Method and system for establishing a communications pipe between a personal security device and a remote computer system

US 20040143731A1
Filed: 10/30/2003
Published: 07/22/2004
Est. Priority Date: 04/30/2001
Status: Active Grant

First Claim

Patent Images

1. A method for establishing a communications pipe between at least one PSD (40) and at least one Remote Computer System (50) over a network (45) using at least one Client (10) as a host to said at least one PSD (40), said at least one Client (10) and said at least one Remote Computer System (50) being in functional communications using a packet-based communications protocol over said network (45), said method comprising the steps of:

a) generating or retrieving, in said at least one Remote Computer System (50), a request (200;

500) to access said at least one PSD (40), said request (200;

500) being in a high-level messaging format, b) converting, in said at least one Remote Computer System (50), said request (200;

500) from said high-level messaging format to a PSD-formatted request message (220;

520), c) encapsulating, in said at least one Remote Computer System (50), said PSD-formatted request message (220;

520) with said packet-based communications protocol, thus producing an encapsulated PSD-formatted request message (210;

530), d) transmitting (230, 240;

535, 540) said encapsulated PSD-formatted request message (210;

530), using said packet-based communications protocol, from said at least one Remote Computer System (50) to said at least one Client (10) via said network (45), e) extracting, in said at least one Client (10), said PSD-formatted request message (260, 270;

560, 570) from said encapsulated PSD-formatted request message (250;

550), f) transmitting said PSD-formatted request message (260, 270;

560, 570) from said at least one Client (10) to said at least one PSD (40), g) processing, in said at least one PSD (40), said PSD-formatted request message (260, 270;

560, 570), thus producing a PSD-formatted response message (360, 370;

660, 670), h) transmitting said PSD-formatted response message (360, 370;

660, 670) from said at least one PSD (40) to said at least one Client (10), i) encapsulating, in said at least one Client (10), said PSD-formatted response message (360, 370;

660, 670) with said packet-based communications protocol, thus producing an encapsulated PSD-formatted response message (350;

650), j) transmitting (330, 340;

635;

640) said encapsulated PSD-formatted response message (350;

650), using said packet-based communications protocol, from said at least one Client (10) to said at least one Remote Computer System (50) via said network (45), k) extracting, in said at least one Remote Computer System (50), said PSD-formatted response message (320;

630) from said encapsulated PSD-formatted response message (310;

610), and l) converting, in said at least one Remote Computer System (10), said PSD-formatted response message (320;

630) into a high-level response message (300;

600), and m) processing said high-level response message in said at least one Remote Computer System (50).

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a method and a system for establishing a communications path (the “pipe” 75) over a communications network (45) between a Personal Security Device (PSD 40) and a Remote Computer System (50) without requiring means for converting high-level messages such as API-level messages to PSD-formatted messages such as APDU-formatted messages (and inversely) to be installed on a local Client (10) in which a PSD (40) is connected.

Citations

16 Claims

1. A method for establishing a communications pipe between at least one PSD (40) and at least one Remote Computer System (50) over a network (45) using at least one Client (10) as a host to said at least one PSD (40), said at least one Client (10) and said at least one Remote Computer System (50) being in functional communications using a packet-based communications protocol over said network (45), said method comprising the steps of:
- a) generating or retrieving, in said at least one Remote Computer System (50), a request (200;
  
  500) to access said at least one PSD (40), said request (200;
  
  500) being in a high-level messaging format, b) converting, in said at least one Remote Computer System (50), said request (200;
  
  500) from said high-level messaging format to a PSD-formatted request message (220;
  
  520), c) encapsulating, in said at least one Remote Computer System (50), said PSD-formatted request message (220;
  
  520) with said packet-based communications protocol, thus producing an encapsulated PSD-formatted request message (210;
  
  530), d) transmitting (230, 240;
  
  535, 540) said encapsulated PSD-formatted request message (210;
  
  530), using said packet-based communications protocol, from said at least one Remote Computer System (50) to said at least one Client (10) via said network (45), e) extracting, in said at least one Client (10), said PSD-formatted request message (260, 270;
  
  560, 570) from said encapsulated PSD-formatted request message (250;
  
  550), f) transmitting said PSD-formatted request message (260, 270;
  
  560, 570) from said at least one Client (10) to said at least one PSD (40), g) processing, in said at least one PSD (40), said PSD-formatted request message (260, 270;
  
  560, 570), thus producing a PSD-formatted response message (360, 370;
  
  660, 670), h) transmitting said PSD-formatted response message (360, 370;
  
  660, 670) from said at least one PSD (40) to said at least one Client (10), i) encapsulating, in said at least one Client (10), said PSD-formatted response message (360, 370;
  
  660, 670) with said packet-based communications protocol, thus producing an encapsulated PSD-formatted response message (350;
  
  650), j) transmitting (330, 340;
  
  635;
  
  640) said encapsulated PSD-formatted response message (350;
  
  650), using said packet-based communications protocol, from said at least one Client (10) to said at least one Remote Computer System (50) via said network (45), k) extracting, in said at least one Remote Computer System (50), said PSD-formatted response message (320;
  
  630) from said encapsulated PSD-formatted response message (310;
  
  610), and l) converting, in said at least one Remote Computer System (10), said PSD-formatted response message (320;
  
  630) into a high-level response message (300;
  
  600), and m) processing said high-level response message in said at least one Remote Computer System (50).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, further comprising the steps of:
    - b1) encrypting said PSD-formatted request message (520) in said at least one Remote Computer System (50) after said step b) and before said step c), f1) decrypting said PSD-formatted request message (560, 570) in said at least one PSD (40) after said step f) and before said step g), g1) encrypting said PSD-formatted response message (660, 670) in said at least one PSD (40) after said step g) and before said step h), and k1) decrypting said extracted PSD-formatted response message (630) in said at least one Remote Computer System (50) after said step k) and before said step l).
  - 3. The method according to claim 2, wherein said at least one PSD (40) comprises unique identification information, comprising the step of cross-referencing said unique identification information with a look-up table in order to select proper cryptographic means for implementing said steps b1, f1, g1 and k1.
  - 4. The method according to claim 1, 2 or 3, comprising the step of initiating said communications pipe automatically upon connection of said at least one PSD (40) to said at least one Client (10).
  - 5. The method according to claim 1, 2 or 3, comprising the step of initiating said communications pipe upon an initial request generated by said at least one Client (10).
  - 6. The method according to claim 1, 2 or 3, comprising the step of initiating said communications pipe upon an initial request generated by at least one networked Remote Computer System.
  - 7. The method according to claim 1, 2 or 3, comprising the step of establishing said communications pipe in the background.
  - 8. The method according to claim 1, wherein said high-level messaging format is an API-level format, and wherein said PSD-formatted messages are APDU-formatted messages.

9. A Client (10) for establishing a communications pipe between at least one PSD (40) and at least one Remote Computer System (50) over a network (45) using said Client (10) as a host to said at least one PSD (40), said Client (10) comprising:
- a) PSD interface means (25) for functionally connecting said at least one PSD (40) to said Client (10), b) Client communications means (105C) for transmitting and receiving messages over said network (45) using a packet-based-communications protocol, c) Client processing means (15) comprising;
  
  c1) means for receiving incoming message packets (250;
  
  550) over said network (45) using said Client communications means (105C), for extracting incoming PSD-formatted messages (260, 270;
  
  560, 570) from said incoming message packets (250;
  
  550), and for transmitting said incoming PSD-formatted messages (260, 270;
  
  560, 570) to said PSD (40) through said PSD interface means (25), and c2) means for receiving outgoing PSD-formatted messages (360, 370;
  
  660, 670) coming from said PSD (40) through said PSD interface (25), for encapsulating said outgoing PSD-formatted messages (360, 370;
  
  660, 670) into outgoing message packets (350;
  
  650), and for transmitting said outgoing message packets (350;
  
  650) over said network (45) using said Client communications means (105C).

10. A Remote Computer System (50) for establishing a communications pipe between at least one PSD (40) and said Remote Computer System (50) over a network (45) using a Client (10) as a host to said at least one PSD (40), said Remote Computer System (50) comprising:
- a) Remote Computer System communications means (105S) for transmitting and receiving messages over said network using a packet-based-communications protocol, b) first Remote Computer System data processing means (55) for converting PSD-formatted messages into high-level messages, and inversely, c) second Remote Computer System data processing means (100) for implementing high-level programs, d) third Remote Computer System data processing means (70) comprising;
  
  d1) means for receiving incoming message packets (310;
  
  610) over said network (45) using said Remote Computer System communications means (105S), for extracting incoming PSD-formatted messages (320;
  
  630) from said incoming message packets (310;
  
  610), and for transmitting said incoming PSD-formatted messages (320;
  
  630) to said second Remote Computer System data processing means (100) through said first Remote Computer System data processing means (55), and d2) means for receiving outgoing PSD-formatted messages (220;
  
  520) coming from said second Remote Computer System data processing means (100) through said first Remote Computer System data processing means (55), for encapsulating said outgoing PSD-formatted messages (220;
  
  520) into outgoing message packets (210;
  
  530), and for transmitting said outgoing message packets (210;
  
  530) over said network (45) using said Remote Computer System communications means (105S).
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The Remote Computer System (50) according to claim 10, wherein said incoming PSD-formatted messages (630) are to be decrypted and said outgoing PSD-formatted messages (520) are to be encrypted, further comprising cryptographic means (440;
    - 525) for decrypting said incoming PSD-formatted messages (630), and for encrypting said outgoing PSD-formatted messages (520).
  - 12. The Remote Computer System (50) according to claim 11, wherein said cryptographic means comprise a Hardware Security Module (440).
  - 13. A system for the establishment of a communications pipe, comprising at least one Client (10) according to claim 9 and at least one Remote Computer System (50) according to claim 10 functionally connected to said at least one Client (10) through said network (45).
  - 14. The system according to claim 13, further comprising at least one PSD (40) comprising:
    - a) means for functionally connecting said at least one PSD to said PSD interface means (25), b) PSD communications means for transmitting and receiving PSD-formatted messages (260, 270, 360, 370) through said PSD interface means (25), and c) PSD processing means for interpreting incoming PSD-formatted messages (260, 270), executing commands included in said incoming PSD-formatted messages (260, 270) and transmitting outgoing PSD-formatted messages (360, 370) through said PSD interface (25) using said PSD communications means.
  - 15. A system for the establishment of a secure communications pipe, comprising at least one Client (10) according to claim 9 and at least one Remote Computer System (50) according to claim 11 functionally connected to said at least one Client (10) through said network (45).
  - 16. The system according to claim 15, further comprising at least one PSD (40) comprising:
    - a) means for functionally connecting said at least one PSD (40) to said PSD interface means (25), b) PSD communications means for transmitting and receiving encrypted PSD-formatted messages (560, 570, 660, 670) through said PSD interface means (25), c) PSD cryptographic means for decrypting encrypted incoming PSD-formatted messages (560, 570) and for encrypting outgoing PSD-formatted messages (660, 670), and d) PSD processing means for interpreting said decrypted incoming PSD-formatted messages, executing commands included in said decrypted incoming PSD-formatted messages, and generating outgoing PSD-formatted messages to be encrypted by said PSD cryptographic means and transmitted through said PSD interface (25) using said PSD communications means.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Assa Abloy AB
Original Assignee
Activcard Ireland, Limited (Assa Abloy AB)
Inventors
Clemot, Olivier, Audebert, Yves Louis Gabriel

Granted Patent

US 7,853,789 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/151
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06Q 20/3672   initialising or reloading t...

H04L 12/4633   Interconnection of networks...

H04L 63/0428   wherein the data content is...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/141   Setup of application sessio...

H04L 69/08   Protocols for interworking;...

H04L 69/085   specially adapted for inter...

H04L 69/32   Architecture of open system...

H04L 69/323   in the physical layer [OSI ...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

H04W 12/06   Authentication

Method and system for establishing a communications pipe between a personal security device and a remote computer system

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for establishing a communications pipe between a personal security device and a remote computer system

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links