Method For The Authentication Of Applications

US 20070198834A1
Filed: 11/26/2004
Published: 08/23/2007
Est. Priority Date: 11/27/2003
Status: Active Grant

First Claim

Patent Images

1. Authentication method of at least one application working in a equipment connected by a network to a control server, said equipment being locally connected to a security module, said application being at least one of loadable and executable via an application execution environment of the equipment and being adapted to use resources stored in the security module, the method comprising:

reception by the control server, via the network, of data comprising at least the identifier of the equipment and the identifier of the security module, analysis and verification by the control server of said data, generation of a cryptogram comprising a digest of the application, data identifying the equipment and the security module and instructions intended for said module, transmission of said cryptogram, via the network and the equipment, to the security module, and verification of the application by comparing the digest extracted from the cryptogram received with a digest determined by the security module, wherein, during at least one of initialization and activation of the application, the security module executes the instructions extracted from the cryptogram and at least one of releases, and blocks access to certain resources of said security module according to a result of the verification suited to this application carried out previously.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for the authentication of applications both at the time of their downloading, as well as at the time of their execution. At least one application works in an equipment connected by a network to a control server, the equipment being locally connected to a security module. The application is loaded and/or executed via an application execution environment of the equipment and uses resources stored in the security module. The authentication method includes reception by the control server, via the network, of data including at least the identifier of the equipment and the identifier of the security module, analysis and verification by the control server of the data; generation of a cryptogram including a digest of the application, data identifying the equipment and the security module and instructions intended for the module; transmission of the cryptogram, via the network and the equipment, to the security module; and verification of the application by comparing the digest extracted from the cryptogram received with a digest determined by the security module. Further, said method further comprising steps wherein, during the initialization and/or the activation of the application, the security module executes the instructions extracted from the cryptogram, to at least one of release and block the access to certain resources of the security module according to the result of the verification suited to this application carried out previously.

81 Citations

View as Search Results

19 Claims

1. Authentication method of at least one application working in a equipment connected by a network to a control server, said equipment being locally connected to a security module, said application being at least one of loadable and executable via an application execution environment of the equipment and being adapted to use resources stored in the security module, the method comprising:
- reception by the control server, via the network, of data comprising at least the identifier of the equipment and the identifier of the security module, analysis and verification by the control server of said data, generation of a cryptogram comprising a digest of the application, data identifying the equipment and the security module and instructions intended for said module, transmission of said cryptogram, via the network and the equipment, to the security module, and verification of the application by comparing the digest extracted from the cryptogram received with a digest determined by the security module, wherein, during at least one of initialization and activation of the application, the security module executes the instructions extracted from the cryptogram and at least one of releases, and blocks access to certain resources of said security module according to a result of the verification suited to this application carried out previously.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 19)
- - 2. Method according to claim 1 wherein the equipment is a mobile equipment of mobile telephony.
  - 3. Method according to claim 1 wherein the network is a mobile network of at least one of the type GSM, GPRS, UMTS.
  - 4. Method according to claim 1, wherein the security module is a subscriber module inserted into the mobile equipment of mobile telephony of the SIM card type.
  - 5. Method according to claim 4 wherein the identification of at least one of the set mobile equipment and subscriber module is carried out from the identifier of the mobile equipment and from the identifier of the subscriber module suited to a subscriber to the network.
  - 6. Method according to claim 1 wherein the instructions included in the cryptogram received by the security module condition the use of the applications according to criteria established previously by at least one of the operator, the application supplier and the user of the equipment.
  - 7. Method according to claim 6 wherein the criteria define limits of use of an application according to the risks associated with at least one of the software of said application and with the hardware of the equipment that the operator desires to take into account.
  - 8. Method according to claim 1 wherein the verification of the application with the cryptogram is carried out at the time of at least one of the first initialization and the first use of said application.
  - 9. Method according to claim 1 wherein the verification of the application with the cryptogram is periodically carried out at a given rate according to instructions originating from the control server.
  - 10. Method according to claim 1 wherein the verification of the application with the cryptogram is carried out at the time of each initialization of said application on the equipment.
  - 11. Method according to claim 1 wherein the cryptogram is generated with the aid of an asymmetrical or symmetrical encryption key from a data set containing, among other data, the identifier of the equipment, the identifier of the security module, an identifier of the application, the digest of the application calculated with an unidirectional hash function and identifiers of the resources of the security module and instructions for locking/releasing of resources of the security module.
  - 12. Method according to claim 11 wherein the cryptogram includes a variable that is predictable by the security module avoiding the double use of a same cryptogram, the value of said variable being controlled by the security module by making a comparison with that of a reference value stored in said module and regularly updated.
  - 13. Method according to claim 1 wherein the security module transmits to the control server, via the equipment and the network, a confirmation message when said security module has accepted or refused a cryptogram of an application.
  - 14. Method according to the claim 1 wherein the cryptogram is transmitted to the security module at the same time as the application is loaded into the equipment via the execution environment of the applications.
  - 15. Method according to claim 1 wherein the application, once loaded into the equipment from the control server via the network, requests a cryptogram from the server at the time of its initialization and transmits said cryptogram to the security module, the confirmation message of acceptance or refusal of the cryptogram being transmitted by the security module to the server via the application.
  - 16. Method according to claim 1, wherein the equipment is a Pay-TV decoder or a computer to which the security module is connected.
  - 19. Method according to claim 2, wherein the security module is a subscriber module inserted into the mobile equipment of mobile telephony of the SIM card type.

17. Security module comprising resources intended to be accessed locally by at least one application installed in an equipment connected to a network, said equipment including means for reading and transmitting data including at least an identifier of the equipment and an identifier of the security module, said module further comprising means for reception, storage and analysis of a cryptogram containing among other data, a digest of said application and instructions, means for verification of said application, and means for extraction and execution of the instructions contained in the cryptogram, for at least one of releasing and blocking certain resources according to the result of the verification of the application.
- View Dependent Claims (18)
- - 18. Security module according to claim 17, wherein the security module is at least one of the subscriber module and SIM card type intended to be connected to a mobile equipment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nagravision SA (Kudelski SA)
Original Assignee
Nagravision SA (Kudelski SA)
Inventors
Cantini, Renato, Ksontini, Rached

Granted Patent

US 8,261,365 B2
Time in Patent Office

Days
Field of Search
US Class Current

455/411
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/34   involving the use of extern...

G06F 21/51   at application loading time...

G06F 21/554   involving event detection a...

G06F 2221/2107   File encryption

G06F 2221/2153   Using hardware token as a s...

G06F 8/65   Updates security arrangemen...

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

H04W 12/08   Access security

H04W 12/10   Integrity

H04W 12/35   Protecting application or s...

H04W 4/60   Subscription-based services...

Method For The Authentication Of Applications

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

81 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method For The Authentication Of Applications

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links