Total found: 2384. Displayed: 200.

16-06-2023 publication date

System and method for securing IoT devices by installing security components

Number: RU2798178C1

The invention relates to information security technologies for IoT devices, and more specifically to systems and methods for installing security components on IoT devices. The technical result of the present invention is increased security of IoT devices through the installation of security components on IoT devices in a network. The technical result is achieved by a system and method in which information about the device's interaction with another device, a service and a server is obtained; the category of the device and the category of the device's user are determined through interaction with a security service; depending on the determined categories of the device and its user, the security component that needs to be installed on the device is identified; and the security component is installed on the device. 2 independent and 12 dependent claims, 4 figures.

07-10-2021 publication date

Modified interfaces with password-protected memory access

Number: DE102020109313A1

The invention relates to interfaces for testing integrated circuits and/or for testing microsystems. The interfaces and/or the integrated circuit and/or the microsystem have a protected memory area (MEM). The interfaces have memory access logic (MAL) that controls access to the protected memory. The interfaces comprise a customer password register (CPWR) and a password register (PWR). The customer password register (CPWR) contains a customer password. The password register (PWR) can be written with a password via one of the interfaces. Access to the protected memory area (MEM) through the memory access logic (MAL) is only possible if the customer password in the customer password register (CPWR) matches the password in the password register (PWR) in a predetermined manner.

13-08-2015 publication date

Method for a tap-proof smartphone

Number: DE102014001762A1

Six slots (2) with USB sockets (3) are mounted on a circuit board. A marketplace plug, consisting of a USB plug (4) on a plug-in board (5) measuring 3 cm deep and 2.5 cm wide, with a marketplace cover 6, can be fitted into each board. A marketplace (12) comprises several providers of applications (13) that require the same extension hardware (7), in our case a computer with GPS and the Android operating system. The hardware is a fully functional computer and has its own working memory and data storage. The example marketplace (12) is further characterised in that the applications (13) use the Bluetooth protocol to communicate with a second device. This second device is the smartphone (1) with processor (8), touchscreen, loudspeaker, etc. For each slot (2), the protocol of the marketplace plug is recorded in a list (9). As a result, a Bluetooth stack (10) is invoked as soon as a communication request ...

05-07-2018 publication date

Integrated second-factor authentication

Number: DE202017106127U1
Assignee: Google LLC

A computing device comprising: a secure physical entity integrated in the computing device; physical structures communicatively connected to the secure physical entity by wires and/or wireless near-field communication (NFC) transmission; one or more processors; and one or more computer-readable storage media having instructions thereon that, in response to execution by the one or more processors, perform operations comprising: receiving a combination of physical selections made through the physical structures, the physical selections being received through the wires and/or wireless NFC transmission; determining, based on the combination of physical selections, that a person is in possession of the secure physical entity; and, in response to determining possession of the secure physical entity, indicating that the person is in possession of the secure physical entity and/or enabling access to a resource ...

30-10-2019 publication date

Indirect control flow instructions and inhibiting data value speculation

Number: GB0002573176A

Input data 900 is received, e.g. by a compiler, and a sequence of instructions for execution by a processing circuitry is outputted. The sequence comprises an indirect control flow instruction 910 comprising a field indicating where a target of the instruction is stored. The sequence comprises at least one instruction to store a state of control-flow speculation (sstate) after execution of the indirect control flow instruction. This way it can be determined whether the destination of the branch was correct. An instruction in the sequence, e.g. an access instruction, is inhibited from being subject to data value speculation, e.g. via a CSDB barrier. Indirect control flow instruction 910 comprises a multi-target branch instruction, e.g. a switch statement, and a variable i for determining the target. Sstate indicates whether control-flow speculation occurred correctly by determining at each target whether the value of variable i corresponds to the associated target. Secure data leaks by side-channel ...

23-05-2017 publication date

DISTRIBUTION CHANNEL LOSS PROTECTION FOR ELECTRONIC DEVICES

Number: CA0002682879C
Inventor: STEVENS, JON, STEVENS JON

An electronic device, prior to entering a distribution channel, is equipped with a Loss Prevention Client which permits limited use of the device until correct authentication is provided by a legitimate purchaser. By permitting limited use before authentication, the device remains both useful to a legitimate purchaser and valuable to a thief. While allowing operation in the possession of a thief, options can be provided to permit tracking of the device or to allow proper purchase of the device.

30-08-2013 publication date

Portable device for encrypting/decrypting and/or compressing/decompressing data

Number: CH0000706159A2
Inventor: BARBIERO MICHELE

The invention relates to a portable device (100) for encrypting/decrypting and/or compressing/decompressing data, comprising: an outer casing (2); at least one CPU; at least one cryptographic authentication support chip (4); at least one first data input/output port (5) adapted to be interfaced with external devices; at least one second data input/output port (6) adapted to be interfaced with external devices.

31-05-2017 publication date

Portable device for encrypting/decrypting and/or compressing/decompressing data

Number: CH0000706159B1
Assignee: QUANTEC SA, Quantec SA

The present invention relates to a portable device (100) for encrypting/decrypting and/or compressing/decompressing data, comprising: an outer casing (2); at least one CPU (3); at least one cryptographic authentication support chip (4); at least one first data input/output port (5) adapted to be interfaced with external devices; at least one second data input/output port (6) adapted to be interfaced with external devices.

21-01-2015 publication date

Embedded device firmware protecting method and device

Number: CN104298935A
Inventor: ZHEN WENXIAN, CHEN QIAN

The invention discloses an embedded device firmware protecting method and device. The firmware content is reduced to a character string; whether the firmware content has been tampered with is judged by comparing the written-in character string with the character string used during compiling, and a protective measure is taken when the written-in character string has been tampered with. Risks caused by tampered firmware content are avoided, firmware security is improved, and the method and device have the advantages of being simple and efficient.

21-12-2011 publication date

Write filtering technology based on a magnetic disk protection system

Number: CN0102289624A

08-12-2020 publication date

Control device

Number: CN0107341085B

06-11-2020 publication date

THE INVENTION CONCERNS A SECURE ELECTRONIC CIRCUIT BY DISTURBANCE OF ITS POWER SUPPLY.

Number: FR0003065556B1

28-02-2020 publication date

DIAGNOSTIC TOOL CALCULATOR

Number: FR0003078791B1

27-04-2018 publication date

METHOD FOR AUTHENTICATING A PROVING DEVICE, E.G. A SMART CARD, REGISTRATION IN TESTER

Number: FR0003058014A1
Assignee: SAFRAN IDENTITY & SECURITY

The invention relates to a method for authenticating a prover device with a verifier device, comprising the following steps carried out by the verifier device: • sharing a secret key and input data with the prover device, with a view to the prover device carrying out a reference processing operation on the input data and the secret key, such that the prover device emits a physical signal carrying side-channel information relating to the execution of the reference processing by the prover device; • acquiring the physical signal; • carrying out the reference processing at least once on the input data and the secret key; • rejecting or not rejecting the prover device depending on the execution of the processing and the acquired physical signal, wherein the reference processing comprises the sub-steps of: • generating intermediate data from a first of the input data ...

20-10-2017 publication date

ELECTRONIC CHIP

Number: FR0003050317A1
Assignee: STMICROELECTRONICS (ROUSSET) SAS

The invention relates to an electronic chip comprising: a plurality of first semiconductor bars of a first conductivity type and second semiconductor bars of a second conductivity type, arranged alternately and contiguously on a region (3) of the first conductivity type; two detection contacts (17) arranged at the ends of each second bar; a circuit (19) for detecting the resistance between the detection contacts of each second bar; isolation trenches (11) extending into the second bars to a first depth between circuit elements; and isolation walls (32) extending across the entire width of each second bar to a second depth greater than the first depth.

25-12-2015 publication date

METHOD AND DEVICE FOR PRODUCING FUNCTION BY A MICROCIRCUIT

Number: FR0003011656B1
Inventor: CHAMLEY OLIVIER
Assignee: OBERTHUR TECHNOLOGIES

27-03-2020 publication date

METHOD FOR ACTIVATING A SERVICE, METHOD FOR ACTIVATING A FIRE HYDRANT, RELATED DEVICE AND SYSTEM

Number: FR0003086419A1

13-03-2020 publication date

METHOD FOR SECURING THE USE OF AN APPARATUS OPERATING WITH AN ACCESSORY OR A CONSUMABLE

Number: FR0003085772A1

25-03-2016 publication date

SYSTEM AND METHOD FOR SECURING AN ELECTRONIC CIRCUIT

Number: FR0003026253A1

The invention relates to a system (1) for securing an electronic circuit (2) comprising several regions (Z1-Z2, Z4-Z6), the activity of each of which can be controlled, comprising a plurality of sensors (S1-Sm) integrated into the electronic circuit, each sensor being sensitive to manufacturing process variations and capable of providing a measurement representative of a local activity of the electronic circuit, characterised in that it comprises a processing unit comprising an integrity verification module configured to: - determine, from the measurements provided by the sensors and for each of the regions, a partition of the sensors into sensors affected and sensors not affected by activation of the region; - compare each of the partitions with a model partition in order to detect the possible presence of a hardware Trojan capable of infecting the electronic circuit. The system can also authenticate the electronic circuit by means of ...

29-07-2005 publication date

Computer system, has group of system resources that is compatible with and under control of computer device when it is connected to system, where set of temporary data stored on system units is deleted, when device is disconnected

Number: FR0002865594A1

The invention relates to a computer system (1) comprising display means (10) and/or input means (11) and/or means (12) for connecting to storage means and/or means (13) for connecting to a telecommunications network (14), characterised in that it comprises means (100) capable of being connected to a device comprising a microprocessor, means forming random-access memory and means forming non-volatile memory, all the means of the computer system (1) being, on the one hand, compatible with the means of the device and under the control of the device when the latter is connected to the system (1), and all the temporary data stored on means of the system being, on the other hand, erased when the device is disconnected from the system. The invention also relates to a device compatible with the system and to a method of using the system and the device.

26-10-2018 publication date

AN INTRUSION DETECTION SYSTEM

Number: FR0003046480B1
Assignee: THALES, THALES SA

08-07-2019 publication date

Number: KR0101997254B1

20-12-2016 publication date

Control of bandwidth allocation in a system on chip

Number: KR0101682980B1
Assignee: Intel Corporation

... In one embodiment, a fabric of a processor such as a system on chip (SoC) includes at least one data buffer including a plurality of entries, each to store data passed to and from a plurality of agents and to and from a memory; a request tracker to maintain tracking of pending requests to be output to an ordered domain of the fabric; and outbound throttle logic to control allocation into the ordered domain between write transactions from a core agent and read completion transactions from the memory. Other embodiments are described and claimed.

25-02-2015 publication date

Number: KR1020150019315A

01-11-2016 publication date

Method and apparatus for providing a security mechanism on a mobile device

Number: TW0201638827A

A method and apparatus for providing a security mechanism on a mobile device are described. The method (800) and apparatus (200) include determining (830) a location for a device having a distance from a first location, determining (850) if the distance is greater than a first threshold value, initiating (850) an operating condition if the distance exceeds the first threshold, including a security measure to prevent unauthorized use and initiating a security timer, determining (860) if the distance does not exceed a second threshold value after the distance has exceeded the first threshold value before the security timer reaches a time threshold, terminating (880) the at least one security measure if the distance from the first location does not exceed the second threshold value before the time threshold, and initiating a further operating condition if the distance exceeds the third threshold, including a second security measure that is more severe than the at least one first security measure ...

01-06-2015 publication date

Security architecture for using host memory in the design of a secure element

Number: TWI486772B
Inventor: BUER MARK, BUER, MARK
Assignee: BROADCOM CORP, BROADCOM CORPORATION

12-09-2014 publication date

EXECUTION PROFILE ASSEMBLY USING BRANCH RECORDS

Number: WO2014137324A1

Technologies for assembling an execution profile of an event are disclosed. The system and method may include recording a plurality of branch records, generating a first test event substantially identical to the event, verifying legitimacy of an owner of a code segment associated with the event, establishing an initial point of an execution chain associated with the event, establishing a final point of the execution chain associated with the event, analyzing branch records for an address associated with the code segment, installing a plurality of primary monitors within the execution chain associated with the event, and triggering the plurality of primary monitors.

17-06-2021 publication date

STREAMING TECHNIQUES

Number: WO2021116226A1

There are disclosed distributed playback, DP, techniques. For example, a DP master device (500) may: establish a local connection (520) with a plurality of DP client devices (600) and establish a remote connection (501) with a remote content provider (50), so as to receive a first encrypted media stream (504) from the remote content provider (50); decrypt the first encrypted media stream (504) to obtain a decrypted media stream (508); add DP information, DPI (510), to the decrypted media stream (508); encrypt the decrypted media stream (508, 514, 182') according to a second encryption standard to obtain a second encrypted stream (518, 189', 389'); additionally encrypt the DPI (510) in the second encrypted media stream (518, 189', 389') or add the DPI (510) to the encrypted media stream (518, 189', 389') in plaintext; and transmit an output media stream (518, 189', 389'), which is the second encrypted media stream (518, 189', 389'), to the plurality of DP client devices ...

17-03-2016 publication date

PROVIDING A TRUSTED EXECUTION ENVIRONMENT USING A PROCESSOR

Number: WO2016039880A1

In an embodiment, a system on a chip includes: a single core to execute a legacy instruction set, the single core configured to enter a system management mode (SMM) to provide a trusted execution environment to perform at least one secure operation; and a memory controller coupled to the single core, the memory controller to interface with a system memory, where a portion of the system memory comprises a secure memory for the SMM, and the single core is to authenticate and execute a boot firmware, and pass control to the SMM to obtain a key pair from a protected storage and store the key pair in the secure memory. Other embodiments are described and claimed.

18-05-2017 publication date

APPARATUS AND METHOD FOR PROTECTING ELECTRONIC DEVICE

Number: WO2017082567A1

A method for operating an apparatus according to various embodiments may comprise the operations of: detecting whether a first signal transmitted from a control device to a storage device includes a designated address; and transmitting a second signal to the control device when the first signal includes the designated address, wherein the first signal may be a signal by which the control device transmits a request for data to the storage device, and the second signal may be a signal for detecting whether uncommon data is included in a signal generated from the first signal.

13-06-2019 publication date

SECURED MEMORY

Number: WO2019111260A1

A hardware memory includes at least one memory cell, peripheral circuitry and randomization circuitry. The memory cell(s) store data, which may be written to, read from and held in the hardware memory. The peripheral circuitry reads and writes data to the memory cell(s) and may perform other functions necessary for facilitating the data read, write and hold. The randomization circuitry randomizes operations performed by the peripheral circuitry to reduce the correlation between the data and the current consumed by the hardware memory.

04-11-2021 publication date

MAGNETO-ELECTRIC SENSOR FOR HARDWARE TROJAN DETECTION

Number: WO2021222521A1

A sensing circuit for detecting hardware trojans in a target integrated circuit is provided. The sensing circuit includes an array of magnetic tunnel junction circuits, each magnetic tunnel junction circuit including one or more magnetic tunnel junctions. Characteristically, each magnetic tunnel junction circuit is configured to provide data for and/or determine a temperature map or a current map of the target integrated circuit.

06-10-2016 publication date

DETERMINATION OF SENSOR USAGE

Number: WO2016160219A1

Particular embodiments described herein provide for an electronic device that can receive a request from an application to access a sensor in a system, hook the request at a low level in the system, and log data related to the request. In an example, the request is hooked at a level below an operating system sensor application program interface in the system.

13-04-2021 publication date

Printer encryption

Number: US0010979215B2

Examples associated with printer encryption are described. One example printer includes a data store to store a one-time pad. An encryption module may encrypt a message using the one-time pad. The encryption module also transmits the encrypted message to a trusted device that stores a copy of the one-time pad. A decryption module uses the one-time pad to decrypt a message received from the trusted device. The decryption module also controls the printer to perform an action based on the received message. A refresh module replaces the one-time pad during a service event.

08-10-2002 publication date

Securing method for computer bus devices

Number: US0006463540B1

The invention relates to a security lock for devices connectable to a computer bus. The device receives from the computer information as to the owner of the computer, and compares the information it receives from the bus with information regarding the legitimate owner, which is permanently stored in the device. When the information received from the bus differs from the information stored in the device, the operation of the device is restricted. The invention prevents use of a device on a computer other than that of the legitimate owner. It discourages theft of the device.

25-09-2018 publication date

Instruction execution that broadcasts and masks data values at different levels of granularity

Number: US0010083316B2
Assignee: INTEL CORPORATION, INTEL CORP, Intel Corporation

An apparatus is described that includes an execution unit to execute a first instruction and a second instruction. The execution unit includes input register space to store a first data structure to be replicated when executing the first instruction and to store a second data structure to be replicated when executing the second instruction. The first and second data structures are both packed data structures. Data values of the first packed data structure are twice as large as data values of the second packed data structure. The execution unit also includes replication logic circuitry to replicate the first data structure when executing the first instruction to create a first replication data structure, and to replicate the second data structure when executing the second instruction to create a second replication data structure. The execution unit also includes masking logic circuitry to mask the first replication data structure at a first granularity and mask the second replication ...

06-09-2016 publication date

Embedded secure element for authentication, storage and transaction within a mobile terminal

Number: US0009436940B2

Various embodiments of the present invention relate to incorporating an embedded secure element into a mobile device, and more particularly, to systems, devices and methods of incorporating the embedded secure element into a mobile device for identity authentication, data storage and processing in trusted transactions. These trusted transactions require a high security level to protect sensitive data or programs in bank account management, purchase orders, contactless payment, passport verification, and many other high-security applications. The secure element provides a root of trust such that applications running on the mobile device are executed in a controlled and trusted environment. In addition to conventional password or encryption protection, alternative security features are introduced at both the software and hardware levels based on the embedded secure element. Therefore, the security level of the mobile device is not only enhanced, but may also potentially exceed that ...

15-11-2016 publication date

Sharing user-generated notes

Number: US0009495559B2
Assignee: Chegg, Inc., CHEGG INC

A method for sharing notes created in a multilayered document among users of a social network within a digital education platform is provided. In one embodiment, the digital education platform allows a user to create notes linked to a particular location in the document using a notepad application. Notes are aggregated and stored in the user's personal library on the digital education platform. When a user requests to share another user's notes and is granted access, the digital education platform retrieves the other user's notes and inserts the shared notes into the requesting user's existing notes associated with the document, based on their individual sharing attributes and metadata.

18-04-2017 publication date

Power and cost efficient peripheral input

Number: US0009628451B2
Assignee: Intel Corporation, INTEL CORP

Systems and methods may provide for receiving, at a controller of a first device having a host processor, user input data and converting the user input data into one or more packets. Additionally, the one or more packets may be sent to a wireless communication component of the first device. In one example, the one or more packets are sent to the wireless communication component while the host processor is in one or more of a sleep state or a low power state.

11-05-2021 publication date

Functional device and control apparatus

Number: US0011003801B2

A functional device that reliably prevents tampering performed through an external interface is provided, the functional device comprising an external interface which is accessible to an internal functional component. In the functional device, a coupling controller is provided between an external Flash terminal, which is an external interface, and an internal Flash memory. The coupling controller physically blocks the path between the external Flash terminal and the internal Flash memory after a Fuse is disconnected, except while a certification result held in a REG remains valid. The certification result is valid only while current is carried.

28-05-2024 publication date

Authentication of medical device computing systems by using metadata signature

Number: US0011995221B2
Assignee: Fresenius Medical Care Holdings, Inc.

Computer code embedded in an electronic component (e.g., a processor, a sensor, etc.) of a medical device, such as a dialysis machine, can be authenticated by comparing a metadata signature derived from the computer code of the electronic component to a key derived from a pre-authenticated code associated with the electronic component. The metadata signature can be derived by running an error-check/error-correct algorithm (e.g., SHA256) on the computer code of the electronic component. Use of the metadata signature enables detection of any unauthorized changes to the computer code as compared to the pre-authenticated code.

12-11-2014 publication date

METHOD FOR EXECUTING AN APPLICATION IN AN NFC DEVICE

Number: EP2801052A1

02-03-2018 publication date

RESTRICTED DRIVER PLATFORM THAT RUNS DRIVERS IN A SANDBOX IN USER MODE

Number: RU2646332C2

The invention relates to a method for executing a transform driver, implemented by a computing device. The technical result is increased reliability of the computing system by ensuring the safe operation of transform drivers. The method comprises the steps of: obtaining a transform driver contained in a driver package having a designated format associated with a driver security platform; recognising the designated format of the driver package at installation, based at least in part on identification data included in the driver package; in response to said recognition, registering the transform driver with the driver security platform implemented by the computing device; instantiating a restricted execution environment for the transform driver by means of the driver security platform; and executing the transform driver in the restricted execution environment to perform one or more tasks as directed by the platform ...

24-09-2021 publication date

ADDRESSING A TRUSTED EXECUTION ENVIRONMENT USING A SIGNING KEY

Number: RU2756040C2

The group of inventions relates to the field of information protection. The technical result is increased security. The system is configured to receive a request for protected data from a requesting party associated with a nested TrEE, together with a secure kernel attestation statement and a key certification statement, the nested TrEE containing a trusted application executing on top of the secure kernel, and the key certification statement binding the trusted application's public encryption key to the trusted application's ID; to retrieve the protected data from said system, in which secrets are stored, in response to the request; to encrypt the protected data with the trusted application's public encryption key; and to send the encrypted protected data to the requesting party. 3 independent and 17 dependent claims, 14 figures.

28-08-2024 publication date

Crypto module with external protection loop monitoring function

Number: RU2825749C1

The invention relates to a crypto module with a function for monitoring an external protection loop. The technical result is a higher level of protection against unauthorised access for the master device into which the crypto module is installed. The crypto module is equipped with an external protection loop, implemented as a battery-powered volatile memory installed under a protective cover and two contacts routed to the interface connector. The external protection loop is engaged by closing the contacts and issuing a command to the crypto module to enable the external protection loop; at that point the cryptographic keys are transferred from the volatile memory of the internal protection loop to the volatile memory of the external protection loop, and the cryptographic keys in the volatile memory of the internal protection loop are erased. As a result, when the contacts are opened, the cryptographic keys in the volatile memory of the external protection loop are erased. The command to the crypto module to enable the external protection loop is accompanied by setting a password, which is used when disabling the external protection ...

05-09-2013 дата публикации

Selection of access conditions for portable tokens

Номер: AU2008342657B2
Принадлежит:

The invention relates to a portable token (SC) comprising a capability query mechanism (CQM). The capability query mechanism (CQM) is set to inform entities (PC, MW) willing to communicate with the portable token (SC) of at least a subset of the command(s) (C) available in the portable token (SC). The portable token (SC) is arranged to set a flag when the capability query mechanism (CQM) is invoked. When a command (C) is called, the portable token (SC) enforces first access conditions (AC1) for the command (C) if the flag is set, or second access conditions (AC2) if the flag is cleared.

Publication date: 22-03-2018

A detection method based on k-nearest neighbor algorithm for system anomaly

Number: AU2018100222A4
Assignee: Gloria Li

Abstract: This invention is a way of detecting system exceptions using the K-nearest neighbor algorithm. The method converts the user system's instruction set into features and splits the data set into training data and testing data. Using K-nearest neighbor, it classifies the data sets and predicts the recognition results to estimate the system exceptions. If there are exceptions, it alerts the user. The method is easy to implement, with high accuracy and strong practicability. [Figures 1-3: per-user command feature extraction with labels; accuracy for different K and selection of K_opt; detection flow applying KNN with K_opt to new user data against history data, raising a warning on abnormal operation]

Publication date: 17-03-2016

Fire Containment Vessel

Number: AU2015218485A1

A fire containment vessel (1A), such as a bin for collecting paper from ATMs, containing a mechanical unity system (1) enabling the doors to move together, to remain closed unless opened, and to close immediately upon release of the door; a bottom opening (2) for emptying of the vessel contents, aligned with and cooperating with mesh door covers (3), preferably made of stainless steel mesh. The following arms (4) assist in the emptying action with the doors. Preferably the outer vessel shape is semi-circular (5). The vessel comprises metal construction (6) and is completely enclosed other than the intended use opening (7), positioned in front of the vessel for insertion into the vessel cavity. Optionally, the vessel may contain an extinguishing canister (8). [Figure 1]

Publication date: 17-01-2019

ASSEMBLIES, SYSTEMS AND METHODS FOR PROGRAMMING MEDICAL DEVICES

Number: CA0003069471A1
Assignee: MILTONS IP/P.I.

The present invention relates to medical device programming assemblies, systems and methods for programming a medical treatment parameter on a medical device, via a programming key. The programming key may be adapted to mate with the medical device which comprises a programmable, non-transitory, computer readable storage device. The storage device comprises a data connector which is configured to mate with a corresponding data connector on the medical device. The storage device may be affixed to a fastener coupling configured to mate with a corresponding coupling on the medical device when the data connector is brought into proximity with the corresponding data connector on the medical device. The programming key is configured to occupy a space formed within the medical device when the data connector and fastener coupling are mated with the corresponding data connector and fastener coupling of the medical device.

Publication date: 20-07-2017

A PRIVACY-PRESERVING, MUTUAL PUF-BASED AUTHENTICATION PROTOCOL

Number: CA0003011279A1

An authentication protocol using a Hardware-Embedded Delay PUF ("HELP"), which derives randomness from within-die path delay variations that occur along the paths within a hardware implementation of a cryptographic primitive, for example, the Advanced Encryption Standard ("AES") algorithm or Secure Hash Algorithm 3 ("SHA-3"). The digitized timing values which represent the path delays are stored in a database on a secure server (verifier) as an alternative to storing PUF response bitstrings thereby enabling the development of an efficient authentication protocol that provides both privacy and mutual authentication.

Publication date: 09-08-2016

SYSTEMS AND METHODS FOR CONTROLLING ACCESS TO A COMPUTER DEVICE

Number: CA0002900829C
Assignee: NGUYEN-HUU, THI CHAU, NGUYEN-HUU THI CHAU

A method and system for controlling access to a computer device. The method and system involves operating a computer device to control access to the computer device by a host system. The method comprises determining if the host system is authorized to have access to the computer device; operating the computer device to start a session if and only if the host system is authorized to have access to the computer device; during the session, providing the host system with access to the computer device; operating the computer device to monitor the host system during the session to determine if a session termination event has occurred; and, terminating the session when the session termination event has occurred, wherein terminating the session blocks access to the computer device by the host system.

Publication date: 27-06-2017

Data interchange middleware

Number: CN0206282285U

Publication date: 20-11-2013

Computer safety device capable of achieving network physical isolation

Number: CN0203299824U
Author: YANG CHUNHUA

Publication date: 09-02-2011

Information safety computer

Number: CN0101226571B

The invention relates to an information safety computer, which belongs to the technical field of computer safety and is particularly suitable for use where strict computer information security requirements apply. The invention comprises a central processing unit and a mainboard, wherein the mainboard is provided with a safety control system which includes a south bridge chip, a super input output chip, a basic input output system chip and a safety chip; the safety chip is an integrated circuit chip equipped with an LPC interface, or with both an LPC interface and an SPI interface; one end of the integrated circuit chip connects to the LPC interface of the south bridge chip, and the other end connects to the super input output chip and the basic input output system chip. The invention has the advantage that the LPC interface on the mainboard is securely controlled, thereby in particular simultaneously the invention realizes real-time for equipment under ...

Publication date: 24-04-2020

USB-port plugging electronic label method and device

Number: CN0105653985B

Publication date: 29-08-2012

Chip protecting method and system

Number: CN0101950332B

The invention provides a chip protecting method and system, which relates to the field of electronic circuits and solves the problem of poor safety when fuse wires are used for protecting chips. The method comprises the following steps: acquiring the output signal of an encrypted circuit and the encrypted operation result of a chip; comparing the output signal of the encrypted circuit and the encrypted operation result of the chip; and if the output signal of the encrypted circuit and the encrypted operation result of the chip are different, triggering safety precautions of the chip. The technical scheme provided by the invention is suitable for circuit protection.

Publication date: 04-12-2015

ELECTRONIC TRANSMISSION SYSTEM A DIGITAL DOCUMENT

Number: FR0003013478B1
Author: LECOMTE YVES
Assignee: LECOMTE

Publication date: 12-07-2019

ANTI-INTRUSION DEVICE FOR COMPUTING UNIT

Number: FR0003049738B1

Publication date: 22-11-2013

SYSTEM Of Exchange of information

Number: FR0002990785A1
Assignee: SCHNEIDER ELECTRIC INDUSTRIES SAS

The invention relates to a data exchange system comprising: - a microprocessor (UC), - a non-volatile memory (EEPROM), - a first communication channel (C1) linking the microprocessor to the non-volatile memory, - a first power supply channel (A1) arranged to supply electrical power to the microprocessor and the non-volatile memory, - a control device (10), - a second communication channel (C2) through which an external device (20) can exchange data with the non-volatile memory, - a second power supply channel (A2) arranged to power the control device (10) and the non-volatile memory.

Publication date: 20-06-2014

METHOD FOR PROTECTING AN ELECTRONIC TERMINAL, COMPUTER PROGRAM, AND CORRESPONDING ELECTRONIC TERMINAL.

Number: FR0002999751A1

The invention relates to a method for protecting an electronic terminal. According to the invention, such a method comprises the following steps: activating a monitoring state of said terminal; in said monitoring state, detecting a manipulation of said terminal, causing said terminal to pass into a so-called suspect state, representative of a risk of an attempted fraudulent use of said terminal; - in said suspect state, triggering a reaction by said terminal.

Publication date: 07-07-2017

AN INTRUSION DETECTION SYSTEM

Number: FR0003046480A1
Assignee: THALES

The present invention relates to an intrusion detection system (20) comprising: - two mesh layers, each mesh layer comprising a plurality of cells and a plurality of through connection points, each cell comprising at least one continuous pattern one end of which is connected to a through connection point, the coverage rate of all the patterns of each cell being strictly greater than 80 percent, the set of cells of each mesh layer delimiting a zone protected by the mesh layer, and - a plurality of connections, each connection connecting two patterns of cells of different mesh layers to each other via through connection points so as to form loops. The through connection points of each mesh layer are distributed over the entire surface of the zone protected by the mesh layer.

Publication date: 12-05-2014

Multistage Physical Unclonable Function System

Number: KR0101393806B1

Publication date: 17-06-2015

METHOD OF REINFORCING STABILITY OF ANDROID TERMINAL FOR ABNORMAL POWER TRANSFER AND COMPUTER-READABLE RECORDING MEDIUM FOR RECORDING PROGRAM THEREFOR

Number: KR101529713B1
Author: LEE, JUNG HO
Assignee: TELECHIPS INC.

The present invention relates to a technology for reinforcing the stability of an Android terminal against an abnormal power transfer, and especially to a technology for reinforcing the stability of an Android terminal by automatically solving the problem, using a crash counter and the like, when the Android system does not work properly because of an abnormal power on/off. When such a problem occurs, the present invention automatically recovers from it, so that a user can keep using the terminal without special inconvenience. COPYRIGHT KIPO 2015 [Flowchart steps: (S12) boot loader increases the crash counter; (S13) crash counter > CTHS?; (S14) boot loader enters recovery mode; (S15) recovery counter = 0?; (S16) recovery performs a factory reset; (S17) recovery upgrades the firmware; (S18) kernel starts booting; (S19) Android booting?; (S20) Android initializes the crash counter; (S21) Android completes a normal boot ...]

Publication date: 24-03-2020

SECURITY-ENHANCED COMPUTER SYSTEMS AND METHODS

Number: KR0102092299B1

Publication date: 30-07-2013

Preventing Method for Using of a Battery Pack and Detection Method for Loss of a Battery Pack

Number: KR1020130085471A

Publication date: 07-12-2017

APPARATUS AND METHOD FOR LOCKING AND UNLOCKING REMOVABLE MEDIA FOR USE INSIDE AND OUTSIDE PROTECTED SYSTEMS

Number: WO2017209987A1

A method includes detecting (802) a storage device (402) and performing (800) a check-in process for the storage device. The check-in process includes scanning (804) the storage device to identify any malware contained on the storage device, digitally signing (808) one or more clean files on the storage device, and modifying (816) a file system of the storage device. The method may also include performing (900) a check-out process for the storage device, where the check-out process includes restoring (918) the file system of the storage device. The file system of the storage device can be modified during the check-in process so that one or more protected nodes (102, 102a-102n) within a protected system are able to recognize the modified file system of the storage device and nodes (702) outside of the protected system cannot recognize the modified file system of the storage device.

Publication date: 27-08-2020

CABLE-LOCK UNIT PRESENCE IN COMPUTING SYSTEMS

Number: WO2020171827A1

Examples of a computing system having a lock port for a cable-lock unit are described. In an example, a computing system includes a control unit, a receptacle electrically coupled to the control unit, a lock port to receive a cable-lock unit to lock the computing system at a location, a lock engagement member, and a plug coupled to the lock engagement member. The lock engagement member and the plug are to translate and form an electrical connection between the plug and the receptacle in response to receiving the cable-lock unit in the lock port. The control unit is to determine presence of the cable-lock unit in the lock port in response to formation of the electrical connection between the plug and the receptacle.

Publication date: 01-02-2022

Manifold for filtering medical waste being drawn under vacuum into a medical waste collection system

Number: US0011234787B1
Assignee: Stryker Corporation

A method of manufacturing a surgical waste collection manifold with a volume collected datum and a rover type, to ensure compatibility with a surgical waste collection rover, is provided. The surgical waste collection rover includes a vacuum pump and a receiver defining an opening. The method includes obtaining a second manifold, the second manifold having a second housing defining a surface, the housing defining a second manifold volume and a second outlet opening in fluid communication with the second manifold volume. The method may further include coupling a second circuit to the surface of the second manifold, the second circuit comprising a second memory device including a third memory bank and a fourth memory bank, the third memory bank including a fifth memory field and the fourth memory bank including a sixth memory field. The method may further include programming the fifth memory field with an encrypted first hash digest based on the rover type and programming the sixth ...

Publication date: 03-11-2020

Apparatus for autonomous security and functional safety of clock and voltages

Number: US0010824764B2
Assignee: Intel Corporation, INTEL CORP

An apparatus is provided for autonomous security and functional safety (FUSA) of clock and voltages. The apparatus may include: a multiplexer having a first input communicatively coupled to a pin to receive a first clock external to a die, and a second input coupled to an output of a divider; an oscillator to provide a second clock; and a counter coupled to an output of the multiplexer and the oscillator, wherein the counter is to operate with the second clock and is to determine a frequency of the first clock. The apparatus may further include a voltage monitor circuitry for monitoring voltage(s) for FUSA, a reference generator for FUSA, a duty cycle monitor for FUSA, a frequency degradation monitor for FUSA, and a phase error degradation monitor for FUSA.

Publication date: 21-08-2019

RELIABILITY ENHANCEMENT METHODS FOR PHYSICALLY UNCLONABLE FUNCTION BITSTRING GENERATION

Number: EP3234857B1
Author: PLUSQUELLIC, James
Assignee: STC.UNM

Publication date: 21-11-2018

A PRIVACY-PRESERVING, MUTUAL PUF-BASED AUTHENTICATION PROTOCOL

Number: EP3403209A1

Publication date: 31-01-2018

DETERMINATION OF SENSOR USAGE

Number: EP3274906A1

Publication date: 27-11-2016

METHOD, DEVICE AND VERIFICATION SYSTEM FOR ANTI-COUNTERFEITING PROTECTION

Number: RU2603549C2
Assignee: XIAOMI INC. (CN)

The invention relates to terminal security. The technical result is greater effectiveness of anti-counterfeiting protection for terminals. A method, performed by a server, in which an encrypted message is generated corresponding to the i-th verification stage, being one of n verification stages preset and arranged in a predetermined order for verifying the terminal, 1≤i≤n; the encrypted message is sent to the terminal; a call request is received from the terminal to invoke the i-th verification stage; the i-th verification stage is performed if the call request is a call request initiated according to the encrypted message corresponding to the i-th verification stage; i=i+1 is computed and an encrypted message corresponding to the i-th verification stage is generated if the i-th verification stage succeeds and i≠n; failed verification results are sent to the terminal if the i-th verification stage fails at ...

Publication date: 15-08-2017

METHOD FOR PROTECTING A COMPUTER

Number: RU2628142C1

The invention relates to a method for protecting a computer against unauthorized access to the information stored in it. The technical result is computers that are more resistant to break-in. A method is proposed in which the computer is fitted with a built-in hardware information protection device (ASZI) installed as a daughter board in one of the slots of the computer's motherboard; on the motherboard a specific slot with an extended set of contacts is allocated for the ASZI, at least one electrical circuit whose opening reliably renders the computer inoperable is routed in transit through its spare contacts, and on the ASZI board at least one physical switching element is attached to the corresponding contacts, closing/opening the aforementioned circuit or circuits when the ASZI board is installed/removed. 4 dependent claims.

Publication date: 19-10-2017

Method for the IT protection of security-relevant data and their processing

Number: DE102013014587B4

Method for the IT protection of security-relevant data and their processing with the following features: – more than one microcontroller with an internal non-volatile memory, a random source consisting of a noise source and an amplifier, a non-volatile memory, spiral meander-shaped conductor structures, and at least one of the sub-arrangements low-pass, high-pass, band-pass, band-stop, voltage divider are arranged on more than one inner layer of a three-dimensional space, wherein at least two microcontrollers are present in different inner layers, which are connected directly via at least two of the communication paths non-volatile memory, bus systems, inputs and outputs, and via at least one of the sub-arrangements, – on at least one of the inner layers of the three-dimensional space at least part of one of the sub-arrangements low-pass, high-pass, band-pass, band-stop, voltage divider is arranged with individual tolerances, wherein the rest of the sub-arrangement ...

Publication date: 18-10-2018

Method for protecting a MEMS unit against infrared examination, and MEMS unit

Number: DE102017206386A1

A method is presented for protecting a MEMS unit, in particular a MEMS sensor, against infrared examination, wherein at least one region of the MEMS unit is doped and wherein the at least one doped region absorbs, reflects or diffusely scatters more than 50%, in particular more than 90%, of the infrared light incident on it.

Publication date: 28-04-2010

Operand size control

Number: GB0201004300D0

Publication date: 26-11-2015

System and method for in-place encryption

Number: AU2012204448B2

Disclosed herein are systems, methods, and non-transitory computer-readable storage media for performing in-place encryption. A system configured to practice the method receives a request from a user to encrypt an unencrypted volume of a computing device and identifies, generates, and/or randomly selects a volume key. Then the system converts the unencrypted volume to an encryptable format divided into portions. The system then encrypts, based on the volume key, the encryptable volume, portion by portion, to enable the user to use the computing device while encrypting. The system can maintain an encryption progress status and display the encryption progress status. The system can monitor disk accesses to the encryptable volume, and, when the disk accesses exceed a first threshold, apply a back-off algorithm to stop encrypting until the disk accesses fall below a second threshold. Thus, the computing device can be used while the encryption occurs in the background.

Publication date: 11-05-2018

SYSTEM AND METHODS FOR ENTROPY AND STATISTICAL QUALITY METRICS

Number: CA0003042394A1
Assignee: BERESKIN & PARR LLP/S.E.N.C.R.L.,S.R.L.

The Distribution Effect is proposed for the HELP PUF that is based on purposely introducing biases in the mean and range parameters of path delay distributions to enhance entropy. The biased distributions are then used in the bitstring construction process to introduce differences in the bit values associated with path delays that would normally remain fixed. Offsets are computed to fine tune a token's digitized path delays as a means of maximizing entropy and reproducibility in the generated bitstrings: a first population-based offset method computes median values using data from multiple tokens (i.e., the population) and a second chip-specific technique is proposed which fine tunes path delays using enrollment data from the authenticating token.

Publication date: 28-03-2012

ECU (Electric Control Unit) security access processing method

Number: CN0102393888A

Publication date: 10-01-2014

DEVICE FOR SECURING AN ELECTRONIC DOCUMENT

Number: FR0002985059B1
Assignee: OBERTHUR TECHNOLOGIES

Publication date: 16-11-2018

GATEWAY SECURITY IMPROVED AVIONICS AND AIRCRAFT COMPRISING SUCH BRIDGE

Number: FR0003066293A1

This gateway (10) is adapted to establish an interconnection between first and second communication networks (11, 12) of a computer installation on board an aircraft and to monitor at least one communication channel (C1) between a first sending equipment (13) on the first network and a second receiving equipment (14) on the second network. The gateway is characterized in that it is adapted to apply, at the current instant, a security policy for said communication channel that depends on a current operating mode (M) of the gateway, the current operating mode being a function of a current state (E) of the aircraft, the gateway comprising a configuration table (30) which indicates, for each possible current operating mode (M) and for each communication channel to be monitored, a value of at least one configuration parameter defining the security policy.

Publication date: 06-10-2017

ANTI-INTRUSION DEVICE FOR COMPUTING UNIT

Number: FR0003049738A1

The present invention relates to an anti-intrusion device (24) for an electronic computing unit (2) that can be installed in a motor vehicle, the electronic computing unit (2) comprising at least one microcontroller (14) with a memory, a housing (4) and photosensitive means adapted to detect an opening of the housing (4).

Publication date: 11-10-2019

SAFETY DEVICE FOR A PAYMENT TERMINAL COMPRISING AN EMBEDDED SECURITY ELEMENT.

Number: FR0003079947A1

Publication date: 19-03-2015

Number: KR1020150030059A

Publication date: 12-02-2016

Running drivers of a restricted driver platform in a sandbox in user mode

Number: KR1020160015300A

... A restricted transform driver platform is described herein. In one or more implementations, a platform is provided that enables a restricted execution environment for virtual private network (VPN) drivers and other transform drivers. The platform may be implemented as an operating system component that exposes interfaces allowing drivers to register with the platform and to be invoked to perform functions supported by the platform. The restricted execution environment places one or more restrictions on transform drivers operating through the platform. For example, execution may take place per user and in user mode within a sandbox. Further, the platform causes the associated driver to run as a background process with relatively low privileges. In addition, the platform can suspend the driver through background task scheduling and control the driver's operation. Thus, the exposure of transform drivers to the system is controlled and restricted through the platform.

Publication date: 24-03-2017

Apparatus and method for detecting security incidents on smart grid devices

Number: KR0101719698B1
Author: 강성구, 김신규
Assignee: 한국전자통신연구원 (Electronics and Telecommunications Research Institute)

... An apparatus and method for detecting security incidents on smart grid devices are disclosed. The apparatus according to the present invention comprises: a receiving unit that receives, from each of a plurality of smart grid devices, system change information including a non-volatile memory dump image and system and application log data; an analysis unit that analyzes the received plurality of system change information and generates, for each smart grid device, trend information including at least one of file system change trend information and log data change trend information; and a determination unit that compares first trend information corresponding to a first smart grid device with second trend information corresponding to the remaining smart grid devices other than the first smart grid device, to determine whether a security incident has occurred on the first smart grid device.

Publication date: 13-11-2014

REMOVABLE STORAGE MEDIA CONTROL APPARATUS FOR PREVENTING DATA LEAKAGE AND METHOD THEREOF

Number: KR0101460297B1

Publication date: 26-06-2020

Security device having physical unclonable function

Number: KR0102122457B1

Publication date: 16-09-2013

Systems and methods of device authentication including features of circuit testing and verification in connection with known board information

Number: TW0201337623A

A method and system for authenticating a device, board, assembly or system includes obtaining or processing test/scan information provided via extraction of ECID or other unique identifying information regarding a board. A re-authentication process is performed to verify that the board contains only legitimate ECID or other uniquely identified devices, via comparison of re-extracted codes of devices at known positions against a reference record, the reference record being established by an initial authentication process that utilizes information regarding authentic/unique ECID or other uniquely identified codes of devices delivered to populate the board to derive the reference record for the device.

Publication date: 16-02-2017

Physical ingress protection for a device

Number: TW0201706906A

Particular embodiments described herein provide for physical ingress protection for a device. A device can include a main body wherein the main body includes a mounting panel and a tamper tab located in the mounting panel, wherein the tamper tab is removably secured to the mounting panel, wherein the mounting panel and tamper tab are configured to secure the main body to a surface such that when the main body is removed from the surface, the tamper tab remains on the surface.

Publication date: 16-02-2012

Anti-counterfeiting electronic device and method thereof

Number: US20120042169A1

An anti-counterfeiting electronic device includes a function component assigned an identification code ID, and a processor. The processor generates a random code K1 and transmits the random code K1 to the function component; the function component encrypts the random code K1 and the identification code ID to generate a key ID1. The processor further obtains the key ID1 from the function component and decrypts the key ID1 to generate an identification code ID2, determines whether the identification code ID2 is the same as the ID, and executes the system login command if the identification code ID2 is the same as the identification code ID. An anti-counterfeiting method is also provided.

Publication date: 14-06-2012

Switch to perform non-destructive and secure disablement of IC functionality utilizing MEMS and method thereof

Number: US20120146684A1
Assignee: International Business Machines Corp

Structures and methods are provided for performing non-destructive and secure disablement of integrated circuit (IC) functionality. A structure for enabling non-destructive and secure disablement and re-enablement of the IC includes a micro-electrical mechanical structure (MEMS) initially set to a chip enable state. The structure also includes an activation circuit operable to set the MEMS device to an error state based on a detected predetermined condition of the IC. The IC is disabled when the MEMS device is in the error state.

Подробнее
01-11-2012 дата публикации

Configurable integrated tamper dectection circuitry

Номер: US20120278905A1
Принадлежит: International Business Machines Corp

Tamper detection circuitry includes a first surface layer surrounding a protected memory, the first surface layer comprising a first plurality of conductive sections; a second surface layer surrounding the protected memory, the second surface layer comprising a second plurality of conductive sections; a programmable interconnect located inside the first surface layer, the programmable interconnect being connected to each conductive section by a plurality of conductive traces, the programmable interconnect being configured to group the conductive section of the first and second plurality of conductive sections into a plurality of circuits, each of the plurality of circuits having a different respective voltage; and a tamper detection module, the tamper detection module configured to detect tampering in the event that a conductive section that is part of a first circuit comes into physical contact with a conductive section that is part of a second circuit.

Publication date: 13-12-2012

Delaying or deterring counterfeiting and/or cloning of a component

Number: US20120317662A1

In an embodiment, to deter or delay counterfeiting/cloning of a replacement component of a host device, the replacement component is provided with a code value. The code value is generated from a value of at least one physical parameter of the replacement component and is stored on the replacement component. The host device determines whether the replacement component is authentic if the stored code value matches a reference code value.

Publication date: 17-01-2013

Anti-tampering protection assembly

Number: US20130015972A1
Assignee: Verifone Inc

An anti-tampering protection assembly for sensing tampering with at least one conductor, the anti-tampering protection assembly including unpredictably varying signal generating circuitry, connected to the at least one conductor, for providing unpredictably varying signals on the at least conductor and tampering sensing circuitry for sensing tampering with the at least one conductor.

Publication date: 21-03-2013

AUTHENTICATION IN HETEROGENEOUS IP NETWORKS

Number: US20130074161A1

The invention proposes a system for authenticating and authorizing network services comprising: a mobile device adapted, upon receipt of an information message indicating at least one network access type, to determine the network access type, to create a start message containing at least a user identity, and to encapsulate the start message in an authentication message compatible with the access network identified in the information message; and an access controller for reading the encapsulated message from the mobile device and forwarding the encapsulated message to an authentication server identified in the encapsulated message. The invention also proposes a corresponding method for authenticating and authorizing network services, and an access control device, a subscriber device and a router device.

1-18. (canceled)

19. A system comprising: a mobile device configured to at least determine a network access type upon receipt of an information message indicating at least one network access type, create a start message containing at least a user identity, and encapsulate the start message in an authentication message compatible with an access network identified in the information message; and an access controller configured to at least read the encapsulated message from the mobile device and forward the encapsulated message to an authentication server identified in the encapsulated message.

20. A system comprising determining means for determining a network access type by a mobile device, upon receipt of an information message indicating at least one network access type; creating means for creating a start message containing at least a user identity; and encapsulating means for encapsulating the start message in an authentication message compatible with an access network identified in the information message; and access controller means comprising reading means for reading the encapsulated message from the mobile device and a forwarding means for forwarding the encapsulated ...

More
28-03-2013 publication date

METHODS OF AND SYSTEMS FOR REMOTELY CONFIGURING A WIRELESS DEVICE

Number: US20130081113A1
Assignee:

A particular method includes transmitting a message from a first device to a second device. The message includes first information associated with identification of the first device. The first information enables the second device to obtain access data. The method also includes establishing a first communication link between the first device and the second device based on the access data. The method further includes receiving, via the first communication link, second information associated with establishment of a second communication link between the first device and a third device. The method also includes configuring the first device to establish the second communication link between the first device and the third device based on the second information. 1. A method comprising: transmitting a message from a first device to a second device, wherein the message comprises first information associated with identification of the first device, wherein the first information enables the second device to obtain access data; establishing a first communication link between the first device and the second device based on the access data; receiving, via the first communication link, second information associated with establishment of a second communication link between the first device and a third device; and configuring the first device to establish the second communication link between the first device and the third device based on the second information. 2. The method of claim 1, wherein the first device comprises a machine-to-machine communication device. 3. The method of claim 1, further comprising configuring the first device to operate in accordance with a first mode of operation, wherein the first device is configured to provide a wireless local area network while in the first mode of operation. 4. The method of claim 1, wherein establishing the first communication link comprises: receiving security information from the second device, wherein the security ...

More
04-04-2013 publication date

INFORMATION TERMINAL DEVICE AND METHOD OF PERSONAL AUTHENTICATION USING THE SAME

Number: US20130086671A1
Author: Tamaki Makoto
Assignee:

An information terminal device is provided that may use the input functionality of a touch panel to remove a restriction on its use, for example to release the key lock. The information terminal device includes a display and a touch panel, and further includes: a pattern storage memory configured to store a release pattern that is to be entered into the touch panel to remove the restriction on the use of the information terminal device, the release pattern being designated by a user as a graphic pattern; a comparison unit configured to determine whether an entered pattern entered into the touch panel matches the release pattern; and a controller configured to remove the restriction on the use of the information terminal device if the comparison unit determines that the entered pattern matches the release pattern. 1. An information terminal device including a display and a touch panel, comprising: a pattern storage memory configured to store a release pattern that is to be entered into the touch panel to remove a restriction on a use of the information terminal device, the release pattern being designated by a user as a graphic pattern; a comparison unit configured to determine whether an entered pattern entered into the touch panel matches the release pattern; and a controller configured to remove the restriction on the use of the information terminal device if the comparison unit determines that the entered pattern matches the release pattern. 2. The information terminal device according to claim 1, wherein: the pattern storage memory stores an input request pattern suggesting that the release pattern be entered, and the input request pattern is displayed on the display when the restriction on the use of the information terminal device is to be removed. 3. The information terminal device according to claim 2, wherein: the pattern storage memory stores a set of input request patterns suggesting that the release ...
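The abstract names three parts (pattern storage memory, comparison unit, controller) but says nothing about how the release pattern is stored or compared. The example below is added here and is not the patent's implementation; it assumes the stored form is a salted PBKDF2-HMAC-SHA256 hash of the canonical pattern rather than the pattern itself, that the comparison is constant-time, and that the controller counts failures. The grid size, the minimum pattern length and the lockout threshold are assumptions.

```python
"""Pattern-lock storage, comparison and release control (added example).

The 'pattern storage memory' keeps only a salt and a PBKDF2 digest, so reading
it does not reveal the release pattern. The 'comparison unit' re-derives the
digest from the entered pattern and compares in constant time. The
'controller' removes the use restriction only on a match and stops evaluating
after too many failures. Grid size, minimum length and lockout are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Sequence, Tuple

Node = Tuple[int, int]  # (row, col) of a touch-panel grid node


def canonical(pattern: Sequence[Node], grid: int = 3, min_len: int = 4) -> bytes:
    """Serialise a drawn pattern as the ordered nodes it visits.

    Rejects off-grid and revisited nodes and too-short patterns, so two inputs
    hash equal only when the same nodes are traced in the same order.
    """
    seen = set()
    out = bytearray()
    for r, c in pattern:
        if not (0 <= r < grid and 0 <= c < grid):
            raise ValueError("node off grid")
        if (r, c) in seen:
            raise ValueError("node revisited")
        seen.add((r, c))
        out.append(r * grid + c)
    if len(out) < min_len:
        raise ValueError("pattern too short")
    return bytes(out)


class PatternStorage:
    """Holds salt + digest of the release pattern, never the pattern itself."""
    ITERATIONS = 100_000

    def __init__(self) -> None:
        self.salt: Optional[bytes] = None
        self.digest: Optional[bytes] = None

    def store(self, release_pattern: Sequence[Node]) -> None:
        self.salt = secrets.token_bytes(16)
        self.digest = hashlib.pbkdf2_hmac(
            "sha256", canonical(release_pattern), self.salt, self.ITERATIONS)


def compare(storage: PatternStorage, entered: Sequence[Node]) -> bool:
    """Comparison unit: True only when the entered pattern matches."""
    try:
        candidate = canonical(entered)
    except ValueError:
        return False  # malformed input never matches
    digest = hashlib.pbkdf2_hmac("sha256", candidate, storage.salt, storage.ITERATIONS)
    return hmac.compare_digest(digest, storage.digest)


class Controller:
    """Removes the use restriction on a match; locks out after repeated failures."""

    def __init__(self, storage: PatternStorage, max_attempts: int = 5) -> None:
        self.storage = storage
        self.locked = True
        self.failures = 0
        self.max_attempts = max_attempts

    def try_release(self, entered: Sequence[Node]) -> bool:
        if self.failures >= self.max_attempts:
            return False  # lockout: do not even evaluate the pattern
        if compare(self.storage, entered):
            self.locked = False
            self.failures = 0
            return True
        self.failures += 1
        return False
```

The hashing protects the stored pattern from being read back, but the space of 3x3 patterns is small (hundreds of thousands of candidates), so an offline attacker who obtains the salt and digest can still brute-force it; the attempt limit in the controller is what defends the on-device path.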

More
11-04-2013 publication date

MULTI-DOMAIN SECURE COMPUTER SYSTEM

Number: US20130091589A1
Assignee: Secutor Systems, LLC

Disclosed is a hardware-based secure multi-level security computing system. The system comprises a chassis enclosing multiple separate, secure computer devices or domains, each within an electromagnetic-shielding Faraday cage. The chassis structure includes internal electromagnetic shields and other features to prevent cross-domain electromagnetic interference or compromising emanations. The chassis may be the size of a standard computer tower. The computer devices or domains may be configured for handling information of different classification levels. Optionally, each of the computer devices may operate on significantly less power than a standard computer. Preferably, each computer operates on no more than 50 watts of power, more preferably on less than 35 watts. 1. A multi-level security computing system, comprising: a chassis having a front, top, bottom, and two sides, each comprising an electromagnetic shield; a first computer domain comprising a first motherboard, a first dedicated bus, a first processor, a first data storage device, and a first dedicated power supply; a second computer domain comprising a second motherboard, a second dedicated bus, a second processor, a second data storage device, and a second dedicated power supply; a third computer domain comprising a third motherboard, a third dedicated bus, a third processor, a third data storage device, and a third dedicated power supply; the first, second, and third computer domains enclosed within the chassis, with a first internal electromagnetic field shield located inside the chassis and interposed between the first computer domain and the second computer domain to prevent data migration between the first computer domain and the second computer domain, and a second internal electromagnetic field shield located inside the chassis and interposed between the second computer domain and the third computer domain to prevent data migration between the second computer domain and the third ...

More
18-04-2013 publication date

System and Method for Transaction Security Enhancement

Number: US20130097698A1
Assignee: EBAY, INC.

The present disclosure involves a system that includes a computer memory storage component configured to store computer programming instructions and a computer processor component operatively coupled to the computer memory storage component. The computer processor component is configured to run a secure operating system and a non-secure operating system in parallel. The secure and non-secure operating systems are isolated from each other. The computer processor component is configured to execute code to perform the following operations: receiving an authentication request from an application that is run by the non-secure operating system, wherein the authentication request contains credentials of the application; communicating with a secure applet that is run by the secure operating system, wherein the communicating includes transferring the credentials of the application to the secure applet; and authenticating and vetting the application based on the credentials of the application. 1.
A system, comprising: a computer memory storage component configured to store computer programming instructions; and a computer processor component operatively coupled to the computer memory storage component, wherein the computer processor component is configured to run a secure operating system and a non-secure operating system in parallel, wherein the secure and non-secure operating systems are isolated from each other, and wherein the computer processor component is configured to execute code to perform the following operations: receiving an authentication request from an application that is run by the non-secure operating system, wherein the authentication request contains credentials of the application; communicating with a secure applet that is run by the secure operating system, and wherein the communicating includes transferring the credentials of the application to the secure applet; and authenticating and vetting the application based on the credentials of the application. ...

More
09-05-2013 publication date

Method and Apparatus for Enabling Secure Distribution of Digital Content

Number: US20130117863A1
Assignee:

A digital content management system includes a host machine and a delivery machine remote from the host machine. The host machine sends validation agent software to the delivery machine, which executes the validation agent. The validation agent performs one or more tests or observations to determine whether the delivery machine has been compromised, and communicates the results of the tests or observations to the host machine. If the host machine determines that the delivery machine has not been compromised, the host machine sends digital content to the delivery machine, and a player module at the delivery machine delivers the content to the user according to an appropriate set of access rights. After delivering the content, the delivery machine deletes the content to prevent unwanted access to it. The content can contain signals indicating that the content is legitimate, such as watermarks or bad code segments or sectors. 1. A digital content access control system comprising: at least one processor; at least one network interface device; at least one memory device which stores a plurality of instructions which, when executed by the at least one processor, cause the at least one processor to operate with the at least one network interface device to: (a) cause a validation agent to be sent to a remote delivery machine over a data network, said validation agent configured to determine, based on a result of at least one test performed upon arrival of the validation agent at the remote delivery machine, whether said remote delivery machine has been compromised, (b) receive, over the data network, a signal indicative of whether to send content to the remote delivery machine, said signal based, at least in part, on the determination by the validation agent of whether the remote delivery machine has been compromised, (c) determine whether to send the content to the remote delivery machine based on the received signal, (i) send at least a portion of the content, over the data
...

More
16-05-2013 publication date

SECURE SYSTEM-ON-CHIP

Number: US20130124874A1
Author: KUDELSKI ANDRE
Assignee: Nagravision S.A.

A secure system-on-chip for processing data, the system-on-chip comprising at least a central processing unit (CPU), an input and an output channel, an encryption/decryption engine and a memory. The input channel comprises an input encryption module to encrypt all incoming data, and the output channel comprises an output decryption module to decrypt all outgoing data. The CPU receives the encrypted data from the input encryption module and stores it in the memory; while processing the stored data, the CPU reads the stored data from the memory, requests its decryption by the encryption/decryption engine, processes the data, requests encryption of the result by the encryption/decryption engine and stores the encrypted result, then outputs the result to the output decryption module for decryption and passes the decrypted result out via the output channel. 1. A secure system-on-chip for processing data, the system-on-chip comprising: at least a central processing unit (CPU); an input channel connected to the CPU, the input channel including an input encryption module; an output channel connected to the CPU, the output channel including an output decryption module; a CPU encryption module connected to the CPU; a CPU decryption module connected to the CPU; at least one key register connected to the input encryption module and the output decryption module; and a memory connected to the CPU; wherein said input encryption module is configured to add an internal encryption layer to all incoming data, said output decryption module is configured to remove the internal encryption layer on all outgoing data, and said central processing unit is configured to perform the steps of receiving encrypted data from the input encryption module; storing the encrypted data in the memory; when processing the stored data, reading the stored data from the memory, requesting the removal of the internal encryption layer by the CPU decryption module, processing the data
...
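The property this architecture buys is that nothing outside the CPU's own processing step ever holds plaintext: a probe on the memory bus or a dump of RAM yields only the internal encryption layer. The simulation below is an added example, not Nagravision's design. It stands in for the encryption/decryption engine with an HMAC-SHA256 counter-mode keystream (an assumption; a real chip would use a hardware cipher core, and any nonce-respecting symmetric cipher serves the same role), and models the key register as a value the CPU can use but never read out.

```python
"""Data path of the secure SoC: input layer -> memory -> CPU -> output layer.

Added example, not the patent's hardware. The Engine stands in for the
encryption/decryption engine using an HMAC-SHA256 keystream (assumption).
Every value that reaches memory passes through the input encryption module
first, so a memory dump never contains plaintext; the CPU only sees plaintext
inside cpu_process(), and the result is re-encrypted before being stored or
exported through the output decryption module.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Tuple


class Engine:
    """Internal-layer cipher bound to a key register the CPU cannot read."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # key register contents; no accessor on purpose

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._key, nonce + ctr.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def encrypt(self, data: bytes) -> Tuple[bytes, bytes]:
        nonce = secrets.token_bytes(12)  # fresh per operation: no keystream reuse
        ks = self._keystream(nonce, len(data))
        return nonce, bytes(a ^ b for a, b in zip(data, ks))

    def decrypt(self, nonce: bytes, ct: bytes) -> bytes:
        ks = self._keystream(nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))


class SecureSoC:
    def __init__(self) -> None:
        self._engine = Engine(secrets.token_bytes(32))      # key register
        self.memory: Dict[int, Tuple[bytes, bytes]] = {}    # addr -> (nonce, ct)

    def input_channel(self, addr: int, data: bytes) -> None:
        """Input encryption module: everything entering the chip gets the layer."""
        self.memory[addr] = self._engine.encrypt(data)

    def cpu_process(self, src: int, dst: int, fn: Callable[[bytes], bytes]) -> None:
        """CPU step: remove the layer, process, re-add the layer, store."""
        nonce, ct = self.memory[src]
        plain = self._engine.decrypt(nonce, ct)
        result = fn(plain)                       # the only place plaintext exists
        self.memory[dst] = self._engine.encrypt(result)

    def output_channel(self, addr: int) -> bytes:
        """Output decryption module: the layer is removed as data leaves."""
        nonce, ct = self.memory[addr]
        return self._engine.decrypt(nonce, ct)

    def memory_contains_plaintext(self, needle: bytes) -> bool:
        """What a bus-probing attacker would learn from a memory dump."""
        return any(needle in ct for _, ct in self.memory.values())
```

Two caveats a practitioner would add: the fresh nonce per store is essential with any stream-style engine (reusing one turns the memory into a two-time pad), and confidentiality alone does not stop an attacker with bus access from flipping ciphertext bits, so a real design pairs the layer with an integrity check; the abstract above does not address that.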

More
16-05-2013 publication date

SYSTEMS AND METHODS OF DEVICE AUTHENTICATION INCLUDING FEATURES OF CIRCUIT TESTING AND VERIFICATION IN CONNECTION WITH KNOWN BOARD INFORMATION

Number: US20130125204A1
Assignee: ELECTRONIC WARFARE ASSOCIATES, INC.

A method and system for authenticating a device, board, assembly or system includes obtaining or processing test/scan information provided via extraction of ECID or other unique identifying information regarding a board. 1. A method of authenticating a board, assembly or system, the method comprising: obtaining or processing test/scan information provided via extraction of unique identifying information regarding one or more devices on a board, assembly or system, including determination of associated mounted position(s); performing one or more re-authentication processes to verify that the board, assembly or system contains only legitimate uniquely identified devices, via comparison of re-extracted codes of devices at known positions against a reference record, the reference record being established by an initial authentication process that utilizes information regarding authentic and unique codes of devices delivered to populate the board, assembly or system as placed at specific positions to derive the reference record for the device, enabling the re-attestation of the authenticity of such devices. 2. The method of claim 1, further comprising processing information regarding knowledge of all legitimately shipped codes of a given device type, assuring each code's uniqueness and verifying non-duplication over the supply chain from legitimate IC fabricator(s). 3. The method of claim 1, wherein the reference record is received, directly or indirectly, from an IC fabricator that performed the initial authentication process on a newly assembled board, assembly or system at a board, assembly or system factory. 4. The method wherein the information regarding the codes includes lot information regarding securely documented lots of devices shipped via a supply chain. 5. A method of authenticating a board, assembly or system, the method comprising: performing an initial authentication process that utilizes information regarding ...
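The claims describe two checks: per-position comparison of re-extracted codes against a reference record built at initial authentication, and a supply-chain uniqueness check that no legitimately shipped code appears twice. The code below is an added example, not EWA's tooling. It models the test/scan information as a mapping from mounted position (reference designator) to extracted ECID, which is what a JTAG/boundary-scan extraction would yield; the positions, ECID values and shipped-lot set are constructed sample data.

```python
"""Board authentication against a reference record, and supply-chain uniqueness.

Added example (not the patent owner's software). A Scan is what extraction
produces: {mounted position: ECID}. initial_authentication() builds the
reference record from codes legitimately shipped to populate the board;
re_authenticate() re-extracts and compares per position; uniqueness_check()
flags codes that were never shipped or that show up on more than one board.
Sample ECIDs and positions below are constructed.
"""
from typing import Dict, Iterable, List, Set

Scan = Dict[str, str]  # refdes position -> extracted ECID (hex string)


def initial_authentication(scan: Scan, shipped_codes: Set[str]) -> Scan:
    """Derive the reference record; every extracted code must be a shipped one."""
    unshipped = sorted(pos for pos, ecid in scan.items() if ecid not in shipped_codes)
    if unshipped:
        raise ValueError(f"unshipped devices at {unshipped}")
    return dict(scan)


def re_authenticate(reference: Scan, scan: Scan) -> List[str]:
    """Compare a fresh extraction with the reference record, position by position.

    Returns findings; an empty list means the board holds only the legitimately
    identified devices at their recorded positions.
    """
    findings: List[str] = []
    for pos, expected in reference.items():
        got = scan.get(pos)
        if got is None:
            findings.append(f"{pos}: device missing/unreadable")
        elif got != expected:
            findings.append(f"{pos}: ECID {got} != reference {expected}")
    for pos in sorted(scan.keys() - reference.keys()):
        findings.append(f"{pos}: unexpected device {scan[pos]}")
    return findings


def uniqueness_check(boards: Iterable[Scan], shipped_codes: Set[str]) -> List[str]:
    """Supply-chain check: each shipped code is used at most once across boards."""
    seen: Dict[str, str] = {}
    findings: List[str] = []
    for i, scan in enumerate(boards):
        for pos, ecid in scan.items():
            where = f"board{i}/{pos}"
            if ecid not in shipped_codes:
                findings.append(f"{where}: {ecid} not in shipped lots")
            elif ecid in seen:
                findings.append(f"{where}: {ecid} duplicates {seen[ecid]}")
            else:
                seen[ecid] = where
    return findings


# Constructed sample data: codes shipped for this board type, and the
# extraction taken at the board factory.
SHIPPED = {"00A1F3", "00A1F4", "00A1F5", "00A1F6"}
FACTORY_SCAN: Scan = {"U1": "00A1F3", "U2": "00A1F4", "U3": "00A1F5"}
```

The position binding is what distinguishes this from a bare ID allowlist: a genuine part moved to a different slot, or a second board populated with cloned codes, is reported even though every individual code is "known". A counterfeit that emulates the scan chain can still replay a recorded ECID, so the re-extraction is evidence of provenance, not proof of silicon authenticity.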

More
16-05-2013 publication date

PLATFORM INTEGRITY VERIFICATION SYSTEM AND INFORMATION PROCESSING DEVICE

Number: US20130125244A1
Author: Sugano Yasuharu
Assignee: CANON KABUSHIKI KAISHA

A platform integrity verification system capable of executing platform integrity verification by a trusted boot without causing a delay in system startup time. The platform integrity verification system has an information processing device and an integrity verification computer that are communicably connected to each other. The information processing device comprises an acquisition section that acquires a unique value from each of a plurality of programs executed by the information processing device when the information processing device is shut down, and a storage section configured to store the unique value acquired by the acquisition section in a storage device. The integrity verification computer comprises a comparison section configured to acquire the unique value stored in the storage device through communication with the information processing device and to compare the acquired unique value with a predetermined value held in advance for each program. 1. A platform integrity verification system having an information processing device and an integrity verification computer that are communicably connected to each other, wherein said information processing device comprises: an acquisition unit configured to acquire a unique value from each of a plurality of programs executed by said information processing device when said information processing device is shut down; and a storage unit configured to store said unique value acquired by said acquisition unit in a storage device, and said integrity verification computer comprises a comparison unit configured to acquire the unique value stored in the storage device through communication with said information processing device and to compare the acquired unique value with a predetermined value held in advance for each program. 2.
The platform integrity verification system according to claim 1, wherein said comparison unit enables said integrity verification computer to acquire a measurement value recorded in the storage device via a ...

More
16-05-2013 publication date

ANTI-TAMPER DEVICE FOR INTEGRATED CIRCUITS

Number: US20130125250A1
Author: Freedman Graeme J.
Assignee:

An anti-tamper device for one or more integrated circuits includes a firing assembly and a breach assembly. The firing assembly includes a contained energy source, an impact element and a breach assembly. The breach assembly is configured to house one or more integrated circuits and a propellant charge. Upon an attempt to improperly remove or dislodge an integrated circuit from the anti-tamper device, the contained energy source is actuated. The energy source propels the impact element against the propellant charge, causing the charge to ignite. The resultant forces from the impact element and ignition of the charge impart a shock wave through the anti-tamper device. This shock wave induces spalling of the integrated circuit such that the circuit is physically altered and rendered unreadable. 1-10. (canceled) 11. A breach assembly for an anti-tamper device for one or more integrated circuits, comprising: a breach element defining a chamber to house a propellant charge. 12. The breach assembly of claim 10, further comprising an opening in the breach element for receiving the one or more integrated circuits. 13. The breach assembly according to claim 10, further comprising at least one vent hole for release of propellant gas(es) after ignition of the propellant charge. 14. An anti-tamper device for one or more integrated circuits, comprising the breach assembly according to claim 10. 15. The anti-tamper device of claim 14, further comprising an impact element. 16. The anti-tamper device according to claim 14, wherein the impact element is configured to ignite the propellant charge and induce spalling of the at least one integrated circuit. 17. The anti-tamper device according to claim 14, further comprising a contained energy source that accelerates the impact element into contact with the propellant charge. 18. The anti-tamper device according to claim 14, further comprising a tripping mechanism. 19.
A method ...

More
16-05-2013 publication date

Mobile Device Peripherals Management System and Multi-Data Stream Technology (MdS)

Number: US20130125251A1
Assignee:

A device and system for management of and access to externally connected peripheral devices by mobile devices. User and/or application data on a mobile device is sent to externally connected peripheral devices. External peripheral devices include, but are not limited to, printers, scanners, displays, audio interfaces, speakers, network adapters, storage drives, hard drives, and the like. An end-user mobile device application interface is installed as an application on a mobile device. Data may be sent directly to a peripheral device, or to a peripherals aggregation device, which may be active or passive. 1. A non-transitory computer-readable storage medium with an executable program stored thereon, wherein the program instructs a processor or microprocessor to perform the following steps: receiving a request from a mobile computing device to access a peripheral computing device; authenticating the mobile computing device; upon authenticating the mobile computing device, forwarding the request from the mobile computing device to the peripheral computing device. 2. The program of claim 1, wherein the mobile computing device is a smart phone or tablet computer. 3. A mobile computing device with a processor or microprocessor, wherein the processor or microprocessor is programmed to: receive a request from an application on the mobile computing device to access a non-networked physical peripheral device; identify the driver or drivers necessary for operation of the peripheral device; and send the request to a peripherals aggregation device for subsequent processing and forwarding to the peripheral device. 4. The device of claim 3, wherein the peripherals aggregation device is active. 5. The device of claim 3, wherein the peripherals aggregation device is passive. 6. The device of claim 3, wherein the processor or microprocessor is further programmed to provide authentication data for the mobile computing device.
This application claims benefit of and priority ...

More
23-05-2013 publication date

CONNECTION DEVICE AUTHENTICATION

Number: US20130133088A1
Assignee: CISCO TECHNOLOGY, INC.

A method and apparatus are provided for a secure interconnect between data modules, including a security apparatus within a secured data interconnect apparatus installed with a security chip. The interconnect apparatus may be authenticated prior to enabling a stacking feature. Authentication of an interconnect apparatus may be used to ensure the quality and performance of the interconnect apparatus and the data modules. 1. An interconnect apparatus, comprising: a cable having first and second opposed ends; a first connector provided at the first end of the cable; a second connector provided at the second end, the cable to provide communication of data between the first and the second connectors; and at least one authentication module comprising a first authentication module, the first authentication module configured to facilitate an authentication of the interconnect apparatus responsive to a connection of the interconnect apparatus with an electronic device, the interconnect apparatus is initialized to enable data transmissions responsive to an identification of the interconnect apparatus as passing the authentication of the interconnect apparatus, the first authentication module comprising a processor; and a memory storage unit, the processor and the memory storage unit are powered by the electronic device responsive to the connection of the interconnect apparatus with the electronic device, the first authentication module to transition to a dormant state that does not consume power, the interconnect apparatus to receive a data transmission from the electronic device notwithstanding the transition of the first authentication module to the dormant state. 2. The interconnect apparatus of claim 1, wherein the first authentication module comprises memory to persistently store authentication information operatively used to authenticate the interconnect apparatus. 3. The interconnect apparatus of claim 2, wherein the authentication information identifies a ...

More
30-05-2013 publication date

Trusted Service Management Process

Number: US20130139230A1
Assignee: RFCYBER CORPORATION

Techniques for providing trusted service management (TSM) are described. According to one aspect of the techniques, a secure element (SE) is personalized via the TSM. A process is provided to personalize an SE with multiple parties involved, orchestrated by a party or a business running the TSM, hence acting as a trusted service manager (TSM). The TSM brings the parties together to recognize the SE being personalized so that subsequent transactions can be authorized and carried out with a device embedded with the SE. In operation, each of the parties may load a piece of data into the SE, including registration information, various services or application data, and various keys, so that subsequent transactions can be carried out with or via an authorized party in a secured and acknowledgeable manner. 1. A method for trusted service management, the method comprising: initiating data communication between a portable device with a secure element (SE) and a server configured to provide the trusted service management; receiving device information of the secure element from the portable device in response to a request from the server after the server determines that the secure element is registered therewith, wherein the device information is a sequence of characters uniquely identifying the secure element, and the request is a command causing the portable device to retrieve the device information from the secure element therein; and sending a set of instructions to cause the portable device to receive in the secure element at least a set of keys from a designated place, wherein the keys are generated in accordance with the device information of the secure element, wherein the set of keys in the secure element facilitates a subsequent transaction between the portable device and a service provider. 2.
The method as recited in claim 1, further comprising: identifying a party originating the secure element from the device information; and verifying with the party that the secure ...
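The claim's key step is that the keys loaded into the SE are "generated in accordance with the device information", i.e. diversified per secure element from its unique identifier. The following is an added example and not RFCyber's protocol: it assumes the key-issuing party holds a master key and derives each SE's key set with HKDF-SHA256 over the SE's device information, that the set contains enc/mac/dek keys, and that the service provider verifies a transaction MAC by re-deriving the SE's MAC key. The labels, the MAC format and the choice of HKDF are assumptions.

```python
"""Per-secure-element key diversification for the TSM personalization flow.

Added example (not the patent's implementation). derive_key_set() turns a
master key plus the SE's unique device information into a key set, so the
issuer needs no per-device key database and a key extracted from one SE tells
nothing about another. The SE signs transactions with its MAC key; the
service provider re-derives that key from the same device information.
Key labels, MAC format and the use of HKDF are assumptions.
"""
import hashlib
import hmac
from typing import Dict


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm += t
        i += 1
    return okm[:length]


KEY_LABELS = ("enc", "mac", "dek")   # assumed key-set layout
SALT = b"tsm-se-personalisation"     # assumed domain-separation constant


def derive_key_set(master: bytes, se_id: str, version: str = "v1") -> Dict[str, bytes]:
    """Keys generated 'in accordance with the device information' of the SE."""
    return {
        name: hkdf_sha256(master, SALT, f"{se_id}/{version}/{name}".encode())
        for name in KEY_LABELS
    }


class SecureElement:
    def __init__(self, se_id: str) -> None:
        self.se_id = se_id          # the unique device information
        self.keys: Dict[str, bytes] = {}

    def personalize(self, keys: Dict[str, bytes]) -> None:
        """The TSM-orchestrated key load into the SE."""
        self.keys = dict(keys)

    def sign_transaction(self, payload: bytes) -> bytes:
        """Authenticate a subsequent transaction with the diversified MAC key."""
        return hmac.new(self.keys["mac"], self.se_id.encode() + payload,
                        hashlib.sha256).digest()


class ServiceProvider:
    """Holds the master for this key set (assumption) and verifies SE MACs."""

    def __init__(self, master: bytes) -> None:
        self._master = master

    def verify(self, se_id: str, payload: bytes, tag: bytes) -> bool:
        keys = derive_key_set(self._master, se_id)
        expected = hmac.new(keys["mac"], se_id.encode() + payload,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)
```

Binding the SE identifier into both the derivation and the MAC input means a tag produced by one SE does not verify for another identifier, and rotating `version` re-keys the whole population without touching the master. In a deployment the party verifying transactions would normally receive only the derived keys or a separate master of its own rather than the TSM's; holding the TSM master here is a simplification.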

More
30-05-2013 publication date

Resource-Type Weighting of Use Rights

Number: US20130139272A1
Author: BLANDING William H.

Resource-type weighting is used in evaluating the use rights associated with hardware resources. 1. Computer-readable media comprising: a weightings table for assigning use-right weightings to hardware types so that some hardware types are assigned greater weights than other hardware types. 2. Computer-readable media as recited in further comprising means for assigning costs to temporary hardware activations as a function of said weightings. 3. Computer-readable media as recited in further comprising a workload manager for reallocating hardware resources to workloads so that a quantity of hardware resources assigned to said workloads changes proportionally more than the quantity of use rights assigned to said workloads. 4. Computer-readable media as recited in wherein said workload manager reallocates said hardware resources without changing the quantity of said use rights. 5. Computer-readable media as recited in wherein said workload manager changes the quantity of use rights when reallocating said hardware resources. 6. Computer-readable media as recited in wherein said workload manager changes the quantity of use rights when reallocating said hardware processors by an amount less than the least amount of use rights associated with a single processor. 7. Computer-readable media as recited in wherein said workload manager manages hardware resources on separate first and second standalone computer systems. 8. Computer-readable media as recited in wherein processors on said first computer system have a different nominal performance than the processors on said second standalone computer system. 9. A method comprising assigning use-rights weightings to hardware resources in a computing system. 10. A method as recited in further comprising assigning a cost to a temporary activation of hardware at least in part as a function of said weightings. 11. A method as recited in further comprising reallocating hardware resources to workloads while transferring use rights from a first ...

More
06-06-2013 publication date

CIRCUIT PERSONALIZATION

Number: US20130145176A1
Author: Dellow Andrew
Assignee: STMICROELECTRONICS R&D LIMITED

A method distributes personalized circuits to one or more parties. The method distributes a generic circuit to each party, encrypts a unique personalization value using a secret encryption key, and transmits each encrypted personalization value to the corresponding party. Each party then stores the encrypted personalization value in their circuit. The stored encrypted personalization value allows a piece of software to be properly executed by the circuit. A semiconductor integrated circuit is arranged to execute a piece of software that takes a personalization value as an input parameter. The circuit comprises a personalization memory arranged to store an encrypted personalization value; a key memory for storing a decryption key; a control unit comprising a cryptographic circuit arranged to decrypt the encrypted personalization value using the decryption key; and a processor arranged to receive the decrypted personalization value and execute the software using the decrypted personalization value. 1. A method, comprising: associating a first personalization value with a first plurality of generic circuits; associating a second personalization value with a second plurality of generic circuits; encrypting, using one or more configured processing devices, the first personalization value; encrypting, using the one or more configured processing devices, the second personalization value; initiating storage of the encrypted first personalization value in the first plurality of generic circuits; and initiating storage of the encrypted second personalization value in the second plurality of generic circuits, wherein each of the first plurality of generic circuits and each of the second plurality of generic circuits is configured to retrieve an encrypted personalization value stored in the respective generic circuit; decrypt the retrieved encrypted personalization value; and use the decrypted personalization value to control execution of software. 2.
The method of wherein ...

More
06-06-2013 publication date

METHOD FOR ACCESSING A SECURE STORAGE, SECURE STORAGE AND SYSTEM COMPRISING THE SECURE STORAGE

Number: US20130145455A1
Assignee: NXP B.V.

A method is described for accessing a secure storage of a mobile device, the method comprising: providing a generic interface for accessing the secure storage; accessing the secure storage using the generic interface by a first application of the mobile device; and accessing the secure storage using the generic interface by a second application of the mobile device. Further, a corresponding secure electronic storage and a system are described. 1. Method for accessing a secure storage of a mobile device, the method comprising: providing a generic interface for accessing the secure storage; accessing the secure storage using the generic interface by a first application of the mobile device; accessing the secure storage using the generic interface by a second application of the mobile device. 2. Method according to claim 1, wherein the generic interface is implemented as a generic software module, in particular an applet, stored within the secure storage. 3. Method according to claim 2, wherein the generic software module is stored in a read-only portion of the secure storage. 4. Method according to claim 1, wherein the first application is not stored in the secure storage, and wherein the second application is not stored in the secure storage. 5. Method according to claim 2, wherein the generic interface provides access functions comprising first access functions and second access functions for communicating with the secure storage, wherein the second access functions are invocable, by the first application, only after successfully invoking, by the first application, at least one of the first access functions, wherein the second access functions are invocable, by the second application, only after successfully invoking, by the second application, at least one of the first access functions. 6.
Method according to claim 5, wherein the first access functions comprise at least one of: a registration function for generically registering the first ...

13-06-2013 publication date

ANTI-PRYING ENCRYPTED KEYBOARD

Number: US20130148804A1
Assignee: GRG BANKING EQUIPMENT CO., LTD.

A pry-proof encrypted keyboard. The encrypted keyboard comprises a keyboard panel, a lining board assembled under the keyboard panel, a waterproof silicone rubber and a main control panel. Convex rib circles are provided on the circumference of the surface of the lining board attached to the waterproof silicone rubber. The waterproof silicone rubber is extruded by the lining board when the encrypted keyboard is assembled, and the thickness of the corresponding waterproof silicone rubber extruded by the convex rib circles is less than 0.2 mm. The metallic lining board can efficiently prevent a fusion attack from the lateral face of the encrypted keyboard; meanwhile, two convex rib circles are added on the circumference of the surface of the lining board attached to the waterproof silicone rubber, so that the thickness of the waterproof silicone rubber at the grooves is less than 0.2 mm, which is the diameter of the thinnest known needle. Thus attackers cannot easily break through the lining board or the waterproof silicone rubber to reach the inside of the encrypted keyboard; as a result, illegally leading a wire out from the inside of the encrypted keyboard is efficiently prevented, the information of the keyboard is efficiently protected, and the security performance is improved.

1. An anti-poking encryption keyboard, comprising a keyboard panel and a lining plate, a water-proof silicone rubber, a main control board and a bottom board which are assembled below the keyboard panel in sequence, characterized in that a protrusion ring is provided on a periphery of a surface of the lining plate abutting against the water-proof silicone rubber. 2. The anti-poking encryption keyboard according to claim 1, wherein when the anti-poking encryption keyboard is assembled, the lining plate presses the water-proof silicone rubber, and a thickness of the pressed water-proof silicone rubber at a position ...

13-06-2013 publication date

METHOD FOR AUTHENTICATING A PORTABLE DATA CARRIER

Number: US20130151854A1
Author: Meister Gisela
Assignee:

A method for authenticating a portable data carrier to a terminal device employs a public key (PKG) and a secret key (SK) of the data carrier as well as a public session key (PK) and a secret session key (SK) of the terminal device. The data carrier employs as a public key a public group key (PKG). As a secret key the data carrier employs a key (SK) that has been derived from a secret group key (SKG) associated with the public group key (PKG).

1.-16. (canceled) 17. A method for authenticating a portable data carrier to a terminal device while employing a public key (PKG) and a secret key (SK) of the data carrier and a public session key (PK) and a secret session key (SK) of the terminal device, comprising the steps of: using as a public key (PKG) a public group key (PKG), and using as a secret key (SK) a secret key (SK) derived from a secret group key (SKG) associated with the public group key (PKG). 18. The method according to claim 17, wherein before a further execution of the authentication method the secret key (SK) of the data carrier is replaced by a secret session key (SK) of the data carrier that is derived from the secret key (SK). 19. The method according to claim 17, wherein, by means of the public group key (PKG) and the secret key (SK) of the data carrier as well as the public session key (PK) and the secret session key (SK) of the terminal device, a communication key (KK) is agreed on between the data carrier and the terminal device. 20. The method according to claim 17, wherein the public group key (PKG) employed as a public key (PKG) of the data carrier is verified by the terminal device by means of a certificate (C) of the public group key (PKG). 21. The method according to claim 17, wherein the secret key (SK) is derived from the secret group key (SKG) while employing a first random number (RND). 22. The method according to claim 17, wherein the secret session key (SK) of the data carrier is derived ...

13-06-2013 publication date

COMPUTER-READABLE MEDIUM RECORDED WITH INFORMATION PROCESSING PROGRAM, INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING SYSTEM, AND INFORMATION PROCESSING METHOD

Number: US20130152218A1
Assignee: NINTENDO CO., LTD.

An example information processing program causes a computer of an information processing apparatus, which includes a restricting unit that restricts use of software or use of a function of the information processing apparatus by software, to function as: a releasing unit which releases, on a per-software basis, a restriction by the restricting unit even in a state where the restriction by the restricting unit is enabled; and a release continuing unit which makes the release by the releasing unit continuous by permitting reading of release information indicating that the release by the releasing unit is enabled, upon execution of release subject software that is to be subjected to the release.

1. A computer-readable medium recorded with an information processing program that causes a computer of an information processing apparatus including a restricting unit for restricting use of software or use of a function of the information processing apparatus by software, to function as: a releasing unit for releasing, on a per-software basis, a restriction by the restricting unit even in a state where the restriction by the restricting unit is enabled; and a release continuing unit for making the release by the releasing unit continuous by permitting reading of release information indicating that the release by the releasing unit is enabled, upon execution of release subject software that is to be subjected to the release. 2. The computer-readable medium recorded with the information processing program according to claim 1, wherein software to be subjected to a restriction by the restricting unit includes at least a part of the information processing program, and the release continuing unit permits reading of the release information upon execution of the release subject software by at least a part of the information processing program included in the software being executed. 3. The computer-readable medium recorded with the information processing program according to claim 1, ...

20-06-2013 publication date

MEASUREMENT PROBE SYSTEMS FOR CO-ORDINATE POSITIONING APPARATUS

Number: US20130159714A1
Assignee: RENISHAW PLC

A measurement probe, such as a touch trigger measurement probe, is described that comprises a measurement portion for measuring an object and a data transfer portion for receiving data from and/or transmitting data to an associated unit. The measurement device also comprises an authentication module for verifying the authenticity of the associated unit. The authentication module may include a processor for running a one-way hash algorithm. Authenticity may be established using a challenge and response authentication process.

1. A measurement probe system comprising a measurement probe mountable to co-ordinate positioning apparatus, wherein the measurement probe system comprises: the measurement probe having a measurement portion for measuring an object, comprising a deflectable stylus, a data transfer portion for receiving data from and/or transmitting data to an associated unit, and an authentication module for verifying the authenticity of the associated unit. 2. A measurement probe system according to claim 1, wherein the authentication module comprises a processor that, in use, runs an encryption algorithm. 3. A measurement probe system according to claim 2, wherein the encryption algorithm is a one-way hash algorithm. 4. A measurement probe system according to claim 1, wherein the authentication module comprises a random data string generator. 5. A measurement probe system according to claim 1, wherein the authentication module comprises a secure memory for storing a secret key. 6. A measurement probe system according to claim 5, wherein the authentication module verifies the authenticity of the associated unit using a challenge and response process, wherein the challenge and response process confirms that the associated unit holds the same secret key as the secure memory of the authentication module without disclosing the secret key. 7. A measurement probe system according to claim 1, wherein the data transfer portion ...

20-06-2013 publication date

METHOD AND DEVICE FOR CHALLENGE-RESPONSE AUTHENTICATION

Number: US20130160083A1
Assignee: 3M INNOVATIVE PROPERTIES COMPANY

Method of performing a challenge-response process, comprising, in this sequence, the steps of a) providing a first challenge-response pair on a source device, assigned to a responding device; b) loading the first challenge-response pair from the source device to a challenging device, while the source device is operationally connected to the challenging device; c) performing a challenge-response process between the challenging device and the responding device to which the first challenge-response pair is assigned; d) loading one or more second challenge-response pairs from a source device to the challenging device, while the source device is operationally connected to the challenging device; wherein the step of loading the first challenge-response pair from the source device to a challenging device is performed before the challenging device has received any information from one of the responding devices to which the first challenge-response pair is assigned.

1. Method of performing a challenge-response process, comprising, in this sequence, the steps of a) providing a first challenge-response pair on a source device, wherein the first challenge-response pair is assigned to one or more responding devices; b) loading the first challenge-response pair from the source device to a challenging device, while the source device is operationally connected to the challenging device; c) performing a challenge-response process between the challenging device and one of the one or more responding devices to which the first challenge-response pair is assigned, using the first challenge-response pair, which is assigned to the responding device; d) loading one or more second challenge-response pairs from a source device to the challenging device, while the source device is operationally connected to the challenging device, characterized in that the step of loading the first challenge-response pair from the source device ...

27-06-2013 publication date

METHOD FOR MANAGING ACCESS TO PROTECTED COMPUTER RESOURCES

Number: US20130167204A1
Assignee: PRISM TECHNOLOGIES LLC

A method for controlling access to protected computer resources provided via an Internet Protocol network includes registering identity data of a subscriber identity module associated with at least one client computer device; storing (i) identity data of at least one access server, (ii) the identity data of a subscriber identity module, and (iii) authorization data regarding the protected computer resources; receiving the identity data of a subscriber identity module, and a request for the protected computer resources; authenticating (i) the identity data of the at least one access server, and (ii) the identity data of a subscriber identity module; authorizing the at least one client computer device to receive at least a portion of the protected computer resources; and permitting access to the at least the portion of the protected computer resources (i) upon successfully authenticating the identity data of the at least one access server and the identity data of a subscriber identity module associated with the at least one client computer device, and (ii) upon successfully authorizing the at least one client computer device.

1. A method for controlling access to protected computer resources provided via a network utilizing at least one Internet Protocol, the method comprising: registering, by at least one authentication server, identity data of a subscriber identity module associated with at least one client computer device; storing, by the at least one authentication server in an associated database, (i) identity data of at least one access server, (ii) the identity data of a subscriber identity module associated with the at least one client computer device, and (iii) authorization data associated with the protected computer resources; receiving, by the at least one access server, (i) the identity data of a subscriber identity module associated with the at least one client computer device and (ii) a request for the protected computer resources from the at least ...

11-07-2013 publication date

Providing Integrity Verification And Attestation In A Hidden Execution Environment

Number: US20130179693A1
Assignee:

In one embodiment, a processor includes a microcode storage including processor instructions to create and execute a hidden resource manager (HRM) to execute in a hidden environment that is not visible to system software. The processor may further include an extend register to store security information including a measurement of at least one kernel code module of the hidden environment and a status of a verification of the at least one kernel code module. Other embodiments are described and claimed.

1. An article comprising a machine-accessible storage medium including instructions that when executed cause a system to: receive an attestation request and a nonce from a verifier to attest to a hidden environment of the system executed using a hidden resource manager (HRM) implemented in microcode of a processor, wherein the hidden environment is not visible to system software; generate a signed attestation record responsive to the attestation request directly in the processor via the microcode and without communication with an agent coupled to the processor via an interconnect; and provide the signed attestation record to the verifier. 2. The article of claim 1, further comprising instructions to receive the attestation request in a kernel of the hidden environment and access a launch history of an application associated with the attestation request, hash the launch history and provide the nonce and the hashed launch history to the HRM. 3. The article of claim 2, further comprising instructions to generate, using the HRM, the attestation record including an owner identifier of the system, the owner identifier created by an owner of the system, a measurement of a launch control policy, a measurement of at least one kernel of the hidden environment, and to sign the attestation record with a private key. 4. The article of claim 3, further comprising instructions to transmit the signed attestation record to the ...

11-07-2013 publication date

INFORMATION PROCESSING SYSTEM CONTROL METHOD, INTERMEDIATE SERVICE DEVICE, AUTHENTICATION METHOD, AND STORAGE MEDIUM

Number: US20130179961A1
Author: Abe Koichi
Assignee: CANON KABUSHIKI KAISHA

Provided is a method for controlling an information processing system including a relay service device, an intermediate service device, and an authentication service device. The control method includes transmitting an authentication request from the intermediate service device to the intermediate service device; acquiring a first access token from the authentication service device that has made a success of authentication; storing the first access token; comparing the stored first access token with a second access token included in an execution request of a relation processing upon reception of the processing execution request from the relay service; and executing processing received from the intermediate service device when it is determined in the comparing that the first access token matches the second access token, or not executing the processing when it is determined in the comparing that the first access token does not match the second access token.

1. A method for controlling an information processing system, wherein the information processing system comprises a relay service device that performs relay processing related to a service provided from a provision device to a user via a network, an intermediate service device that communicates with the relay service device and performs relation processing related to the service, and an authentication service device that receives an authentication request from the intermediate service device and performs authentication processing, the method comprising: transmitting, by the relay service device, an authentication request or an execution request of the relation processing to the intermediate service device; transmitting, by the intermediate service device, the authentication request from the relay service device to the authentication service device; acquiring, by the intermediate service device, a first access token from the authentication service device that has made a success of authentication; storing, by the ...

08-08-2013 publication date

COMMUNICATION APPARATUS, SERVER APPARATUS, RELAY APPARATUS, CONTROL APPARATUS, AND COMPUTER PROGRAM PRODUCT

Number: US20130205378A1
Assignee: KABUSHIKI KAISHA TOSHIBA

According to an embodiment, a communication apparatus is connected to a server apparatus that issues first authentication information used in communication. The communication apparatus includes a receiving unit configured to receive an execution instruction to execute a bootstrap authentication process of issuing the first authentication information. The bootstrap authentication process includes validation of capability information indicating a capability of the communication apparatus. The communication apparatus also includes a first authentication processing unit configured to execute the bootstrap authentication process with the server apparatus based on second authentication information including the capability information, when the receiving unit receives the execution instruction.

1. A communication apparatus connected to a server apparatus that issues first authentication information used in communication, comprising: a receiving unit configured to receive an execution instruction to execute a bootstrap authentication process of issuing the first authentication information, the bootstrap authentication process including validation of capability information indicating a capability of the communication apparatus; and a first authentication processing unit configured to execute the bootstrap authentication process with the server apparatus based on second authentication information including the capability information when the receiving unit receives the execution instruction. 2. The communication apparatus according to claim 1, wherein the first authentication processing unit receives the first authentication information from the server apparatus when the bootstrap authentication process for the communication apparatus results in success, and the communication apparatus further comprises a second authentication processing unit configured to execute a communication authentication process of communicating with an external apparatus with the external apparatus based ...

08-08-2013 publication date

AUTHENTICATION METHOD BETWEEN CLIENT AND SERVER, MACHINE-READABLE STORAGE MEDIUM, CLIENT AND SERVER

Number: US20130205379A1
Assignee:

An authentication method between a server and a client is provided. The authentication method includes transmitting, to the client, an inquiry message including a first modified secret key generated based on a first secret key and a first blinding value, receiving, from the client, a response message including a response value generated based on the first blinding value, a second secret key, and an error value, calculating the error value from the response value, and determining whether authentication of the client has succeeded based on the error value.

1. An authentication method between a server and a client, the authentication method comprising: transmitting, to the client, an inquiry message including a first modified secret key generated based on a first secret key and a first blinding value; receiving, from the client, a response message including a response value generated based on the first blinding value, a second secret key, and an error value; calculating the error value from the response value; and determining whether authentication of the client has succeeded based on the error value. 2. The authentication method of claim 1, wherein the first secret key and the second secret key are shared between the client and the server. 3. The authentication method of claim 1, wherein the determining of whether authentication of the client has succeeded comprises: comparing a total number of 0s or 1s in the error value with a pre-established threshold; and determining whether authentication of the client has succeeded based on a result of the comparing. 4. The authentication method of claim 1, wherein the determining of whether authentication of the client has succeeded comprises: comparing a Hamming weight of the error value with a pre-established threshold; and determining the authentication of the client as a success when the Hamming weight is less than or equal to the pre-established threshold. 5. The authentication method of claim 1, further comprising: transmitting, ...

15-08-2013 publication date

Resilient Device Authentication System

Number: US20130212642A1
Assignee: Individual

A resilient device authentication system comprising: one or more verification authorities (VAs) including a memory loaded with a complete verification set that includes hardware part-specific data, and configured to create a limited verification set (LVS) therefrom; one or more provisioning entities (PEs) each connectable to at least one of the VAs, including a memory loaded with a LVS, and configured to select a subset of data therefrom so as to create an application limited verification set (ALVS); and one or more device management systems connectable to at least one of the PEs, including a memory loaded with an ALVS, and configured to manage device security-related applications through the performance of security-related functions on devices associated with the hardware part-specific data.

15-08-2013 publication date

Information Management System And Device

Number: US20130212714A1
Author: Ee Fook Choon, Goh Kim Yam

The present invention relates to an information management system, and in particular to a portable information management device. The device includes a housing having a first surface and a second surface, said first and second surfaces securely enclosing electronic componentry of the device, wherein the electronic componentry includes: a data storage device for storing information about a person or asset; and a processor for transferring the information from the data storage device to an external device via a communication means, wherein the communication means includes: an antenna to allow contactless transfer of the information; and an input/output interface to allow transfer of the information via physical means.

1. A portable information management device comprising: a housing having a first surface and a second surface, said first and second surfaces securely enclosing electronic componentry of the device, wherein the electronic componentry comprises: a data storage device for storing information about a person or asset, said data storage device comprising a memory having a plurality of secure memory segments configured to store selected information in separate memory segments; and a processor for transferring the information from the data storage device to an external device via a communication means, wherein the communication means comprises an antenna to allow contactless transfer of the information; and an input/output interface to allow transfer of the information via physical means. 2. A portable information management device according to claim 1, wherein said plurality of secure memory segments are configured with different levels of security access. 3. A portable information management device according to claim 1, wherein the antenna is configured to allow transfer of information when either the first or second surface is in close proximity to a reader. 4. A portable information management device according to claim 1, wherein said housing is marked with ...

22-08-2013 publication date

Determine Authorization of a Software Product Based on a First and Second Authorization Item

Number: US20130219190A1
Author: Selig Calvin L.
Assignee:

Embodiments disclosed herein relate to determining authorization of a software product based on a first authorization item and a second authorization item. Each authorization item may be a file or a registry key. A processor may determine whether use of the software product is authorized at a particular time period by comparing a first authorization item and a second authorization item.

1. A computing system to determine authorization of a software product based on a first and second authorization item, comprising: an electronic device comprising a processor to: create a first authorization item when a software product is installed; create a second authorization item when the software product is executed for the first time, wherein each authorization item comprises a file stored in a storage or a registry key stored in a registry; determine whether use of the software product is authorized at a particular time based on a comparison of the first authorization item and the second authorization item; and prevent use of the software product if determined that use of the software product is not authorized. 2. The computing system of claim 1, wherein creating the second authorization item comprises: determining whether the first authorization item indicates that the second authorization item should exist; determining whether the second authorization item exists; if determined that the second authorization item should not exist and determined that the second authorization item exists, preventing use of the software product; and if determined that the second authorization item should not exist and determined that the second authorization item does not exist, creating the second authorization item. 3. The computing system of claim 1, wherein comparing the first authorization item and the second authorization item comprises: determining whether the second authorization item exists; and if determined that the second ...

12-09-2013 publication date

METHODS FOR FIRMWARE SIGNATURE

Number: US20130238886A1
Assignee: ROCKWELL AUTOMATION TECHNOLOGIES, INC.

A method for installing embedded firmware is provided. The method includes generating one or more firmware file instances and generating one or more digital certificate instances that are separate instances from the firmware file instances. The method includes associating the one or more digital certificate instances with the one or more firmware file instances to facilitate updating signature-unaware modules with signature-aware firmware or to facilitate updating signature-aware modules with signature-unaware firmware.

1. A method, comprising: receiving, by a first device, signature unaware firmware code; installing, by the first device via boot code, the signature unaware firmware code on the first device, wherein the boot code is configured for installation of a signature aware firmware code or the signature unaware firmware code to the first device and is not configured for signature aware firmware code. 2. The method of claim 1, wherein installing the signature unaware firmware code further comprises verifying that the signature unaware firmware code is received from a second device associated with a user that has physical access to the first device. 3. The method of claim 2, wherein the verifying further comprises employing at least one feedback mechanism to ensure that the user has physical access to the first device. 4. The method of claim 1, wherein installing the signature unaware firmware code further comprises verifying that the signature unaware firmware code is received from a proxy module located remotely from the first device, where the proxy module has verified the signature unaware firmware code. 5. The method of claim 1, wherein installing the signature unaware firmware code further comprises receiving from a proxy module that intercepted a request to install the signature unaware firmware code on the first device, a signed certificate containing generated by the proxy module. 6. The method of claim 5, wherein installing the ...

12-09-2013 publication date

METHOD AND APPARATUS FOR SECURING MOBILE APPLICATIONS

Number: US20130239192A1
Assignee: RAPsphere, Inc.

A non-transitory processor-readable medium stores code that represents instructions to be executed by a processor. The code includes code to receive an object code of a first application. The first application is defined by an author different from an author of a second application. The code also includes code to dynamically load at least two intercept points into the object code of the first application, using the second application. The code further includes code to, responsive to a read request for data by the first application, intercept the read request by at least one of the two intercept points. The code further includes code to determine, in response to intercepting the read request, whether or not access to read the data is authenticated. The code further includes code to send a signal to provide the data to the first application, based on the determining.

1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to: receive an object code of a first application, the first application defined by an author different from an author of a second application; dynamically load at least two intercept points into the object code of the first application, using the second application; responsive to a read request for data by the first application, intercept the read request by at least one of the two intercept points; determine, in response to intercepting the read request, whether or not access to read the data is authenticated; and send a signal to provide the data to the first application, based on the determining. 2. The non-transitory processor-readable medium of claim 1, the code further comprising code to cause the processor to: define a password input on a mobile device associated with the first application; receive a password signal associated with the password input, the password signal having authentication information; and analyze the password signal to ...

19-09-2013 publication date

APPARATUS AND METHOD OF CONTROLLING PERMISSION TO APPLICATIONS IN A PORTABLE TERMINAL

Number: US20130247177A1
Assignee: Samsung Electronics Co., Ltd

An apparatus and method of controlling permission to an application in a portable terminal, the apparatus including a controller for, when requested for an invocation of a specific function provided by a framework during an execution of a specific application, determining whether a permission for the specific function is obtained using the specific application's user ID and process ID, and if the permission for the specific function is determined to be restricted, displaying a first message indicating that the permission is restricted.

1. An apparatus configured to control permission to an application in a portable terminal, the apparatus comprising: a display; and a controller configured to, when requested for an invocation of a specific function provided by a framework during an execution of a specific application, determine whether a permission for the specific function is obtained using a user ID and a process ID of the specific application; and when the permission for the specific function is determined to be restricted, display a first message indicating that the permission is restricted. 2. The apparatus of claim 1, wherein the controller is configured to display a name of the specific function together with the first message. 3. The apparatus of claim 1, wherein the controller is configured to store permission restriction information that includes a permission-restricted specific function corresponding to the specific application's package name, when requested for restricting the permission for the specific function. 4. The apparatus of claim 1, wherein the controller is configured to: identify the user ID and the process ID; search for process information that includes information about a currently executing process in the portable terminal; search for application information using the process information and the process ID; identify the package name of the specific application using the application information and the user ID; identify the permission ...

Publication date: 26-09-2013

INFORMATION PROCESSING SYSTEM, INFORMATION PROCESSOR, IMAGE FORMING APPARATUS, AND INFORMATION PROCESSING METHOD

Number: US20130254903A1
Author: ARAKI Ryoji

An information processing system including multiple apparatuses capable of executing one or more applications and an information processor connected to the apparatuses through a first network is disclosed. The information processing system includes a license status information obtaining part configured to obtain the license status information of the applications installed in each of the apparatuses from the corresponding apparatuses through the first network, a license data obtaining part configured to obtain license data authorizing usage of the applications from a computer connected through a second network based on the license status information, and a license data delivery part configured to deliver the license data to each of the apparatuses.

1. (canceled)
2. An information processing system, comprising: an apparatus capable of installing a plurality of applications; and an information processor connected to the apparatus via a first network, wherein the information processor includes a license data obtaining part configured to obtain license data from a computer connected to the information processor via a second network, wherein the license data include application identification information for identifying an application and apparatus information identifying an apparatus authorized to use the application in correlation with each other; and a license data transmission part configured to transmit the license data to the apparatus, and wherein the apparatus includes a license data storage part configured to receive and store the license data transmitted by the license data transmission part; and a determination part configured to determine, in response to a request to use an installed application, whether the apparatus is authorized to use the installed application based on the apparatus information and the application identification information included in the license data.
3. The information processing system as claimed in claim 2, wherein the ...

Publication date: 03-10-2013

DATA PACKET GENERATOR FOR GENERATING PASSCODES

Number: US20130263235A1
Author: Daigle Mark R.
Assignee: WHEREPRO, LLC

A data packet generator periodically generates a data packet including a passcode comprising a plurality of characters. The data packet is sent to a server or a computing device for validation. If validated, the data packet is used, for example, to identify the location of a user or device. Additional systems and methods involving such a data packet generator are also disclosed.

1. A data packet generator comprising: a processing device; memory storing data instructions, which when executed by the processor cause the processor to periodically generate a passcode, the passcode including a plurality of characters; an output device that outputs a data packet including a passcode; and an attachment device configured for semi-permanent attachment to an object.
2. The data packet generator of claim 1, wherein the output device is a display device.
3. The data packet generator of claim 1, wherein the output device is a digital data communication device selected from a wired communication device and a wireless communication device.
4. The data packet generator of claim 3, wherein the data packet further includes data selected from a serial number, a second passcode, a temperature, a humidity, a username, a distance-to-floor, a GPS coordinate, data received from a neighboring data packet generator, and a tamper code.
5. The data packet generator of claim 3, wherein the output device is a wireless communication device configured to transmit the data packet in a service set identifier.
6. The data packet generator of claim 1, wherein the plurality of characters is in a range from five to ten characters.
7. The data packet generator of claim 1, wherein the attachment device includes one or more of a screw, a bolt, a nail, and adhesive.
8. The data packet generator of claim 1, wherein the attachment device is configured for attachment to a worksurface and is configured to be removed ...

Publication date: 10-10-2013

NON-INVASIVE SAFETY WRAPPER FOR COMPUTER SYSTEMS

Number: US20130269044A1
Author: Pont Michael
Assignee: TTE Systems Limited

A processing system comprising: a first processor adapted to perform one or more tasks according to a predetermined schedule and generate one or more first outputs; and a second processor synchronised with the first processor; wherein the second processor is adapted to receive the one or more first outputs and generate one or more corresponding second outputs when the timing of the one or more first outputs corresponds with the predetermined schedule.

1. A processing system comprising: a first processor adapted to perform one or more tasks according to a predetermined schedule and generate one or more first outputs; a second processor synchronised with the first processor; and wherein the second processor is adapted to receive the one or more first outputs and generate one or more corresponding second outputs when the timing of the one or more first outputs corresponds with the predetermined schedule.
2. A processing system according to claim 1, wherein the first processor and the second processor are implemented on separate chips or on separate soft or hard processor cores within a single processor.
3. A processing system according to claim 1, wherein the first processor and the second processor are synchronised by a clock link which provides one or more timer ticks to either or both processors.
4. A processing system according to claim 3, wherein the second processor provides one or more timer ticks via the clock link to the first processor.
5. A processing system according to claim 3, wherein the first processor provides one or more timer ticks via the clock link to the second processor.
6. A processing system according to claim 3, wherein the system further comprises a clock source which provides one or more timer ticks via the clock link to both the first processor and the second processor.
7. A processing system according to claim 3, wherein the timer ticks are provided by an operating system configured to execute one or more tasks at predetermined times.
8. A ...

Publication date: 17-10-2013

AUTHENTICATED LAUNCH OF VIRTUAL MACHINES AND NESTED VIRTUAL MACHINE MANAGERS

Number: US20130276057A1

An embodiment of the invention provides for an authenticated launch of VMs and nested VMMs. The embodiment may do so using an interface that invokes a VMM protected launch control mechanism for the VMs and nested VMMs. The interface may be architecturally generic. Other embodiments are described herein.

1. An article comprising a non-transient machine-accessible storage medium including instructions that when executed enable a system to: launch a first virtual machine manager (VMM); authenticate a launch of a second VMM; and nest the second VMM within the first VMM.
2. The article of including instructions that enable the system to: authenticate a launch of a first virtual machine (VM); and manage the first VM with one of the first VMM and the second VMM.
3. The article of wherein the first VMM is a root VMM launched via a non-reentrant secure boot.
4. The article of claim 1, wherein authenticating the launch of the second VMM includes bypassing the first VMM while both (a) invoking a second launch control policy module (LCPM), and (b) using a hardware security attestation module.
5. The article of claim 4, wherein the hardware security attestation module includes a trusted platform module (TPM).
6. The article of claim 1, including instructions that enable the system to evaluate a second launch control policy (LCP), associated with the second VMM, via a second launch control policy module (LCPM).
7. The article of claim 6, including instructions that enable the system to perform, via the second LCPM, an integrity measurement of the second VMM and authenticate the measurement via the second LCP.
8. The article of including instructions that enable the system to: extend the measurement into a platform configuration register (PCR) included in a trusted platform module (TPM); and update a log based on extending the measurement into the PCR.
9. The article of including instructions that enable the system to load the second LCPM into protected memory and ...

Publication date: 17-10-2013

Electronic physical unclonable functions

Number: US20130276059A1
Assignee: Lewis Innovative Technologies, Inc.

An electronic asymmetric unclonable function applied to an electronic system being evaluated includes an electronic system and an AUF array electronically associated with the electronic system. The AUF array includes a plurality of non-identical cells. Each of the non-identical cells includes a test element representing a characteristic of the electronic system being evaluated and a measurement device evaluating the test element. A comparison unit processes an output of the measurement device to provide a multi-bit output value representing a magnitude of differences.

Publication date: 17-10-2013

METHOD AND SYSTEM FOR PROVIDING INTERNET SERVICES

Number: US20130276071A1

A service integration platform system for providing Internet services includes: an interface configured to receive a service request message that is initiated by a user of an application provided by an Independent Software Vendor (ISV), the service request message being implemented according to an Application Programming Interface (API) type and including a plurality of platform-level parameters that conform to the API type. The system further includes one or more processors coupled to the interface, configured to: locate a set of authentication checks that are appropriate for the API type, based at least in part on the plurality of platform-level parameters included in the service request message and a mapping of predefined combinations of platform-level parameters and corresponding sets of authentication checks; perform authentication of the service request according to the set of authentication checks; and route the service request to a service address of the Internet Service Provider (ISP) in the event that the service request is authenticated.

1. A method for providing web services with a service integration platform comprising: receiving a service request message that is initiated by a user of an application provided by an Independent Software Vendor (ISV), the service request message being implemented according to an Application Programming Interface (API) type and including a plurality of platform-level parameters that conform to the API type, wherein the API type is one of a plurality of possible API types; the plurality of platform-level parameters comprise an Appkey associated with the application provided by the ISV; the Appkey is a parameter issued to the application provided by the ISV and is not modifiable by the application provided by the ISV; and the Appkey is a proof of identity that identifies the web services the application provided by the ISV is allowed to access; for each possible API type there is a corresponding set of ...

Publication date: 17-10-2013

STATELESS ATTESTATION SYSTEM

Number: US20130276081A1
Author: Bogner Etay, Weiss Yoav

A method includes assessing a trustworthiness level of a user computer by communication between the user computer and a first server. A record indicating the trustworthiness level is sent from the first server to the user computer, for storage by the user computer. A request is sent from the user computer to a second server, different from the first server, for a service to be provided to the user computer by the second server. The record is provided from the user computer to the second server by communicating between the user computer and the second server. At the second server, the trustworthiness level is extracted from the record, and the requested service is conditionally allowed to be provided to the user computer depending on the extracted trustworthiness level.

1-24. (canceled)
25. A method comprising: requesting from a user computer access to a service of a first server over a network; receiving an attestation request from the first server in response to requesting access to the service; sending a locally-stored attestation record from the user computer to the first server in response to the attestation request, wherein the locally-stored attestation record is previously received from an attestation server separate from the first server, and wherein the attestation record is stored locally in a secure storage device; and receiving access to the service in response to the first server verifying the attestation record received from the user computer.
26. The method of claim 25, wherein sending the locally-stored attestation record further comprises: obtaining the record from a trusted platform module (TPM) of the user computer.
27. The method of claim 25, wherein the locally-stored attestation record is received in response to the attestation server verifying trustworthiness of the user computer.
28. The method of claim 27, further comprising: the user computer sending configuration information of the user computer to the attestation server to cause the ...

Publication date: 17-10-2013

ELECTRONIC PHYSICAL UNCLONABLE FUNCTIONS

Number: US20130276151A1

An electronic asymmetric unclonable function applied to an electronic system being evaluated includes an electronic system and an AUF array electronically associated with the electronic system. The AUF array includes a plurality of non-identical cells. Each of the non-identical cells includes a test element representing a characteristic of the electronic system being evaluated and a measurement device evaluating the test element. A comparison unit processes an output of the measurement device to provide a multi-bit output value representing a magnitude of differences.

1. An unclonable function, comprising: a plurality of ring oscillator structures, each ring oscillator structure including a multiplexer, an inverter, groups of delay elements, a binary counter, and routing resources; and a comparison unit to which output of each binary counter of the plurality of ring oscillator structures is routed, wherein output of the comparison unit is a multi-bit value.

This application claims the benefit of U.S. Provisional Application Ser. No. 61/624,023, entitled “ELECTRONIC PHYSICAL UNCLONABLE FUNCTIONS,” filed Apr. 13, 2012.

1. Field of the Invention
This invention relates to technologies for authentication of electronic devices and systems. Specifically, this invention deals with electronic Physical Unclonable Function (PUF) technology.

2. Description of the Related Art
A Physical Unclonable Function (PUF) is a device or structure (physical, electronic, chemical, etc.) that is easily implemented but difficult to counterfeit. A PUF could be an ink smear that is well documented and difficult to replicate. Some PUFs are implemented as drops of clear lacquer with multi-color glitter embedded (see Tuyls, Schrijen, Geloven, Verhaegh, Wolters, “Read-Proof Hardware from Protective Coatings,” CHES 2006, volume 4249, pages 369-383, Springer, Oct. 10-13, 2006). The glittered lacquer is easy to apply but it is obviously difficult to replicate any specific glitter pattern that is ...

Publication date: 24-10-2013

Method of managing virtual computer, computer system and computer

Number: US20130283367A1
Assignee: HITACHI LTD

A method of managing a virtual computer in a computer system including a plurality of computers, each of the computers storing a program for realizing a virtualization management module for managing a virtual computer and including a management storage area that is accessible only by the virtualization management module, the management storage area storing start-up management information representing a correspondence among identification information on the virtual computer, identification information on a logical storage area storing a service program, and start-up authentication information for starting the virtual computer. The method includes: a step of referring to the start-up management information to determine whether the start-up authentication information corresponding to the virtual computer exists, in a case of receiving a start-up request; and a step of reading the service program from the logical storage area and executing the read service program, in a case where it is determined that the start-up authentication information exists.

Publication date: 24-10-2013

Providing A Multi-Phase Lockstep Integrity Reporting Mechanism

Number: US20130283369A1

In one embodiment, a processor can enforce a blacklist and validate, according to a multi-phase lockstep integrity protocol, a device coupled to the processor. Such enforcement may prevent the device from accessing one or more resources of a system prior to the validation. The blacklist may include a list of devices that have not been validated according to the multi-phase lockstep integrity protocol. Other embodiments are described and claimed.

1. A processor comprising: a plurality of cores and an uncore logic, wherein the processor is to enforce a blacklist and to validate a device coupled to the processor according to a multi-phase lockstep integrity protocol in which the processor and the device each perform an integrity protocol, the blacklist including a list of devices that have not been validated according to the multi-phase lockstep integrity protocol, the processor to act as a master to perform at least a portion of the multi-phase lockstep integrity protocol, and to extend a first trusted platform module (TPM) platform configuration register (PCR) responsive to an authority value read from a policy entry of a table of the device written by the device after the device has completed at least a portion of a first phase of the multi-phase lockstep integrity protocol.
2. The processor of claim 1, wherein the first phase includes a verification by the device of firmware.
3. The processor of claim 2, wherein the master is to extend a second TPM PCR responsive to a detail value read from a detail entry of the table written by the device after the device has completed at least a portion of a second phase of the multi-phase lockstep integrity protocol.
4. The processor of claim 3, wherein the second phase includes measurement of an image manifest by the device.
5. The processor of claim 3, wherein the table includes a plurality of entries each having a type field to indicate a type of measurement stored in the entry, a length field to indicate a length of a ...

Publication date: 24-10-2013

METHOD AND SYSTEM FOR MONITORING CALLS TO AN APPLICATION PROGRAM INTERFACE (API) FUNCTION

Number: US20130283370A1

A method and device for monitoring calls to an application program interface (API) function includes monitoring for a memory permission violation of a computing device caused by the API function call. If a memory permission violation occurs, control of the computing device is transferred to a virtual machine monitor to intervene prior to execution of the API function. The virtual machine monitor may perform one or more actions in response to the API function call.

1-24. (canceled)
25. A computing device comprising: a processor; and a memory having stored therein a plurality of instructions that, in response to being executed by the processor, causes the processor to: set a memory permission of an extended page table (EPT) to cause an error in response to an attempted execution of a monitored application programming interface (API) function located in a memory page associated with the EPT; and generate an EPT permission violation error in response to the attempted execution of the monitored API function.
26. The computing device of claim 25, wherein the memory permission indicates that the memory page includes non-executable code.
27. The computing device of claim 25, wherein the plurality of instructions further causes the processor to transfer control to a virtual machine monitor (VMM) of the computing device in response to the EPT permission violation error.
28. The computing device of claim 27, wherein the plurality of instructions further causes the processor to determine whether the call to the monitored API function is made to perform a malicious activity on the computing device.
29. The computing device of claim 28, wherein to determine whether the call to the monitored API function is malicious comprises to invoke an error handler with the VMM to manage the EPT permission violation error.
30. The computing device of claim 28, wherein the instructions further cause the processor to at least one of (i) prevent execution of the monitored API function in response to ...

Publication date: 24-10-2013

METHOD AND DEVICE FOR CONTROLLING ACCESS TO A COMPUTER SYSTEM

Number: US20130283371A1
Assignee: ELECTRICITE DE FRANCE

A device for controlling access to a computer system, the device comprising at least one multifunctional port capable of being connected to various categories of peripherals and an access interface capable of being connected to the computer system, wherein the device comprises access management means connected between the multifunctional port and the interface, the access management means being physically configured to authorize the interface access by means of a peripheral connected to the multifunctional port, only if said peripheral belongs to a category of peripherals specifically and permanently associated with the multifunctional port to which it is connected.

1. A device for controlling access to a computer system, the device comprising at least one multifunctional port capable of being connected to different categories of peripherals and an access interface capable of being connected to the computer system, wherein the device is characterized in that it comprises access management means connected between the multifunctional port and the interface, the access management means being physically configured to authorize access to the interface by means of a peripheral connected to the multifunctional port only if said peripheral belongs to a category of peripherals specifically and permanently associated with the multifunctional port to which it is connected.
2. The device according to claim 1, wherein the device comprises a first and a second multifunctional port, and the access management means are physically configured to authorize access to the interface by means of a peripheral connected to the first multifunctional port only if said peripheral belongs to a first category of peripherals specifically and permanently associated with the first multifunctional port and to authorize access to the interface by means of a peripheral connected to the second multifunctional port only if said peripheral belongs to a second category of peripherals ...

Publication date: 31-10-2013

AUTHENTICATION DEVICE AND SYSTEM

Number: US20130290735A1
Assignee: NXP B.V.

A public key architecture includes a dual certificate hierarchy which facilitates two independent authentication functions. One of the authentication functions authenticates an authentication device to a verification device. The other authentication function authenticates a configuration device to the authentication device. In some embodiments, the authentication process uses a lightweight certificate formed in conjunction with a lightweight signature scheme.

1. An authentication method comprising: storing a device authentication private key on an authentication device; storing a device authentication public key certificate on the authentication device, wherein the device authentication private key and the device authentication public key certificate facilitate authentication of the authentication device to a verification device according to a device authentication protocol; and storing a configuration root certificate on the authentication device, wherein the configuration root certificate facilitates authentication of a configuration device to the authentication device according to a configuration authentication protocol.
2. The authentication method of claim 1, further comprising: receiving, at the authentication device, a configuration public key certificate from the configuration device; and determining, at the authentication device, whether the configuration device has a configuration private key corresponding to the configuration public key certificate.
3. The authentication method of claim 2, further comprising: receiving, at the authentication device, a configuration parameter from the configuration device; and storing the configuration parameter on the authentication device in response to a determination at the authentication device that the configuration device has the configuration private key.
4. The authentication method of claim 3, wherein the configuration parameter from the configuration device comprises identification information for the ...

Publication date: 31-10-2013

Location Bound Secure Domains

Number: US20130291091A1
Author: McGuire James B., Jr.

A telecommunications apparatus has secure operation based on geographic location. A positioning mechanism determines a geographic location for the telecommunications apparatus. A processor identifies a secure domain and determines an availability of an application programming interface for the secure domain based on the geographic location, wherein at certain geographic locations access to the application programming interface is restricted, and at other geographic locations access to the application programming interface is unrestricted.

1. A method for location bound secure domains in a mobile client device, comprising: identifying a secure domain for a mobile client device; determining the geographic location of the mobile client device; and limiting the availability of a native function on the device based on the geographic location.
2. The method of claim 1, wherein the mobile client device can obtain an allowed permission by which unfettered access to an API is permitted based upon the geographic location of the mobile client device.
3. The method of claim 1, wherein the mobile client device further includes a selective user permission, granting access upon user approval, in a secure domain.
4. The method of claim 1, wherein the mobile client device further includes a selective user permission, in a secure domain, barring access to an API upon access denial.
5. The method of claim 1, further comprising multiple interaction modes, including access to an API for the length of installation.
6. The method of claim 1, further comprising multiple interaction modes, including access to an API for a limited predetermined period of time.
7. The method of claim 1, further comprising multiple interaction modes, including a mode requiring permission request for each use of the API.
8. A telecommunications apparatus with secure operation based on geography, comprising: a positioning mechanism that determines a ...

Publication date: 14-11-2013

System and Method for Enabling Seamless Transfer of a Secure Session

Number: US20130305350A1

An information handling system includes a memory and a processor to execute instructions stored in the memory, which causes the processor to at least: send identification information to a second information handling system in response to an identification request broadcast from the second information handling system via a short-range communication; receive first authentication information for a local application and a remote service from the second information handling system; receive a copy of the local application; authenticate a user for the copy of the local application and for the remote service prior to the user logging on to the information handling system; receive second authentication information from the user to access the information handling system; authenticate the user to the information handling system; and automatically initiate a secure session between the copy of the local application and the remote service when the user is authenticated to the information handling system.

1. An information handling system comprising: a memory; and a ... receive first authentication information for a local application and a remote service from a second information handling system via a short-range communication; receive a copy of the local application, wherein the copy of the local application includes session data from a secure session between the local application and the remote service, and keys used to encrypt and decrypt information sent during the secure session; authenticate a user for the copy of the local application and for the remote service prior to the user logging on to the information handling system based on the first authentication information; authenticate the user to the information handling system based on second authentication information received from the user; and automatically initiate a secure session between the copy of the local application and the remote service when the user is authenticated to the information handling system.

Publication date: 21-11-2013

Embedded multimediacard and electronic device using the same, and engineering board for embedded multimediacard

Number: US20130312123A1
Author: Yu-Wei Chyan
Assignee: Silicon Motion Inc

An embedded MultiMediaCard (eMMC), an electronic device equipped with an eMMC and an eMMC engineering board are disclosed. The eMMC includes an eMMC substrate plate, a plurality of solder balls and an eMMC chip. The solder balls are soldered to the eMMC substrate plate, and one of the solder balls is designed as a security protection enable/disable solder ball. The eMMC chip is bound to the eMMC substrate plate, and the eMMC chip has a security protection enable/disable pin electrically connected to the security protection enable/disable solder ball. The security protection enable/disable pin is internally pulled high by the eMMC chip when the security protection enable/disable solder ball is floating. When the security protection enable/disable solder ball is coupled to ground, the eMMC is protected from software-based attacks.

Publication date: 28-11-2013

Authenticate a Hypervisor with Encoded Information

Number: US20130318595A1

Disclosed embodiments relate to authenticating a hypervisor with encoded hypervisor information. In one embodiment, booting firmware includes instructions to determine whether a received hypervisor is an authentic hypervisor. In one embodiment, booting firmware includes instructions to determine whether the received hypervisor is in a selected configuration. In one embodiment, booting firmware includes instructions to determine whether the received hypervisor is a selected version.

1. An electronic device for authenticating a hypervisor, comprising: a hypervisor; firmware to determine whether a hypervisor is an authentic hypervisor based on encoded hypervisor authentication information; and if determined that the received hypervisor is not the authentic hypervisor, perform at least one of terminating the boot process or providing an error message; and a processor to execute the firmware during the boot process of the electronic device.
2. The electronic device of claim 1, wherein the encoded authentication information comprises a digital signature.
3. The electronic device of claim 2, wherein determining whether a received hypervisor is an authentic hypervisor comprises verifying the digital signature with a public key.
4. The electronic device of claim 1, wherein the firmware comprises a setting indicating whether to determine if the received hypervisor is authentic.
5. The electronic device of claim 1, wherein the firmware further: determines whether the hypervisor received during the boot process is in a selected configuration by comparing the configuration of the received hypervisor to encoded configuration information; and if determined that the hypervisor is not in the selected configuration, performs at least one of terminating the boot process or providing an error message.
6. The electronic device of claim 5, wherein the firmware comprises a setting indicating whether to determine if the received hypervisor is in the selected configuration.
7. The ...

28-11-2013 publication date

IMAGE FORMING APPARATUS, LAUNCHING METHOD OF PROGRAM IN THE APPARATUS, IMAGE FORMING SYSTEM, AND PROGRAM AND STORAGE MEDIUM THEREFOR

Number: US20130318634A1
Author: Osada Mamoru
Assignee: CANON KABUSHIKI KAISHA

An image forming apparatus which is connected to an external device via a communication unit includes a launching program identification unit which stores launching program information for specifying a program module to be executed upon launching from a plurality of program modules for realizing a plurality of functions, and a program management unit which executes a program module corresponding to the launching program information when the image forming apparatus is activated, on the basis of the launching program information stored in the launching program identification unit. License information containing the identification information and launching program information of the apparatus is acquired from a PC via the communication unit. The launching program information stored in the launching program identification unit is updated on the basis of the acquired license information, thereby changing the program module to be executed upon activating the apparatus. 1-15. (canceled) 16. An image forming apparatus capable of communicating with an information processing apparatus, the image forming apparatus comprising: a server unit configured to provide an operation screen for designating license information of a program module to be sent to the image forming apparatus from the information processing apparatus, in response to an access from a web browser application of the information processing apparatus, wherein the license information of the program module is stored in the information processing apparatus and the license information designated on the operation screen displayed on the information processing apparatus is transmitted from the information processing apparatus to the image forming apparatus; a license confirmation unit configured to confirm whether the license information of the program module transmitted from the information processing apparatus is valid; and a program control unit configured to control operation of the program module, wherein the program ...

28-11-2013 publication date

COMPUTER CHASSIS WITH PROTECTION AGAINST INSECTS

Number: US20130318636A1
Author: ZHOU HAI-QING
Assignee:

A computer chassis includes a chassis body, a control unit, a motor unit, a gate unit and a detection unit. The chassis body defines an opening. The motor unit is electronically connected to the control unit. The gate unit is connected to the motor unit. The detection unit is electronically connected to the control unit. The gate unit and the detection unit are positioned in the opening; the detection unit detects and sends a detection signal to the control unit; the control unit receives the detection signal and controls the motor unit to close the gate unit. 1. A computer chassis, comprising: a chassis body defining an opening; a control unit; a motor unit electronically connected to the control unit; a gate unit connected to the motor unit; and a detection unit electronically connected to the control unit; wherein the gate unit and the detection unit are positioned in the opening, the detection unit detects and sends a detection signal according to the detection to the control unit, the control unit receives the detection signal and controls the motor unit to close the gate unit. 2. The computer chassis as claimed in claim 1, further comprising an alarm unit, wherein the alarm unit is electronically connected to the control unit, the alarm unit activates if the control unit receives the detection signal. 3. The computer chassis as claimed in claim 1, wherein the detection unit includes a first detector and a second detector, the first detector, the alarm unit, the second detector and the gate unit are orderly positioned in the opening. 4. The computer chassis as claimed in claim 1, further comprising a power unit, wherein the power unit is electronically connected to the control unit, the motor unit and the detection unit for supplying power. 5. The computer chassis as claimed in claim 4, wherein the power unit includes a main source, a subsidiary source, a power port and a control port ...

12-12-2013 publication date

CLIENT COMPUTER, REMOTE CONTROL SYSTEM, AND REMOTE CONTROL METHOD

Number: US20130333004A1
Author: CHANG Jeom-jin
Assignee: SAMSUNG ELECTRONICS CO. LTD.

A client computer that is connectable to a host computer by a network includes a communication part to communicate with the host computer; a user input part; a system part to perform a function depending on an application; and a controller to control the system part to be put into a locking state to stop performing operations input by a user from the user input part if a locking signal is received from the host computer through the communication part, and to control the communication part to unlock the locking state if an unlocking signal is received from the host computer through the communication part. 1. A mobile device comprising: a communication portion to communicate with an external device via a wireless network; a display portion to display information; and a controller configured to: cause the mobile device to transition into a locked state based on a lock instruction and authentication information associated with the lock instruction received from the external device via the communication portion, and unlock the mobile device using the authentication information while the mobile device is in the locked state. 2. The mobile device according to claim 1, wherein the controller is configured to display a notification on the display portion to inform a user that the mobile device is in the locked state. 3. The mobile device according to claim 1, further comprising: a speaker to output an informing sound that the mobile device is in the locked state if a user input is received through a user input portion while the mobile device is in the locked state. 4. The mobile device according to claim 1, further comprising: a storing portion to store the authentication information, the authentication information comprising passwords, wherein the controller determines whether the lock instruction includes a first password if the lock instruction is received, and controls the storing portion to store the first password if the lock instruction includes the first password, ...

19-12-2013 publication date

ENABLE/DISABLE METHOD OF ADDITIONAL-FUNCTION UNIT, SYSTEM FOR SAME, PROGRAM FOR SAME, AS WELL AS ADDITIONAL-FUNCTION UNIT

Number: US20130340038A1
Author: Komiyama Tsuyoshi
Assignee: NEC INFRONTIA CORPORATION

The objective of the present invention is to disable functionality of an additional-function unit if an unauthorized program has been installed in an information processing device, thereby preventing an unauthorized program from acquiring, in an unauthorized manner, information from the additional-function unit. The present invention is an enable/disable method for an additional-function unit in an information processing device to which the additional-function unit has been added, which has a step for calculating a first directional function value on the basis of data included in a recording medium storing a boot loader and an operating system so as to store the first directional function value at manufacture time into the additional-function unit, a step for calculating a second directional function value on the basis of data included in the recording medium after the information processing device has been started up, and a step for disabling the functionality of the additional-function unit if the first directional function value and the second directional function value are different. 1. A method of validating/invalidating an additional function unit in an information processing apparatus to which the additional function unit is added, the method comprising: a step of calculating a first one-way function value based on data included in a recording medium that stores a boot loader and an operating system, and storing the first one-way function value in the additional function unit upon manufacturing; a step of calculating a second one-way function value based on the data included in the recording medium after the information processing apparatus is activated; and a step of, when the first one-way function value and the second one-way function value are different, invalidating a function of the additional function unit, wherein the recording medium is provided in the information processing apparatus, the additional function unit is a unit that is added to the ...

19-12-2013 publication date

MEMORY DEVICE COMPRISING A PLURALITY OF MEMORY CHIPS, AUTHENTICATION SYSTEM AND AUTHENTICATION METHOD THEREOF

Number: US20130340068A1
Assignee: SAMSUNG ELECTRONICS CO., LTD.

A memory device includes a plurality of memory chips, including one or more memory chips that store authentication information, and a controller including a first register that stores information indicating a representative memory chip, from among the one or more memory chips that store the authentication information, that stores valid authentication information. 1. A memory device, comprising: a plurality of memory chips, wherein one or more memory chips of the plurality of memory chips is configured to store authentication information; and a controller comprising a first register configured to store information indicating a representative memory chip from among the one or more memory chips configured to store the authentication information, wherein valid authentication information is stored in the representative memory chip. 2. The memory device of claim 1, wherein at least one of the plurality of memory chips is a memory chip that is not configured to store the authentication information. 3. The memory device of claim 1, wherein the valid authentication information stored in the representative memory chip comprises information used to authenticate the memory device. 4. The memory device of claim 1, wherein the authentication information comprises a unique ID of a memory chip of the one or more memory chips configured to store the authentication information that is currently storing the authentication information. 5. The memory device of claim 4, wherein the authentication information cannot be changed or deleted subsequent to the authentication information being initially programmed. 6. The memory device of claim 4, wherein the memory chip of the one or more memory chips comprises: a first region configured to store the authentication information; and a second region configured to store encrypted authentication information corresponding to the authentication information, wherein the authentication information stored in the first region is not accessible to a host ...

26-12-2013 publication date

SYSTEMS, METHODS AND APPARATUSES FOR THE APPLICATION-SPECIFIC IDENTIFICATION OF DEVICES

Number: US20130346760A1
Author: IGNATCHENKO Sergey
Assignee:

The systems, methods and apparatuses described herein provide a computing environment that manages application-specific identification of devices. An apparatus according to the present disclosure may comprise a non-volatile storage storing identifier (ID) base data and a processor. The processor may be configured to validate a certificate of an application being executed on the apparatus. The certificate may contain a code signer ID for a code signer of the application. The processor may further be configured to receive a request for a unique ID of the application, generate the unique ID from the code signer ID and the ID base data and return the generated unique ID. 1. An apparatus, comprising: a non-volatile storage storing identifier (ID) base data; and a processor configured to validate a certificate of an application being executed on the apparatus, the certificate containing a code signer ID for a code signer of the application; receive a request for a unique ID of the application; generate the unique ID from the code signer ID and the ID base data; and return the generated unique ID. 2. The apparatus of claim 1, wherein the request for the unique ID is received from the application and wherein the generated unique ID is returned to the application. 3. The apparatus of claim 2, wherein the ID base data is device specific. 4. The apparatus of claim 3, wherein the unique ID is generated by combining the code signer ID and ID base data and calculating a one-way hash function from the combination. 5. The apparatus of claim 4, wherein the unique ID is generated by taking the code signer ID as a string, appending the ID base data to the string, and calculating a hash of the resulting string. 6. The apparatus of claim 1, wherein the non-volatile storage also stores key base data and the processor is further configured to: receive a request for a cryptographic operation from the application; generate an encryption key from the code signer ID ...

02-01-2014 publication date

TIMER FOR HARDWARE PROTECTION OF VIRTUAL MACHINE MONITOR RUNTIME INTEGRITY WATCHER

Number: US20140007248A1
Assignee:

An apparatus and method for hardware protection of a virtual machine monitor (VMM) runtime integrity watcher is described. A set of one or more hardware range registers protects a contiguous memory space that is to store the VMM runtime integrity watcher. The set of hardware range registers are to protect the VMM runtime integrity watcher from being modified when loaded into the contiguous memory space. The VMM runtime integrity watcher, when executed, performs an integrity check on a VMM during runtime of the VMM. Execution of the VMM runtime integrity watcher is triggered by a timer event generated based on multiple frequency bands. 1. An apparatus, comprising: a set of one or more hardware range registers to protect a contiguous memory space that is to store a virtual machine monitor (VMM) runtime integrity watcher, wherein the set of hardware range registers are to protect the VMM runtime integrity watcher from being modified when loaded into the contiguous memory space; a timer to generate a timer event based on a plurality of frequency bands; and the VMM runtime integrity watcher to be invoked based on the timer event to perform an integrity check on a VMM during runtime of the VMM. 2. The apparatus of claim 1, wherein the timer event is based on one of the plurality of frequency bands selected from the plurality of frequency bands according to a probability distribution of desired number of events per frequency band. 3. The apparatus of claim 2, wherein the selection of the one of the plurality of frequency bands is based on a random number. 4. The apparatus of claim 3, wherein the timer event is generated after a delay randomly selected from the selected frequency band. 5. The apparatus of claim 2, wherein execution of the VMM is preempted upon the event being generated. 6. The apparatus of claim 1, wherein the VMM runtime integrity watcher is further to, when executed, report results of the integrity check. 7. The apparatus of claim 6, ...

09-01-2014 publication date

SYSTEM AND METHOD FOR OUT-OF-BAND APPLICATION AUTHENTICATION

Number: US20140013390A1
Author: DULKIN Andrey, SADE Yair
Assignee:

Application-to-application authentication features use a second communication channel for out-of-band authentication, separate from the communication channel of a request from a client to a server. Authentication information is associated with a component of the system, such as the request or the client application, while being collected independent of interaction with the client application initiating the request. Implementations provide improved security over existing solutions using in-band or other means of collecting authentication information. 1. A system for authentication comprising: (a) a server machine configured to (i) receive, via a first channel, a request from a client machine, said request associated with a client application on said client machine; (ii) connect, via a second channel that is separate from said first channel, to said client machine to request authentication information; (iii) receive, via said second channel, said authentication information; (iv) validate, based on said authentication information, said request, and (b) a client machine configured to (i) collect said authentication information, wherein said authentication information is associated with a component of the system selected from the group consisting of: (A) said request; and (B) said client application, and wherein said authentication information is collected independently of interaction with said client application. 2. The system of claim 1, wherein said server machine is further configured to effect a preliminary request validation of said request prior to connecting via said second channel to said client machine, said connecting being contingent on a success of said preliminary request validation. 3. The system of wherein said request is for access credentials to network resources or other server machines. 4. The system of wherein said server machine is further configured to: (v) initiate a transmission, in response to said request from the client ...

09-01-2014 publication date

DEBUG ARCHITECTURE

Number: US20140013421A1
Assignee:

Roughly described, a method of restricting access of a debug controller to debug architecture on an integrated circuit chip, the debug architecture comprising an access controller, a plurality of peripheral circuits, and a shared hub, the shared hub being accessible by the access controller and the plurality of peripheral circuits, the method comprising: at the access controller, authenticating the debug controller; at the access controller, following authentication, assigning to the debug controller a set of access rights, the set of access rights granting the debug controller partial access to the debug architecture; and after assigning the set of access rights, allowing the debug controller access to the debug architecture as allowed by the set of access rights. 1. A method of restricting access of a debug controller to debug architecture on an integrated circuit chip, the debug architecture comprising an access controller, a plurality of peripheral circuits, and a shared hub, the shared hub being accessible by the access controller and the plurality of peripheral circuits, the method comprising: at the access controller, authenticating the debug controller; at the access controller, following authentication, assigning to the debug controller a set of access rights, the set of access rights granting the debug controller partial access to the debug architecture; and after assigning the set of access rights, allowing the debug controller access to the debug architecture as allowed by the set of access rights. 2. A method as claimed in claim 1, further comprising implementing the set of access rights by asserting and/or deasserting locks on links between the shared hub and the peripheral circuits. 3. A method as claimed in claim 2, wherein an asserted lock on a link between the shared hub and a peripheral circuit prevents the passage of data on that link from the debug controller to the peripheral circuit. 4. A method as claimed in claim 2, wherein an asserted ...

16-01-2014 publication date

USER DEVICE SECURITY MANAGER

Number: US20140020070A1
Author: Angal Rajeev
Assignee: eBay Inc.

Systems and methods are disclosed to authenticate and authorize a user for web services using user devices. In various embodiments, a method may comprise: identifying, by a user device security manager executing at a user device corresponding to a user of a web service, a first request issued from an application to access remote resources associated with the web service, the application executing at the user device and separate from the user device security manager; acquiring, by the user device security manager, security information of the application in response to the identifying of the first request, the security information including at least one of an application identification, an access scope or a nonce of the application; and transmitting a second request from the user device security manager to the web service to authenticate the application by the web service based, at least in part, on the application identification. 1. An apparatus comprising: a processor-implemented identification module to identify a first request issued from an application to access remote resources associated with a web service, the application configured to execute at a user device and separate from the user device security manager; a processor-implemented acquisition module to acquire security information associated with the application in response to the identifying of the first request, the security information including at least one of an application identification, an access scope or a nonce for the application; and a processor-implemented communication module to transmit a second request to the web service to authenticate the application by the web service at least based on the application identification. 2. The apparatus of claim 1, further comprising: a processor-implemented artifact module to retrieve at least one user artifact from a security manager identifier (SMID) received from the web service; and a processor-implemented verification module to perform fingerprinting of ...

16-01-2014 publication date

ALWAYS-AVAILABLE EMBEDDED THEFT REACTION SUBSYSTEM

Number: US20140020121A1
Assignee:

A platform including a security system is described. The security system comprises, in one embodiment, a multi-state system having a plurality of modes, available whenever the platform has a source of power. The modes comprise an unarmed mode, in which the security system is not protecting the platform; an armed mode, in which the platform is protected, the armed mode reached from the unarmed mode after an arming command; and a suspecting mode, in which the platform is suspecting theft, the suspecting mode reached from the armed mode when a risk behavior is detected. 1. A system to provide an always-on, always-available security system for a platform, comprising a multi-state system having a plurality of modes, available whenever the platform has a source of power, the modes comprising: an unarmed mode, in which the security system is not protecting the platform; an armed mode, in which the platform is protected, the armed mode reached from the unarmed mode, after an arming command; a suspecting mode, in which the platform is suspecting theft, the suspecting mode reached from the armed mode, when a risk behavior is detected, such that the security system provides the plurality of modes regardless of a power status of the platform. 2. The system of claim 1, wherein the risk behavior comprises one of: disconnection of external power, movement detection, loss of proximity to a paired device, loss of network connection. 3. The system of claim 1, wherein when the risk behavior is detected, the system takes a security action. 4. The system of claim 3, wherein the security action comprises one of: sending an alert via a network connection, audio alarm, an alert for the end-user, transitioning the platform to another mode for data protection. 5. The system of claim 1, wherein the arming command comprises one of: automatic arming which requires no affirmative end user action, semi-automatic arming including a first manual step that readies ...

23-01-2014 publication date

ANTI-CLONING SYSTEM AND METHOD

Number: US20140026196A1
Author: Hayat Zia
Assignee: CALLSIGN, INC.

A method for authenticating a software application instance includes a user device transmitting a request for access to a server device, wherein the request includes an App ID. The method further includes the server device transmitting a session ID to the user device and transmitting the session ID and the App ID to an anti-clone engine. The method further includes the anti-clone engine generating and transmitting a challenge token to the user device, and receiving and processing a response token to determine whether the user device is an authentic software application instance. The method further includes the anti-clone engine transmitting an authorization message to the server device. 1. A method for authenticating a software application instance, the method comprising: transmitting, by a user device comprising a software application instance, a request for access to at least one server device, said request including application identification data (App ID) associated with said software application instance; the at least one server device transmitting session identification data (session ID) to the user device, and transmitting the session ID and the App ID to an anti-clone engine, said anti-clone engine being embodied in a non-transient computer readable medium; and the anti-clone engine generating and transmitting a challenge token to the user device, receiving a response token from said user device, processing the response token to determine whether the software application instance comprises an authentic instance of said software application, and transmitting an authorization message to said server device according to said determination. 2. The method of claim 1, wherein the authorization message comprises a confirmation message if the software application instance is determined to be authentic. 3. The method of claim 2, further comprising the server device granting access to the user device. 4. The method of claim 1, wherein the ...

30-01-2014 publication date

METHODS AND SYSTEMS FOR INTERACTIVE EVALUATION USING DYNAMICALLY GENERATED, INTERACTIVE RESULTANT SETS OF POLICIES

Number: US20140033060A1
Author: Hayton Richard
Assignee: CITRIX SYSTEMS, INC.

A method for interactive policy evaluation using dynamically generated, interactive resultant sets of policies includes the step of receiving, by a graphical user interface, at least one of: a description of a client requesting access to a resource, a description of the resource, and a description of a method of access requested by the client. The graphical user interface displays at least one policy applicable to the client request for access to the resource. The graphical user interface displays a decision made by applying the at least one policy to the received description. 1-58. (canceled) 59. A method for interactive policy evaluation using dynamically generated interactive resultant sets of policies, the method comprising: receiving, by a graphical user interface, at least one of a description of a client requesting access to a resource, a description of the resource, a description of a method of access requested by the client; displaying, by the graphical user interface, at least one policy applicable to the at least one received description; displaying, by the graphical user interface, a decision made by applying the at least one policy to the at least one received description; and displaying, by the graphical user interface, a description of a policy aspect that resulted in denial of access to at least one of a client, resource, or method of access in the case a client, resource, or method of access has been denied as a result of the simulation, the description comprising a summary of the policy aspect that resulted in denial of access. 60. The method of claim 59, wherein a description of the client further comprises displaying a user identifier. 61. The method of claim 59, wherein a description of the resource further comprises displaying an identifier of the resource. 62. The method of claim 59, further comprising displaying at least one filter associated with the at least one policy. 63. The method of claim 62, further comprising receiving a ...

30-01-2014 publication date

Infusion Devices and Methods

Number: US20140033303A1
Assignee: ABBOTT DIABETES CARE INC.

Medical devices having restrictive access, and methods thereof, are provided. 1. A medical device, comprising: one or more processing units; a memory operatively coupled to the one or more processing units including programming stored therein, which, when executed by the one or more processing units, causes the one or more processing units to provide an access level hierarchy that enables a plurality of individuals to have different access level rights to enter, modify or lock parameters of the medical device, the access level hierarchy including at least a first, a second, and a third access level; wherein first access level rights enable a healthcare professional having first access level rights to set, modify or lock prescriptive parameters and non-prescriptive parameters of the medical device; wherein second access level rights enable a caregiver having second access level rights to set, modify or lock non-prescriptive parameters of the medical device that have not been locked by the healthcare professional; wherein the second access level rights preclude the caregiver from setting, modifying or locking prescriptive parameters of the medical device; wherein third access level rights enable a user having third access level rights to set, modify or lock non-prescriptive parameters of the medical device that have not been locked by the healthcare professional or the caregiver; and wherein the third access level rights preclude the user from setting, modifying or locking prescriptive parameters of the medical device. 2. The medical device of wherein at least one of the parameters comprises a reminder for reminding the user to take a diagnostic action. 3. The medical device of wherein the diagnostic action is to measure the user's analyte level. 4. The medical device of claim 1, wherein the non-prescriptive parameters include at least one non-prescriptive alarm threshold value configured to trigger an alarm, an alert or a reminder. 5. The medical device of wherein the ...

30-01-2014 publication date

MULTILAYER SECURITY WRAP

Number: US20140033331A1
Assignee: JOHNSON ELECTRIC S.A.

A security wrap for protecting an electronic component having a bonding surface includes a substrate having a first side and a second side opposite to each other. A first security screen is disposed over the first side of the substrate and includes a first pair of screen terminals and a first conductive track between the first pair of screen terminals. A second security screen includes a second pair of screen terminals and a second conductive track between the second pair of screen terminals and overlaying the first conductive track on the first security screen. A layer of adhesive is over a side of the second security screen remote from the substrate and bonds the second security screen to the bonding surface of the electronic component. 1. A security wrap for protecting an electronic component having a bonding surface, comprising: a substrate having a first side and a second side opposite to each other; a first security screen disposed over the first side of said substrate and including a first pair of screen terminals and a first conductive track between the first pair of screen terminals; a second security screen including a second pair of screen terminals and a second conductive track between the second pair of screen terminals and overlaying the first conductive track on said first security screen; and a layer of adhesive over a side of said second security screen remote from said substrate and bonding said second security screen to the bonding surface of the electronic component. 2. The security wrap of claim 1, wherein said second security screen is disposed over the second side of said substrate. 3. The security wrap of claim 1, further comprising a dielectric layer over a side of said first security screen remote from said substrate, wherein said second security screen is disposed over said dielectric layer. 4. The security wrap of claim 1, further comprising an adhesion modification layer ...

Publication date: 06-02-2014

MEMORY CONTROLLER, NONVOLATILE MEMORY DEVICE, NONVOLATILE MEMORY SYSTEM, AND ACCESS DEVICE

Number: US20140040631A1

A memory device includes a memory configured to store a secret key, an interface configured to communicate with an external apparatus in a first communication method and a second communication method that is faster than the first communication method, and a controller configured to control the memory and the interface. The controller is configured to decrypt an encrypted management data encryption key, encrypted management data, an encrypted individual data encryption key and encrypted individual data according to the communication method, record the decrypted individual data in the memory, decrypt an encrypted application key and an encrypted application according to the communication method, and record the decrypted application in the memory.
1. A method of recording an application to a memory device, wherein the memory device includes a memory configured to store a secret key, and an interface configured to communicate with an external apparatus in a first communication method and a second communication method that is faster than the first communication method, the method comprising:
decrypting an encrypted management data encryption key by using the secret key, when the interface receives the encrypted management data encryption key in the first communication method from the external apparatus;
decrypting encrypted management data by using the management data encryption key, when the interface receives the encrypted management data in the first communication method from the external apparatus;
decrypting an encrypted individual data encryption key by using the secret key, when the interface receives the encrypted individual data encryption key in the first communication method from the external apparatus;
decrypting encrypted individual data by using the individual data encryption key, when the interface receives the encrypted individual data in the second communication method from the external apparatus;
recording the decrypted individual data in the memory; ...
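The key-wrapping chain in this claim (device secret unwraps the data keys, the data keys unwrap the data, and each step is tied to the channel the message arrived on) is easier to see in code. The following is an added example, not the patent's own code: the cipher is a stand-in built from HMAC-SHA256 (keystream plus encrypt-then-MAC tag) so that it runs with the Python standard library only, where a real device would use its hardware AES engine; the message kinds, the blob layout (nonce || ciphertext || tag), the names `MemoryDevice`, `provision` and `Channel`, and the rule that wrapped keys and management data are accepted only over the slow channel are assumptions of this illustration. Sample payloads are constructed.

```python
"""Key-wrapping chain for provisioning a memory device over two channels.

Added example for the decryption sequence in the claim above; not the patent's
code. The symmetric cipher is a stand-in built from HMAC-SHA256 (keystream plus
encrypt-then-MAC tag) so the example runs with the standard library only. The
message kinds, the blob layout (nonce || ciphertext || tag) and the rule that
wrapped keys are accepted only over the slow channel are assumptions.
"""
import hashlib
import hmac
import os
from enum import Enum
from typing import List, Optional, Tuple


class Channel(Enum):
    SLOW = "first communication method"     # low-bandwidth path used for keys and management data
    FAST = "second communication method"    # bulk path used for the large individual data


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, b"ks|" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated encryption: nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a forged or corrupted blob never yields plaintext."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class MemoryDevice:
    """Device side: holds the secret key, unwraps the data keys, records decrypted data."""

    def __init__(self, secret_key: bytes):
        self._secret = secret_key
        self._mdek: Optional[bytes] = None     # management data encryption key
        self._idek: Optional[bytes] = None     # individual data encryption key
        self.memory = {}                        # what the controller records

    def receive(self, kind: str, blob: bytes, channel: Channel) -> None:
        if kind == "management_key":
            self._expect(channel, Channel.SLOW, kind)
            self._mdek = open_sealed(self._secret, blob)
        elif kind == "management_data":
            self._expect(channel, Channel.SLOW, kind)
            self.memory["management"] = open_sealed(self._need(self._mdek, kind), blob)
        elif kind == "individual_key":
            self._expect(channel, Channel.SLOW, kind)
            self._idek = open_sealed(self._secret, blob)
        elif kind == "individual_data":
            self._expect(channel, Channel.FAST, kind)
            self.memory["individual"] = open_sealed(self._need(self._idek, kind), blob)
        else:
            raise ValueError(f"unknown message kind {kind!r}")

    @staticmethod
    def _expect(actual: Channel, expected: Channel, kind: str) -> None:
        # The claim ties each decryption to the channel the message arrived on; enforce that binding.
        if actual is not expected:
            raise PermissionError(f"{kind} must arrive via the {expected.value}")

    @staticmethod
    def _need(key: Optional[bytes], kind: str) -> bytes:
        if key is None:
            raise RuntimeError(f"no key has been delivered for {kind}")
        return key


def provision(device_secret: bytes, management_data: bytes, individual_data: bytes) -> List[Tuple[str, bytes, Channel]]:
    """External apparatus side: fresh per-device data keys, wrapped under the device secret."""
    mdek, idek = os.urandom(32), os.urandom(32)
    return [
        ("management_key", seal(device_secret, mdek), Channel.SLOW),
        ("management_data", seal(mdek, management_data), Channel.SLOW),
        ("individual_key", seal(device_secret, idek), Channel.SLOW),
        ("individual_data", seal(idek, individual_data), Channel.FAST),
    ]


def run_provisioning(device_secret: bytes, management_data: bytes, individual_data: bytes) -> dict:
    device = MemoryDevice(device_secret)
    for kind, blob, channel in provision(device_secret, management_data, individual_data):
        device.receive(kind, blob, channel)
    return device.memory


if __name__ == "__main__":
    # Constructed sample: a 32-byte device secret and two small payloads.
    print(run_provisioning(b"\x01" * 32, b"model=NV-1;region=EU", b"serial=0001;owner=alice"))
```

The point worth checking in a real implementation is the channel binding in `_expect`: the bulk path is faster precisely because it carries only data already protected under a key that was delivered, and verified, over the slower path, so accepting a wrapped key over the fast path would let an attacker on that path substitute their own key for the individual data.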

Publication date: 06-02-2014

METHOD FOR DISPLAYING INFORMATION ON A DISPLAY DEVICE OF A TERMINAL

Number: US20140041050A1
Author: Heider Axel
Assignee: Trustonic Limited

The invention relates to a method for displaying information on a display device (D) of a terminal, particularly a mobile terminal, wherein the terminal contains a microprocessor unit in which a normal runtime environment (NZ) and a protected runtime environment (TZ) are implemented, wherein display data (DD, DD′, TDD) can be provided for reproduction on the display device (D) by means of the normal runtime environment (NZ) and the protected runtime environment (TZ). At least some display data (DD) provided by means of the normal runtime environment (NZ) are transferred to the protected runtime environment (TZ), which checks whether the transferred display data (DD) satisfy one or more security criteria; if they do not satisfy at least one security criterion, the display data (DD) are rejected or altered such that they can be distinguished from display data (TDD) provided by means of the protected runtime environment (TZ) when they are next reproduced on the display device (D).
1. A method for displaying information on a display device (D) of a terminal, particularly a mobile terminal, wherein the terminal contains a microprocessor unit in which a normal runtime environment (NZ) and a protected runtime environment (TZ) are implemented, wherein display data (DD, DD′, TDD) for reproduction on the display device (D) can be provided via the normal runtime environment (NZ) and the protected runtime environment (TZ), characterized in that display data (DD) provided via the normal runtime environment (NZ) are transferred at least in part to the protected runtime environment (TZ), which checks whether the transferred display data (DD) meet one or more security criteria, wherein if the display data (DD) do not meet at least one security criterion then they are rejected or altered such that they can be distinguished from display data (TDD) provided via the protected runtime ...
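What "security criteria" and "altered such that they can be distinguished" look like in practice is illustrated by the following added example, which is not Trustonic's code. It assumes a frame is a list of rows of (r, g, b) tuples, that the protected environment owns a fixed reserved region of the screen for its own security indicator, and two criteria: normal-world data must not paint inside that region and must not imitate the indicator colour elsewhere. A frame failing the first criterion is rejected; one failing the second is altered with a visible border. The constants, function names and the sample frames are assumptions of the illustration.

```python
"""Protected-world check of normal-world display data.

Added example for the display-data check described above; not Trustonic's code.
Assumptions: a frame is a list of rows of (r, g, b) tuples; TZ reserves a fixed
region for its security indicator; NZ data must neither paint that region nor
imitate the indicator colour elsewhere. Colours and sizes are illustrative.
"""
from typing import List, Optional, Tuple

Pixel = Tuple[int, int, int]
Frame = List[List[Pixel]]

INDICATOR_COLOUR: Pixel = (0, 200, 0)       # colour the TZ indicator is drawn in (assumed)
RESERVED = (0, 0, 2, 8)                     # (top, left, height, width) kept for the indicator (assumed)
UNTRUSTED_COLOUR: Pixel = (255, 0, 255)     # border applied to altered NZ frames (assumed)
BLANK: Pixel = (0, 0, 0)
MAX_INDICATOR_PIXELS = 4                    # more look-alike pixels than this counts as imitation (assumed)


def paints_reserved_region(frame: Frame) -> bool:
    """Criterion 1: NZ data may not draw anything inside the TZ-owned region."""
    top, left, h, w = RESERVED
    return any(frame[r][c] != BLANK
               for r in range(top, min(top + h, len(frame)))
               for c in range(left, min(left + w, len(frame[r]))))


def imitates_indicator(frame: Frame) -> bool:
    """Criterion 2: NZ data may not reproduce the indicator colour outside the region."""
    top, left, h, w = RESERVED
    outside = sum(1 for r, row in enumerate(frame) for c, px in enumerate(row)
                  if px == INDICATOR_COLOUR and not (top <= r < top + h and left <= c < left + w))
    return outside > MAX_INDICATOR_PIXELS


def mark_untrusted(frame: Frame) -> Frame:
    """Alter the frame so it is distinguishable from TZ output: a one-pixel border."""
    rows, cols = len(frame), len(frame[0])
    return [[UNTRUSTED_COLOUR if r in (0, rows - 1) or c in (0, cols - 1) else px
             for c, px in enumerate(row)] for r, row in enumerate(frame)]


def check_normal_world_frame(frame: Frame) -> Tuple[str, Optional[Frame]]:
    """TZ-side gate for NZ display data: ('accepted' | 'altered' | 'rejected', frame or None)."""
    if paints_reserved_region(frame):
        return "rejected", None
    if imitates_indicator(frame):
        return "altered", mark_untrusted(frame)
    return "accepted", frame


def blank_frame(rows: int, cols: int) -> Frame:
    return [[BLANK for _ in range(cols)] for _ in range(rows)]


if __name__ == "__main__":
    # Constructed NZ frame that draws a fake indicator away from the reserved region.
    f = blank_frame(8, 16)
    for c in range(8, 16):
        f[6][c] = INDICATOR_COLOUR
    verdict, out = check_normal_world_frame(f)
    print(verdict, out[0][0] if out else None)
```

The border is drawn by the protected environment itself, so it is allowed to touch the reserved region; the important property is that no normal-world frame can produce the unaltered indicator, because frames painting the region are dropped and frames imitating its colour are visibly marked.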

Publication date: 06-02-2014

ANALYZING APPARATUS VALIDATING SYSTEM AND PROGRAM FOR THE SYSTEM

Number: US20140041059A1
Author: Tsujii Kanya
Assignee: SHIMADZU CORPORATION

In validation of an analyzing apparatus, where the system configuration is not standard or where a reference value required for the validation differs from a standard value, the validation work cannot be performed automatically, which requires time and effort. For a validation target analyzing apparatus system, first, a parameter acquiring unit acquires parameters for qualification implementation of the analyzing apparatus system on the basis of an electronically supplied qualification plan document and an electronically supplied qualification implementation procedure manual. Then, a validation executing unit executes validation of the analyzing apparatus system using the acquired parameters for qualification implementation.
1. An analyzing apparatus validating system that executes validation of an analyzing apparatus system, comprising:
a parameter acquiring unit acquiring a parameter for qualification implementation of the analyzing apparatus system, from an electronically supplied qualification plan document and an electronically supplied qualification implementation procedure manual of the analyzing apparatus system; and
a validation executing unit executing the validation of the analyzing apparatus system using the acquired parameter for qualification implementation.
2. The analyzing apparatus validating system according to claim 1, further comprising a report creating unit creating, in a predetermined format, a qualification report of the analyzing apparatus system on the basis of a validation result obtained by executing the validation.
3. An analyzing apparatus validating system that executes validation of an analyzing apparatus system, comprising:
a parameter acquiring unit acquiring a parameter for qualification implementation from an electronically supplied qualification basic plan document;
a procedure manual creating unit adding the parameter for qualification implementation to an electronically supplied qualification ...

Publication date: 06-02-2014

Keypad Device

Number: US20140041060A1
Assignee: KEYMAT TECHNOLOGY LIMITED

An example tamper detection mechanism may include an electrical pathway having a closed conductive configuration and being openable to prevent electrical conduction along the electrical pathway, and may further include detection circuitry connected to the electrical pathway and configured to detect a change in the resistance of the electrical pathway. The electrical pathway includes a pair of conductive pads electrically isolated from one another, and also includes a connector which in the closed conductive configuration contacts both conductive pads to form an electrical connection between them. The connector is moveable away from the pads to open the electrical connection for tamper detection. The connector has a resistor of predefined resistance which in the closed conductive configuration is included in the electrical pathway. The detection circuitry can distinguish, on the basis of the resistance of the electrical pathway, between connection of the pads by the connector and shorting between the two pads.
1. A keypad device comprising: a printed circuit board, a casing part and a tamper detection mechanism; the casing part holding keys operable by a user to enter information; the printed circuit board being configured to generate electrical signals representative of said entered information; the tamper detection mechanism comprising: an electrical pathway having a closed conductive configuration and being openable to prevent electrical conduction along the electrical pathway; and circuitry connected to the electrical pathway and configured to detect a change in the resistance of the electrical pathway; the electrical pathway including a pair of electrical contacts electrically isolated from one another; the electrical pathway also including a connector which in said closed conductive configuration of the electrical pathway bridges said electrical contacts to form an electrical connection therebetween, wherein movement of the casing part away from the printed ...
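The security point of the resistor in the connector is that a plain continuity check cannot tell "connector in place" from "pads bridged with a wire", which is the obvious way to lift the casing without tripping the detector. The following added example (not KEYMAT's code) shows a detection routine that makes that distinction from an ADC reading. It assumes the loop is sensed through a pull-up resistor into a 12-bit ADC, that the connector carries a 10 kOhm resistor, that readings within 15 % of that value count as "connector in place", and that anything under 200 Ohm counts as a short; the names `SenseCircuit`, `LoopState` and `tamper_events` and the sample readings are constructed for the illustration.

```python
"""Classify a resistor-bridged tamper loop from an ADC reading.

Added example for the keypad tamper mechanism described above; not KEYMAT's
code. Assumptions: pull-up sensing into a 12-bit ADC, a 10 kOhm connector
resistor, a 15 % acceptance window and a 200 Ohm short threshold.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Tuple


class LoopState(Enum):
    CLOSED = "closed"      # connector bridges the pads through its resistor
    OPEN = "open"          # casing lifted: connector no longer touches the pads
    SHORTED = "shorted"    # pads bridged with a plain wire to defeat the open check
    INVALID = "invalid"    # wrong resistor or partial contact


@dataclass(frozen=True)
class SenseCircuit:
    v_ref: float = 3.3              # supply feeding the pull-up, volts (assumed)
    r_pullup: float = 10_000.0      # pull-up from v_ref to the ADC node, ohms (assumed)
    adc_bits: int = 12              # ADC resolution (assumed)
    r_connector: float = 10_000.0   # resistor built into the connector, ohms (assumed)
    tolerance: float = 0.15         # accepted relative deviation around r_connector
    short_threshold: float = 200.0  # ohms; below this the loop is treated as a short

    @property
    def adc_max(self) -> int:
        return (1 << self.adc_bits) - 1

    def loop_resistance(self, adc_code: int) -> float:
        """Solve v_adc = v_ref * R_loop / (R_pullup + R_loop) for R_loop."""
        if not 0 <= adc_code <= self.adc_max:
            raise ValueError("ADC code out of range")
        if adc_code == self.adc_max:
            return float("inf")      # node pulled fully up: nothing connects it to ground
        v_adc = self.v_ref * adc_code / self.adc_max
        return self.r_pullup * v_adc / (self.v_ref - v_adc)

    def classify(self, adc_code: int) -> LoopState:
        r = self.loop_resistance(adc_code)
        if r == float("inf"):
            return LoopState.OPEN
        if r < self.short_threshold:
            return LoopState.SHORTED
        lo = self.r_connector * (1 - self.tolerance)
        hi = self.r_connector * (1 + self.tolerance)
        return LoopState.CLOSED if lo <= r <= hi else LoopState.INVALID

    def adc_code_for(self, r_loop: float) -> int:
        """Inverse of loop_resistance; used only to build constructed readings."""
        if r_loop == float("inf"):
            return self.adc_max
        v_adc = self.v_ref * r_loop / (self.r_pullup + r_loop)
        return round(v_adc / self.v_ref * self.adc_max)


def tamper_events(circuit: SenseCircuit, samples: Iterable[int]) -> List[Tuple[int, LoopState]]:
    """Report (sample index, state) whenever the classified state changes; the first sample is always reported."""
    events: List[Tuple[int, LoopState]] = []
    previous = None
    for i, code in enumerate(samples):
        state = circuit.classify(code)
        if state is not previous:
            events.append((i, state))
            previous = state
    return events


if __name__ == "__main__":
    c = SenseCircuit()
    # Constructed sequence: normal operation, casing lifted, attacker bridges the pads with a wire.
    codes = [c.adc_code_for(10_000.0)] * 3 + [c.adc_max] * 2 + [c.adc_code_for(5.0)] * 2
    for index, state in tamper_events(c, codes):
        print(index, state.value)
```

The window classifier still passes an attacker who measures the connector resistor and substitutes an equal one before lifting the casing, so in a real terminal this loop is one of several tamper inputs rather than the only one.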

Publication date: 13-02-2014

AUTHENTICATION REQUESTING APPARATUS, AUTHENTICATION PROCESSING APPARATUS, AND AUTHENTICATION EXECUTION METHOD BASED ON PHYSICALLY UNCLONABLE FUNCTION

Number: US20140047565A1

An authentication requesting apparatus, an authentication processing apparatus and an authentication execution method based on a physically unclonable function (PUF) are provided. The authentication requesting apparatus includes a signal transmission and reception unit, a response generation unit, and an authentication request unit. The signal transmission and reception unit receives a first pilot signal from an authentication processing apparatus that processes authentication. The response generation unit generates a challenge value based on the first pilot signal, acquires an output value by inputting the challenge value into a PUF circuit, and generates a response value from the output value. The authentication request unit requests authentication by transmitting the response value to the authentication processing apparatus, receives authentication result information from the authentication processing apparatus, and determines whether authentication has been successful.
1. An authentication requesting apparatus based on a physically unclonable function (PUF), comprising:
a signal transmission and reception unit configured to receive a first pilot signal from an authentication processing apparatus that processes authentication;
a response generation unit configured to generate a challenge value based on the first pilot signal, to acquire an output value by inputting the challenge value into a PUF circuit, and to generate a response value from the output value; and
an authentication request unit configured to request authentication by transmitting the response value to the authentication processing apparatus, to receive authentication result information from the authentication processing apparatus, and to determine whether authentication has been successful.
2. The authentication requesting apparatus of claim 1, further comprising a channel state information estimation unit configured to estimate state information of a communication channel between the authentication ...
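The exchange described above (pilot signal out, challenge derived on the device, PUF evaluated, response compared against an enrolled reference) is shown end to end in the following added example, which is not the patent's code. Two things a PUF-based verifier has to handle are modelled explicitly: the silicon response is noisy, so the processing side accepts a response within a Hamming-distance threshold rather than requiring equality, and each enrolled pair is used only once so that a captured response cannot be replayed. The PUF itself is a stand-in (a per-device secret fed to HMAC-SHA256, with a few random bit flips per evaluation for instability); the pilot-to-challenge derivation, the 256-bit raw response, the threshold and the class names `PufDevice` and `Verifier` are assumptions.

```python
"""Challenge-response authentication against a noisy PUF.

Added example for the requesting/processing apparatus pair described above;
not the patent's code. The PUF is a stand-in: a per-device secret fed to
HMAC-SHA256 models the silicon function, and random bit flips per evaluation
model its read-to-read instability. Threshold and derivation are assumptions.
"""
import hashlib
import hmac
import os
import random
from typing import Dict, List, Tuple

RESPONSE_BITS = 256
ACCEPT_THRESHOLD = 24     # largest Hamming distance still treated as the enrolled device (assumed)


def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class PufDevice:
    """Authentication requesting apparatus."""

    def __init__(self, device_id: str, silicon_secret: bytes, noise_bits: int = 0):
        self.device_id = device_id
        self._secret = silicon_secret            # stands in for the physical structure; never leaves the chip
        self._noise_bits = noise_bits            # unstable bits per evaluation (simulation only)
        self._rng = random.Random()

    @staticmethod
    def challenge_from_pilot(pilot: bytes) -> bytes:
        # Challenge derivation is public and deterministic, so enrollment and verification agree on it.
        return hashlib.sha256(b"pilot-to-challenge|" + pilot).digest()

    def evaluate(self, challenge: bytes, noisy: bool = True) -> bytes:
        out = bytearray(hmac.new(self._secret, challenge, hashlib.sha256).digest())
        if noisy:
            for pos in self._rng.sample(range(RESPONSE_BITS), self._noise_bits):
                out[pos // 8] ^= 1 << (pos % 8)
        return bytes(out)

    def respond(self, pilot: bytes) -> bytes:
        """Receive pilot -> derive challenge -> query PUF -> return the response value."""
        return self.evaluate(self.challenge_from_pilot(pilot))


class Verifier:
    """Authentication processing apparatus: holds enrolled pilot/response pairs per device."""

    def __init__(self, threshold: int = ACCEPT_THRESHOLD):
        self._threshold = threshold
        self._pairs: Dict[str, List[Tuple[bytes, bytes]]] = {}

    def enroll(self, device: PufDevice, n_pairs: int = 8) -> None:
        # Enrollment runs in a trusted setting; reference responses are read noise-free.
        self._pairs[device.device_id] = [
            (pilot, device.evaluate(PufDevice.challenge_from_pilot(pilot), noisy=False))
            for pilot in (os.urandom(16) for _ in range(n_pairs))
        ]

    def authenticate(self, claimed_id: str, device: PufDevice) -> Tuple[bool, int]:
        """Returns (success, Hamming distance); distance -1 means no unused pair was left."""
        pairs = self._pairs.get(claimed_id)
        if not pairs:
            return False, -1
        pilot, reference = pairs.pop()       # single use: a captured response cannot be replayed
        response = device.respond(pilot)     # pilot signal goes out, response value comes back
        distance = hamming(response, reference)
        return distance <= self._threshold, distance


if __name__ == "__main__":
    genuine = PufDevice("dev-01", os.urandom(32), noise_bits=5)
    verifier = Verifier()
    verifier.enroll(genuine)
    print("genuine:", verifier.authenticate("dev-01", genuine))
    clone = PufDevice("dev-01", os.urandom(32))     # different silicon, same claimed identity
    print("clone:", verifier.authenticate("dev-01", clone))
```

Because the verifier compares raw responses, it cannot hash them; that is why the threshold exists and why the enrolled pairs must be stored as carefully as a key database.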

Publication date: 13-02-2014

METHOD FOR MONITORING A TAMPER PROTECTION AND MONITORING SYSTEM FOR A FIELD DEVICE HAVING TAMPER PROTECTION

Number: US20140047568A1
Author: Falk Rainer, Fries Steffen

The invention relates to a method for monitoring a tamper protection of a field device, comprising the steps of: checking whether manipulation of the field device has taken place; outputting a non-manipulation certificate in case a negative inspection result (no manipulation found) was determined; transferring the non-manipulation certificate; a registration device checking the non-manipulation certificate; the registration device determining an active status of the field device in case the non-manipulation certificate is valid; a monitoring device checking the field device by querying the status of the field device and transferring field device data to the monitoring device; the monitoring device accepting the field device data if the field device has an active status. The invention further relates to a monitoring system for a field device and a use.
1. A method for monitoring a tamper protection of a field device (1), comprising the steps:
checking (S1) whether a manipulation has taken place at the field device (1),
outputting (S2) a non-manipulation certificate if a negative test result has been determined,
transmitting (S3) the non-manipulation certificate,
checking (S4) the non-manipulation certificate by a registration device (3),
determining (S5) an active status of the field device (1) by the registration device (3) if the non-manipulation certificate is valid,
checking (S6) the field device (1) by a monitoring device (4) by inquiring about the status of the field device (1), and
transmitting (S7) field device data to the monitoring device (4),
accepting (S8) the field device data by the monitoring device (4) if the field device (1) has an active status.
2. The method as claimed in claim 1, characterized in that the transmitting (S3) of the non-manipulation certificate to the registration device (3) takes ...
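Steps S1 to S8 form one procedure with three parties, so here is one added example that runs the whole flow; it is not the patent's code. A per-device symmetric key with HMAC-SHA256 stands in for whatever signature scheme the non-manipulation certificate uses, the certificate fields (device id, issue time, claim) and a 10-minute validity window enforced by the registration device are assumptions, and the measurement returned by the field device is constructed. The class names `FieldDevice`, `RegistrationDevice` and `MonitoringDevice` are illustrative.

```python
"""Non-manipulation certificate flow: field device, registration device, monitor.

Added example for steps S1..S8 described above; not the patent's code.
Assumptions: HMAC-SHA256 under a per-device key stands in for the certificate
signature; certificate fields and the validity window are illustrative.
"""
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, List, Optional

CERT_VALIDITY_S = 600     # assumed acceptance window for a certificate


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class FieldDevice:
    def __init__(self, device_id: str, key: bytes, tamper_detected: Callable[[], bool]):
        self.device_id = device_id
        self._key = key
        self._tamper_detected = tamper_detected    # reads the tamper sensor: True if manipulation occurred

    def issue_non_manipulation_certificate(self, now: Optional[float] = None) -> Optional[dict]:
        """S1/S2: a certificate is produced only when the check is negative (no manipulation)."""
        if self._tamper_detected():
            return None
        body = {"device": self.device_id,
                "issued": int(time.time() if now is None else now),
                "claim": "no-manipulation"}
        return {"body": body, "sig": hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()}

    def read_data(self) -> dict:
        return {"device": self.device_id, "pressure_kpa": 101.3}   # constructed measurement


class RegistrationDevice:
    def __init__(self, device_keys: Dict[str, bytes]):
        self._keys = device_keys
        self._status: Dict[str, str] = {}

    def register(self, cert: Optional[dict], now: Optional[float] = None) -> bool:
        """S4/S5: verify signature, claim and freshness; only then mark the device active."""
        if cert is None:
            return False
        body = cert.get("body", {})
        key = self._keys.get(body.get("device"))
        if key is None or body.get("claim") != "no-manipulation":
            return False
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        now = time.time() if now is None else now
        fresh = 0 <= now - body.get("issued", -1) <= CERT_VALIDITY_S
        ok = hmac.compare_digest(str(cert.get("sig", "")), expected) and fresh
        self._status[body["device"]] = "active" if ok else "inactive"
        return ok

    def status(self, device_id: str) -> str:
        return self._status.get(device_id, "inactive")


class MonitoringDevice:
    def __init__(self, registration: RegistrationDevice):
        self._registration = registration
        self.accepted: List[dict] = []

    def collect(self, device: FieldDevice) -> bool:
        """S6..S8: query the status first; data from a non-active device is dropped."""
        data = device.read_data()
        if self._registration.status(device.device_id) != "active":
            return False
        self.accepted.append(data)
        return True


if __name__ == "__main__":
    key = b"\x42" * 32                                    # constructed per-device key
    registration = RegistrationDevice({"fd-1": key})
    monitor = MonitoringDevice(registration)
    device = FieldDevice("fd-1", key, lambda: False)      # sensor reports no manipulation
    print(registration.register(device.issue_non_manipulation_certificate()), monitor.collect(device))
```

The validity window is what keeps a recorded certificate from being replayed after the device has been opened; how short it can be is bounded by how often the field device is willing to re-run its tamper check and re-issue.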

Publication date: 20-02-2014

SECURITY DEVICE AND INTEGRATED CIRCUIT INCLUDING THE SAME

Number: US20140049359A1
Author: Riou Sebastien
Assignee: SAMSUNG ELECTRONICS CO., LTD.

A security device includes a shield having at least one first and at least one second conducting wire, first and second logic units, and a detecting unit. The first logic unit is configured to receive a first pattern signal, transmit data based on the first pattern signal through the at least one first conducting wire, and output a detection pattern signal based on data received through the at least one second conducting wire. The second logic unit is configured to perform a logical operation on the data received through the at least one first conducting wire, and transmit a result of the logical operation through the at least one second conducting wire. The detecting unit is configured to provide the first pattern signal to the first logic unit, receive the detection pattern signal from the first logic unit, and detect an unauthorized access attempt.
1. A security device, comprising:
a shield comprising at least one first conducting wire and at least one second conducting wire;
a first logic unit configured to receive a first pattern signal, transmit data based on the first pattern signal through the at least one first conducting wire, and output a detection pattern signal based on data received through the at least one second conducting wire;
a second logic unit configured to perform a logical operation on the data received through the at least one first conducting wire and transmit a result of the logical operation through the at least one second conducting wire; and
a detecting unit configured to provide the first pattern signal to the first logic unit, receive the detection pattern signal from the first logic unit, and detect an unauthorized access attempt.
2. The security device of claim 1, wherein the detecting unit is configured to provide a second pattern signal to the second logic unit, and wherein the second logic unit is configured to transmit a result of a logical operation performed on the data received through the at least one first conducting wire and the ...

Publication date: 20-02-2014

Security Central Processing Unit Monitoring of On-Chip Conditions

Number: US20140053259A1
Author: Rodgers Stephane
Assignee: BROADCOM CORPORATION

A system includes a security processing unit that monitors inputs from process, voltage and temperature sensors to maintain the security of the system. The security processing unit can operate at a determined clock frequency. A timing path detector can connect with the security processing unit. The timing path detector can monitor a condition near the security processing unit and can switch the clock frequency to a lower frequency before the security processing unit fails from the condition.
1. A system, comprising:
a security processing unit to monitor inputs from process, voltage and temperature sensors to maintain a security of the system, the security processing unit to operate at a determined clock frequency, and the security processing unit functions below a tripping point of a power-on-reset module; and
a timing path detector connected with the security processing unit, the timing path detector to monitor a condition near the security processing unit, the timing path detector to switch the clock frequency to a lower frequency before the security processing unit fails from the condition.
2. (canceled)
3. The system of claim 1, where the security processing unit operating at the lower frequency can operate below the tripping point of the power-on-reset module.
4. The system of claim 1, where the timing path detector switches the frequency of the security processing unit to a higher frequency when the security processing unit can function at the higher frequency.
5. The system of claim 1, where the security processing unit is included in a system-on-a-chip integrated circuit.
6. The system of claim 1, where the security processing unit functions as a key router.
7. The system of claim 1, further including a switch, the timing path detector to control the switch to provide the lower frequency or a higher frequency to the security processing unit.
8. The system of where the security processing unit operates at a lower than peak performance at ...

Publication date: 20-02-2014

DYNAMICALLY RECONFIGURABLE 2D TOPOLOGY COMMUNICATION AND VERIFICATION SCHEME

Number: US20140053286A1
Assignee: LOCKHEED MARTIN CORPORATION

Systems and methods for securing devices and encoding information in hardware and hardware arrangements are provided. Variations include switched networks included in conformal coatings applied to or connected to components to be protected or encoded. The decoding or security key data is included as part of the network layout and/or switching logic such that physical changes to the network prevent the recovery of the key data. Nodes in the network may include sensors meant to change node or network behavior based on sensor detection results.
1. A conformal coating having information embedded therein, the coating comprising:
an insulating layer disposed on a component;
an active layer including a switched network having a plurality of nodes controlled by a master device controller (MDC);
wherein a node on the switched network is configured to have dormant, active, and routed states such that said node, upon getting an activation command from the MDC, enters the active state, upon getting a signal routing command, enters the routed state, and upon getting a de-activation command from the MDC, enters the dormant state;
wherein the node provides information about itself to the MDC via the switched network in the active state and transmits a signal from the MDC to a subsequent node along a routed signal path in the routed state;
wherein the routing command causes an active node to connect to a subsequent node in said network, said subsequent node being identified in the routing command; and
where the embedded information includes a measurable property of a node in a signal path in the network.
2. The coating of claim 1, said embedded information including whether or not a particular node in the network is in an anomalous state.
3. The coating of claim 1, said embedded information including cryptographic information for accessing data or functions of a component connected to said coating.
4. The coating of claim 3, where the cryptographic ...

Publication date: 06-03-2014

INFORMATION PROCESSOR, SYSTEM AND RECORDING MEDIUM

Number: US20140068715A1
Author: KONDOH Naritake
Assignee: RICOH COMPANY, LTD

An information processor is connected via a network to an output apparatus and configured to control a job outputting process of the output apparatus. The information processor includes a job identifier generation part configured to generate a job identifier for uniquely identifying a job input from a terminal apparatus connected via the network to the information processor, an information storage part configured to store information that correlates the job identifier and the input job, a job identifier transmission part configured to transmit the job identifier correlated with the input job to the terminal apparatus, and a job association part configured to associate user information for uniquely identifying an authenticated user received from the output apparatus with the input job based on a job association request including the user information and the job identifier and on the information stored in the information storage part.
1. An information processor connected via a network to an output apparatus and configured to control a job outputting process of the output apparatus, the information processor comprising:
a job identifier generation part configured to generate a job identifier for uniquely identifying a job input from a terminal apparatus connected via the network to the information processor;
an information storage part configured to store information that correlates the job identifier and the input job;
a job identifier transmission part configured to transmit the job identifier correlated with the input job to the terminal apparatus; and
a job association part configured to associate user information for uniquely identifying an authenticated user received from the output apparatus with the input job based on a job association request including the user information and the job identifier and on the information stored in the information storage part.
2. The information processor as claimed in claim 1, further comprising:
an authentication status ...

Publication date: 06-03-2014

ADAPTIVE DEVICE AUTHENTICATION

Number: US20140068738A1

Device attributes corresponding to hardware and system configuration and characteristics of the user of the device are associated with adjustment logic, e.g., according to various types and classes of attributes. A hierarchical authentication process provides highly detailed and accurate authentication of a device, including device identification, device authentication, user authentication, and attribute adjustment. If the device is not properly identified, authentication fails. Otherwise, device authentication is attempted. If device authentication fails, all authentication fails. Otherwise, the user of the device is authenticated. If user authentication fails, authentication of the device fails. Otherwise, adjustment logic is used to adjust attributes for subsequent authentication.
1. A method for identifying a remotely located device, the method comprising:
receiving device identification data from the device, wherein the device identification data includes:
a device identifier, wherein the device identifier is a unique identifier of one of a number of known devices;
attribute data, wherein the attribute data represents one or more hardware configuration characteristics of the device; and
interactive attribute data, wherein the interactive attribute data represents one or more characteristics of a user of the device;
determining that the device identifier identifies the device;
in response to determining that the device identifier identifies the device, determining that the attribute data is consistent with corresponding reference attribute data stored for the device;
in response to determining that the attribute data is consistent with corresponding reference attribute data stored for the device, determining that the interactive attribute data is consistent with corresponding reference interactive attribute data stored for the user of the device; and
in response to determining that the interactive attribute data is consistent with corresponding reference ...
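The ordering in this hierarchy matters for security: the reference attributes are adjusted only after every level has passed, so a failed attempt can never drift the reference toward an attacker's device. The following added example (not the patent's code) implements the four levels with that property. It assumes hardware attributes are compared for exact equality except those marked drift-tolerant, of which at most one may differ; that interactive (user) attributes must all match; and that reference values are updated from the presented values only on full success. Attribute names, the `Reference`/`Outcome`/`DeviceAuthenticator` names and the sample values are constructed.

```python
"""Hierarchical device authentication with attribute adjustment.

Added example for the identification -> device -> user -> adjustment sequence
described above; not the patent's code. The comparison rules (exact match,
at most one drifted tolerant hardware attribute, all user attributes equal)
and the adjust-only-on-success rule are assumptions of this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Reference:
    hardware: Dict[str, str]          # hardware configuration attribute -> enrolled value
    interactive: Dict[str, str]       # user characteristic -> enrolled value
    tolerant: Set[str]                # hardware attributes allowed to drift (e.g. a replaced disk)


@dataclass
class Outcome:
    ok: bool
    failed_at: Optional[str]          # "identification", "device", "user" or None
    adjusted: List[str] = field(default_factory=list)


def _consistent(presented: Dict[str, str], reference: Dict[str, str],
                tolerant: Set[str], max_drift: int) -> Tuple[bool, List[str]]:
    """Exact match on every attribute, except up to max_drift differences among tolerant ones."""
    mismatched = [k for k, v in reference.items() if presented.get(k) != v]
    # A tolerant attribute that is missing altogether is not drift; it is a hard mismatch.
    hard = [k for k in mismatched if k not in tolerant or k not in presented]
    if hard or len(mismatched) > max_drift: 
        return False, mismatched
    return True, mismatched


class DeviceAuthenticator:
    def __init__(self, references: Dict[str, Reference]):
        self._refs = references

    def authenticate(self, identification_data: dict) -> Outcome:
        # Level 1: device identification. An unknown identifier fails everything.
        ref = self._refs.get(identification_data.get("device_id"))
        if ref is None:
            return Outcome(False, "identification")
        # Level 2: device authentication against the hardware reference.
        attrs = identification_data.get("attributes", {})
        ok, drift = _consistent(attrs, ref.hardware, ref.tolerant, max_drift=1)
        if not ok:
            return Outcome(False, "device")
        # Level 3: user authentication against the interactive reference.
        ok, _ = _consistent(identification_data.get("interactive", {}), ref.interactive, set(), max_drift=0)
        if not ok:
            return Outcome(False, "user")
        # Level 4: adjustment, only now, so a failed attempt can never move the reference.
        for key in drift:
            ref.hardware[key] = attrs[key]
        return Outcome(True, None, adjusted=drift)


if __name__ == "__main__":
    # Constructed enrollment record for one device.
    refs = {"dev-7": Reference(hardware={"cpu": "x86-64/F6M158", "disk_serial": "WD-1", "mac": "02:00:00:00:00:01"},
                               interactive={"timezone": "UTC", "keyboard_layout": "us"},
                               tolerant={"disk_serial"})}
    auth = DeviceAuthenticator(refs)
    print(auth.authenticate({"device_id": "dev-7",
                             "attributes": {"cpu": "x86-64/F6M158", "disk_serial": "WD-2", "mac": "02:00:00:00:00:01"},
                             "interactive": {"timezone": "UTC", "keyboard_layout": "us"}}))
```

Every failure returns the same shape of result, and the caller decides how much of `failed_at` to expose; in a deployment the remote device should only learn "failed", since which level failed tells an attacker which attributes they have already guessed correctly.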

Publication date: 06-03-2014

CLIENT CREDENTIALS DATA STRUCTURE AND METHOD OF EMPLOYING THE SAME

Number: US20140068745A1
Assignee: Alcatel-Lucent USA Inc.

A client credentials data structure, a method of employing the same and a secure client-server communication system employing the data structure or the method. One embodiment of the data structure is associated with a client and includes: (1) a pre-provisioned set of credentials configured to register the client with a server, (2) a standard user set of credentials employable for secure client-server communication, and (3) a re-acquisition token combinable with the pre-provisioned set of credentials to allow the client to re-register the client with the server.
1. A client credentials data structure associated with a client and comprising:
a pre-provisioned set of credentials configured to register said client with a server;
a standard user set of credentials employable for secure client-server communication; and
a re-acquisition token combinable with said pre-provisioned set of credentials to allow said client to re-register said client with said server.
2. The client credentials data structure as recited in wherein said re-acquisition token is combinable with said pre-provisioned set of credentials after said standard user set of credentials is invalidated.
3. The client credentials data structure as recited in wherein said re-acquisition token is configured to be replaced when said new standard user set of credentials is generated.
4. The client credentials data structure as recited in wherein said re-acquisition token is configured to be authenticated by data shared by said client and said server.
5. The client credentials data structure as recited in wherein said client is managed.
6. The client credentials data structure as recited in wherein said client is configured to store said new standard user set of credentials in a memory within said server.
7. The client credentials data structure as recited in wherein said new standard user set of credentials are employable to resume said secure client-server communication.
8. A method of restoring secure communication between ...

Publication date: 06-03-2014

Access Arbitration Module and System for Semiconductor Fabrication Equipment and Methods for Using and Operating the Same

Number: US20140068753A1
Assignee: CROSSING AUTOMATION, INC.

An access arbitration module includes a plurality of active component communication ports for communicating with a plurality of active components, and includes a passive component communication port for communicating with a passive component. The access arbitration module also includes switching logic defined to control transmission of access communication protocol signals between each of the plurality of active component communication ports and the passive component communication port, such that an authorized one of the plurality of active component communication ports is connected in communication with the passive component communication port at a given time, and such that non-authorized ones of the plurality of active component communication ports are prevented from communication with the passive component communication port at the given time.
1. An access arbitration module for a passive component within a semiconductor fabrication facility, comprising:
a plurality of active component communication ports for communicating with a plurality of active components;
a passive component communication port for communicating with a passive component; and
switching logic defined to control transmission of access communication protocol signals between each of the plurality of active component communication ports and the passive component communication port, such that an authorized one of the plurality of active component communication ports is connected in communication with the passive component communication port at a given time, and such that non-authorized ones of the plurality of active component communication ports are prevented from communication with the passive component communication port at the given time.
2. The access arbitration module of claim 1, wherein the plurality of active components include a near-tool container buffer system and an overhead container transport system.
3. The access arbitration module of claim 2, wherein the plurality of components ...

Publication date: 06-03-2014

Secure Connected Digital Media Platform

Number: US20140068759A1

An embodiment of the invention provides a system including a secure media device having one or more security keys stored therein. The secure media device is housed in a device that is connected to a television unit and a network. Secure application environments are housed in the device, wherein each secure application environment is operationally isolated from one another. The secure application environments receive and process information sent over the network only if the information includes a security code corresponding to the security key in the secure media device. The security code is obtained from a clearinghouse when the information satisfies predetermined criteria. More specifically, the clearinghouse receives a copy of the security key from a manufacturer of the secure media device and creates the security code based on the security key.
1. A method comprising:
receiving a request to create a secure partition for accessing a content provider in a digital media device;
receiving a security code from the content provider; and
invoking a hypervisor at the digital media device, wherein at least part of the hypervisor is comprised of a hardware circuit, wherein the hypervisor performs:
comparing the received security code with a key value that is burned into a memory unit at the hardware circuit to determine if the security code is from an authorized content provider and, if the content provider is determined to be authorized, creating a secure partition at the digital media device, wherein the creation of the secure partition comprises creating a memory partition that corresponds to the secure partition in a non-volatile memory at the digital media device, wherein the memory partition can only be accessed by the content provider having the security code,
receiving software from the content provider and storing the software in the secure partition, and
receiving content from the content provider and storing the content in the secure partition. ...

Publication date: 13-03-2014

BIOS PROTECTION DEVICE

Number: US20140075543A1
Author: Muir Robert Linley

A boot program held in a BIOS memory device of a processing system is authenticated. At system start-up, a BIOS protection device temporarily prevents execution of the boot program by the central processor of the processing system by controlling the address and data paths. The BIOS protection device interrogates the contents of the BIOS memory device to establish authenticity. If the contents of the BIOS memory device are not authentic, execution of the boot program is prevented.
1. A processing system comprising:
a central processor;
a BIOS memory device including a boot program;
a BIOS protection device including an internal memory;
a plurality of memory address and data paths configured to provide communication between the processor, the BIOS memory device and the BIOS protection device; and
wherein the BIOS protection device is configured to store a copy of the boot program in the internal memory as the BIOS protection device verifies the authenticity of the boot program, wherein the BIOS protection device is further configured to control the memory address and data paths to prevent execution of the boot program until the boot program is authenticated, and wherein the BIOS protection device communicates with the central processor when the boot program is successfully authenticated.
2. The system as claimed in claim 1, wherein the BIOS protection device is in communication between the central processor and the BIOS memory device, wherein the BIOS protection device includes address and data path interface connections, and an authentication processor, wherein the BIOS protection device is configured to control the address and data path(s) to which it is connected, and wherein the authentication processor is configured to interrogate the BIOS memory device connected to the address and data path(s) to determine if the boot program contained in the BIOS memory device is authentic, and if the boot program is determined to be authentic permit ...
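The detail in claim 1 that matters most is that the protection device stores a copy of the boot program in its internal memory as it verifies it: verifying the flash in place and then letting the processor fetch from that same flash leaves a window in which an attacker with bus access swaps the contents after the check. The following added example (not the patent's code) contrasts the two approaches. It assumes the boot program is authenticated with an HMAC-SHA256 under a key provisioned into the protection device, as a stand-in for whatever authentication the device actually performs, and models the flash as a mutable object so that the swap can be shown; `BiosFlash`, `naive_boot` and `protected_boot` are illustrative names.

```python
"""Boot-program authentication with and without an internal copy.

Added example for the BIOS protection device described above; not the patent's
code. HMAC-SHA256 under a provisioned key stands in for the device's
authentication of the boot program; the flash is a mutable object so the
example can show a swap of its contents after the check.
"""
import hashlib
import hmac
from typing import Optional, Tuple

AUTH_KEY = b"provisioned-into-the-protection-device"   # constructed; a real key is not a string literal


class BiosFlash:
    """External BIOS memory. An attacker with bus access may rewrite it at any time."""

    def __init__(self, image: bytes, tag: bytes):
        self.image = image
        self.tag = tag


def sign_image(image: bytes) -> bytes:
    return hmac.new(AUTH_KEY, image, hashlib.sha256).digest()


def _authentic(image: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign_image(image), tag)


def naive_boot(flash: BiosFlash, swap_after_check: Optional[Tuple[bytes, bytes]] = None) -> Optional[bytes]:
    """Verify in place, then let the CPU fetch from flash: exposed to a swap between check and use."""
    if not _authentic(flash.image, flash.tag):
        return None                                   # bus stays blocked, nothing executes
    if swap_after_check is not None:
        flash.image, flash.tag = swap_after_check     # attacker rewrites flash after verification
    return flash.image                                # CPU executes whatever is in flash now


def protected_boot(flash: BiosFlash, swap_after_check: Optional[Tuple[bytes, bytes]] = None) -> Optional[bytes]:
    """Copy into internal memory while verifying; release the CPU onto the copy, never the flash."""
    internal_copy = bytes(flash.image)                # snapshot taken by the protection device
    internal_tag = bytes(flash.tag)
    if not _authentic(internal_copy, internal_tag):
        return None
    if swap_after_check is not None:
        flash.image, flash.tag = swap_after_check     # same attack, now without effect
    return internal_copy                              # CPU executes the verified copy


if __name__ == "__main__":
    good, evil = b"GOOD-BOOT-PROGRAM", b"EVIL-BOOT-PROGRAM"   # constructed images
    print("naive    :", naive_boot(BiosFlash(good, sign_image(good)), swap_after_check=(evil, b"")))
    print("protected:", protected_boot(BiosFlash(good, sign_image(good)), swap_after_check=(evil, b"")))
```

The same time-of-check/time-of-use reasoning applies to any verified-boot stage that measures one buffer and executes another; the copy has to be the thing that runs.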

More details
20-03-2014 publication date

Method and System for Authentication of Device Using Hardware DNA

Number: US20140082720A1
Assignee: BROADCOM CORPORATION

Methods and systems for authentication of a device are disclosed. An exemplary method includes transmitting an energy towards the device including a material, monitoring a response of the device to the transmitted energy, generating a signature of the device based on the response of the device to the transmitted energy, comparing the device signature to an enrolled signature for the device, and indicating that authentication of the device is successful when the generated signature matches the enrolled signature. An exemplary system includes a transmitter configured to transmit an energy towards the device, a receiver configured to monitor a response of the device, and a processor configured to generate a signature of the device based on the response of the device, compare the device signature to an enrolled signature for the device, and indicate that authentication of the device is successful when the generated signature matches the enrolled signature.

1. A method for authentication of a device comprising: transmitting an energy towards the device including a material; monitoring a response of the device to the transmitted energy; generating a signature of the device based on the response of the device to the transmitted energy; comparing the device signature to an enrolled signature for the device; and indicating that authentication of the device is successful when the generated signature matches the enrolled signature.

2. The method of claim 1, wherein transmitting the energy towards the device comprises: illuminating a surface of the device with a laser beam.

3. The method of claim 2, wherein monitoring the response comprises: capturing an image of the surface of the device.

4. The method of claim 1, wherein transmitting the energy towards the device comprises: emitting an electromagnetic signal.

5. The method of claim 4, wherein monitoring the response comprises: capturing an image of the surface of the device.

6. The method of claim 4, wherein monitoring the response ...

More details
20-03-2014 publication date

SECURED COMPUTING SYSTEM WITH ASYNCHRONOUS AUTHENTICATION

Number: US20140082721A1
Assignee: Nuvoton Technology Corporation

A computing device includes an input bridge, an output bridge, a processing core, and authentication logic. The input bridge is coupled to receive a sequence of data items for use by the device in execution of a program. The processing core is coupled to receive the data items from the input bridge and execute the program so as to cause the output bridge to output a signal in response to a given data item in the sequence, and the authentication logic is coupled to receive and authenticate the data items while the processing core executes the program, and to inhibit output of the signal by the output bridge until the given data item has been authenticated.

1. A computing device, comprising: an input bridge, which is coupled to receive a sequence of data items for use by the device in execution of a program; an output bridge; a processing core, which is coupled to receive the data items from the input bridge and execute the program so as to cause the output bridge to output a signal in response to a given data item in the sequence; and authentication logic, which is coupled to receive and authenticate the data items while the processing core executes the program, and to inhibit output of the signal by the output bridge until the given data item has been authenticated.

2. The device according to claim 1, wherein the data items comprise program instructions and the given data item comprises an output instruction, and wherein the processing core is configured to execute the program by executing the program instructions, including the output instruction.

3. The device according to claim 1, wherein the authentication logic is configured to authenticate the data items asynchronously with execution of the program by the processing core.

4. The device according to claim 1, wherein the authentication logic is configured to authenticate the given data item after the given data item has been used in executing the program by the processing core, and to ...

More details
27-03-2014 publication date

SECURE PROCESSOR AND A PROGRAM FOR A SECURE PROCESSOR

Number: US20140089676A1
Assignee: FUJITSU SEMICONDUCTOR LIMITED

The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.

1. A method of controlling an integrated circuit including a processor, a non-rewritable memory and a security resource, the method comprising: executing, by the processor, a first program included in the non-rewritable memory after power-on of the integrated circuit; authenticating a second program on the basis of a first key included in the security resource by executing the first program; executing, by the processor, the authenticated second program to issue a request for an access to the security resource to a third program which monitors the request; and, accessing the security resource by the third program.

2. The method according to claim 1, wherein the non-rewritable memory is a read only memory.

3. The method according to claim 1, wherein the second program is stored in a secondary storage.

4. The method according to claim 1, wherein the security resource includes an encryption processing block.

5. The method according to claim 1, wherein the security resource includes an authentication processing block.

6. The method according to claim 1, wherein the third program causes the processor to restrict an access to the security resource by a non-authenticated program.

7. The method according to claim 1, wherein the third program executes a key process.

8. The method according to claim 7, wherein the key process includes a key table operation.

9. A method of controlling an integrated circuit including a processor, a non-rewritable memory and a security resource, comprising: executing, by the processor, a first program included in the non-rewritable memory after power-on ...

More details
27-03-2014 publication date

ELECTRONIC APPARATUS AND CONTROL METHOD

Number: US20140090080A1
Author: Koga Toshiyuki
Assignee:

According to one embodiment, an electronic apparatus includes a close proximity communication module and a controller. The close proximity communication module executes close proximity communication. The controller receives, by using the close proximity communication, first account information from an external apparatus close to the electronic apparatus in response to an account setting request from the external apparatus, and sets the first account information in the electronic apparatus. The first account information is information for logging in to a server system configured to provide a certain service.

1. An electronic apparatus comprising: a close proximity communicator configured to execute close proximity communication; and a controller configured to receive, by using the close proximity communication, first account information from an external apparatus close to the electronic apparatus in response to an account setting request from the external apparatus, and to set the first account information in the electronic apparatus, wherein the first account information is for logging in to a server system configured to provide a certain service.

2. The apparatus of claim 1, wherein the controller is further configured to delete the first account information set in the electronic apparatus in response to an account deletion request from the external apparatus.

3. The apparatus of claim 1, wherein the controller is further configured to temporarily invalidate second account information for logging in to the server system and validate the first account information, if the second account information is set in the electronic apparatus.

4. The apparatus of claim 1, wherein the controller is further configured to activate an application program for use of the certain service and transmit the first account information to the server system to log in to the server system, after the first account information is set in the electronic apparatus.

5. The ...

More details
01-01-2015 publication date

SYSTEM AND METHOD FOR AUTHENTICATING RFID TAGS

Number: US20150002260A1
Assignee:

A system and method of providing authenticity to a radio frequency identification (RFID) tag are provided. The method comprises generating a plurality of digital signatures, wherein each digital signature is generated using an index value unique to that digital signature and using information associated with the RFID tag; and storing the plurality of digital signatures on the RFID tag in association with respective index values to enable a desired digital signature to be selected according to a provided index value. Also provided are a system and method of enabling an RFID reader to authenticate an RFID tag, which utilize a challenge comprising an index value to request one of the stored signature and authenticating same. Also provided is an RFID tag that is configured to participate in the challenge-response protocol.

1-23. (canceled)

24. A method for authenticating a radio frequency identification (RFID) tag, the method comprising: sending a challenge comprising an index value i to the RFID tag; receiving, in response to the challenge, at least, a corresponding i-th set of signature components, wherein each of said i-th set of signature components having been generated from a message m_i comprising at least a hidden portion H_i and a corresponding visible portion V_i; obtaining the corresponding visible portion V_i and a public key W corresponding to the i-th set of signature components; and, verifying the corresponding i-th set of signature components using the corresponding visible portion V_i and the public key W; wherein the RFID tag is authenticated if the corresponding i-th set of signature components is verified, and wherein the hidden portion H_i is recoverable from the corresponding i-th set of signature components.

25. The method of claim 24, wherein before authenticating the RFID tag the method further comprises: recovering a representation ...

More details
07-01-2016 publication date

Security-Enhanced Web Application Module Translation

Number: US20160004858A1
Assignee:

Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for preserving code safety of application code that is received in a portable, instruction-set-neutral format. One aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving a portable code file that is implemented in an instruction-set-neutral and source code independent format; translating the portable code file into native object code for execution on a particular instruction set architecture; generating a native executable for the particular instruction set architecture using the native object code; and validating the native executable using a trusted validator prior to execution of the native executable.

1. A computer implemented method, comprising: receiving a plurality of requests for a software module, the software module implemented as a code file having an instruction-set-neutral and source code independent format and requiring translation into native object code in order to be executed on a user device having a native execution environment, each request corresponding to a user device of a plurality of user devices, and each of the user devices having a respective native execution environment, wherein the native execution environment of at least one user device is different from the native execution environment of at least one other user device, and a trusted validator that is operable within a language-independent sandboxing environment of the native execution environment to validate untrusted native executables for execution in the native execution environment; translating, at a computing device other than any of the plurality of user devices, the code file into a plurality of untrusted native object codes, including: converting the code into the plurality of native object codes, each native object code being dependent on an instruction set architecture of a user device; sending the ...

More details
07-01-2016 publication date

METHOD AND SYSTEM FOR PLATFORM AND USER APPLICATION SECURITY ON A DEVICE

Number: US20160004859A1
Author: Goodes Grant, Leech Marcus
Assignee:

A method and system for platform and user application security on a computing device is provided. The method includes: verifying integrity of operating system code on the computing device to establish a trusted execution environment in the operating system of the computing device; and in response to success of the integrity verification of the operating system code, binding a user-space application on the computing device to the operating system on the computing device.

1. A method of enhancing security on a computing device, comprising: verifying integrity of operating system code on the computing device to establish a trusted execution environment in the operating system of the computing device; and in response to the successful integrity verification of the operating system code, binding a user-space application on the computing device to the operating system on the computing device.

2. A method according to claim 1, wherein the verifying integrity of the operating system code comprises: verifying integrity of on-disk and/or in-memory image of the operating system, the method comprising granting the binding of the user-space application and the operating system in response to success of the integrity verification of the on-disk and/or in-memory image of the operating system.

3. A method according to claim 2, wherein the verifying integrity of the operating system code comprises: in response to success of the integrity verification of the on-disk and/or in-memory image of the operating system, verifying continuous and incremental integrity of the in-memory image of the operating system, the binding of the user-space application and the operating system being granted in response to success of the continuous and incremental integrity verification of the on-disk and in-memory image of the operating system.

4. A method according to claim 1, comprising: in response to success of the integrity verification of the operating system code, verifying integrity of the user-space ...

More details
07-01-2021 publication date

DEVICE-SPECIFIC AUTHENTICATION CREDENTIALS

Number: US20210004453A1
Author: Martini Paul Michael
Assignee:

Methods and systems for providing device-specific authentication are described. One example method includes generating device-specific credentials, associating the device-specific credentials with a device, authenticating the device based on the device-specific credentials, and after authenticating the device, authenticating a user of the device based on user-specific credentials associated with the user and different than the device-specific credentials.

1. A method performed by one or more data processing apparatuses, the method comprising: generating device-specific credentials; associating the device-specific credentials with a device; authenticating the device based on the device-specific credentials; and after authenticating the device, authenticating a user of the device based on user-specific credentials associated with the user and different than the device-specific credentials.

This application is a continuation application of and claims priority to U.S. application Ser. No. 13/857,714, filed on Apr. 5, 2013.

This specification generally relates to providing device-specific authentication, and secure user authentication.

In corporate and other networks, users may be required to authenticate to a proxy server prior to accessing the Internet. One widely used authentication scheme is HyperText Transfer Protocol (HTTP) Basic Authentication (Basic Auth). In Basic Auth, a client sends its username and password in unencrypted plaintext to a server, such as, for example, a proxy server. The server authenticates the client and subsequently allows the client access to other resources, such as the Internet. In such a configuration, an attacker can monitor network packets to obtain the username and password of the client, and possibly compromise the security of the network.

In general, one aspect of the subject matter described in this specification may be embodied in systems, and methods performed by data processing apparatuses that include the actions of generating device- ...

More details
07-01-2021 publication date

INHIBITING A PENETRATION ATTACK

Number: US20210004500A1
Author: LEWIS John M.
Assignee:

A technique includes providing a security monitor to at least detect a penetration attack on a circuit assembly that contains the security monitor. The technique includes inhibiting success of the penetration attack, including flexibly mounting the security monitor to the circuit assembly to allow the security monitor to move in response to the security monitor being contacted during the penetration attack.

1-15. (canceled)

16. An apparatus comprising: an enclosure; a penetration detection layer that provides an electrical response to a physical penetration attack on a secure region inside the enclosure; and an assembly disposed in the secure region, the assembly comprising a circuit board comprising an electrical circuit, the electrical circuit being coupled to the penetration detection layer to detect the electrical response; and a spring mount attached to the circuit board to allow movement of the circuit board when contacted during the physical penetration attack, the movement of the circuit board creating or extending a time period between a time that the penetration attack contacts the circuit board and a time that the physical penetration attack disables at least part of the electrical circuit, wherein the electrical circuit performs one or more operations in response to the physical penetration attack during the time period.

17. The apparatus of claim 16, wherein the spring mount comprises a flexible connector with a first end fixed with respect to the circuit board and a second end fixed with respect to the enclosure.

18. The apparatus of claim 17, further comprising a power distribution circuit to provide a power signal, wherein the flexible connector communicates the power signal to the electrical circuit.

19. The apparatus of claim 18, further comprising an energy source mounted to the circuit board, wherein the energy source charges using the power signal to provide a temporary source of power for the electrical circuit.

20. The ...

More details
04-01-2018 publication date

PROCESS MANAGEMENT

Number: US20180004931A1
Assignee: Intel Corporation

Particular embodiments described herein provide for a network element that can be configured to determine that an application begins to execute, receive credentials for the application, where the credentials are located in an immediate field of the application, receive a request from the application to access a secure resource, and block access to the secure resource if the credentials for the application do not allow the application to access the secure resource. In an example, the credentials include a public key and a private key.

1. At least one machine readable medium comprising one or more instructions that when executed by at least one processor, cause the at least one processor to: receive credentials for an application, wherein the credentials are located in an immediate field of the application; receive a request from the application to access a secure resource; and block access to the secure resource if the credentials for the application do not allow the application to access the secure resource.

2. The at least one machine readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor, further cause the at least one processor to: verify the credentials for the application; and store the verified credentials in a process management cache.

3. The at least one machine readable medium of claim 1, wherein the credentials are verified by comparing the credentials for the application to credentials stored inside a boundary of the at least one processor.

4. The at least one machine readable medium of claim 1, wherein the credentials are presented by instructions during process management by the at least one processor.

5. The at least one machine readable medium of claim 1, wherein the secure resource is a locker that the application accesses to store a state of the application.

6. The at least one machine readable medium of claim 5, wherein the locker is a process control block.

7. The at least one ...

More details
04-01-2018 publication date

Migration of Trusted Security Attributes to a Security Engine Co-Processor

Number: US20180004979A1
Assignee:

A system-on-chip (SoC) includes a host CPU on a CPU fabric, the host CPU including multiple processor cores, each associated with multiple security attributes. The SoC includes a secure asset on a network-on-chip and a security co-processor. The security co-processor includes circuitry to detect requests from the processor cores targeting the secure asset and security function processing requests, to determine, based on associated security attributes, whether the core or function is authorized to access the secure asset, to allow the request to be issued, if the core or function is so authorized, and to prevent its issuance, if not. The determination may be dependent on a signal from the CPU fabric indicating whether the host CPU can modify its security attributes or they are locked down. The security co-processor may have the highest security level and may be the only master on the SoC that can access the secure asset.

1. A system, comprising: a host CPU comprising a processor core, the processor core including circuitry to execute instructions; a CPU fabric communicatively coupled to the processor core, the CPU fabric including a first storage location to store a first security identifier value associated with the processor core; a secure asset; an on-chip network, communicatively coupled to the secure asset, through which requests that target the secure asset are to be directed to the secure asset; and a processor to execute instructions; and detect a request from the processor core for performance, by the security engine, of a security function that targets the secure asset; determine, dependent on the first security identifier value associated with the processor core, whether or not access to the secure asset by the security function is authorized; allow, responsive to a determination that access to the secure asset by the security function is authorized, the request to be issued over the on-chip network; and prevent, responsive to a determination that ...

More details
03-01-2019 publication date

THEFT AND TAMPER RESISTANT DATA PROTECTION

Number: US20190005274A1
Assignee:

Systems and methods are provided for adding security to client data by maintaining keys providing access to the client data remotely from the client data. In some circumstances, the systems encrypt a cluster of data using an encryption key, associate the cluster of encrypted data with a unique identifier and send the unique identifier and the decryption key to a server for storage. The decryption key is then received from the server and is used to decrypt the cluster of encrypted data. A server can also perform policy checks or trigger additional authentication such as SMS, phone, or email notification before allowing access to a key. Furthermore, in some instances, the server can also prevent access to the stored keys in response to anomalies, such as decommissioning and other asset management events.

1. A client computing system for keeping encrypted data tamper resistant, comprising: one or more processors; and one or more storage media having stored computer-executable instructions that are executable by the one or more processors for implementing a method for ... associating a cluster of data with a unique key identifier; encrypting the cluster of data using an encryption key; sending the unique key identifier and a decryption key to a server that has access to a key ID database that stores the unique key identifier and the decryption key, wherein the decryption key is interrelated to the encryption key and configured to decrypt the cluster of data that is encrypted using the encryption key; storing the unique key identifier in the cluster of encrypted data as metadata without storing the encryption key; initiating boot of a client system; sending a communication request to a server that has access to the key ID database; receiving a communication response from the server; sending the unique key identifier to the server; receiving a decryption key from the server; and decrypting the cluster of encrypted data using the decryption key.

More details
01-01-2015 publication date

FLEXIBLE REAL-TIME INBOX ACCESS

Number: US20150007268A1
Assignee:

Systems and methods for authenticating access to multiple data stores substantially in real-time are disclosed. The system may include a server coupled to a network, a client device in communication with the server via the network and a plurality of data stores. The server may authenticate access to the data stores and forward information from those stores to the client device. An exemplary authentication method may include receipt of a request for access to data. Information concerning access to that data is stored and associated with an identifier assigned to a client device. If the identifier is found to correspond to the stored information during a future request for access to the store, access to that store is granted.

1. A system for authenticating access to one or more data stores, comprising: a server coupled to a network; and a mobile device communicatively coupled to the server via the network.

This application is a continuation of U.S. patent application Ser. No. 13/614,583 entitled “Flexible Real-Time Inbox Access” which is a continuation of U.S. patent application Ser. No. 11/640,629 filed Dec. 18, 2006 and entitled “Flexible Real-Time Inbox Access” which is a continuation-in-part and claims the priority benefit of U.S. patent application Ser. No. 11/525,294 filed Sep. 21, 2006, now U.S. Pat. No. 8,064,583 and entitled “Multiple Data Store Authentication” which is a continuation and claims the priority benefit of U.S. patent application Ser. No. 11/112,690 filed Apr. 21, 2005, now U.S. Pat. No. 7,796,742 and entitled “Systems and Methods for Simplified Provisioning”. The disclosure of these commonly owned and assigned applications is incorporated herein by reference.

The present invention relates generally to authentication of and access to data stores and, more specifically, to authentication and access to data in those stores substantially in real-time.

A user seeking access to a data store such as electronic-mail is often required to provide a name and ...

More details
27-01-2022 publication date

AUTHENTICATION OF PLUGINS IN A VIRTUALIZED COMPUTING ENVIRONMENT

Number: US20220029979A1
Assignee: VMWARE, INC.

Plugins are authenticated for purposes of accessing and using application program interfaces (APIs) of a management service of a virtualized computing environment. In an authentication process, each plugin is associated with a session ticket that is unique to the plugin. The session ticket may be in the form of a single-use token that has a finite duration, and which may be used by the plugin to establish a session with the APIs of the management service. Because of the single-use and finite duration constraints of the token, the plugin is unable to use the token for other sessions and other plugins are also unable to use the same token to conduct their own sessions with the management service.

1. A method to authenticate a first plugin to enable the first plugin to interact with a management server in a virtualized computing environment, the method comprising: using a session identification (ID), uniquely associated with the first plugin, to obtain a session ticket, wherein the session ticket is uniquely associated with the first plugin and is configured with a finite validity; and using the session ticket to authorize the first plugin to access the management server for a first session with the management server, wherein the finite validity prevents use of the session ticket, by the first plugin, for a second session with the management server, and wherein the finite validity prevents use of the session ticket, by at least a second plugin, for authenticated sessions with the management server.

2. The method of claim 1, wherein the finite validity enables use of the session ticket for only the first session between the first plugin and the management server, and invalidates the session ticket for other sessions including the second session.

3. The method of claim 1, wherein the finite validity enables use of the session ticket for a finite duration and invalidates the session ticket after expiration of the finite duration, and wherein the finite ...

More details
08-01-2015 publication date

Mobile Device Peripherals Management System and Multi-Data Stream Technology (MdS)

Number: US20150013021A1
Assignee:

A device and system for management of and access to externally connected peripheral devices by mobile devices. User and/or application data on a mobile device is sent to externally connected peripheral devices. External peripheral devices include, but are not limited to, printers, scanners, displays, audio interfaces, speakers, network adapters, storage drives, hard drives, and the like. An end user mobile device application interface is installed as an application on a mobile device. Data may be sent directly to a peripheral device, or to a peripherals aggregation device, which may be active or passive.

1. A non-transitory computer-readable storage medium with an executable program stored thereon, wherein the program instructs a processor or microprocessor to perform the following steps: receiving a request from a mobile or remote computing device to access a peripheral computing device; encapsulating data into proprietary frames for transmission over wired or wireless connections; authenticating the mobile or remote computing device; upon authenticating the mobile or remote computing device, forwarding the request from the mobile or remote computing device to the peripheral computing device, wherein the peripheral computing device is not connected to a network; providing application and device publishing services; providing data optimization, protection, or profiling services; and providing resource management services for peripheral computing devices.

2. The non-transitory computer-readable storage medium with an executable program stored thereon of claim 1, wherein the processor or microprocessor receives said request from one or more of the following: a portable computing device, a laptop computer, a personal digital assistant, a notebook computer, a cell phone, a smart phone, a pager, an Internet appliance, or a tablet computer.

3. The non-transitory computer-readable storage medium with an ...

More
14-01-2021 publication date

COMPUTER-BASED SYSTEMS AND COMPUTING DEVICES CONFIGURED TO UTILIZE ONE OR MORE AUTHENTICATION SERVERS FOR SECURING DEVICE COMMANDS TRANSMISSIONS AND METHODS OF USE THEREOF

Number: US20210011992A1
Assignee:

In some embodiments, securing device commands includes a first electronic device receiving a command authorization request message from a second electronic device, including a device command to be performed by the second electronic device, a command argument, and a first message authentication code (MAC) generated by applying a hash function to the device command, the command argument and a first counter value. The first electronic device generates a second MAC by applying the hash function to the device command, the command argument and a second counter value synchronized with the first counter value. The first electronic device compares the first MAC and the second MAC to authenticate the device command and transmits a command approval message or a command denial message. The command approval message causes the second electronic device to perform the device command and the command denial message causes the second electronic device to reject the device command.

1. A method for securing device commands, the method comprising:
receiving, by a first electronic device, a command authorization request message having non-reusable hashing from a second electronic device, comprising
i) at least one first message authentication code (MAC),
ii) at least one device command, and
iii) at least one command argument;
wherein the at least one device command is a respective command to be performed by the second electronic device;
wherein the at least one first MAC has been generated by applying a one-way hash function to a first hash input to produce the non-reusable hashing;
wherein the first hash input comprises at least one first counter value;
generating, by the first electronic device, at least one second counter value based on a current time associated with receiving the command authorization request message;
wherein the second hash input comprises the at least one second counter value;
wherein the at least one second counter value being based on the ...
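The exchange this abstract describes, as an added worked example (it is not part of the patent text and not any applicant's code): the commanding device builds a request carrying the command, the argument and a MAC over both plus a time-derived counter; the authentication server recomputes the MAC with its own counter, tolerating one window of clock drift, and returns approval or denial, which the device acts on. Assumptions not taken from the page: HMAC-SHA256 with a shared key stands in for the abstract's "hash function" (an unkeyed hash over fields an attacker can see would be forgeable), the counter is the Unix time divided into 30-second windows, the server keeps a cache of already-approved MACs so a captured request cannot be replayed inside the window, and the key, commands and timestamps are constructed for the example.

```python
import hashlib
import hmac

# Constructed shared secret for this example only; a deployment would provision a
# per-device key. HMAC is an assumption: the patent text says "hash function", but an
# unkeyed hash of attacker-visible fields gives no authentication.
SHARED_KEY = b"example-shared-key-not-for-production"
COUNTER_WINDOW_SECONDS = 30   # assumed granularity of the time-derived counter


def counter_from_time(unix_time: float, window: int = COUNTER_WINDOW_SECONDS) -> int:
    """Derive the counter value both sides synchronize on from the current time."""
    return int(unix_time // window)


def compute_mac(key: bytes, command: str, argument: str, counter: int) -> bytes:
    """MAC over (command, argument, counter); fields are delimited so bytes cannot
    be shifted from one field into another."""
    fields = [command.encode(), argument.encode(), str(counter).encode()]
    return hmac.new(key, b"\x1f".join(fields), hashlib.sha256).digest()


class CommandingDevice:
    """The 'second electronic device': builds the request and acts on the reply."""

    def __init__(self, key: bytes, clock):
        self.key = key
        self.clock = clock          # callable returning Unix time

    def build_request(self, command: str, argument: str) -> dict:
        counter = counter_from_time(self.clock())
        return {
            "command": command,
            "argument": argument,
            "mac": compute_mac(self.key, command, argument, counter),
        }

    def perform(self, request: dict, reply: dict) -> str:
        """Perform the command on approval, reject it on denial."""
        if reply["status"] == "approved":
            return f"performed {request['command']}({request['argument']})"
        return f"rejected: {reply['reason']}"


class AuthenticationServer:
    """The 'first electronic device': recomputes the MAC with its own counter."""

    def __init__(self, key: bytes, clock, max_skew: int = 1):
        self.key = key
        self.clock = clock
        self.max_skew = max_skew    # tolerated counter drift, in windows
        self.seen_macs = set()      # replay cache of approved requests (assumption)

    def authorize(self, request: dict) -> dict:
        if request["mac"] in self.seen_macs:
            return {"status": "denied", "reason": "replayed request"}
        local_counter = counter_from_time(self.clock())
        # Try the server's own counter and its neighbours so small clock drift is tolerated.
        for candidate in range(local_counter - self.max_skew, local_counter + self.max_skew + 1):
            expected = compute_mac(self.key, request["command"], request["argument"], candidate)
            if hmac.compare_digest(expected, request["mac"]):   # constant-time compare
                self.seen_macs.add(request["mac"])
                return {"status": "approved"}
        return {"status": "denied", "reason": "MAC mismatch or counter out of window"}


def run_exchange(command, argument, device_time, server_time,
                 tamper_argument=None, replay=False) -> str:
    """Drive one request/reply exchange and return the device's final outcome."""
    device = CommandingDevice(SHARED_KEY, lambda: device_time)
    server = AuthenticationServer(SHARED_KEY, lambda: server_time)
    request = device.build_request(command, argument)
    if tamper_argument is not None:
        request["argument"] = tamper_argument   # attacker alters the argument in transit
    reply = server.authorize(request)
    if replay:
        reply = server.authorize(request)       # the same request delivered a second time
    return device.perform(request, reply)


if __name__ == "__main__":
    t = 1_700_000_000
    print(run_exchange("unlock", "door-7", t, t))
    print(run_exchange("unlock", "door-7", t, t, tamper_argument="door-1"))
    print(run_exchange("unlock", "door-7", t, t, replay=True))
    print(run_exchange("unlock", "door-7", t, t + 3600))
```

The skew tolerance is the trade-off to watch: each extra window the server accepts widens the interval in which a captured request stays valid, which is why the replay cache is needed alongside the counter.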

More