System for Enforcing Security Policies on Mobile Communications Devices

US 20100064341A1
Filed: 03/27/2006
Published: 03/11/2010
Est. Priority Date: 03/27/2006
Status: Active Grant

First Claim

Patent Images

1-48. -48. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for enforcing security policies on mobile communications devices is adapted to be used in a mobile communications network in operative association with a subscriber identity module. The system having a client-server architecture includes a server operated by a mobile communications network operator and a client resident on a mobile communications device on which security policies are to be enforced. The server is adapted to determine security policies to be applied on said mobile communications device, and to send thereto a security policy to be applied. The client is adapted to receive the security policy to be applied from the server, and to apply the received security policy. The server includes a server authentication function adapted to authenticate the security policy to be sent to the mobile communications device; the client is further adapted to assess authenticity of the security policy received from the server by exploiting a client authentication function resident on the subscriber identity module.

578 Citations

72 Claims

1-48. -48. (canceled)

49. A system for enforcing security policies on mobile communications devices, the mobile communications devices being adapted to be used in a mobile communications network in operative association with a subscriber identity module, the system having a client-server architecture and comprising:
- a server operated by a mobile communications network operator; and
  
  a client resident on a mobile communications device on which security policies are to be enforced,wherein said server is adapted to determine security policies to be applied on said mobile communications device, and to send thereto a security policy to be applied, and wherein said client is adapted to receive the security policy to be applied from the server, and to apply the received security policy, the server comprising a server authentication function adapted to authenticate the security policy to be sent to the mobile communications device; and
  
  wherein the client is further adapted to assess authenticity of the security policy received from the server by exploiting a client authentication function resident on the subscriber identity module.
- View Dependent Claims (50, 51, 52, 53, 54, 55, 56, 57, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69)
- - 50. The system of claim 49, wherein said server authentication function is adapted to calculate authentication information adapted to allow assessing the authenticity of the security policy to be sent to the mobile communications device, and to add the authentication information to the security policy to be sent to the mobile communications device.
  - 51. The system of claim 50, wherein said authentication information is also adapted to allow assessing the integrity of the security policy to be sent to the mobile communications device.
  - 52. The system of claim 50, wherein said authentication information comprises at least one of a message authentication code or a digital signature calculated on a block of data corresponding to the security policy to be sent to the mobile communications device.
  - 53. The system of claim 50, wherein said client authentication function is adapted to:
    - calculate authentication information on the security policy received from the server, andcompare calculated authentication information to the authentication information contained in the received security policy.
  - 54. The system of claim 53, wherein the server authentication function is adapted to encrypt said authentication information using a secret cryptographic key shared with the client authentication function, and the client authentication function is adapted to decrypt the authentication information in the security policy received from the server.
  - 55. The system of claim 54, wherein the client comprises:
    - a manager module adapted to manage messages received from the server;
      
      a local database of security policies to be applied by the mobile communications device; and
      
      an enforcer module adapted to enforce selected security policies on the mobile communications device.
  - 56. The system of claim 55, wherein the manager module is adapted to invoke the client authentication function upon receipt from the server of a message containing a security policy to be applied, and to store the received security policy in the local database in case the security policy is assessed to be authentic.
  - 57. The system of claim 56, wherein the received security policy is stored with the respective authentication information.
  - 60. The system of claim 55, wherein the server is further adapted to send to the client an update message instructing the client to update a specified security policy already stored in the local database, said update message comprising update information for updating the specified policy, and authentication information calculated by the server authentication function on the updated security policy.
  - 61. The system of claim 60, wherein the manager module, upon receipt from the server of the update message, is adapted to identify the specified security policy in the local database to update the security policy based on the update information, and to invoke the client authentication function for assessing the authenticity of the updated security policy, based on authentication information contained in the update message.
  - 62. The system according to claim 49, wherein the server authentication function is further adapted to authenticate the messages to be sent to the mobile communications device, and the client authentication function is further adapted to assess authenticity of the messages received from the server.
  - 63. The system of claim 62, wherein said server authentication function is adapted to calculate message authentication information adapted to allow assessing the authencity of the messages sent to the mobile communications device, and to add the message authentication information to the message, and the client authentication function is adapted to exploit the message authentication information to assess the authenticity of the received message.
  - 64. The system of claim 63, wherein said message authentication information comprises at least one of a message authentication code or a digital signature calculated on a block of data corresponding to the security policy to be sent to the mobile communications device.
  - 65. The system of claim 49, wherein the server and the client are adapted to communicate with one another over at least one communications channel selected from the group of:
    - a messaging service of the mobile communications network, a GPRS connection, a Wi-Fi connection, a Bluetooth connection, a ZigBee connection, an IrDA connection, and a UMTS connection.
  - 66. The system of claim 49, wherein said client authentication function comprises a SIM application toolkit application implemented on the subscriber identity module.
  - 67. The system of claim 49, wherein the server comprises an event collection and management function adapted to collect and manage events from one or both among systems external to the mobile communications device and systems internal to the mobile communications device, and to determine a security policy to be applied on the mobile communications device responsive to collected events.
  - 68. The system of claim 67, wherein the event collection and management function are adapted to interact with one or more platforms selected from the group comprising:
    - an early detection platform adapted to early detect malware attacks based on anomaly detection;
      
      one or more geographic localization platforms adapted to determine the geographic localization of the mobile communications device;
      
      an anti-fraud system;
      
      an intrusion detection system;
      
      presence detection systems adapted to detect presence within specified areas of a user of the mobile communications device; and
      
      a context awareness platform.
  - 69. The system of claim 49, wherein said security policy comprises at least one security rule to be enforced on the mobile communications device and is formatted in XML.

58. The system of claim 58, wherein the server is further adapted to send to the client a policy apply message instructing the client to apply a specified security policy already stored in the local database.
- View Dependent Claims (59)
- - 59. The system of claim 58, wherein the manager module, upon receipt from the server of the policy apply message, is adapted to identify the specified security policy in the local database to invoke the client authentication function for assessing the integrity of the identified security policy exploiting the authentication information, and in case integrity is assessed, to pass the identified security policy to the enforcer module for causing the security policy application.

70. A method of enforcing security policies on mobile communications devices, wherein the mobile communications devices are adapted to be used in a mobile communications network in operative association with a subscriber identity module, comprising:
- having the mobile communications network determine a security policy to be applied on a mobile communications device, and send the security policy to the mobile communications device, andhaving the mobile communications device receive the security policy and enforce it,said sending the security policy comprising authenticating the security policy to be sent to the mobile communications device, andsaid having the mobile communications device receive the security policy and enforce it comprising having the mobile communications device assess the authenticity of the received security policy exploiting an authentication function resident on the subscriber identity module.

71. A mobile communications device capable of being adapted to be used in a mobile communications network in operative association with a subscriber identity module, wherein the mobile communications device comprises an adaptation to receive from the mobile communications network a security policy to be enforced, and to apply the received security policy, the mobile communications device comprising a further adaptation to assess authenticity of the security policy received from the mobile communications network by exploiting an authentication function resident on the subscriber identity module operatively associated therewith,

72. A subscriber identify module capable of being adapted to be operatively associated with a mobile communications device for enabling use of the mobile communications device in a mobile communications network, the subscriber identify module comprising an adaptation to implement an authentication function adapted to assess authenticity of a security policy received by the mobile communications device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telecom Italia S.p.A.
Original Assignee
Telecom Italia S.p.A.
Inventors
Aldera, Carlo

Granted Patent

US 8,413,209 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0853   using an additional device,...

H04L 63/102   Entity profiles

H04L 63/123   received data contents, e.g...

H04L 63/20   for managing network securi...

H04W 12/08   Access security

H04W 12/10   Integrity

H04W 12/37   Managing security policies ...

H04W 8/245   from a network towards a te...

H04W 88/02   Terminal devices

System for Enforcing Security Policies on Mobile Communications Devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

578 Citations

72 Claims

Specification

Solutions

Use Cases

Quick Links

System for Enforcing Security Policies on Mobile Communications Devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

578 Citations

72 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links