Key storage administration

US 20050044375A1
Filed: 07/06/2004
Published: 02/24/2005
Est. Priority Date: 07/04/2003
Status: Active Grant

First Claim

Patent Images

1. A method for allowing multiple applications to manage their respective data in a device (100, 200) having a secure environment (104, 204, 211) to which access is strictly controlled, the method comprising the steps of:

allocating (301) a storage area within the secure environment (104, 204, 211);

associating (302) the storage area with an identity of an application;

storing (303) the associated identity within the secure environment; and

controlling (304) access to the storage area by verifying correspondence between the associated identity and the identity of an accessing application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a method and a system for allowing multiple applications to manage their respective data in a device (100, 200) having a secure environment (104, 204, 211) to which access is strictly controlled. The idea of the invention is that a storage area is allocated (301) within the secure environment (104, 204, 211) of a device (100, 200). The storage area is associated (302) with an identity of an application, the associated identity is stored (303) in the secure environment (104, 204, 211) and access to the storage area is controlled (304) by verifying correspondence between the associated identity and the identity of an accessing application. This is advantageous, since it is possible for the accessing application to read, write and modify objects, such as cryptographic keys, intermediate cryptographic calculation results and passwords, in the allocated storage area.

95 Citations

View as Search Results

17 Claims

1. A method for allowing multiple applications to manage their respective data in a device (100, 200) having a secure environment (104, 204, 211) to which access is strictly controlled, the method comprising the steps of:
- allocating (301) a storage area within the secure environment (104, 204, 211);
  
  associating (302) the storage area with an identity of an application;
  
  storing (303) the associated identity within the secure environment; and
  
  controlling (304) access to the storage area by verifying correspondence between the associated identity and the identity of an accessing application.
- View Dependent Claims (2, 3, 4, 5, 6, 15, 16, 17)
- - 2. The method according to claim 1, wherein the identity of an application is a digital signature created by means of a private key, the digital signature being attached to the application, and the verification of the identity is performed by verifying the digital signature with a public key that corresponds to said private key.
  - 3. The method according to claim 2, wherein the steps of allocating (301) a storage area, associating (302) the storage area with an application identity, storing (303) the associated identity and controlling (304) the access to the storage area are performed for an application of a first party and, subsequently, the same steps (301, 302, 303, 304) are performed for an application of a second party independent of the first party.
  - 4. The method according to claim 1, wherein the application is located outside the device (100, 200) and sends commands to the device (100, 200) instructing the device (100, 200) to perform the steps of allocating (301) a storage area within the secure environment (104, 204, 211) and associating (302) the storage area with an identity of an application, the application identity being attached to the commands.
  - 5. The method according to claim 1, wherein the device (100, 200) stores a digital certificate issued by a trusted certification authority.
  - 6. The method according to claim 1, wherein the secure environment (104, 204, 211) comprises a smart card (211).
  - 15. A computer program comprising computer-executable components for causing a device (100, 200) to perform the steps recited in claim 1 when the computer-executable components are run on a processing unit (103, 203) included in the device.
  - 16. A computer-readable medium storing computer-executable components for causing a device (100, 200) to perform the steps recited claim 1 when the computer-executable components are run on a processing unit (103, 203) included in the device.
  - 17. The method according to claim 1, wherein the steps of allocating (301) a storage area, associating (302) the storage area with an application identity, storing (303) the associated identity and controlling (304) the access to the storage area are performed for an application of a first party and, subsequently, the same steps (301, 302, 303, 304) are performed for an application of a second party independent of the first party.

7. A system for allowing multiple applications to manage their respective data in a device (100, 200) having a secure environment (104, 204, 211) to which access is strictly controlled, the system comprising:
- means (103, 203) for allocating (301) a storage area within the secure environment (104, 204, 211);
  
  means (103, 203) for associating (302) the storage area with an identity of an application;
  
  means (103, 203) for storing (303) the associated identity within the secure environment (104, 204, 211); and
  
  means (103, 203) for controlling (304) access to the storage area by verifying correspondence between the associated identity and the identity of an accessing application.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The system according to claim 7, wherein the identity of an application is a digital signature created by means of a private key, the digital signature being attached to the application, and the verification of the identity is performed by decrypting the digital signature with a public key that corresponds to said private key.
  - 9. The system according to claim 7, wherein the application is located outside the device (100, 200) and arranged to send commands to the device (100, 200) instructing the device (100, 200) to allocate (301) a storage area within the secure environment (104, 204, 211) and associate (302) the storage area with an identity of an application, the application identity being attached to the commands.
  - 10. The system according to claim 7, wherein the device (100, 200) is arranged to store a digital certificate issued by a certification authority.
  - 11. The system according to claim 7, wherein the secure environment (104, 204, 211) comprises a smart card (211).

12. Circuitry (101, 201) for providing data security, which circuitry (101, 201) contains at least one processor (103, 203) and at least one storage circuit (104, 204, 211) and which circuitry (101, 201) comprises:
- at least one storage area in said at least one storage circuit (104, 204, 211), in which storage area protected data relating to circuitry security are located;
  
  mode setting means arranged to set said processor (103, 203) in one of at least two different operating modes, the mode setting means being capable of altering the processor (103, 203) operating mode;
  
  storage circuit access control means arranged to enable said processor (103, 203) to access said storage area in which said protected data are located when a first processor operating mode is set; and
  
  storage circuit access control means arranged to prevent said processor (103, 203) from accessing said storage area in which protected data are located when a second processor operating mode is set.
- View Dependent Claims (13, 14)
- - 13. A device (100, 200) comprising the circuitry (101, 201) for providing data security according to claim 12.
  - 14. The device (100, 200) according to claim 13, wherein the device is a mobile telecommunication terminal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Cofta, Piotr, Paatero, Lauri

Granted Patent

US 8,301,911 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/74   operating in dual or compar...

G06F 21/78   to assure secure storage of...

G06F 2221/2105   Dual mode as a secondary as...

Key storage administration

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Key storage administration

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others