Authentication framework for smart cards
First Claim
1. A smart card that features a generalized authentication framework, the smart card comprising:
processing resources including memory and an instruction processor;
an authentication technology applet (ATA) stored in the memory;
authentication data stored in the memory as part of the ATA;
authentication instructions within the ATA that receive user input from a host via a first application protocol data unit (APDU) interface, authenticate user identity based on the authentication data and the user input, and return an authentication result to the host via the first APDU interface;
an authentication policy applet (APA) stored in the memory;
a card application applet (CAA) stored in the memory, wherein the CAA communicates with the host via a second APDU interface, and the CAA enforces security according to a predefined user role;
security configuration data stored in the memory as part of the APA, wherein the security configuration data includes security configurations that define relationships between user roles for CAAs and corresponding authentication requirements, and wherein at least one of the security configurations associates the predefined user role for the CAA with an application identifier (AID) for the ATA;
the APA including an internal interface, wherein the APA receives a call for role validation from the CAA via the internal interface, and the APA provides a gateway between the CAA and the ATA, such that:
in response to receiving the call for role validation, the APA accesses the security configuration data to identify the ATA associated with the predefined user role for the CAA;
in response to identifying the ATA, the APA communicates with the identified ATA to obtain an authentication status;
in response to obtaining the authentication status, the APA uses the authentication status and the authentication requirements for the predefined user role to determine a role validation result;
in response to determining the role validation result, the APA returns the role validation result to the CAA; and
the user input for user authentication does not pass through the CAA.
Abstract
A smart card authentication framework may include a card application applet (CAA), an authentication policy applet (APA), and an authentication technology applet (ATA). The CAA may provide a protected service for a user. The APA may provide an authentication-technology-independent user validation service for the CAA. The ATA may provide a technology-specific authentication service. In one embodiment, the CAA provides a first external interface, the ATA provides a second external interface and a first internal interface, and the APA provides a second internal interface. The ATA may receive a host request for user authentication via the second external interface, and the ATA may process the authentication request without participation by the CAA. The CAA may communicate with the APA via the first internal interface to determine whether the user is currently validated. If so, the CAA may provide the protected service for the host via the first external interface.
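The role-validation flow of claim 1 and the abstract, modelled in Python as an added example (not code from the patent or from any implementation of it): a PIN-based ATA owning the authentication data and the first APDU interface, an APA whose security configuration maps a (CAA, role) pair to the ATA's AID and an authentication requirement, and a CAA that only asks the APA for a role validation result over its internal interface. The AID, PIN, INS codes and status words are constructed sample values.

```python
import hmac
PIN_ATA_AID, DEMO_PIN = bytes.fromhex("A000000001"), b"1234"  # constructed, not from the patent
VERIFY_INS, GET_DATA_INS = 0x20, 0xCA                         # constructed INS codes
SW_OK, SW_SEC_STATUS, SW_BLOCKED = b"\x90\x00", b"\x69\x82", b"\x69\x83"

class PinATA:
    """ATA: owns the authentication data and the host-facing (first) APDU interface."""
    def __init__(self, pin: bytes):
        self._pin = pin                                         # authentication data in the ATA
        self.authenticated, self.tries = False, 3
    def process_apdu(self, apdu: bytes) -> bytes:
        if apdu[1] != VERIFY_INS or self.tries == 0:            # CLA INS P1 P2 Lc data
            return SW_BLOCKED
        if hmac.compare_digest(apdu[5:5 + apdu[4]], self._pin):
            self.authenticated, self.tries = True, 3
            return SW_OK
        self.authenticated, self.tries = False, self.tries - 1
        return bytes([0x63, 0xC0 | self.tries])                 # wrong PIN, retries left

class APA:
    """APA: gateway whose security configuration maps (CAA, role) -> ATA AID + requirement."""
    def __init__(self, atas: dict, config: dict):
        self.atas, self.config = atas, config                   # AID -> ATA; (caa, role) -> rule
    def validate_role(self, caa_name: str, role: str) -> bool:
        rule = self.config.get((caa_name, role))
        if rule is None:
            return False                                        # unknown role: fail closed
        if not rule["require_auth"]:
            return True                                         # role needs no authentication
        ata = self.atas.get(rule["aid"])                        # identify the ATA for this role
        return ata is not None and ata.authenticated            # internal interface: status query

class CAA:
    """CAA: enforces its role through the APA and never receives user credentials."""
    def __init__(self, name: str, role: str, apa: APA):
        self.name, self.role, self.apa = name, role, apa
    def process_apdu(self, apdu: bytes) -> bytes:               # second APDU interface
        if apdu[1] == GET_DATA_INS and self.apa.validate_role(self.name, self.role):
            return b"protected-record" + SW_OK
        return SW_SEC_STATUS

def demo():
    # Constructed flow: CAA denies, host verifies the PIN at the ATA, CAA then allows.
    ata = PinATA(DEMO_PIN)
    apa = APA({PIN_ATA_AID: ata}, {("wallet", "cardholder"): {"aid": PIN_ATA_AID, "require_auth": True}})
    caa = CAA("wallet", "cardholder", apa)
    denied = caa.process_apdu(bytes([0, GET_DATA_INS, 0, 0, 0]))
    bad = ata.process_apdu(bytes([0, VERIFY_INS, 0, 0x80, 4]) + b"9999")
    good = ata.process_apdu(bytes([0, VERIFY_INS, 0, 0x80, 4]) + DEMO_PIN)
    return denied, bad, good, caa.process_apdu(bytes([0, GET_DATA_INS, 0, 0, 0]))
```

On a Java Card the APA's internal interface would be a Shareable interface object obtained through JCSystem.getAppletShareableInterfaceObject rather than the direct method call used here; the point the model preserves is that the PIN APDU reaches only the ATA, so the CAA has nothing credential-related to leak or mishandle.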
126 Citations
32 Claims
2. A smart card that features a generalized authentication framework, the smart card comprising:
an authentication technology applet (ATA) that provides a technology-specific authentication service;
an authentication policy applet (APA) that provides a technology-independent authentication service; and
a card application applet (CAA) that uses the technology-independent authentication service provided by the APA.
Dependent claims: 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18.
19. A method for enforcing user validation in a smart card with a generalized authentication framework, the method comprising:
using an authentication technology applet (ATA) to provide a technology-specific authentication service;
using an authentication policy applet (APA) to provide a technology-independent authentication service; and
using the technology-independent authentication service provided by the APA at a card application applet (CAA) to determine user validation.
Dependent claims: 20, 21, 22, 23.
24. A method for enforcing user validation in a smart card with a generalized authentication framework, the method comprising:
communicating from a card application applet (CAA) to an authentication policy applet (APA) via an internal interface of the APA to determine whether a user is currently validated;
if the user is currently validated, providing a host with a protected service from the CAA via an external interface of the CAA;
if the user is not currently validated, receiving a host request for user authentication at an authentication technology applet (ATA) via an external interface of the ATA; and
processing the host request for user authentication at the ATA without participation by the CAA.
Dependent claims: 25, 26, 27, 28, 29, 30, 32.
31. A program product that provides an authentication framework for a smart card, the program product comprising:
a computer-usable medium; and
computer instructions encoded in the computer-usable medium, wherein the computer instructions, when executed by a processor in a smart card, perform operations comprising:
communicating from a card application applet (CAA) to an authentication policy applet (APA) via an internal interface of the APA to determine whether a user is currently validated;
if the user is currently validated, providing a host with a protected service from the CAA via an external interface of the CAA;
if the user is not currently validated, receiving a host request for user authentication at an authentication technology applet (ATA) via an external interface of the ATA; and
processing the host request for user authentication at the ATA.
Specification