Method and Apparatus for Providing Dynamic Security Management

US 20080244685A1
Filed: 02/08/2005
Published: 10/02/2008
Est. Priority Date: 02/11/2004
Status: Active Grant

First Claim

Patent Images

1. A method of providing a dynamic security management in an apparatus, the apparatus comprising:

a platform for running an application;

a security manager for handling access of the application to functions existing in the apparatus;

an application interface between the platform and the application;

a set of access permissions stored in the apparatus and used by the security manager for controlling access of the application to functions through the application interface the method comprising;

downloading into the apparatus an object containing access permissions applicable to at least one function;

verifying the object; and

installing the access permissions together with the existing permissions.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and devices provide dynamic security management in an apparatus, such as a mobile telephone terminal. The apparatus includes a platform for running an application; a security manager for handling access of the application to functions existing in the apparatus; an application interface (API) between the platform and the application; a set of access permissions stored in the apparatus and used by the security manager for controlling access of the application to functions through the application interface. Methods can include downloading into the apparatus an object containing access permissions applicable to at least one function; verifying the object; and installing the access permissions together with the existing permissions.

Citations

35 Claims

1. A method of providing a dynamic security management in an apparatus, the apparatus comprising:
- a platform for running an application;
  
  a security manager for handling access of the application to functions existing in the apparatus;
  
  an application interface between the platform and the application;
  
  a set of access permissions stored in the apparatus and used by the security manager for controlling access of the application to functions through the application interface the method comprising;
  
  downloading into the apparatus an object containing access permissions applicable to at least one function;
  
  verifying the object; and
  
  installing the access permissions together with the existing permissions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method according to claim 1, wherein the object is verified by checking a certificate chain of the object.
  - 3. A method according to claim 1 further comprising verifying that a policy of the function allows updates.
  - 4. A method according claim 1, further comprising installing a library comprising new routines and/or new functions to be called by an application or another library stored in the apparatus to enable access of functions through the application interface.
  - 5. A method according to claim 4, wherein the new routines and/or new functions can access existing functions through the library.
  - 6. A method according to claim 5, wherein the security manger, when accessing functions, recursively checks the permissions of the application interfaces and libraries in a linked chain related to the called functions.
  - 7. A method according to claim 1, further comprising installing a new function so that the new function can access existing functions through the application interface.
  - 8. A method according to claim 7, wherein the new functions can access existing functions through a library.
  - 9. A method according claim 1, wherein the access permissions are contained in a policy file.
  - 10. A method according to claim 9, characterised in that wherein the policy file has a structure linking access levels of existing functions with a domain associated with the downloaded object.
  - 11. A method according to claim 9, wherein the policy file has a structure linking access levels of existing functions with information contained in a certificate chain.
  - 12. A method according to claim 11, wherein the information includes a signature of the end entity certificate, a signature of an intermediate certificate, or specific level information (level OID).
  - 13. A method according to claim 10, wherein the policy file has a structure including logical expressions.

14. A method of providing a dynamic security management in an apparatus, the apparatus comprising:
- a platform for running an application;
  
  a security manager for handling access of the application to functions existing in the apparatus;
  
  an application interface between the platform and the application;
  
  a set of access permissions stored in the apparatus and used by the security manager for controlling access of the application to functions through the application interface, the method comprising;
  
  storing the access permissions in a security policy; and
  
  providing the security policy with a hierarchical structure.
- View Dependent Claims (15, 16, 17)
- - 15. A method according to claim 14, wherein the security policy has a structure linking access levels of existing functions with a domain associated with the downloaded object.
  - 16. A method according to claim 15, wherein the security policy has a structure linking access levels of existing functions with information contained in a certificate chain.
  - 17. A method according to claim 16, wherein the information includes a signature of the end entity certificate, a signature of an intermediate certificate, or specific level information (level OID).

18. An apparatus with dynamic security management comprising:
- a platform for running an application;
  
  a security manager for handling access of the application to functions existing in the apparatus;
  
  an application interface between the platform and the application;
  
  a set of access permissions stored in the apparatus and used by the security manager for controlling access of the application to functions through the application interface wherein the apparatus is configured to download an object containing access permissions applicable to at least one function;
  
  to verify the object; and
  
  to install the access permissions together with the existing permissions.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 35)
- - 19. An apparatus according to claim 18, wherein the security manager is configured to verify the object by checking a certificate chain of the object.
  - 20. An apparatus according to claim 18 wherein the security manager is configured to verify that a policy of the function allows updates.
  - 21. An apparatus according to claim 18, wherein the apparatus is configured to install a library (12) comprising new routines and/or new functions to be called by an application or another library stored in the apparatus to enable access of functions through the application interface.
  - 22. An apparatus according to claim 21, wherein the new routines and/or new functions can access existing functions through the library.
  - 23. An apparatus according to claim 22, wherein the security manger, when accessing functions, is configured to recursively check the permissions of the application interfaces and libraries in a linked chain related to the called functions.
  - 24. An apparatus according claim 18, wherein the apparatus is configured to install a new function so that the new function can access existing functions through the application interface.
  - 25. An apparatus according to claim 24, wherein the new functions can access existing functions through a library.
  - 26. An apparatus according to claim 18, wherein the access permissions are contained in a policy file.
  - 27. An apparatus according to claim 26, wherein the policy file has a structure linking access levels of existing functions with a domain associated with the downloaded object.
  - 28. An apparatus according to claim 26, wherein the policy file has a structure linking access levels of existing functions with information contained in a certificate chain.
  - 29. An apparatus according to claim 28, wherein the information includes a signature of the end entity certificate, a signature of an intermediate certificate, or specific level information (level OID).
  - 30. An apparatus according to claim 28, wherein the policy file has a structure including logical expressions.
  - 35. An apparatus according to claim 18, wherein the apparatus is a portable telephone, a pager, a communicator, a smart phone, or an electronic organizer.

31. An apparatus for providing a dynamic security management comprising:
- a platform for running an application;
  
  a security manager for handling access of the application to functions existing in the apparatus;
  
  an application interface between the platform and the application;
  
  a set of access permissions stored in the apparatus and used by the security manager for controlling access of the application to functions through the application interface, wherein the apparatus is configured to store the access permissions in a security policy; and
  
  provide the security policy with a hierarchical structure.
- View Dependent Claims (32, 33, 34)
- - 32. An apparatus according to claim 31, wherein the security policy has a structure linking access levels of existing functions with a domain associated with the downloaded object.
  - 33. An apparatus according to claim 32, wherein the security policy has a structure linking access levels of existing functions with information contained in a certificate chain.
  - 34. An apparatus according to claim 33, wherein the information includes a signature of the end entity certificate, a signature of an intermediate certificate, or specific level information (level OID).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sony Corporation (Sony Group Corp.)
Original Assignee
Sony Ericsson Mobile Communications AB (Sony Group Corp.)
Inventors
Andersson, Stefan, Aronsson, Par-Anders

Granted Patent

US 7,712,126 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

H04L 63/0823   using certificates cryptogr...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 67/34   involving the movement of s...

H04L 69/329   in the application layer [O...

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

Method and Apparatus for Providing Dynamic Security Management

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Providing Dynamic Security Management

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links