Protection against rerouting a communication channel of a telecommunication device having an NFC circuit and a secure data circuit

US 10,511,626 B2
Filed: 05/02/2017
Issued: 12/17/2019
Est. Priority Date: 12/20/2010
Status: Active Grant

First Claim

Patent Images

1. A method to protect data stored in a secure data circuit of a telecommunication device equipped with a near-field communication (NFC) router, a microcontroller, and the secure data circuit, the method comprising:

for all messages received with the NFC router, parsing each message to retrieve a communication pipe identifier and an instruction code;

comparing the communication pipe identifier and the instruction code to corresponding information in a filter table that is separate from a routing table of the NFC router; and

when the instruction code of a particular message is an instruction to modify a communication pipe associated with the retrieved communication pipe identifier by reassigning one end of the communication pipe associated with the retrieved communication pipe identifier from a port of the NFC router to a different circuit, blocking the particular message from reaching the secure data circuit when the instruction code is not authorized in the filter table and permitting passage of the particular message to the secure data circuit when the instruction code is authorized in the filter table,wherein comparing the communication pipe identifier and the instruction code to corresponding information in the filter table includes comparing a format of data of the particular message with authorized formats stored in the filter table.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and associated circuits protect data stored in a secure data circuit of a telecommunication device equipped with a near-field communication (NFC) router, a microcontroller, and the secure data circuit. In the method, each message received with the NFC router is parsed to retrieve a communication pipe identifier and an instruction code. The communication pipe identifier and the instruction code are compared to corresponding information in a filter table. Instruction codes of particular messages that attempt to modify a communication pipe by reassigning one end of the communication pipe from the port of the NFC router to a different circuit are acted upon. These messages are blocked from reaching the secure data circuit when the instruction code is not authorized in the filter table, and these messages are permitted when the instruction code is authorized in the filter table.

57 Citations

View as Search Results

31 Claims

1. A method to protect data stored in a secure data circuit of a telecommunication device equipped with a near-field communication (NFC) router, a microcontroller, and the secure data circuit, the method comprising:
- for all messages received with the NFC router, parsing each message to retrieve a communication pipe identifier and an instruction code;
  
  comparing the communication pipe identifier and the instruction code to corresponding information in a filter table that is separate from a routing table of the NFC router; and
  
  when the instruction code of a particular message is an instruction to modify a communication pipe associated with the retrieved communication pipe identifier by reassigning one end of the communication pipe associated with the retrieved communication pipe identifier from a port of the NFC router to a different circuit, blocking the particular message from reaching the secure data circuit when the instruction code is not authorized in the filter table and permitting passage of the particular message to the secure data circuit when the instruction code is authorized in the filter table,wherein comparing the communication pipe identifier and the instruction code to corresponding information in the filter table includes comparing a format of data of the particular message with authorized formats stored in the filter table.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the filter table includes a plurality of authorized instruction codes.
  - 3. The method of claim 1, wherein comparing the communication pipe identifier and the instruction code to corresponding information in the filter table includes:
    - comparing a received control signal to corresponding information in the filter table; and
      
      based on comparing the received control signal, asserting an authorization code or a denial code.
  - 4. The method of claim 1, wherein the particular message includes telecommunication data.

5. A method to protect data stored in a secure data circuit of a telecommunication device equipped with a near-field communication (NFC) router, a microcontroller, and the secure data circuit, the method comprising:
- for all messages received with the NFC router, parsing each message to retrieve a communication pipe identifier and an instruction code;
  
  comparing the communication pipe identifier and the instruction code to corresponding information in a filter table that is separate from a routing table of the NFC router; and
  
  when the instruction code of a particular message is an instruction to modify a communication pipe associated with the retrieved communication pipe identifier by reassigning one end of the communication pipe associated with the retrieved communication pipe identifier from a port of the NFC router to a different circuit, blocking the particular message from reaching the secure data circuit when the instruction code is not authorized in the filter table and permitting passage of the particular message to the secure data circuit when the instruction code is authorized in the filter table, wherein the NFC router includes a plurality of filter tables, each one of the plurality of filter tables associated with a different secure data circuit.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The method of claim 5, wherein the plurality of filter tables includes at least one filter table associated with the microcontroller.
  - 7. The method of claim 5, comprising:
    - intercepting the particular message before the message reaches the secure data circuit.
  - 8. The method of claim 5, wherein the filter table includes a plurality of authorized instruction codes.
  - 9. The method of claim 5, wherein blocking the message is as a result of determining that the instruction code is not included as an authorized instruction code in the filter table.

10. A device, comprising:
- a secure data circuit;
  
  a microcontroller; and
  
  a contactless front-end (CLF) router communicatively arranged between the secure data circuit and the microcontroller, the device arranged to form a communication pipe between a port of the secure data circuit and a port of the CLF router, wherein the CLF router is configured to;
  
  receive a plurality of messages;
  
  parse the plurality of messages to retrieve a channel identifier of the communication pipe and an instruction code for each parsed message; and
  
  when a particular instruction code is an instruction to divert a particular communication pipe by reassigning one end of the particular communication pipe from the port of the CLF router to a different circuit, the CLF router is configured to compare the respective channel identifier and the respective instruction code to corresponding information in a filter table that is separate from a routing table of the CLF router, and based on the comparison, the CLF router is arranged to block the respective message from reaching the secure data circuit when the instruction code is not authorized in the filter table and the CLF router is arranged to permit passage of the respective message to the secure data circuit when the instruction code is authorized in the filter table,wherein comparison between the respective channel identifier and the respective instruction code to corresponding information in the filter table includes comparison between a format of the instruction code to authorized formats stored in the filter table.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The device of claim 10, wherein the device is a telecommunication device.
  - 12. The device of claim 10, wherein CLF router conforms to a near-field communication protocol.
  - 13. The device of claim 10, wherein comparing the respective channel identifier and the respective instruction code to corresponding information in the filter table includes:
    - comparing a format of the instruction code to authorized formats stored in the filter table.
  - 14. The device of claim 10, where the CLF router is further arranged to:
    - assert an authorization code or a denial code.

15. A device, comprising:
- a secure data circuit;
  
  a microcontroller; and
  
  a contactless front-end (CU) router communicatively arranged between the secure data circuit and the microcontroller, the device arranged to form a communication pipe between a port of the secure data circuit and a port of the CLF router, wherein the CLF router is configured to;
  
  receive a plurality of messages;
  
  parse the plurality of messages to retrieve a channel identifier of the communication pipe and an instruction code for each parsed message; and
  
  when a particular instruction code is an instruction to divert a particular communication pipe by reassigning one end of the particular communication pipe from the port of the CLF router to a different circuit, the CLF router is configured to compare the respective channel identifier and the respective instruction code to corresponding information in a filter table that is separate from a routing table of the CLF router and based on the comparison, the CLF router is arranged to block the respective message from reaching the secure data circuit when the instruction code is not authorized in the filter table and the CLF router is arranged to permit passage of the respective message to the secure data circuit when the instruction code is authorized in the filter table, wherein the CLF router is formed in at least one of a universal serial bus (USB) key, a bank teller terminal, and an adhesive device.
- View Dependent Claims (16, 17, 18)
- - 16. The device of claim 15, wherein the CLF router includes memory that stores the filter table.
  - 17. The device of claim 15, wherein the CLF router includes an interception module disposed along a path between the microcontroller and the secure data circuit, the interception module configured to intercept the instruction to divert the particular communication pipe.
  - 18. The device of claim 15, wherein the CLF router conforms to a near-field communication protocol.

19. A device comprising:
- a secure data circuit;
  
  a microcontroller; and
  
  a contactless front-end (CLF) router communicatively arranged between the secure data circuit and the microcontroller, the device arranged to form a communication pipe between a port of the secure data circuit and a port of the CLF router, wherein e CLF router is configured to;
  
  receive a plurality of messages;
  
  parse the plurality of messages to retrieve a channel identifier of the communication pipe and an instruction code for each parsed message; and
  
  when a particular instruction code is an instruction to divert a particular communication pipe by reassigning one end of the particular communication pipe from the port of the CLF router to a different circuit, the CLF router is configured to compare the respective channel identifier and the respective instruction code to corresponding information in a filter table that is separate from a routing table of the CLF router, and based on the comparison, the CLF router is arranged to block the respective message from reaching the secure data circuit when the instruction code is not authorized in the filter table and the CLF router is arranged to permit passage of the respective message to the secure data circuit when the instruction code is authorized in the filter table, wherein the CLF router includes memory that stores a plurality of filter tables, each one of the plurality of filter tables associated with a different secure data circuit.
- View Dependent Claims (20, 21, 22)
- - 20. The device of claim 19, wherein the CLF router includes memory that stores the filter table.
  - 21. The device of claim 19, wherein the CLF router includes an interception module disposed along a path between the microcontroller and the secure data circuit, the interception module configured to intercept the instruction to divert the particular communication pipe.
  - 22. The device of claim 19, wherein the CLF router conforms to a near-field communication protocol.

23. A method performed in a device, comprising:
- forming a communication pipe between a secure data circuit and a near-field communication (NFC) router;
  
  receiving a message with the NFC router;
  
  filtering the message by isolating an instruction code in the message and a channel identifier, wherein the instruction code is an instruction to modify the communication pipe by reassigning one end of the communication pipe from a port of the NFC router to a different circuit; and
  
  either blocking the message from reaching the secure data circuit when the channel identifier identifies the communication pipe and when the instruction code is not authorized to act on the communication pipe based at least in part on comparison of the instruction code with information in a filter table that is separate from a routing table of the NFC router, or passing the message toward the secure data circuit when the channel identifier identifies the communication pipe and when the instruction code is authorized to act on the communication pipe, wherein comparison between the instruction code with the information in the filter table includes comparison between a format of data of the message and authorized formats stored in the filter table.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31)
- - 24. The method of claim 23, comprising:
    - blocking the message as a result of determining that the instruction code is not recognized.
  - 25. The method of claim 23, wherein the message is addressed to the secure data circuit.
  - 26. The method of claim 23, wherein each operation of parsing, determining, comparing, and blocking is performed by the NFC router.
  - 27. The method of claim 23, comprising:
    - forming in the device a second communication pipe between a second secure data circuit and the NFC router;
      
      receiving a second message with the NFC router;
      
      filtering the second message by isolating a second instruction code in the message and a second channel identifier; and
      
      blocking the second message when the second channel identifier identifies the second communication pipe and when the second instruction code is not authorized to act on the second communication pipe.
  - 28. The method of claim 23, comprising:
    - comparing a received control signal to corresponding information in the filter table; and
      
      based on comparison between the received control signal and the corresponding information, asserting an authorization code or a denial code.
  - 29. The method of claim 23, comprising:
    - intercepting the message before the message is transmitted to the different circuit.
  - 30. The method of claim 23, wherein the different circuit is the secure data circuit and the instruction code is an instruction to modify the communication pipe by reassigning one end of the communication pipe from the port of the NFC router to a port of the security data circuit.
  - 31. The method of claim 23, wherein comparing the communication pipe identifier and the instruction code to corresponding information in the filter table includes:
    - comparing a received control signal to corresponding information in the filter table; and
      
      as a result of comparing the received control signal, generating an authorization code or a denial code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
STMicroelectronics SAS (STMicroelectronics NV)
Original Assignee
STMicroelectronics SAS (STMicroelectronics NV)
Inventors
Huque, Thierry, Van Nieuwenhuyze, Olivier, Charles, Alexandre
Primary Examiner(s)
Eng, George
Assistant Examiner(s)
Du, Hung K

Application Number

US15/585,107
Publication Number

US 20170237774A1
Time in Patent Office

959 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0245   Filtering by information in...

H04L 63/0492   by using a location-limited...

H04L 63/083   using passwords cryptograph...

H04L 63/107   wherein the security polici...

H04L 63/1466   Active attacks involving in...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/122   Counter-measures against at...

H04W 4/80   Services using short range ...

Protection against rerouting a communication channel of a telecommunication device having an NFC circuit and a secure data circuit

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Protection against rerouting a communication channel of a telecommunication device having an NFC circuit and a secure data circuit

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links