor authentication or asymmetric authentication methods. A client application residing in the mass storage device acts as both a password manager and an authentication manager that seamlessly performs the authentication procedures in the background while signing a user into various institutions of his choosing. A very high level of security is integrated into a mass storage device the user has for purposes other than two factor authentication, and the convenience of highly secure password management also comes in a convenient pocket sized package easy for the user to transport. This facilitates the acceptance of two factor authentication, and increases security for a wide variety of online transactions.06-24-2010
20100263038Portable electronic device and personal authentication system with non-rewritable attribute memory - A portable electronic device has an attribute memory such as a one-time programmable read-only memory that non-rewritably stores an original attribute characterizing an authenticatee. When the authenticatee uses the portable electronic device at an authentication terminal, the authenticatee inputs the same attribute to the authentication terminal. The input attribute is sent from the authentication terminal to the portable electronic device and compared with the original attribute in the portable electronic device. Alternatively, the original attribute is sent from the portable electronic device to the authentication terminal and compared with the input attribute in the authentication terminal. The use of a non-rewritable attribute memory improves the security of the authentication system.10-14-2010
20100186078Personal Portable Secured Network Access System - Authenticating a customer for access to a content server. The customer is biometrically authenticated to a secure terminal based on information stored in a secure personal storage device belonging to the customer. The customer is allowed access to the secure terminal after a successful authentication. The customer is authenticated to the content server based on account credentials stored on the secure personal storage device issued by the content server.07-22-2010
20100186077SYSTEM, CONTROLLER, AND METHOD THEREOF FOR TRANSMITTING DATA STREAM - A system, a controller, and a method thereof for transmitting data stream from a host to a peripheral device with a chip are provided. At least a part of a data stream is transmitted from the host to the peripheral device. Then, the host inerrably receives a response message generated by the chip by executing a plurality of read commands. The data stream and the response message have corresponding write tokens, and the write token of the data stream is compared with the write token of the response message to verify the accuracy of the response message.07-22-2010
20120124656Method and system for mobile device based authentication - In this specification, access may be provided to secure systems by authentication using mobile devices. Users may register a mobile device and password with an authentication system. To access a secure system, users may send a request with a registered phone number via SMS, internet or phone. In an embodiment, the authentication server system may send the token and the position of the password via SMS. Users may enter the authentication code, comprising the token and the password, at the secure system. The secure system compares the authentication code with the stored authentication code to grant access to the secure system. Secure access may be used for credit card, pre-paid card, debit card or any other card transactions, other financial transaction authentication, login authentication for a computer system and security access authentication.05-17-2012
20120198539Service Access Method, System and Device Based on WLAN Access Authentication - The present application discloses a service access method based on the WLAN access authentication, which includes: in the process of performing the WLAN access authentication, a WLAN portal server transmits a first Cookie to a terminal, which has passed the WLAN access authentication; the terminal requests to access the service of the application system, and the service authentication center associated with the application system determines the terminal has passed the WLAN access authentication according to the first Cookie; the associated service authentication center obtains the identity token of the terminal through the first Cookie; the associated service authentication center transmits the obtained identity token of the terminal to the application system; and according to the identity token of the terminal, the application system provides the service access for the terminal. By the method, after the terminal passes the WLAN access authentication, it can access the service provided by several application systems without the service authentication, thus improving the user experience and reducing the system overhead of the application system.08-02-2012
20100218245METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR MANAGING INTERCHANGE OF ENTERPRISE DATA MESSAGES - A system and method for enabling the interchange of enterprise data through an open platform is disclosed. This open platform can be based on a standardized interface that enables parties to easily connect to and use the network. Services operating as senders, recipients, and in-transit parties can therefore leverage a framework that overlays a public network.08-26-2010
20100186076METHOD AND SYSTEM OF PROVIDING SECURITY SERVICES USING A SECURE DEVICE - A secure portable electronic device for providing secure services when used in conjunction with a host computer. The secure portable device includes a read-only memory partition, a read/write memory partition, and a secure memory partition. The secure portable device includes instructions stored in the read-only partition including a host agent containing instructions executable by the host computer. The secure portable device also includes instructions stored in the secure memory partition. These instructions include a card agent containing instructions executable by a central processing unit of the secure portable electronic device, and include a card agent communications module for communicating with the host agent, and a security module for accessing private information stored in the secure memory partition. The host agent includes a host agent communications module for communicating with the card agent and at least one function requiring use of private information stored in the secure memory partition of the portable device and operable to transmit a request to the card agent to perform a corresponding function requiring the use of private information stored on the portable device.07-22-2010
20090077645FRAMEWORK FOR NOTIFYING A DIRECTORY SERVICE OF AUTHENTICATION EVENTS PROCESSED OUTSIDE THE DIRECTORY SERVICE - Methods, systems and machine-readable media for authenticating an end user for a client application are disclosed. According to one embodiment of the invention, a method of authenticating an end user for a client application using a directory service having an authentication control policy that tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures comprises receiving end user identity information and security information at the client application; sending a search request to the directory service for an entry associated with the end user identity information and, if a match is found, receiving an authentication token from the directory service associated with the end user identity information; comparing the received authentication token with the security information; if the authentication token matches the security information, sending a request to update the directory service to indicate that successful authentication of the end user has occurred; and if the authentication token does not match the security information, sending a request to update the directory service to indicate that a failed attempt at authentication of the end user has occurred.03-19-2009
20100235899DATA PROCESSING SYSTEM, CONTROLLER, AND METHOD THEREOF FOR SEARCHING FOR SPECIFIC MEMORY AREA - A data processing system, a controller, and a method for searching for a specific logical block are provided. Logical blocks are searched out from a peripheral unit, where data of the searched logical blocks are not yet stored in a cache memory of a master control unit. During searching for the logical blocks, a plurality of read commands are executed. The read commands are set to read data of a plurality of separated logical blocks of the peripheral unit respectively, such that the search time is shortened.09-16-2010
20090293112ON-LINE GENERATION AND AUTHENTICATION OF ITEMS - Value based tokens are generated for inclusion on a data carrier which may be applied to a media such as a coupon, bank note etc. The tokens are generated by a core system which communicates with application specific wrappers. The wrappers supply token parameters to the core that are specific to the application and the core generates the tokens, and stores them for later authentication. The core then encodes the tokens onto a data carrier under the control of the wrapper and distributes the tokens under the control of the wrapper. When a token is presented for validation, for example by a customer in a shop, the encoded data carrier is scanned and the token retrieved. It is passed back to the core by the wrapper for validation of its identification number and other parameters.11-26-2009
20100235900EFFICIENT TWO-FACTOR AUTHENTICATION - Methods, devices, and systems are provided for an efficient two-factor authentication process. In particular, a card challenge is combined with a user-provided password or similar user-based credential before a transformation of the data is performed. Once the combined challenge and user-provided credential have been transformed, the transformed data is used as a basis for authentication verification.09-16-2010
20100242104METHODS AND SYSTEMS FOR SECURE AUTHENTICATION - A system, device, method, program instructions, and means for securely authenticating a user, the method including mapping, by a one time code generating device in the possession of a user, a one time code onto a graphical representation of a positional array; displaying the one time code mapped onto the graphical representation of the positional array; determining an encoded personal identification number (PIN), the encoded PIN is based on the one time code mapped onto the graphical representation of the positional array and a static PIN known by the user; and authenticating the user based on the encoded PIN.09-23-2010
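The entry above (20100242104) describes a one-time code laid out on a positional array, a static PIN that names grid positions, and an encoded PIN read off from those positions. The following is an added illustration of that scheme, not code from the patent: it assumes a 3x3 grid numbered 1..9 like a phone keypad, a 9-digit one-time code that the device and the authenticator both already know (the code generator itself is out of scope here and the sample code is constructed), and function names chosen for this example.

```python
import hmac


def map_code_to_grid(one_time_code: str, rows: int = 3, cols: int = 3) -> list[list[str]]:
    """Lay the one-time code out row-major onto a rows x cols positional array,
    the graphical representation the device displays."""
    if len(one_time_code) != rows * cols or not one_time_code.isdigit():
        raise ValueError(f"need exactly {rows * cols} digits")
    return [list(one_time_code[r * cols:(r + 1) * cols]) for r in range(rows)]


def render_grid(grid: list[list[str]]) -> str:
    """What the user sees; positions are numbered 1..9 like a phone keypad."""
    return "\n".join(" ".join(row) for row in grid)


def encode_pin(grid: list[list[str]], static_pin: str) -> str:
    """The user reads the digit at each grid position named by their static PIN.
    Position digits run 1..rows*cols; the static PIN itself is never transmitted."""
    rows, cols = len(grid), len(grid[0])
    encoded = []
    for ch in static_pin:
        pos = int(ch) - 1
        if not 0 <= pos < rows * cols:
            raise ValueError(f"PIN digit {ch} is not a grid position")
        encoded.append(grid[pos // cols][pos % cols])
    return "".join(encoded)


def verify_encoded_pin(server_code: str, static_pin: str, submitted: str) -> bool:
    """Authenticator side: it knows this session's one-time code (same generator as the
    device) and the enrolled static PIN, so it recomputes the expected encoded PIN and
    compares in constant time."""
    expected = encode_pin(map_code_to_grid(server_code), static_pin)
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    # Constructed sample: one session's code as shown on the device.
    code = "483920571"
    grid = map_code_to_grid(code)
    print(render_grid(grid))
    # Enrolled static PIN 2749 means "positions 2, 7, 4, 9" -> the user types 8591.
    print("encoded:", encode_pin(grid, "2749"))
    print("accepted:", verify_encoded_pin(code, "2749", "8591"))
```

The encoded PIN changes with every one-time code, so a captured value is useless for the next session. The caveat a practitioner should keep in mind: an observer who sees both the displayed grid and the typed encoded PIN can recover the positions (and hence the static PIN) whenever the grid digits are distinct, so the display, not just the channel, has to be protected.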
20100251352System and method for rendering a set of program instructions as executable or non-executable - A method and system for rendering a set of computer-readable program instructions on a user device as executable or non-executable. The user device or an intermediary device may transmit an access-token request including a device identifier to a server device. The server device determines whether the device identifier matches a registered device identifier, and if so, transmits an access-token to the user device, or to the intermediary device, which in turn transmits the access-token to the user device. The access-token includes an expiration indicator. Preferably, the expiration indicator is not expired when received by the user device, but expires some time after being received by the user device. The user device executes a first set of program instruction to determine whether the expiration indicator is expired, and if so, renders a second set of program instructions as non-executable, otherwise the second set of program instructions are rendered as executable.09-30-2010
20100212004METHOD AND APPARATUS FOR PROVIDING ENHANCED SERVICE AUTHORIZATION - An approach is provided for authorizing one or more services from service providers in a communications network. The approach includes receiving a request from a first service provider, the request having an associated primary token and a secondary token identifier, the secondary token identifier relating to resources of a second service provider. Based, at least in part, on the secondary token identifier, a secondary token is identified; and then the secondary token is sent to the first service provider, wherein the first service provider and the second service provider belong to different trust domains and the first service provider can use the secondary token to access resources of the second service provider.08-19-2010
20100199341Methods, Subscriber Server, and User Equipment for Facilitating Service Provision - A User Equipment (UE), a Home Subscriber Server (HSS), and methods are provided for facilitating access to a second service (e.g. IPTV, IP Television) when the user registers with a network for a first service (e.g. IMS, IP Multimedia Subsystem service, or 2G mobile service). For example, the user employs his mobile terminal to register for IMS service, then requests a security token for the provision of the second service. The network validates the user subscription and provides the security token associated with the 208-05-2010
20110113480CARRIER-GRADE PEER-TO-PEER (P2P) NETWORK, SYSTEM AND METHOD - A computing network, including: a plurality of peer computing devices including code, which when executed by a peer computing device causes the executing peer computing device to cooperate with at least one other of the peer computing devices; at least one server including code, which when executed by the at least one server locates at least one of the peer computing devices; and at least one mediator including code, which when executed by the at least one mediator collects information from at least some of the peer computing devices; wherein the peer computing devices, the at least one server and the at least one mediator are communicatively coupled via a telecommunications network that is at least carrier-grade and is suitable for enhancing co-operation among the cooperating ones of the peer computing devices relative to best-efforts communications among them.05-12-2011
20100064360Token device that generates and displays one-time passwords and that couples to a computer for inputting or receiving data for generating and outputting one-time passwords and other functions - A token device that generates and displays one-time passwords and couples to a computer for inputting or receiving data for generating and outputting one-time passwords and performing other functions is provided. The token includes an interface for coupling to a computer. The token may also be coupled to any network that the computer may be connected to, when coupled to the computer. Data and information may be transmitted between the computer and token, and between the network and token, via the computer and interface. The data and information may include one-time password seeding, file transfer, authentication, configuration and programming of the token. The token must be seeded to generate and display one-time passwords. An original, or seed, value is loaded into the token. One-time passwords are subsequently generated or calculated, or both, from the seed value. Seeding of the token involving a counter, time, or time-related functions, may allow synchronization of the token with such functions. The token may support different authentication methods.03-11-2010
20090328180Granting Least Privilege Access For Computing Processes - Embodiments provide a security infrastructure that may be configured to run on top of an existing operating system to control what resources can be accessed by an application and what APIs an application can call. Security decisions are made by taking into account both the current thread's identity and the current thread's call chain context to enable minimal privilege by default. The current thread context is captured and a copy of it is created to be used to perform security checks asynchronously. Every thread in the system has an associated identity. To obtain access to a particular resource, all the callers on the current thread are analyzed to make sure that each caller and thread has access to that resource. Only when each caller and thread has access to that resource is the caller given access to that resource.12-31-2009
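The entry above (20090328180) grants a resource only when the thread identity and every caller on the call chain is allowed to use it, and copies the context so the check can run asynchronously. The following is an added illustration of that caller-chain rule, not the patent's implementation: the policy, the identities "host" and "plugin", and the helper names are constructed for this example, and the call chain is tracked explicitly in thread-local storage rather than read from a real stack.

```python
import threading
from typing import Iterable

_local = threading.local()


def _chain() -> list[str]:
    """Identities of the callers on the current thread, outermost first."""
    if not hasattr(_local, "chain"):
        _local.chain = []
    return _local.chain


class called_by:
    """Context manager marking that code inside the block runs on behalf of `identity`."""

    def __init__(self, identity: str):
        self.identity = identity

    def __enter__(self):
        _chain().append(self.identity)
        return self

    def __exit__(self, *exc):
        _chain().pop()
        return False


def snapshot_context(thread_identity: str) -> tuple[str, ...]:
    """Copy of the security context (thread identity plus call chain) that can be handed
    to another thread for an asynchronous check without racing the live stack."""
    return (thread_identity, *_chain())


def check_access(resource: str, context: Iterable[str], policy: dict[str, set[str]]) -> bool:
    """Grant only if the thread identity AND every caller in the chain may use the resource:
    the effective privilege is the intersection along the chain, so a less-privileged
    caller cannot borrow the thread's rights (the classic confused-deputy case)."""
    return all(resource in policy.get(principal, set()) for principal in context)


def run_demo() -> dict[str, bool]:
    # Constructed policy: the host may touch secrets and the network, a plugin only the network.
    policy = {"host": {"secrets", "network"}, "plugin": {"network"}}
    results = {}
    results["host_alone_secrets"] = check_access("secrets", snapshot_context("host"), policy)
    with called_by("plugin"):
        # Host code invoked by the plugin: the plugin cannot launder its way to secrets.
        results["via_plugin_secrets"] = check_access("secrets", snapshot_context("host"), policy)
        results["via_plugin_network"] = check_access("network", snapshot_context("host"), policy)
        saved = snapshot_context("host")
    # The copy taken inside the plugin call still denies after that frame is gone.
    results["async_copy_secrets"] = check_access("secrets", saved, policy)
    # A caller with no policy entry has no rights at all (deny by default).
    results["unknown_caller"] = check_access("network", ("host", "untrusted"), policy)
    return results


if __name__ == "__main__":
    for name, granted in run_demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The snapshot matters for the asynchronous case: a check that reads the live chain after the caller has returned would see a shorter, more privileged context than the one the request was actually made under.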
20090328179IDENTIFICATION OF A SMART CARD ON A PLUG AND PLAY SYSTEM - Techniques for identifying a smart card in a plug and play system. The technique requires identifying a unique code identifier and loading a smart card minidriver according to the unique code identifier.12-31-2009
20090320119EXTENSIBLE CONTENT SERVICE FOR ATTRIBUTING USER-GENERATED CONTENT TO AUTHORED CONTENT PROVIDERS - A method and system allows a user to add content to a displayable content container (e.g., web page) that specifies at least one modifiable portion, where the modifiable portion is served by a server operated by one entity, but provided to the server by a service operated by another entity. The modifiable portion is attributable to the one entity and remaining content in the displayable content container is not editable by the users. Other features, such as user authentication mechanisms, are also described herein.12-24-2009
20090320118Security Token and Method for Authentication of a User with the Security Token - A security token includes (a) a personal data memory configured to store digital identity credentials related to personal data of a user; (b) an input appliance configured to check said personal data; (c) a key record data memory configured to store at least one identity credential of an authentication server or of an application operator; (d) a transmitter and receiver unit configured to create a secure channel directly or indirectly to said authentication server or application operator to handle said key record relating to said authentication server or application operator, respectively; (e) a control unit configured to control the transmitter and receiver unit and the key record data memory in view of said handling, wherein the control unit is configured to perform one of: interpreting, deciphering, creating, checking, renewing, withdrawing and further key record handling actions. A method for authentication of a user using the security token is also disclosed.12-24-2009
20090320117REMOTE SIGN-OUT OF WEB BASED SERVICE SESSIONS - Remote sign-out of web based service sessions. As a part of remote sign-out of web based service sessions, a user authentication token is accessed that is used to establish a web based service session and this user authentication token is stored in memory of an authentication server and returned in a cookie to the device. User access and deletion of the user authentication token from memory is accommodated using a device different from that which initially established the web based service session. Upon receipt of a browser request involving the user authentication token, it is determined whether the user authentication token is stored in memory. An access denial indication is provided to a web based service that indicates that the user authentication token is not stored in memory.12-24-2009
20090133111SYSTEM FOR CENTRALIZING PERSONAL IDENTIFICATION VERIFICATION AND ACCESS CONTROL - A computerized centralized access management system having an access card with personal identification information, a server in communication with an access control computer having an access card reader, and an add-on computer program stored in the access control computer to perform a method of reading the access card, retrieving personal identification information, transmitting the personal information to the server, receiving an access record and notifying the access control computer whether or not to allow access for the individual according to the access record received from the server.05-21-2009
20120246710DYNAMIC, TEMPORARY DATA ACCESS TOKEN - Provided are techniques for generating a temporary data access token for a subset of data for a specific period of time for a non-registered user who did not register with a computer providing access to the subset of the data. In response to the non-registered user attempting to access the subset of data with the temporary data access token, it is determined whether the temporary data access token is valid for the subset of data based on the specified period of time. In response to the temporary data access token being valid, the subset of data is provided to the non-registered user. In response to the temporary data access token not being valid, access is denied to the subset of data by the non-registered user.09-27-2012
20090113534GENERIC INTERACTIVE CHALLENGES IN A DISTRIBUTED SYSTEM - A challenge mechanism in which a challenge is issued from one message processor to another. In generating the challenge, the message processor may select any one or more of a number of available interactive challenge types, where each type of challenge type might use different user-originated information. Upon receiving the challenge, the challengee message processor may identify the challenge type based on information provided in the challenge, and perform different actions depending on the challenge type. The challengee message processor then generates an appropriate challenge response, and issues that challenge response to the challenger message processor. The challenger message processor may then validate the challenge response.04-30-2009
20120144474METHOD OF PROTECTING ACCESS TO DATA ON A NETWORK - The invention is a method of managing access to a plurality of data from a server by a client through a point-to-point link. Each of the data is reachable through a set of URIs that belongs to an index list. The method comprises the step of inserting a request to a control message in the index list. The control message applies to a data reachable through one URI belonging to the index list.06-07-2012
20090037995System and Method For Authentication Of Users In A Secure Computer System - A system and method of authenticating a user in a secure computer system in which a client computer transmits to the secure computer system a request for a sign-on page, the computer system transmits to the client computer a prompt for a first user identifier, and in response to the prompt, the client computer transmits to the computer system a request including a first identifier, a second identifier stored in an object stored at the client computer and a plurality of request header attributes. The computer system includes a server software module that authenticates the first user identifier and the second user identifier, and compares the transmitted plurality of request header attributes with a plurality of request header attributes stored at the computer system and associated with the first and second user identifiers. If the first and second user identifiers are authenticated, and if the transmitted request header attributes match stored request header attributes, the server software module transmits a success message to the client computer to be viewed by the user, and the user is allowed to access the secure computer system. In one embodiment, each transmitted request header attribute is given a numerical weighted value and the comparison of request header attributes includes adding the assigned numerical values of matching attributes to arrive at a total value, then transmitting the success message to the client computer only if the total value of matching request header attributes is at least a certain predetermined numerical total.02-05-2009
20090037994SYSTEM AND METHOD FOR ORDERED CREDENTIAL SELECTION - A system and method for assisting in ordered credential selection is disclosed. In one embodiment, the system enables ordered credential selection for credentials associated with one or more digital identities. The system comprises a plurality of security tokens, with each security token comprising a claim associated with a digital identity and where at least two of the security tokens are different from each other. The system also comprises an ordering module and manager module. The ordering module imposes a preferential ordering on the security tokens in accordance with an ordering policy to select a preferred security token. The manager module transmits at least one security token in response to a request, where at least one of the security tokens transmitted by the manager module is the preferred security token.02-05-2009
20100306840DOCUMENT PROCESSING AUTOMATED SYSTEM AND IMAGE FORMING APPARATUS - It is facilitated to execute a workflow requiring user authentication. When an IC card reading/writing apparatus reads information recorded in an IC card owned by a user, an image forming apparatus transmits user credential information included in the read information to an authentication server. The authentication server performs authentication of the user based on the user credential information transmitted from the image forming apparatus. The image forming apparatus transmits workflow program information included in the information recorded in an authentication token and parameter information for the workflow program to an application server. The application server controls the image forming apparatus based on the workflow program information.12-02-2010
20100306838METHOD AND APPARATUS FOR COPY PROTECTING A DIGITAL ELECTRONIC DEVICE - A device and a method of authenticating an electronic device are described. The method may comprise transmitting a token value and a parameter value to the electronic device and selecting a private key within the electronic device using the parameter value. The token value may be processed with a method selected by the parameter value to generate a processed token. The processed token may be compared with an expected processed token and the electronic device may be authenticated if the processed token compares favorably with said expected processed token.12-02-2010
20100319064DIGITAL CONTENT ACQUISITION SYSTEM AND TECHNIQUES - A network- and/or client-side digital content acquisition system facilitates automatic and simplified transactions, between a user of a consumer electronic device (“CED”) and a digital content source, for authorizing access to digital content items (“DCIs”). Computer-readable visual symbols are associated with DCIs. A particular computer-readable visual symbol has a visual symbology, presented on a surface, which encodes information regarding DCIs, sources responsible for authorizing access to the DCIs, and consideration (if any) due from a user. A user of a particular CED identifies, and uses the CED to reproduce and decode, a particular computer-readable visual symbol. Upon reproduction and/or decoding, the CED automatically requests access to the DCI, and provides a security token that links the user and the CED, and automatically authorizes transfer of consideration (if any) due from the user. Upon authentication of the security token, the user automatically receives access to the DCI.12-16-2010
20130139241METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR BRIDGING USER AUTHENTICATION, AUTHORIZATION, AND ACCESS BETWEEN WEB-BASED AND TELECOM DOMAINS - Methods, systems, and computer readable media for bridging user authentication, authorization, and access between web-based and telecom domains are disclosed. In one example, a method includes issuing, to an application hosted in a web-based network, an access token associated with a user identifier subscribed to a telecommunications network, wherein the access token is issued in response to receiving telecommunications network credentials from a client device associated with the user identifier, and receiving, at an over the top (OTT) proxy element in the telecommunications network from the application, the access token for requesting user data associated with the client device to be used to access the application. The method further includes retrieving the user data if the access token is valid and a telecommunications network context condition is met, and providing the user data to the application, wherein access to the application by the client device is based on the user data.05-30-2013
20110010765FORENSIC TOOLKIT AND METHOD FOR ACCESSING DATA STORED ON ELECTRONIC SMART CARDS - A tool kit for accessing data stored on an electronic SMART card is provided, the kit comprising a SMART card reader and recorder, at least one storage card, and a control card. The card reader and recorder is operative to read and copy the electronic SMART card onto the storage card, and to read the control card, the storage card comprising a storage card security key. The control card comprises code generation means operative to generate a control card security key, copying of the electronic SMART card onto the storage card being prevented unless the control card security key is verified against the storage card security key.01-13-2011
20110030045Methods and Systems for Controlling Access to Resources and Privileges Per Process - To control privileges and access to resources on a per-process basis, an administrator creates a rule that may be applied to modify a token of a process. The rule may include an application-criterion set and changes to be made to the groups and/or privileges of the token. The rule may be set as a policy within a group policy object (GPO), where a GPO is associated with one or more groups of computers or users. When a GPO containing a rule is applied to a computer, a driver installed on the computer may access the rule(s) anytime a logged-on user executes a process. If the executed process satisfies the criterion set of a rule, the changes contained within the rule are made to the process token, and the user has expanded and/or contracted access and/or privileges for only that process.02-03-2011
20110035794METHOD AND ENTITY FOR AUTHENTICATING TOKENS FOR WEB SERVICES - A method, a system, and an entity for authenticating tokens for web services are provided in the embodiments of the present invention. The present invention relates to a technology used for authenticating a user login token for web services. This helps address a problem in the conventional art, that is, tokens cannot be managed in a centralized manner. An entity for authenticating tokens is provided in the embodiments of the present invention to maintain tokens, where all WSPs are required to authenticate tokens through the entity for authenticating tokens and return the authentication result to the WSR. The embodiments of the present invention are applicable in WSPs, such as the IdP, ID-WSF discovery service, and AP.02-10-2011
20110030047METHOD, APPARATUS AND SYSTEM FOR PROTECTING USER INFORMATION - A method and apparatus for protecting user information. The method includes receiving a request for accessing the user information from an application. When the request does not include an authorized token, the user is requested to temporally confirm the request for access. In response to the confirmation, a token is generated and the user on a mobile service platform is associated with the request for access by the token. The application is then allowed to access the user information based on the token associating the user with the request for accessing the user information from the application.02-03-2011
20110131642CLIENT-SERVER INPUT METHOD EDITOR ARCHITECTURE - In general, one innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving an input method editor (IME) server request, the IME server request including one or more tokens and requesting that an IME server be instantiated, the IME server executing one or more IME functions based on a key event sent from an IME client, wherein the IME server is a stateful server that stores both requests and responses of a communication session between the IME server and the IME client, determining that the IME server can be instantiated in a restrictive environment based on the one or more tokens, and instantiating the IME server in the restrictive environment. Other embodiments of this aspect include corresponding systems, apparatus, and computer programs, configured to perform the actions of the methods, encoded on computer storage devices.06-02-2011
20100146613SYSTEM AND METHOD FOR PROVIDING SILENT SIGN ON ACROSS DISTRIBUTED APPLICATIONS - A system and method is provided for a distributed computing system where a user can login to a client computer and access a number of different applications installed on web servers. These applications are then provided access to data in mainframe systems without a user having to enter mainframe user id or password information for gaining access to the mainframe system. The system and method can utilize a sign on object which is installed onto the client computer. The sign on object operates to obtain and transmit a security token which authorizes access to the mainframe system, and the security token does not require the use of the cookie data. This system and method can pass the security token through the web server and the web application in an encrypted form which limits security risks.06-10-2010
20110214173PROTECTING ACCOUNT SECURITY SETTINGS USING STRONG PROOFS - One or more strong proofs are maintained as associated with an account of a user. In response to a request to change a security setting of the account, an attempt is made to confirm the request by using one of the one or more strong proofs to notify the user. The change is permitted if the request is confirmed via one or more of the strong proofs; otherwise the security setting of the account is kept unchanged.09-01-2011
20090300747USER-PORTABLE DEVICE AND METHOD OF USE IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM - A user-portable computing device configured as a smart card enables a user to carry identification information and to generate security tokens for use in authenticating the user to a service provider. The device includes memory for storing user identities as information cards that are exported to a host computer, presented to a user in visual form, and then selected for use in the authentication process. A security token service installed on the device issues a security token in response to a token request sent from the host computer that references the selected user identity. The security token service uses user attribute information stored on the user device to compose the claim assertions needed to issue the security token. The token is returned to the host computer and used to facilitate the authentication process.12-03-2009
20090313689Method, Device, And System For Network-Based Remote Control Over Contactless Secure Storages - A typical system environment comprises a terminal device, a secure storage subsystem, and an interconnectivity component. The terminal device has a network connectivity subsystem enabled for data connectivity with a wireless communications network. The secure storage subsystem has a secure storage memory for securely storing contents and is enabled for local RF connectivity through a local RF communication subsystem. The secure storage subsystem is operable as a contactless smartcard in accordance with any contactless technology. The interconnectivity component is adapted to enable communication of the secure storage subsystem through the network connectivity subsystem with the network. The interconnectivity component is further configured to detect that messages received from the network are destined for the secure storage subsystem and to supply the identified messages to the secure storage subsystem. The messages enable exercising control over the secure storage subsystem in that the messages comprise one or more instructions to be processed by a secure memory controller of the secure storage subsystem.12-17-2009
20090328178TECHNIQUES TO PERFORM FEDERATED AUTHENTICATION - Techniques to perform federated authentication are described. An apparatus may comprise a resource server having an authentication proxy component to perform authentication operations on behalf of a client. The authentication proxy component comprises an authentication handling module operative to receive an authentication request to authenticate the client using a basic authentication protocol. The authentication proxy component also comprises an authentication discovery module communicatively coupled to the authentication handling module, the authentication discovery module operative to discover an identity server for the client. The authentication proxy component further comprises an authentication manager module communicatively coupled to the authentication discovery module, the authentication manager module operative to retrieve authentication information from the identity server using an enhanced authentication protocol, and authenticate the client to access resource services using the authentication information. Other embodiments are described and claimed.12-31-2009
20090260072IDENTITY OWNERSHIP MIGRATION - Systems, computer-implemented methods, and computer-readable media for establishing an online account with a resource provider are provided. An authentication token including identification of a user from an authentication server is received. The identification of the user from the authentication token is utilized to establish an online account for the user with the resource provider. Additional credentialing information from the user for the online account is received. The additional information received from the user is associated with the online account for the user with the resource provider.10-15-2009
20090313688Method for Electronic Transaction by Mobile Messaging - A transactional process for a transaction with a user using an identification platform including (i) a registration stage including for the user, registering at the level of the platform, which registration includes at least supplying a telephone number of the user, and storing, at the level of the identification platform, at least one electronic token associated with the telephone number, as well as a transaction identifier associated with the transaction and with the electronic token; and (ii) a collection stage of the transaction including for the user, supplying a collection identifier to a collection terminal, and generating the transaction in the case of concordance between the collection identifier and the electronic token.12-17-2009
20090313687One time password - A token calculates a one time password by generating an HMAC-SHA-1 value based upon a key K and a counter value C, then truncating the generated HMAC-SHA-1 value modulo 10^Digit, where Digit is the number of digits in the one time password. The one time password can be validated by a validation server that calculates its own version of the password using K and its own counter value C′. If there is an initial mismatch, the validation server compensates for a lack of synchronization between counters C and C′ within a look-ahead window, whose size can be set by a parameter s.12-17-2009
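The construction in the entry above (20090313687) is the HOTP algorithm published as RFC 4226: HMAC-SHA-1 over the counter, dynamic truncation, reduction modulo 10^Digit, and a server-side look-ahead window s for counter resynchronisation. The following is an added example written for this page, not code from the patent; it uses the RFC 4226 test secret "12345678901234567890" as a constructed key, and the class and parameter names are chosen here.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """One-time password as described in the abstract (RFC 4226 HOTP):
    HMAC-SHA-1 over the 8-byte big-endian counter C under key K,
    dynamic truncation to a 31-bit integer, then reduction modulo 10^Digit."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects the window
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class HotpValidator:
    """Validation server: keeps its own counter C' and a look-ahead window of size s.
    A submitted password is accepted if it matches C' or any of the next s counter
    values; on success C' jumps past the matched value, so a password can never be
    replayed and a stale password (behind C') is refused."""

    def __init__(self, key: bytes, counter: int = 0, digits: int = 6, look_ahead: int = 5):
        self.key = key
        self.counter = counter          # C'
        self.digits = digits
        self.look_ahead = look_ahead    # s

    def validate(self, candidate: str) -> bool:
        for step in range(self.look_ahead + 1):      # C', C'+1, ..., C'+s
            expected = hotp(self.key, self.counter + step, self.digits)
            if hmac.compare_digest(expected, candidate):
                self.counter += step + 1             # resynchronise past the used counter
                return True
        return False                                 # caller should throttle after repeated failures


# Constructed input: the RFC 4226 Appendix D test secret, not a production key.
RFC4226_KEY = b"12345678901234567890"

if __name__ == "__main__":
    server = HotpValidator(RFC4226_KEY, counter=0, look_ahead=5)
    token_counter = 3          # the token was pressed three times without the server seeing a code
    code = hotp(RFC4226_KEY, token_counter)
    print("code:", code, "accepted after drift:", server.validate(code), "C' ->", server.counter)
    print("replay accepted:", server.validate(code))
```

The window is what makes a lost button press survivable; it is also why the server must throttle failed attempts, since each guess is checked against s+1 candidate values rather than one.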
20090217368SYSTEM AND METHOD FOR SECURE ACCOUNT RESET UTILIZING INFORMATION CARDS - New claim identifiers allow account reset and supplemental authorizations to be performed utilizing information cards. The new claim identifiers include claims for simple challenge questions, simple challenge answers, generated-challenge answers, and challenge methods. Each of the new claims can include a tuple. Methods of utilizing the new claim identifiers for account reset and supplemental authorization are also provided.08-27-2009
20110252466Intelligent remote device - An intelligent remote device equipped with a security token operatively coupled thereto is processing communications with a security token enabled computer system over a wireless private network. The intelligent remote device is adapted to emulate a local security device peripheral connected to the computer system. Multiple computer systems may be authenticated to using the intelligent remote device. Additionally, various secure communications connections mechanisms are described which are intended to augment existing security protocols available using wireless network equipment. Authentication of a user supplied critical security parameter is performed by the security token. The critical security parameter may be provided locally via the intelligent remote device or received from the wireless network and routed to the security token. Aural, visual or vibratory feedback may be provided to the user to signal a successful authentication transaction.10-13-2011
20110107410METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR CONTROLLING SERVER ACCESS USING AN AUTHENTICATION SERVER - An access request message is received at an authentication server computer, the access request message identifying an address of an access requesting client device. The authentication server authenticates the access request message and transmits an access authorization message from the authentication server computer to a blocking device that controls access to the protected server computer, the access authorization message identifying the address of the access requesting client device. Access to the protected server computer via the blocking device is controlled responsive to the access authorization message.05-05-2011
20110154467TOKENIZED DATA SECURITY - Provided are devices, methods, systems, computer readable storage media and other means for tokenizing data. In some examples, credit card numbers are tokenized using a pre-generated token map and absent the use of a networked database that stores a relatively large quantity of credit card numbers in a central location. The token map may be generated by a token map generator such that the token map can be used by a tokenizer to replace a portion of an account number with a token, and by a detokenizer to replace the token with the original portion of the account number. A pre-parser and parser may also be used to locate an account number and/or token in a message received over a network.06-23-2011
20110154466TOKENIZED DATA SECURITY - Provided are devices, methods, systems, computer readable storage media and other means for tokenizing data. In some examples, credit card numbers are tokenized using a pre-generated token map and absent the use of a networked database that stores a relatively large quantity of credit card numbers in a central location. The token map may be generated by a token map generator such that the token map can be used by a tokenizer to replace a portion of an account number with a token, and by a detokenizer to replace the token with the original portion of the account number. A pre-parser and parser may also be used to locate an account number and/or token in a message received over a network.06-23-2011
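Added example for the two TOKENIZED DATA SECURITY entries above (20110154467 and 20110154466); it is not the applicant's code. It builds a pre-generated token map as a random bijection over the replaced portion of a 16-digit account number, so tokenizer and detokenizer need no central database of card numbers, and uses a regular expression in place of the abstract's pre-parser/parser to find account numbers in a message. The layout (six clear leading digits, four clear trailing digits, six replaced digits), the `TokenMap` class, the seeded generator and the sample message are this example's own assumptions.

```python
import random
import re
from array import array

# Layout assumed for this example: a 16-digit PAN keeps its first six digits
# (issuer prefix) and last four in the clear; the six in between are replaced.
CLEAR_PREFIX = 6
CLEAR_SUFFIX = 4
PORTION_LEN = 16 - CLEAR_PREFIX - CLEAR_SUFFIX

# Constructed stand-in for the abstract's pre-parser/parser: finds 16-digit
# runs (PANs and the tokens that replace them share this shape).
PAN_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")


class TokenMap:
    """A pre-generated bijection over every value of the replaced portion,
    generated once and shared by tokenizer and detokenizer.  The map itself is
    the secret; the seed exists only to make this demo reproducible, a real
    generator would draw the permutation from a CSPRNG and never from a seed."""

    def __init__(self, portion_len: int, seed: int):
        n = 10 ** portion_len
        forward = list(range(n))
        random.Random(seed).shuffle(forward)
        # Remove fixed points: a token equal to the digits it replaces would leak them.
        for i in range(n):
            if forward[i] == i:
                j = (i + 1) % n
                forward[i], forward[j] = forward[j], forward[i]
        self.portion_len = portion_len
        self.forward = array("I", forward)          # plain portion -> token portion
        self.reverse = array("I", [0]) * n          # token portion -> plain portion
        for plain, tok in enumerate(forward):
            self.reverse[tok] = plain

    @staticmethod
    def _split(value: str):
        return value[:CLEAR_PREFIX], value[CLEAR_PREFIX:-CLEAR_SUFFIX], value[-CLEAR_SUFFIX:]

    def tokenize(self, pan: str) -> str:
        head, mid, tail = self._split(pan)
        return head + str(self.forward[int(mid)]).zfill(self.portion_len) + tail

    def detokenize(self, token: str) -> str:
        head, mid, tail = self._split(token)
        return head + str(self.reverse[int(mid)]).zfill(self.portion_len) + tail


# Built once at import; in a deployment both endpoints would load the same map.
TOKEN_MAP = TokenMap(PORTION_LEN, seed=2024)


def tokenize_message(message: str, token_map: TokenMap = TOKEN_MAP) -> str:
    """Replace every account number located in the message with its token."""
    return PAN_RE.sub(lambda m: token_map.tokenize(m.group(0)), message)


def detokenize_message(message: str, token_map: TokenMap = TOKEN_MAP) -> str:
    """Inverse of tokenize_message for the receiving side that holds the map."""
    return PAN_RE.sub(lambda m: token_map.detokenize(m.group(0)), message)


if __name__ == "__main__":
    sample = "auth pan=4111111111111111 amt=12.00 ref=INV-778"   # constructed message
    print(tokenize_message(sample))
```

Because the map is a permutation of the replaced portion, the token keeps the length and digit-only shape of the original, so existing message formats pass it untouched; only a party holding the map can reverse it, and the map never has to be queried over the network.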
20110252467SYSTEM AND METHOD FOR TRUSTED COMMUNICATION - A trusted communication system and methods of ensuring trusted communications are provided. A trusted communication system may comprise: a first token identifying a first portable memory device, a second token identifying a second portable memory device, a database configured to store tokens and associations therebetween and a trusted communication server configured to (i) receive a request from a second client, said second client configured to operate with the second portable memory device, to allow said second client to access a first network resource related to a first client configured to operate with the first portable memory device, the request including the second token, and (ii) query the database to determine whether there is an association between the second token and the first token, wherein upon a determination that the database server contains an association between second token and the first token, the trusted communication server permits the second client access to the first network resource.10-13-2011
20120304273Tokenizing Sensitive Data - Included are embodiments for tokenizing sensitive data. Some embodiments of systems and/or methods are configured to receive sensitive data from a vendor, determine a token key for the vendor, and utilize a proprietary algorithm, based on the token key to generate a vendor-specific token that is associated with the sensitive data. Some embodiments include creating a token identifier that comprises data related to the token key sending the vendor-specific token and the token identifier to the vendor.11-29-2012
20110154465TECHNIQUES FOR ACCESSING DESKTOP APPLICATIONS USING FEDERATED IDENTITY - Techniques for extending federation services to access desktop applications are herein described. In addition to the foregoing, other aspects are described in the claims, drawings, and text forming a part of the present disclosure.06-23-2011
20110078780USER AUTHENTICATION SYSTEM AND METHOD FOR ENCRYPTION AND DECRYPTION - A system configured to authenticate a user for encryption or decryption includes a user authentication apparatus, a computer-readable medium operable to communicate with the user authentication apparatus, and an encryption and decryption computer communicating with the user authentication apparatus. The computer-readable medium may store user identifying information and encryption and decryption data. The encryption and decryption computer may be configured to receive an application programming interface (API) for interfacing with the user authentication apparatus and receive the user identifying information from the computer-readable medium via the API. A user may be authenticated based on the user identifying information and, once the user is authenticated, the encryption and decryption data may be read.03-31-2011
20110072503METHOD OF AUTHENTICATION FOR A WIRELESS ENABLED MEMORY CARD - A method of authentication for a memory card is disclosed. The method comprises using a wireless-enabled mobile telecommunication-enabled apparatus to wirelessly and directly detect and connect to the memory card, the memory card being wireless-enabled. A keypad of the wireless-enabled mobile telecommunication-enabled apparatus is used to enter and wirelessly send directly to the memory card at least one of a user name and an authentication code. A processor in the memory card compares the user name and/or authentication code with a stored user name and/or authentication code in the memory card. Upon the processor validating the user name and/or authentication code, the memory card is activated for use.03-24-2011
20110035793TRANSPARENT RECONNECTION - In the event of an unintentional interruption, a token issued by a host system to a client system is used to reestablish communications without disrupting applications on the client system. If the host system provided an Internet Protocol address to the client system to be used during the interrupted communications session, the host system reserves the communications address during an interruption in communications for a period sufficient to permit reestablishment of communications using the reserved address.02-10-2011
20110030046GUARDIAN MANAGEMENT SYSTEM - A computer-implemented method for allowing a guardian for a dependent to manage electronic services provided by a third party service provider to the dependent comprises the steps of: establishing an account for the dependent with the service provider by providing at least one item of dependent information; communicating the dependent information to a guardian management system; generating a token that is associated with the dependent information; storing the dependent information and the token at the guardian management system; communicating the token to the service provider; storing the dependent information and the token at the service provider; communicating the token to the guardian; receiving at least one constraint on access to the service provider from the guardian; associating the at least one constraint with the token; and using the token to retrieve the at least one constraint when the dependent accesses the electronic services provided by the service provider.02-03-2011
20100325715BROWSER PLUG-IN FOR SECURE CREDENTIAL SUBMISSION - Described is a technology by which a plug-in (e.g., an ActiveX® control) instantiated by a web browser calls functions of a credential service to use a set of credential data (e.g., a card file) for logging into a website. If the credential service determines that a previously used card file for the website exists, a representation of that card file is displayed in the browser, and the data of that card file is used to obtain a token for logging in the user. If not found, an icon is presented instead, by which the user can select a user interface that allows selection of another card file that meets the website's requirements.12-23-2010
20100299739METHOD, TERMINAL, APPARATUS, AND SYSTEM FOR DEVICE MANAGEMENT - A method, a terminal, an apparatus, and a system for device management (DM) are provided. Specifically, a DM terminal, a DM apparatus, a bootstrap method and system, a method for acquiring a device description framework (DDF), a terminal management method and system, a method and system for acquiring a management node property, a method and system for retrieving a management object (MO) address, a method for managing an execution mode of a command, a method for maintaining a management session, and a method for obtaining a terminal activated MO are provided. The bootstrap method includes the following steps. A terminal receives bootstrap information of a server. The bootstrap information includes a server identifier (ServerID) of the server. The terminal performs bootstrap or re-bootstrap according to the bootstrap information. Therefore, management effectiveness, efficiency, and communication traffic may be improved, so as to enhance the efficiency and effectiveness of the server's management of the terminal.11-25-2010
20080229401METHODS AND SYSTEMS FOR CONFIGURABLE SMARTCARD - An embodiment relates generally to a method of using a token. The method includes embedding the token with at least one action and detecting a presence of the token. The method also includes authenticating the token; and executing an applet in response to a valid authentication of the token.09-18-2008
20120204250Securing Unrusted Content For Collaborative Documents - A method and an apparatus that configure a sandbox document for secure presentation of a block of data stored in the sandbox document in response to an editing request from a client are described. A presentable content corresponding to a document may be sent to the client for editing. The document and the sandbox document may be separately addressable by separate paths of separate domains. The editing request may include the block of data to update the presentable content of the document. The updated presentable content may include a hyperlink to the sandbox document. The edited document and the sandbox document may allow secure presentation of the block of data within the updated presentable content of the edited document without a need to filter the block of data.08-09-2012
20090328181Service integration platform system and method for internet services - A service integration platform system includes an interface configured to receive a service request initiated by an Independent Software Vendor (ISV) and one or more processors configured to authenticate the service request and in the event that the service request is authenticated, route the service request to an Internet Service Provider (ISP) providing the service to be further processed. The service request is routed to a deployment environment provided by the ISP in the event that the service request is received on a deployment Universal Resource Identifier (URI) corresponding to the deployment environment; the service request is routed to a test environment provided by the ISP in the event that the service request is received on a test URI corresponding to the test environment.12-31-2009
20090241179Enabling peripheral communication in a local area network - In one embodiment, the present invention includes a component to be coupled to a peripheral device to enable the peripheral device to appear to be locally connected to a computer of a local area network, although the peripheral device is not physically connected to the computer. The component may include a first set of registers to store a mirrored copy of control register information present in a second set of registers of a host controller interface of the computer. Other embodiments are described and claimed.09-24-2009
20110258690SECURE HANDLING OF IDENTIFICATION TOKENS - A method for authentication includes, in a first computer (10-20-2011
20080313727Dynamic Discovery and Database Password Expiration Management - An approach that proactively manages login security data is provided. The system selects requesters of a software application resource. A privileged requester is used to request login security data pertaining to the selected requesters. The login security data that is received is compared to one or more parameters that indicate which action(s) should take place. Based on this comparison, one or more actions are taken on behalf of the selected requesters. One of the actions that can be taken is a grace period. One of the actions that can be taken is an automatic security setting update. Another action that can be taken is an automatic notification that automatically informs a user or application that a requestor's access to the resource is about to expire.12-18-2008
20080313726Integrated systems for simultaneous mutual authentication of database and user - In the field of user authentication, the present invention provides an integrated system for the mutual authentication of a system database and a registered user with a view to increasing the security of remote authentication and the prevention of “phishing/man-in-the-middle” attacks, by one of several alternative means including Code matching, PIN verification, Image reproduction and recognition, Signature and personal data verification, DNA verification and Biometric verification, in each case by means of the differential between variable Codes computed at the database from data recorded for that user and at a remote terminal from replicate data retrieved from a data carrying device. The Codes are derived from the recorded data and a simple algorithm such that the Codes are not predictable.12-18-2008
20080313725Computer system protection - Methods, systems, and computer program products for computer system protection are provided. Embodiments protect against unauthorized access to information on stolen and/or illegally transported computer systems. Embodiments include locking of functionalities within a computer system when the computer system moves outside a designated area. Embodiments include limiting access to functionalities within the computer system based on the location of the computer system. Embodiments of the present invention include allowing variable levels of access protection depending on the location of the computer system.12-18-2008
20110055913Multi-Level Authentication - Approaches for performing a multiple level authentication on an entity are provided. A primary authentication credential and a secondary authentication credential may be established for a user account. The primary authentication credential uniquely identifies a particular account of the software application. The secondary authentication credential uniquely identifies an entity, such as a user, application, or device, authorized to use the particular user account. Upon receiving a request to access the software application using the particular user account, a determination is made as to whether the request is accompanied by the primary authentication credentials and a secondary authentication credential associated with the particular user account. Upon determining that the request is accompanied by valid primary and secondary authentication credentials for the user account, limited access, based upon the secondary authentication credential, to the software application using the particular user account is granted.03-03-2011
20100313258IDENTIFYING SYNONYMS OF ENTITIES USING A DOCUMENT COLLECTION - Identifying synonyms of entities using a collection of documents is disclosed herein. In some aspects, a document from a collection of documents may be analyzed to identify hit sequences that include one or more tokens (e.g., words, numbers, etc.). The hit sequences may then be used to generate discriminating token sets (DTS's) that are subsets of both the hit sequences and the entity names. The DTS's are matched with corresponding entity names, and then used to create DTS phrases by selecting adjacent text in the document that is proximate to the DTS. The DTS phrases may be analyzed to determine whether the corresponding DTS is a synonym of the entity name. In various aspects, the tokens of an associated entity name that are present in the DTS phrases are used to generate a score for the DTS. When the score at least reaches a threshold, the DTS may be designated as a synonym. A list of synonyms may be generated for each entity name.12-09-2010
20080250486DESIGN STRUCTURE FOR LOCAL BLADE SERVER SECURITY - A design structure embodied in a machine readable storage medium for designing, manufacturing, and/or testing a design for a local blade server security is provided. The design structure includes a system capable of extracting authentication information for a local user from a USB keydrive inserted in the chassis of the blade server; comparing the extracted authentication information with predetermined authentication credentials; and granting access to one or more resources on the blade server if the extracted authentication information matches the predetermined authentication credentials; and denying access to one or more resources on the blade server if the extracted authentication information does not match the predetermined authentication credentials.10-09-2008
20120311689REDIRECTION USING TOKEN AND VALUE - A client is redirected by a relying party to the supporting entity (such as an identity or claims provider). The relying party also sends a cookie that includes a nonce, and another copy of the nonce in a redirection context (e.g., in a context string). The client then communicates with the supporting entity to facilitate the supporting service, whereupon the supporting entity sends a validation token back to the client evidencing completion of the supporting service. The supporting party also sends the nonce back as part of the redirection context (e.g., in a context string). The client then sends a followup service request that includes the cookie, the nonce returned by the supporting entity, and the validation token to the relying party. The relying party may compare the nonce in the cookie with the nonce returned by the supporting entity to verify that the request is valid.12-06-2012
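Added example for the REDIRECTION USING TOKEN AND VALUE entry above; it is not the applicant's code. It plays the exchange out with a relying party that issues the same nonce in a signed cookie and in the redirection context, a supporting entity that echoes the context back with a validation token, and a follow-up request that is accepted only when the cookie nonce and the returned nonce agree. The token format (an HMAC-signed JSON blob checked with a key shared between the two parties), the single-use nonce set, and the class and method names are this example's own assumptions; the abstract specifies the nonce comparison, not these details.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class SupportingEntity:
    """The identity/claims provider the client is redirected to.  When its
    service is done it returns a validation token and echoes the redirection
    context (the nonce) unchanged.  Token format is an assumption."""

    def __init__(self, token_key: bytes):
        self.token_key = token_key

    def complete(self, subject: str, context: str) -> dict:
        payload = base64.urlsafe_b64encode(json.dumps({"sub": subject}).encode()).decode()
        return {"token": payload + "." + _sign(self.token_key, payload.encode()),
                "context": context}


class RelyingParty:
    def __init__(self, cookie_key: bytes, token_key: bytes):
        self.cookie_key = cookie_key
        self.token_key = token_key
        self.outstanding = set()        # nonces issued but not yet consumed (single use)

    def begin(self):
        """Redirect step: the nonce goes out twice, in a signed cookie the
        client keeps and in the context string that travels with the redirect."""
        nonce = secrets.token_urlsafe(16)
        self.outstanding.add(nonce)
        cookie = nonce + "." + _sign(self.cookie_key, nonce.encode())
        return cookie, nonce

    def finish(self, cookie: str, returned_context: str, token: str):
        """Follow-up request: accept only if the cookie is ours, the nonce in it
        equals the nonce the supporting entity returned, and the token verifies.
        Returns the authenticated subject, or None on any failure."""
        try:
            nonce, cookie_sig = cookie.rsplit(".", 1)
            payload, token_sig = token.rsplit(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(cookie_sig, _sign(self.cookie_key, nonce.encode())):
            return None                 # cookie forged or altered by the client
        if not hmac.compare_digest(nonce, returned_context):
            return None                 # token came out of somebody else's redirect
        if nonce not in self.outstanding:
            return None                 # replayed, or never issued by us
        if not hmac.compare_digest(token_sig, _sign(self.token_key, payload.encode())):
            return None                 # token not issued by the supporting entity
        self.outstanding.discard(nonce)
        return json.loads(base64.urlsafe_b64decode(payload))["sub"]


if __name__ == "__main__":
    shared = b"key shared by relying party and supporting entity"   # assumption
    idp, rp = SupportingEntity(shared), RelyingParty(b"rp cookie key", shared)
    cookie, ctx = rp.begin()
    reply = idp.complete("alice", ctx)
    print(rp.finish(cookie, reply["context"], reply["token"]))
```

The nonce comparison is what stops an attacker from completing their own redirect and then planting the resulting token in a victim's browser: the victim's cookie carries a different nonce from the one the supporting entity returns with the attacker's token, so the follow-up request is refused even though the token itself is genuine.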
20110138454SYSTEMS AND METHODS FOR FACILITATING USER AUTHENTICATION OVER A NETWORK - In accordance with embodiments of the present disclosure, systems and methods for facilitating network transactions include user authentication over a network by providing strong mutual authentication of client web application to server side application server, providing session encryption key negotiation after authentication to continue encryption during communication, and providing a high-level encryption technique referred to as an effective zero knowledge proof of identity (eZKPI) algorithm. In various implementations, the eZKPI algorithm is adapted to couple something the user Knows (e.g., a password or personal identification number) with something the user Has (e.g., a secure identification card) to create a stronger identity authentication proof for access to a mobile device and applications running on the mobile device.06-09-2011
20110093943AUTOMATIC ACCESS SYSTEM, HOST COMPUTER, DEVICE, RESPONSE DEVICE, REMOTE CODE READER SYSTEM, BARCODE READER, AUTOMATIC ACCESS METHOD, AUTHENTICATION METHOD, COMPUTER PROGRAM, AND RECORDING MEDIUM - A terminal 04-21-2011
20110167488SYSTEMS AND METHODS FOR LOCATION AWARE ACCESS CONTROL MANAGEMENT - Described herein are systems and methods for access control management, these generally being directed towards location aware access control management. Embodiments of the invention have been particularly developed for providing additional functionalities in access control systems having disconnected devices, and the present disclosure is primarily focused accordingly. For example, embodiments include access control devices configured to operate in conjunction with a GPS receiver or other source of geographical positional information, and methods associated with the use of such devices.07-07-2011
20110179478Method for secure transmission of sensitive data utilizing network communications and for one time passcode and multi-factor authentication - The invention is directed to a secure data transmission system and method for use in connection with potentially untrusted computer systems and data communication networks. The method involves transmission of sensitive data, such as authentication credentials, between at least two entities (for example, client and server systems and zero or more trusted token systems). This method utilizes symmetric encryption, shared secrets, and data strings composed of pseudo-random characters (also known as “tokens”) to authenticate entities to other entities and to securely transmit data between entities.07-21-2011
20110179477SYSTEM INCLUDING PROPERTY-BASED WEIGHTED TRUST SCORE APPLICATION TOKENS FOR ACCESS CONTROL AND RELATED METHODS - A target device may have a target application and a web application thereon, and a trust broker may generate an application token having associated therewith a state attribute having at least one of a hash digest and a property value assertion, and weighted trust score. The application token may correspond to a level of trustworthiness, in near real time, of a running application instance of the target application. A trust monitor may monitor an execution state of the target application, and an authentication broker may authenticate a user to the web application and based upon a web services query for remote verification of the target application. A network access enforcer may control access of an authenticated user to the target application, and a trust evaluation server may interrogate the target application and generate a trust score.07-21-2011
20090300746SYSTEM INTEGRATING AN IDENTITY SELECTOR AND USER-PORTABLE DEVICE AND METHOD OF USE IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM - A combination includes a user-portable computing device, and an identity selector adapted for interoperable use with the user device. The user computing device includes a security token service that issues security tokens in reference to a portfolio of user identities stored as information cards on the user device. The issuance of security tokens employs user attribute information that is stored onboard the user device. The identity selector exports the information cards from the user device and determines which user identity satisfies a security policy promulgated by a relying party as part of an authentication process within the context of an online interaction. The identity selector generates a token request based on one of the eligible user identities, and forwards the token request to the user device to invoke the token issuance operation. The identity selector presents the issued security token to the relying party to comply with the security policy.12-03-2009
20090260073COMMUNICATION TERMINAL AND METHOD OF PROVIDING UNIFIED INTERFACE TO THE SAME - A communication terminal and a method of providing a unified natural language interface to the same are disclosed. The method includes: determining, when text information containing many characters is created, whether the text information conforms to one of preset grammatical constraints; extracting, when the text information conforms to one of the grammatical constraints, tokens of one or more of characters from the text information, and extracting, when the text information does not conform to one of the grammatical constraints, one or more characters having an attribute probability higher than a reference probability as a token; and analyzing the extracted tokens to, determine a function to handle the extracted tokens, and executing the determined function based on the extracted tokens.10-15-2009
20110191843UNIVERSAL DEVICE ID REGISTRY, BACK-END, AND SELF-VERIFICATION ARCHITECTURE - Modular devices consist of a user-interface shell and a detachable communication cartridge. The shell and cartridge both contain unique serial numbers, user-defined passwords, and secret authentication keys, which can be communicated to cartridges and shells, and to a network. A universal wireless device registry system stores serial numbers of integrated devices, device shells, and device cartridges, and other characteristics associated with devices such as secret keys, passwords, screen size, operating system, service usage, and supply chain information. This registry system is able to track communication devices all around the world and is connected to and shares information with computer servers controlled by service providers, manufacturers, and supply chain companies. When shells and cartridges communicate their numbers to the registry system, the registry system can authenticate shells and cartridges. Service providers can also track and control shells and cartridges (as well as devices) based on information from the registry system. Market research can be done using the information associated with each device on the registry system.08-04-2011
20110191841METHOD AND TRUSTED SERVICE MANAGER FOR PROVIDING FAST AND SECURE ACCESS TO APPLICATIONS ON AN IC CARD - A method for providing fast and secure access to MIFARE applications installed in a MIFARE memory (MM) being configured as a MIFARE Classic card or an emulated MIFARE Classic memory, comprises: keeping a repository (08-04-2011
20100058453IDENTIFICATION PROCESS OF APPLICATION OF DATA STORAGE AND IDENTIFICATION HARDWARE WITH IC CARD - The present invention relates to an identification process of application of data storage and identification hardware with IC (Integrated Circuit) card, and particularly to an IC card and within identification ICCID and GLN, which can be installed in a USB compatible flash memory, as identification hardware device. This can be as a useful authorization process of records companies or intellectual property owners. The hardware can also be used as storage media. Use non-duplication code in IC card and encryption system to ensure user authentication and data confidentiality on Internet or any other information system of computer. As using normal private key the invention is easy and convenient to use.03-04-2010
20100031336Peripheral Security Device - A peripheral security device is capable of being physically connected to a host terminal, on which is installed at least one software driver that is capable of permitting communication between said host terminal and a peripheral device with a human interface. This peripheral security device comprises a microprocessor capable of sending security data to the terminal during communication with the terminal. It is characterized in that the communication between the peripheral security device and the host terminal is managed at the level of the terminal via the software driver and simulates a communication between the peripheral device with a human interface and the host terminal.02-04-2010
20100024024Authentication System and Process - An authentication system including: (i) a user device, such as a mobile phone or media player, for storing random identification data for a user of the user device, and for processing entered token data to generate response data on the basis of the identification data; (ii) a client device, such as a personal computer, for use by the user to request a session, such as an online banking session, with a server system, for receiving the token data in response to the request, and for sending the response data to the server system; and (iii) a server of the server system, for storing the random identification data for the user, generating the token data for the client device on the basis of the identification data in response to the request, and for processing the response data to determine authentication for the client device for the session.01-28-2010
20100017867SELF-MANAGEMENT NETWORK ACCESS USING LOCALIZED ACCESS MANAGEMENT - The invention provides a method and system for locally tracking network usage and enforcing usage plans at a client device. In an embodiment of the invention, a unique physical key, or token, is installed at a client device of one or more networks. The key comprises a usage application and one or more access parameters designating the conditions and/or limits of a particular network usage plan. Upon initial connection to the network, the usage application grants or denies access to the network based on an analysis of the current values of the access parameters. Therefore, network usage tracking and enforcement is made simple and automatic without requiring any back-end servers on the network, while still providing full flexibility in changing billing plans for any number of users at any time.01-21-2010
20100017866SECURE USER INTERACTION USING VIRTUALIZATION - A first virtualization layer is inserted between (i) an operating system of a computer system, and (ii) at least first and second hardware devices of the computer system. Data is communicated between the first hardware device and the second hardware device, via the first virtualization layer, without exposing the data to the operating system.01-21-2010
20090077646SYSTEM AND METHOD FOR IDENTITY VERIFICATION - A system and method verify a user's identity in an Internet-related transaction. One system and method use a personal computer having identification information, a card reader, and a personal identification card having access information, to verify a user's identity using the access information and the identification information. Another system and method use a personal computer, a card reader, and a personal identification card having access information, wherein the card reader is included as part of a mouse coupled to the personal computer and wherein a user's identity is verified using the access information. Another system and method use a personal computer, a device coupled to the personal computer having identification information, a card reader, and a personal identification card having access information to verify a user's identity using the access information and the identification information. Another system and method use a personal computer, a fingerprint reader, a card reader, and a personal identification card having access information to verify a user's identity using the access information and the data of the fingerprint reader.03-19-2009
20110307948EXTENDING A CUSTOMER RELATIONSHIP MANAGEMENT EVENTING FRAMEWORK TO A CLOUD COMPUTING ENVIRONMENT IN A SECURE MANNER - A customer relationship management (CRM) eventing framework may be extended to a cloud computing environment. A listening channel may be opened between a service and a service bus in a cloud computing environment. The cloud computing environment may also include an authenticating service. Service information for the service may be registered with a CRM. The CRM may receive a request made by a requester. The request may trigger a request processing pipeline in an eventing framework. The CRM may post event data responsive to the request to the service bus. The service may receive the event data, process it and may send back a confirmation or response. The CRM may finally send a response to the requester.12-15-2011
20110307947FLEXIBLE END-POINT COMPLIANCE AND STRONG AUTHENTICATION FOR DISTRIBUTED HYBRID ENTERPRISES - Systems, methods and apparatus for accessing at least one resource hosted by at least one server of a cloud service provider. In some embodiments, a client computer sends authentication information associated with a user of the client computer and a statement of health regarding the client computer to an access control gateway deployed in an enterprise's managed network. The access control gateway authenticates the user and determines whether the user is authorized to access the at least one resource hosted in the cloud. If the user authentication and authorization succeeds, the access control gateway requests a security token from a security token service trusted by an access control component in the cloud and forwards the security token to the client computer. The client computer sends the security token to the access component in the cloud to access the at least one resource from the at least one server.12-15-2011
20110307949SYSTEM AND METHODS FOR ONLINE AUTHENTICATION - A method of authenticating a network client to a relying party computer via a computer server comprises the computer server receiving a transaction code from a token manager via a first communications channel. The network client is configured to communicate with a token manager which is configured to communicate with a hardware token interfaced therewith. The network client is also configured to communicate with the relying party computer and the computer server. The computer server also receives a transaction pointer from the relying party computer via a second communications channel that is distinct from the first communications channel. Preferably, the transaction pointer is unpredictable by the computer server. The computer server transmits an authorization signal to the relying party computer in accordance with a correlation between the transaction code and the transaction pointer. The authorization signal facilitates authentication of the network client to the relying party computer.12-15-2011
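The two-channel correlation in the abstract above, as an added example (not code from the patent or its assignee). The server receives transaction codes from a token manager on one channel and transaction pointers from relying parties on another, and emits an authorization signal only when a pending code matches a pending pointer, in whichever order the two arrive. The HMAC construction of the code, the names AuthServer, transaction_code and new_transaction_pointer, and the provisioning of a per-token key into the server are assumptions made for illustration; the abstract only requires that the server be able to correlate the two values and that the pointer be unpredictable to the server.

```python
import hashlib
import hmac
import secrets


def transaction_code(token_key: bytes, pointer: str) -> str:
    """Code a hardware token derives for a transaction pointer.
    The HMAC construction is an assumption for this example; the abstract only
    requires that the server can correlate the code with the pointer."""
    return hmac.new(token_key, pointer.encode(), hashlib.sha256).hexdigest()[:16]


def new_transaction_pointer() -> str:
    """Generated by the relying party with a CSPRNG, so the server cannot predict it."""
    return secrets.token_hex(16)


class AuthServer:
    """Receives codes on channel 1 (token manager) and pointers on channel 2
    (relying party) in either order, and emits an authorization signal only
    when a pending code matches a pending pointer."""

    def __init__(self):
        self._token_keys = {}   # token_id -> key provisioned into the hardware token
        self._pointers = {}     # rp_id -> set of pointers awaiting a code
        self._codes = {}        # token_id -> set of codes awaiting a pointer
        self.signals = []       # authorization signals sent to relying parties

    def provision_token(self, token_id: str, key: bytes) -> None:
        self._token_keys[token_id] = key

    def receive_pointer(self, rp_id: str, pointer: str):
        """Channel 2: pointer from the relying party."""
        self._pointers.setdefault(rp_id, set()).add(pointer)
        return self._correlate()

    def receive_code(self, token_id: str, code: str):
        """Channel 1: code from the token manager."""
        if token_id not in self._token_keys:
            return None  # unknown token: nothing to correlate against
        self._codes.setdefault(token_id, set()).add(code)
        return self._correlate()

    def _correlate(self):
        for rp_id, pointers in self._pointers.items():
            for pointer in list(pointers):
                for token_id, codes in self._codes.items():
                    expected = transaction_code(self._token_keys[token_id], pointer)
                    for code in list(codes):
                        if hmac.compare_digest(expected, code):
                            # consume both values so neither can be replayed
                            pointers.discard(pointer)
                            codes.discard(code)
                            signal = {"rp_id": rp_id, "pointer": pointer,
                                      "token_id": token_id, "authorized": True}
                            self.signals.append(signal)
                            return signal
        return None
```

Because the pointer is generated by the relying party and never travels on the code channel, a party that controls only one of the two channels cannot produce a correlated pair on its own; the constant-time comparison and the one-shot consumption of both values are the details a reviewer would look for in a real implementation.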
20120042371APPARATUS AND METHOD FOR RETRIEVING A BOARDING PASS - The subject matter discloses a computerized apparatus having a processor configured for providing access to an authentication token, the authentication token being generated by a remote computing device, wherein a link to the remote computing device is embedded in a message sent to the computerized apparatus. The apparatus comprises a message detecting module configured for detecting the message; a transmitting module configured for sending a request to the remote computing device for receiving the authentication token, wherein the request is according to the extracted link; a downloading module configured for downloading the authentication token returned from the remote computing device; a storing module configured for storing the authentication token downloaded by the downloading module in a storage of the computerized apparatus; and an access module configured for accessing the authentication token, stored in the storage, according to predetermined rules.02-16-2012
20090172797METHOD AND SYSTEM FOR SECURING APPLICATION PROGRAM INTERFACES IN UNIFIED EXTENSIBLE FIRMWARE INTERFACE - A method and system for securing a unified extensible firmware interface application program interface includes establishing a software hook for the application program interface during a pre-boot phase of a computing device and granting or denying access to the application program interface based on a comparison of a user token, which identifies the user, and an access control entry of an access control list associated with the application program interface.07-02-2009
20120060210REAUTHENTICATION TO A WEB SERVICE WITHOUT DISRUPTION - Authenticating internet application sessions. A method includes downloading client side code that when executed implements one or more client side modules including at least one module with message interception functionality. The method includes executing the client side code to implement the one or more client side modules. A request is sent to an internet application server. In response to the request, a message is received from the internet application server indicating that the request is not authorized. The message from the internet application server indicating that the request is not authorized is intercepted at the one or more client side modules. The one or more client side modules, as a result of the message indicating that the request is not authorized, send a request for authentication in a required format for authentication. Authentication is performed without losing user state associated with the request to the internet application server.03-08-2012
20100100952NETWORK AGGREGATOR - A device, system and method for aggregating resources, services or data across a network in which data and services from various source networks can be converted into an internal, aggregatable form (or vice versa) that can be sent to relevant properties or systems on request or through scheduling. The framework of the device, system and method permits scalability and can potentially support any number of users, applications and services.04-22-2010
20120047568Digital Asset Management on the Internet - Techniques pertaining to managing digital assets and data stored in various third-party web services on the Internet are disclosed. A web platform based on web standards is constructed. A web driver containing specifications of a plurality of digital asset management feature plug-ins is provided. A third-party web service on the Internet implements the web driver by adding programming codes according to the specifications and returns the implemented web driver. The web platform registers the third-party web service by storing the web driver in a database. Any registered web services can be added to the web platform as virtual storage devices, or Smart Drives, by a user. Digital assets and data stored in various registered third-party web services can be directly managed or ported from one to the others through accessing corresponding Smart Drives without having to go through multiple logins.02-23-2012
20120210415METHOD, APPARATUS AND SYSTEM FOR PROVISIONING A PUSH NOTIFICATION SESSION - A system and method for provisioning a push notification session via a communications network between an application on a client terminal and a server corresponding to the application. In one aspect, a push provisioning entity transmits a message to the client terminal, whereby to configure the client terminal into a state in which it is able to request a push notification session with the server. An application on the client terminal can then request establishment of a push notification session by transmitting a push notification session request message to the push provisioning entity. The push provisioning entity generates a token for use in validating the push notification session, associates the generated token with the application and transmits the token to the application, which uses it to establish the push notification session.08-16-2012
20120005740SYSTEM AND METHOD FOR VERIFYING A SECURITY TOKEN - A policy description for a web service is received at a web service client. The policy description includes a predefined security policy constraint, requires that an application requesting execution of the web service also provide a security token generated by a security token service, and requires that the security token comply with the predefined security policy constraint. A message is generated that is compliant with the policy description for obtaining the security token. The message is sent to the security token service. The security token generated by the security token service is received in response to receipt of the message. The security token is compared against the predefined security policy constraint to verify compliance of the security token generated by the security token service with the predefined security policy constraint.01-05-2012
20120011579BIOMETRIC AUTHENTICATION DEVICE, BIOMETRIC AUTHENTICATION METHOD AND STORAGE MEDIUM - A biometric authentication device includes: a biometric information obtain portion obtaining biometric information of a user; a biometric condition determine portion determining whether the biometric condition of the user is good or bad according to the biometric information of the user; a biometric matching portion performing a matching against registered biometric information registered in advance based on the biometric information; an alternate authentication portion performing an authentication based on information that is different from the biometric information; and an alternate authentication control portion switching validation and invalidation of the authentication by the alternate authentication portion according to a determination result of the biometric condition determine portion.01-12-2012
20120017269INVOCATION OF THIRD PARTY'S SERVICE - Invoking a computer implemented service includes receiving a request from a first user to access a service associated with a second user. The request is associated with a security token for the first user and an identity token for the second user. The acceptability of the security token is determined to authenticate the first user, and the acceptability of the identity token is determined to securely identify the second user. The first user is able to access the service associated with the second user conditioned on the security token being determined to be acceptable and the identity token being determined to be acceptable.01-19-2012
20120023567TOKEN VALIDATION FOR ADVANCED AUTHORIZATION - A server computer for implementing advanced authorization using token validation is provided. The server computer comprises a processor and a computer readable medium coupled to the processor comprising code executable by the processor for implementing a method. The method comprises receiving verification information that is based on a verification token associated with a client computer. The method further comprises receiving transaction information associated with a first transaction and receiving account information associated with a payment account used in the first transaction. A risk score associated with the first transaction is generated based on at least the verification information, the transaction information, and the account information.01-26-2012
20120023566Fraudulent Page Detection - A method of determining whether a page is a fraudulent page comprising the steps of: extracting a plurality of tokens from the page, (01-26-2012
20120066757ACCESSING DATA BASED ON AUTHENTICATED USER, PROVIDER AND SYSTEM - A method that includes authenticating an authentication system, a user, and a service provider, generating an access code based on a combination of data related to the authenticated user and data related to the authenticated service provider, and using the access code to access at least some of data storage locations is described herein.03-15-2012
20120159601Transition from WS-Federation Passive Profile to Active Profile - A server system sends a first credential request to a passive requestor at a client device. After sending the first credential request, the server system receives a credential for a user of the client device. If the credential is valid, the server system can provide the passive requestor with access to a resource provided by the server system. After providing the passive requestor with access to the resource, the server system provides an active requestor at the client device with access to the resource without sending a second credential request to the active requestor. Consequently, it may not be necessary for a user of the client device to provide credentials twice in order for the passive requestor and the active requestor to access the resource.06-21-2012
20120159604Method and System for Communication Between Devices - An embodiment of the present invention includes a system for communicating digital data from a preferably small battery-powered device (e.g., key-chain or pocket-sized form factor) to a personal electronic device (e.g., a smartphone such as an iPhone or a Nexus One). The communication mechanism of the present invention can be used as second-factor authentication. The present invention can also be used as a key for accessing physical locations such as buildings. Alternatively, the present invention can be used as a means of transmitting digital data to a personal electronic device such as a smartphone.06-21-2012
20120159605REMOTABLE INFORMATION CARDS - An accessor function interfaces among a client, a relying party, and an identity provider. The identity provider can "manage" personal (i.e., self-asserted) information cards on behalf of a user, making the personal information cards available on clients on which the personal information cards are not installed. The client can be an untrusted client, vulnerable to attacks such as key logging, screen capture, and memory interrogation. The accessor function can also act as a proxy for the relying party in terms of invoking and using the information cards system, for use with legacy relying parties.06-21-2012
20120159603MOBILE OUT-OF-BAND AUTHENTICATION SERVICE - Certain embodiments enable authentication of an application session at a client machine by using authentication values and user-identification values that are received from a mobile communication device. The mobile communication device provides an out-of-band channel for validating the session and enables secure authentication for a variety of applications.06-21-2012
20120159602MOBILE MIDDLEWARE FOR GENERIC BOOTSTRAPPING ARCHITECTURE - A mobile terminal receives a Generic Bootstrapping Architecture (GBA) authentication request from an application client, executing on a processor of the device, in non-standard GBA syntax. The mobile terminal converts the GBA authentication request into standard GBA syntax for a Universal Integrated Circuit Card (UICC) and sends the GBA authentication request having standard GBA syntax to the UICC. The mobile terminal receives, from the UICC, GBA authentication information responsive to the GBA authentication request, the GBA authentication information having standard GBA syntax, and converts the GBA authentication information having standard GBA syntax into GBA authentication information having the non-standard GBA syntax supported by the application client.06-21-2012
20110072502Method and Apparatus for Identity Verification - A method for identity verification includes receiving a request for proof of identity from a service provider and receiving biometric information associated with a user of a communication device. The method also includes determining that the received biometric information matches a biometric profile that contains biometric information associated with a registered user of the communication device. The method also includes unlocking a private key associated with the registered user in response to determining that the received biometric information matches the biometric profile and sending a request for a digital certificate that is signed with the private key associated with the registered user. The method further includes receiving the digital certificate that includes a public key associated with the registered user and satisfies the request for proof of identity. The method also includes forwarding the digital certificate to the service provider.03-24-2011
20110078779Anonymous Preservation of a Relationship and Its Application in Account System Management - Disclosed is a system or method of using hash functions to preserve a relationship. A relationship is anonymously preserved by storing the hash result of a relationship token that comprises a finite set of values of a plurality of objects. Specifically, an account anonymous identifier of an account can be produced by hashing a relationship token that comprises identity information of an owner of said account. A party that has enough knowledge of an account owner can independently produce said account anonymous identifier and therefore securely communicate with a specific account without prior communication or a password. An account owner can further prove his/her ownership of an account by submitting related documents and a relationship token that comprises his/her identity information to an account system.03-31-2011
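The derivation described in the abstract above, as an added example rather than code from the patent. The point a practitioner needs to see is the canonicalization step: two parties who know the same identity information only arrive at the same hash if they encode the relationship token byte-for-byte identically, so field names, Unicode form, case and whitespace are normalized before hashing, and a context string separates identifiers across account systems. The names canonical_relationship_token, account_anonymous_identifier and AccountSystem, the SHA-256 choice, the JSON encoding and the sample identity fields are all assumptions constructed for this example. One caveat that holds for any such scheme: the identifier is only as hard to enumerate as the identity information is to guess, so it does not by itself protect against a party that can brute-force the relationship token.

```python
import hashlib
import hmac
import json
import unicodedata


def canonical_relationship_token(fields: dict) -> bytes:
    """Canonical byte encoding of the finite set of values making up the
    relationship token: normalized keys and values, sorted, compact JSON.
    Two parties holding the same information produce identical bytes."""
    norm = {
        k.strip().lower(): unicodedata.normalize("NFKC", str(v)).strip().lower()
        for k, v in fields.items()
    }
    return json.dumps(norm, sort_keys=True, separators=(",", ":")).encode()


def account_anonymous_identifier(fields: dict, context: str = "example-account-system/v1") -> str:
    """Hash of the relationship token; the context string gives domain
    separation so the same person gets unrelated identifiers in different systems."""
    h = hashlib.sha256()
    h.update(context.encode())
    h.update(b"\x00")  # separator between context and token bytes
    h.update(canonical_relationship_token(fields))
    return h.hexdigest()


class AccountSystem:
    """Stores accounts under their anonymous identifier only; the identity
    information used to derive it is never stored by the system."""

    def __init__(self):
        self._accounts = {}

    def open_account(self, identity_fields: dict) -> str:
        aid = account_anonymous_identifier(identity_fields)
        self._accounts.setdefault(aid, {"inbox": []})
        return aid

    def deliver(self, aid: str, message: str) -> bool:
        """A third party who derived the identifier can reach the account
        without any prior exchange with its owner."""
        account = self._accounts.get(aid)
        if account is None:
            return False
        account["inbox"].append(message)
        return True

    def inbox(self, aid: str) -> list:
        return list(self._accounts.get(aid, {"inbox": []})["inbox"])

    def prove_ownership(self, aid: str, identity_fields: dict) -> bool:
        """Ownership claim: the submitted relationship token must re-derive
        the identifier of an existing account."""
        return aid in self._accounts and hmac.compare_digest(
            aid, account_anonymous_identifier(identity_fields))
```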
20110107411SYSTEM AND METHOD FOR IMPLEMENTING A SECURE WEB APPLICATION ENTITLEMENT SERVICE - System and method for implementing a secure web application entitlement service are described. One embodiment of the system comprises a plurality of entitlement point records each comprising a unique identifier associated therewith such that each of the enforcement point records can be associated with an enforcement point within an application; an identity service (“IS”) configured to provide a first token for enabling a user to access the application; an access gateway configured to provide a second token, the second token including a list of at least a portion of the unique identifiers; an entitlement server (“ES”) configured to receive an entitlement request from the application, the entitlement request including the second token, the ES further configured to associate the entitlement request with a user-authenticated session in the IS; and a policy decision point (“PDP”) configured to receive the list of at least a portion of the unique identifiers and to render a decision on the entitlement request based at least in part on policy information associated with ones of the enforcement point records identified by the unique identifiers of the list and attribute information from the IS; wherein subsequent to the rendering of a decision by the PDP, the decision is communicated to the application.05-05-2011
20100095364METHOD, APPARATUS AND COMPUTER PROGRAM PRODUCT FOR PROVIDING SMART CARD SECURITY - An apparatus for providing smart card security may include a processor. The processor may be configured to determine, for a mobile terminal locked to a smart card, whether a temporary subscriber identifier is being read from the smart card or whether the mobile terminal is receiving a new temporary subscriber identifier from a network in communication with the mobile terminal, compare a network identifier associated with the temporary subscriber identifier to a network identifier included in a permanent subscriber identifier associated with the smart card in response to a determination that the temporary subscriber identifier is being read from the smart card, compare a network identifier associated with the new temporary subscriber identifier to a network identifier associated with a previous temporary subscriber identifier in response to a determination that the new temporary subscriber identifier is received from the network, and determine whether to invalidate the temporary subscriber identifier or the new temporary subscriber identifier based on a result of a respective one of the comparing operations.04-15-2010
20120124659System and Method for Providing Diverse Secure Data Communication Permissions to Trusted Applications on a Portable Communication Device - A system for providing first and second trusted applications diverse permission to communicate via a secure element. The system comprising first digital identifier and digital token operably associated with the first trusted application; a second digital identifier and digital token operably associated with the second trusted application. The system further includes a card services module that provides an application programming interface to the secure element supported by a secure data table including first and second sets of permissions. The card services module issues one or more commands to the secure element based on a first action requested by the first trusted application in conjunction with the presentation of the first digital token only if the one or more commands will not violate the first set of permissions. A method is also disclosed.05-17-2012
20120124658System and Method for Providing Secure Data Communication Functionality to a Variety of Applications on a Portable Communication Device - A system for providing an application associated with a portable communication device the ability to communicate via a secure element. The system has a digital identifier and digital token operably associated with the application; a card services module that provides an application programming interface to the secure element; and a secure data table associated with the card services module. The secure data table includes a list of trusted applications each identifiable by a paired digital identifier and token. The card services module compares the identifier and the token with each of the identifier-token pairs in the table until a match indicates the application is trusted. The card services module issues commands to the secure element based on an action requested by a trusted application in conjunction with the presentation of the digital token. A method of providing an application with the ability to communicate via a secure element is also disclosed.05-17-2012
20120124657AUTOMATED SECURITY TOKEN ADMINISTRATIVE SERVICES - This invention provides a system, method and computer program product to allow a user to access administrative security features associated with the use of a security token. The administrative security features provide the user the ability to unlock a locked security token, diagnose a security token, activate and deactivate a security token, request a replacement security token or temporary password or report the loss of a security token. The invention comprises a client application which integrates into the standard user login dialog associated with an operating system. A portion of the user dialog is linked to a remote server to access the administrative services.05-17-2012
20120131661BACK-END CONSTRAINED DELEGATION MODEL - A client can communicate with a middle tier, which can then, in turn, communicate with a back end tier to access information and resources on behalf of the client within the context of a system that can scale well. Each individual back end can establish a policy that defines which computing device can delegate to that back end. That policy can be enforced by a domain controller within the same administrative domain as the particular back end. When a middle tier requests to delegate to a back end, the domain controller to which that request was directed can either apply the policy, or, if the domain controller is in a different domain than the targeted back end, it can direct the middle tier to a domain controller in a different domain and can sign relevant information that the middle tier can utilize when communicating with that different domain controller.05-24-2012
20120131660USING CACHED SECURITY TOKENS IN AN ONLINE SERVICE - A security token service generates a security token for a user that is associated with a client and stores the full security token within a memory. The security token includes an identity claim that represents the identity of the generated security token. Instead of passing the entire security token back to the client, the identity claim is returned to the client. For each request the client makes to the service, the client passes the identity claim in the request instead of the full security token having all of the claims. The identity claim is much smaller than the full security token. When a computing device receives the identity claim within the request from the user, the identity claim is used to access the full security token that is stored in memory.05-24-2012
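The cached-token pattern in the abstract above, as an added example (not the patent's or any vendor's code). The identity claim handed to the client is a bearer handle for the full token held in the token service's memory, so it has to be unguessable (here 256 bits from a CSPRNG) and is looked up, expiry-checked and revocable server-side; the client never sees or carries the claims themselves. The class names SecurityTokenService and OnlineService, the claim layout, the permission check and the fixed time values are assumptions for illustration.

```python
import secrets


class SecurityTokenService:
    """Issues a full security token, keeps it in memory, and hands the client
    only the identity claim that names it."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._tokens = {}  # identity claim -> full security token with all claims

    def issue(self, user: str, claims: dict, now: float) -> str:
        identity_claim = secrets.token_urlsafe(32)  # 256-bit random handle
        self._tokens[identity_claim] = {
            "identity": identity_claim,
            "sub": user,
            "claims": dict(claims),
            "iat": now,
            "exp": now + self.ttl,
        }
        return identity_claim

    def resolve(self, identity_claim, now: float):
        """Map an identity claim from a request back to the full token, or None."""
        token = self._tokens.get(identity_claim)
        if token is None:
            return None
        if now >= token["exp"]:
            del self._tokens[identity_claim]  # expired: drop it from the cache
            return None
        return token

    def revoke(self, identity_claim) -> bool:
        """Because the full token lives server-side, revocation is a cache delete."""
        return self._tokens.pop(identity_claim, None) is not None


class OnlineService:
    """Service endpoint that accepts requests carrying only the identity claim."""

    def __init__(self, sts: SecurityTokenService):
        self._sts = sts

    def handle(self, request: dict, now: float) -> int:
        """Returns an HTTP-style status: 401 unknown/expired, 403 not permitted, 200 ok."""
        token = self._sts.resolve(request.get("identity_claim"), now)
        if token is None:
            return 401
        if request["action"] not in token["claims"].get("permissions", ()):
            return 403
        return 200
```

A consequence worth noting: a request carrying the identity claim is exactly as sensitive as one carrying the full token, so the handle still needs transport protection, and the memory holding the full tokens becomes the thing to protect and to size for expiry.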
20120167194CLIENT HARDWARE AUTHENTICATED TRANSACTIONS - In one embodiment a controller comprises logic to receive a request for a credential to authenticate a user for a transaction, in response to a determination that a credential which satisfies the request resides on a memory module, execute an authentication routine to authenticate a user of the controller, in response to a successful authentication, retrieve the credential from the memory module, and provide a token to certify the credential in response to the request. Other embodiments may be described.06-28-2012
20120167195Security for a Personal Communication Device - Security is provided to a communication device configured to accept a physical key device. A public mode of operation is activated for the communication device when the physical key is not accepted by the personal communication device. The public mode of operation allows access to a first set of functions of the communication device, where the public mode of operation prohibits access to a second set of functions of the communication device. A personal mode of operation is activated for the communication device when the key is accepted by the personal communication device, where the personal mode of operation allows access to the first set of functions and the second set of functions of the communication device. A private mode may also be activated upon authentication of a user of the device, where the private mode allows access to a third set of functions.06-28-2012
20120254972TRUST SYSTEM - An illustrative embodiment of a computer-implemented process for delegating access to private data receives a request at a trusted server, forwards the received request to an untrusted third party application and invokes a transaction on a secure data store. The computer-implemented process further tokenizes data received from the secure data store by the trusted server, returns the tokenized data to the untrusted third party application, modifies the tokenized data by the untrusted third party application, requests the trusted server to send results to a requester and sends the results from the trusted server to the requester for display.10-04-2012
20120254971CAPTCHA METHOD AND SYSTEM - A CAPTCHA method executed by a CAPTCHA system is provided, comprising: receiving a CAPTCHA request comprising category information of an application service from an application server; responding to the application server with a token identifying the CAPTCHA request and a CAPTCHA image comprising a distorted advertisement word associated with the category information and a series of randomly generated and distorted characters, both the advertisement word and the characters being a CAPTCHA text intended to be typed by a user via a user equipment connected to the application server; receiving from the application server the token and a CAPTCHA answer submitted from the user equipment by the user; and verifying the token and the answer and returning to the application server a result of the verification. This provides an improved CAPTCHA system and method with better advertising effects and security.10-04-2012
20120254970METHOD AND APPARATUS FOR PROVIDING RECOMMENDATION CHANNELS - An approach is presented for providing recommendation channels. A recommendation platform receives an input for creating at least one recommendation channel, the input specifying at least one category. Next, the recommendation platform determines one or more tokens based, at least in part, on the at least one category, wherein at least one of the one or more tokens represents context information. Then, the recommendation platform determines to create the at least one recommendation channel based, at least in part, on the one or more tokens.10-04-2012
20110185415System and method for information exchange by means of web-enabled personal trusted device - A system and method for token-based information dispatch is proposed. The system establishes a link between a user via his/her personal trusted device (PTD) and a Publisher that publishes a request for information exchange in the form of a unique number (token), encoded in optical or radio frequency signal. The user PTD reads said signal, establishes a link with the Publisher, and authorizes exchange of information between the user, the Publisher, and the parties designated by the Publisher.07-28-2011
20120174207DISTRIBUTED SINGLE SIGN ON TECHNOLOGIES INCLUDING PRIVACY PROTECTION AND PROACTIVE UPDATING - Technologies for distributed single sign-on operable to provide user access to a plurality of services via authentication to a single entity. The distributed single sign-on technologies provide a set of authentication servers and methods for privacy protection based on splitting secret keys and user profiles into secure shares and periodically updating shares among the authentication servers without affecting the underlying secrets. The correctness of the received partial tokens or partial profiles can be verified with non-interactive zero-knowledge proofs.07-05-2012
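The share-splitting and proactive update described in the abstract above, as an added example that is not the patent's own construction. It uses Shamir secret sharing over a prime field: a secret key is split into n shares of which any t reconstruct it, and a refresh round has every server add a fresh random sharing of zero, so the secret is unchanged while a share captured before the refresh is useless in combination with shares captured after it. The prime, the function names and the threshold values are assumptions; the zero-knowledge verification of partial tokens mentioned in the abstract is outside this example.

```python
import secrets

P = (1 << 127) - 1  # Mersenne prime; secrets must be integers in [0, P)


def _eval_poly(coeffs, x: int) -> int:
    """Evaluate a polynomial (coeffs[0] is the constant term) at x over GF(P)
    with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, n: int, t: int) -> dict:
    """Split secret into n shares {x: f(x)} of a random degree-(t-1)
    polynomial with f(0) = secret; any t shares reconstruct it."""
    if not 0 <= secret < P or not 1 <= t <= n:
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {x: _eval_poly(coeffs, x) for x in range(1, n + 1)}


def reconstruct(shares: dict, t: int) -> int:
    """Lagrange interpolation at x = 0 using the first t shares."""
    xs = list(shares)[:t]
    if len(xs) < t:
        raise ValueError("not enough shares")
    secret = 0
    for i in xs:
        num = den = 1
        for j in xs:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        secret = (secret + shares[i] * num * pow(den, -1, P)) % P
    return secret


def refresh_shares(shares: dict, t: int) -> dict:
    """One proactive update round: each of the n servers contributes a random
    degree-(t-1) polynomial with constant term 0; every share becomes its old
    value plus the sum of those zero-sharings at its x. f(0) is unchanged."""
    new = dict(shares)
    for _ in range(len(shares)):
        zero_poly = [0] + [secrets.randbelow(P) for _ in range(t - 1)]
        for x in new:
            new[x] = (new[x] + _eval_poly(zero_poly, x)) % P
    return new
```

In a deployment the zero-sharing from each server is delivered to the others over authenticated channels and old shares are erased once the round completes; the security benefit comes precisely from an attacker having to compromise t servers within one refresh period rather than over the system's lifetime.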
20100175119Management of Access Authorization to Web Forums Open to Anonymous Users Within an Organization - A mechanism is provided for managing access authorization to forums open to anonymous users within an organization. A token distributor application provides a unique token to each member of a community or organization. The application is trusted by all members to not store an association between the authenticated user and the token when a token is assigned. The only control exerted by the token distributor is to block users who have already obtained a token from receiving another token. The communication tool or collaboration space may accept creation of a new anonymous identity, such as a nickname, to any individual supplying a token assigned by the token distributor application. An administrator may ban users by token. A banned user cannot access the communication tool or collaboration space using a nickname associated with a banned token.07-08-2010
20120222105SYSTEM AND METHOD FOR ESTABLISHING HISTORICAL USAGE-BASED HARDWARE TRUST - Establishing trust according to historical usage of selected hardware involves providing a usage history for a selected client device; and extending trust to a selected user based on the user's usage history of the client device. The usage history is embodied as signed statements issued by a third party or an authentication server. The issued statement is stored either on the client device, or on an authentication server. The usage history is updated every time a user is authenticated from the selected client device. By combining the usage history with conventional user authentication, an enhanced trust level is readily established. The enhanced, hardware-based trust provided by logging on from a trusted client may eliminate the necessity of requiring secondary authentication for e-commerce and financial services transactions, and may also be used to facilitate password recovery and conflict resolution in the case of stolen passwords.08-30-2012
20120174206SECURE COMPUTING ENVIRONMENT - Techniques and apparatus are provided for a secure computing environment. In particular, in some embodiments a secure computing environment is provided by requesting, by a processor, booting of a virtual machine on a first computing device. A hash value of the virtual machine is verified and it is determined whether an external storage device is present. The result of the verification is written to an environment variable. Additionally, it is determined if the external storage device is paired with the first computing device and the result of the determination is written to an environment variable. The virtual machine is then booted by the first computing device.07-05-2012
20120317632Method and Apparatus for a Token - A method and apparatus of using a token comprises receiving an indication of a presence of a nearby short-range terminal and waking up the token in response to receiving the indication. The method further comprises performing authentication between the token and the terminal, without requiring a user to directly interact with the token.12-13-2012
20120216268IDENTITY ASSERTION FRAMEWORK - Systems and methods for implementing an identity assertion framework to authenticate a user in a federation of security domains are provided. A first security token service (STS) is configured to receive a request for a first token from a consumer and to issue the first token to the consumer. The first STS is associated with a first security domain, and the first token is issued according to a first issuing policy of the first security domain. A service provider within a second security domain receives the first token and makes a determination whether the first token is invalid in the second security domain. A second STS receives the first token from the service provider, determines that the first token was issued by the first STS, and validates the first token according to a federation policy between the first security domain and the second security domain.08-23-2012
20110191842Authentication in a Communication Network - A method and apparatus for authentication in a communication network. A network node receives an initial request message from a user device, and sends an authentication message to an authentication node. In reply, the network node receives an expected response value and an authentication token from the authentication node. The expected response value is determined using a first shared secret known to the authentication node and the user and a second shared secret known to the authentication node and the user device, and the authentication token is determined using the second shared secret. The network node sends the authentication token from the network node to the user device, and in response receives a response value calculated using the authentication token, the first shared secret and the second shared secret. The network node then determines if the response value matches the expected response value and, if so, authenticates the user.08-04-2011
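The exchange described in that abstract, as an added example that is not part of the patent or of this listing. The abstract only says the expected response is "determined using" both secrets and the token, and the token using the second secret alone; HMAC-SHA256 as the derivation function, the length-prefixed message encoding, the fixed nonce and all key values are assumptions made here so the three parties can be run offline.

```python
import hashlib
import hmac
import secrets

# Added example, not the patent's own construction. HMAC-SHA256 is an assumed
# instantiation of the abstract's "determined using" steps; keys and nonces
# below are constructed sample values.


def _prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed PRF over length-prefixed parts, so (a|b) cannot collide with (ab|)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class AuthenticationNode:
    """Knows K1 (shared with the user, e.g. a PIN) and K2 (shared with the device)."""

    def __init__(self):
        self._subscribers = {}  # device_id -> (k1_user, k2_device)

    def register(self, device_id: str, k1_user: bytes, k2_device: bytes) -> None:
        self._subscribers[device_id] = (k1_user, k2_device)

    def auth_vector(self, device_id: str, nonce=None):
        k1_user, k2_device = self._subscribers[device_id]
        nonce = nonce if nonce is not None else secrets.token_bytes(16)
        # The authentication token depends on the second (device) secret only.
        token = _prf(k2_device, b"AUTN", nonce)
        # The expected response binds that token to BOTH secrets.
        xres = _prf(k1_user, b"RES", token, k2_device)
        return token, xres


class UserDevice:
    """Holds K2; K1 is supplied by the user at authentication time."""

    def __init__(self, k2_device: bytes):
        self._k2 = k2_device

    def respond(self, token: bytes, k1_entered: bytes) -> bytes:
        return _prf(k1_entered, b"RES", token, self._k2)


class NetworkNode:
    """Relays the token to the device and compares RES against XRES from the auth node."""

    def __init__(self, auth_node: AuthenticationNode):
        self._auth = auth_node

    def authenticate(self, device_id, device, k1_entered, nonce=None) -> bool:
        token, xres = self._auth.auth_vector(device_id, nonce)
        res = device.respond(token, k1_entered)
        return hmac.compare_digest(res, xres)  # constant-time comparison


def demo() -> tuple:
    """Fixed nonce for reproducibility; returns (ok, wrong_user_secret, wrong_device_secret)."""
    k1, k2 = b"user-pin-4711", b"device-key-0xdead"  # constructed sample secrets
    auth = AuthenticationNode()
    auth.register("dev-1", k1, k2)
    net = NetworkNode(auth)
    nonce = bytes(16)
    ok = net.authenticate("dev-1", UserDevice(k2), k1, nonce)
    bad_user = net.authenticate("dev-1", UserDevice(k2), b"user-pin-0000", nonce)
    bad_device = net.authenticate("dev-1", UserDevice(b"cloned-key"), k1, nonce)
    return ok, bad_user, bad_device


if __name__ == "__main__":
    print(demo())
```

Only the token and the response cross the network node; neither secret does, and a response computed with either secret wrong fails the comparison. In a deployment the nonce must be fresh per session, which is what the `secrets.token_bytes` default provides.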
20080216165Method and System for Providing On-Demand Media Streaming from a User's Own Library to a Receiving Device of the User - A system and method are provided for on-demand media streaming from a user's own media library to a user's receiving device that may be located in a different location from that where the media library is stored. The present invention provides an out-of-the box on-demand media server device that may be used by itself, in conjunction with a personal computer, or in conjunction with a personal home stereo system or video system. The on-demand media server includes security mechanisms that allow a user to establish a private server that only the user may communicate with and gain access to the user's media library. In one particular embodiment, a smart card or other removable media are used as a security device to ensure that access to the media files on the user's personal on-demand media streaming server is limited to the user. In addition, the system and method provides an on-demand conversion of the media in the user's personal media library to an appropriate format.09-04-2008
20100281530AUTHENTICATION ARRANGEMENT - A method, a proxy, a device, a system, and a computer program product for enabling authentication are provided. Authentication is enabled by receiving by a proxy a security token from an authentication provider, the security token including authentication information, receiving by the proxy an authentication request directed to the authentication provider or to the proxy, determining by the proxy whether the authentication information corresponds to the authentication request, and in case the authentication information corresponds to the authentication request, providing by the proxy the security token as a response to the authentication request.11-04-2010
20120260329MITIGATION OF APPLICATION-LEVEL DISTRIBUTED DENIAL-OF-SERVICE ATTACKS - A system and method, implementable using an authenticating device, are provided for authenticating requesting devices such as mobile devices and other communication devices over a network. At least one group shared secret is provisioned on a plurality of requesting devices, which are further provided with other authentication credentials such as a shared secret for full authentication by the authenticating device. When authentication is sought, the requesting device transmits a pre-authentication request comprising one of the group shared secrets to the authenticating device, which verifies that group shared secret. The group shared secrets may be stored in volatile memory at the authenticating device. If the group shared secret is verified, the authenticating device will authenticate that same device in response to a subsequent authentication request.10-11-2012
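The two-stage gate in that abstract, as an added example that is not the patent's code or this listing's content. It shows why the group secret helps against application-level floods: the pre-authentication check costs one HMAC, and only requesters that pass it reach the costly per-device verification. The HMAC proof, the PBKDF2 stand-in for "expensive" authentication, the nonce handling and every identifier and secret value are assumptions made for the example.

```python
import hashlib
import hmac

# Added example; not the patent's own implementation. All names and secrets
# are constructed sample values.

GROUP_ID = "fleet-2013-q1"   # assumption: tells the server which group secret the device holds
PBKDF2_ROUNDS = 5000         # stands in for the expensive per-device verification


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _device_proof(device_secret: bytes, device_id: str, nonce: bytes) -> bytes:
    """Full-authentication proof; deliberately costly (PBKDF2) on both sides."""
    derived = hashlib.pbkdf2_hmac("sha256", device_secret, nonce, PBKDF2_ROUNDS)
    return _mac(derived, b"auth|" + device_id.encode())


class AuthenticatingDevice:
    def __init__(self, group_secrets: dict, device_secrets: dict):
        self._group_secrets = dict(group_secrets)    # kept in volatile memory only; cheap to rotate
        self._device_secrets = dict(device_secrets)  # per-device credentials for full authentication
        self._preauthed = set()
        self.expensive_checks = 0

    def preauthenticate(self, device_id: str, group_id: str, nonce: bytes, proof: bytes) -> bool:
        """Stage 1: constant-cost check that the requester knows a current group secret."""
        secret = self._group_secrets.get(group_id)
        if secret is None:
            return False
        expected = _mac(secret, b"preauth|" + device_id.encode() + b"|" + nonce)
        if not hmac.compare_digest(expected, proof):
            return False
        self._preauthed.add(device_id)
        return True

    def authenticate(self, device_id: str, nonce: bytes, proof: bytes) -> bool:
        """Stage 2: only a device that passed stage 1 reaches the costly verification."""
        if device_id not in self._preauthed:
            return False
        self._preauthed.discard(device_id)  # one full attempt per pre-authentication
        secret = self._device_secrets.get(device_id)
        if secret is None:
            return False
        self.expensive_checks += 1
        return hmac.compare_digest(_device_proof(secret, device_id, nonce), proof)


class RequestingDevice:
    def __init__(self, device_id: str, group_secret: bytes, device_secret: bytes):
        self.device_id, self._group, self._secret = device_id, group_secret, device_secret

    def preauth_request(self, nonce: bytes):
        proof = _mac(self._group, b"preauth|" + self.device_id.encode() + b"|" + nonce)
        return self.device_id, GROUP_ID, nonce, proof

    def auth_request(self, nonce: bytes):
        return self.device_id, nonce, _device_proof(self._secret, self.device_id, nonce)


def scenario(flood_size: int = 500) -> tuple:
    """Returns (legit_authenticated, flood_requests_rejected, expensive_checks_performed)."""
    server = AuthenticatingDevice({GROUP_ID: b"group-secret-v1"}, {"phone-7": b"phone-7-secret"})
    nonce = b"\x01" * 16  # fixed for reproducibility; a server-issued fresh nonce in practice
    legit = RequestingDevice("phone-7", b"group-secret-v1", b"phone-7-secret")
    passed = server.preauthenticate(*legit.preauth_request(nonce))
    legit_ok = passed and server.authenticate(*legit.auth_request(nonce))
    rejected = 0
    for i in range(flood_size):
        bot = RequestingDevice(f"bot-{i}", b"wrong-group-secret", b"junk")
        if not server.preauthenticate(*bot.preauth_request(nonce)):
            rejected += 1
        server.authenticate(bot.device_id, nonce, b"junk")  # never reaches the PBKDF2 step
    return legit_ok, rejected, server.expensive_checks


if __name__ == "__main__":
    print(scenario())
```

The count of expensive checks stays at one however large the flood is, because the flood never clears stage 1. The caveat a practitioner should keep in mind is the one the abstract implies by storing group secrets in volatile memory: a leaked group secret lets attackers reach stage 2, so it must be rotated quickly and re-provisioned to the fleet.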
20130174244APPLICATIONS LOGIN USING A MECHANISM RELATING SUB-TOKENS TO THE QUALITY OF A MASTER TOKEN - Methods and systems allow a user to log in to a device so that a number of apps become accessible on the device without the user repeatedly logging in to each different app as the user launches multiple apps. A mechanism of providing a master token with a quality score and providing sub-tokens for each app that can use the sub-token and the score quality to evaluate the level of security provided by the initial login allows each app to skip its own login process and provides a level of enhanced efficiency and convenience for the user. A method includes authenticating a user; creating a master token on the user device; creating a sub-token of the master token for an app launched on the device; the app skipping the login process of the app in response to the sub-token so that the app proceeds directly to validating a transaction.07-04-2013
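The master-token/sub-token mechanism from that abstract, as an added example that is not the patent's code or this listing's content. The point it makes is that an app should trust a sub-token only as far as the quality of the login that produced the master token, and only if the sub-token is cryptographically bound to that master. The HMAC binding, the score scale, the lifetime and the app policy numbers are assumptions made here.

```python
import hashlib
import hmac
import json

# Added example; not the patent's own implementation. Score scale, key and
# TTL are constructed assumptions.

LOGIN_QUALITY = {"pin4": 1, "password": 2, "password+otp": 3}  # assumed scores, higher is stronger
MASTER_TTL = 900  # seconds; assumed master-token lifetime


class LoginManager:
    """Device-side component that performs the single login and issues sub-tokens per app."""

    def __init__(self, device_key: bytes):
        self._key = device_key  # assumption: secret held only by the login component
        self._master = None

    def login(self, user: str, method: str, now: int) -> dict:
        self._master = {"user": user, "score": LOGIN_QUALITY[method], "iat": now}
        return dict(self._master)

    def _mac(self, body: dict) -> str:
        canon = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, canon, hashlib.sha256).hexdigest()

    def sub_token(self, app_id: str, now: int):
        """Derive a sub-token for one app; it inherits the master's quality score and issue time."""
        m = self._master
        if m is None or now - m["iat"] > MASTER_TTL:
            return None
        body = {"app": app_id, "user": m["user"], "score": m["score"], "iat": m["iat"]}
        return {**body, "mac": self._mac(body)}

    def verify(self, sub: dict, app_id: str, now: int) -> bool:
        """Called by an app: the sub-token must be bound to the master, for this app, and unexpired."""
        body = {k: sub[k] for k in ("app", "user", "score", "iat")}
        return (hmac.compare_digest(self._mac(body), sub["mac"])
                and body["app"] == app_id
                and now - body["iat"] <= MASTER_TTL)


def app_needs_own_login(mgr: LoginManager, app_id: str, required_score: int, now: int) -> bool:
    """True when the app must run its own login: no valid sub-token, or login quality too low."""
    sub = mgr.sub_token(app_id, now)
    if sub is None or not mgr.verify(sub, app_id, now):
        return True
    return sub["score"] < required_score


def demo() -> tuple:
    mgr = LoginManager(b"device-local-key")
    mgr.login("alice", "password", now=1000)
    news = app_needs_own_login(mgr, "news", required_score=1, now=1010)  # password suffices
    bank = app_needs_own_login(mgr, "bank", required_score=3, now=1010)  # needs OTP-quality login
    sub = mgr.sub_token("bank", 1010)
    sub["score"] = 3                          # an app raising its own score breaks the MAC
    tampered_ok = mgr.verify(sub, "bank", 1010)
    expired = app_needs_own_login(mgr, "news", 1, now=1000 + MASTER_TTL + 1)
    return news, bank, tampered_ok, expired


if __name__ == "__main__":
    print(demo())
```

The bank app in the demo still runs its own login even though a master token exists, because the score carried in the sub-token is below what it requires; that is the "quality of the master token" the abstract refers to. The score cannot be inflated by an app because it is under the MAC.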
20100024025AUTHENTICATION SYSTEM AND AUTHENTICATION SERVER DEVICE - An account management server, when a device executing a service receives a card ID read from an ID card, sends back log-on data as a response, which is recorded in an account management DB in a way that associates the log-on data with the card ID. A user terminal, when reading the card ID from the ID card, transmits the card ID together with an account name of a user to an account management server. The account management server overwrites, with the received card ID, the card ID registered in the account management DB in a way that associates the card ID with the received account name or password.01-28-2010
20120185927Service Activation in a Passive Optical Network (PON) - An Optical Line Terminal (07-19-2012
20120084851TRUSTWORTHY DEVICE CLAIMS AS A SERVICE - Embodiments of the invention make the issuance of trustworthy device claims available to client devices as a service, so that a client device to which device claims are issued may use the device claims in relation to an attempt to access a network application. The service may conduct an assessment of the device's characteristics and/or state, characterize the results of this assessment in device claims, and issue the device claims to the device. The service may be accessible to a client device from outside administrative boundaries of an entity that makes a network application accessible, and thus may be useful to entities making network applications accessible in business-to-consumer (B2C) and business-to-business (B2B) topologies, such as over the publicly accessible Internet.04-05-2012
20120185928DEVICE REGISTRATION SYSTEM, DEVICE REGISTRATION SERVER, DEVICE REGISTRATION METHOD, DEVICE REGISTRATION PROGRAM, STORAGE MEDIUM, AND TERMINAL DEVICE - In a device registration system, user authentication and device authentication of a CE device are executed in a single session, and the user and the CE device are associated with each other if these authentications succeed. The CE device obtains information for user authentication from an IC card and portable memory, and sends the information and device authentication information to a device registration unit. The device registration unit sends the information for the user authentication to a user authentication unit, and the device authentication information to a device authentication unit. The user authentication unit executes a user authentication process and sends information of the user to the device registration unit if authentication succeeds. The device authentication unit executes a device authentication process and sends information of the device to the device registration unit if authentication succeeds. The device registration unit associates user information and device information with each other.07-19-2012
20120260327MULTI-BROWSER AUTHENTICATION - The content rendering capability of web browsers can be tested and compared across different web browsers. Testing with respect to restricted content is enabled utilizing a web browser to facilitate authentication. State information acquired by the web browser from a server can be employed to request restricted content for rendering by a number of target web browsers sought to be tested. Subsequently, representations of the restricted content produced by target web browsers can be rendered to a multi-browser display environment, for example.10-11-2012
20120227099THREE-STAGE, DOUBLE BLIND CREDIT RATING OF SECURITIES - Disclosed is a computer-implemented system and method for rating an asset, and, in embodiments, a system and method for performing a double-blind, three stage credit rating of a securitized instrument, such as without limitation, a commercial mortgage backed security or an asset thereof. The disclosed method utilizes a secure database structure which trifurcates information relating to the asset being rated into first, second, and third analytical stages. Asset information is distributed such that analysts at each stage have access to only that information which is relevant to the scope of the particular analytical stage being performed, while irrelevant and prejudicial information is withheld from the analyst. Unique access tokens are employed to control access to stage data and to maintain the integrity of the analytical process.09-06-2012
20120260328METHOD AND APPARATUS TO SCALE AUTHENTICATED FIREWALL TRAVERSAL USING TRUSTED ROUTING POINT - A Trusted Routing Point (TROP) generates a signaling message that includes an authorization token used to authorize a firewall to open a pinhole. The signaling message contains a first indicator that indicates whether a data field in the signaling message represents a source address of a media flow. The signaling message also includes a second indicator that indicates whether the firewall should derive the source address of the media flow from the data field. The authorization token is generated using a one-way hash function over information that may be included in the signaling message, including the first indicator and the second indicator.10-11-2012
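The Trusted Routing Point exchange from that abstract, as an added example that is not the patent's code or this listing's content. The abstract specifies a one-way hash over the signaling fields, including both indicators; a keyed hash (HMAC) under a key shared between the TROP and the firewall is an assumption here, so that only the TROP can mint tokens, as are the field names, the /24 prefix used for the "derive the source address" case and the sample addresses.

```python
import hashlib
import hmac
import ipaddress

# Added example; not the patent's own implementation. Key, field names,
# derivation rule and addresses are constructed assumptions.

FIELDS = ("call_id", "data_field", "field_is_source", "derive_source", "dst", "dport")


def _canon(msg: dict) -> bytes:
    # Both indicators are inside the hashed data, so flipping either invalidates the token.
    return "|".join(f"{k}={msg[k]}" for k in FIELDS).encode()


def trop_sign(key: bytes, msg: dict) -> dict:
    """TROP side: attach an authorization token covering every authorization-relevant field."""
    return {**msg, "token": hmac.new(key, _canon(msg), hashlib.sha256).hexdigest()}


def firewall_pinhole(key: bytes, msg: dict):
    """Firewall side: verify the token, then decide which source the pinhole admits."""
    expected = hmac.new(key, _canon(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("token", "")):
        return None  # forged or modified signaling: open nothing
    if msg["field_is_source"]:
        src = ipaddress.ip_network(msg["data_field"])  # data field is the exact media source
    elif msg["derive_source"]:
        # assumption: derive the admitted source as the /24 containing the data field
        src = ipaddress.ip_network(msg["data_field"] + "/24", strict=False)
    else:
        src = ipaddress.ip_network("0.0.0.0/0")  # field carries no source information
    return {"src": str(src), "dst": msg["dst"], "dport": msg["dport"]}


def demo() -> tuple:
    key = b"trop-firewall-shared-key"
    base = {"call_id": "c1", "data_field": "198.51.100.7", "field_is_source": True,
            "derive_source": False, "dst": "203.0.113.10", "dport": 5004}
    exact = firewall_pinhole(key, trop_sign(key, base))
    derived = firewall_pinhole(
        key, trop_sign(key, {**base, "field_is_source": False, "derive_source": True}))
    # an on-path party flips the indicators after signing to widen the pinhole
    tampered = trop_sign(key, base)
    tampered["field_is_source"], tampered["derive_source"] = False, True
    forged = firewall_pinhole(key, tampered)
    return exact["src"], derived["src"], forged


if __name__ == "__main__":
    print(demo())
```

The third result is `None`: because the indicators are part of the hashed input, a message whose indicators were changed after the TROP signed it opens no pinhole, which is the property that lets the firewall trust the TROP's decision about how to read the data field.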
20110113479PERSONAL TOKEN HAVING ENHANCED SIGNALING ABILITIES - The invention relates to a personal token including a microprocessor and a memory, said personal token storing and running a software entity which constitutes an end-point for communication over the internet. The software entity constitutes an end-point according to a signaling protocol over the internet, the signaling protocol being of the type used to initiate a session for real-time conferencing between end-points.05-12-2011
20120233685METHOD FOR AUTHENTICATION OF A REMOTE STATION USING A SECURE ELEMENT - Disclosed is a method for authentication of a remote station by a management station using a secure element. In the method, the remote station receives an identity request from the secure element. The identity request includes a first challenge provided to the secure element by the management station. The remote station forwards an identity response to the secure element. The identity response includes a response to the first challenge that is signed by a key of the remote station, and the signed response to the first challenge is for use by the management station to authenticate the remote station.09-13-2012
20120233684KEY DISTRIBUTION FOR UNCONNECTED ONE-TIME PASSWORD TOKENS - A system and method for distributing symmetric keys in a system including an end-user computer operated by an end-user, a service provider server of a service provider having a service provider identifier, and a manufacturer backend server operated by the manufacturer of the OTP token. The manufacturer backend server operates to verify one-time passwords generated by the OTP tokens and upon verifying the authenticity of the OTP token based on the generated passwords, transmitting the symmetric key to a service provider server or an authentication server. Other systems and methods are disclosed.09-13-2012
20080301792Common access card security and document security enhancement - Techniques and systems for maintaining a secure document replication environment based on information contained in CACs are disclosed. In one embodiment of the invention, a device such as an MFP, a printer, a scanner, a copier, or a fax machine comprises or is connected to a card reader. The device prevents users from using the device until the users have been authenticated. In order to authenticate himself to the device, a user inserts his CAC into the card reader. The device reads the user's digital certificate off of the user's CAC. The device determines whether the digital certificate is valid. If the digital certificate is not valid, then, in one embodiment of the invention, the device prevents the user from using any of the device's functions (e.g., printing, scanning, copying, faxing, etc.).12-04-2008
20110004929Flexible Token For Use In Content Delivery - An embodiment of a system for managing delivery of content to end users includes a semantics generator configured to generate name/value pair semantics for name/value pairs that can be included in flexible tokens, a semantics publisher configured to publish the name/value pair semantics in a menu, wherein the name/value pair semantics are selectable, a flexible token interpreter configured to interpret name/value pairs included in flexible tokens according to the name/value pair semantics, the flexible token interpreter further configured to determine responses to content requests based on the name/value pairs included in flexible tokens, and an edge server configured to generate token-dependent responses to content requests based on determined responses from the flexible token interpreter.01-06-2011
20120324559ESTABLISHING A SECURE CONNECTION BASED ON A JOINT GESTURE - During a transaction, an electronic device (such as a cellular telephone) captures a gesture performed by a user of the electronic device. This gesture is analyzed to determine salient features, such as accelerations of the electronic device during the gesture and associated time intervals. Then, the electronic device generates a token based on the salient features, and provides the token to a server. When a second token, associated with the token, is received by the server from a second electronic device, the server establishes a secure connection between the electronic device and the second electronic device.12-20-2012
20120324560TOKEN DATA OPERATIONS - In one embodiment, a host application may manage a data set maintained at a storage device using a token. A processor 12-20-2012
20120272307Multi-Factor Authentication Using A Smartcard - Methods and systems are provided for non-cryptographic capabilities of a token such as a smartcard to be used as an additional authentication factor when multi-factor authentication is required. Smartcards are configured to generate a transaction code each time a transaction is attempted by the smartcard. The transaction code is dynamic, changing with each transaction, and therefore is used as a one-time password. When a user attempts to access a service or application requiring at least two authentication factors, a secure processor is used to read the transaction code from the smartcard. The secure processor establishes a secure communication with the remote computer hosting the service or application. The transaction code can then be encrypted prior to transmission over the public Internet, providing an additional layer of security.10-25-2012
20100251353USER-AUTHORIZED INFORMATION CARD DELEGATION - A system can include an authorization token provided by a user, the authorization token specifying user identification information to be made accessible by an information card host to a relying party, an information card stored at the information card host, and an identity token generated or requested by the information card host in response to a request for identity token from the relying party.09-30-2010
20120331539AUTHENTICATION SYSTEM, AUTHENTICATION METHOD, AND STORAGE MEDIUM FOR REALIZING A MULTITENANT SERVICE - In order to prevent leakage of data possessed by a tenant to other tenants in multitenant service, it is necessary to control access. However, the conventional access control method is designed and developed to meet a specified request. Thus, costs for a dedicated design, development, administration, and maintenance need to be considered. Such costs can be reduced by using role information for each of a plurality of services and determining whether to allow or not allow access in a uniform manner.12-27-2012
20100229232SUBSCRIPTION AND DEVICE OF CHARGE CONTROL - A method of providing service authorization by sending a message from a redirect server to a user terminal including an authorization token. The method includes detecting and removing the authorization token by a network gateway node from the message before forwarding the message to the user terminal.09-09-2010
20120102561TOKEN-BASED RESERVATIONS FOR SCSI ARCHITECTURES - A method for enabling reservations in SCSI architectures is disclosed herein. In one embodiment, such a method includes receiving a reservation request from a SCSI initiator. The method then generates a token in response to receiving the reservation request, stores the token, and transmits a copy of the token to the SCSI initiator. The SCSI initiator may attach this token to commands transmitted while the reservation is in place. Upon receiving a command from the SCSI initiator, the method compares the token attached to the command with the stored token. If the attached token and stored token match, the method processes the command. Otherwise, the command is not processed. A corresponding system and computer program product are also described herein.04-26-2012
20130014245REMOTABLE INFORMATION CARDS - An accessor function interfaces among a client, a relying party, and an identity provider. The identity provider can "manage" personal (i.e., self-asserted) information cards on behalf of a user, making the personal information cards available on clients on which the personal information cards are not installed. The client can be an untrusted client, vulnerable to attacks such as key logging, screen capture, and memory interrogation. The accessor function can also act as a proxy for the relying party in terms of invoking and using the information cards system, for use with legacy relying parties.01-10-2013
20100132024Identifying attribute propagation for multi-tier processing - A multi-tier attribute tracking mechanism provides the ability to identify the end user credentials and other client information and attributes and assign them to database requests in an application server architecture. Disclosed configurations identify the processing unit, or thread, assigned by the operating system to service the incoming request from the user at the application tier. A matching of users to threads allows successive thread activity to be mapped back to the initiating user. Conventional interception of database access attempts at the application level (so called “server taps,” or staps) identified only the database user (the account in the database) and associated connection as the responsible user. By intercepting, or “tapping” the access request at the operating system level (using so-called kernel taps, or “ktaps”), the mechanism matches which application requests map to which database requests. With this matching, the database requests can be tagged with the user credentials which are known through the application request.05-27-2010
20110162058System and Method for Providing Convergent Physical/Logical Location Aware Access Control - According to one embodiment, a system for enforcing physical access control and logical access control may include a physical access control system, a logical access control system, a location detection system, and a convergence system. The convergence system may be communicatively coupled to the physical access control system, the logical access control system, and the location detection system and configured to: (i) receive information from the physical access control system regarding a physical access credential; (ii) receive information from the logical access control system regarding a logical access credential; (iii) receive information from the location detection system regarding a location of a location detection tag; and (iv) based on analysis of information regarding the physical access credential, information regarding the logical access credential, and the information regarding the location of the location detection tag, determine the approximate location of a person.06-30-2011
20130024927SYSTEM AND METHOD FOR AUTOMATICALLY ESTABLISHING NEW SESSION WITH INTERACTIVE SERVICE AFTER PREVIOUS SESSION EXPIRATION - A system includes a video display and a processor controlling the display. The processor accesses computer readable instructions to cause the processor to access a server associated with the service over a network responsive to viewer selection of a service. The processor then, without any viewer interaction, executes authentication with the server. Thereafter, responsive to successful authentication, the processor provides the service to a viewer at least in part by presenting an image associated with the service on the display. Responsive to the server indicating that a session for which the authentication is valid is expired, the processor automatically and without viewer input executes authentication with the server to establish a new session.01-24-2013
20080250485Guest Dongle and Method of Connecting Guest Apparatuses to Wireless Home Networks - The invention relates to a dongle (10-09-2008
20080235781SYSTEM AND METHOD FOR TRUSTED COMMUNICATION - A trusted communication system and methods of ensuring trusted communications are provided. A portable memory device is configured to resemble a character, and a client is configurable to operate specifically with that portable memory device. The client may allow a user to access network resources related to other clients belonging to other users having portable memory devices. Each portable memory device may have stored therein a unique token. A token from one portable memory device may be associated with a token of another portable memory device, e.g., by operating the first portable memory device with a client configured to operate with the second portable memory device. When two tokens are associated, the client configured to operate with a portable memory device having one of those tokens may access network resources related to another of those tokens.09-25-2008
20080229402WORMHOLE DEVICES FOR USABLE SECURE ACCESS TO REMOTE RESOURCE - A token has a memory, an interface allowing connection to a host, and a processor. The processor, in response to user input for configuring a remote access connection, executes a first set of processing instructions to establish a trusted connection with the server host, exchanges credentials over the trusted connection to establish a secure connection with the server host over an untrusted connection, and defines configuration information for accessing user selected data or services. The processor, in response to user input received in a legacy environment, executes a second set of processing instructions that includes establishing, over an untrusted connection, a secure connection with the server host using the security credentials, configuring the secure connection for access to the data or services, making the data or services available in the legacy environment, and defending against attempted access to data or services available at the token other than the data or services made available in the legacy environment.09-18-2008
20080222714System and method for authentication upon network attachment - An information processing system for remote access computing comprising a network access server and a local authentication server is augmented with the capability for forwarding authentication requests by tunneling interactions between the requesting client and an identity provider.09-11-2008
20130179959Zero Token - Aspects of the subject matter described herein relate to a zero token. In aspects, a zero token may be used to represent one or more zeroes in an offload write command. A component receiving an offload write command with the zero token is free to write the zeroes in a variety of ways including, for example, changing data structures the component uses to represent the zeroes, issuing another command that writes zeroes, writing physical zeroes, and so forth. A component receiving an offload write command with the zero token does not need to verify that the zero token was obtained from a successful offload read or that the zero token is still valid. In response to an offload read request, a component may provide the zero token to represent all or a portion of the data associated with the offload read request.07-11-2013
20130179960METHOD OF COLLABORATIVE COMPUTING - A system and method for allowing for distributed interaction in a computing scenario is presented. The system is powered by SandTable software. First and second items are respectively displayed on interactive screens of first and second surface computers. A first token is configured to be placed on the interactive screen of one of the computers, and that computer reads its credentials. The SandTable software determines a first access level of the first token based on the credentials of the first token when it is placed on the surface computer. The first surface computer displays an image of an add item symbol when the first token is authenticated as a valid token. The SandTable software is configured to detect when the add item symbol is selected and to generate a menu of new items. SandTable creates a new item based on the new item selected from the menu.07-11-2013
20130179961INFORMATION PROCESSING SYSTEM CONTROL METHOD, INTERMEDIATE SERVICE DEVICE, AUTHENTICATION METHOD, AND STORAGE MEDIUM - Provided is a method for controlling an information processing system including a relay service device, an intermediate service device, and an authentication service device. The control method includes transmitting an authentication request from the intermediate service device to the authentication service device; acquiring a first access token from the authentication service device when authentication succeeds; storing the first access token; upon reception of a processing execution request from the relay service device, comparing the stored first access token with a second access token included in that request; and executing the requested processing when the comparison finds that the first access token matches the second access token, or not executing the processing when the comparison finds that the first access token does not match the second access token.07-11-2013
20130179962Intelligent Network Streaming and Execution System for Conventionally Coded Applications - In a system that partitions an application program into page segments, a minimal portion of the application program is installed on a client system. The client prefetches page segments from the application server or the application server pushes additional page segments to the client. The application server begins streaming the requested page segments to the client when it receives a valid access token from the client. The client performs server load balancing across a plurality of application servers. If the client observes a non-response or slow response condition from an application server or license server, it switches to another application or license server.07-11-2013
20130145450AUDITABLE MULTICLAIM SECURITY TOKEN - The current invention provides a paradigm for securely transmitting messages using an auditable message token and associated protocol for recording information pertaining to events occurring with respect to transmission(s) of a message.06-06-2013
20130145451APPARATUS AND METHOD OF BINDING A REMOVABLE MODULE TO AN ACCESS TERMINAL - The described apparatus and methods may include a processor, a memory in communication with the processor, a removable module in communication with the processor and operable to store data, an initialization component executable by the processor and configured to initialize the removable module, and an authentication component executable by the processor and configured to: receive a command from the removable module to perform an authentication operation, wherein the command is a standard message having a command qualifier value or code that represents an authentication challenge; obtain a random value from the removable module in response to the command; calculate a response based on the random value and a terminal key stored in the memory; and transmit the response to the removable module.06-06-2013
20130091559Computer-Implemented Method for Mobile Authentication and Corresponding Computer System - In one embodiment of the present invention a computerized method includes receiving at a personal-mobile device a first communication, which includes information for requesting user verification for logging into an account of a user, via a computing device. The account is with a service provided by an application server. The method includes starting a personal-authentication application on the personal-mobile device in response to receiving the first communication, and receiving in the personal-authentication application a user verification for confirming logging into the account. The method includes logging into the account via the computing device based on receipt of the user verification. Embodiments of the present invention provide enhanced security for logging into an account that a user may have with a service by providing that a personal-mobile device, such as a mobile telephone, which is personal to a user, is configured as a security token for login to the account.04-11-2013
20130097689CREATION AND MANAGEMENT OF DIGITAL CONTENT AND WORKFLOW AUTOMATION VIA A PORTABLE IDENTIFICATION KEY - The present invention is directed towards a method and system for automating workflow. The method and system includes receiving data from a portable identification key communicatively coupled to a processing device to initiate automation processes. The profile information comprised in the data is accessed, the profile information including an identification of a user associated with the portable identification key. The method and system further includes retrieving one or more instructions and parameters associated with the identified user by the processing device to initiate an automated workflow session, and initiating the automated workflow session according to the one or more instructions and parameters.04-18-2013
20130097687SYSTEM AND METHOD FOR SECURE CONTENT SHARING AND SYNCHRONIZATION - A flexible content sharing system may comprise a network based application built on a client device using information from dissociated user experience component (UXC), application logic and execution layer (ALEL), and content distribution system (CDS) payloads. An ALEL engine may communicate a request from the network based application to a CDS module. The CDS module may interface the ALEL engine and a CDS server. The ALEL engine can act as a gate keeper and securely communicates requests from client devices to the CDS server. The CDS server is configured to manage and alert the ALEL of any enterprise policies that may be applicable to the client devices connected to the ALEL engine which, in turn, notifies the client devices to comply with the enterprise policies. The CDS server may synchronize any change made to the content by any of the client devices running network based applications.04-18-2013
20130097688SERVICE ORIENTED SECURE COLLABORATIVE SYSTEM FOR COMPARTMENTED NETWORKS - A system receives a request to store a document in a database, receives a user security token, analyzes the document to determine an adjudicated security level for the document, compares the user security token to the adjudicated security level, stores the document when the user security token is equal to the adjudicated security level, and when the user security token is not equal to the adjudicated security level, queries the user as to whether the document should be stored with the adjudicated security level, receives a response to the query from the user, stores the document when the user agrees to store the document with the adjudicated security level, and when the user does not agree to store the document with the adjudicated security level, transmits a message to a security officer and quarantines the document.04-18-2013
20130097686INFORMATION PROCESSING SYSTEM, IMAGE PROCESSING APPARATUS, USER DEVICE, CONTROL METHOD, AND STORAGE MEDIUM - A mediation service accepts a coordination instruction for coordinating a web application server with a coordination device from a web browser, generates a script to be authenticated by an authentication method corresponding to the server, and transmits the generated script to the coordination destination service providing system indicated by the coordination instruction. The web browser transmits authentication information or an authentication token, which is obtained in response to an input operation on an authentication information input screen displayed by execution of the script, to the coordination device. Then, the coordination device receives and saves the authentication information or the authentication token.04-18-2013
20130104220System and method for implementing a secure USB application device - Systems and methods for implementing a secure USB token are described. In one aspect, the system for implementing a secure USB token comprises: (1) a secure USB token including: a processor; a memory coupled to said processor; a communication port coupled to said processor; a secure element coupled to said processor, said secure element storing data for implementing a secure environment; and one or more applications stored on said memory and adapted to run on said memory and processor; and (2) a host device including: a processor; a memory coupled to said processor; a communication port coupled to said processor; and an agent displayed on the host device; wherein the agent launches one or more of the applications stored on the USB token, and wherein the agent prevents the host device from accessing the USB token's memory.04-25-2013
20130104221Group Formation Using Anonymous Broadcast Information - A number of devices co-located at a geographic location can broadcast and receive tokens. Tokens can be exchanged using a communication link having limited communication range. Tokens that are received by a device can be stored locally on the device and/or transmitted to a trusted service operating remotely on a network. In some implementations, the tokens can be stored with corresponding timestamps to assist a trusted service in matching or otherwise correlating the tokens with other tokens provided by other devices. The trusted service can perform an analysis on the tokens and timestamps to identify devices that were co-located at the geographic location at or around a contact time which can be defined by the timestamps. A group can be created based on results of the analysis. Users can be identified as members of the group and invited to join the group.04-25-2013
20130104219CENTRALIZED AUTHENTICATION FOR MULTIPLE APPLICATIONS - Network applications can provide network security without containing any security code or otherwise verifying the authenticity of each request that they receive for service. Instead, a single, centralized network authentication system can be placed between the network applications and all devices requesting services from them. The authenticity of each request for service can then be verified by the centralized network authentication system before the request is passed to the network application to which it is directed. Responses from the network applications may also be channeled back to the systems that made the requests through the centralized network authentication system.04-25-2013
20100275253COMMUNICATION METHOD, COMMUNICATION SYSTEM, MOBILE NODE, AND COMMUNICATION NODE - There is provided a technique for reducing the number of messages handled in a Return Routability (RR) procedure for performing authentication between a mobile node (MN) and a peer communication node (CN). According to the technique, an MN 10-28-2010
20080209532Method For Implementing Access Domain Security of IP Multimedia Subsystem - The present invention discloses a method for implementing access domain security of IP multimedia subsystem (IMS). The method includes: configuring in advance at least one access domain security mechanism on a network device of the IMS network; after receiving a request message from a User Equipment (UE), the network device selecting an access domain security mechanism for the UE according to the configuration of itself or the received request message, and the IMS network performing security control on the access of UE according to the selected access domain security mechanism. The access domain security mechanism includes a user authentication mechanism or a type of a security channel. In this method, one or multiple access domain security mechanisms are configured beforehand on an HSS and/or a P-CSCF, and the HSS, the P-CSCF, or a UE will make a selection from the configured access domain security mechanisms based on practical situations, thereby making the implementation of IMS access domain security more flexible.08-28-2008
20120278876SYSTEM, METHOD AND BUSINESS MODEL FOR AN IDENTITY/CREDENTIAL SERVICE PROVIDER - A methodology, system and business model are disclosed for facilitating a fully automated electronic identity service between a group of consumers and a group of service providers. The system includes at least one servicer and associated computers and memories. A security token is issued to the consumer by an authority. The consumer then personalizes the token by having his or her civil credentials loaded onto the card. The card is serialized by the authority. When the consumer desires access to a service, the system will authenticate the identity of the consumer. Various levels of authentication can be achieved. The service providers will subscribe to the system.11-01-2012
20130152185TRANSACTION PROVISIONING FOR MOBILE WIRELESS COMMUNICATIONS DEVICES AND RELATED METHODS - A mobile communications device may include a memory, a transceiver, and a controller coupled with the memory and the transceiver. The controller may be capable of receiving first authentication data from a security token via communication with the security token, where the first authentication data is associated with an account. The controller may also be capable of transmitting the first authentication data via the transceiver, and receiving second authentication data via the transceiver, where the second authentication data is also associated with the account. The controller may be further capable of storing the second authentication data in the memory, and transmitting a transaction request using the second authentication data.06-13-2013
20100299738CLAIMS-BASED AUTHORIZATION AT AN IDENTITY PROVIDER - Techniques are described herein for managing access to services (e.g., Web sites, applications, results of executable operations, etc.) that are provided by relying parties. A relying party is a processing system that relies on an identity provider to authenticate an entity (e.g., user or software application) that attempts to access a service provided by the relying party. The identity provider is a processing system that is configured to perform authentication and authorization operations with respect to the entity. The identity provider generates a claim that indicates access rights of the entity with respect to the relying party. The identity provider provides the claim to the relying party via a user system or via a direct or indirect link that bypasses the user system. The relying party determines whether to allow the entity to access the service based on the access rights indicated by the claim.11-25-2010
20100306839ENTITY BI-DIRECTIONAL IDENTIFICATOR METHOD AND SYSTEM BASED ON TRUSTABLE THIRD PARTY - An entity bi-directional identification method and system based on a trustable third party thereof are provided. The system comprises a first entity, which is for sending a first message to a second entity, sending a third message to a third entity after receiving a second message sent by the second entity, verifying the fourth message after receiving a fourth message sent by the third entity, sending a fifth message to the second entity after the verification is finished; the second entity, which is for receiving the first message sent by the first entity, sending the second message to the first entity, verifying the fifth message after receiving the fifth message sent by the first entity; the third entity, which is for receiving the third message sent by the first entity, checking if the first entity and the second entity are legal, implementing the pretreatment according to the checking result, sending the first entity the fourth message after the treatment is finished.12-02-2010
20130185784AUTHORITY DELEGATE SYSTEM, SERVER SYSTEM IN AUTHORITY DELEGATE SYSTEM, AND CONTROL METHOD FOR CONTROLLING AUTHORITY DELEGATE SYSTEM - An authority delegate system including a first server system to manage specific information, a second server system to provide a service, an authentication device, and a client operated by a first user who is authorized to use the service, includes a reception unit, a transmission unit, a management unit, a determination unit, and a provision unit. The reception unit receives an authorization token shared range for authorizing specific information usage. The transmission unit transmits to the client a setting screen for setting whether to permit users within the shared range to share the authorization token. The management unit manages the shared range set via the setting screen, and the authorization token issued by the authentication device. The provision unit provides, in response to determining that a second user is included in the shared range and confirming that the authorization token is valid, the service to the second user using the specific information.07-18-2013
20130125228TIMESTAMP-BASED TOKEN REVOCATION - A token used when a first device authenticates itself to a third device may be associated with a token issue timestamp. Upon receipt of an indication that all previously issued tokens are to be revoked, a second device may store a revocation timestamp. Upon receiving, from the second device, a request for establishing conditions for a file transfer, from the first device, and an indication of a token issue timestamp associated with the request, the second device may compare the token issue timestamp to the revocation timestamp. Responsive to determining, based on the comparing, that the token issue timestamp precedes the revocation timestamp, the second device may deny the request.05-16-2013
20110314534Secured Execution Environments and Methods - A secured portable execution environment device could be provided by a business as a fee-based service, where a user selects applications that he wishes to license and methods of securing and backing up the execution environment. The device could be provided as a portable flash drive, which could then be plugged into any computer with any operating system to access the execution environment saved on the drive. When the user executes an application launcher on the flash drive and authenticates his identity, the application launcher allows the user to access secure applications saved on the flash drive and secure data saved in the application launcher environment.12-22-2011
20110314533IDENTITY BROKER CONFIGURED TO AUTHENTICATE USERS TO HOST SERVICES - Techniques are disclosed for an identity broker to authenticate users to a network device, system, or hosted application that uses certain legacy protocols for user authentication. For example, the identity broker may be configured to respond to a user authentication request from a network device formatted as a RADIUS or LDAP message. The identity broker may operate in conjunction with an identity provider to authenticate a user requesting access to a computing resource (e.g., to the network device, system, or hosted application).12-22-2011
20110321149SYSTEM AND METHOD FOR AUTHENTICATING A SOURCE OF RECEIVED ELECTRONIC DATA - A method for verifying and identifying users, and for verifying users' identity, by means of an authentication device capable of transmitting, receiving and recording audio or ultrasonic signals, and capable of converting the signals into digital data, and performing digital signal processing. Voice pattern(s) and user(s) information of one or more authorized user(s) are recorded and stored on the authentication device. User(s) identification is verified by inputting to the authentication device a vocal identification signal from a user, and comparing the voice pattern of the vocal identification signal with the recorded voice pattern(s) of the authorized user(s), and if a match is detected issuing an indication that the user is identified as an authorized user.12-29-2011
20110321148Methods And Systems For Providing a Token-Based Application Firewall Correlation - Token-based firewall functionality. A request is received for access to a resource from a remote user device, the request received by an application firewall. A token is associated with the request. The token and associated information are stored in an event correlator coupled with the application firewall. The token is associated with one or more subsequent actions by the resource in response to receiving the request. A response to the request including the token is generated. The response with the token is transmitted to the remote user device via the application firewall. The application firewall analyzes the response and determines an action to be taken on the response based on the token and the associated information.12-29-2011
20110321147DYNAMIC, TEMPORARY DATA ACCESS TOKEN - Provided are techniques for generating a temporary data access token for a subset of data for a specific period of time for a non-registered user who did not register with a computer providing access to the subset of the data. In response to the non-registered user attempting to access the subset of data with the temporary data access token, it is determined whether the temporary data access token is valid for the subset of data based on the specified period of time. In response to the temporary data access token being valid, the subset of data is provided to the non-registered user. In response to the temporary data access token not being valid, access is denied to the subset of data by the non-registered user.12-29-2011
20130191905SECURE DATA EXCHANGE BETWEEN DATA PROCESSING SYSTEMS - A data transfer method performed at a proxy server includes intercepting a data request from a client computer that is directed to a target server, encrypting profile information, augmenting the data request by adding the encrypted profile information to the data request, and sending the augmented data request to the target server. A data transfer method that is performed at an information server includes receiving a data request from a proxy server, extracting profile information added to the data request by the proxy server, using the extracted profile information to generate a response, and sending the response to the proxy server.07-25-2013
20120030745METHOD FOR CARRYING OUT AN APPLICATION WITH THE AID OF A PORTABLE DATA STORAGE MEDIUM - A method for carrying out an application with the help of a portable data carrier, wherein the data carrier includes two separated communication interfaces. According to the method, a user transmits via a first terminal specified input data for processing by the application to a server via a first data connection between the first terminal and the server. Then, authentication data for authenticating the application based on the input data of the server are transmitted via a second data connection between the server and the data carrier, which is connected via the first communication interface with the first terminal. The authentication data are then transmitted from the data carrier via a third data connection to the second terminal. The third data connection is realized by means of the second communication interface. Finally, upon confirmation of the authentication data by the user via the first or second terminal, confirmation data are transmitted to the server via at least the first or second data connection, whereupon the server executes the application.02-02-2012
20120030744Method of Managing Sensitive Data in an Electronic Token - A method of managing data in an electronic token includes an initial step of storing a first data into the electronic token and into a secured site. Secret data, intended to be initialized in the electronic token, is identified. Instructions and a subset of the first data are also identified, wherein the subset allows the secret data to be rebuilt by applying the instructions. A reference identifying the subset is sent to the electronic token. In the electronic token, the secret data is rebuilt from the first data and the reference by applying the instructions.02-02-2012
20120066758Online User Authentication - A user establishes a verified online identity, for example by providing an identity token and biometric information, and an assurance level is established for that identity for use in an authentication service. Different assurance levels may be provided based on the degree of verification of the user's identity, for example by social network scoring, credit references, or by means of the identity token and biometric information.03-15-2012
20120066756AUTHENTICATION SERVICE - A method that includes authenticating a party based on presentation of a token by the party is described herein.03-15-2012
20120096535One Time Password - A token calculates a one time password by generating an HMAC-SHA-1 value based upon a key K and a counter value C, truncating the generated HMAC-SHA-1 value, and reducing it modulo 10^Digit, where Digit is the number of digits in the one time password. The one time password can be validated by a validation server that calculates its own version of the password using K and its own counter value C′. If there is an initial mismatch, the validation server compensates for a lack of synchronization between counters C and C′ within a look-ahead window, whose size can be set by a parameter s.04-19-2012
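The abstract above describes the HOTP construction standardized in RFC 4226: HMAC-SHA-1 over the counter, dynamic truncation to a 31-bit integer, reduction modulo 10^Digit, and server-side resynchronization within a look-ahead window of s counter values. The following is an added worked example, not code from the patent or from any particular token vendor; the class name `HotpValidator` and its bookkeeping are assumptions for illustration, and the key and counter values in the usage note are the RFC 4226 test vectors.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for (K, C).

    HMAC-SHA-1 is computed over the 8-byte big-endian counter; the low
    nibble of the last MAC byte selects a 4-byte window (dynamic
    truncation); the top bit is masked so the result is a positive 31-bit
    integer, which is then reduced modulo 10^digits and zero-padded."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class HotpValidator:
    """Server side: holds K and its own counter C', and accepts a submitted
    OTP if it matches any of C', C'+1, ..., C'+s (the look-ahead window).
    On success the server counter jumps past the matched value, which both
    resynchronizes the two counters and prevents replay of the same OTP."""

    def __init__(self, key: bytes, digits: int = 6, look_ahead: int = 5):
        self.key = key
        self.digits = digits
        self.look_ahead = look_ahead  # the parameter s in the abstract
        self.counter = 0              # C'

    def validate(self, otp: str) -> bool:
        for i in range(self.look_ahead + 1):
            candidate = self.counter + i
            expected = hotp(self.key, candidate, self.digits)
            # Constant-time comparison of the two digit strings.
            if hmac.compare_digest(expected, otp):
                self.counter = candidate + 1
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test key: the ASCII string "12345678901234567890".
    k = b"12345678901234567890"
    for c in range(3):
        print(c, hotp(k, c))      # 755224, 287082, 359152
```

With the RFC 4226 test key, counters 0 through 9 produce 755224, 287082, 359152, 969429, 338314, 254676, 287922, 162583, 399871 and 520489. A six-digit OTP gives an attacker roughly a one-in-a-million guess per attempt multiplied by the window size, so the look-ahead window must be paired with the throttling RFC 4226 also requires (a failed-attempt counter and lockout or delay); this example deliberately leaves that rate limiting to the caller.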
20130212666TOKENIZATION IN MOBILE ENVIRONMENTS - Data can be protected in mobile and payment environments through various tokenization operations. A mobile device can tokenize communication data based on device information and session information associated with the mobile device. A payment terminal can tokenize payment information received at the payment terminal during a transaction based on transaction information associated with the transaction. Payment data tokenized first with a first set of token tables and according to a first set of tokenization parameters by a first payment entity can be detokenized or re-tokenized with a second set of token tables and according to a second set of tokenization parameters. Payment information can be tokenized and sent to a mobile device as a token card based on one or more selected use rules, and a user can request a transaction based on the token card. The transaction can be authorized if the transaction satisfies the selected use rules.08-15-2013

Patent applications in class Tokens (e.g., smartcards or dongles, etc.)