Entries

Document | Title | Date
--- | --- | ---
20080209206 | Apparatus, method and computer program product providing enforcement of operator lock - A data blob has an operator's certificate that specifies a network. The data blob is encrypted by the network using a private key that authenticates that a user device owns a MAC address. The network sends the encrypted data blob to the user device, which decrypts it using a private key that is locally stored in the user device. From that the user device obtains the operator's certificate, locks the user device to a network specified by the operator's certificate, and sends a response message signed with the private key. The network grants access to the user device based on the signed response message. Various embodiments and further details are detailed. This technique is particularly useful for a WiMAX or WLAN/WiFi network in which there is no SIM card to lock the device to the network. | 08-28-2008 |
20080215878 | Service Management System and Method - The delivery of services is managed by a system that includes a portable device and a management apparatus which receives and decrypts a first identifier generated and encrypted by the portable device. One of the devices also digitally signs a second identifier, which is validated at the other device. | 09-04-2008 |
20080229096 | Network identity management system and method - Users of Internet services (e.g., SKYPE messaging service, GOOGLETALK messaging service, AOL INSTANT MESSENGER messaging service, and MICROSOFT MESSENGER messaging service) that are initially identified using separate identifiers that may be associated with respective service providers (e.g., email addresses) can manage network identities using a single unified set of account information managed by a registry service. The registry authenticates the user's request(s) to bind a service provider identity to his or her personal registry user record. The registry internally associates the service provider identity to an internal unique identifier that is not exposed to subscribers. When a second user wishes to communicate with a first user, the second user provides any service provider identity that is believed to be associated with the first user to determine if the specified service provider identity appears to match the intended subscriber. If so, the second user may specify a nickname (unique to the second subscriber but not necessarily globally unique) to be associated internally within the registry with the internal unique identifier of the first subscriber as part of the second subscriber's user record. Later, even if the first subscriber has relinquished the service provider identity that was originally used to find the first subscriber, the second subscriber can still find the first subscriber by using the associated nickname without either subscriber ever knowing the internal unique identifier of the first subscriber. | 09-18-2008 |
20080229097 | Privacy-protecting integrity attestation of a computing platform - Systems, apparatus and methods for privacy-protecting integrity attestation of a computing platform. An example method for privacy-protecting integrity attestation of a computing platform (P) has a trusted platform module (TPM), and comprises the following steps. First, the computing platform (P) receives configuration values (PCR | 09-18-2008 |
20080244261 | SEPARATION OF LOGICAL TRUSTED PLATFORM MODULES WITHIN A SINGLE PHYSICAL TRUSTED PLATFORM MODULE - A device, method, and system are disclosed. In one embodiment, the device includes storage to contain more than one trust root, and logic to associate each command ordinal sent to the device with one of the trust roots. | 10-02-2008 |
20080244262 | ENHANCED SUPPLICANT FRAMEWORK FOR WIRELESS COMMUNICATIONS - The present disclosure provides a method that may be used in wireless communications. According to one exemplary embodiment, the method may include partitioning a first device into a user operating system including a supplicant client and a secure operating system including a supplicant core. The method may also include performing a user authentication process at the supplicant core. The method may further include transmitting user authentication data from the supplicant core to at least one wireless network and accessing the supplicant core from at least one additional device. Of course, additional embodiments, variations and modifications are possible without departing from this embodiment. | 10-02-2008 |
20080250240 | Remote Informed Watermark Detection System - A system and a method for secure remote informed watermark detection making use of side-information. The system in overview comprises a remote detector and a server computing system wherein a database with side-information assigned to specific descriptors of data signals is stored at the server computing system and wherein a remote detector intending to identify the watermark of a data signal will derive the descriptor of the data signal and subsequently contact the trusted server computing system in order to obtain the necessary side-information for the informed watermark detection. | 10-09-2008 |
20080256356 | SECURE MEDIA BROADCASTING USING TEMPORAL ACCESS CONTROL - Improved key management techniques are disclosed for temporal access control of one or more services in a computer network. For example, a method for providing access control in a client-server system includes the following steps. A client obtains an authorization key for a time interval. A server derives an encryption key corresponding to a given time and uses the encryption key to encrypt a message. The client derives a decryption key corresponding to the given time and decrypts the message. | 10-16-2008 |
20080256357 | METHODS AND APPARATUS FOR ACCESS CONTROL IN SERVICE-ORIENTED COMPUTING ENVIRONMENTS - Improved access control techniques for use in a service-oriented computing environment are disclosed. For example, one method for authenticating a client in a service-oriented environment, wherein the service-oriented environment includes a plurality of services, includes the following steps. At least one service of the plurality of services is invoked. State information is associated with the at least one service invoked. The state information is used to authenticate a client with at least one service. Further, a method for access control in a service-oriented environment, wherein the service-oriented environment includes a plurality of services, includes the following steps. A rule specification language is provided. At least one rule is specified using the rule specification language. A verification is performed to determine whether or not the client satisfies the at least one rule. The client is granted access to a service when the client satisfies the at least one rule. | 10-16-2008 |
20080270786 | APPARATUS AND METHOD FOR DIRECT ANONYMOUS ATTESTATION FROM BILINEAR MAPS - A method and apparatus for direct anonymous attestation from bilinear maps. In one embodiment, the method includes the creation of a public/private key pair for a trusted membership group defined by an issuer; and assigning a unique secret signature key to at least one member device of the trusted membership group defined by the issuer. In one embodiment, using the assigned signature key, a member may sign a message received as an authentication request to prove membership within a trusted membership group. In one embodiment, a group digital signature of the member is verified using a public key of the trusted membership group. Accordingly, a verifier of the digital signature is able to authenticate that the member is an actual member of the trusted membership group without requiring the disclosure of unique identification information of the member or a private member key, to maintain anonymity of trusted member devices. Other embodiments are described and claimed. | 10-30-2008 |
20080282084 | METHODS AND APPARATUS FOR SECURE OPERATING SYSTEM DISTRIBUTION IN A MULTIPROCESSOR SYSTEM - Methods and apparatus provide for: decrypting a first of a plurality of operating systems (OSs) within a first processor of a multiprocessing system using a private key thereof, the plurality of OSs having been encrypted by a trusted third party, other than a manufacturer of the multiprocessing system, using respective public keys, each paired with the private key; executing an authentication program using the first processor to verify that the first OS is valid; and executing the first OS on the first processor. | 11-13-2008 |
20080288773 | SYSTEM AND METHOD FOR AUTHENTICATION OF A COMMUNICATION DEVICE - A system and method for authentication of a communication device is disclosed. A system that incorporates teachings of the present disclosure may include, for example, a communication device having a controller element to compute a shared secret key based at least in part on a communication device (CD) private key and a cryptography algorithm, wherein the CD private key is stored in an identity module of the communication device and is unknown to an authentication center, and wherein the communication device is authenticated by the authentication center based at least in part on the shared secret key. Additional embodiments are disclosed. | 11-20-2008 |
20080288774 | Contact Information Retrieval System and Communication System Using the Same - There is described a communication system allowing communication over one or more communication networks. The communication system includes a domain name server storing a zone data file for a domain associated with a first party, the zone data file including contact information associated with the first party, the contact information including a plurality of electronic communication identifiers associated with the first party with each electronic communication identifier being associated with a corresponding communication protocol. An access granting system enables the first party to grant a second party access to one or more of the plurality of electronic communication identifiers. In particular, the access granting system encrypts one or more electronic communication identifiers to generate encrypted contact information, stores the encrypted contact information in the zone data file in association with a sub-domain of the domain associated with the first party, and provides the second party with access to the identity of said sub-domain. | 11-20-2008 |
20080301435 | Peer-to-peer security authentication protocol - A salt transmitted by a second node is received at a first node. The received salt is used to decrypt encrypted data. Optionally, authorization to access a service provided by the second node is received by the first node. In some cases the service includes access to one or more files. | 12-04-2008 |
20080301436 | METHOD AND APPARATUS FOR PERFORMING AUTHENTICATION BETWEEN CLIENTS USING SESSION KEY SHARED WITH SERVER - Provided is a method and apparatus for performing authentication between clients that complete authentication with a server. The method includes receiving first authentication information generated using the second session key from the server; receiving second authentication information generated using the second session key from the second client; and determining whether the authentication with the second client is successful using the first authentication information and the second authentication information. | 12-04-2008 |
20080301437 | Method of Controlling Access to a Scrambled Content - A method for access control to a digital scrambled content distributed to a set of installed reception terminals including one master terminal and at least one slave terminal dependent on the master terminal. In the method the slave terminal systematically or occasionally returns at least one item of information about the access condition to the master terminal through a point-to-point link, to enable the master terminal to control access of the slave terminal to the content. | 12-04-2008 |
20080307220 | VIRTUAL CLOSED-CIRCUIT COMMUNICATIONS - A virtual closed circuit supports transactions between businesses and consumers. More generally, techniques are disclosed for supporting a secure, non-public, business-to-consumer communication link suitable for use with financial transactions and other data communications related thereto. The communication link may be deployed in a desktop widget or other application to integrate communications and interactions with various authenticated online businesses. | 12-11-2008 |
20080320298 | System and Method for Protecting Electronic Devices - An electronic safe includes apparatus ID codes of various electronic devices as well as security keys associated with the apparatus ID codes. In order for an electronic device to be operated, it must first make connection with the electronic safe in order to verify the security key. Once the security key is received and verified, the electronic device is enabled to perform its function. However, if the security key is not received or not verified, the electronic device is disabled until such time as the security key is received and verified. This would effectively render stolen electronic devices unusable and worthless. | 12-25-2008 |
20090006842 | Sealing Electronic Data Associated With Multiple Electronic Documents - The description generally provides for systems and methods for a mobile communication network. Archives of seals can be sealed to protect the integrity of the seals and facilitate validation in the event a sealing party's sealed registration document is revoked. A document can be sealed multiple times to nest seals within other seals. Specific evidentiary metadata can be included by the sealing party. A main document including or associated with other documents can be sealed as a collection of documents. The seal of the main document can include external references to the files included in the main document to verify the external files were not changed or altered. | 01-01-2009 |
20090006843 | METHOD AND SYSTEM FOR PROVIDING A TRUSTED PLATFORM MODULE IN A HYPERVISOR ENVIRONMENT - A method is presented for implementing a trusted computing environment within a data processing system. A hypervisor is initialized within the data processing system, and the hypervisor supervises a plurality of logical, partitionable, runtime environments within the data processing system. The hypervisor reserves a logical partition for a hypervisor-based trusted platform module (TPM) and presents the hypervisor-based trusted platform module to other logical partitions as a virtual device via a device interface. Each time that the hypervisor creates a logical partition within the data processing system, the hypervisor also instantiates a logical TPM within the reserved partition such that the logical TPM is anchored to the hypervisor-based TPM. The hypervisor manages multiple logical TPMs within the reserved partition such that each logical TPM is uniquely associated with a logical partition. | 01-01-2009 |
20090013176 | APPLICATION LEVEL INTEGRATION IN SUPPORT OF A DISTRIBUTED NETWORK MANAGEMENT AND SERVICE PROVISIONING SOLUTION - An integrated data network management and data service provisioning environment is provided. The integrated environment includes legacy software application code and current software application code each augmented with code portions enabling exchange of information therebetween via an interworking layer. A facility for participation in and interacting with the integrated environment is also provided. A man-machine interface is integrated across different applications which themselves may be executed on different computers to provide a seamless exchange of information. The advantages are derived from enhanced usage efficiencies in providing data network management and service provisioning solutions. The interworking layer also provides for security enforcement across applications participating in the integrated environment. | 01-08-2009 |
20090024844 | Terminal And Method For Receiving Data In A Network - In embodiments of the present invention, a method of processing data in a network is provided. In the method, a terminal receives data from the network and is operated in two states. In the first state, in which the terminal is connected to the network, the terminal causes the data to be usable. In the second state, in which the terminal is not connected to the network, the terminal causes the data to be unusable. | 01-22-2009 |
20090031125 | Method and Apparatus for Using a Third Party Authentication Server - A method and apparatus for a third party authentication server is described. The method includes receiving a record ID for a user, and a one-time key generated by the server and encrypted with a user's public key by the server. The method further includes receiving the user's authentication data from the client, and determining if the user's authentication data matches the record ID. If the authentication data matches the record ID, the one-time key is decrypted with the user's private key and the decrypted one-time key is returned to the client. | 01-29-2009 |
20090037725 | CLIENT-SERVER OPAQUE TOKEN PASSING APPARATUS AND METHOD - In the computer client-server context, typically used in the Internet for communicating between a central server and user computers (clients), a method is provided for token passing which enhances security for client-server communications. The token passing is opaque, that is, tokens as generated by the client and server are different and can be generated only by one or the other but can be verified by the other. This approach allows the server to remain stateless, since all state information is maintained at the client side. This operates to authenticate the client to the server and vice versa to defeat hacking attacks, that is, penetrations intended to obtain confidential information. The token as passed includes encrypted values including encrypted random numbers generated separately by the client and server, and authentication values based on the random numbers and other verification data generated using cryptographic techniques. | 02-05-2009 |
20090037726 | SECURE VERIFICATION USING A SET-TOP-BOX CHIP - One or more methods and systems of authenticating or verifying a set-top-box chip in a set-top-box are presented. In one embodiment, a set-top-box incorporates a set-top-box chip used to decode or decrypt media content provided by a cable television operator or carrier. The set-top-box chip incorporates a decryption circuitry, a compare circuitry, a hash function circuitry, a key generation circuitry, a back channel return circuitry, a linear feedback shift register, a timer reset circuitry, a modify enable status circuitry, a one time programmable memory, and a non-volatile memory. The cable TV carrier validates a set-top-box chip used in a set-top-box by way of a verification sequence that requires a successful verification by the set-top-box chip. | 02-05-2009 |
20090044007 | Secure Communication Between a Data Processing Device and a Security Module - A method of creating a secure link between a data processing device (MOB) and a security module (USIM), the data processing device being adapted to communicate with a security module storing a secret data item (k) necessary for the execution by the device of a data processing task, the data processing device and the security module being adapted to communicate with a telecommunications network (RES), wherein the method comprises the steps of: identifying the data processing device (MOB) and the module (USIM) for which a secure link is to be set up in order to send said secret data item (k) from the module to the device; a step of delivering an encryption key (K) in which a trusted server (SC) connected to the telecommunications network delivers an encryption key (K) both to the module (USIM) and to the data processing device (MOB) that have been identified; an encryption step in which said secret data item (k) is encrypted in the module by means of said encryption key (K); a transmission step in which the result of the encryption step is sent by the module (USIM) that has been identified to the device (MOB) that has been identified; and a decryption step in which the device (MOB) decrypts the result that has been received by means of said encryption key (K) that has been received and obtains said secret data item (k). | 02-12-2009 |
20090055642 | Method, system and computer program for protecting user credentials against security attacks - A method, system and computer program are provided for protecting against one or more security attacks from third parties directed at obtaining user credentials on an unauthorized basis, as between a client computer associated with a user and a server computer. The server computer defines a trusted Public Key Cryptography utility for use on the client computer. The Public Key Cryptography utility is operable to perform one or more cryptographic operations consisting of encrypting/decrypting data, authenticating data, and/or authenticating a sender, decrypting and/or verifying data. The user authenticates to the Public Key Cryptography utility, thereby invoking the accessing of user credentials associated with the user, as defined by the server computer. The Public Key Cryptography Utility facilitates the communication of the user credentials to the server computer, whether directly or indirectly via an authentication agent, the server computer thereby authenticating the user. In response, the server computer provides the user with access to one or more system resources linked to the server computer. The present invention also provides a series of methods enabling the server computer to authenticate the user by operation of the Public Key Cryptography utility and/or based on enrolment of the user and providing the Public Key Cryptography utility to the user. | 02-26-2009 |
20090063850 | MULTIPLE FACTOR USER AUTHENTICATION SYSTEM - The present invention describes a method and a system for multi-level authentication of a user and a server. The user registration process in the invention enables the user to personalize the web page of the server. Further, the user authentication takes place in a multi-step process including entering credentials such as user ID, a subset of the user's password, a subset of a shared secret and a One Time Password (OTP). The system of the present invention provides various means of entering the said credentials which prevent phishing attacks. | 03-05-2009 |
20090063851 | ESTABLISHING COMMUNICATIONS - A method of establishing direct and secure communication between two wireless communications devices is disclosed. The wireless communications devices each have an existing trust relationship with an authentication server operable to authenticate access to a communication network on the basis of those existing trust relationships. The method comprises: (i) sending a communication request message directly from a first wireless communications device to a second wireless communications device; (ii) operating one of said wireless communication devices to request a symmetric encryption key from an authentication server; (iii) responsive to said request, operating said authentication server to: authenticate said one of said wireless communications devices on the basis of said existing trust relationship; generate said symmetric encryption key on successful authentication of said one of said wireless communications devices; and send said symmetric encryption key to said one of said wireless communications devices; (iv) responsive to receiving said symmetric encryption key, storing said symmetric encryption key at said one of said wireless communications devices and communicating it directly to the other wireless communications device; (v) securing direct communications between said wireless communications devices using said symmetric encryption key. | 03-05-2009 |
20090070578 | Methods And Systems For Transmitting Secure Application Input Via A Portable Device - Methods and systems are described for transmitting secure application input via a portable device. In one embodiment, a method includes connecting a portable device to a communication bus of a computing device for exchanging information between the portable device and the computing device. The method further includes connecting the portable device to an input device for exchanging information between the portable device and the input device. The method still further includes transmitting input received from the input device connected to the portable device to the communication bus of the computing device. The input is directed to an application both associated with the portable device and instantiated into a runtime environment of the computing device. The application is further associated with an input component configured for allowing the application to only receive input transmitted via the portable device when the application is instantiated into the runtime environment of the computing device. | 03-12-2009 |
20090070579 | Information processing system and login method - Provided is an information processing system and a login method capable of simplifying login processing and also simplifying the entire configuration of the system. | 03-12-2009 |
20090077373 | SYSTEM AND METHOD FOR PROVIDING VERIFIED INFORMATION REGARDING A NETWORKED SITE - A system and method are disclosed for presenting a message relating to a networked site on an end-user device, the message preferably originating from a third party that is not a provider of the site. The end-user device receives a message blob containing the message and associated verification information when the networked site is accessed. A verification application then sends a request to verify the authenticity of a message blob to a verification server. If the verification server verifies that the message blob is authentic based on the verification information, presentation of the site-specific information on the end-user device is enabled. | 03-19-2009 |
20090100260 | Location source authentication - A method and system to validate the source of the location data, such that access to location based service is protected based on a location. When the source of the location data is verified, an authentication, and/or a temporary key pair are generated for the computational device to successfully get the location based service. Moreover, the Location Based Service is assured of providing service to the computational device only at the authorized location. A method and system for managing access to the location based service is also disclosed. A request is received to authenticate the source of the location either by the computational device or by the location based service provider. Access to the location based service is granted when the location is an authorized location. Once access is granted, the temporary key pair is used for successful transactions. Moreover, the validity of the location source is constantly validated by expiring the temporary key pair with time duration. | 04-16-2009 |
20090100261 | METHOD AND SYSTEM FOR MEDIATION OF AUTHENTICATION WITHIN A COMMUNICATION NETWORK - A method, a system, and a computer software product provide mediation of authentication within a communication network. The method comprises the steps of sending a request to mediate authentication between a first node | 04-16-2009 |
20090100262 | APPARATUS AND METHOD FOR DETECTING DUPLICATION OF PORTABLE SUBSCRIBER STATION IN PORTABLE INTERNET SYSTEM - An apparatus and method for detecting duplication of a portable subscriber station (PSS) in a portable Internet system are provided. A master key of a PSS and a master key of an AAA server are identically updated whenever the PSS succeeds in authentication. It is possible to determine whether the PSS is duplicated or not by comparing the master key of the PSS with the master key of the AAA server during an authentication procedure. In addition, it is possible to find out whether duplication of the corresponding PSS was made by the user's own volition or by a third party by additionally performing an authentication procedure which requires input of a password for a PSS which is suspected of being duplicated. | 04-16-2009 |
20090113205 | METHOD AND APPARATUS FOR THE SECURE IDENTIFICATION OF THE OWNER OF A PORTABLE DEVICE - An authentication system is provided that includes a portable device and a decryption node. An individual uses the portable device, such as a cell phone, to compute a challenge and a response. The challenge and response are sent to a decryption node. In response, the decryption node computes a presumed response and compares the presumed response to the response of the portable device, in order to authenticate the individual associated with the portable device. | 04-30-2009 |
20090125715 | METHOD AND APPARATUS FOR REMOTELY AUTHENTICATING A COMMAND - A system that remotely authenticates a command is presented. During operation, an authentication system receives the command from an intermediary system, wherein the command is to be executed on a target system. Next, the authentication system authenticates the intermediary system. If the intermediary system is successfully authenticated, the authentication system authenticates the command using a private key for the authentication system to produce an authenticated command. Next, the authentication system sends the authenticated command to the intermediary system, thereby enabling the intermediary system to send the authenticated command to the target system so that the target system can use a public key for the authentication system to verify and execute the command. | 05-14-2009 |
20090138703 | Disabling Remote Logins Without Passwords - A method and apparatus for disabling password-less remote logins. In one embodiment, the method comprises receiving a remote login request at a first computing system from a user of a second computing system. Both the first computing system and the second computing system mount home directories from a file server. The request includes a public key associated with the user. An authorized key file associated with the user is located in the home directories. The authorized key file has zero length and is owned by a root user of the file server. The method further comprises prompting the user of the second computing system for a password in response to the request. | 05-28-2009 |
20090144539 | HEADEND SYSTEM FOR DOWNLOADABLE CONDITIONAL ACCESS SERVICE AND METHOD OF OPERATING THE SAME - A method of operating a headend system for a downloadable conditional access service, the method including: receiving, by an Authentication Proxy (AP) server, basic authentication information from a Downloadable Conditional Access System (DCAS) host, the basic authentication information being required to authenticate the DCAS host; transmitting, by the AP server, the basic authentication information to an external trusted authority device which authenticates the DCAS host; generating, by the AP server, a session key for encrypting/decrypting a secure micro client using a session key sharing factor; obtaining, by the AP server, download-related information of the secure micro client from a DCAS Provisioning Server (DPS); and commanding, by the AP server, an Integrated Personalization System (IPS) server to download the secure micro client to the DCAS host based on the download-related information, the secure micro client being encrypted by the session key. | 06-04-2009 |
20090158028 | DRM METHOD AND DRM SYSTEM USING TRUSTED PLATFORM MODULE - The present invention relates to a terminal apparatus including a trusted platform module (TPM) and a DRM method using the same. The terminal apparatus receives information on a validity period from a server, uses the TPM to generate a public key including the information on the validity period, transmits the public key to the server, receives encoded digital contents from the server, and uses the TPM to decode the received digital contents. | 06-18-2009 |
20090158029 | MANUFACTURING UNIQUE DEVICES THAT GENERATE DIGITAL SIGNATURES - A method of manufacturing devices that generate digital signatures such that each device may be reliably and uniquely identified includes creating a public-private key pair within each device during manufacture; exporting only the public key from the device; retaining the private key within the device against the possibility of divulgement thereof by the device; and securely linking said exported public key with other information within the environment of the manufacture of the device, whereby each device is securely bound with its respective public key. A database of PuK-linked account information of users is maintained. The PuK-linked account information for each user includes a public key of such a device; information securely linked with the public key during manufacture; and third-party account identifiers, each of which identifies an account to a third-party of the user maintained with the third-party that has been associated with the user's public key by the third-party. | 06-18-2009 |
20090164774 | METHODS AND SYSTEMS FOR SECURE CHANNEL INITIALIZATION - Methods and systems for secure channel initialization between a client network element and a server network element are disclosed. In accordance with one embodiment of the present disclosure, the method includes: sending a secure channel initialization request from the client network element to the server network element; receiving the secure channel initialization request at the server network element; creating a server credential and a client credential at the server network element; and sending a secure channel initialization response from the server network element to the client network element, the secure channel initialization response including the server credential and the client credential, wherein said server credential and said client credential are used to establish a secure session. | 06-25-2009 |
20090164775 | Broadband computer system - A broadband computer system comprising a network, a client computer comprising a secure log-on means, a user interaction means, a display means, processing means and client data storage means, wherein applications used on the client computer are stored on the client data storage means; a server connected to the network comprising a secure log-on verification means and server data storage means, wherein the secure log-on means communicates with the secure log-on verification means across the network to authenticate a user and, after authentication, the processing means of the client computer provides a suite of applications for use by the user and wherein any user data required by the suite of applications is provided across the network by the server data storage means. | 06-25-2009 |
20090187759 | SYSTEMS, METHODS, AND COMPUTER READABLE MEDIA FOR APPLICATION-LEVEL AUTHENTICATION OF MESSAGES IN A TELECOMMUNICATIONS NETWORK - Systems, methods, and computer readable media for application-level authentication in a telecommunications network are disclosed. According to one aspect, the subject matter described herein includes a method for application-level authentication of messages in a telecommunications network. The method includes, at a node in a telecommunications network, receiving, from a personal communications device having a user, a message requiring application-level authentication, the message including information associated with the user and incorporating first authentication information associated with the user, the first authentication information being provided from a source that is not the user of the personal communications device. A request for second authentication information associated with the user is sent to an authentication server. Second authentication information associated with the user is received from the authentication server, and the authenticity of the message is determined based on the second authentication information associated with the user. | 07-23-2009 |
20090198996 | SYSTEM AND METHOD FOR PROVIDING CELLULAR ACCESS POINTS - A system and method for providing an identity association between a subscriber in a private network and a provider over a public network is described. The system and method include a subscriber security gateway in the private network, the subscriber security gateway providing policy enforcement and signaling between the private network and the provider over the public network, and at least one digital key associated with the provider and readable by the subscriber security gateway and operable to provide an identity association with the provider. The system further includes a network device in the private network, the network device operable to establish a trusted media channel between the provider and the network device using the public network as a result of the signaling and policy enforcement at the subscriber security gateway using the digital keys, and a security gateway in the provider network, the security gateway including a registry for authenticating the user using the digital key and for maintaining a record of the subscriber's relationship with the provider. | 08-06-2009 |
20090198997 | System and method for secure electronic communication services - A system, method and software module for secure electronic communication services, wherein a public key ( | 08-06-2009 |
20090198998 | Method and apparatus of ensuring security of communication in home network - Provided are a method and apparatus for ensuring communication security between a control apparatus and a controlled apparatus in a home network. The control apparatus in the home network establishes a registration Secure Authenticated Channel (SAC) with the controlled apparatus by using a Transport Layer Security Pre-Shared Key ciphersuites (TLS-PSK) protocol implemented by using a Product Identification Number (PIN) of the controlled apparatus input from a user, shares a private key with the controlled apparatus via the registration SAC, and uses services of the controlled apparatus via a service SAC established by using the TLS-PSK protocol implemented by using the shared private key to easily implement a framework ensuring communication security in the home network. | 08-06-2009 |
20090198999 | SYSTEM AND METHOD FOR DISTRIBUTING KEYS IN A WIRELESS NETWORK - A technique for improving authentication speed when a client roams from a first authentication domain to a second authentication domain involves coupling authenticators associated with the first and second authentication domains to an authentication server. A system according to the technique may include, for example, a first authenticator using an encryption key to ensure secure network communication, a second authenticator using the same encryption key to ensure secure network communication, and a server coupled to the first authenticator and the second authenticator wherein the server distributes, to the first authenticator and the second authenticator, information to extract the encryption key from messages that a client sends to the first authenticator and the second authenticator. | 08-06-2009 |
20090204806 | CERTIFYING DEVICE, VERIFYING DEVICE, VERIFYING SYSTEM, COMPUTER PROGRAM AND INTEGRATED CIRCUIT - An authentication system that can show having an authentic computer program, can certify the authenticity of itself, and can verify the certification. The authentication system is composed of a terminal (requesting device) and a card (verifying device). The card stores secret information to be used by the terminal, and an update program for the terminal. The card verifies authenticity of the terminal using information obtained from the terminal. When it judges that the terminal is authentic, the card outputs the secret information to the terminal. When it judges that the terminal is not authentic, the card outputs the update program. With this structure, the terminal is forced to update the program when it attempts to use the secret information. | 08-13-2009 |
20090204807 | ABSTRACTION FUNCTION FOR MOBILE HANDSETS - Handset, computer software and method for protecting sensitive network information, available in the handset, from disclosure to an unauthorized server, by using an abstraction function module, the handset being connected to a network. The method includes receiving at the abstraction function module an encoding key from an abstraction server; receiving at the abstraction function module a request from a client or application for providing the sensitive network information from a control plane module of the handset, wherein the client or application resides in a user plane module, which is different from the control plane module, the sensitive network information is stored in the control plane module of the handset, and both the control plane module and the user plane module reside in the handset; retrieving by the abstraction function module the requested sensitive network information from the control plane module; encrypting, by the abstraction function module, the retrieved sensitive network information based on the received encoding key; and providing the encrypted sensitive network information to the client or application in the user plane module. | 08-13-2009 |
20090204808 | Session Key Security Protocol - Exchanging information in a multi-site authentication system. A network server receives, from an authentication server, a request by a client computing device for a service provided by the network server along with an authentication ticket. The authentication ticket includes: a session key encrypted by a public key associated with the network server, message content encrypted by the session key, and a signature for the encrypted session key and the encrypted message content. The signature includes address information of the network server. The network server identifies its own address information in the signature to validate the signature included in the authentication ticket and verifies the authentication ticket content based on the signature included in the authentication ticket. The network server decrypts the encrypted session key via a private key associated with the second network server and decrypts the encrypted message content via the decrypted session key. | 08-13-2009 |
20090210699 | METHOD AND APPARATUS FOR SECURE NETWORK ENCLAVES - Methods and apparatus are disclosed to provide for security within a network enclave. In one embodiment authentication logic initiates authentication with a central network authority. Packet processing logic receives a key and an identifier from the central network authority. Security protocol logic then establishes a client-server security association through a communication that includes a client identifier and an encrypted portion and/or an authorization signature, wherein a client authorization key allocated by the central network authority can be reproduced by a server, other than said central network authority, from the client identifier and a derivation key provided to the server by the central network authority to decrypt the encrypted portion and/or to validate the communication using the authorization signature. The server may also provide the client with new session keys and/or new client session identifiers using server-generated derivation keys if desired, protecting these with the client authorization key. | 08-20-2009 |
20090210700 | COMPUTER SYSTEM FOR JUDGING WHETHER TO PERMIT USE OF DATA BASED ON LOCATION OF TERMINAL - There is provided a computer system comprising a storage system, a terminal, a management server, and a positioning module for identifying a location of the terminal. The terminal identifies the location of the terminal by the positioning module in a case of using the data, transmits terminal information including the identified location of the terminal to the management server, and transmits a usage request for the data to the management server. The management server judges whether or not use of the data is to be permitted based on the terminal information, and transmits permit information including usage conditions for the data to the terminal in a case where the use of the data is to be permitted. The terminal selects at least one of the volatile storage area and the nonvolatile storage area based on the usage conditions, and stores the copy of the data therein. | 08-20-2009 |
20090217033 | Short Authentication Procedure In Wireless Data Communications Networks - In a wireless communications network including at least one authenticator and at least one authentication server, wherein the authenticator is adapted to interact with the authentication server for authenticating supplicants in order to conditionally grant thereto access to the wireless communications network, a short authentication method for authenticating a supplicant, the method including: providing a shared secret, shared by and available at the supplicant and the authentication server; having the supplicant provide to the authenticator an authentication token, wherein the authentication token is based on the shared secret available thereat; having the authenticator forward the authentication token to the authentication server; having the authentication server ascertain an authenticity of the received authentication token based on the shared secret available thereat; in case the authenticity of the authentication token is ascertained, having the authentication server generate a first authentication key based on the shared secret available thereat, and provide the generated authentication key to the authenticator; having the supplicant generate a second authentication key based on the shared secret; and having the supplicant and the authenticator exploit the generated first and the second keys for communicating with each other. The short authentication method is particularly useful in situations of handoff of the supplicant from an authenticator to another. | 08-27-2009 |
20090222656 | SECURE ONLINE SERVICE PROVIDER COMMUNICATION - Computer-readable media, systems, and methods for encrypting communications between a client and an online service provider to ensure the communications are secure. In embodiments an authentication request is received from a user agent associated with the client and the authentication request includes identification information and authentication information. Additionally, it is determined that the identification and authentication information are associated with a user. An authentication ticket is created that includes a user identification and an authentication and indicates to the online service provider that the user is authenticated to access one or more services. Further, a session key is generated and an encrypted session key is embedded into the authentication ticket. The session key is encrypted and the private key is known only to the online service provider and the public key is known at least by an authentication server. | 09-03-2009 |
20090259839 | SECURITY AUTHENTICATION SYSTEM AND METHOD - Authentication system and method are provided. The authentication system includes: a server configured to provide at least two security levels and configured to transmit one of at least two security modules corresponding to the security level of a user terminal, via communications network, to the user terminal based, at least in part, upon an environment of the user terminal; and an authentication server communicatively linked with the server and configured to perform a user authentication in response to a user authentication request from the user terminal. Accordingly, various hackings can be prevented and the user authentication can be accomplished with user's convenience and security. | 10-15-2009 |
20090259840 | Systems and methods for authenticating an electronic message - Systems and methods are disclosed for authenticating electronic messages. A data structure is generated by a computer server which allows for the authentication of the contents and computer server identity of a received electronic message and provides a trusted stamp to authenticate when the message was sent. Data which can authenticate the message, the computer server identity, and the time the message was sent is included into a data structure which is called an Electronic PostMark (EPM). | 10-15-2009 |
20090271617 | PRIVACY PROTECTED COOPERATION NETWORK - A computerized method and apparatus are established to identify a subject of common interest among multiple parties without releasing the true identity of any subject. Furthermore, a computerized network provides different parties at different locations with a mechanism to conduct cooperative activities concerning such a subject of common interest without exposing that subject to possible identity theft. | 10-29-2009 |
20090271618 | ATTESTATION OF COMPUTING PLATFORMS - A method and apparatus for attesting the configuration of a computing platform to a verifier. A signature key (SK) is bound to the platform and bound to a defined configuration of the platform. A credential (C(SK), C | 10-29-2009 |
20090276620 | Client authentication during network boot - A secure mechanism for performing a network boot sequence and provisioning a remote device may use a private key of a public key/private key encryption mechanism to generate a command by a server and have the command executed by the device. The command may be used to verify the authenticity of the remote device, and may be used to establish ownership of the device. After authenticity and, in some cases ownership is established, bootable software may be downloaded and executed. The remote device may be provisioned with software applications. One mechanism for performing the initial encrypted commands is through a Trusted Platform Module. In many embodiments, the public key for the initial encrypted communication may be provided through a trusted second channel. | 11-05-2009 |
20090276621 | SECRET AUTHENTICATION SYSTEM - An authenticated apparatus generates scrambled data from key data and authentication data, such that another key data, which configures the product data, or authentication data is obtained through back-calculation of the product data by using the authentication data or key data, the scrambled data including the product data and the like generated by multiplying the authentication data indicative of the authenticated apparatus's or a user's authenticity by the key data. The authenticated apparatus generates verification data through an operation of the authentication data, key data, or scrambled data, and transmits the verification data and scrambled data to an authenticating apparatus. The authenticating apparatus then verifies authenticity of the authenticated apparatus based on the verification data and scrambled data received from the authenticated apparatus and each authenticated apparatus's or each user's authentication data stored in the authenticating apparatus. | 11-05-2009 |
20090276622 | SECRET AUTHENTICATION SYSTEM - Authentication data is distributedly defined by a plurality of distributed data, including function data specifying a function. A portion of the distributed data is shared between an authenticated apparatus and an authenticating apparatus. The authenticated apparatus obtains verification data from the distributed data unshared with the authenticated apparatus, and transmits the verification data. The authenticating apparatus verifies authenticity of the authenticated apparatus, based on the verification data and the like received from the authenticated apparatus. The authenticated apparatus generates the distributed data containing predetermined control data, and transmits the distributed data to the authenticating apparatus. The authenticating apparatus extracts the control data from the distributed data containing the control data, and determines whether or not authentication is granted based on the control data. | 11-05-2009 |
20090276623 | Enterprise Device Recovery - An administrator of an enterprise can recover a user secure storage device in conjunction with a third-party service without the administrator knowing a user secure storage device password. The administrator secure storage device is communicatively coupled with a host computer. A user secure storage device is communicatively coupled with a host computer. The administrator secure storage device is authenticated to the third-party service. One or more decryptions are performed on an encrypted portion of data with an enterprise private key and a shared administrator private key to produce information associated with the user secure storage device password. The administrator is logged into the user secure storage device using the information associated with the user secure storage device password without the administrator knowing the user secure storage device password. | 11-05-2009 |
20090282238 | Secure handoff in a wireless local area network - A system and method including computing keying information by a server for authentication of devices accessing a wireless local area network and forwarding the keying information by the server to access points included in a security domain of the wireless local area network, wherein one of the access points is associated with a mobile device are described. | 11-12-2009 |
20090282239 | SYSTEM, METHOD AND PROGRAM PRODUCT FOR CONSOLIDATED AUTHENTICATION - A first computer sends a request to the second computer to access the application. In response, the second computer determines that the user has not yet been authenticated to the application. In response, the second computer redirects the request to a third computer. In response, the third computer determines that the user has been authenticated to the third computer. In response, the third computer authenticates the user to the application. In response, the second computer returns a session key to the third computer for a session between the application and the user. The session has a scope of the second computer or the application but not a scope of a domain. In response to the authentication of the user to the second application and receipt by the third computer of the session key from the second computer for a session between the user and the second computer or the application, the third computer generates another session key with a scope of the domain and sends the domain-scope session key to the first computer. The first computer sends another request to the application with the domain-scope session key. | 11-12-2009 |
20090287921 | MOBILE DEVICE ASSISTED SECURE COMPUTER NETWORK COMMUNICATION - Mobile device assisted secure computer network communications embodiments are presented that employ a mobile device (e.g., a mobile phone, personal digital assistant (PDA), and the like) to assist in user authentication. In general, this is accomplished by having a user enter a password into a client computer which is in contact with a server associated with a secure Web site. This password is integrated with a secret value, which is generated in real time by the mobile device. The secret value is bound to both the mobile device's hardware and the secure Web site being accessed, such that it is unique to both. In this way, a different secret value is generated for each secure Web site accessed, and another user cannot impersonate the user and log into a secure Web site unless he or she knows the password and possesses the user's mobile device simultaneously. | 11-19-2009 |
20090287922 | PROVISION OF SECURE COMMUNICATIONS CONNECTION USING THIRD PARTY AUTHENTICATION - The present invention relates to communications, and in particular though not exclusively to forming a secure connection between two untrusted devices. The present invention provides a method of securely connecting a first device (A) to a second device (B) using a third party authentication server (AS) coupled to the second device, the first device and the authentication server both having first device shared secret data (SSDa) and the second device and the authentication server both having second device shared secret data (SSDb). The method comprises receiving a request from the first device at the authentication server; the authentication server and the first device both generating a first device key (K_A) using the first device shared secret data in response to a first device random number (RANDa) sent from the authentication server to the first device; the authentication server and the second device both generating a second device key (K_B) using the second device shared secret data in response to a second device random number (RANDb) sent from the authentication server to the second device; and the authentication server securely forwarding to the second device (B) and the first device (A) a common key (K_AB) using the second and first device keys (K_B, K_A). | 11-19-2009 |
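The exchange described above, as an added example that is not the patent's code: two devices each share a long-term secret (SSDa, SSDb) only with the authentication server; the server derives K_A and K_B from those secrets and fresh random values, generates a common key K_AB, and forwards it to each device wrapped under that device's derived key. Key derivation uses HMAC-SHA256 from the Python standard library; the key wrap is an encrypt-then-MAC construction built from HMAC that stands in for a real AEAD. The message layout, the derivation labels and the inclusion of the peer's name in the wrapped payload are assumptions of the example.

```python
"""Three-party key establishment between two devices that share secrets
only with an authentication server.

Added example following the exchange in 20090287922 (not code from the
patent). Key derivation uses HMAC-SHA256; the key wrap is an
encrypt-then-MAC construction built from HMAC, standing in for a real
AEAD. Message layout, labels and the inclusion of the peer's name in the
wrapped payload are assumptions of this example.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def kdf(shared_secret: bytes, label: bytes, rand: bytes) -> bytes:
    """Derive a per-session key from a long-term shared secret and a nonce."""
    return hmac.new(shared_secret, label + rand, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with keys split from `key`; output is nonce || ct || tag."""
    enc_key, mac_key = kdf(key, b"enc", b""), kdf(key, b"mac", b"")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on any modification."""
    enc_key, mac_key = kdf(key, b"enc", b""), kdf(key, b"mac", b"")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Device:
    """A or B: holds only its own shared secret data (SSDa or SSDb)."""

    def __init__(self, name: str, ssd: bytes):
        self.name, self.ssd = name, ssd
        self.session_key = None
        self.peer = None

    def receive(self, rand: bytes, blob: bytes) -> None:
        # Derive K_A (or K_B) from SSD and the server's RAND, then unwrap K_AB.
        k = kdf(self.ssd, b"device-key", rand)
        payload = unwrap(k, blob)
        self.session_key, self.peer = payload[:KEY_LEN], payload[KEY_LEN:].decode()


class AuthServer:
    """Knows every device's SSD; the devices never learn each other's."""

    def __init__(self, registry: dict):
        self.registry = registry  # name -> SSD

    def connect(self, a: str, b: str):
        rand_a, rand_b = secrets.token_bytes(16), secrets.token_bytes(16)  # RANDa, RANDb
        k_a = kdf(self.registry[a], b"device-key", rand_a)
        k_b = kdf(self.registry[b], b"device-key", rand_b)
        k_ab = secrets.token_bytes(KEY_LEN)  # the common key K_AB
        # Each device gets K_AB plus the name of the peer it is now keyed with.
        return (rand_a, wrap(k_a, k_ab + b.encode())), (rand_b, wrap(k_b, k_ab + a.encode()))


def run_protocol():
    """Full exchange; returns the two devices after they unwrap K_AB."""
    ssd_a, ssd_b = secrets.token_bytes(32), secrets.token_bytes(32)  # provisioned out of band
    a, b = Device("A", ssd_a), Device("B", ssd_b)
    server = AuthServer({"A": ssd_a, "B": ssd_b})
    msg_a, msg_b = server.connect("A", "B")
    a.receive(*msg_a)
    b.receive(*msg_b)
    return a, b


def tamper_detected() -> bool:
    """Flip one ciphertext byte in A's message and confirm unwrap rejects it."""
    ssd_a = secrets.token_bytes(32)
    server = AuthServer({"A": ssd_a, "B": secrets.token_bytes(32)})
    (rand_a, blob), _ = server.connect("A", "B")
    bad = bytearray(blob)
    bad[NONCE_LEN] ^= 0x01
    try:
        Device("A", ssd_a).receive(rand_a, bytes(bad))
    except ValueError:
        return True
    return False
```

Because K_A and K_B are derived from fresh RAND values, a captured wrapped key cannot be replayed into a later session, and a device that does not hold the matching SSD cannot recover K_AB from either message. Naming the peer inside the wrapped payload is what tells A that K_AB is shared with B and not with whoever else the server is talking to.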
20090292915 | NETWORK SYSTEM AND DEVICE SETTING METHOD OF NETWORK SYSTEM - Disclosed is a network system including: a provisioning server to provide setting information to a device newly connected to a network; and a mediating device to mediate information transmission between the device newly connected to the network and other device, wherein the mediating device includes: a communication function to communicate with the device newly connected to the network; an access control function to restrict access to the other device to a certain amount or less; and a data transfer function to transfer data, and when there is a transfer request of the setting information from the device newly connected to the network, the mediating device sends the transfer request to the provisioning server by restricted access based on the access control function, and when the setting information is sent from the provisioning server, the mediating device transfers the setting information to the device newly connected to the network. | 11-26-2009 |
20090300347 | SET MEMBERSHIP PROOFS IN DATA PROCESSING SYSTEMS - A method and apparatus for proving and a method and apparatus for verifying that a secret value is a member of a predetermined set of values. The proving mechanism receives a set of signatures which has respective values in the predetermined set signed using a private key. The proving mechanism sends to the verifying mechanism a commitment on the secret value of the proving mechanism. The proving mechanism and verifying mechanism then communicate to implement a proof of knowledge protocol demonstrating knowledge by the proving mechanism of a signature on the secret value committed to in the commitment, thus proving that the secret value is a member of the predetermined set. | 12-03-2009 |
20090313466 | Managing User Access in a Communications Network - A method of operating a node for performing handover between access networks wherein a user has authenticated for network access in a first access network. The method comprises receiving from a home network a first session key and a temporary identifier allocated to the user for the duration of a communication session. The identifier is mapped to the first session key, and the mapped identifier and key are stored at the node. A second session key is derived from the first session key and the second session key is sent to an access network, and the identifier sent to a user terminal. When the user subsequently moves to a second access network, the node receives the identifier from the user terminal. The node then retrieves the first session key mapped to the received identifier, derives a third session key and sends the third session key to the second access network. | 12-17-2009 |
20090313467 | FEDERATED IDENTITY BROKERING - A method, system and apparatus for federated identity brokering. In accordance with the present invention, a credential processing gateway can be disposed between one or more logical services and one or more service requesting clients in a computer communications network. Acting as a proxy and a trusted authority to the logical services, the credential processing gateway can map the credentials of the service requesting clients to the certification requirements of the logical services. In this way, the credential processing gateway can act as a federated identity broker in providing identity certification services for a multitude of different service requesting clients without requiring the logical services to include a pre-configuration for specifically processing the credentials of particular service requesting clients. | 12-17-2009 |
20090319776 | TECHNIQUES FOR SECURE NETWORK COMMUNICATION - Techniques for secure network communication are provided. Credentials for a user along with a transparently generated secret are sent to a resource that the user desires to establish a secure communication session with. After successful authentication of the user, an initial sequence number for a first transaction of the session is set on a client of the user. Thereafter, with each transaction of the session the client supplies a new and unique sequence number to a server of the resource and uses the secret to encode and validate that transaction. The server of the resource does not permit any transaction that includes an invalid or previously used sequence number. | 12-24-2009 |
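One way to implement the per-transaction sequence numbers described above, as an added example rather than the patent's code: the client registers a transparently generated secret at login, the server fixes the initial sequence number, and every later transaction carries a new sequence number authenticated together with the request body. The server rejects a bad tag and any sequence number that is not strictly greater than the last one it accepted. The names, the stand-in credential check and the strictly-increasing rule are assumptions of the example.

```python
"""Per-transaction sequence numbers bound to a session secret.

Added example following 20090319776 (not the patent's code). Names, the
constructed credential store and the strictly increasing rule are
assumptions of this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed credential store standing in for real user authentication.
USERS = {"alice": "correct horse battery staple"}


def mac(secret: bytes, seq: int, body: bytes) -> bytes:
    """Tag covers the sequence number and the body so neither can be swapped."""
    return hmac.new(secret, seq.to_bytes(8, "big") + b"|" + body, hashlib.sha256).digest()


@dataclass
class Session:
    secret: bytes
    last_seq: int


class Server:
    def __init__(self):
        self.sessions = {}

    def login(self, user: str, password: str, secret: bytes):
        """Authenticate, store the client's secret, choose the initial sequence number."""
        if USERS.get(user) != password:
            raise PermissionError("authentication failed")
        sid = secrets.token_hex(8)
        initial = secrets.randbelow(2**32)
        self.sessions[sid] = Session(secret, initial)
        return sid, initial

    def handle(self, sid: str, seq: int, body: bytes, tag: bytes) -> str:
        s = self.sessions.get(sid)
        if s is None:
            return "rejected: unknown session"
        # Verify the tag first so an attacker without the secret learns
        # nothing about the server's sequence state.
        if not hmac.compare_digest(tag, mac(s.secret, seq, body)):
            return "rejected: bad tag"
        if seq <= s.last_seq:
            return "rejected: sequence number reused or stale"
        s.last_seq = seq  # advance only after both checks pass
        return "ok: " + body.decode()


class Client:
    def __init__(self, server: Server, user: str, password: str):
        self.server = server
        self.secret = secrets.token_bytes(32)  # generated without user involvement
        # In a deployment the login message travels over TLS; the secret is
        # only useful to a party that cannot read it in transit.
        self.sid, self.seq = server.login(user, password, self.secret)

    def send(self, body: bytes):
        self.seq += 1
        txn = (self.sid, self.seq, body, mac(self.secret, self.seq, body))
        return self.server.handle(*txn), txn


def run_demo() -> list:
    """Legitimate traffic, then a replay, a forgery and an out-of-order resend."""
    server = Server()
    client = Client(server, "alice", USERS["alice"])
    results = []
    r1, txn1 = client.send(b"GET /balance")
    results.append(r1)
    results.append(server.handle(*txn1))  # exact replay of txn1
    sid, seq, _, tag = txn1
    results.append(server.handle(sid, seq + 1, b"POST /transfer", tag))  # new seq, old tag
    r2, _ = client.send(b"POST /transfer")
    results.append(r2)
    results.append(server.handle(*txn1))  # old capture arriving after newer traffic
    return results
```

Checking the tag before the sequence number means a forger cannot probe which numbers the server still accepts. The strictly-increasing rule also rejects legitimate requests that arrive out of order over concurrent connections; a bounded window of already-seen numbers, as used in IPsec anti-replay, admits those without readmitting a replay.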
20090319777 | DISTRIBUTED SUBSCRIBER MANAGEMENT SYSTEM - A distributed subscriber management system and method that controls access to a network preventing unauthorized traffic through the access network and providing centralized access control between user networks are disclosed. The controlled access is provided through the use of one of several technologies including user authentication, using PAP, CHAP, RADIUS, TACACS+. The method includes the steps of receiving a connection request from a user located on one of the User Networks; interrogating the user for userid and password information; encrypting the userid and password information; transmitting the encrypted information, via the access network, to an authentication server attached to one of a plurality of external networks; decrypting the information at the authentication server; and transmitting an authentication message from the authentication server of the external network to the access control node via the access network. Additionally, the method includes the step of challenging all data leaving the access control node. | 12-24-2009 |
20090319778 | User authentication system and method without password - A Verified unit (VU) communicates with an Authenticating Unit (AU). The VU only provides the AU with the user's public key via RSA technology known in the art. The AU sends a character string to the VU requiring the VU to generate a digital signature which is sent to an Authority server (AS) to authenticate the digital signature information provided to the AU by the VU. If the AS authenticates the information it informs the AU and the AU will provide the VU's requested data to the VU. | 12-24-2009 |
20090327700 | METHOD AND SYSTEM FOR VIRTUALIZATION OF TRUSTED PLATFORM MODULES - A method, an apparatus, a system, and a computer program product are presented for virtualizing trusted platform modules within a data processing system. A virtual trusted platform module along with a virtual endorsement key is created within a physical trusted platform module within the data processing system using a platform signing key of the physical trusted platform module, thereby providing a transitive trust relationship between the virtual trusted platform module and the core root of trust for the trusted platform. The virtual trusted platform module can be uniquely associated with a partition in a partitionable runtime environment within the data processing system. | 12-31-2009 |
20090327701 | ID Card Encryption - An ID card is authenticated. Encrypted data is read from a first security feature on the ID card. A value is computed based on the encrypted data. Unencrypted data is read from a second security feature on the ID card. The value and the unencrypted data is transmitted to an authentication center. An authentication message is received from the authentication center. | 12-31-2009 |
20090327702 | Key Escrow Service - A key escrow service is described. In embodiment(s), the key escrow service maintains an escrow license that includes an escrow content key that is associated with protected media content which is distributed from a content distributor to a media device. A content key that is associated with the protected media content can be received from the content distributor, and the content key can then be encrypted with a public escrow key to generate the escrow content key. The escrow license can be generated to include the escrow content key, and the escrow content key can then be communicated back to the content distributor that provides a digital rights management (DRM) license to the media device. The DRM license can include both the escrow content key and the content key encrypted with a public key that corresponds to the media device. | 12-31-2009 |
20100005289 | Methods and apparatus for protecting digital content - A processing system to serve as a source device for protected digital content comprises a processor and control logic. When used by the processor, the control logic causes the processing system to generate cipher data, based at least in part on (a) a session key and (b) at least one constant value obtained from a certificate authority. The processing system may use the cipher data to encrypt data, and the processing system may transmit the encrypted data to a receiving device via a wireless connection. Other embodiments are described and claimed. | 01-07-2010 |
20100005290 | METHOD OF IDENTITY PROTECTION, CORRESPONDING DEVICES AND COMPUTER SOFTWARES - A method is provided for authenticating a client terminal with an authentication server. The client terminal holds an authentication certificate. The method includes the following phases: obtaining at least one encryption parameter by the client terminal; encrypting the authentication certificate by the client terminal, based on the at least one encryption parameter, delivering an encrypted authentication certificate; transmitting the encrypted authentication certificate to the server; obtaining the at least one encryption parameter by the server; decrypting the encrypted authentication certificate, based on the at least one encryption parameter, authenticating and delivering an authentication assertion if the authentication is positive. | 01-07-2010 |
20100011207 | Service Oriented Architecture Device - A system for Service Oriented Architecture (SOA) communication includes a plurality of SOA nodes having a standardized hardware configuration, wherein the standardized hardware configuration includes an operating engine, an encryption module accessed by the operating engine, which provides security for message traffic, a compression module to compress and decompress the message traffic, a routing module accessed by the operating engine, to determine the routing of message types, incoming traffic routed to appropriate service clients, outbound traffic routed to appropriate SOA devices, a security module that authenticates and authorizes message traffic, and one or more network interfaces, and one or more networks over which the SOA nodes communicate with one another. | 01-14-2010 |
20100017596 | System and method for managing authentication cookie encryption keys - There is provided a system and method for managing authentication cookie encryption keys. The system comprises a computing device including a memory with authentication data having a key identifier and encrypted data with a session identifier. The key identifier references a key having a validity period, the key capable of decrypting the authentication data. A processor of the computing device can respond to user requests for information by retrieving the authentication data and transmitting it to a server. The server can then authenticate the user by verifying the encrypted session identifier using the referenced key. There is also provided a method by which a key server can manage encryption keys. The key server receives an encryption key having a validity period, receives a validity request, confirms or rejects the validity of the encryption key, and automatically invalidates the encryption key upon expiration of the validity period. | 01-21-2010 |
20100031021 | METHOD FOR IMPROVED KEY MANAGEMENT FOR ATMS AND OTHER REMOTE DEVICES - A method, article, and system for providing an effective implementation of a data structure comprising instructions that are cryptographically protected against alteration or misuse, wherein the instructions further comprise a trusted block that defines specific key management policies that are permitted when an application program employs the trusted block in application programming interface (API) functions to generate or export symmetric cryptographic keys. The trusted block has a number of fields containing rules that provide an ability to limit how the trusted block is used, thereby reducing the risk of the trusted block being employed in unintended ways or with unintended keys. | 02-04-2010 |
20100031022 | SYSTEM AND METHOD FOR VERIFYING NETWORKED SITES - A system and method for indicating to a user that a networked site is authentic includes a verification application configured to send a request to verify the authenticity of the networked site together with identity information about the site to a verification server. The verification application has access to encrypted user-customized information that was previously selected by a user and is encrypted and stored locally on the end-user device. The verification server verifies whether the networked site is authentic and is further configured to enable decryption of the encrypted user-customized information when a networked site is verified as authentic, so that the user-customized information can be presented to the user. | 02-04-2010 |
20100031023 | METHOD AND SYSTEM FOR PROVIDING CENTRALIZED DATA FIELD ENCRYPTION, AND DISTRIBUTED STORAGE AND RETRIEVAL - An approach is provided for securely storing sensitive data values. A primary facility is provided that directly or indirectly receives requests from a requestor to store an actual data value. The primary facility obtains a replacement value associated with the actual value and encrypts the actual value, and the replacement value is transmitted to the requestor. The replacement and encrypted values are stored in a master copy database at the primary facility, and copies thereof are stored in distributed secondary databases. When the requestor needs an actual data value, the requestor transmits the replacement value either to the primary facility for retrieval of data from the master database, or to the secondary facility for retrieval from the respective secondary database. The chosen facility retrieves the encrypted value from its respective database using the replacement value, decrypts the encrypted value, and transmits the actual value back to the requestor. | 02-04-2010 |
20100037046 | Credential Management System and Method - A centralized credential management system. Website credentials are stored at a vault. The website credentials are encrypted based upon a key not available to the vault and are for authenticating a user to a third party website. Through a client, a user authenticates to the vault and retrieves the encrypted website credentials and parameters and code for properly injecting the credentials into a website authentication form. The website credentials are decrypted at the client and injected into the authentication form using the parameters and code. | 02-11-2010 |
20100058053 | SYSTEM, METHOD AND SECURITY DEVICE FOR AUTHORIZING USE OF A SOFTWARE TOOL - The described embodiments relate generally to methods, systems and security devices for authorizing use of a software tool. Certain embodiments of the invention relate to a security device. The security device comprises at least one communication subsystem for enabling communication between the security device and a first external device, wherein the first external device has a software tool executable on the first external device. The security device further comprises a memory and processor coupled to the at least one communication subsystem and configured to control the at least one communication subsystem. The memory is accessible to the processor and stores a key for authorizing use of the software tool. The memory further stores program instructions which, when executed by the processor, cause the processor to execute a security application. | 03-04-2010 |
20100064134 | SECURE IDENTITY MANAGEMENT - The invention relates to a method for providing an identity-related information (IRI) to a requesting entity ( | 03-11-2010 |
20100070757 | SYSTEM AND METHOD TO AUTHENTICATE A USER UTILIZING A TIME-VARYING AUXILIARY CODE - A system and method to authenticate a user utilizing a time-varying auxiliary code. The code may be appended to a fixed password, but that is not required. The code is generated by a central electronic authentication system. The user retrieves it manually using a fungible communications device such as a telephone or a computer connected to the Internet. The user must learn the code because he inputs it manually, thereby authenticating himself. The present invention performs the same function as inventions with tokens, that is, it provides an extension to the PIN or password, but it eliminates the token and the synchronization required with such a token. | 03-18-2010 |
20100070758 | Group Formation Using Anonymous Broadcast Information - A number of devices co-located at a geographic location can broadcast and receive tokens. Tokens can be exchanged using a communication link having limited communication range. Tokens that are received by a device can be stored locally on the device and/or transmitted to a trusted service operating remotely on a network. In some implementations, the tokens can be stored with corresponding timestamps to assist a trusted service in matching or otherwise correlating the tokens with other tokens provided by other devices. The trusted service can perform an analysis on the tokens and timestamps to identify devices that were co-located at the geographic location at or around a contact time which can be defined by the timestamps. A group can be created based on results of the analysis. Users can be identified as members of the group and invited to join the group. | 03-18-2010 |
20100070759 | METHOD AND SYSTEM FOR AUTHENTICATING A USER BY MEANS OF A MOBILE DEVICE - The invention relates to a method for authenticating a user of a mobile device ( | 03-18-2010 |
20100082972 | Method to allow targeted advertising on mobile phones while maintaining subscriber privacy - An apparatus in one example has: a trusted advertising server operatively coupled to at least one terminal of a subscriber; and a trusted database having respectively at least one profile for the at least one terminal; wherein the trusted advertising server effects sending of one or more advertisements to the terminal based on the profile of the terminal without revealing an identity of the subscriber. The trusted advertising server has a trusted role and an advertising role. The trusted role is to securely maintain the at least one profile, and the advertising role is to receive target demographics for a particular advertiser or advertising broker, to match advertisements to the at least one terminal based on the respective profile in the trusted database, and to deliver the selected advertisements to the at least one terminal based on the respective profile in the trusted database. | 04-01-2010 |
20100082973 | Direct anonymous attestation scheme with outsourcing capability - A Direct Anonymous Attestation (DAA) scheme using elliptic curve cryptography (ECC) and bilinear maps. A trusted platform module (TPM) may maintain privacy of a portion of a private membership key from an issuer while joining a group. Moreover, the TPM can outsource most of the computation involved in generating a signature to a host computer. | 04-01-2010 |
20100088506 | METHOD AND SYSTEM FOR PROVIDING A REL TOKEN - The embodiments relate to a method for providing at least one REL (Rights Expression Language) token, the REL-token or tokens being provided in a message by a MIME (Multipurpose Internet Mail Extension) protocol. | 04-08-2010 |
20100095113 | Secure Content Distribution System - In accordance with one aspect of the invention, a system is provided that includes a database configured to store data according to a first encryption protocol such as an FDE HDD protocol. The data provided to the database is encrypted according to a second encryption protocol such as an AES protocol. A user selects a desired video through a server coupled to the database. Upon payment and selection by the user, a manager provides a first key to the database so that the first encryption may be stripped from the selected video. The server couples to a remote content key server to obtain a second key to remove the second type of encryption. The resulting decrypted digitized video may then be burned to a DVD disc for distribution to the user. | 04-15-2010 |
20100100724 | SYSTEM AND METHOD FOR INCREASING THE SECURITY OF ENCRYPTED SECRETS AND AUTHENTICATION - In general, in one aspect, the invention relates to a method for accessing encrypted data by a client. The method includes receiving from the client by a server client information derived from a first secret, wherein the client information is derived such that the server cannot feasibly determine the first secret. The method also includes providing to the client by the server intermediate data, which is derived responsive to the received client information, a server secret, and possibly other information. The intermediate data is derived such that the client cannot feasibly determine the server secret. The method also includes authenticating the client by a device that stores encrypted secrets and is configured not to provide the encrypted secrets without authentication. After the authenticating step, the method also includes providing the encrypted secrets to the client. The encrypted secrets | 04-22-2010 |
20100100725 | PROVIDING REMOTE USER AUTHENTICATION - Providing a remote computer user authentication service involves providing a reference to a user authentication service in a host server's source code (e.g., website source code). Further, integration code that may be used in an application programming interface (API) on the host server for interaction with a user authentication service can be provided. Additionally, a user interface (UI) for user authentication on the host server, and an authentication-test message on the host server using the UI may be provided. Also, providing authentication can comprise sending an authentication-request message to a mobile device designated by the user; and/or can comprise the user responding with information from the authentication-test message. The host server can be notified of the user's authentication after a correct response is received by the user authentication service. | 04-22-2010 |
20100100726 | System and method for unlocking content associated with media - There is presented a system and method for unlocking a content associated with media. In one aspect, the method comprises identifying the media, generating an authentication key using at least one key data from a set of key data contained in the media, determining an address in the media of at least one content unit corresponding respectively to each of the at least one key data used to generate the authentication key; requesting the at least one content unit by providing the address; receiving user data in response to the requesting; comparing the user data with the at least one key data used to generate the authentication key; and unlocking the content associated with the media if the user data matches the authentication key. | 04-22-2010 |
20100100727 | ENCRYPTION AND AUTHENTICATION SYSTEMS AND METHODS - Methods, apparatus, and systems are disclosed for, among other things, passphrase input using secure delay, passphrase input with characteristic shape display, user authentication with non-repeated selection of elements with a displayed set of elements, document authentication with embedding of a digital signature stamp within a graphical representation of the electronic document wherein the stamp comprises digits of a digital signature, and sub-hash computation using secure delay. | 04-22-2010 |
20100106963 | System and method for secure remote computer task automation - A system includes a third party authority in communication with a client computer and a target computer. The third party authority is configured to receive a request including authentication information and an access request from the client computer. The third party authority is configured to authenticate the client computer based on the authentication information and to process the access request to grant the client computer access to the target computer to perform a task on the target computer, the access request including the task. The third party authority is further configured to send an access token to the client computer to access the target computer to perform the task, to receive the access token from the target computer for validation, to validate the received access token based on the request for the target computer to process the task, and to grant the target computer permission to process the task upon validation. | 04-29-2010 |
20100106964 | AUTHENTICATION TERMINAL, AUTHENTICATION SERVER, AND AUTHENTICATION SYSTEM - In registration, a feature array x[i] obtained by the client is basis-transformed into an array X[i], then transformed with a transformation filter array K[i] into a template array T[i] to be registered in the client. In authentication, the feature array y[i] is basis-transformed into an array Y[i] after inverse sorting and applied to the filter K by the computation V[i]=Y[i]K[i]. The server obtains the array e[i]=Enc (T[i]), and the client obtains e′[i]=Enc (Σ | 04-29-2010 |
20100115265 | System And Method For Enhanced Network Entrance Into A Wireless Network - In one embodiment, a method for wireless communication includes providing, at a base station, access to a network to a preferred endpoint. The method includes sending, at the base station, at least one cryptographic parameter to the preferred endpoint. In addition, the method includes receiving, at the base station, a plurality of ranging codes from the preferred endpoint. The plurality of ranging codes are received after the base station has ceased providing the preferred endpoint access to the network. Also, the method includes determining, at the base station, that the plurality of received ranging codes correspond to a plurality of ranging codes of a predetermined set of ranging codes. The predetermined set of ranging codes is determined utilizing the at least one cryptographic parameter. Further, the method includes providing, at the base station, an entrance to the network to the preferred endpoint in response to determining that the plurality of received ranging codes correspond to the plurality of ranging codes of the predetermined set of ranging codes. | 05-06-2010 |
20100125731 | METHOD FOR SECURELY MERGING MULTIPLE NODES HAVING TRUSTED PLATFORM MODULES - Method, apparatus and computer program product are provided for operating a plurality of computer nodes while maintaining trust. A primary computer node and at least one secondary computer node are connected into a cluster, wherein each of the clustered computer nodes includes a trusted platform module (TPM) that is accessible to software and includes security status information about the respective computer node. Each clustered computer node is then merged into a single node with only the TPM of the primary computer node being accessible to software. The TPM of the primary computer node is updated to include the security status information of each TPM in the cluster. Preferably, the step of merging is controlled by power on self test (POST) basic input output system (BIOS) code associated with a boot processor in the primary node. | 05-20-2010 |
20100131755 | DISTRIBUTED SINGLE SIGN ON TECHNOLOGIES INCLUDING PRIVACY PROTECTION AND PROACTIVE UPDATING - Technologies for distributed single sign-on operable to provide user access to a plurality of services via authentication to a single entity. The distributed single sign-on technologies provide a set of authentication servers and methods for privacy protection based on splitting secret keys and user profiles into secure shares and periodically updating shares among the authentication servers without affecting the underlying secrets. The correctness of the received partial token or partial profiles can be verified with non-interactive zero-knowledge proofs. | 05-27-2010 |
20100131756 | USERNAME BASED AUTHENTICATION AND KEY GENERATION - An apparatus and a method for an authentication protocol. A client generates a server unique identifier of a server prior to communicating with the server. An encrypted password generator module of the client calculates an encrypted password based on the server unique identifier, a username, and an unencrypted password. A communication request generator module of the client generates and sends a communication request to the server. The communication request includes a username, a client random string, a client timestamp, and a client MAC value. The client MAC value is computed over the username, the client random string, and the client timestamp, using the encrypted password as an encryption key. | 05-27-2010 |
20100138651 | APPARATUS AND METHOD FOR SELECTING IP SERVICES - An apparatus and method for determining an authorized IP service for an access terminal during an establishment of a PPP connection. In an aspect of the disclosure, a data link is established with the access terminal, and a request to authenticate the access terminal is provided to an authentication/authorization server. During authentication, an IP Service Authorized Parameter is provided by the authentication/authorization server, the IP Service Authorized Parameter for indicating the authorized IP service for the access terminal. Thereby, a network layer protocol and a mobility protocol are each configured according to the authorized IP service that corresponds to the IP Service Authorized Parameter. | 06-03-2010 |
20100146261 | CONTROLLED ACTIVATION OF FUNCTION - A method of and system ( | 06-10-2010 |
20100146262 | Method, device and system for negotiating authentication mode - The present disclosure discloses a method, device and system for negotiating authentication mode. A first negotiation request carrying an authentication mode supported by a terminal is sent to an authentication server, so that the authentication server determines and sends an authentication mode supported by both the authentication server and the terminal, where the authentication mode is determined according to an authentication mode supported by the authentication server and the authentication mode supported by the terminal in the first negotiation request. The authentication mode supported by both the authentication server and the terminal is received by the terminal from the authentication server. Therefore, according to the disclosure, a common authentication mode supported by both the authentication server and the terminal is negotiated before the authentication is performed. | 06-10-2010 |
20100146263 | METHOD AND SYSTEM FOR SECURE AUTHENTICATION - The invention relates to a method of authentication for a provider comprising requesting a verification system for authentication of a transaction initiated by a user by transmitting to the verification system details of the transaction initiated; requesting the user to authenticate the transaction on a mobile device by transmitting to the user mobile device details of the transaction; validating the authentication request received from the verification system on the mobile device and prompting the user to enter a personal identification number, displaying to the user transaction details on receiving a valid personal identification number and requesting user to authenticate transaction; generating on receiving user authentication an authentication parameter for transmission to the verification system; and authenticating the transaction to the provider on receiving a valid authentication parameter from user mobile device. | 06-10-2010 |
20100153707 | Systems and Methods for Real-Time Verification of A Personal Identification Number - The present invention is directed to improved methods and systems for verifying a person's personal identification data. In one embodiment, the system includes programmatic modules stored on computer readable media. The programmatic modules receive login credentials from a computing device and verify credentials, generate and communicate a request form for accessing personal identification data associated with a person, receive input data from a computing device in response to a request form, test input data in relation to a minimum required data set for requesting personal identification data, format input data into an electronic request in accordance with a predefined format, store, search, and identify a consent form, which establishes a valid consent by a person to access personal identification data, associate the electronic request for a person's personal identification data with a consent form, and transmit the electronic request in accordance with a predefined format to another computing device. | 06-17-2010 |
20100153708 | Server Assisted Portable Device - A method for allowing or disallowing host access to data stored in a portable device is discussed. The method uses a password and network server. Access to the data is allowed if the password is correct and messages received from the server are positive. If the portable device receives a negative message from the server, then access is disallowed, even if the password is correct. In another embodiment of the invention, a password is provided to the portable device; the password is encrypted in the portable device, and sent to the network server. Upon requests for data from the host computer, the portable device encrypts the data and sends the encrypted data to the host computer. A network server receives an encryption of the password from the portable device, and if the password is correct, then the network server sends the decryption key for the data to the host computer. | 06-17-2010 |
20100153709 | Trust Establishment From Forward Link Only To Non-Forward Link Only Devices - In the present system three methods are provided for establishing trust between an accessory device and a host device, without placing trust in the device/host owner, so that content protection for subscriber-based mobile broadcast services is provided. That is, a secure link may be established between the accessory device and the host device so that when the accessory device receives encrypted content via a forward link only network, the accessory device may decrypt the content at the forward link only stack and then re-encrypt it or re-secure it using the master key or some other key derived from the master key (or the session key), and then send it to the host device, which can decrypt it and play it back. | 06-17-2010 |
20100161964 | STORAGE COMMUNITIES OF INTEREST USING CRYPTOGRAPHIC SPLITTING - Methods and systems of presenting data in a secure data storage network are disclosed. One method includes defining a plurality of communities of interest, each community of interest capable of accessing data stored in a secure data storage network and including a plurality of users desiring access to a common set of data, wherein each of the plurality of communities of interest has a set of security rights. The method also includes associating each of the plurality of communities of interest with a different workgroup key. The method further includes, upon identification of a client device as associated with a user from among the plurality of users in a community of interest, presenting a virtual disk to the client device in accordance with the security rights, the virtual disk associated with the workgroup key associated with the community of interest and a volume containing the common set of data to the community of interest, the volume including a plurality of shares stored on a plurality of physical storage devices. | 06-24-2010 |
20100161965 | Secure Credential Store - A credential store provides for secure storage of credentials. A credential stored in the credential store is encrypted with the public key of a user owning the credential. A first user may provide a credential owned by the first user to a second user. The first user may add credentials owned by the first user to the credential store. An administrator may manage users of the credential store without having the ability to provide credentials to those users. | 06-24-2010 |
20100161966 | MUTUAL AUTHENTICATION APPARATUS AND METHOD IN DOWNLOADABLE CONDITIONAL ACCESS SYSTEM - A mutual authentication method in a Downloadable Conditional Access System (DCAS) is provided. The mutual authentication method may receive authentication-related information about authentication between an authentication unit and a security module (SM) from a Trusted Authority (TA), generate an authentication session key using the authentication-related information, transmit the authentication session key by the authentication unit to the SM through a Cable Modem Termination System (CMTS), and control a Conditional Access System (CAS) software to be downloaded to the SM from the authentication unit, when the authentication is completed by the authentication session key. | 06-24-2010 |
20100161967 | Method and system for dynamically implementing an enterprise resource policy - A rules evaluation engine that controls users' security access to enterprise resources that have policies created for them. This engine allows a real-time authorization process to be performed with dynamic enrichment of the rules if necessary. Logging, alarm and administrative processes for granting or denying access to the user are also realized. The access encompasses computer and physical access to information and enterprise spaces. | 06-24-2010 |
20100169640 | Method and system for enterprise network single-sign-on by a manageability engine - A manageability engine (ME) receives an authentication response from a user during pre-boot authentication and registers the user with a key distribution center (KDC), indicating that the user has successfully authenticated to the PC. The KDC supplies the ME with single-sign-on credentials in the form of a Key Encryption Key (KEK). The KEK may later be used by the PC to obtain a credential used to establish secure access to Enterprise servers. | 07-01-2010 |
20100174900 | METHOD AND APPARATUS FOR AUTHENTICATING ONLINE TRANSACTIONS USING A BROWSER - A computer-implemented method for authenticating a user using a service provider server and an authentication server, the user communicating with at least one of the service provider server and the authentication server using a user browser. The method includes requesting, using the user browser, the authenticating with the service provider server. The method also includes authenticating, using the user browser, a secure communication channel with the authentication server. The method also includes receiving, using the user browser, a Next Pre-Authentication Anchor (NPAA) value from the authentication server. The method additionally includes temporarily storing the Next Pre-Authentication Anchor (NPAA) value in a user browser cookie associated with the user browser, wherein the Next Pre-Authentication Anchor (NPAA) value is protected by employing Same Origin Policy (SOP). | 07-08-2010 |
20100191959 | Secure microprocessor and method - A method and reconfigurable computer architecture protect binary opcode, or other data and instructions by providing an encryption capability integrated into an instruction issue unit of a protected processor. Opcodes are encrypted at their source, and encrypted opcodes from authorized users are then delivered to a CPU and decrypted “inside” the CPU. Access into the CPU is prevented. Each form of code or data selected for protection is protected from unauthorized viewing or access. Commonly, the binary executable, or object, code is selected for protection. However, protected information could also include source code or data sets or both. Encrypting opcodes will result in making unique opcodes for each processor. Encryption keys and hidden opcode algorithms provide further security. | 07-29-2010 |
20100199086 | NETWORK TRANSACTION VERIFICATION AND AUTHENTICATION - A two-level authentication system is described supporting two-factor authentication that offers efficient protection for secure on-line web transactions. It includes a globally unique identity (UID) provided either by an institution-issued or personal trusted device, or based on client computing platform hardware attributes, and generated using institution-authorized private software, institution-authorized authentication proxy software, and an institution-generated credential code which is pre-stored in the token and only accessible by the institution-authorized authentication proxy software. The institution-authorized authentication proxy software uses the user's PIN and the trusted device's UID as input and verifies the user and device identities through the institution-generated credential code which was pre-stored in the trusted device. Authentication is performed in two levels: the first authenticates the user and the trusted device locally; the second authenticates the user remotely at the institution-owned authentication server. Various embodiments add extra levels of security, including one-time-password management. | 08-05-2010 |
20100217974 | CONTENT MANAGEMENT APPARATUS WITH RIGHTS - A content management system which carries out a process for allowing content data for reproducing content to be used in a second communication terminal in place of a first communication terminal includes an authentication unit that authenticates that the second communication terminal is a takeover terminal which is a communication terminal which takes over rights to use the content from the first communication terminal and a rights information transmission unit that, in the event that it is authenticated that the second communication terminal is the takeover terminal, transmits second rights information which is necessary in order to use the content data, and which is valid only for the second communication terminal, to the second communication terminal. | 08-26-2010 |
20100223459 | KEY DISTRIBUTION - Methods and systems are provided for trusted key distribution. A key distribution or an identity service acts as an intermediary between participants to a secure network. The service provisions and manages the distribution of keys. The keys are used for encrypting communications occurring within the secure network. | 09-02-2010 |
20100228966 | CONTROL DEVICE, COMMUNICATION APPARATUS, CONTROL SYSTEM, CONTROL METHOD AND STORAGE MEDIUM - A control system which can control a function of a device depending on the result of authentication of an external device that exists outside the device and prevent others from using the device without permission is provided. The control system includes a control device ( | 09-09-2010 |
20100228967 | METHOD OF ESTABLISHING SECURITY ASSOCIATION IN INTER-RAT HANDOVER - A method of establishing a security association during handover between heterogeneous networks in a radio access system is disclosed. A method of establishing a security association before handover to a target base station in a heterogeneous radio access network comprises transmitting a request message to the serving base station, the request message requesting the serving base station to transfer authentication-related information of a mobile station to a target network authentication server; and receiving a response message from the serving base station before the handover to the target base station is performed, the response message including security-related information used in the target network. | 09-09-2010 |
20100235623 | Methods and systems for identity verification - The present invention relates to methods and systems for identity verification. The method includes transmitting from a customer system to a customer connector server an identity verification request containing identification information for an individual. At the customer connector server, at least one verification service required for the request is identified and a data manager server is selected for each service. A verification service request is transmitted to each data manager server. At each data manager server, at least one data access service is identified and one data connector server is selected for each service. A data access service request is transmitted to each data connector server. At least one data source is accessed from each data connector server for each request. The identification information provided is then verified against identity information stored within the at least one data source, and a response is generated and communicated to the customer system. | 09-16-2010 |
20100235624 | METHOD AND APPARATUS FOR PROTECTING THE TRANSFER OF DATA - According to one embodiment, a conditional access (CA) control system comprises circuitry that is adapted to: (i) transmit information including a unique identifier assigned to a digital device and mating key generator values to the remote source, (ii) receive a mating key from the remote source, the mating key being based on the transmitted unique identifier and mating key generator values, the mating key being used to encrypt data used for scrambling either additional key information or program data prior to transmission to the digital device, and (iii) transmit the mating key generator values and the encrypted data to the digital device, the mating key generator values are used to regenerate the mating key in the digital device. | 09-16-2010 |
20100241850 | HANDHELD MULTIPLE ROLE ELECTRONIC AUTHENTICATOR AND ITS SERVICE SYSTEM - The present invention provides a handheld electronic authenticator and its service system that provide multiple dynamic authentication codes for authenticating with multiple service providers. The authenticator provides multiple dynamic authentication codes (e.g., including electronic signatures) for the multiple service providers, using an algorithm, secret key and dynamic variables chosen and maintained by the service provider. | 09-23-2010 |
20100250921 | Authorizing a Login Request of a Remote Device - Exemplary systems and methods for managed authorization of a login request of a remote device are provided. A user of the remote device may be authorized to login by an authentication server before attempting to login. Upon receipt of a login request from the remote device, an authorization process is performed. Subsequently, a concatenation of data from the login request and a server response based on the determination of whether the remote device is authorized to login is generated. The server response may comprise instructions to authorize the login request, instructions to deny the login request, or instructions to destroy data stored by the remote device. Furthermore, the authentication server or the remote device may log the server response. | 09-30-2010 |
20100268939 | METHOD AND APPARATUS FOR AUTHENTICATION OF A REMOTE SESSION - Examples of systems and methods are provided for facilitating establishing a remote session between a host device and a remote server. The system may facilitate establishing a trusted relationship between a client device and the host device. The system may provide remote session login information to the host device to enable the host device to establish a first remote session with the remote server. The system may launch a second remote session with the remote server using the login information. | 10-21-2010 |
20100268940 | METHOD AND APPARATUS FOR PORTABILITY OF A REMOTE SESSION - Examples of systems and methods are provided for facilitating establishing a remote session between a host device and a remote server. The system may facilitate establishing a first remote session between a client device and the remote server. The system may facilitate establishing a trusted relationship between the client device and the host device. The system may provide remote session login information from the client device to the host device to enable the host device to establish a second remote session with the remote server. The system may facilitate termination of the first remote session at the client device after the login information is provided to the host device. | 10-21-2010 |
20100268941 | REMOTE-SESSION-TO-GO METHOD AND APPARATUS - Examples of systems and methods are provided for communication and for facilitating establishing a remote session between a client device and a remote server. The system may facilitate establishing a trusted relationship between the client device and a host device. The system may be configured to receive login information from the host device for a first remote session established between the host device and the remote server. The system may facilitate continuing the first remote session previously established between the host device and the remote server as a continued remote session between the client device and the remote server. | 10-21-2010 |
20100275009 | METHOD FOR THE UNIQUE AUTHENTICATION OF A USER BY SERVICE PROVIDERS - The invention relates to a method for unique authentication of a user (U) by at least one service provider (SP), said method including a preliminary identity federation stage of federating an identity (user@sp) of said user for said service provider and an identity (user@idp) of the user (U) for an identity provider (IdP). According to the invention, said preliminary identity federation stage includes the steps of: the user (U) generating a user alias ([alias]) for that service provider (SP) and sending said identity provider (IdP) a masked alias ([alias] | 10-28-2010 |
20100275010 | Method of Authentication of Users in Data Processing Systems - A method of authentication of users in a data processing system is provided. The method includes generating a "Challenge" uniquely associated with a user to be authenticated; processing the "Challenge" to generate an expected answer code, to be compared with an answer code that the user has to provide for authentication; encoding the generated "Challenge" to obtain an image displayable through a display device; sending the image containing the "Challenge" to the user; displaying the image containing the "Challenge"; through a user device provided with an image-capturing device, optically capturing the displayed image; through the user device, processing the captured image to extract the "Challenge" from it, and subsequently processing the obtained "Challenge" to generate the answer code; receiving the answer code from the user and comparing it to the expected answer code; and, in case of a positive comparison, authenticating the user. At least one of the action of generating the "Challenge" and expected answer code and the action of processing the captured image to generate the answer code exploits secret information uniquely associated with the user. | 10-28-2010 |
20100275011 | METHOD AND APPARATUS FOR SECURE COMMUNICATIONS - The present invention provides a method and apparatus for a trusted service provider (TSP) which assists with the secure exchange of data across the public switched telephone network. Communications are routed via a TSP, which uses cryptographic techniques to conceal the identities (e.g., telephone numbers) of the call initiator and call recipient, thereby preventing traffic analysis attacks. The TSP also performs cryptographic handshakes with the call initiator and call recipient to authenticate callers. The TSP further provides cryptographic keying material which communicants may use to help protect communications and to directly authenticate and identify each other. Although the TSP is trusted to negotiate the connection and is involved in the process, the communicants can perform their own key agreement and authentication for protecting data routed via the TSP. | 10-28-2010 |
20100281252 | ALTERNATE AUTHENTICATION - A user may utilize an existing digital identity to authorize the user's access to security-enabled device operations, where the security-enabled device comprises a cryptographic chip. The device can receive a user authentication token from the digital user identification service, which authenticates a user's identity. Further, the security-enabled device can validate the user authentication token, and provide the user access to device security operations on the security-enabled device if the user authentication token is successfully validated, allowing the user to reset their security access information for the device. | 11-04-2010 |
20100293370 | AUTHENTICATION ACCESS METHOD AND AUTHENTICATION ACCESS SYSTEM FOR WIRELESS MULTI-HOP NETWORK - An authentication access method and authentication access system for a wireless multi-hop network. The terminal equipment and the coordinator both support port control. The coordinator broadcasts a beacon frame, and the terminal equipment selects an authentication and key management suite and transmits a connection request command to the coordinator. The coordinator performs authentication with the terminal equipment according to the authentication and key management suite selected by the terminal equipment and, once authenticated, transmits a connection response command to the terminal equipment. The terminal equipment and the coordinator then control their ports according to the authentication result, so that authenticated access to the wireless multi-hop network is realized. The invention addresses the security problems of existing wireless multi-hop network authentication methods. | 11-18-2010 |
20100299519 | METHOD FOR MANAGING WIRELESS MULTI-HOP NETWORK KEY - A method for managing wireless multi-hop network keys is applicable to a security application protocol when the WAPI framework method (TePA, an access control method based on ternary peer-to-peer identification) is applied in a concrete network containing a Wireless Local Area Network, a Wireless Metropolitan Area Network and a Wireless Personal Area Network. The key management method of the present invention includes the steps of key generation, key distribution, key storage, key modification and key revocation. The present invention solves the technical problems that the prior pre-shared-key based key management method is not suitable for larger networks and the PKI-based key management method is not suitable for wireless multi-hop networks; the public-key system and the ternary structure are adopted, thereby improving both the security and the performance of wireless multi-hop networks. | 11-25-2010 |
20100306530 | WORKGROUP KEY WRAPPING FOR COMMUNITY OF INTEREST MEMBERSHIP AUTHENTICATION - Methods and systems for managing a community of interest are disclosed. One method includes creating a workgroup key associated with a community of interest, and protecting one or more resources associated with the community of interest using the workgroup key. The method also includes encrypting the workgroup key using a public key associated with an administrator of the community of interest, the public key included with a private key in a public/private key pair associated with the administrator. The method further includes storing the encrypted workgroup key and associating the workgroup key with a user, thereby adding the user to the community of interest. | 12-02-2010 |
20100313013 | SYSTEMS AND METHODS FOR SECURE TRANSACTION MANAGEMENT AND ELECTRONIC RIGHTS PROTECTION - The present invention provides systems and methods for secure transaction management and electronic rights protection. Electronic appliances such as computers equipped in accordance with the present invention help to ensure that information is accessed and used only in authorized ways, and maintain the integrity, availability, and/or confidentiality of the information. Such electronic appliances provide a distributed virtual distribution environment (VDE) that may enforce a secure chain of handling and control, for example, to control and/or meter or otherwise monitor use of electronically stored or disseminated information. Such a virtual distribution environment may be used to protect rights of various participants in electronic commerce and other electronic or electronic-facilitated transactions. Distributed and other operating systems, environments and architectures, such as, for example, those using tamper-resistant hardware-based processors, may establish security at each node. These techniques may be used to support an all-electronic information distribution, for example, utilizing the “electronic highway.” | 12-09-2010 |
20100318786 | Trusted Hardware Component for Distributed Systems - Techniques for utilizing trusted hardware components for mitigating the effects of equivocation amongst participant computing devices of a distributed system are described herein. For instance, a distributed system employing a byzantine-fault-resilient protocol—that is, a protocol intended to mitigate (e.g., tolerate, detect, isolate, etc.) the effects of byzantine faults—may employ the techniques. To do so, the techniques may utilize a trusted hardware component comprising a non-decreasing counter and a key. This hardware component may be “trusted” in that the respective participant computing device cannot modify or observe the contents of the component in any manner other than according to the prescribed procedures, as described herein. Furthermore, the trusted hardware component may couple to the participant computing device in any suitable manner, such as via a universal serial bus (USB) connection or the like. | 12-16-2010 |
20100325424 | System and Method for Secured Communications - A system for secured communications includes a control center, a network transceiver, an authentication server communicatively coupled between the control center and the network transceiver, and an extended trust device communicatively coupled between the authentication server and a client, the extended trust device being configured to send a device identifier to the authentication server via the network transceiver, the device identifier being based on a combination of a user-configurable parameter and a non-user-configurable parameter of the extended trust device, wherein the authentication server is configured to determine the access privilege of a client to the control center by authenticating the device identifier received from the extended trust device. | 12-23-2010 |
20100325425 | METHOD FOR AUTOMATIC WLAN CONNECTION BETWEEN DIGITAL DEVICES AND DIGITAL DEVICE THEREFOR - A method and apparatus for performing an automatic wireless connection with a second digital device by a first digital device is provided. The method includes acquiring, by the first digital device, random information used for the wireless connection; checking a status of a Wireless Local Area Network (WLAN); storing the checked status; setting the WLAN to Ad-hoc mode; setting a Service Set Identifier (SSID) of the WLAN using the random information; setting a security key of the WLAN using the random information; and setting an Internet Protocol (IP) address of the WLAN using the random information. | 12-23-2010 |
20100332823 | MULTI-FUNCTIONAL PERIPHERAL, AUTHENTICATION SERVER AND SYSTEM - In a multi-functional peripheral capable of performing user authentication processing in cooperation with an authentication server and processing in cooperation with an external application, a user is able to easily access a screen of a previously used function immediately after logging in without necessity of switching a screen of the function of the multi-functional peripheral itself and a screen of the external application function. | 12-30-2010 |
20110010538 | METHOD AND SYSTEM FOR PROVIDING AN ACCESS SPECIFIC KEY - An access-specific key is provided for securing a data transfer between a mobile terminal and a node of an access network. For authentication of the mobile terminal, an authentication server generates a session key, from which a basic key is derived and transferred to an interworking proxy server. The interworking proxy server derives the access-specific key from the transferred basic key and provides the key to the node of the access network. | 01-13-2011 |
20110010539 | Methods And Apparatus For Maintaining Secure Connections In A Wireless Communication Network - In one illustrative example, a method in a mobile communication device operating in a wireless local area network (WLAN) involves performing, via a wireless AP of the WLAN, a first authentication procedure with an authentication server for obtaining a first session key and a key lifetime value associated with the first session key; establishing a first secure connection with the wireless AP based on the first session key; setting a timer with an initial value that is less than or equal to the key lifetime value, and running the timer; communicating in a media session over the first secure connection with the wireless AP; and in response to an expiration of the timer during the media session: performing, during the media session, a second authentication procedure with the authentication server for obtaining a second session key; and establishing, during the media session, a second secure connection with the wireless AP using the second session key; and communicating in the media session over the second secure connection with the wireless AP. In another illustrative example, the method involves performing the second authentication procedure with the authentication server in response to identifying a request for establishing the media session, just prior to establishing the media session. | 01-13-2011 |
20110016310 | SECURE SERIAL INTERFACE WITH TRUSTED PLATFORM MODULE - A secure system having a Trusted Platform Module coupled between a peripheral device and a host. In operation, the Trusted Platform Module is provided to control communication between the peripheral device and the host. | 01-20-2011 |
20110016311 | METHOD FOR PREVENTING LAUNDERING AND REPACKAGING OF MULTIMEDIA CONTENT IN CONTENT DISTRIBUTION SYSTEMS - A method for distributing content in a content distribution system is disclosed which comprises the steps of: encrypting at a Content Packager a content using a content encryption key to generate an encrypted content; sending the content encryption key to a Licensing Authority; receiving from the Licensing Authority a distribution key containing an encryption of the content decryption key (K | 01-20-2011 |
20110022836 | Method and apparatus for securing the privacy of a computer network - A method and apparatus for secure access to a computer network and for safeguarding the confidentiality and privacy of data stored and distributed by the network is disclosed. The method and apparatus addresses both limiting access to the computer network to those who are authorized to have access as well as the privacy of the information stored in the network. | 01-27-2011 |
20110022837 | Method and Apparatus For Performing Secure Transactions Via An Insecure Computing and Communications Medium - The present invention comprises a user interface hardware implementation and associated method for providing a means to achieve secure transactions between a human user and a remote computing facility or service, wherein the transaction is performed such that intermediate nodes, including the human user's primary computation device (e.g. personal computer, cellphone, etc.) need not be trustworthy while still preserving the privacy and authenticity of communications between the human user and remote computing facility or service. | 01-27-2011 |
20110029769 | METHOD FOR USING TRUSTED, HARDWARE IDENTITY CREDENTIALS IN RUNTIME PACKAGE SIGNATURE TO SECURE MOBILE COMMUNICATIONS AND HIGH VALUE TRANSACTION EXECUTION - A method for trusted package digital signature based on secure, platform-bound identity credentials. The selection of a document to be electronically signed by a user via a computing device is made. A hash for the document is determined. The hash is encrypted with a private key of the user to create a digital signature. The document, an identification credential, and the digital signature are sent to a recipient computing device residing on a network. The identification credential comprises a digital file used to cryptographically bind a public key to specific trusted hardware attributes attesting to the identity and integrity of the trusted computing device. The trusted computing device includes a cryptographic processor. | 02-03-2011 |
20110029770 | RADIO COMMUNICATION SYSTEM AND AUTHENTICATION PROCESSOR SELECTION METHOD - The present invention applies to a radio communication system that has a subscriber authentication server provided with a plurality of authentication processors and first and second authentication verification apparatuses that carry out each of authentication requests for first and second authentications to the subscriber authentication server for the same subscriber. In this radio communication system, the subscriber authentication server, upon success of the first authentication, reports to the first authentication verification apparatus identification information of the authentication processor that carried out the first authentication, and the first authentication verification apparatus reports to the second authentication verification apparatus the identification information that was reported from the subscriber authentication server. | 02-03-2011 |
20110035583 | AUTHENTICATION APPARATUS, AUTHENTICATION SYSTEM, AUTHENTICATION METHOD AND COMPUTER READABLE MEDIUM - An authentication apparatus includes an accepting unit and an instructing unit. The accepting unit accepts a request, which requests to issue an authentication medium for a second user, from a first user who is authenticated. The instructing unit instructs to issue the authentication medium for the second user. | 02-10-2011 |
20110035584 | SECURE REMOTE SUBSCRIPTION MANAGEMENT - A method and apparatus are disclosed for performing secure remote subscription management. Secure remote subscription management may include providing the Wireless Transmit/Receive Unit (WTRU) with a connectivity identifier, such as a Provisional Connectivity Identifier (PCID), which may be used to establish an initial network connection to an Initial Connectivity Operator (ICO) for initial secure remote registration, provisioning, and activation. A connection to the ICO may be used to remotely provision the WTRU with credentials associated with the Selected Home Operator (SHO). A credential, such as a cryptographic keyset, which may be included in the Trusted Physical Unit (TPU), may be allocated to the SHO and may be activated. The WTRU may establish a network connection to the SHO and may receive services using the remotely managed credentials. Secure remote subscription management may be repeated to associate the WTRU with another SHO. | 02-10-2011 |
20110040964 | SYSTEM AND METHOD FOR SECURING DATA - The present invention provides a method for securing data distributed by a first user to at least one recipient user, comprising the steps of: responding to a request from the first user to encrypt the data with a key; and recording the location of the key in a database, wherein, on the database receiving a request from the at least one recipient user for authorization, the key is provided to the at least one recipient user upon authorization. | 02-17-2011 |
20110047372 | MASHAUTH: USING MASHSSL FOR EFFICIENT DELEGATED AUTHENTICATION - The present invention provides a method that allows the MashSSL protocol to be used to provide a secure and efficient way for delegated authentication. The invention allows services which already have an SSL infrastructure to reuse that infrastructure for delegated authentication, and to do so in a fashion where the cryptographic overhead is amortized across multiple users, and which provides the user with greater control of what information is shared on their behalf. | 02-24-2011 |
20110055553 | Method for controlling user access in sensor networks - A method for implementing energy-efficient user access control for wireless sensor networks is disclosed. A user creates a secret key and sends it to a sensor. The sensor builds a first MAC value using the secret key and sends it to the Key Distribution Center, which builds a second MAC value and sends it to the sensor. The sensor decrypts the second MAC value to get a random number, and builds a third MAC value using the random number. The third MAC value is used by the user to authenticate the sensor. | 03-03-2011 |
20110055554 | WIRELESS PERSONAL AREA NETWORK ACCESSING METHOD - A wireless personal area network accessing method is provided. The method includes: a coordinator broadcasts a beacon frame; the beacon frame includes information about whether the coordinator requires authentication and, when it does, also includes the authentication and key management packages supported by the coordinator; a device receives the beacon frame; when the device determines that the coordinator requires authentication, authentication between the coordinator and the device is performed using the authentication method corresponding to the authentication and key management package supported by the coordinator; and after authentication, the association between the coordinator and the device is either made directly according to the authentication result, or made after session key negotiation. | 03-03-2011 |
20110060902 | VPN CONNECTION SYSTEM AND VPN CONNECTION METHOD - For establishing a call-back type VPN connection, a VPN server establishes an always-on connection to a relay server through a dedicated protocol distinct from the electronic mail delivery system. A client generates client authentication data used for the client authentication implemented by the VPN server, and connects to the relay server through the dedicated protocol to transmit the client authentication data. The relay server relays the client authentication data to the VPN server through the dedicated protocol. The VPN server implements the client authentication based on the relayed data and establishes the VPN connection with the client based on the result of the authentication. | 03-10-2011 |
20110060903 | GROUP SIGNATURE SYSTEM, APPARATUS AND STORAGE MEDIUM - A group signature system according to one embodiment of the present invention comprises a group administrator apparatus, signer apparatuses and a verifier apparatus which can communicate with one another. Here, in a group signature method used by the apparatuses, a multiplication cyclic group or a bilinear group in which an order is unknown as in RSA is not used at all, but a multiplication cyclic group gG of a prime order q is only used, and representation parts k | 03-10-2011 |
20110066846 | METHOD AND A SYSTEM OF HEALTHCARE DATA HANDLING - This invention relates to a method of healthcare data handling by a trusted agent possessing or having an access to decryption keys for accessing healthcare data. A request is received from a requestor requesting accessing healthcare data. A log is generated containing data relating to the request or the requestor or both. Finally, the requestor is provided with an access to the healthcare data. | 03-17-2011 |
20110078437 | SIMPLIFYING ADDITION OF WEB SERVERS WHEN AUTHENTICATION SERVER REQUIRES REGISTRATION - An aspect of the present invention simplifies addition of new server systems which serve web pages to client systems, when an authentication server requires registration before providing authentication services. In an embodiment, a backend server is provided, which is registered with an authentication server. The server systems are implemented to redirect unauthorized access requests to the backend server, and the configurations performed during registration of the backend server system are used for authenticating a user and receiving an authentication result. The backend server communicates the authentication result and other information received from the authentication server to the server system. According to another aspect, such simplification is performed in a single sign-on (SSO) environment. | 03-31-2011 |
20110078438 | ENTITY BIDIRECTIONAL-IDENTIFICATION METHOD FOR SUPPORTING FAST HANDOFF - An entity bidirectional-identification method for supporting fast handoff involves three security elements, which include two identification elements A and B and a trusted third party (TP). All identification entities of a same element share a public key certification or own a same public key. When any identification entity in identification element A and any identification entity in identification element B need to identify each other, if the identification protocol has never been operated between the two identification elements that they belong to respectively, the whole identification protocol process will be operated; otherwise, interaction of the identification protocol will be acted only between the two identification entities. Application of the present invention not only centralizes management of public keys and simplifies protocol operation conditions, but also utilizes the concept of security domain so as to reduce management complexity of public keys, shorten identification time and satisfy fast handoff requirements on the premises of guaranteeing security characteristics such as one key for every pair of identification entities, one secret key for every identification and forward secrecy. | 03-31-2011 |
20110087880 | REVOCATION OF CREDENTIALS IN SECRET HANDSHAKE PROTOCOLS - According to a general aspect, a computer-implemented method for a first user to verify an association with a second user through a secret handshake protocol includes maintaining information about a reusable identification handle for the first user, where the information about the reusable identification handle is provided by a trusted third party, maintaining information about a reusable credential for the first user, where the information about the reusable credential is provided by a trusted third party, and maintaining information about a matching reference for verifying an association with another user, where the information about the matching reference is provided by a trusted third party. Information based on the reusable identification handle and based on the reusable credential is transmitted to a potential peer. First information based on a reusable identification handle for the second user is received, and second information based on a reusable credential for the second user is received. A first comparison of a combination of the first information and the second information is performed with the matching reference to determine whether the second user's credentials match the first user's matching reference. A second comparison of the first information with information published on a revocation list is performed to determine whether the second user's credentials have been revoked from usage. Based on the first comparison and the second comparison, a determination is made whether or not to verify the association of the second user with the first user. | 04-14-2011 |
20110107085 | Authenticator relocation method for wimax system - A method is provided for Authenticator Relocation in a communication system applying an Extensible Authentication Protocol, or the like, which provides replay protection and mitigates the rogue ASN-GW problem during relocation of the Anchor Authentication, and without conducting re-authentication of the MS. The method of the invention optionally allows secure refresh of the MSK. | 05-05-2011 |
20110107086 | SECURE AUTHENTICATION AND PRIVACY OF DATA COMMUNICATION LINKS VIA DYNAMIC KEY SYNCHRONIZATION - A dynamic computer system security method and system using dynamic encryption and full synchronization between system nodes. A data record from a data stream created by a source user is encrypted with an initial dynamic session key. A new dynamic session key is generated based upon a data record and a previous dynamic session key. The new dynamic session key is then used to encrypt the next data record. A central authority is used to synchronize and authenticate both source and destination users with dynamic authentication keys. The central authority and users constantly regenerate new dynamic authentication keys. A child process is forked to ensure synchronization and authentication of dynamic authentication keys of each node upon a request for a secure communication establishment from a user. The central authority generates the initial dynamic session key with the current dynamic authentication key to begin a secure communication session. | 05-05-2011 |
20110107087 | APPARATUS AND METHOD FOR REFRESHING MASTER SESSION KEY IN WIRELESS COMMUNICATION SYSTEM - A Master Session Key (MSK) refresh in a wireless communication system is provided. An MSK refreshing method includes when receiving a first Media Access Control (MAC) message including MSK refresh indication information from a Base Station (BS), generating, at a Mobile Station (MS), an Extended Master Session Key (EMSK)_Hash by applying a hash function to an EMSK and sending a second MAC message including the EMSK_Hash, sending, at the BS, a context request message including the EMSK_Hash to an Access Service Network GateWay (ASN-GW), sending, at the ASN-GW, an authentication request message including the EMSK_Hash to an authentication server, when receiving the authentication request message including the EMSK_Hash, confirming, at the authentication server, the same EMSK as the MS based on the EMSK_Hash, determining an MSK | 05-05-2011 |
20110107088 | SYSTEM AND METHOD FOR VIRTUAL TEAM COLLABORATION IN A SECURE ENVIRONMENT - A computing platform for facilitating dynamic connection and collaboration of users to transact services in a secure computing environment. The users include service providers and service requesters. The platform includes a registration module for registering users including service requesters and service providers, a connection module for connecting users to form groups based on users' selective invitations to other users, and a collaboration module for creating a virtual secure data room for collaboration and sharing of encrypted data by the connected users in a user-friendly and transparent manner. The platform further comprises a transaction module for settling payments between the service requesters and the service providers based on completion of previously agreed project milestones. | 05-05-2011 |
20110113237 | KEY CAMOUFLAGING METHOD USING A MACHINE IDENTIFIER - A method is provided for generating a human readable passcode to an authorized user including providing a controlled access datum and a PIN, and generating a unique machine identifier for the user machine. The method further includes modifying the controlled access datum, encrypting the controlled access datum using the PIN and/or a unique machine identifier to camouflage the datum, and generating a passcode using the camouflaged datum and the PIN and/or the unique machine identifier. A mobile user device may be used to execute the method in one embodiment. The passcode may be used to obtain transaction authorization and/or access to a secured system or secured data. The unique machine identifier may be defined by a machine effective speed calibration derived from information collected from and unique to the user machine. | 05-12-2011 |
20110119484 | Systems and Methods for Securely Providing and/or Accessing Information - The invention is directed to a system for use with a first device in communication with a second device. The system includes a storage medium that is connectable with the first device, a hardened, stand-alone web browser stored on the storage medium, and client authentication data. The web browser uses the client authentication data to facilitate secure communication between the first device and the second device, and the first device communicates with a third device that provides configuration data that includes one or more approved addresses. | 05-19-2011 |
20110126000 | METHOD FOR ACCESSING DATA SAFELY SUITABLE FOR ELECTRONIC TAG - A method for accessing data safely, which is suitable for the electronic tag with low performance, is provided. The method comprises the following steps: when performing a data writing process, the first read-write device encrypts the message MSG and then writes the message in the electronic tag; when performing a data reading process, the second read-write device sends a data request packet to the electronic tag; the electronic tag sends a data response packet to the second read-write device according to the data request packet; the second read-write device sends a key request packet to a trusted third party; the trusted third party verifies the validity of the identity of the second read-write device according to the key request packet, and sends a key response packet to the second read-write device once the verification is passed; the second read-write device obtains the plain text of the electronic tag message MSG according to the key response packet. This invention can realize the safe access of the data of the electronic tag with low performance. | 05-26-2011 |
20110138172 | ENTERPRISE COMPUTER INVESTIGATION SYSTEM - A method, apparatus and system for secure forensic investigation of a target machine by a client machine over a communications network. In one aspect the method comprises establishing secure communication with a server over a communications network, establishing secure communication with the target machine over the communications network, wherein establishing secure communication with the target machine includes establishing secure communication between the server and the target machine, installing a servelet on the target machine, transmitting a secure command to the servelet over the communications network, executing the secure command in the servelet, transmitting data, by the target machine, in response to a servelet instruction, and receiving the data from the target machine over the communication network. It is emphasized that this abstract is provided to comply with the rules requiring an abstract which will allow a searcher or other reader to quickly ascertain the subject matter of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or the meaning of the claims. | 06-09-2011 |
20110145565 | FEDERATED AUTHENTICATION FOR MAILBOX REPLICATION - A data replication mechanism is proposed that relies on existing federation infrastructure enabling distributed authentication instead of storing and using explicit credentials for a remote forest. The data replication mechanism requests a federation token with data replication capabilities targeted to the remote forest and passes this token to the remote forest in lieu of explicit credentials. | 06-16-2011 |
20110145566 | Secret Encryption with Public or Delegated Comparison - Described is a technology comprising a system in which two distrusting parties can submit sets of encrypted keywords using two independent secret keys to a third party who can decide, using only public keys, if the underlying cleartext message of a cryptogram produced by one distrusting party matches that of a cryptogram produced by the other. The third party (e.g., a server) uses generator information corresponding to a generator of an elliptic curve group to determine whether the sets of encrypted keywords match each other. Various ways to provide the generator information based upon the generator are described. Also described is the use of one-way randomization and two-way randomization as part of the system to protect against dictionary attacks. | 06-16-2011 |
20110154023 | Protected device management - A method, apparatus, system, and computer program product for management of storage devices protected by encryption, user authentication, and password protection and auditing schemes in virtualized and non-virtualized environments. | 06-23-2011 |
20110161658 | METHOD FOR ENABLING LIMITATION OF SERVICE ACCESS - A method for enabling limitation of service access, wherein a service provider offers at least one service and a user possesses multiple different digital identities that can be used to invoke or register with the service, access to the service requiring an account at a third party entity, the user registers his digital identities with the account and agrees on a secret with the third party entity, the method including: | 06-30-2011 |
20110185170 | COMMUNICATION WITH NON-REPUDIATION AND BLIND SIGNATURES - Apparatus, systems, and methods may operate to receive, at a trusted third party (TTP), a signed disguised message as a disguised receiver signature from a receiver that has signed a disguised message using a blind signature process to transform the disguised message into the signed disguised message. Additional activities may include sending, from the TTP, an undisguised version of the disguised message to the receiver, and the receiver signature to a sender of the undisguised version, after determining that the receiver signature is valid. Additional apparatus, systems, and methods are disclosed. | 07-28-2011 |
20110191578 | Method for digital identity authentication - In a preferred embodiment of the invention, an authenticating device ( | 08-04-2011 |
20110197059 | SECURING OUT-OF-BAND MESSAGES - Securing an out-of-band message from a server to a mobile computing device. After requesting a service ticket from a trusted third party (e.g., via a pre-existing ticketing infrastructure), the requested service ticket and a shared secret are obtained from the trusted third party via a first channel. The mobile computing device thereafter sends the service ticket with the shared secret to a server via a second channel. The server encrypts a message (e.g., an SMS message) using the shared secret. The mobile computing device receives the encrypted message from the server via a third channel that is out-of-band relative to the first channel. The encrypted message is decrypted via the shared secret and the decrypted message is provided to a user of the mobile computing device. In some embodiments, the message includes commands for controlling the mobile computing device. | 08-11-2011 |
20110197060 | Externally Managed Security and Validation Processing Device - An externally managed security and validation processing device includes a cryptographic processing subsystem configured for performing security or validation services; an application interface configured for communicating security or validation services with an application system; and a secure management interface configured for communicating information, including configuration information for the cryptographic processing system for performing said security or validation services, with a service profile system external to the apparatus without passing said configuration information through the application system. The service profile system can typically also migrate security services provided by one apparatus to another apparatus. | 08-11-2011 |
20110202758 | APPARATUS FOR PROVIDING SECURITY OVER UNTRUSTED NETWORKS - A network security apparatus adapted to provide for secure communications across data networks, including untrusted networks. In one embodiment, the security apparatus comprises one or more components disposed within the software stack of a computerized device, the components including an association process adapted to establish security associations between devices on the network, and an encryption key generation process adapted to generate one or more encryption keys. In one variant, the keys are specifically for use with temporary or ad hoc security associations. The one or more keys are exchanged according to a key exchange protocol after the device is authenticated or authenticates another device. In one implementation, the device comprises a portable device such as a laptop computer. | 08-18-2011 |
20110213959 | METHODS, APPARATUSES, SYSTEM AND RELATED COMPUTER PROGRAM PRODUCT FOR PRIVACY-ENHANCED IDENTITY MANAGEMENT - A method and related apparatus include the steps of registering, from a client at a service providing network entity, first client-related identity information and, from the client at an identity providing network entity, second client-related identity information being different from the first client-related identity information and being generated based on the first client-related identity information. Key information is a secret of the client and identity information is related to the service providing network entity. A second method and related apparatus include the step of determining, at a service providing network entity, the first client-related identity information based on the second client-related identity information being received from the identity providing entity. Finally, a third method and related apparatus include the step of authenticating, towards the service providing network entity, the second client-related identity information being received from the client. | 09-01-2011 |
20110231656 | SYSTEM AND METHODS FOR AUTHENTICATING A RECEIVER IN AN ON-DEMAND SENDER-RECEIVER TRANSACTION - A system and method are provided for authenticating a first device to a second device. This involves determining, at the directory, a secret key and a first set of images by communicating with the first device; receiving, at the directory, a transaction request from the second device to authenticate the first device; and generating, at the directory, a tag using said secret key and first information associated with said transaction request. This also involves selecting a second set of images from said first set of images according to said tag, and sending said second set of images from the directory to the second device. Moreover, using said first set of images, said secret key, and said information associated with said transaction request, the first device may select a third set of images that, when sent to the second device, may be used at the second device, in comparison to said second set of images, to authenticate the first device. | 09-22-2011 |
20110238981 | IMAGE FORMING APPARATUS, IMAGE PROCESSING SYSTEM, METHOD FOR CONTROLLING IMAGE PROCESSING SYSTEM, AND STORAGE MEDIUM - At an apparatus, a reading unit reads a document, a generation unit generates content data from the document, an encryption unit performs encryption processing on the content data using an encryption key, and a transmission unit, when an instruction for not using a service for performing processing on the content data provided by a server group and for storing the generated content data in the server group is received, transmits to the server group the content data on which the encryption processing has been performed, and, when an instruction for using the service is received, transmits to the server group the content data on which the encryption processing has not been performed. | 09-29-2011 |
20110246764 | USER AUTHENTICATION SYSTEM - An ID vault computer control program detects when a user's browser navigates to a third-party website that requires a user ID and password. If it hasn't done so already, it automatically requests a decryption key for a local encrypted vault file from a network server by supplying a personal identification number (PIN) from the user through the input device, a copy of the GUID, and a signature of the GUID using a private key for the root certificate. If a decryption key is returned from the network server, the local encrypted vault file is unlocked and automatically supplies a corresponding user ID and password to log on to the third-party website without the user. | 10-06-2011 |
20110252229 | SECURING PASSWORDS AGAINST DICTIONARY ATTACKS - Described herein are various technologies pertaining to constructions of a password-based authentication protocol that are configured to allow a user to register with and authenticate to an online service without the online service receiving a password or a deterministic function of the password of the user. When registering with an online service, a client computing device establishes a cryptographically strong random secret and stores an encryption of such secret with a data storage device. The storage device also never receives the password or a deterministic function of the password. When the user wishes to authenticate to the online service, the user employs her password to retrieve the encrypted secret from the storage device, decrypts such secret, and utilizes the decrypted secret to answer a cryptographically strong challenge provided to the user by the online service upon the online service receiving a username pertaining to such user. | 10-13-2011 |
20110252230 | SECURE ACCESS TO A PRIVATE NETWORK THROUGH A PUBLIC WIRELESS NETWORK - A system, method and computer-program product for a client device to securely access a private network through a public wireless network. The system establishes a first network tunnel between the client device and a gateway of the public wireless network and then authenticates the client device with an authentication server of the private network using the first tunnel. The authentication is proxied by an authentication server of the public network. Once the authentication is successful, a second tunnel is established between the client device and a gateway of the private network for secure access by the client device to the private network. | 10-13-2011 |
20110264910 | COMMUNICATION CONTROL DEVICE, COMPUTER-READABLE MEDIUM, AND COMMUNICATION CONTROL SYSTEM - A virtual authentication proxy server includes an authentication request acceptance unit, a terminal authentication program transmission unit and an authentication result transmission unit. When an application server which cannot use an authentication server accepts a user ID and a password together with a use request from a terminal, the authentication request acceptance unit accepts the authentication request. The terminal authentication program transmission unit transmits a terminal authentication program to a terminal device. The authentication result transmission unit causes the terminal device to execute the terminal authentication program so as to cause the authentication server to execute authentication. The authentication result transmission unit receives the authentication result from the terminal device and transmits the authentication result to the application server. | 10-27-2011 |
20110271099 | AUTHENTICATION SERVER AND METHOD FOR GRANTING TOKENS - An authentication server and method are provided for generating tokens for use by a mobile electronic device for accessing a service. Communications between the device and the authentication server are through a relay. A memory stores a secret shared with a service server from which the service is provided. A processor is configured to generate the token using the shared secret and based on a reliance on the relay to ensure that the device has authorization to access the service. One or more computer-readable media having computer-readable instructions stored thereon that cause the device to obtain proof of authorization to access the service are also provided. The instructions implement a method comprising: outputting via a wireless connection to a relay a request addressed to an authentication server for a token and receiving the token from the authentication server via the relay. | 11-03-2011 |
20110289313 | Ticket Authorization - A method for issuing tickets in a communication system comprising a plurality of nodes that are capable of establishing a communication connection between two or more clients, the method comprising a first client transmitting to a ticket-issuing service a request for a ticket authorizing the first client to establish a communication connection with a second client, the ticket-issuing service determining if the first client is authorized to establish the requested communication connection and if the first client is determined to be authorized to establish the requested communication connection, the ticket-issuing service transmitting to the first client one or more tickets designating the second client which authorizes the first client to establish the requested connection with the second client by means of one or more of the plurality of nodes. | 11-24-2011 |
20110289314 | PROXY AUTHENTICATION NETWORK - A Proxy Authentication Network includes a server that stores credentials for subscribers, along with combinations of devices and locations from which individual subscribers want to be authenticated. Data is stored in storage: the storage can be selected by the subscriber. The data stored in the storage, which can be personally identifiable information, can be stored in an encrypted form. The key used to encrypt such data can be divided between the storage and server. In addition, third parties can store portions of the encrypting key. Subscribers can be authenticated using their credentials from recognized device/location combinations; out-of-band authentication supports authenticating subscribers from other locations. Once authenticated, a party can request that the encrypted data be released. The portions of the key are then assembled at the storage. The storage then decrypts the data, generates a new key, and re-encrypts the data for transmission to the requester. | 11-24-2011 |
20110296170 | TOLERANT KEY VERIFICATION METHOD - A tolerant key verification method is provided. The tolerant key verification method comprises the following steps. A first key is generated instantly according to first characteristic values from a user terminal and is transmitted to a verification server to perform a comparison. When a data in the verification server matches the first key, the verification server makes no response and asks a network-service server to provide a network service to the user terminal. When the data doesn't match the first key, the verification server makes no response. When no data is available, the verification server makes no response and asks a message server to send a key-regeneration signal to the user terminal such that the user terminal generates a second key instantly according to second characteristic values. The verification server saves the second key and asks the network-service server to provide the network service to the user terminal. | 12-01-2011 |
20110302410 | SECURE DOCUMENT DELIVERY - A method, machine-readable medium, and server to create a key, set an expiration event for the key to expire, send the key to a first client device to encrypt the document, authenticate a second client device that is in receipt of the encrypted document, delete the key if the expiration event has occurred, and send the key to the authenticated second client device to decrypt the document if the expiration event has not yet occurred. For one embodiment, the key is used by client devices for encryption and decryption of the document only and is not otherwise accessible to the client devices. For one embodiment, the server facilitates sending the encrypted document to the second client device but does not retain a copy of the encrypted document. | 12-08-2011 |
20110320808 | SYSTEM AND METHOD FOR INCORPORATING AN ORIGINATING SITE INTO A SECURITY PROTOCOL FOR A DOWNLOADED PROGRAM OBJECT - Disclosed herein are systems, methods, and non-transitory computer-readable storage media for verifying a digital object obtained from a remote host. A system configured to practice the method downloads a first object from a first remote source and presents the user with a first request to allow access to the first object. Upon user approval, a multitude of characteristics associated with the object are stored to facilitate future uses of the object. When a second object is downloaded from a second remote source, the system checks the database for a stored user approval. Access to the second object is allowed if the multitude of characteristics associated with the first and second objects match. If the system does not find a match, the user is presented with a second request to allow access to the object. | 12-29-2011 |
20120017080 | METHOD FOR ESTABLISHING SAFE ASSOCIATION AMONG WAPI STATIONS IN AD-HOC NETWORK - The present invention discloses a method for establishing a security association among WAPI stations in an ad-hoc network, and the method comprises: when a security association between two stations in the ad-hoc network is to be established, one station STA | 01-19-2012 |
20120023325 | VIRTUAL PRIVATE NETWORK SYSTEM AND NETWORK DEVICE THEREOF - A virtual private network (VPN) system and a network device thereof are provided. The VPN system includes a first network device, a second network device, and an authentication server. The first network device provides an encrypted connection setup request message containing authentication information to the second network device. The second network device receives the encrypted connection setup request message and forwards the authentication information to the authentication server to perform a first authentication process, so as to determine whether the first network device is authorized. If the first network device is authorized, the first network device and the second network device directly exchange a set of VPN arguments and perform a second authentication process through the exchange of the VPN arguments, so as to establish an IPSec VPN connection between the first network device and the second network device. | 01-26-2012 |
20120060025 | SERVICE PROVIDER INVOCATION - A service provider may provide one or more services to and/or for a client. Providing a service may involve receiving a service request including a security token at the service provider and determining whether the security token is valid. Providing the service may also involve determining a session security token if the security token is valid and generating a service response including the session security token. Providing the service may further involve receiving a service request including the session security token, determining whether the session security token is valid, and, if the session security token is valid, generating a second service response. | 03-08-2012 |
20120072714 | Methods and Systems for Secure Authentication of a User by a Host System - A method and system for securely logging onto a banking system authentication server so that a user credential never appears in the clear during interaction with the system in which a user's credential is DES encrypted, and the DES key is PKI encrypted with the public key of an application server by an encryption applet before being transmitted to the application server. Within the HSM of the application server, the HSM decrypts and re-encrypts the credential under a new DES key known to the authentication server, the re-encrypted credential is forwarded to the authentication server, decrypted with the new DES key known to the authentication server, and verified by the authentication server. | 03-22-2012 |
20120072715 | Authorizing Equipment on a Sub-Network - Systems and methods for authorizing a customer premise equipment (CPE) device to join a network through a network termination unit (NTU). The CPE device can send an encrypted connection request, and an authorization server can decrypt the connection request and provide a network membership key (NMK) associated with the CPE device to the NTU. The authorization server can encrypt the NMK associated with the CPE device using a device access key (DAK) associated with the NTU. | 03-22-2012 |
20120089830 | METHOD AND DEVICE FOR DIGITALLY ATTESTING THE AUTHENTICITY OF BINDING INTERACTIONS - Method for digitally attesting the authenticity of an interaction, comprising the steps of establishing a secure digital communication channel between a Universal Signature Assistant and a remote Attestation Appliance, sending an interaction request to a remote site, digitally receiving from the remote Attestation Appliance on the Universal Signature Assistant an attestation request for the authenticity of said interaction request, and confirming or denying the authenticity of the interaction request by respectively accepting or rejecting the attestation request on said Universal Signature Assistant. Device for digitally attesting the authenticity of an interaction, comprising a Universal Signature Assistant with a CPU, a memory, a storage and a system bus, the CPU, memory and storage being connected to the system bus for communicating with each other; a display connected to the system bus for displaying information to a user; a user input device connected to the system bus for allowing the user to enter information into the Universal Signature Assistant; a communication interface connected to the system bus for communicating with external devices; a reader for reading user identity information contained on an identity token; and a software program stored in the storage for performing the method of the invention with the Universal Signature Assistant when the software program is run by the CPU. | 04-12-2012 |
20120089831 | Associating A Multi-Context Trusted Platform Module With Distributed Platforms - In one embodiment, the present invention includes a method for creating an instance of a virtual trusted platform module (TPM) in a central platform and associating the instance with a managed platform coupled to the central platform. Multiple such vTPM's may be instantiated, each associated with a different managed platform coupled to the central platform. The instances may all be maintained on the central platform, improving security. Other embodiments are described and claimed. | 04-12-2012 |
20120096259 | SYSTEM AND METHOD FOR PERFORMING MUTUAL AUTHENTICATION - A system and method for performing mutual authentication verifies a username and a password of a handheld device by a server, and verifies an identity of the server by the handheld device if the handheld device passes the username and password verification. The system and method further verifies an identity of the handheld device by the server if the identity of the server is valid, and gives an access authority to the handheld device if the identity of the handheld device is valid. | 04-19-2012 |
20120110324 | METHOD AND APPARATUS FOR SENDING A KEY ON A WIRELESS LOCAL AREA NETWORK - A method and an apparatus for sending a key on a Wireless Local Area Network (WLAN) are provided. In a scenario where the Access Server (AS) is separate from the Access Controller (AC), the AS may send the master key of a specified WLAN station to the AC and trigger the AC to agree on a transient key with the station. The method includes: when receiving the master key of the WLAN station from an AAA server, searching a station information table for the IP address of the AC associated with the station; and sending a message to that AC instructing it to perform a 4-way handshake with the station to agree on a transient key, where the message carries the master key of the station, a 4-way handshake triggering bit, and the MAC address of the WLAN station. | 05-03-2012 |
20120110325 | METHOD, DEVICE AND MOBILE TERMINAL FOR CHALLENGE HANDSHAKE AUTHENTICATION PROTOCOL AUTHENTICATION - A method, apparatus and mobile terminal for Challenge Handshake Authentication Protocol (CHAP) authentication in a CDMA Evolution to packet Data Optimized (EVDO) network are provided. They allow the EVDO authentication process to succeed even when the authentication server does not support the Message Digest 5 (MD5) authentication method. The CHAP authentication method includes: receiving from the authentication server a CHAP authentication request containing a first key value; when it is confirmed that an identifier indicating support for the MD5 authentication method is stored in the user identity module, calling the MD5 authentication method to calculate a first authentication key value from the first key value and sending it to the authentication server for authentication; and, when the authentication server returns a CHAP re-authentication request containing a second key value because authentication with the first authentication key value failed, calling the Cellular Authentication and Voice Encryption (CAVE) authentication method to calculate a second authentication key value from the second key value and sending it to the authentication server for authentication. | 05-03-2012 |
20120117379 | METHODS FOR HANDLING REQUESTS BETWEEN DIFFERENT RESOURCE RECORD TYPES AND SYSTEMS THEREOF - A method, computer readable medium, and device for handling requests between different resource record types includes receiving at a traffic management device a first resource record type from one or more server devices in response to a request from a client device. The traffic management device validates the first resource record type, and creates a second resource record type corresponding to the first resource record type after the validating. Signing the second resource record type at the traffic management device is carried out for servicing the request from the client device. | 05-10-2012 |
20120117380 | Method for Granting Authorization to Access a Computer-Based Object in an Automation System, Computer Program, and Automation System - An identifier is determined for a control program, and the identifier is encrypted based on a private digital key associated with a control and monitoring unit of the automation system to grant authorization to access a computer-based object in an automation system. A first service of the automation system is provided based on the computer-based object, and a second service of the automation system is provided based on the control program. The encrypted identifier is decrypted when being transmitted to an authentication service and is verified by the authentication service. If the verification process has been successful, the authentication service transmits a temporarily valid token to the second service. When the control program requests access to the computer-based object, the token is transmitted to the first service for checking purposes. The control program is granted access to the computer-based object if the result of the checking process is positive. | 05-10-2012 |
20120131331 | System And Method For End To End Encryption - Systems and methods for end-to-end encryption are disclosed. According to one embodiment, a method for device registration includes (1) an application executed by a computer processor receiving a user password from a user; (2) using the computer processor, the application combining the user password and a password extension; (3) using the computer processor, the application cryptographically processing the combined user password and password extension, resulting in cryptographic public information; and (4) providing the cryptographic public information to a server. The user password is not provided to the server. In another embodiment, a method for user authentication includes (1) using a computer processor, receiving a login page from a server; (2) sending a Hash-based Message Authentication Code to the server; and (3) receiving an authentication from the server. In one embodiment, the login page may include a transkey and a value B. | 05-24-2012 |
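The registration and login flow in the abstract above, as an added example that is not the patent's or any product's code. It assumes the "password extension" is a per-user random salt, that "transkey" is a per-login server nonce, and that "B" is a server ephemeral Diffie-Hellman value g^b, so the server stores only g^x and the HMAC is keyed by (g^x)^b = (g^b)^x; the password itself never reaches the server. The group is a toy (p = 2**127 - 1, g = 3) so the example runs instantly.

```python
import hashlib
import hmac
import secrets

# Added example, not the patent's code. TOY group: p = 2**127 - 1, g = 3.
# A real deployment needs a standardized 2048-bit+ MODP group or an
# elliptic curve; everything else (PBKDF2, HMAC, nonces) is stdlib.
P = (1 << 127) - 1
G = 3


def _kdf(shared: int) -> bytes:
    """Turn the shared group element into a fixed-length HMAC key."""
    return hashlib.sha256(b"e2e-login|" + shared.to_bytes(16, "big")).digest()


def secret_exponent(password: str, extension: bytes) -> int:
    """Registration steps (2)+(3): combine password and extension, then hash
    (PBKDF2) into a private exponent x. The password stays on the client."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), extension, 100_000)
    return int.from_bytes(key, "big") % (P - 1) or 1


def public_info(password: str, extension: bytes) -> int:
    """The 'cryptographic public information' g^x handed to the server (step 4)."""
    return pow(G, secret_exponent(password, extension), P)


def client_response(password: str, extension: bytes, transkey: bytes, b_value: int) -> bytes:
    """Login step (2): HMAC over the transkey under a key derived from B^x."""
    shared = pow(b_value, secret_exponent(password, extension), P)
    return hmac.new(_kdf(shared), transkey, "sha256").digest()


class Server:
    def __init__(self):
        self.users = {}     # username -> (extension, g^x)
        self.pending = {}   # username -> (transkey, b) for one in-flight login

    def register(self, username: str, extension: bytes, g_x: int) -> None:
        self.users[username] = (extension, g_x)

    def login_page(self, username: str):
        """Login step (1): the page carries the extension, a transkey and B."""
        extension, _ = self.users[username]
        b = secrets.randbelow(P - 2) + 1
        transkey = secrets.token_bytes(16)
        self.pending[username] = (transkey, b)
        return extension, transkey, pow(G, b, P)

    def check(self, username: str, mac: bytes) -> bool:
        """Login step (3): recompute the HMAC from (g^x)^b and compare."""
        _, g_x = self.users[username]
        transkey, b = self.pending.pop(username)
        expected = hmac.new(_kdf(pow(g_x, b, P)), transkey, "sha256").digest()
        return hmac.compare_digest(expected, mac)


def demo():
    """Returns (correct password accepted, wrong password rejected)."""
    server = Server()
    ext = secrets.token_bytes(16)                      # constructed extension
    server.register("alice", ext, public_info("correct horse", ext))
    ext2, tk, b_val = server.login_page("alice")
    good = server.check("alice", client_response("correct horse", ext2, tk, b_val))
    _, tk, b_val = server.login_page("alice")
    bad = server.check("alice", client_response("wrong horse", ext, tk, b_val))
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Because the server holds g^x rather than a password hash, a leaked user table lets an attacker run an offline guess against g^x but not impersonate the client directly, which is the property the abstract's "public information" wording points at; the per-login transkey stops a recorded HMAC from being replayed.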
20120131332 | Method and Apparatus for Authenticating Online Transactions Using a Browser - A computer-implemented method for authenticating a user using a service provider server and an authentication server, the user communicating with at least one of the service provider server and the authentication server using a user browser. The method includes requesting authentication, using the user browser, from the service provider server. The method also includes authenticating, using the user browser, a secure communication channel with the authentication server. The method also includes receiving, using the user browser, a Next Pre-Authentication Anchor (NPAA) value from the authentication server. The method additionally includes temporarily storing the Next Pre-Authentication Anchor (NPAA) value in a user browser cookie associated with the user browser, wherein the Next Pre-Authentication Anchor (NPAA) value is protected by employing the Same Origin Policy (SOP). | 05-24-2012 |
20120144189 | WLAN AUTHENTICATION METHOD, WLAN AUTHENTICATION SERVER, AND TERMINAL - An authentication method, a server, and a terminal for a wireless local area network (WLAN) are provided. The method includes: redirecting a Hypertext Transfer Protocol (HTTP) request message sent by a WLAN terminal to an address of a login webpage of a WLAN network and returning the redirected HTTP request message to the WLAN terminal; sending authentication request information carrying an International Mobile Subscriber Identity (IMSI) identifier of a Subscriber Identity Module (SIM) card sent by the WLAN terminal to an Authentication/Authorization/Accounting (AAA) server corresponding to the address of the login webpage of the WLAN network, such that the AAA server performs authentication based on the IMSI identifier. | 06-07-2012 |
20120151206 | METHODS FOR VERIFYING SYSTEM INTEGRITY - A request is received from a client for accessing a resource provided in a network, the request including credential data representing system integrity of at least one component running on the client. In response to the request, one or more credential identifiers identifying the credential data is transmitted to a management server that provisioned the client. Credential reference data is received from the management server based on the one or more credential identifiers. The client is authenticated based on a comparison of the credential data received from the client and credential reference data received from the management server. | 06-14-2012 |
20120159152 | METHOD AND APPARATUS FOR SMART-KEY MANAGEMENT - A method and an apparatus for smart key management are disclosed. The apparatus for smart key management can receive a smart key duplicate request message from a user terminal, perform user authentication using terminal information or user information included in the smart key duplicate request message, and, if the user authentication succeeds, duplicate the registered smart key corresponding to the terminal information or the user information and transmit the duplicated smart key to the target terminal identified by the target terminal information. | 06-21-2012 |
20120159153 | Efficient Identity-Based Ring Signature Scheme With Anonymity And System Thereof - An identity-based ring signature authentication method provides an efficient identity-based ring signature scheme that requires a constant number of bilinear pairing computations in the verification process, independent of the number of ring members. The method does not use a special-purpose function such as MapToPoint. | 06-21-2012 |
20120159154 | AUTHENTICATING METHOD AND MOBILE TERMINAL FOR CODE DIVISION MULTIPLE ACCESS (CDMA) EVOLUTION TO PACKET DATA OPTIMIZED (EVDO) NETWORK - An authenticating method and a mobile terminal for a Code Division Multiple Access (CDMA) EVolution to packet Data Optimized (EVDO) network enable a Network Access Identifier (NAI) authentication process to succeed. The authenticating method for the EVDO network includes an NAI authenticating and a Challenge Handshake Authentication Protocol (CHAP) authenticating, in which the NAI authenticating method includes: when it is determined that the identifier supporting a Message-Digest 5 (MD5) authenticating method is stored in a User Identity Module (UIM) (S | 06-21-2012 |
20120159155 | Direct Anonymous Attestation Scheme with Outsourcing Capability - A Direct Anonymous Attestation (DAA) scheme using elliptic curve cryptography (ECC) and bilinear maps. A trusted platform module (TPM) may maintain privacy of a portion of a private membership key from an issuer while joining a group. Moreover, the TPM can outsource most of the computation involved in generating a signature to a host computer. | 06-21-2012 |
20120166795 | SECURE APPLICATION ATTESTATION USING DYNAMIC MEASUREMENT KERNELS - Methods and apparatus to provide secure application attestation using dynamic measurement kernels are described. In some embodiments, secure application attestation is provided by using dynamic measurement kernels. In various embodiments, P-MAPS (Processor-Measured Application Protection Service), Secure Enclaves (SE), and/or combinations thereof may be used to provide dynamic measurement kernels to support secure application attestation. Other embodiments are also described. | 06-28-2012 |
20120173872 | Secure Access to a Virtual Machine - A method for providing secure access to a virtual machine includes dispensing an image corresponding to a virtual machine from a management appliance to a distributed computing system such that the virtual machine is implemented by at least one of a plurality of interconnected physical computing devices in the distributed computing system; establishing a trusted relationship between the management appliance and the virtual machine; and providing a user with access to the virtual machine from the management appliance without further authentication credentials from the user. | 07-05-2012 |
20120179903 | COMPACT ATTRIBUTE FOR CRYPTOGRAPHICALLY PROTECTED MESSAGES - A system and associated method for verifying a signature of a signed message having a compact attribute. Components of the compact attribute of the signed message appear in a predefined order within the compact attribute, and are identified by an object identifier associated with the compact attribute. A processing flag and a security assertion are among the components of the compact message. The processing flag directs rules to process the security assertion. The security assertion is made by an authority trusted by both a sender and a recipient of the signed message. The recipient validates the signature of the signed message based on the processing flag and the security assertion recovered from the compact attribute. | 07-12-2012 |
20120179904 | Remote Pre-Boot Authentication - A host computer cloud has a processor and supports a virtual machine. An agent under control of a user is in communication with the cloud over a network. A key management server is in communication with the cloud over a network. The cloud stores the virtual machine in the form of a virtual encrypted disk on a non-volatile storage medium. When commanded by the agent, the cloud requests a disk-wrapping key from the key management server and decrypts the encrypted disk using the disk-wrapping key. | 07-12-2012 |
20120179905 | Methods and Systems for Distributing Cryptographic Data to Authenticated Recipients - A method for distributing cryptographic data to authenticated recipients includes receiving, by an access control management system, from a first client device, information associated with an encrypted data object. The method includes receiving, by the access control management system, from a second client device, a request for the information associated with the encrypted data object. The method includes verifying, by the access control management system, that a user of the second client device is identified in the received information associated with the encrypted data object. The method includes authenticating, by the access control management system, with an identity provider, the user of the second client device. The method includes sending, by the access control management system, to the second client device, the received information associated with the encrypted data object. | 07-12-2012 |
20120179906 | METHOD AND DEVICE FOR AUTHENTICATING PERSONAL NETWORK ENTITY - A method of authenticating a Personal Network Entity (PNE) is provided. The method includes transmitting a PNE serial number (SN | 07-12-2012 |
20120185692 | Secure cloud computing system - The present invention provides a method and apparatus for securing electronic systems, including computers, information appliances and communication devices. The invention in question addresses the problem of preventing compromise by severe attacks directed at the protected systems. A severe attack could mean any of the following: low level debugging, use of in-circuit emulators or logic analyzers, removal of silicon dice and inspection including by lapping and micro-photography, and other well-known methods of attack such as distributed denial of service. In order to protect systems and data from such severe attacks, a mechanism is required whose operation is irreparably altered by the attempt to understand its operation through such attacks. Moreover, the mechanism must cease operation instantly upon detection of any intrusion associated with an attack, whether by software or by hardware based means. | 07-19-2012 |
20120191971 | METHOD AND DEVICES FOR SECURE COMMUNICATIONS IN A TELECOMMUNICATIONS NETWORK - A secure communications method is provided for use in a telecommunications network, wherein a transaction between an entity A and an entity B of the network comprises: entity A sending an authorization request to an Authorization Server S, in which request the entity A identifies itself and authenticates itself; the entity A declares to the Authorization Server its intention to communicate with a certain entity B; the Authorization Server determines a secret key that it shares with the entity B; the Authorization Server generates a session key and sends it to the entity A; the session key being a one-way function of the secret key and also being a function of an integer (transaction number) allocated to the transaction; the Authorization Server also generates a transaction identifier that is a function depending at least on the transaction number in non-invertible manner. | 07-26-2012 |
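The exchange in the abstract above, as an added example that is not the patent's code. The abstract fixes only that the session key is a one-way function of the secret S shares with B and of the transaction number, and that the transaction identifier is a non-invertible function of that number; the rest is assumed here: A authenticates to S with an HMAC under a long-term key K_A it shares with S, the session key is HMAC(K_B, tn), the transaction identifier is SHA-256 over a domain tag and tn, and A forwards (tn, tid) to B, which refuses a tn it has already accepted.

```python
import hashlib
import hmac
import secrets

# Added example, not the patent's code. Assumed mechanisms are marked in the
# docstrings; the two derivation functions are the abstract's own requirements.


def session_key(k_b: bytes, tn: int) -> bytes:
    """One-way function of the secret shared with B and the transaction number."""
    return hmac.new(k_b, b"session|" + tn.to_bytes(8, "big"), "sha256").digest()


def transaction_id(tn: int) -> bytes:
    """Non-invertible function of the transaction number."""
    return hashlib.sha256(b"txid|" + tn.to_bytes(8, "big")).digest()


class AuthorizationServer:
    def __init__(self):
        self.keys = {}   # entity name -> long-term key shared with S
        self.tn = 0      # last transaction number allocated (never reused)

    def enroll(self, name: str, key: bytes) -> None:
        self.keys[name] = key

    def authorize(self, a: str, proof: bytes, b: str):
        """A identifies itself (a), authenticates (proof, assumed HMAC under K_A)
        and declares its intended peer (b). Returns (tn, tid, session key)."""
        expected = hmac.new(self.keys[a], f"auth|{a}|{b}".encode(), "sha256").digest()
        if not hmac.compare_digest(expected, proof):
            raise PermissionError("entity failed authentication")
        self.tn += 1
        return self.tn, transaction_id(self.tn), session_key(self.keys[b], self.tn)


class Entity:
    def __init__(self, name: str, key_with_s: bytes):
        self.name = name
        self.key = key_with_s
        self.accepted = set()   # transaction numbers already used with this entity

    def request_session(self, server: AuthorizationServer, peer: str):
        proof = hmac.new(self.key, f"auth|{self.name}|{peer}".encode(), "sha256").digest()
        return server.authorize(self.name, proof, peer)

    def accept_session(self, tn: int, tid: bytes):
        """Peer (B) side: check tid, reject replays, derive the same session key
        from its own secret without talking to S."""
        if tn in self.accepted or not hmac.compare_digest(tid, transaction_id(tn)):
            return None
        self.accepted.add(tn)
        return session_key(self.key, tn)


def demo():
    """Returns (A and B derived the same key, replay of (tn, tid) to B rejected)."""
    server = AuthorizationServer()
    a = Entity("A", secrets.token_bytes(32))   # constructed long-term keys
    b = Entity("B", secrets.token_bytes(32))
    server.enroll("A", a.key)
    server.enroll("B", b.key)
    tn, tid, key_at_a = a.request_session(server, "B")
    key_at_b = b.accept_session(tn, tid)
    replay = b.accept_session(tn, tid)
    return key_at_a == key_at_b, replay is None


if __name__ == "__main__":
    print(demo())
```

The check a practitioner would want is the one in accept_session: because tn is a server-side counter and B remembers which numbers it has consumed, an eavesdropper who captures (tn, tid) gains nothing by presenting them again, and the tid lets B confirm the pair belongs together without being able to recover anything from it.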
20120198228 | SYSTEM AND METHOD FOR DIGITAL USER AUTHENTICATION - A method according to preferred embodiment can include receiving a request at a server from a private key module associated with a first user device; directing a request for a first portion of the private key from the server to a second user device; and in response to a successful user challenge creating a first portion of a digital signature and a second portion of a digital signature at the server. The method of the preferred embodiment can further include combining the first portion of the digital signature and the second portion of the digital signature; and delivering the digital signature to the first user device. The method of the preferred embodiment can function to secure the digital signature process by splitting or dividing the user's private key into two or more portions, each of which require independent authorization from the user in order to create the digital signature. | 08-02-2012 |
20120204026 | PRIVACY-PRESERVING AGGREGATION OF TIME-SERIES DATA - A private stream aggregation (PSA) system contributes a user's data to a data aggregator without compromising the user's privacy. The system can begin by determining a private key for a local user in a set of users, wherein the sum of the private keys associated with the set of users and the data aggregator is equal to zero. The system also selects a set of data values associated with the local user. Then, the system encrypts individual data values in the set based in part on the private key to produce a set of encrypted data values, thereby allowing the data aggregator to decrypt an aggregate value across the set of users without decrypting individual data values associated with the set of users, and without interacting with the set of users while decrypting the aggregate value. The system also sends the set of encrypted data values to the data aggregator. | 08-09-2012 |
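The private stream aggregation scheme described in the abstract above, as an added example that is not the patent's code: user keys and the aggregator key sum to zero, each user blinds a reading with a per-round group element raised to its key, and the aggregator can only remove the blinding from the product of all ciphertexts. The group is a toy (p = 2**127 - 1, g = 3) and H(t) = g^SHA256(t) is a placeholder hash-to-group; a real deployment needs a standard prime-order group and a proper hash-to-group construction.

```python
import hashlib
import secrets

# Added example, not the patent's code. TOY parameters, chosen so the block
# runs instantly; exponents live in Z_(p-1) because g**(p-1) == 1 (mod p).
P = (1 << 127) - 1
G = 3
ORDER = P - 1


def hash_to_group(t: bytes) -> int:
    """Per-round group element H(t); users and aggregator recompute it from t."""
    e = int.from_bytes(hashlib.sha256(b"PSA-round|" + t).digest(), "big") % ORDER
    return pow(G, e, P)


def keygen(n_users: int):
    """Trusted setup: n user keys plus an aggregator key, summing to 0 mod ORDER."""
    user_keys = [secrets.randbelow(ORDER) for _ in range(n_users)]
    aggregator_key = (-sum(user_keys)) % ORDER
    return aggregator_key, user_keys


def encrypt(k_i: int, t: bytes, x_i: int) -> int:
    """User i encrypts reading x_i for round t: c_i = g^x_i * H(t)^k_i (mod p)."""
    return pow(G, x_i, P) * pow(hash_to_group(t), k_i, P) % P


def aggregate_decrypt(k_0: int, t: bytes, ciphertexts, max_sum: int):
    """Aggregator: H(t)^k_0 * prod(c_i) = g^(sum x_i), since the H(t) exponents
    sum to zero. The (small) sum is recovered by exhaustive search. Returns
    None when no sum <= max_sum matches, which is what happens when a
    contribution is missing or forged: the blinding no longer cancels."""
    v = pow(hash_to_group(t), k_0, P)
    for c in ciphertexts:
        v = v * c % P
    acc = 1
    for s in range(max_sum + 1):
        if acc == v:
            return s
        acc = acc * G % P
    return None


# Constructed sample: five smart-meter readings for one time period.
READINGS = [12, 7, 30, 0, 5]
ROUND = b"2012-08-09T00:00Z"


def demo():
    """Aggregator learns only the total of the five readings."""
    k_0, keys = keygen(len(READINGS))
    cts = [encrypt(k, ROUND, x) for k, x in zip(keys, READINGS)]
    return aggregate_decrypt(k_0, ROUND, cts, max_sum=1000)


def demo_missing_user():
    """Dropping one user's ciphertext leaves the aggregator with a blinded value."""
    k_0, keys = keygen(len(READINGS))
    cts = [encrypt(k, ROUND, x) for k, x in zip(keys, READINGS)]
    return aggregate_decrypt(k_0, ROUND, cts[1:], max_sum=1000)


if __name__ == "__main__":
    print(demo(), demo_missing_user())
```

Two properties follow directly from the algebra and are what the abstract claims: the aggregator never interacts with users at decryption time (it only needs t and its own key), and it cannot isolate one user's x_i because a single c_i is blinded by H(t)^k_i with a key it does not hold. Reusing a round label t across two rounds would let the aggregator divide ciphertexts and learn differences, so t must be unique per aggregation.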
20120204027 | AUTHENTICATION METHOD AND APPARATUS IN A COMMUNICATION SYSTEM - An authentication method and apparatus in a communication system are provided. In a method for authenticating a first node at a second authentication server in a communication system comprising the first node registered to a first authentication server and a second node registered to the second authentication server, an authentication request message requesting authentication of the first node is received from the second node, the authentication request message is transmitted to the first authentication server, and upon receipt of an authentication success message indicating successful authentication of the first node from the first authentication server, the authentication success message is transmitted to the second node. | 08-09-2012 |
20120233455 | REDUNDANT KEY SERVER ENCRYPTION ENVIRONMENT - Provided are a computer program product, system and method for a redundant key server encryption environment. A key server receives from at least one remote key server public keys associated with the at least one remote key server. The key server receives a request for an encryption key from a requesting device and generates the encryption key for use by the requesting device to unlock a storage. The key server generates a first wrapped encryption key by encrypting the encryption key with a requesting device public key, a second wrapped encryption key by encrypting the encryption key with a public key associated with the key server, and at least one additional wrapped encryption key by encrypting the encryption key with the at least one public key provided by the at least one remote key server. The key server transmits the generated keys to the requesting device. | 09-13-2012 |
20120233456 | METHOD FOR SECURELY INTERACTING WITH A SECURITY ELEMENT - A method for secured interaction with a security module integrated into an end device, via an input device of the end device. The input device is reserved by a security application that executes in a trustworthy region of the end device. First authentication data are then input via the reserved input device. From the first authentication data and a secret stored in the trustworthy region, the security application derives second authentication data, which it encrypts and transfers to the security module and/or to a server. In the security module and/or the server the received, encrypted second authentication data are finally decrypted. | 09-13-2012 |
20120239926 | OBFUSCATED AUTHENTICATION SYSTEMS, DEVICES, AND METHODS - Embodiments of the present invention are directed toward authentication systems, devices, and methods. Obfuscated executable instructions may encode an authentication procedure and protect an authentication key. The obfuscated executable instructions may require communication with a remote certifying authority for operation. In this manner, security may be controlled by the certifying authority without regard to the security of the electronic device running the obfuscated executable instructions. | 09-20-2012 |
20120246464 | METHOD, SYSTEM AND APPARATUS FOR PROTECTING A BSF ENTITY FROM ATTACK - A method, system and apparatus for protecting a bootstrapping service function (BSF) entity from attack includes: a first temporary identity and a second temporary identity are generated after a BSF entity performs a mutual authentication with a user equipment (UE) by using an initial temporary identity sent from the UE; the BSF entity receives a re-authentication request carrying the first temporary identity from the UE; and the UE sends a service request carrying the second temporary identity to a network application function (NAF) entity. The present disclosure prevents attackers from intercepting the temporary identity at the Ua interface and using the temporary identity to originate a re-authentication request at the Ub interface, thus protecting the BSF entity from attack and avoiding unnecessary load on the BSF entity and saving resources. | 09-27-2012 |
20120260087 | METHOD AND SYSTEM FOR ESTABLISHING REAL-TIME TRUST IN A PUBLIC NETWORK - An authentication method sends an open request to a common directory server for a first key, the first key being a trusted embedded authentication common directory service key wrapped in a public key of a public-private key pair. The open request includes an authentication request value that identifies the open request as a verified setup directory service, the public key, an email address and a specified third additional out-of-band communication channel. The common directory server sends a first reply directly back to the directory server with a first half of the first key offset by a unique value and wrapped using the public key. A second reply is sent to the email address, which includes a second half of the first key offset by the first half of the first key. A third reply is sent to the specified third additional out-of-band channel, which includes the unique value. | 10-11-2012 |
20120260088 | METHOD AND DEVICE FOR SECURELY TRANSMITTING DATA - Cryptographic methods are used at the application level, unlike known methods using point-to-point connections that can only be sufficiently secured at the transport level. Integrity protection and confidentiality protection of data are implemented at the application level for use in network technology. | 10-11-2012 |
20120265982 | METHOD, AUTHENTICATION SERVER, TERMINAL AND SYSTEM FOR IMPLEMENTING KEY MAPPING - The disclosure discloses a method for implementing key mapping applied to a Next Generation Network (NGN), which mainly includes: when a handoff of a terminal from an original network to a destination network is performed, an authentication server receiving a key material mapping request from the terminal, mapping an original key material in the original network to obtain a destination key material in the destination network, and setting up communication security between the terminal and the destination network. In addition, the disclosure further discloses an authentication server, a terminal and a system for implementing key mapping. By applying the solution of the disclosure, when the handoff of the terminal between different NGNs is performed, it is possible to improve the efficiency of session key generation and to reduce the time delay of the handoff of the terminal between the networks, and it is advantageous to reduce authentication signaling interaction and the load of the authentication server. | 10-18-2012 |
20120265983 | METHOD AND APPARATUS FOR PROVIDING MACHINE-TO-MACHINE SERVICE - A method and an apparatus for providing Machine-to-Machine (M2M) service are provided. A method of providing service by an M2M device includes transmitting a request for service to a Network Security Capability (NSEC), the request for service comprising an identifier of a Device Service Capability Layer (DSCL) of the M2M device, performing an Extensible Authentication Protocol (EAP) authentication with an M2M Authentication Server (MAS) via the NSEC, and generating, if the EAP authentication is successful, a service key using a Master Session Key (MSK), a first constant string, and the identifier of the DSCL. | 10-18-2012 |
20120278612 | Authenticating Digitally Encoded Products without Private Key Sharing - A method and a corresponding system for authenticating software products are proposed. A digital certificate and a corresponding private key required to sign each product are stored on a server computer. Whenever a user needs to sign a product, he/she logs on a client computer and transmits a corresponding request to the server computer. The server computer verifies whether the request has been received from an authorized subject; for example, an address of the client computer and an identifier of the user are compared with a predefined list. If the result of the verification is positive, the product is signed and returned to the client computer. For this purpose, a script called on the server computer includes either an instruction passing the access password to a signing tool as a parameter or an instruction causing the signing tool to import the access password from a registry of the server computer. | 11-01-2012 |
20120284507 | PROTECTED AUTHORIZATION - One or more techniques and/or systems are provided for securely authorizing a client to consume data and/or services from a service provider server while mitigating burdensome requests made to a validation server. That is, validation data provided to a client from a validation server may be maintained on the client and at least some of that validation data can be used to subsequently authorize the client when the client attempts to consume data and/or services from the service provider server (e.g., download a song). However, the validation data is maintained on the client and/or provided to the service provider server in a manner that inhibits user tampering. In this manner, numerous requests for validation of the client need not be made from the service provider server to the validation server when a client requests content from the service provider server, while also inhibiting unauthorized consumptions of data by the client. | 11-08-2012 |
20120290832 | SYSTEM FOR CONDUCTING REMOTE BIOMETRIC OPERATIONS - System for conducting remote biometric operations that includes a biometric data reading device connected to a personal computer and configured to encrypt the biometric data it reads and send it to a remote data authentication centre, which establishes a secure communications channel once the user identity has been verified by means of that biometric data. This invention refers to a remote biometric operations system that can be connected to a computer to carry out electronic banking and other similar operations with a certain degree of safety. | 11-15-2012 |
20120297184 | CLOUD COMPUTING METHOD AND SYSTEM - Methods and systems integrating sensitive or private data with cloud computing resources while mitigating security, privacy and confidentiality risks associated with cloud computing. In one embodiment, a computer network system includes a firewall separating a public portion of the computer network from an on-premises portion of the computer network, a database storing private data behind the firewall, and a user device connected with the computer network. The user device accesses an application hosted in the public portion of the computer network. In response, the application generates return information. The user device receives the return information and generates a request for private data based on at least a portion of the returned information. The request is transmitted to the database which generates a response including the requested private data. The response is transmitted in an encrypted form from the database via the computer network to the user device. | 11-22-2012 |
20120297185 | MAINTAINING PRIVACY FOR TRANSACTIONS PERFORMABLE BY A USER DEVICE HAVING A SECURITY MODULE - A method and system for maintaining privacy for transactions performable by a user device having a security module with a privacy certification authority and a verifier are disclosed. The system includes an issuer providing an issuer public key; a user device having a security module for generating a first set of attestation-signature values; a privacy certification authority computer for providing an authority public key and issuing second attestation values; and a verification computer for checking the validity of the first set of attestation signature values with the issuer public key and the validity of a second set of attestation-signature values with the authority public key, the second set of attestation-signature values being derivable by the user device from the second attestation values, where it is verifiable that the two sets of attestation-signature values relate to the user device. | 11-22-2012 |
20120297186 | ROUTE OPTIMIZATION WITH LOCATION PRIVACY SUPPORT - The invention relates to a method for route optimisation of packet switched data transmissions between a first mobile node and a second mobile node in a mobile communication system comprising a plurality of access networks. The method comprises the step of transmitting return routability protocol packets and data packets. The return routability protocol packets and data packets are analysed, and at least part of an address comprised in headers of the return routability protocol packets and data packets is removed. | 11-22-2012 |
20120311320 | Mobile Transaction Methods and Devices With Three-Dimensional Colorgram Tokens - A transaction security process includes authentication and identification parts for pushing an encrypted colorgram for user authentication and persona descriptors for user identification from a transaction server to a first personal trusted device. A decryption of the colorgram is displayed on the first personal trusted device. An image is captured by a second personal trusted device. An encryption of the image captured from the second personal trusted device is uploaded to the transaction server. The persona descriptors are used to build a composite rendering for identification of the first user to the second user. The second user clicks “OK” if they recognize the composite drawing as a reasonable persona of the first user. | 12-06-2012 |
20120311321 | DATA CERTIFICATION METHOD AND SYSTEM - A data certification system and method for signing electronic data with a digital signature in which a central server comprises a signature server and an authentication server. The signature server securely stores the private cryptographic keys of a number of users. The user contacts the central server using a workstation through the secure tunnel which is set up for the purpose. The user supplies a password or other token based on information previously supplied to the user by the authentication server through a separate authentication channel. The authentication server provides the signature server with a derived version of the same information through a permanent secure tunnel between the servers, which is compared with the one supplied by the user. If they match, data received from the user is signed with the user's private key. | 12-06-2012 |
20120331285 | PRIVACY-PROTECTING INTEGRITY ATTESTATION OF A COMPUTING PLATFORM - Systems, apparatus and methods for privacy-protecting integrity attestation of a computing platform. An example method for privacy-protecting integrity attestation of a computing platform (P) having a trusted platform module (TPM) comprises the following steps. First, the computing platform (P) receives configuration values (PCR1 . . . PCRn). Then, by means of the trusted platform module (TPM), a configuration value (PCRp) is determined which depends on the configuration of the computing platform (P). In a further step the configuration value (PCRp) is signed by means of the trusted platform module. Finally, in the event that the configuration value (PCRp) is one of the received configuration values (PCR1 . . . PCRn), the computing platform (P) proves to a verifier (V) that it knows the signature (sign(PCRp)) on one of the received configuration values (PCR1 . . . PCRn). | 12-27-2012 |
20130013916 | Method and Apparatus for Verifiable Generation of Public Keys - The invention provides a method of verifiable generation of public keys. According to the method, a self-signed signature is first generated and then used as input to the generation of a pair of private and public keys. Verification of the signature proves that the keys are generated from a key generation process utilizing the signature. A certification authority can validate and verify a public key generated from a verifiable key generation process. | 01-10-2013 |
20130019092 | System to Embed Enhanced Security / Privacy Functions Into a User Client (Levow, Zachary; Mountain View, CA, US) - A system and method for provisioning enhanced security/privacy functions into a user client to detect, warn, and avoid man in the middle attacks and to improve privacy and security of data transmitted across the Internet without certificate authorities. | 01-17-2013 |
20130024686 | SYSTEMS AND METHODS FOR SECURE COMMUNICATION USING A COMMUNICATION ENCRYPTION BIOS BASED UPON A MESSAGE SPECIFIC IDENTIFIER - An apparatus and methods of securely communicating a message between a first device and a second device using a message specific identifier is disclosed. The method begins by receiving an encryption key request from a sending device, where the encryption key request is based upon the message specific identifier, which is associated with a plurality of attributes associated with the message and the sending device. In more detail, the message specific identifier may be an information-based indicator that is unique with respect to the message and the sending device. The method parses the encryption key request and the message specific identifier to provide an intermediate argument used to enter a current random character set that is periodically generated and stored into memory. The intermediate argument helps identify which type of encryption method is desired for use in encryption key generation. An encryption key is constructed using the intermediate argument as an entry point to the current random character set. A data structure is stored associated with the message specific identifier, a random character set identifier for the current random character set, and an identifier of the encryption method used before the key is transmitted back to the device. | 01-24-2013 |
20130031359 | METHOD AND SYSTEM FOR MODULAR AUTHENTICATION AND SESSION MANAGEMENT - Modular authentication and session management involves the use of discrete modules to perform specific tasks in a networked computing environment. There may be a separate authentication server that verifies the identity of the user and an authorization client that grants various levels of access to users. There may also be an authentication client that receives an initial request from a requesting application and forwards the request to the authentication server to verify the identity of the user. The authorization client may then be invoked to provide the necessary level of access. The use of discrete modules allows multiple business applications to use the same modules to perform user authentication tasks, thus alleviating the unnecessary multiplication of code. | 01-31-2013 |
20130036301 | Distributed Cryptographic Management for Computer Systems - A distributed cryptographic management system can include: a central key management service accessible through the network and having a database associated therewith; an approval module programmed to receive approval for any client machines connectable to the network and applications associated with the client machines, the database storing records for the client machines, and a key management domain being defined by all approved client machines and applications; and an agent module programmed to provide key management agents, wherein the key management agents are transferable and installable on any of the approved client machines and applications within the key management domain. | 02-07-2013 |
20130046971 | AUTHENTICATION METHOD, SYSTEM AND DEVICE - An authentication method, system and device are provided by the embodiments of the present invention. Said method includes the following steps: an Application Server (AS) receives an AS access request, which carries a user identifier, transmitted by a User Equipment (UE); the AS generates a key generation request based on the user identifier and transmits it to a network side; the AS receives the key transmitted by the network side, and authenticates the UE according to the key. In the present invention, generating the key between a terminal without a card and the AS is implemented, and the AS authenticates the UE using the generated key, and the security of the data transmission is improved. | 02-21-2013 |
20130054960 | SYSTEMS AND METHODS FOR APPLICATION IDENTIFICATION - Systems and methods for application identification in accordance with embodiments of the invention are disclosed. In one embodiment, a user device includes a processor and memory configured to store an application, a session manager, an application identifier, and at least one shared library, and the processor is configured by the session manager to communicate the application identifier and the application identifier data to an authentication server and permit the execution of the application in response to authentication of the application by the authentication server. | 02-28-2013 |
20130054961 | AUTHENTICATOR, AUTHENTICATEE AND AUTHENTICATION METHOD - According to one embodiment, an authenticator which authenticates an authenticatee, which stores first key information (NKey) that is hidden, includes a memory configured to store second key information (HKey) which is hidden, a random number generation module configured to generate random number information, and a data generation module configured to generate a session key (SKey) by using the second key information (HKey) and the random number information. The authenticator is configured such that the second key information (HKey) is generated from the first key information (NKey) but the first key information (NKey) is not generated from the second key information (HKey). | 02-28-2013 |
20130061040 | SYSTEMS AND METHODS FOR PROTECTING ALTERNATIVE STREAMS IN ADAPTIVE BITRATE STREAMING SYSTEMS - Systems and methods for performing adaptive bitrate streaming using alternative streams of protected content in accordance with embodiments of the invention are described. One embodiment includes a processor, and non-volatile storage containing an encoding application. In addition, the encoding application configures the processor to: receive source content; obtain common cryptographic information; encode the source content as a plurality of streams including a plurality of alternative streams of content; and protect the plurality of alternative streams of content using the common cryptographic information. | 03-07-2013 |
20130067216 | IN-MARKET PERSONALIZATION OF PAYMENT DEVICES - Systems and methods for remotely personalizing payment devices for consumers are described. In an embodiment, a system includes a MOTAPS server computer that provides data preparation functions and a trusted service provider (TSP) personalization server computer. The system also includes a service provider computer operably coupled to the TSP personalization server computer, and a remote personalization device (RPD) operably coupled to the service provider computer. The RPD transmits personalization requests, receives personalization data, and personalizes a payment device before providing the personalized payment device to a consumer. | 03-14-2013 |
20130067217 | SYSTEM AND METHOD FOR PROTECTING ACCESS TO AUTHENTICATION SYSTEMS - A system and method for protecting access to authentication systems. A mediator may accept original authentication credentials from a client, may process the authentication credentials to provide processed authentication credentials and may forward the processed authentication credentials to an authentication system. Processing original authentication credentials may include encrypting at least one portion of original authentication credentials. | 03-14-2013 |
20130073843 | Network Security Content Checking - Methods, apparatus, and programs for a computer for network security content checking: in particular ones which simplify the critical element of a content checker so it can be trusted and implemented in logic. | 03-21-2013 |
20130080768 | SYSTEMS AND METHODS FOR SECURE COMMUNICATIONS USING AN OPEN PEER PROTOCOL - A cryptographic system and method for providing secure peer to peer communications over a network. The invention includes systems and methods for generating unique keys in a key-space, using a third party authentication system to provide identities for owners of those keys, proving the ownership of the keys, using a distributed database for establishing any kind of secure communication between two or more parties, and using the ownership of the keys in the key-space to establish secure communications. | 03-28-2013 |
20130080769 | SYSTEMS AND METHODS FOR SECURING NETWORK COMMUNICATIONS - Secure communications may be established amongst network entities for performing authentication and/or verification of the network entities. For example, a user equipment (UE) may establish a secure channel with an identity provider, capable of issuing user identities for authentication of the user/UE. The UE may also establish a secure channel with a service provider, capable of providing services to the UE via a network. The identity provider may even establish a secure channel with the service provider for performing secure communications. The establishment of each of these secure channels may enable each network entity to authenticate to the other network entities. The secure channels may also enable the UE to verify that the service provider with which it has established the secure channel is an intended service provider for accessing services. | 03-28-2013 |
20130086376 | SECURE INTEGRATED CYBERSPACE SECURITY AND SITUATIONAL AWARENESS SYSTEM - An integrated cyber security system for an organization, such as a governmental or private organization, is disclosed. The security system is installable across an organization and configured to monitor and protect against cyberspace or electronic data vulnerabilities. The security system includes a situational awareness application configurable to receive one or more definitions describing known electronic data access points associated with the organization. The system also includes a communication security system providing cryptographic communications among each of a plurality of users affiliated with the organization and configured to establish a plurality of communities of interest. The system also includes a reporting module configured to generate a plurality of reports based on information gathered across the organization from the situational awareness application and communicate one or more of the plurality of reports to one or more of the communities of interest. | 04-04-2013 |
20130097419 | METHOD AND SYSTEM FOR ACCESSING E-BOOK DATA - Provided is a method for accessing e-book data, including: step A: e-book hardware establishes a connection with an electronic device and negotiates a reading key; step B: the electronic device downloads e-book data via a client, specifically: firstly, the electronic device establishes a connection with the client; the client sends a connection establishment request to a server; the server verifies the identification of the electronic device via the client; if the verification is not passed, then the access is refused; if the verification is passed, then the server uses a download key to encrypt the e-book data and sends the encrypted e-book data to the electronic device via the client; and step C: the e-book hardware establishes a connection with the electronic device, processes the encrypted e-book data using the download key and/or the reading key, and the e-book hardware displays the e-book data. The method provided in the present embodiment not only enables the download and reading of the e-book to be more rapid but also protects the copyright of the e-book. | 04-18-2013 |
20130117557 | CLOUD COMPUTING SYSTEM AND CLOUD SERVER MANAGING METHOD THEREOF - A cloud computing system is disclosed. The cloud computing system includes a management server that manages a plurality of servers and distributes service resources. Each of the servers corresponds to one of a secure server type and a general server type, and the secure server type of server decrypts an encrypted code provided from a client. | 05-09-2013 |
20130124854 | AUTHENTICATOR - According to one embodiment, a method for authenticating a device, wherein the device holds secret identification information, encrypted secret identification information, and key management information, and an authenticator holds an identification key, the method includes reading, by the authenticator, the encrypted secret identification information and the key management information from the device, and obtaining, by the authenticator, a family key by using the key management information, the family key being capable of being decrypted with the identification key. The method further includes obtaining, by the authenticator, the secret identification information by decrypting the encrypted secret identification information with the family key. | 05-16-2013 |
20130124855 | USING QR CODES FOR AUTHENTICATING USERS TO ATMS AND OTHER SECURE MACHINES FOR CARDLESS TRANSACTIONS - Systems, apparatus, methods, and computer program products for using quick response (QR) codes for authenticating users to ATMs and other secure machines for cardless transactions are disclosed. Embodiments of the present disclosure read an image displayed on a display of an external device using a mobile device associated with a user authorized to access a secure resource, decode transaction information encoded in the image, transmit the transaction information and an identifier of the mobile device from the mobile device to an authentication system, and grant access to the secure resource if the transaction information and the identifier satisfy an authentication test performed at the authentication system. | 05-16-2013 |
20130132716 | DATA COMMUNICATION APPARATUS, CONTROL METHOD THEREFOR, AND STORAGE MEDIUM STORING CONTROL PROGRAM THEREFOR - A data communication apparatus that is capable of improving operability when inputting authentication information. An authentication unit accepts authentication information inputted when a user logs in to the data communication apparatus and authenticates the user based on the accepted authentication information. A designation unit designates a file transmission destination that is inputted by the authenticated user. A transmission unit transmits a file to the transmission destination inputted. A registration unit registers the transmission destination of the file. A control unit prohibits registration of the authentication information at the time of registration of the transmission destination of the file when the accepted authentication information is used for file transmission, and permits registration of the authentication information at the time of registration of the transmission destination of the file when the inputted authentication information is not used for file transmission. | 05-23-2013 |
20130145148 | PASSCODE RESTORATION - A system and method that includes providing a passcode to a user based on presentation of both a recovery key and an active token is described herein. | 06-06-2013 |
20130145149 | AUTHENTICATION DEVICE, AUTHENTICATION METHOD AND COMPUTER READABLE MEDIUM - There is provided an authentication device in which a network access authenticating unit executes a first network access authentication process with a communication device; master key generator generates a first master key shared with the communication device in accordance with a result of the first network access authentication process; an application-oriented encryption key generator generates a first encryption key for an application, which is shared with the communication device, on the basis of the first master key; a master key identifier determiner determines an identifier of the first master key; and an application-oriented encryption key identifier determiner determines an identifier of the first encryption key for the application in accordance with the identifier of the first master key. | 06-06-2013 |
20130145150 | CODE SIGNING SYSTEM AND METHOD - A novel code signing system, computer readable media, and method are provided. The code signing method includes receiving a code signing request from a requestor in order to gain access to one or more specific application programming interfaces (APIs). A digital signature is provided to the requestor. The digital signature indicates authorization by a code signing authority for code of the requestor to access the one or more specific APIs. In one example, the digital signature is provided by the code signing authority or a delegate thereof. In another example, the code signing request may include one or more of the following: code, an application, a hash of an application, an abridged version of the application, a transformed version of an application, a command, a command argument, and a library. | 06-06-2013 |
20130159699 | Password Recovery Service - According to aspects of the present invention there are provided methods and apparatus for enabling a user to secure and back-up an encryption key for use by a client device in encrypting and decrypting data, enabling the user to change a user secret previously used to secure the encryption key, and enabling a server to update the user secret with a new user secret for securing a previous user encrypted key. The new user encrypted key can be used by the client device for encrypting and decrypting data, including data encrypted and decrypted using the previous user encrypted key. The methods for enabling a user to secure and back-up the encryption key and enabling a user to change the user secret may be performed on the client device or a trusted third party or service provider device. The method for updating the user secret with a new user secret may be performed on a service operator server or system. | 06-20-2013 |
20130159700 | COMPUTER SYSTEM AND VOLUME MIGRATION CONTROL METHOD USING THE SAME - A computer system regarding which there is no possibility that data loss or data leakage will occur caused by volume migration is provided. | 06-20-2013 |
20130159701 | SECURING DIGITAL CONTENT SYSTEM AND METHOD - A system and method of encrypting digital content in a digital container and securely locking the encrypted content to a particular user and/or computer or other computing device is provided. The system uses a token-based authentication and authorization procedure and involves the use of an authentication/authorization server. This system provides a high level of encryption security equivalent to that provided by public key/asymmetric cryptography without the complexity and expense of the associated PKI infrastructure. The system enjoys the simplicity and ease of use of single key/symmetric cryptography without the risk inherent in passing unsecured hidden keys. The secured digital container when locked to a user or user's device may not open or permit access to the contents if the digital container is transferred to another user's device. The digital container provides a secure technique of distributing electronic content such as videos, text, data, photos, financial data, sales solicitations, or the like. | 06-20-2013 |
20130166906 | Methods and Apparatus for Integrating Digital Rights Management (DRM) Systems with Native HTTP Live Streaming - Methods and apparatus for integrating digital rights management (DRM) systems with native HTTP live streaming. Several methods for integrating a DRM system with HTTP live streaming on an operating system (OS) platform are described. In each of these methods, a manifest is delivered to an application on a device; the application then accesses a remote DRM server to obtain a license and one or more keys for the content. The DRM server enforces the rights of the client in regard to the indicated content. The application may modify the manifest to indicate a method for obtaining the key. The application delivers the manifest to the OS, which uses the indicated method (e.g., a URL) to obtain the key. While similar, the methods primarily differ in the manner in which the OS is directed to obtain the key. | 06-27-2013 |
20130173911 | TASTE-BASED AUTHENTICATION TO SECURELY SHARE DATA - Examples are disclosed for transforming a multi-dimensional attribute value for a taste related to an area of interest for a user of a computing device and encrypting or decrypting a ciphertext using the transformed multi-dimensional attribute value in order to securely share data with another computing device. | 07-04-2013 |
20130179681 | System And Method For Device Registration And Authentication - Systems and methods for device registration and authentication are disclosed. In one embodiment, a method for authentication of a device may include (1) receiving, at a mobile device, a first credential; (2) transmitting, over a network, the first credential to a server; (3) receiving, from the server, a first key and a first value, the first value comprising a receipt for the first credential; (4) receiving, at the mobile device, a data entry for a second credential; (5) generating, by a processor, a second key from the data entry; (6) retrieving, by the mobile device, a third credential using the first key and the second key; (7) signing, by the mobile device, the first value with the third credential; and (8) transmitting, over the network, the signed first value to the server. | 07-11-2013 |
20130185551 | REVOCATION LIST UPDATE FOR DEVICES - In one embodiment, a method includes receiving a revocation request for revoking a model type of a device. A first computing device determines a list of device unit identifiers (UIDs) that are associated with the model type from a database. The device UIDs are for devices of the model type manufactured by a first entity. The method adds the list of device UIDs to a device revocation list and outputs the device revocation list to revoke a validity of secure information associated with devices associated with the list of device UIDs. | 07-18-2013 |
20130191632 | SYSTEM AND METHOD FOR SECURING PRIVATE KEYS ISSUED FROM DISTRIBUTED PRIVATE KEY GENERATOR (D-PKG) NODES - A system and method where the “dealer” of a split Master Secret becomes the Master Key Server, whose role is to initially compute the Master Secret, create and distribute shares of the Master Secret to two Distributed Private Key Generators (D-PKG), initialize and route the inter-process communication between the nodes, co-ordinate and computationally participate in the User System's IBE Private Key generation process. | 07-25-2013 |
20130198510 | USE OF APPLICATION IDENTIFIER AND ENCRYPTED PASSWORD FOR APPLICATION SERVICE ACCESS - To support authentication of a mobile device, an application server obtains an application identifier and password and creates an encrypted value by encrypting a combination of the password and a time-based value. The application server transmits the application identifier and encrypted value over a communication network to the mobile device as a credential, and the mobile device sends the credential over the network to a secure server providing an application assistance service. The secure server independently computes an encrypted value by encrypting the combination of the password and the time-based value. If the encrypted value from the received credential matches the encrypted value computed by the secure server, that server grants access to the assistance service for the mobile device. | 08-01-2013 |
20130205133 | STRONGLY AUTHENTICATED, THIRD-PARTY, OUT-OF-BAND TRANSACTIONAL AUTHORIZATION SYSTEM - A system and method to perform an out-of-band authenticated authorization of an activity. A requesting system initiates an authorization request for an activity which is signed using a key pair managed by a transaction server. The authorization request is asymmetrically encrypted for the intended authorizing system and is communicated to the server and stored. The authorizing system receives notification of the request and communicates with the transaction server to retrieve the request, decrypt it and verify the signature. The authorizing system interprets the request and generates an authorization response which is signed and encrypted such that only the requesting system can decrypt it. The response is communicated back to the transaction server which notifies the requesting system. The requesting system communicates with the server to retrieve the response, decrypt it, verify the signature and interpret the response to take action on the activity that initiated the request. | 08-08-2013 |
20130212377 | Method and System for a Certificate-less Authenticated Encryption Scheme Using Identity-based Encryption - A method of verifying public parameters from a trusted center in an identity-based encryption system prior to encrypting a plaintext message by a sender having a sender identity string may include: identifying the trusted center by a TC identity string, the trusted center having an identity-based public encryption key of the trusted center based on the TC identity string; determining if the sender has a sender private key and the public parameters for the trusted center including the public encryption key of the trusted center and a bilinear map; and verifying the public parameters using the TC identity string prior to encrypting the plaintext message into a ciphertext by comparing values of the bilinear map calculated with variables from the trusted center. The ciphertext may include a component to authenticate the sender once the ciphertext is received and decrypted by the recipient using the private key of the recipient. | 08-15-2013 |
20130212378 | METHOD FOR MANAGING KEYS IN A MANIPULATION-PROOF MANNER - A method manages keys in a manipulation-proof manner for a virtual private network. The method includes authenticating a communication terminal on an authentication server by use of a first key over a public network and providing a communication key, which is suitable for the communication over a virtual private network in the public network, for the authenticated communication terminal over the public network. The communication key in the communication terminal is encrypted by a second key, which is provided by a manipulation-protected monitoring device. | 08-15-2013 |
20130232335 | NETWORK OPTIMIZATION FOR SECURE CONNECTION ESTABLISHMENT OR SECURE MESSAGING - A first device is configured to receive an instruction to establish a secure connection with a second device or to send a secure message to the second device. The instruction may include a secure connection invitation or a message. The first device may send information, associated with the second device, to a first server; receive a response from the first server; obtain parameters based on the response indicating that the second device is subscribed to the first server; communicate the parameters to the first server; receive a parameters identifier associated with the parameters; store the parameters identifier in the secure connection invitation or the message; and send the secure connection invitation or the message to the second device. The second device may receive the parameters identifier to obtain the parameters to establish the secure connection or to decrypt the secure message. | 09-05-2013 |
20130238893 | DIGITAL LOCKER FOR ESTATE PLANNING SYSTEM AND METHOD - A secure system and method is presented for an individual to gather, organize, store, and share personal and asset information. The system is offered through a software-as-a-service platform to professional service providers who provide the platform as a service for their clients as a complement to their traditional service offerings. The client uses the system as a tool to provide information to his or her professional service provider. In addition, the client uses the system to gather, organize, store, and share personal information with others. This information can be shared at the time of the client's choosing, or at the client's death. The service provider assists the recipients in accessing the information by providing the verification point of a triggering event. | 09-12-2013 |
20130238894 | Managing Credentials - In a centralized credential management system, website credentials are stored in a vault storage at a vault. The website credentials are encrypted based upon a key not available to the vault and are for authenticating a user to a third party website. Through a client, a user authenticates to the vault and retrieves the encrypted website credentials and parameters and code for properly injecting the credentials into a website authentication form. The website credentials are decrypted at the client and injected into the authentication form using the parameters and code. | 09-12-2013 |
20130254533 | Automated Computer Biometric Identity Assurance - In a method of biometric identity assurance, biometric data based on a biometric modality is stored in a memory of a first computer. The biometric data is converted into a biometric template which is transferred from the first computer memory to a memory of a second computer. The second computer determines an encryption key based on a combination of the biometric template with a biometric-hash file of the user. Multiple credential files previously distributed among multiple remote computers are assembled into a single user credential file at the second computer. The first computer receives the encryption key and the user credential file from the second computer and accesses user credentials stored in the user credential file based on decryption of the user credential file using the encryption key. Via the thus accessed user credentials, the first computer uses or accesses one or more digital resources of the user. | 09-26-2013 |
20130262856 | METHOD AND SYSTEM FOR STATE MACHINE SECURITY DEVICE - A security device may be utilized to provide security measures to an electronic device that may incorporate the security device or be coupled to it. The security measures may comprise authentication (e.g., authentication of devices, users, or activities), and/or encryption measures (e.g., encrypting or decrypting exchanged data). A transaction or access via the security device may be authenticated by communicating an authentication request by the security device to an authentication server, which may generate, in response, a sequence of information requests that are sent to the security device. The security device may then generate, in response, a sequence of responses that are sent to the authentication server, with the sequence of responses comprising a sequence of reported values each of which is unique. The authentication server may then authenticate the security device based on comparing the sequence of reported values with a sequence of expected values that identifies the security device. | 10-03-2013 |
20130262857 | SECURE AUTHENTICATION IN A MULTI-PARTY SYSTEM - A network user is authenticated to another network entity by using a first program to receive user input validation information, and store a user credential. A second program receives information, such as a random number, from the other entity. The first program receives an input transferring the information to it, transmits the information to the authentication server, and receives an identifier of the other entity, other information, and authentication policy requirements from the authentication server. It then transmits the input validation information corresponding to the received authentication policy requirements to the authentication server, and in response receives a request for a user credential. It signs a message, including the transferred information and the received other information, with the stored user credential, and transmits the signed message to the authentication server to authenticate the user. | 10-03-2013 |
20130262858 | SECURE AUTHENTICATION IN A MULTI-PARTY SYSTEM - A user device transmits a login request. A provider server receives a random number from, and transmits other information to, an authentication server. The provider server transmits the random number to the device. The random number is transferred to a second user device, which transmits it to the authentication server. The authentication server transmits provider authentication policy requirements and further transmits the other information to the second device. The second device transmits user validation information to the authentication server. The authentication server determines that the transmitted validation information corresponds to the service provider authentication policy requirements, and compares the validation information with stored validation information for the user to authenticate the user. The second device transmits a message, including the random number and the other information, signed with a user credential to the authentication server. The authentication server transmits notice of authentication and the signed message to the provider server. | 10-03-2013 |
20130262859 | SYSTEM AND METHOD FOR AUTHENTICATION OF A COMMUNICATION DEVICE - A system and method for authentication of a communication device is disclosed. A system that incorporates teachings of the present disclosure may include, for example, a communication device having a controller element to compute a shared secret key based at least in part on a communication device private key and a cryptography algorithm, where the communication device private key is stored in an identity module of the communication device and is unknown to an authentication center, and wherein the communication device is authenticated by the authentication center based at least in part on the shared secret key. Additional embodiments are disclosed. | 10-03-2013 |
20130268751 | METHOD, SYSTEM AND APPARATUS FOR MANAGING PERSONA-BASED NOTIFICATIONS AT A COMMUNICATION DEVICE - A method, system and apparatus for managing persona-based notifications at a communication device are provided. A port is dynamically assigned to an application on the basis of a persona at a communication device, the application enabled to receive notifications from a given provider. The port is registered with a server to receive the notification. The port is opened to receive notifications associated with the persona for the application from the server. | 10-10-2013 |
20130268752 | Hack-Deterring System for Storing Sensitive Data Records - A mobile communication system comprising a multiplicity of mobile devices, and a server communicating with the mobile devices via a communication network, and a central database which is in data communication with the server and which is operative for storing sensitive data encrypted using at least one key, at least a portion of which is provided, only on certain occasions, by an individual one of the mobile devices and is not retained between the occasions by the central database. | 10-10-2013 |
20130268753 | ANTI-TAMPER DEVICE, SYSTEM, METHOD, AND COMPUTER-READABLE MEDIUM - An anti-tamper hardware security device that communicates with a host machine, including a host interface coupled to the host machine and configured to receive an access request from the host machine, the access request being associated with an application; a key manager configured to manage cryptographic keys; a whitelist manager configured to manage application validation information; and a controller configured to receive the access request from the host interface, validate the application using the application validation information, retrieve a cryptographic key associated with the application, and transmit a response to the host machine through the host interface if the controller determines that the application is valid. | 10-10-2013 |
20130275747 | ENTERPRISE ENVIRONMENT DISK ENCRYPTION - A method for deploying a disk encryption password to a client computer includes installing a disk encryption agent on a client computer, where the agent communicates with an enterprise encryption service that encrypts a disk password using a public key generated at the client computer. The encrypted disk password is transmitted to the client computer where it is set as the current disk password. A system to deploy a disk encryption password includes one or more client computers and at least one server having a control processor configured to support operation of an enterprise encryption service. The encryption service is configured to install a disk encryption agent on a client computer and generate an encrypted disk password using a public key generated by the client computer. An enterprise encryption database in communication with the enterprise encryption service stores the disk password. | 10-17-2013 |
20130275748 | SECURE PASSWORD-BASED AUTHENTICATION FOR CLOUD COMPUTING SERVICES - Secure password-based authentication for cloud service computing. A request for cloud computing resource access includes a derivative password that contains a parameter that the recipient may extract in order to independently calculate the derivative password based on the parameter and a stored password which may then be verified against a known-to-be-correct password. Other systems and methods are disclosed. | 10-17-2013 |
20130283040 | METHOD, SYSTEM AND DEVICE FOR BINDING AND OPERATING A SECURE DIGITAL MEMORY CARD - A method, system and device for binding and operating a Secure Digital memory card (SD card) include: after an identification number of a SIM card is sent to the SD card, the SD card does not immediately establish the binding relationship with the SIM card; instead, the SD card establishes the corresponding relationship with the SIM card according to an authentication-passed message returned from an SD server, when the SD server determines that the identification number of the SIM card installed in the mobile terminal, which sends an authentication request, is the same as that of the SIM card in the authentication request; and then, while the services in the SD card are operating, the SD card side and the SD server side determine whether to allow the SD card to respond to the services according to the binding relationship between the SD card and the SIM card, so that the security of the application of the service data in the SD card is improved. | 10-24-2013 |
20130290702 | METHOD, DEVICE, AND SYSTEM FOR ACQUIRING ENCRYPTED INFORMATION BASED ON WIRELESS ACCESS - A method, device, and system for acquiring encrypted information based on wireless access are disclosed in embodiments of the present invention, which are applied to the field of communications technologies. In the embodiments of the present invention, encrypted information is preset in an AP. When receiving a first access request sent by a terminal device and used for requesting access to a network, the AP verifies the terminal device. If the verification is successful, the AP schedules the preset encrypted information and sends the preset encrypted information to the terminal device. In this way, the AP sends the encrypted information to the terminal device only after the terminal device initiating the access request is successfully verified. | 10-31-2013 |
20130290703 | ENCRYPTING DATA FOR STORAGE IN A DISPERSED STORAGE NETWORK - A method begins by a dispersed storage (DS) processing module dividing data into a plurality of data segments, encoding a data segment using a dispersed storage error encoding function to produce a set of encoded data slices, and generating slice names for each encoded data slice to produce a plurality of slice names. When a subset of encoded data slices of the set of encoded data slices is to be encrypted, the method continues with the DS processing module generating a master key, selecting a portion of the slice names for the subset of encoded data slices to produce a subset of selected slice name portions, generating a subset of encryption keys, encrypting the subset of encoded data slices using the subset of encryption keys to produce a subset of encrypted encoded data slices, and outputting the subset of encrypted encoded data slices to a dispersed storage network (DSN). | 10-31-2013 |
20130297930 | AUTHENTICATION DEVICE, AUTHENTICATION METHOD, PROGRAM, AND SIGNATURE GENERATION DEVICE - Provided is an authentication device including a key setting unit for setting s∈K | 11-07-2013 |
20130297931 | SYSTEMS AND METHODS FOR AUTHENTICATING AN ELECTRONIC MESSAGE - Systems and methods are disclosed for authenticating electronic messages. A data structure is generated by a computer server which allows for the authentication of the contents and computer server identity of a received electronic message and provides a trusted stamp to authenticate when the message was sent. Data which can authenticate the message, the computer server identity, and the time the message was sent is included into a data structure which is called an Electronic PostMark (EPM). | 11-07-2013 |
20130297932 | System and Method For Providing Load Balanced Secure Media Content And Data Delivery in a Distributed Computing Environment - A system and method for providing load balanced secure media content and data delivery ( | 11-07-2013 |
20130305040 | SECURE MESSAGING BY KEY GENERATION INFORMATION TRANSFER - A system is configured to receive a first authentication request from a first device, authenticate the first device, establish a secure connection with the first device based on authenticating the first device, and receive, via the secure connection with the first device, a set of parameters from the first device. The first device is capable of generating an encryption key for a secure message, intended for a second device, based on the set of parameters. The system is also configured to receive a second authentication request from a second device, authenticate the second device and establish a secure connection with the second device based on receiving the second authentication request, and send, via the secure connection with the second device, the set of parameters to the second device. The second user device is capable of generating a decryption key for the secure message based on the set of parameters. | 11-14-2013 |
20130311768 | SECURE AUTHENTICATION OF A USER USING A MOBILE DEVICE - A computer-readable medium embodies a computer program for authenticating a user. The computer program comprises computer-readable program code for: generating a first message including an identifier for a session, sending the first message through an interface associated with the session, receiving a response message including the identifier for the session, a user identifier, and at least a portion encrypted using a private key associated with a mobile device associated with the user, and authenticating the user in response to identifying that the response message includes at least the portion encrypted using the private key associated with the mobile device. | 11-21-2013 |
20130311769 | PUBLIC KEY ENCRYPTION OF ACCESS CREDENTIALS AND CONTENT DATA CONTAINED IN A MESSAGE - A method of sending data securely from a client computing device to a server computing device, the client computing device being arranged to store a public encryption key associated with the server computing device and being associated with a user, the user being a registered user on the server computing device, the method comprising: generating a message at the client computing device, the message comprising log-in data relating to the registered user for logging into the server computing device and content data; encrypting the message using the public encryption key; outputting the encrypted message for transmission to the server computing device. | 11-21-2013 |
20130311770 | TRACING DEVICE AND METHOD - A tracing method performed by a traceability device for validating a process having a plurality of steps. During at least one step of the process, there is a step of receiving a marking message sent by a marking device; a step of determining a new fingerprint as a function of the marking message and of a preceding fingerprint, by using a hash function; and a step of sending a validation message including the most recently determined new fingerprint to a validation device. During at least one step of the process, there is a step of determining an object signature as a function of the marking message by using an asymmetric signature function and a private key of the traceability device associated with a public key of the traceability device, and a step of determining a new fingerprint as a function of the object signature. | 11-21-2013 |
20130326213 | METHOD AND SYSTEM FOR AUTOMATIC GENERATION OF CONTEXT-AWARE COVER MESSAGE - One embodiment provides a system that facilitates secure communication between a sending device and a receiving device. During operation, the system first transmits an encrypted message to a secure message server, wherein the encrypted message is addressed to the receiving device. The system then generates a cover message which indicates that the encrypted message is available for the receiving device. The system then transmits a digest of the cover message to a cover message server and makes the cover message available for the receiving device, thereby allowing the receiving device to confirm with the cover message server whether the cover message indicates availability of the encrypted message for the receiving device, and allowing the receiving device to obtain the encrypted message from the secure message server. | 12-05-2013 |
20130332725 | INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING SYSTEM, INFORMATION PROCESSING METHOD, AND PROGRAM - An information processing apparatus includes a communication unit and a control unit. The control unit is configured to be capable of controlling the communication unit to receive, from a different information processing apparatus, storage location information representing a storage location of key information necessary for encrypted wireless communication with the different information processing apparatus, to access the storage location represented by the storage location information to receive the key information, and to establish a connection with the different information processing apparatus by using the received key information. | 12-12-2013 |
20130346740 | SECURE USER PRESENCE DETECTION AND AUTHENTICATION - This disclosure relates generally to a system and method for authenticating an electronic device. The system may comprise a server configured to transmit an encrypted object, the encrypted object having an image file format, to the electronic device, the encrypted object being encrypted based on a certificate, the electronic device operatively coupled to the server and comprising a processor registered with the server to create a secured communication link between the processor and the server, wherein the certificate corresponds to the processor, the processor having a cryptographic engine configured to decrypt the encrypted object to result in a decrypted graphic, and a user interface operatively coupled to the processor. The user interface may be configured to display the decrypted graphic and receive a user input responsive to the decrypted graphic. The server may authenticate the electronic device based, at least in part, on the user input. | 12-26-2013 |
20130346741 | METHOD FOR AUTHENTICATING LOW PERFORMANCE DEVICE - The present invention relates to a method for authenticating a low performance device, and more particularly, to a device authenticating method, in which a low performance device such as a smart meter of a smart grid is authenticated in a matrix operation instead of an exponential operation through a homomorphic hash function (HHF) of a non-square matrix M, so that the amount of operations required for authenticating the device can be reduced and the device can be safely authenticated even without a separate certificate authority. | 12-26-2013 |
20130346742 | Method and System for Device Authentication - An information processing device, which is used by a user and includes a storage device, encodes target information required for a device authentication by a server by using device-specific information or information based on the device-specific information as an encryption key, and stores the encoded target information. The information processing device uses a decryption key that corresponds to the encryption key used in the generation of the stored encoded target information to decode the encoded target information, and sends the decoded target information to the server. The server receives the target information from the information processing device, and determines whether or not the received target information is correct. | 12-26-2013 |
20140006775 | MESSAGE ORIGINATOR TOKEN VERIFICATION | 01-02-2014 |
20140019752 | ENCRYPTION-BASED SESSION ESTABLISHMENT - A first server is configured to receive a first token from a user device, determine whether the first token is valid, request the user device to provide a set of credentials to a second server, based on determining that the first token is invalid, and receive a first response from the user device. The first response may include information identifying whether the user device is authenticated to communicate with the first server. The first server is further configured to send the first response to a third server. The third server may generate a second response to indicate authentication of the user device to communicate with the first server. The first server is further configured to receive the second response from the third server, generate a second token, based on receiving the second response, and send the second token to the user device. | 01-16-2014 |
20140019753 | CLOUD KEY MANAGEMENT - A system for managing encryption keys within a domain includes: a client computer coupled to a cloud key management server over a network, the client computer being configured to supply a request for an encryption key, the request including an object identifier associated with the encryption key; and a cloud key management service comprising the cloud key management server, the cloud key management service being configured to: store a plurality of encryption keys in association with a plurality of object identifiers; receive the request from the client computer; identify an encryption key of the stored encryption keys associated with the object identifier of the request; and send the identified encryption key to the client computer in response to the request. | 01-16-2014 |
20140047233 | SYSTEM AND METHODS FOR AUTOMATED TRANSACTION KEY GENERATION AND AUTHENTICATION - An independent, centralized token service that generates and authenticates transactions keys. The keys may be exchanged amongst registered users for use in a versatile variety of transactions and/or as a means of identification, authentication, and/or authorization. The service enables customization and recipient designation of the keys, as well as multi-party, multi-directional, multi-key exchanges. | 02-13-2014 |
20140052981 | CENTRALIZED KEY MANAGEMENT - A first network device is configured to receive a first request for a first secret key, generate the first secret key, and send the first secret key to a second network device and a first user device; and is also configured to receive a second request for a second secret key, generate the second secret key, and send the second secret key to a third network device and a second user device. The second network device and the first user device may mutually authenticate each other using the first secret key. The third network device and the second user device may mutually authenticate each other using the second secret key. | 02-20-2014 |
20140052982 | METHODS AND SYSTEMS FOR DISTRIBUTING CRYPTOGRAPHIC DATA TO AUTHENTICATED RECIPIENTS - A method for distributing cryptographic data to authenticated recipients includes receiving, by an access control management system, from a first client device, information associated with an encrypted data object. The method includes receiving, by the access control management system, from a second client device, a request for the information associated with the encrypted data object. The method includes verifying, by the access control management system, that a user of the second client device is identified in the received information associated with the encrypted data object. The method includes authenticating, by the access control management system, with an identity provider, the user of the second client device. The method includes sending, by the access control management system, to the second client device, the received information associated with the encrypted data object. | 02-20-2014 |
20140068246 | CIRCUIT FOR SECURE PROVISIONING IN AN UNTRUSTED ENVIRONMENT - Embodiments of electronic circuits enable security of sensitive data in a design and manufacturing process that includes multiple parties. An embodiment of an electronic circuit can include a private key embedded within the electronic circuit that is derived from a plurality of components including at least one component known only to the electronic circuit and at least one immutable value cryptographically bound into messages and residing on the electronic circuit, public key generation logic that generates a public key to match the private key, and message signing logic that signs messages with the private key. | 03-06-2014 |
20140068247 | SECURITY DEVICE ACCESS - Technology is described to control a security device providing access to a restricted resource. The method can include generating a plurality of security access codes at a security locking device using at least one pre-configured symmetric key. The access codes may each be valid from predefined start times for varying time intervals. In a further operation, a candidate access code can be generated at a control server, using the same pre-configured symmetric key. The candidate access code from the control server can be provided to the security locking device. The security locking device can unlock when the candidate access code corresponds to at least one of the valid security access codes on the security locking device. | 03-06-2014 |
20140068248 | Learning a New Peripheral Using a Security Provisioning Manifest - A secure provisioning manifest used to authenticate and securely communicate with peripherals attached to a computer is provided with techniques to learn about a new peripheral not authorized to be attached to the computer and possibly gain authorization for the peripheral. A secure I/O module, that is separate from an operating system and transaction software executed by a processor of the computer, uses the secure provisioning manifest to authenticate and establish a secure encrypted session for communicating with each peripheral authorized to be attached to the computer. When an unauthorized peripheral is found, identifying information for the peripheral is transmitted to an enterprise provisioning server with a request to authorize the peripheral. | 03-06-2014 |
20140075184 | TRUST SERVICES FOR SECURING DATA IN THE CLOUD - Embodiments are directed to securing data in the cloud, securely encrypting data that is to be stored in the cloud and to securely decrypting data accessed from the cloud. In one scenario, an instantiated trust service receives information indicating that a trust server is to be instantiated. The trust service instantiates the trust server, which is configured to store key references and encrypted keys. The trust service receives the public key portion of a digital certificate for each publisher and subscriber that is to have access to various specified portions of encrypted data. A data access policy is then defined that specifies which encrypted data portions can be accessed by which subscribers. | 03-13-2014 |
20140082349 | SECURITY CREDENTIAL DEPLOYMENT IN CLOUD ENVIRONMENT - Techniques are described for deploying a security credential for an application deployed in a cloud. An encrypted security credential is received from a remote system and is inserted into a virtual machine image associated with the application. Upon deploying the virtual machine image as a virtual machine instance, embodiments transmit a request to a cryptex server for a decrypted security credential, the request including the encrypted security credential and a virtual machine identifier for the virtual machine instance. The cryptex server is configured to retrieve metadata associated with the virtual machine identifier and to authenticate the virtual machine instance using the retrieved metadata. Embodiments receive, from the cryptex server, the decrypted security credential for use by the application. | 03-20-2014 |
20140082350 | SECURITY CREDENTIAL DEPLOYMENT IN CLOUD ENVIRONMENT - Techniques are described for deploying a security credential for an application deployed in a cloud. An encrypted security credential is received from a remote system and is inserted into a virtual machine instance associated with the application. Upon deploying the virtual machine instance, embodiments transmit a request to a cryptex server for a decrypted security credential, the request including the encrypted security credential and a virtual machine identifier for the deployed virtual machine instance. The cryptex server is configured to retrieve metadata associated with the virtual machine identifier and to authenticate the deployed virtual machine instance using the retrieved metadata. Embodiments receive, from the cryptex server, the decrypted security credential for use by the application. | 03-20-2014 |
20140089658 | METHOD AND SYSTEM TO SECURELY MIGRATE AND PROVISION VIRTUAL MACHINE IMAGES AND CONTENT - A method, device, and system for securely migrating and provisioning a virtual machine image to a host device of a cloud service provider environment (CSPE) is disclosed. A customer device encrypts a virtual machine image (VMI) and stores the VMI in the CSPE. The host device retrieves the encrypted VMI from the object store and sends host trust data (including a symmetric key extracted from the encrypted VMI, the symmetric key being encrypted with the customer public key) to a key management server for trust attestation. If the key management server successfully attests the host device, the key management server decrypts the encrypted symmetric key using the customer private key and re-encrypts the symmetric key using the host public key. The host device receives the re-encrypted symmetric key from the key management server, decrypts it using the host private key, and decrypts the encrypted VMI using the symmetric key. | 03-27-2014 |
20140089659 | Method and apparatus for key provisioning of hardware devices - Keying materials used for providing security in a platform are securely provisioned both online and offline to devices in a remote platform. The secure provisioning of the keying materials is based on a revision of firmware installed in the platform. | 03-27-2014 |
20140095864 | REDUCED AUTHENTICATION TIMES IN CONSTRAINED COMPUTER NETWORKS - In one embodiment, a capable node in a low power and lossy network (LLN) may monitor the authentication time for one or more nodes in the LLN. The capable node may dynamically correlate the authentication time with the location of the one or more nodes in the LLN in order to identify one or more authentication-delayed nodes. The node may then select, based on the location of the one or more authentication-delayed nodes, one or more key-delegation nodes to receive one or more network keys so that the key-delegation nodes may perform localized authentication of one or more of the authentication-delayed nodes. The capable node may then distribute the one or more network keys to the one or more key-delegation nodes. | 04-03-2014 |
20140101437 | AUTOMATED CERTIFICATION BASED ON ROLE - In one aspect, systems and methods for generating a set of certification requirements based on a defined role and certification level for a requesting entity are provided. A target set of certification requirements is organized according to a set of process areas that are applicable to one or more roles. Each process area is defined into a set of process area subgroups, which is further defined according to base practice objectives. Each base practice objective includes an identification of certification requirements. Each of the certification requirements may be applicable to a requesting entity based on the specified level of certification. In another aspect, an entity may request certification based on an evaluation of certification information submitted by the entity against a set of previously determined applicable certification requirements. The certification authority can utilize a variety of thresholds to determine whether certification is appropriate or what level of certification is appropriate. | 04-10-2014 |
20140101438 | STRUCTURE PRESERVING DATABASE ENCRYPTION METHOD AND SYSTEM - A database encryption system and method, the Structure Preserving Database Encryption (SPDE), is presented. In the SPDE method, each database cell is encrypted with its unique position. The SPDE method permits converting a conventional database index into a secure one, so that the time complexity of all queries is maintained. No one with access to the encrypted database can learn anything about its content without the encryption key. Also a secure index for an encrypted database is provided. Furthermore, a secure database indexing system and method are described, providing protection against information leakage and unauthorized modifications by using encryption, dummy values and pooling, and supporting discretionary access control in a multi-user environment. | 04-10-2014 |
20140108782 | Reconfigurable Access Network Encryption Architecture - An access platform or other network elements can include multiple line cards configured to encrypt data. The platform and/or each of the line cards may receive encryption management data that conforms to a predefined encryption management data interface. The encryption management data received by a particular line card may be generated by a conditional access system device and converted to conform to the encryption management data interface by an encryption manager. Line cards may alternatively be configured for connection to separate encryption hardware components. Line cards may include a block of field programmable gate arrays or other type of programmable hardware that can be configured to execute an encryption module. | 04-17-2014 |
20140108783 | VIRTUAL NETWORK BUILDING SYSTEM, VIRTUAL NETWORK BUILDING METHOD, SMALL TERMINAL, AND AUTHENTICATION SERVER - A virtual network building system includes a small terminal and an authentication server. The small terminal includes an identifier transmission unit automatically transmitting an identifier to the authentication server via a client terminal in a state in which a connection unit is connected to the client terminal, and is attachable to and detachable from the client terminal. The authentication server includes an authentication unit performing authentication on the basis of the identifier of the small terminal, a distribution unit distributing software for encrypting communication to the client terminal according to selected communication protocol and encryption method, a reception unit receiving information (access request information) regarding a request for access to the target apparatus, which is automatically transmitted from the distributed software, and a redirect unit making a proxy response of access of the client terminal to the target apparatus in response to the received access request information. | 04-17-2014 |
20140115323 | SECURE SYSTEM FOR ALLOWING THE EXECUTION OF AUTHORIZED COMPUTER PROGRAM CODE - Systems and methods for selective authorization of code modules are provided. According to one embodiment, a trusted service provider maintains a cloud-based whitelist containing cryptographic hash values including those of code modules that are approved for execution on computer systems of subscribers of the service provider. A code module information query, including a cryptographic hash value of a code module, is received from a computer system of a subscriber by the service provider. If the cryptographic hash value matches one of the cryptographic hash values contained within the cloud-based whitelist and the code module is an approved code module, then the service provider responds with an indication that the code module is authorized for execution; otherwise, it (i) responds with an indication that the code module is an unknown code module; and (ii) causes one or more behavior analysis techniques to be performed on the code module. | 04-24-2014 |
20140122867 | ENCRYPTION AND DECRYPTION OF USER DATA ACROSS TIERED SELF-ENCRYPTING STORAGE DEVICES - A method and system for automated encryption and decryption of user data across tiered self-encrypting storage devices is disclosed. A storage tier is created using self-encrypting devices. When a user logs on to an enterprise, the enterprise gateway authenticates the user with login credentials. A protocol packet is sent over the IP network to the storage tiering software. The protocol packet contains the user credentials and the storage devices that are mapped into the user account. The storage tiering software identifies the list of mapped drives and maps them into devices and blocks. Further, the storage tiering software cascades all devices that contain user data. Selective decryption of the user data is then performed and the result is stored in a cache of each device, where it is ready for the user to use. The decrypted data in the cache is erased when the user logs off the enterprise. | 05-01-2014 |
20140122868 | AUTHENTICATOR - According to one embodiment, a method for authenticating a device, wherein the device holds secret identification information, encrypted secret identification information, and key management information, and an authenticator holds an identification key, the method includes reading, by the authenticator, the encrypted secret identification information and the key management information from the device, and obtaining, by the authenticator, a family key by using the key management information, the family key being capable of being decrypted with the identification key. The method further includes obtaining, by the authenticator, the secret identification information by decrypting the encrypted secret identification information with the family key. | 05-01-2014 |
20140129826 | Simplified Login for Mobile Devices - Aspects of the subject matter described herein relate to a simplified login for mobile devices. In aspects, on a first logon, a mobile device asks a user to enter credentials and a PIN. The credentials and PIN are sent to a server which validates the user credentials. If the user credentials are valid, the server encrypts data that includes at least the user credentials and the PIN and sends the encrypted data to the mobile device. In subsequent logons, the user may log on using only the PIN. During login, the mobile device sends the PIN in conjunction with the encrypted data. The server can then decrypt the data and compare the received PIN with the decrypted PIN. If the PINs are equal, the server may grant access to a resource according to the credentials. | 05-08-2014 |
20140136836 | METHOD AND SYSTEM FOR PROVIDING TOKENLESS SECURE LOGIN BY VISUAL CRYPTOGRAPHY - A method and system for providing tokenless secure login by visual cryptography. The method includes generating a password sequence and converting the password sequence to a password image. The method also includes encrypting the password image into a first image cipher and a second image cipher. The method further includes transmitting the first image cipher to a first electronic device of a user. Further, the method includes displaying the second image cipher on a second electronic device of the user. Moreover, the method includes enabling decryption of the password image by matching the first image cipher and the second image cipher using an image capture device on the first electronic device. The system includes a plurality of electronic devices, communication interface, memory, and processor. | 05-15-2014 |
20140136837 | METHOD FOR IDENTIFYING AND AUTHENTICATING A USER VIA A PORTABLE DEVICE - The method comprises: | 05-15-2014 |
20140143537 | COMMUNICATION APPARATUS AND COMMUNICATION METHOD - In general, according to one embodiment, a communication apparatus includes an obtaining unit, generation unit, and communication unit. The obtaining unit obtains a master key from a first communication apparatus. The generation unit generates an individual key using the master key. The communication unit communicates with a second communication apparatus using the individual key. | 05-22-2014 |
20140149734 | MEDIATOR MONITORING AND CONTROLLING ACCESS TO ELECTRONIC CONTENT - Methods, systems and apparatuses for a mediator controlling access to an electronic content, are disclosed. One method includes receiving, by a mediator server of a mediator, a second share SK | 05-29-2014 |
20140156988 | MEDICAL EMERGENCY-RESPONSE DATA MANAGEMENT MECHANISM ON WIDE-AREA DISTRIBUTED MEDICAL INFORMATION NETWORK - A method, system, and/or computer program product provides medical information on a communication network. Encrypted medical information in a decryption request is received from a first computer connected to the communication network at a second computer, the second computer holding decryption information. The second computer determines whether or not the second computer holds decryption information for decrypting the encrypted medical information. In response to the second computer determining that the second computer holds the decryption information, the second computer checks with a third computer as to whether the first computer is authenticated. In response to the first computer being authenticated, the second computer: acquires the encryption information from the third computer; decrypts the encrypted medical information to create decrypted medical information; encrypts the decrypted medical information to create encrypted decrypted medical information; and sends the encrypted decrypted medical information to a sender that has sent the encrypted medical information. | 06-05-2014 |
20140156989 | Credential Recovery - In a credential recovery process, a user is authenticated using an application running on a mobile communications device, and requests recovery of a credential. The application generates a session key encrypted with the public key of a gateway, and sends the encrypted key to the gateway. The gateway recovers the credential from a depository, encrypted using a symmetric key shared with the depository. The gateway decrypts the credential and re-encrypts the credential using the session key. Preferably, the decryption and re-encryption is performed within a hardware secure module within the gateway. The re-encrypted credential is sent to the application, which decrypts the credential and outputs it to the user. In this way, the credential is provided securely to the user and may be made available for use immediately, or nearly so. | 06-05-2014 |
20140164761 | SECURE ACCESS USING LOCATION-BASED ENCRYPTED AUTHORIZATION - Embodiments of the present invention disclose a method, computer program product, and system for location-based authorization to access a resource. A first computer receives a request to access a resource from a second computer. The request to access the resource includes location information of the second computer. The first computer responds by sending a request to a third computer, requesting location information of the third computer. In response to receiving the location information of the third computer from the third computer, the first computer determines a distance between the second computer and the third computer. If the distance between the second computer and the third computer fulfills a proximity condition, the first computer authorizes the resource request. | 06-12-2014 |
20140164762 | APPARATUS AND METHOD OF ONLINE AUTHENTICATION - In a method of online authentication, digital certificates of a client device and an application server are verified when the application server receives a login request to a network application system installed in the application server from the client device. The application server authenticates an identification of the client device when both the application server and the client device are valid. The client is permitted to log in to the network application system of the application server when the identification of the client is valid, and is forbidden to log in to the network application system of the application server when the identification of the client is invalid. | 06-12-2014 |
20140164763 | SYSTEMS AND METHODS OF PERFORMING LINK SETUP AND AUTHENTICATION - Systems and methods of performing link setup and authentication are disclosed. A method includes receiving, at a mobile device, a first access point nonce (ANonce) from an access point and generating a first pairwise transient key (PTK) using the first ANonce. The mobile device sends an authentication request including a station nonce (SNonce) to the access point, where the authentication request is protected using the first PTK. The mobile device receives an authentication response including a second ANonce from the access point, where the authentication response is protected using a second PTK. The mobile device generates the second PTK using the second ANonce and the SNonce and uses the second PTK to protect at least one subsequent message to be sent from the mobile device to the access point. | 06-12-2014 |
20140173273 | CREATING AND USING A SPECIFIC USER UNIQUE ID FOR SECURITY LOGIN AUTHENTICATION - A method of monitoring all network login activity, which includes a real-time analysis of intercepting all network login activity, analyzing network login activity, authenticating network login activity and closing (i.e., terminating) those network login connections that are not authenticated to proceed and access the network. | 06-19-2014 |
20140173274 | CREDENTIAL VALIDATION - A message to be signed and a base name point derived from a direct anonymous attestation (DAA) credential may be provided to a device. A signed version of the message and a public key value associated with the base name point may be received in response. Thereafter, the DAA credential may be determined to be valid based on the signed version of the message. | 06-19-2014 |
20140189346 | LICENSE SERVER MANAGER - Technology is disclosed for managing provision of licenses in an unsecure communication network (“the technology”). Various embodiments of the technology include creating a secure communication tunnel between a client device of a user requesting a license and a license server that contains the license, for a secure transmission of the license from the license server to the client device. After a first successful authentication of the user, the license management server generates and sends temporary credentials to the client device. The client device uses the temporary credentials to set up the secure communication tunnel with the license management server that will be used to access the license server. The client device sends the request to the license server over the secure communication tunnel, which in response transmits the license back to the client device over the secure communication tunnel. | 07-03-2014 |
20140195799 | TARGETED SECURITY POLICY OVERRIDE - An aspect provides a method, including: gathering, with an information handling device, client system identification data of a client system; providing, with the information handling device, the client system with at least one cryptographic key; transmitting, with the information handling device, the client system identification data and a request for security policy override to a third party; receiving, with the information handling device, encrypted approval data from the third party; and transmitting, with the information handling device, encrypted approval data to the client system. Other aspects are described and claimed. | 07-10-2014 |
20140201517 | METHOD AND SYSTEM FOR DISTRIBUTED OFF-LINE LOGON USING ONE-TIME PASSWORDS - A method and a system for extending distributed logon services to an off-line computing device includes encrypting, on the off-line computing device, a one-time password (OTP), a nonce, and a unique identifier to generate an authorization request message; using a mobile device as a proxy to forward the authorization request message to an access control server for authorization; decrypting the authorization response message to obtain the nonce; re-encrypting the nonce to generate an authorization response message; using the mobile device as a proxy to forward the authorization response message to the off-line computing device; decrypting the authorization response message to obtain the nonce; and comparing the nonce obtained from the authorization response message with the original nonce. The computing device permits or denies access as a result of comparing the nonce obtained from the authorization response message with the original nonce. | 07-17-2014 |
20140201518 | FRAMEWORK FOR PROVISIONING DEVICES WITH EXTERNALLY ACQUIRED COMPONENT-BASED IDENTITY DATA - A method is provided for updating identity data on devices. The method provides for acquiring a device comprising a component associated with a component identifier and having a One Time Programmable Key installed on the component, submitting the component identifier and the One Time Programmable Key to an External Trust Authority, receiving new identity data tied to the component identifier from the External Trust Authority that is encrypted with the One Time Programmable Key, loading the new identity data onto an Update Server, receiving a request at the Update Server from the device that requests new identity data, and providing the new identity data upon receipt of the request, upon which the device decrypts and installs the identity data using the One Time Programmable Key installed on the component within the device. | 07-17-2014 |
20140215205 | System and Method for Exchanging Cryptographic Capabilities - In some data communication configurations, data received from a sender may need to be viewed or otherwise processed by more than one entity with a corresponding client. For example, a message sent to a corporate email address may be viewed by either or both a mobile device and a desktop device. For the sender to utilize the strongest algorithm or protocol used by the recipient, it would therefore need to know which algorithms or protocols are supported by both the mobile and desktop mail clients. A system and method are provided to enable the mobile device to know about the capabilities of related mail clients associated with the communication address (e.g. email address) and vice versa such that the intersection of the capabilities (i.e. the strongest algorithm or protocol supported by all parties involved) can be chosen and the messages or data cryptographically processed accordingly. | 07-31-2014 |
20140223171 | METHODS AND APPARATUS TO CERTIFY DIGITAL SIGNATURES - Methods and apparatus to certify digital signatures are disclosed. An example method includes retrieving, from a first database, a first geographical location associated with an identification number associated with a network device and identified in a request to certify a digital signature, comparing the first geographical location associated with the identification number to a second geographical location to verify the second geographical location, determining that the first geographical location matches the second geographical location, and certifying the digital signature to indicate an authenticity of the digital signature based on the verification of the second geographical location and a comparison of (a) biometric information associated with a user associated with the request and (b) stored biometric information. | 08-07-2014 |
20140244997 | EMERGENCY MODE FOR IOT DEVICES - Methods and apparatuses for implementing an emergency instruction based on an emergency message from a trusted authority source. The method includes receiving, at an Internet of Things (IoT) device, an emergency secret key from a trusted authority source. The method receives, at the IoT device, an emergency message from the trusted authority source, and decodes, at the IoT device, the emergency message from the trusted authority source using the emergency secret key to determine a value within the emergency message. The method calculates, at the IoT device, a result based on the determined value. The method implements, at the IoT device, an emergency instruction if the result is above a predetermined threshold. | 08-28-2014 |
20140258708 | SECURING VARIABLE LENGTH KEYLADDER KEY - A system for securing a variable length keyladder key includes a keyladder decryptor configured to alter a first layer key and to execute a keyladder algorithm to generate a content key, the keyladder algorithm to generate the content key by decrypting an encrypted second layer key with the altered first layer key. The alteration mirrors the alteration applied to encrypt the second layer key by a content server providing content data to be decrypted. The system may further include a cryptographic direct memory access controller (DMAC) coupled with the keyladder decryptor and to decrypt encrypted content data using the generated content key. The keyladder decryptor may be further configured to send the content key to be stored in the DMAC without information regarding how the first layer key was altered. The alteration may include a permutation function or other change or modification. | 09-11-2014 |
20140281490 | ONE-TOUCH DEVICE PERSONALIZATION - Technologies for one-touch device personalization include at least two mobile computing devices configured to communicate with a personalization server. The first mobile computing device tracks changes to device personalization data and backs up the personalization data to the personalization server. The personalization server associates the personalization data to authenticated user credentials. The personalization server may store the personalization data in an operating-system-independent format. Later, a second mobile computing device sends a request for personalization including those user credentials. After authenticating the user credentials, the personalization server sends the personalization data to the second mobile computing device, which installs the personalization data. Installing the personalization data establishes a configuration of the second mobile computing device corresponding to a previous configuration of the first mobile computing device. For increased convenience and security, the user credentials may be stored on a smart card or other security device. Other embodiments are described and claimed. | 09-18-2014 |
20140281491 | IDENTITY ESCROW MANAGEMENT FOR MINIMAL DISCLOSURE CREDENTIALS - The subject disclosure is directed towards identity escrow management where anonymous online users can be de-anonymized if certain conditions are met. An auditor is configured to control a user's anonymity using a prime-order cryptographic group based encryption scheme. Via an authentication component, the auditor verifies that a pseudonym corresponding to the user's identity was encrypted correctly. If valid, the auditor decrypts encrypted pseudonym data using a private cryptographic key based upon the prime-order cryptographic group | 09-18-2014 |
20140281492 | Prevention of Forgery of Web Requests to a Server - Technologies for prevention of forgery of a network communication request to a server include a system for security of a network communication request. The system includes a communication module configured to receive the network communication request from a client. The network communication request may have a content parameter. The communication module may be configured to generate a string of content parameters comprising the content parameters and a hash of the content parameter, and communicate portions of a result of the network communication request to the client incorporating the encrypted string of content parameters. Furthermore, the communication module may receive a subsequent request from the client. The subsequent request may be associated with the network communication request. As a result of authenticating the subsequent request, the communication module may complete the network communication request. | 09-18-2014 |
20140281493 | PROVISIONING SENSITIVE DATA INTO THIRD PARTY - A method for providing identity data to network-enabled devices includes receiving a request for identity data from a network-enabled device that is deployed to an end-user. The network-enabled device is pre-provisioned with a PIN, a global key pair, a user-accessible first device identifier, and a second device identifier usable by a service provider delivering a service to the device. The identity data request includes the first and second identifiers, a protected rendition of the PIN, and an encryption key or other data from which an encryption key is derivable. The identifiers, the protected rendition of the PIN, and the encryption key or the other data are signed by a private key in the global key pair. The validity of the PIN included in the request is verified to authenticate the device. If the PIN is valid, identity data for the device is generated, encrypted and sent to the network-enabled device. | 09-18-2014 |
20140281494 | ACCESS CONTROL METHOD AND MOBILE TERMINAL WHICH EMPLOYS AN ACCESS CONTROL METHOD - An access control method for accessing an embedded system includes: performing a first access control operation for an access system by a first authentication subject, wherein the first access control operation includes performing a first authentication for the access system; when the first access control operation is passed, receiving at the first authentication subject a result of a second access control operation for the access system which is performed by a second authentication subject that is separate from the first authentication subject performing a second authentication for authenticating whether the access system is an access system that is authenticated by a second authentication subject that is separate from the first authentication subject, and receiving the result of the authentication; and allowing the access system to access the embedded system if the first authentication and the second authentication are successful. | 09-18-2014 |
20140281495 | METHOD AND APPARATUS FOR PERFORMING AUTHENTICATION BETWEEN APPLICATIONS - A method performed by a first application in a client apparatus to authenticate a second application in the client apparatus is provided. The method includes, when the first application receives an execution request from the second application, requesting authentication information of the second application from an authentication server, obtaining the authentication information of the second application from the authentication server, and authenticating the second application using the authentication information, wherein the authentication information of the second application is signed with a private key of the authentication server. | 09-18-2014 |
20140281496 | SECURE USER AUTHENTICATION IN A DYNAMIC NETWORK - A method, apparatus and/or computer program provides secure user authentication in a network having a dynamic set of services. The method comprises a client authenticating with an edge service and generating a query key. The edge service issues a request to the dynamic set of services. The request comprises (i) an encrypted identifier associated with the client, (ii) a private portion of the request being encrypted with the query key, and (iii) a public portion of the request. In response to ascertaining from the public portion of the request that it is able to respond to the request, one or more of the dynamic set of services respond to the edge service with (i) an identifier associated with the dynamic set of services, and (ii) the identifier associated with the client. The edge service then authenticates that it is able to respond to the request, including generating a session key. | 09-18-2014 |
20140289508 | METHOD, CLIENT AND SYSTEM OF IDENTITY AUTHENTICATION - A method, client device and system of identity authentication are provided. The method may include detecting a login or registration operation, to a server, via a login interface on a user interface of an application client. In response, identity information and an identifier of the application client may be determined. The identity information and the identifier may be encoded into a code displayed on the application client. A mobile terminal may obtain and decode the code to obtain the encapsulated identity information and the identifier. The mobile terminal may also have access to information about an account registered with the authentication server in advance. The mobile terminal may send the identity information, the identifier, and account information to the authentication server for authentication. The application client may then receive an authentication result from the authentication server enabling the user to access the third party service. | 09-25-2014 |
20140289509 | SYSTEM AND METHOD FOR DELEGATING TRUST TO A NEW AUTHENTICATOR - A system, apparatus, method, and machine readable medium are described for delegating trust to a new client device or a new authenticator on a trusted device. For example, one embodiment of a method comprises: implementing a series of trust delegation operations to transfer registration data associated with one or more trusted authenticators on a trusted client device to one or more new authenticators on a new client device or on the trusted client device. | 09-25-2014 |
20140298008 | Control System Security Appliance - A widespread security strategy for industrial control networks is physical isolation of the network, also known as an “air gap.” But the network might still be infected with unauthorized software if, say, an infected USB drive were to be plugged into one of the network's computers. The invention relates to a security module placed between the network and a device in the network. Each security module in the network mimics the Internet protocol (IP) configuration of its protected device. Each security module includes a private encryption key and a signed public key that it automatically shares with other security modules discovered on the network. These keys permit the security module to perform asymmetric point-to-point encryption of traffic from the protected device to the corresponding security module for a target device node and to detect (and thus block) unauthorized devices. | 10-02-2014 |
20140298009 | DATA SEARCH DEVICE, DATA SEARCH METHOD, DATA SEARCH PROGRAM, DATA REGISTRATION DEVICE, DATA REGISTRATION METHOD, DATA REGISTRATION PROGRAM, AND INFORMATION PROCESSING DEVICE - A data search server stores a system ciphertext including a data ciphertext and a keyword ciphertext in each category-specific DB unit for each data category, and stores each category-determination secret key being associated with each category-specific DB unit. A search request receiving unit receives from a data search terminal a search request including a search trapdoor and an index tag. A data searching unit searches for a category-determination secret key with which the index tag is decrypted to the same value as a key-determination value. Using the search trapdoor, the data searching unit performs a search of a Public-key Encryption with Keyword Search scheme on system ciphertexts in a category-specific DB unit associated with this category-determination secret key. A search result transmitting unit transmits to the data search terminal a data ciphertext included in a system ciphertext which has been found as a hit in the search. | 10-02-2014 |
20140310515 | APPARATUS AND METHOD FOR AUTHENTICATION BETWEEN DEVICES BASED ON PUF OVER MACHINE-TO-MACHINE COMMUNICATIONS - Terminal devices that perform machine-to-machine (M2M) communication may autonomously perform password authentication by autonomously generating a personal identity number (PIN) value, which is not exposed externally, using a physical unclonable function (PUF). A terminal apparatus that performs M2M communication may include a PUF embedded in the terminal apparatus to generate an authentication key for password authentication associated with the terminal apparatus, and an authentication unit to perform the password authentication associated with the terminal apparatus using the authentication key generated by the PUF. | 10-16-2014 |
20140317398 | SECURING INFORMATION WITHIN A CLOUD COMPUTING ENVIRONMENT - Embodiments of the invention provide a solution for securing information within a Cloud computing environment. Specifically, an encryption service/gateway is provided to handle encryption/decryption of information for all users in the Cloud computing environment. Typically, the encryption service is implemented between Cloud portals and a storage Cloud. Through the use of a browser/portal plug-in (or the like), the configuration and processing of the security process is managed for the Cloud computing environment user by pointing all traffic for which security is desired to this encryption service so that it can perform encryption (or decryption in the case of document retrieval) as needed (e.g., on the fly) between the user and the Cloud. | 10-23-2014 |
20140317399 | COMPUTER STORAGE DEVICE HAVING SEPARATE READ-ONLY SPACE AND READ-WRITE SPACE, REMOVABLE MEDIA COMPONENT, SYSTEM MANAGEMENT INTERFACE, AND NETWORK INTERFACE - A storage device for use with a computer is disclosed. The storage device includes a processor communicably connected to a computer through a computer interface and a system interface. The computer interface enables communications exclusively between the processor and the computer, while the system interface enables the processor to manage one or more hardware components of the computer. A network interface is also included to enable the processor to communicate over a network with select file servers to the exclusion of other file servers. A storage means is communicably connected to the processor and includes first and second designated storage sections. The processor has read-write access to both storage sections, while the computer has read-only access to the first storage section and read-write access to the second storage section. A removable media storage component is also communicably connected to the processor. | 10-23-2014 |
20140317400 | SYSTEM AND METHOD FOR VALIDATION AND ENFORCEMENT OF APPLICATION SECURITY - A system and method for validation and enforcement of application security, wherein the user credentials and the integrity of a target application are verified before the target application is permitted to execute. | 10-23-2014 |
20140351574 | Systems and Methods for Application Identification - Systems and methods for application identification in accordance with embodiments of the invention are disclosed. In one embodiment, a user device includes a processor and memory configured to store an application, a session manager, an application identifier, and at least one shared library, and the processor is configured by the session manager to communicate the application identifier and the application identifier data to an authentication server and permit the execution of the application in response to authentication of the application by the authentication server. | 11-27-2014 |
20140351575 | Apparatuses and a Method for Protecting a Bootstrap Message in a Network - The embodiments of the present invention relate to apparatuses in the form of a first network unit and a device, and also relate to a method for enabling protection of a bootstrap message in a device management network system. The method comprises: receiving, at the first network unit, a request to bootstrap the device; transmitting a request for a bootstrap key to a second network unit; receiving a message comprising the bootstrap key and further comprising trigger information; and transmitting the trigger information to the device to trigger generation of the bootstrap key internally in the device. Thereafter a protected bootstrap message can be transmitted to the device from the first network unit, and when the device verifies and/or decrypts the bootstrap message, device management (DM) sessions can start between the device and the first network unit. | 11-27-2014 |
20140351576 | SERVER ALGORITHMS TO IMPROVE SPACE BASED AUTHENTICATION - A system and methods for location authentication are presented. An estimated server signal is estimated based on a generated known code signal, and a client received satellite signal is received from a client device. The client received satellite signal is compared to the estimated server signal to provide a comparison result. | 11-27-2014 |
20140359278 | Secure Remote Subscription Management - A method and apparatus are disclosed for performing secure remote subscription management. Secure remote subscription management may include providing the Wireless Transmit/Receive Unit (WTRU) with a connectivity identifier, such as a Provisional Connectivity Identifier (PCID), which may be used to establish an initial network connection to an Initial Connectivity Operator (ICO) for initial secure remote registration, provisioning, and activation. A connection to the ICO may be used to remotely provision the WTRU with credentials associated with the Selected Home Operator (SHO). A credential, such as a cryptographic keyset, which may be included in the Trusted Physical Unit (TPU), may be allocated to the SHO and may be activated. The WTRU may establish a network connection to the SHO and may receive services using the remotely managed credentials. Secure remote subscription management may be repeated to associate the WTRU with another SHO. | 12-04-2014 |
20140359279 | METHOD AND SYSTEM FOR AUTHENTICATING PEER DEVICES USING EAP - A system and method for authenticating a peer device onto a network using Extensible Authentication Protocol (EAP). The key lifetime associated with the keying material generated in the peer device and the authentication server is communicated from the authenticator to the peer device within the EAP Success message. The peer device, having been provided with the key lifetime, can anticipate the termination of its authenticated session and initiate re-authentication prior to expiry of the key lifetime. | 12-04-2014 |
20140365762 | Method and Apparatus for Securely Synchronizing Password Systems - A centralized password repository (CPR) provides network users with a password portal through which the user can manage password access to domains and applications on the network. A subset of the domains and applications on the network may be required, by design, to maintain a separate password infrastructure. For these systems, the CPR establishes a secure and authenticated communication channel and software on the system interfaces with the password infrastructure to synchronize the password in the system password infrastructure with the password in the CPR. For other systems not required to maintain a separate password infrastructure, the CPR performs password services by responding to requests from those systems seeking to validate user IDs and passwords. The CPR enables an administrator to modify network privileges and enables a user to alter passwords on the network through a single interface. | 12-11-2014 |
20140372749 | NETWORK WITH PROTOCOL, PRIVACY PRESERVING SOURCE ATTRIBUTION AND ADMISSION CONTROL AND METHOD - A device implemented, carrier independent packet delivery universal addressing networking protocol for communication over a network between network nodes utilizing a packet. The protocol has an IP stack having layers. At least some of the layers have privacy preserving source node attribution and network admission control. The packet is admitted to the network only if a source node of the network nodes admits the packet. | 12-18-2014 |
20140380040 | SECURE BIOMETRIC CLOUD STORAGE SYSTEM - A secure and scalable data storage system that includes a server and a plurality of clients. The server maintains an access permission file that includes a file-group name, a plurality of client access blocks, a first and second public key, and a signature that is based on a first private key. The signature ensures that only clients who have a certain level of access can modify the contents of the access blocks. Each client access block includes at least one of a first access key, a second access key and a third access key. The access keys are encapsulated within biometric information of the client. The server grants one of a first level of access based on a successful verification of a signed request with the first public key and a second level of access based on a successful verification of the signed request with the second public key. | 12-25-2014 |
20140380041 | METHODS AND SYSTEMS FOR REGISTERING A PACKET-BASED ADDRESS FOR A MOBILE DEVICE USING A FULLY-QUALIFIED DOMAIN NAME (FQDN) FOR THE DEVICE IN A MOBILE COMMUNICATION NETWORK - A mobile communication device registers for data communication through a mobile communication network with a packet-based network. The device may or may not have a mobile device number, and registers using a fully-qualified-domain-name (FQDN) uniquely identifying the device in a domain-name-system (DNS) of the packet-based network. A packet-data-network gateway assigns a packet-based address for the device, and generates a request for registering the address with the FQDN in a DNS server. Alternatively, the device generates the packet-based address based on a received portion of the address, retrieves the FQDN from an identity module, and sends a DNS-Update message to the DNS server including the address and FQDN. Again alternatively, a DNS server receives an encrypted DNS update message including a FQDN and a packet-based address, and decrypts the message prior to registering the address and FQDN in a DNS database. | 12-25-2014 |
20150012742 | Active biometric authentication with zero privacy leakage - The invention provides a method for frequent verifications of the identity of a user performed during a long session of client-server communication by secure exchange of keys between the client and the server. A user is represented at the server by a set of random numbers that have nothing to do with his biometric data. The server initiates authentication requests by sending encoded randomly generated permutation to the client. On each request, the client creates a dynamic response key built by using the decoded permutation and biometric data of the user so that this biometric data cannot be retrieved from the key. The key also includes the correlation coefficient between the sound of the user's breathing and the distance between the most outer sides of the wings of his nose and the correlation coefficient between the area of the user's pupil and the brightness of his computer screen. | 01-08-2015 |
20150012743 | DEVICE TO DEVICE SECURITY USING NAF KEY - A method, apparatus and computer program product are disclosed for establishing secure off-network communications between first and second Secure Cellular Devices that each have a cellular identity. The second Secure Cellular Device may assume the role of Remote Device for interaction with the NAF keyserver and may obtain a local key. The first Secure Cellular Device may derive the local key and the two devices may conduct secure communications using the shared local key. The two Secure Cellular Devices may alternate the roles of Secure Host and Remote Device, each twice obtaining or deriving a shared local key such that there are two such keys. The devices may employ one key for secure communication in one direction and the other for communication in the other direction. Alternatively, the devices may derive a unique shared key as a function of the two shared keys. | 01-08-2015 |
20150012744 | GROUP BASED BOOTSTRAPPING IN MACHINE TYPE COMMUNICATION - A group key is computed based on unique identifications of each member device of a group of machine type communication devices, wherein communication with a network application function is performed by using a session identification of the group, and/or by using a session identification of a member device of the group, generated based on the session identification of the group and the unique identification of the member device. | 01-08-2015 |
20150019862 | AVIONICS GATEWAY INTERFACE, SYSTEMS AND METHODS - Systems and methods are provided for FAA-certified avionics devices to safely interface with non-certified mobile telecommunications devices before, during, and after flight. Data transmitted to the certified devices do not affect functionality of the certified device unless and until a user acknowledges and/or confirms the data on the certified device. Thus, the integrity of the certified device is maintained. | 01-15-2015 |
20150026457 | CONTROLLING ACCESS BY CODE - A novel code signing system, computer readable media, and method are provided. The code signing method includes receiving a code signing request from a requestor in order to gain access to one or more specific application programming interfaces (APIs). A digital signature is provided to the requestor. The digital signature indicates authorization by a code signing authority for code of the requestor to access the one or more specific APIs. In one example, the digital signature is provided by the code signing authority or a delegate thereof. In another example, the code signing request may include one or more of the following: code, an application, a hash of an application, an abridged version of the application, a transformed version of an application, a command, a command argument, and a library. | 01-22-2015 |
20150026458 | Managing User Access in a Communications Network - A method of operating a node for performing handover between access networks wherein a user has authenticated for network access in a first access network. The method comprises receiving from a home network a first session key and a temporary identifier allocated to the user for the duration of a communication session. The identifier is mapped to the first session key, and the mapped identifier and key are stored at the node. A second session key is derived from the first session key and the second session key is sent to an access network, and the identifier sent to a user terminal. When the user subsequently moves to a second access network, the node receives the identifier from the user terminal. The node then retrieves the first session key mapped to the received identifier, derives a third session key and sends the third session key to the second access network. | 01-22-2015 |
20150039883 | SYSTEM AND METHOD FOR IDENTITY-BASED KEY MANAGEMENT - A system and method for identity (ID)-based key management are provided. The ID-based key management system includes an authentication server configured to authenticate a terminal through key exchange based on an ID and a password of a user of the terminal, set up a secure channel with the terminal, and provide a private key based on the ID of the user to the terminal through the secure channel, and a private-key generator configured to generate the private key corresponding to the ID of the terminal user according to a request of the authentication server. | 02-05-2015 |
20150046695 | SCALABLE AUTHENTICATION SYSTEM - Disclosed is a key management method for administering a token with an administrative server and an authentication server wherein a set of keys stored therein in use differs so that at least a mutually exclusive key is stored in each of the token, the administrative server or the authentication server, the method comprising the steps of: the token transmitting an identity proxy ID 1 encrypted with an encryption key Key 1; the administrative server generating data Key 1a and Key 1b from Key 1 stored therein, whereby Key 1a and Key 1b can be used in conjunction to derive Key 1 but not separately; the administrative server generating an identity proxy ID 2 and an encryption key Key 2, whereby the administrative server records a token profile comprising an association information among ID 2, Key 1b and Key 2; the administrative server communicating ID 2, Key 1a and Key 2 to the token and the token storing ID 2, Key 1a and Key 2 wherein Key 2 is stored therein encrypted with Key 1; the administrative server communicating the token profile to the authentication server and deleting Key 1b and Key 2 from its records thereafter; the authentication server requesting ID 2 from the token and the token transmitting ID 2 thereto; the authentication server identifying Key 1b and Key 2 associated with the transmitted ID 2 and generating a new encryption key Key 3; the authentication server recording Key 3's association with ID 2 in the token profile and communicating Key 3 to the token; and the token storing Key 3 therein encrypted with Key 2, whereby the administrative server stores ID 1, ID 2 and Key 1, the authentication server stores ID 2, Key 1b, Key 2, and Key 3, and the token stores ID 1, ID 2, Key 1a, Key 2, and Key 3, wherein the token stores Key 2 encrypted with Key 1 and stores Key 3 encrypted with Key 2 therein. | 02-12-2015 |
20150046696 | METHOD AND APPARATUS FOR SECURED SOCIAL NETWORKING - Various methods are described for using a local trust level and/or a general trust level to control access to data in a PSN. Any PSN user can select other users with at least a minimum level of local and/or general trust for secure communications. Users with a trust level below the minimum trust level cannot access the data sent by him/her. The general trust level is controlled by access keys that are generated and issued by a trusted server. The access keys controlled by the local trust level are generated by each PSN device. Each PSN device issues the corresponding personalized secret keys to those users that satisfy the decryption conditions related to the local trust level evaluated by the PSN user itself. Both sets of keys can be applied at the same time to secure communication data in the PSN, controlled by both the general trust level and the local trust level. | 02-12-2015 |
20150046697 | OPERATOR ACTION AUTHENTICATION IN AN INDUSTRIAL CONTROL SYSTEM - Operator actions and/or other commands or requests are secured via an authentication path from an action originator to a communications/control module or any other industrial element/controller. In implementations, an industrial control system includes an action authenticator configured to sign an action request generated by the action originator. The destination communications/control module or any other industrial element/controller is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified. | 02-12-2015 |
20150046698 | POWER LINE BASED THEFT PROTECTION OF ELECTRONIC DEVICES - Technologies for establishing and managing a connection with a power line communication network include establishing a communication connection between an electronic device and a security server. A default device encryption key associated with the electronic device is changed to correspond with a new device encryption key of the security server. Thereafter, the electronic device may only join a power line communication network of a particular security server using a network membership key, which is encrypted with the device encryption key that the particular security server associates to the electronic device. The electronic device contains a circuit interrupt to interrupt a circuit of the electronic device if the electronic device is not able to successfully decrypt the network membership key. | 02-12-2015 |
20150052350 | SYSTEM AND METHOD FOR AUTHENTICATING A USER - A method for user authentication implementing a first server connected to a public network, and a second server connected to the first server but not connected to the public network, this method comprising an enrolment step comprising: receiving by the first server a reference identifier and a reference password, and transmitting this information to the second server; loading a security parameter by the second server, and calculating a first cryptogram by a one-way function Hash on the reference identifier, the reference password, and the security parameter; encrypting at least the reference identifier and the password by using an asymmetrical encryption method, and storing the encrypted data by the second server; returning the first cryptogram to the first server and storing said cryptogram by the first server; and a verification step of a user comprising: receiving by the first server the current identifier and the current password, and transmission of said information to the second server; calculating a second cryptogram by the one-way function Hash on the current identifier, the current password, and the security parameter by the second server; returning the second cryptogram to the first server and verification that the first cryptogram is included in the database; if not, generating an error message. | 02-19-2015 |
20150058618 | SECURE ACCESS OF MOBILE DEVICES USING PASSWORDS - Enhanced security measures are provided for accessing applications or data on a client device using an encryption scheme. The client device receives authorization to access the applications or data from a server that compares a password received at the client device with a password previously stored in the server. In addition to comparing the passwords, the server may implement additional security measures such as checking geographic locations of the client device or monitoring for suspicious patterns of usage on the client device. Further, different passwords may be used depending on whether the client device has connectivity with the server. When the connectivity is not available, a longer or more complicated password may be used instead of a shorter or simple password to provide added security. When the user is authenticated, a key is made available to access applications or data on the client device. | 02-26-2015 |
20150058619 | SYSTEMS AND METHODS FOR IMPLEMENTING COMPUTER SECURITY - A security server transmits a specification of a first set of files and directories to a computing device for monitoring according to a security policy. Each of the files or directories in the first set is associated with the operating system of the computing device or associated with an application running on the computing device. The server securely receives data collected at the remote computing device, which includes metadata for the files and directories and content signatures computed for each file. The server compares the received metadata and content signatures for each file or directory against corresponding baseline metadata and baseline content signatures. The baseline metadata and baseline content signatures are stored at the security server. When there is a mismatch between the received metadata and corresponding baseline metadata or a mismatch between a received content signature and a corresponding baseline content signature, the server performs a remedial action. | 02-26-2015 |
20150067323 | Software Revocation Infrastructure - In one implementation, software components include an identity of a revocation authority. Prior to loading of the software in a given platform, the revocation authority is checked for any revocation messages. The revocation authority creates software component specific messages for any software components to be revoked, rather than using certificate revocation or individual licenses. The messages include mitigation information, such as instructions for automatically configuring already installed software without requiring an update or change in code. | 03-05-2015 |
20150067324 | Transmission/Reception System, Transmission Device, Reception Device, Authentication Device, User Equipment, Method Executed Using These, and Program - An encryption technique in which a transmission device and a reception device use solutions generated such that those generated in the same order are assumed to be the same is improved so as to enhance versatility without undermining security. An initial solution respectively used by two communication devices involved in communication in order to generate solutions is sent from one communicating device to the other. Both communication devices generate a mutually agreed-upon number of solutions from the initial solution and set the last solution among the generated solutions as a new initial solution, and using solutions generated based on the new initial solution, the transmission device performs encryption while the reception device performs decryption. | 03-05-2015 |
20150074389 | PRIVATE PEER-TO-PEER NETWORK PLATFORM FOR SECURE COLLABORATIVE PRODUCTION AND MANAGEMENT OF DIGITAL ASSETS - Asset management systems and methods are presented. In one embodiment, a system includes a computing resource associated with a project member. A project container is stored on the computing resource, wherein the project container comprises encrypted objects related to a project. The encrypted objects include project metadata and one or more working objects associated with one or more sub-projects to which the project member is granted permissioned access. An encryption/decryption engine is included for encrypting and decrypting the encrypted objects. The system includes an archive file system for storing the encrypted objects and previous versions of the objects, and a façade file system for viewing, accessing and interacting with the one or more working objects. Other computing resources associated with other project members are similarly configured, wherein a plurality of project containers store distributed objects that are grouped within the project. An authentication server provides authenticated access to each of the plurality of project containers, and authenticated peer-to-peer communication between the plurality of project containers. | 03-12-2015 |
20150082024 | TECHNOLOGIES FOR SYNCHRONIZING AND RESTORING REFERENCE TEMPLATES - Generally, this disclosure describes technologies for restoring and/or synchronizing templates such as biometric templates to/among one or more client devices. In some embodiments one or more client devices may register with a synchronization server and provide encrypted copies of their reference templates to the server. In a restoration operation, the synchronization server may provide an encrypted copy of a client's reference template(s) to the client, which may decrypt them in a protected environment. In a synchronization operation, the synchronization server may provide an encrypted copy of a first client's template(s) to a plurality of second clients. The second clients may then decrypt the encrypted template(s) within a protected environment using an appropriate decryption key. | 03-19-2015 |
20150082025 | AUTHENTICATION AND SECURED INFORMATION EXCHANGE SYSTEM, AND METHOD THEREFOR - Identity based encryption (IBE). An IBE server assigns a private and public key pair to a client device based on a unique identification of the client device. To establish an encrypted session with the client device a server device requests the client device's public key from the IBE server. Authentication of the client and the server by the IBE server is based on credentials or a token. Assigned keys are securely stored in an embedded trusted platform provided in the client device. | 03-19-2015 |
20150082026 | SYSTEMS AND METHODS FOR LOCKING AN APPLICATION TO DEVICE WITHOUT STORING DEVICE INFORMATION ON SERVER - A system and method for locking an application to a specific hardware device without storing device or user information on a server. A lock registration is performed during the first usage of the application, where the application sends a unique value to the server through a secured channel. This unique value is a combination of user-specific information and device information. The server receives the unique value and sends an encrypted value back to the device, which is stored in a predefined location on the device. During lock validation, which is initiated on every request to the server or on every session creation, the device's unique value and the encrypted value are sent to the server. The server receives them, decrypts the encrypted value, and compares it with the received unique value. If both values are the same, the server validates the application instance by sending a response to the device; otherwise an error message is sent to the device. | 03-19-2015 |
20150089213 | INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING SYSTEM, AND COMPUTER PROGRAM PRODUCT - According to an embodiment, an information processing apparatus includes a main processor, a secure operating system (OS) module, a non-secure OS module, a secure monitor memory setting module, a timer, and an address space controller. When receiving a notification of an interrupt from the timer, a secure monitor instructs the secure OS module to execute certain processing. The secure OS module is configured to execute certain processing instructed by the secure monitor and store data of a result of the processing in a first memory area. | 03-26-2015 |
20150089214 | ENHANCED AUTHENTICATION AND/OR ENHANCED IDENTIFICATION OF A SECURE ELEMENT OF A COMMUNICATION DEVICE - A method for enhanced authentication and/or enhanced identification of a secure element of a user equipment includes: transmitting a first message to a secure element; receiving a second message, from the secure element at a first server entity, the second message including at least the signed public key and a signature information, wherein the signing message content includes at least one information element that is omitted in the second message; transmitting a third message, to the second server entity, the third message including at least the signed public key and the signature information, wherein the signing message content is accessible to or derivable by the second server entity in view of a verification of the signature information contained in the second message for authentication and/or identification purposes. | 03-26-2015 |
20150095638 | METHOD AND SYSTEM FOR ENTERPRISE NETWORK SINGLE-SIGN-ON BY A MANAGEABILITY ENGINE - A manageability engine (ME) receives an authentication response from a user during pre-boot authentication and registers the user with a key distribution center (KDC), indicating that the user has successfully authenticated to the PC. The KDC supplies the ME with single-sign-on credentials in the form of a Key Encryption Key (KEK). The KEK may later be used by the PC to obtain a credential used to establish secure access to Enterprise servers. | 04-02-2015 |
20150100777 | Secure Federated Identity Service - Federated identity is the means of linking a person's electronic identity and attributes, such that the user can be authenticated with a single sign-on across multiple systems and organizations. A system and a method are proposed to provide a unique user digital identifier which is different for each security identity services subscriber. | 04-09-2015 |
20150113265 | LOGIN SYSTEM BASED ON SERVER, LOGIN SERVER, AND VERIFICATION METHOD THEREOF - A method performed by a login server with memory and one or more processors is described. The method includes receiving a login request from a computer system; determining whether an identity of the computer system matches a preset standard; and, in accordance with a determination that the identity of the computer system does not match the preset standard, denying the login request. The login server and its components, and a computer readable storage medium storing one or more programs for execution by one or more processors of the login server, are also described. | 04-23-2015 |
20150121065 | ELECTRONIC DEVICE AND ANTIPIRACY PROTECTING METHOD - In a method of protecting the copyright of a digital media file in an electronic device, the electronic device receives a request from a recipient electronic device for downloading the digital media file. The electronic device requires the recipient electronic device to provide information about the recipient electronic device, and further requests a third-party authorization system to allocate a key for the digital media file according to that information. Once the electronic device locks the digital media file using the key, it sends the locked digital media file to the recipient electronic device. | 04-30-2015 |
20150121066 | Set of Servers for "Machine-to-Machine" Communications using Public Key Infrastructure - A set of servers can support secure and efficient “Machine to Machine” communications using an application interface and a module controller. The set of servers can record data for a plurality of modules in a shared module database. The set of servers can (i) access the Internet to communicate with a module using a module identity, (ii) receive server instructions, and (iii) send module instructions. Data can be encrypted and decrypted using a set of cryptographic algorithms and a set of cryptographic parameters. The set of servers can (i) receive a module public key with a module identity, (ii) authenticate the module public key, and (iii) receive a subsequent series of module public keys derived by the module with a module identity. The application interface can use a first server private key and the module controller can use a second server private key. | 04-30-2015 |
20150134950 | STORAGE ARRAY PASSWORD MANAGEMENT - A system and method for generating passwords for secure login to a storage array. A randomly generated root secret is utilized along with a compartment ID to generate a root password for logging into a storage array with root privileges. The root secret is encrypted with the public key of a public-private key pair, and the encrypted root secret is stored on the storage array. When root access is needed, a private key stored externally to the storage array is utilized to decrypt the root secret. The decrypted root secret is then used along with the compartment ID to regenerate the root password. | 05-14-2015 |
20150143106 | REMOTE AUTHENTICATION SYSTEM - One embodiment of the invention is directed to a method including receiving an alias identifier associated with an account associated with a presenter, determining an associated trusted party using the alias identifier, sending a verification request message to the trusted party after determining the associated trusted party, and receiving a verification response message. | 05-21-2015 |
20150149766 | SYSTEM AND METHODS FOR FACILITATING AUTHENTICATION OF AN ELECTRONIC DEVICE ACCESSING PLURALITY OF MOBILE APPLICATIONS - Systems and methods for facilitating authentication of an electronic device accessing a plurality of mobile applications are disclosed. The system may receive a device public key and authentication information of the electronic device. The system may validate the authentication information to initiate a device session with the electronic device and create an authentication token signed with a server signature. The system may enable the electronic device to access a first mobile application based on the validated authentication information. Further, the system may receive the authentication token signed with a device signature. The system may authorize the authentication token by verifying the device signature and the server signature on the authentication token with the device public key and a server public key respectively. The system may then enable the electronic device to access a second mobile application using the authorized authentication token. | 05-28-2015 |
20150149767 | METHOD AND SYSTEM FOR AUTHENTICATING THE NODES OF A NETWORK - A system and a method are provided for authenticating the nodes of a communication network in order to access the services of a service provider, and includes a collective authentication of the nodes, performed in a single exchange between the nodes of the network declared in a group and an authentication server. Depending on the result of the authentication, the service provider is provided with cryptographic material in order to implement individualized controlled access to the resources or to the services offered for each node. | 05-28-2015 |
20150304110 | SYSTEM AND METHOD FOR AN INTEGRITY FOCUSED AUTHENTICATION SERVICE - Systems and methods for authentication. At an authentication service, key synchronization information is stored for an enrolled authentication device for a user identifier of a service provider. The key synchronization information indicates that a private key stored by the authentication device is synchronized with a public key stored at the service provider. Responsive to an authentication request provided by the service provider for the user identifier, the authentication service determines an authentication device for the user identifier that stores a synchronized private key by using the key synchronization information, and provides the authentication request to the authentication device. The authentication service provides a signed authentication response to the service provider. The authentication response is responsive to the authentication request and signed by using the private key. The service provider verifies the signed authentication response by using the public key. | 10-22-2015 |
20150312038 | TOKEN SECURITY ON A COMMUNICATION DEVICE - Techniques for enhancing the security of storing sensitive information or a token on a communication device may include sending a request for the sensitive information or token. The communication device may receive a session key encrypted with a hash value derived from user authentication data that authenticates the user of the communication device, and the sensitive information or token encrypted with the session key. The session key encrypted with the hash value, and the sensitive information or token encrypted with the session key can be stored in a memory of the communication device. | 10-29-2015 |
20150317493 | PLATFORM TO BUILD SECURE MOBILE COLLABORATIVE APPLICATIONS USING DYNAMIC PRESENTATION AND DATA CONFIGURATIONS - System and method to provide access to protected data for a communication terminal, the system including: a publisher database configured to store protected data in encrypted form; a first server coupled to the publisher database; a second server coupled to the first server, the second server configured to provide a cryptographically strong authentication of access to the protected data; an interface to a first secure channel, between the first server and the communication terminal; and an interface to a second secure channel, between the first server and a customer application, wherein the first server is configured to exchange protected data with the communication terminal via the first secure channel, and to exchange protected data with the customer application via the second secure channel. | 11-05-2015 |
20150318992 | METHOD FOR SERVER ASSISTED KEYSTORE PROTECTION - The present invention relates to a method for a device to access a data store previously locked using a passphrase. When the user requests access to the data store, the method includes the following steps: requesting the user to enter the personal code; generating an access code by applying a first function to at least the entered personal code; sending to the server at least an identifier of the device and the access code; at the server, comparing the access code with the value of the first function received beforehand; at the server, if the access code is correct, returning the passphrase to the device; and at the device, unlocking the data store using the received passphrase in combination with the entered personal code. | 11-05-2015 |
20150326395 | METHOD FOR SETTING UP A SECURE CONNECTION BETWEEN CLIENTS - The invention relates to a method for authorising a second client (C | 11-12-2015 |
20150326402 | Authentication Systems - A method of authenticating an agent to a secure environment of a device, in a challenge-response authentication system comprising the device, a remote authentication server and a connection path between the device and the remote authentication server, the method comprising, while the connection path is not established: obtaining a predictable challenge based on at least a current value of a counter; obtaining a response for the challenge; and authenticating the agent to the secure environment based on at least the response; wherein, upon successful authentication, the value of the counter is incremented. A challenge-response authentication system and an apparatus are also claimed. | 11-12-2015 |
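The offline counter-based exchange described in the entry above, as an added example that is not the patent's own code. It assumes a symmetric key shared between the device's secure environment and the remote server, a challenge of SHA-256(device_id || counter) and a response of HMAC-SHA256(key, challenge); the server pre-issues a small batch of responses while the connection path exists, and the agent spends them offline one per authentication. The device identifier, key and batch size are constructed for the demonstration.

```python
import hashlib
import hmac

# Added example, not the patent's code. Assumptions: the device's secure
# environment and the remote authentication server share a symmetric key K;
# the predictable challenge is SHA-256(device_id || counter); the response is
# HMAC-SHA256(K, challenge). While the connection path exists the server
# pre-issues responses for the next few counter values, and the agent presents
# them offline, one per authentication.


def make_challenge(device_id: bytes, counter: int) -> bytes:
    """Predictable challenge: anyone who knows device_id and the counter can derive it."""
    return hashlib.sha256(device_id + counter.to_bytes(8, "big")).digest()


def make_response(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()


class SecureEnvironment:
    """Device side: holds K and a monotonic counter; never needs the network."""

    def __init__(self, device_id: bytes, key: bytes):
        self.device_id = device_id
        self.key = key
        self.counter = 0

    def authenticate(self, response: bytes) -> bool:
        expected = make_response(self.key, make_challenge(self.device_id, self.counter))
        if hmac.compare_digest(expected, response):
            self.counter += 1  # advance only on success: the old response is now dead
            return True
        return False


def server_issue_batch(device_id: bytes, key: bytes, start: int, n: int) -> list:
    """Server side (online phase): responses for counters start .. start+n-1."""
    return [make_response(key, make_challenge(device_id, c)) for c in range(start, start + n)]


def run_offline_session(device_id: bytes, key: bytes) -> dict:
    env = SecureEnvironment(device_id, key)
    batch = server_issue_batch(device_id, key, env.counter, 3)
    first = env.authenticate(batch[0])
    replay = env.authenticate(batch[0])      # same response again: counter has moved on
    skip = env.authenticate(batch[2])        # out of order: counter is 1, not 2
    second = env.authenticate(batch[1])
    third = env.authenticate(batch[2])
    exhausted = env.authenticate(batch[2])   # batch used up: agent must go online to refill
    return {"first": first, "replay": replay, "skip": skip, "second": second,
            "third": third, "exhausted": exhausted, "counter": env.counter}


if __name__ == "__main__":
    print(run_offline_session(b"device-0001", b"\x11" * 32))
```

Because the counter only advances on success, a captured response is single-use, and an agent that falls out of step with the device's counter cannot recover offline; the practical caveat is that the server and device must resynchronize the counter the next time the connection path is established, or the pre-issued batch becomes useless.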
20150326543 | ESTABLISHING AN INITIAL ROOT OF TRUST FOR INDIVIDUAL COMPONENTS OF A DISTRIBUTED SECURITY INFRASTRUCTURE - The embodiments described herein describe technologies for a device definition process to establish a unique identity and a root of trust of a cryptographic manager (CM) device, the CM device to be deployed in a CM system. The device definition process can take place in a device definition phase of a manufacturing lifecycle of the CM device. One implementation includes a non-transitory storage medium to store an initialization application that, when executed by a CM device, causes the CM device to perform a device definition process to generate a device definition request to establish the unique identity and the root of trust. In response to the device definition request, the initialization application obtains device identity and device credentials of the CM device and stores the device definition request in storage space of a removable storage device. The initialization application imports a device definition response containing provisioning information generated by a provisioning device of a cryptographic manager system in response to the device definition request. | 11-12-2015 |
20150326567 | MODULES TO SECURELY PROVISION AN ASSET TO A TARGET DEVICE - The embodiments described herein describe technologies for Module management, including Module creation and Module deployment to a target device in an operation phase of a manufacturing lifecycle of the target device in a cryptographic manager (CM) environment. One implementation includes a Root Authority (RA) device that receives a command to create a Module and executes a Module Template to generate the Module in response to the command. The Module is deployed to an Appliance device. A set of instructions of the Module, when executed by the Appliance device, results in a secure construction of a sequence of operations to securely provision a data asset to the target device. The Appliance device is configured to distribute the data asset to a cryptographic manager (CM) core of the target device. | 11-12-2015 |
20150326577 | ACCELERATED APPLICATION AUTHENTICATION AND CONTENT DELIVERY - A samples service is configured to provide accelerated application authentication and content delivery. A proof of identity of a client application is exchanged with credentials that are used to authenticate the client application to a content provider. Samples of documents from the content provider are selected based on a contextual information of the client application to provide it with customized content. Static data associated with the samples are provided instead of dynamic data that is resource intensive to generate. | 11-12-2015 |
20150333909 | INFORMATION PROCESSING SYSTEM AND INFORMATION PROCESSING METHOD - An information processing system is provided in which a first information processing apparatus generates a hash value of predetermined information when authentication is successfully performed with respect to information transmitted from a client apparatus, generates encrypted data by encrypting the hash value using a first encryption key, and transmits the encrypted data and the predetermined information to a client apparatus. A second information processing apparatus receives a request including the encrypted data and the predetermined information that is transmitted from the client apparatus, decrypts the encrypted data using a second encryption key that is the same as the first encryption key or forms a pair with the first encryption key, generates a hash value of the predetermined information included in the received request, compares the decryption result with the generated hash value, and executes a process in response to the request according to the comparison result. | 11-19-2015 |
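A worked instance of the hash-then-encrypt check in the entry above, added here and not taken from the patent. It makes two assumptions to expose a failure mode: the first and second keys are the same symmetric key, and the "encryption" is a stream cipher (a hypothetical HMAC-SHA256 counter keystream XORed over the hash, with the nonce assumed to travel alongside the token). Under those assumptions a client that knows the predetermined information can recover the keystream and re-mask the hash of altered information without the key; the same block shows a keyed MAC over the information, which the attacker cannot forge. When the two keys instead form an asymmetric pair, the construct is essentially a signature and this particular forgery does not apply.

```python
import hashlib
import hmac
import os

# Added example, not the patent's code. It models the scheme with two
# assumptions: the first and second keys are the same symmetric key, and
# "encryption" is a stream cipher (keystream XORed over the hash). The
# keystream generator is a hypothetical HMAC-SHA256 counter construction
# used only to make the point; the nonce is assumed to travel with the token.

DIGEST_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def issue_encrypted_hash(key: bytes, nonce: bytes, info: bytes) -> bytes:
    """First apparatus: hash the predetermined info and encrypt the hash."""
    return xor_bytes(hashlib.sha256(info).digest(), keystream(key, nonce, DIGEST_LEN))


def verify_encrypted_hash(key: bytes, nonce: bytes, info: bytes, enc: bytes) -> bool:
    """Second apparatus: decrypt, rehash the received info, compare in constant time."""
    recovered = xor_bytes(enc, keystream(key, nonce, DIGEST_LEN))
    return hmac.compare_digest(recovered, hashlib.sha256(info).digest())


def forge_encrypted_hash(info: bytes, enc: bytes, new_info: bytes) -> bytes:
    """Keyless attacker: enc XOR H(info) reveals the keystream, which re-masks H(new_info)."""
    ks = xor_bytes(enc, hashlib.sha256(info).digest())
    return xor_bytes(hashlib.sha256(new_info).digest(), ks)


def issue_mac(key: bytes, info: bytes) -> bytes:
    """Hardened form: a keyed MAC over the info instead of an encrypted hash."""
    return hmac.new(key, info, hashlib.sha256).digest()


def verify_mac(key: bytes, info: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(issue_mac(key, info), tag)


def demo(info: bytes, tampered: bytes) -> dict:
    """Returns which verifier accepts client-tampered 'info'."""
    key = os.urandom(32)
    nonce = os.urandom(16)
    enc = issue_encrypted_hash(key, nonce, info)
    forged = forge_encrypted_hash(info, enc, tampered)
    tag = issue_mac(key, info)
    return {
        "legit_encrypted_hash": verify_encrypted_hash(key, nonce, info, enc),
        "forged_encrypted_hash": verify_encrypted_hash(key, nonce, tampered, forged),
        "legit_mac": verify_mac(key, info, tag),
        "tampered_mac": verify_mac(key, tampered, tag),
    }


if __name__ == "__main__":
    print(demo(b"user=alice;role=user", b"user=alice;role=admin"))
```

The lesson for anyone implementing an abstract like this one: an encrypted hash only provides integrity if the cipher is non-malleable or the key is asymmetric; with a shared key, an HMAC (or an AEAD tag) over the predetermined information is the construction to reach for.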
20150341174 | Relational Encryption - A method includes receiving a first linearity ciphertext that represents a first biometric template encrypted using a relational linearity encryption scheme. The method includes receiving a second linearity ciphertext that represents a second biometric template encrypted using the relational linearity encryption scheme. The method includes discovering a linearity relationship between the first and second linearity ciphertexts using a linearity relational secret key. The method includes receiving a first proximity ciphertext that represents the first biometric template encrypted using a relational proximity encryption scheme. The method includes receiving a second proximity ciphertext that represents the second biometric template encrypted using the relational proximity encryption scheme. The method includes detecting a proximity between the first and second proximity ciphertexts in terms of a Hamming distance using a proximity relational secret key and authenticating an identity of a user based upon the proximity and the linearity relationship. | 11-26-2015 |
20150347734 | Access Control Through Multifactor Authentication with Multimodal Biometrics - A system is provided in which a person may use a Cellular (Mobile) Telephone, a PDA or any other handheld computer to make a purchase. This is an example only. The process may entail any type of transaction which requires authentication, such as any financial transaction, any access control (to account information, etc.), and any physical access scenario such as doubling for a passport or an access key to a restricted area (office, vault, etc.). It may also be used to conduct remote transactions such as those conducted on the Internet (E-Commerce, account access, etc.). In the process, a multifactor authentication is used. | 12-03-2015 |
20150349957 | ANTIALIASING FOR PICTURE PASSWORDS AND OTHER TOUCH DISPLAYS - Antialiasing for picture passwords and other touch displays is disclosed. In some embodiments a client device for authenticating a user is operable to obtain a sequence of input actions for an image and obtain a partial hash from a Proof of Knowledge (PoK) server where the partial hash is part of a hash used for authentication of the user. The client device is also operable to calculate a hash for the sequence and determine if a part of the hash matches the partial hash. If the part of the hash matches the partial hash, the client device sends a communication to the PoK server to authenticate the user based on the hash for the sequence of the one or more input actions and obtain a response indicating whether the user is authenticated. In this way, sending some hashes to the proof of knowledge server may not be necessary, saving resources. | 12-03-2015 |
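An added illustration of the partial-hash prefilter in the entry above, not code from the patent. It assumes a picture password is a sequence of taps on a 4x4 grid hashed as SHA-256 of the cell indices with no per-user salt, and that the Proof of Knowledge server releases the first byte of that hash as the partial hash; the grid size, sequence length and prefix width are chosen for the demonstration. The client-side check saves a round trip exactly as described, but the same prefix lets anyone who obtains it discard most of the password space offline, which is the trade-off a practitioner should weigh before choosing the prefix width.

```python
import hashlib
import itertools

# Added example, not the patent's code. Assumptions: a picture password is a
# sequence of taps on a 4x4 grid, hashed as SHA-256 of the cell indices (no
# per-user salt), and the PoK server hands the client the first byte of that
# hash as the "partial hash". Grid size, sequence length and prefix width are
# illustrative choices.

GRID_CELLS = 16
SEQ_LEN = 3
PREFIX_BYTES = 1


def hash_sequence(seq: tuple) -> bytes:
    return hashlib.sha256(bytes(seq)).digest()


def partial_hash(seq: tuple) -> bytes:
    """What the PoK server releases to the client before any round trip."""
    return hash_sequence(seq)[:PREFIX_BYTES]


def client_should_send(candidate: tuple, partial: bytes) -> bool:
    """Client-side prefilter: only a sequence whose hash prefix matches goes to the server."""
    return hash_sequence(candidate)[:PREFIX_BYTES] == partial


def offline_survivors(partial: bytes) -> list:
    """Attacker holding the partial hash: enumerate the whole space offline, keep matches."""
    space = itertools.product(range(GRID_CELLS), repeat=SEQ_LEN)
    return [s for s in space if client_should_send(s, partial)]


def analyze(secret: tuple) -> dict:
    """How much of the password space the released prefix eliminates for this secret."""
    partial = partial_hash(secret)
    survivors = offline_survivors(partial)
    total = GRID_CELLS ** SEQ_LEN
    return {
        "total": total,
        "survivors": len(survivors),
        "secret_survives": secret in survivors,
        "prefix_bits": 8 * PREFIX_BYTES,
    }


if __name__ == "__main__":
    print(analyze((3, 7, 12)))
```

With a one-byte prefix roughly 1 in 256 candidates survive, so the server still sees only matching guesses, but an attacker who captures the prefix has done 8 bits of the work offline; a per-user salt folded into the hash does not change that ratio, it only prevents the survivors from being precomputed across users.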
20150350209 | AUTHORITY DELEGATION SYSTEM, METHOD, AUTHENTICATION SERVER SYSTEM, AND STORAGE MEDIUM THEREFOR - There is provided an authority delegation system capable of issuing, in a case where an identifier of a user is associated with an identifier of a client, authority information indicating that an authority of the user has been delegated to the client without receiving an instruction for authorizing the authority of the user on the service to be delegated to the client. | 12-03-2015 |
20150365413 | Secure Configuration of Authentication Servers - Embodiments of the invention are directed to automatically populating a database of names and secrets in an authentication server by sending one or more lists of one or more names and secrets by a network management software to an authentication server. Furthermore, some embodiments provide that the lists being sent are encrypted and/or embedded in otherwise inconspicuous files. | 12-17-2015 |
20150365826 | Methods, Systems and Apparatus to Pair Medical Devices to an In-Body Network - Methods, apparatus, systems and articles of manufacture are disclosed to pair devices to an in-body network. An example apparatus disclosed herein includes a device capability manager to identify remote sensors associated with a candidate medical device, an encryption engine to provide the candidate medical device with hashing instructions to be applied to input values from selected ones of the remote sensors, a measurement engine to acquire input values from local sensors corresponding to the selected ones of the available remote sensors during a measurement schedule, the encryption engine to apply the hashing instructions to the input values from the local sensors, and a pairing engine to authorize the candidate medical device when an encryption key associated with the remote sensors includes a threshold indication of parity with an encryption key associated with the local sensors. | 12-17-2015 |
20150372814 | METHOD TO MANAGE MODIFICATION OF ENCRYPTION CREDENTIALS - A method to manage modification of encryption credentials for an encryption server. The encryption server is used to encrypt data uploaded by a user after provision of user encryption credentials associated with an encryption account. The data is encrypted by using a user encryption key stored in a cloud storage server. | 12-24-2015 |
20150381366 | METHODS AND APPARATUSES FOR BINDING TOKEN KEY TO ACCOUNT - A method for binding a token key to an account is provided. The method includes: sending a binding request message including information regarding the account, for a security authentication server to generate a certification link and a first token key corresponding to the account; receiving the certification link and the first token key from the server; generating display information based on the certification link and the first token key; receiving encrypted information from the server, wherein the encrypted information is generated according to the first token key and included in an access request message from a mobile terminal to the server; obtaining a second token key based on the encrypted information; determining that the second token key matches the first token key; and sending a binding success message to the server. | 12-31-2015 |
20150381584 | SELECTIVELY PERFORMING MAN IN THE MIDDLE DECRYPTION - An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies. | 12-31-2015 |
20150381610 | LOCATION-BASED DATA SECURITY - In an example, a system and method are disclosed for location-based security for devices such as portable devices. A portable device may be provided with a short-range transceiver (such as RFID) that is detectable when a user enters or exits an area. The device may also include an encrypted storage divided into a plurality of discrete units. Upon entering an area, the device's identity and location are provided to a policy server. In response, the policy server may wirelessly provide security tokens to the portable device that enable decryption of specific storage units authorized for access in that area. When a user passes back through a portal out of the area, the security tokens are revoked, so that access to secured units of the storage is restricted. | 12-31-2015 |
20160006715 | SYSTEM AND METHOD FOR OBTAINING ELECTRONIC CONSENT - A system for obtaining electronic consent whereby a user provides consent through a mobile device. In the system the mobile device is electronically connected to a central computing system. The central computing system generates the consent forms that are transmitted over the communication link to the mobile device. After inputting a unique password, the user is then able to review and attest to the documents provided on the mobile device. Upon completion, the documents are then transmitted back to the central computing device where they are reviewed for completeness and accuracy. The authorized documents are then filed in a secure electronic file. The mobile device is then purged of all personal data in order to maintain the integrity of the personal information. | 01-07-2016 |
20160007197 | SERVICE ACTIVATION USING ALGORITHMICALLY DEFINED KEY - Systems and methods for service activation using algorithmically defined keys are disclosed. A consumer who has a relationship with a first party may wish to enroll in a service provided by a third party. The first party can maintain control of such enrollments through the use of algorithmically defined keys. The algorithmically defined keys also allow the third party service provider to verify that data provided by the consumer matches data stored by the first party. The verification provides for data synchronization without requiring the third party to have access to the first party's data systems. | 01-07-2016 |
20160013942 | Identity Verification Using Key Pairs | 01-14-2016 |
20160037343 | SIMPLIFIED LOGIN FOR MOBILE DEVICES - Aspects of the subject matter described herein relate to a simplified login for mobile devices. In aspects, on a first logon, a mobile device asks a user to enter credentials and a PIN. The credentials and PIN are sent to a server which validates user credentials. If the user credentials are valid, the server encrypts data that includes at least the user credentials and the PIN and sends the encrypted data to the mobile device. In subsequent logons, the user may logon using only the PIN. During login, the mobile device sends the PIN in conjunction with the encrypted data. The server can then decrypt the data and compare the received PIN with the decrypted PIN. If the PINs are equal, the server may grant access to a resource according to the credentials. | 02-04-2016 |
20160050068 | SYSTEM AND METHOD FOR PERFORMING KEY RESOLUTION OVER A CONTENT CENTRIC NETWORK - A key-resolution service (KRS) can facilitate a client device in verifying that Content Objects are signed by a trusted entity. During operation, the KRS service can receive an Interest that includes a KRS query for a content name that is to be resolved. The KRS service obtains the content name from the Interest, and obtains a KRS record that includes security information for the content name or a prefix of the content name. The KRS service then returns a Content Object whose payload includes the KRS record to satisfy the first Interest. The client device can query the KRS service to obtain a trusted key associated with at least a name prefix of the Content Object, and if necessary, can disseminate Interests to obtain keys that complete a chain of trust between the trusted key and a key that is used to authenticate the Content Object. | 02-18-2016 |
20160065370 | METHODS FOR SECURE CRYPTOGRAM GENERATION - Embodiments of the invention introduce efficient methods for securely generating a cryptogram by a user device, and validating the cryptogram by a server computer. In some embodiments, a secure communication can be conducted whereby a user device provides a cryptogram without requiring the user device to persistently store an encryption key or other sensitive data used to generate the cryptogram. For example, the user device and server computer can mutually authenticate and establish a shared secret. Using the shared secret, the server computer can derive a session key and transmit key derivation parameters encrypted using the session key to the user device. The user device can also derive the session key using the shared secret, decrypt the encrypted key derivation parameters, and store the key derivation parameters. Key derivation parameters and the shared secret can be used to generate a single use cryptogram key. The cryptogram key can be used to generate a cryptogram for conducting secure communications. | 03-03-2016 |
20160070894 | AUTHENTICATION METHOD AND SYSTEM USING PASSWORD AS THE AUTHENTICATION KEY - A computer implemented user authentication method, according to which a mobile application is installed on the mobile terminal device of the user and, when the user inputs his username and password, the mobile application creates a private and public encryption key pair and encrypts the password with the public key. Data including the encrypted password, the username and the public key is sent to a dedicated server and stored there as an encrypted file under the username, along with information required for contacting the user's mobile terminal device. The user selects, and enrolls in, an advanced authentication mechanism, which creates an authentication key for validating the identity of the user and encrypting the private key. The encrypted private key is stored on the user's terminal device. Upon launching the mobile application, the user selects a preferred advanced authentication mechanism, which returns an authentication key upon successful authentication of the user. The authentication key is used to decrypt the encrypted private key. Then the encrypted password for the user is retrieved and the private key is used to decrypt the user's password. The user's username and password are then forwarded to the mobile application to complete the authentication. | 03-10-2016 |
20160072785 | INITIALIZATION AND REGISTRATION OF AN APPLICATION - A public/private key pair is generated on a client device for an application. A device identifier for the client device is generated. An application identifier for the application is generated on the client device. At least one of the public key, the device identifier, and the application identifier are transmitted to a server. | 03-10-2016 |
20160080326 | SYSTEM AND METHOD FOR SECURE AUTHENTICATION - A system and method for secure authentication performed on a mobile communication device. The method includes an authentication application carrying out the steps of: receiving a unique identifier for a transaction from a first application provided on the same mobile communication device as the authentication application; receiving an encrypted transaction from a remote secure server; decrypting or obtaining decryption of the transaction with a private key of the authentication application; signing or obtaining signing of the transaction with the private key; signing the transaction with the unique identifier; and transmitting the signed transaction back to the remote secure server. | 03-17-2016 |
20160080330 | Broadband Certified Mail - The present invention provides a system and method for providing certified voice and/or multimedia mail messages in a broadband signed communication system which uses packetized digital information. Cryptography is used to authenticate a message that has been compiled from streaming voice or multimedia packets. A certificate of the originator's identity and electronic signature authenticates the message. A broadband communication system user may be provisioned for certified voice and/or multimedia mail by registering with a certified mail service provider and thereby receiving certification. The called system user's CPE electronically signs the bits in received communication packets and returns the message with an electronic signature of the called system user to the calling party, along with the system user's certificate obtained from the service provider/certifying authority during registration. The electronic signature is a cryptographic key of the called party. | 03-17-2016 |
20160094540 | Distributed Single Sign-On - Methods and apparatus are provided for authenticating user computers | 03-31-2016 |
20160099919 | SYSTEM AND METHOD FOR PROVIDING A SECURE ONE-TIME USE CAPSULE BASED PERSONALIZED AND ENCRYPTED ON-DEMAND COMMUNICATION PLATFORM - A secure one-time use capsule based personalized and encrypted on-demand communication platform enables encrypted personalized secure on-demand stateless single-use capsuled communication channels over the Internet. Using the personalized capsuled secure communication system, a greater degree of communication security can be achieved than in the existing conventional methods. In one embodiment, the personalized capsuled secure communication system includes a capsule infrastructure system ( | 04-07-2016 |
20160112384 | SECURE REMOTE DESKTOP - A method for communication includes receiving in a secure installation via a network from a remote user terminal an input comprising a stream of symbols that has been encrypted using a preselected encryption key. The encrypted stream of symbols is decoded in the secure installation using a decryption key corresponding to the preselected encryption key, to produce a clear stream of symbols. A computer program running on a processor in the secure installation is used in processing the symbols in the clear stream and generating a graphical output in a predefined display format in response to processing the symbols. The graphical output is outputted from the secure installation to the network in an unencrypted format for display on the remote user terminal. | 04-21-2016 |
20160119335 | METHODS AND SYSTEMS FOR DISTRIBUTING CRYPTOGRAPHIC DATA TO AUTHENTICATED RECIPIENTS - A method includes receiving, by an access control management system, from a first client device, information associated with an encrypted data object. The access control management system receives, from a second client device, a request for the information. The access control management system verifies that a user of the second client device is identified in the received information. The access control management system selects an identity provider, based on a user identifier included in the received information, the user identifier associated with the user of the second client device. The access control management system requests from the selected identity provider, authentication of the user of the second client device. The access control management system sends, to the second client device, the received information. The access control management system stores an identification of at least one of the second client device and the received request for the information. | 04-28-2016 |
20160134421 | CREDENTIAL VALIDATION - A message to be signed and a base name point derived from a direct anonymous attestation (DAA) credential may be provided to a device. A signed version of the message and a public key value associated with the base name point may be received in response. Thereafter, the DAA credential may be determined to be valid based on the signed version of the message. | 05-12-2016 |
20160149698 | Method for generating a key in a network and users configured for this purpose - A method for generating a shared key between two users of a network. The two users respectively have at least one clock as well as an arrangement for detecting a certain surroundings variable. The two users detect the certain surroundings variable synchronously at respectively predefined points in time or start a detection of a course of the surroundings variable. Finally, the two users respectively generate the shared key taking values detected in this manner for the surroundings variable into account. | 05-26-2016 |
20160149705 | Supporting the decryption of encrypted data - A first installation stores a secret key of a user and a second installation provides encrypted data for the user. In order that a user apparatus can decrypt the encrypted data, the apparatus creates a one-time password, encrypts the one-time password by means of a public key of the first installation and causes the second installation to retrieve the secret key of the user from the first installation by means of the encrypted one-time password and a key identification allocated to the user in the second installation. The first installation decrypts the one-time password, searches for the secret key based on the key identification, encrypts it with the one-time password and transmits the encrypted secret key to the apparatus via the second installation. There, the secret key of the user is decrypted by means of the one-time password and is used for decrypting the encrypted data. | 05-26-2016 |
20160156471 | LEARNING A NEW PERIPHERAL USING A SECURITY PROVISIONING MANIFEST | 06-02-2016 |
20160164679 | CONFIDENTIAL DATA IDENTIFICATION SYSTEM - A computerized method and apparatus are established to identify confidential data of common interest among multiple parties without releasing the confidential data. Furthermore, a computerized network provides different parties at different locations with a mechanism to conduct cooperative activities concerning such confidential data of common interest without exposing that confidential data to possible identity theft. | 06-09-2016 |
20160164680 | AN IDENTIFICATION TOKEN - An approach for obtaining and applying an identification token is provided. One approach includes obtaining one or more tokens for screening incoming communication items to a first user, encrypting the one or more tokens to create respective one or more encrypted tokens, and providing the one or more encrypted tokens to one or more second users for subsequent use in communication to the first user to enable the first user to screen incoming communication items. Another approach includes receiving an indication of one or more incoming communication items addressed to a first user and an encrypted token associated with one or more identifiers characterizing the one or more communication items, decrypting the encrypted token to derive a decrypted token to enable verification of the token, and applying a predetermined rule based on the outcome of the verification to screen incoming communication items. | 06-09-2016 |
20160164849 | Technologies For Synchronizing And Restoring Reference Templates - Generally, this disclosure describes technologies for restoring and/or synchronizing templates such as biometric templates to/among one or more client devices. In some embodiments one or more client devices may register with a synchronization server and provide encrypted copies of their reference templates to the server. In a restoration operation, the synchronization server may provide an encrypted copy of a client's reference template(s) to the client, which may decrypt them in a protected environment. In a synchronization operation, the synchronization server may provide an encrypted copy of a first client's template(s) to a plurality of second clients. The second clients may then decrypt the encrypted template(s) within a protected environment using an appropriate decryption key. | 06-09-2016 |
20160173498 | IDENTITY AUTHENTICATION SYSTEM, APPARATUS, AND METHOD, AND IDENTITY AUTHENTICATION REQUEST APPARATUS | 06-16-2016 |
20160182237 | METHOD AND SYSTEM FOR PROVIDING A WAY TO VERIFY THE INTEGRITY OF A DOCUMENT | 06-23-2016 |
20160191244 | METHOD AND APPARATUS FOR SECURING A MOBILE APPLICATION - Methods, apparatus, and systems for personalizing a software token using a dynamic credential (such as a one-time password or electronic signature) generated by a hardware token are disclosed. | 06-30-2016 |
20160197913 | METHOD OF USING SYMMETRIC CRYPTOGRAPHY FOR BOTH DATA ENCRYPTION AND SIGN-ON AUTHENTICATION | 07-07-2016 |
20160205098 | IDENTITY VERIFYING METHOD, APPARATUS AND SYSTEM, AND RELATED DEVICES | 07-14-2016 |
20160254904 | NETWORK SERVICES VIA TRUSTED EXECUTION ENVIRONMENT | 09-01-2016 |
20160254913 | SYSTEM AND METHOD FOR SECURE RELEASE OF SECRET INFORMATION OVER A NETWORK | 09-01-2016 |
20160255069 | CONTEXT SENSITIVE DYNAMIC AUTHENTICATION IN A CRYPTOGRAPHIC SYSTEM | 09-01-2016 |
20160255080 | Authenticating Cloud Computing Enabling Secure Services | 09-01-2016 |
20160381001 | METHOD AND APPARATUS FOR IDENTITY AUTHENTICATION BETWEEN SYSTEMS - Embodiments of the disclosure provide a method and apparatus for identity authentication between systems. The method includes: upon receiving, from a first system, a message in which a user requests to log onto the first system, determining, by an authorization center, whether the user can be authorized to log onto the first system and, upon determining that the user can log onto the first system, sending to the first system encrypted information into which user information of the user is encrypted; and upon receiving, from a second system, a message in which the user requests to log onto the second system, if the message carries the encrypted information, decrypting, by the authorization center, the encrypted information in the case that the second system is determined to be a trusted system of the first system, and returning the decrypted user information to the second system. | 12-29-2016 |
20180026787 | METHODS FOR SECURE CRYPTOGRAM GENERATION | 01-25-2018 |
20190149329 | NETWORK AUTHENTICATION METHOD, AND RELATED DEVICE AND SYSTEM | 05-16-2019 |
20190149335 | AUTHENTICATION APPARATUS USING VISUAL CRYPTOGRAPHY AND METHOD THEREOF | 05-16-2019 |
20190149610 | VIN ESN SIGNED COMMANDS AND VEHICLE LEVEL LOCAL WEB OF TRUST | 05-16-2019 |
20220141024 | CALL CENTER WEB-BASED AUTHENTICATION USING A CONTACTLESS CARD - Systems, methods, articles of manufacture, and computer-readable media. A server may receive a phone call and generate a uniform resource locator (URL) comprising a session identifier for an account. The server may transmit the URL to a client device. The server may receive, from a web browser, a request comprising the URL. The server may determine that the session identifier in the URL of the request matches the session identifier for the account, and transmit, to the web browser, a web page at the URL. The server may receive, from the web browser, a cryptogram read by the web page via a card reader of the client device and decrypt the cryptogram. The server may authenticate the identity of the caller for the call based on decrypting the cryptogram and the session identifier of the URL matching the session identifier of the account. | 05-05-2022 |