TELECOMMUNICATIONS DEVICE SECURITY

US 20100195833A1
Filed: 07/13/2007
Published: 08/05/2010
Est. Priority Date: 07/14/2006
Status: Active Grant

First Claim

Patent Images

1. A terminal for use with a cellular or mobile telecommunications network, the terminal including:

a normal execution environment and a secure execution environment in which security functions trusted by a third party are performed, andmeans for enabling amendment of the software of the terminal for performing the security functions in the secure execution environment.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mobile terminal for use with a cellular or mobile telecommunications network includes a normal execution environment (operating system) (30) and a secure execution environment (32) comprising a Mobile Trusted Module (MTM). The mobile terminal enables the software of the terminal in the secure execution environment (32) to be updated. The terminal 1 may be provided with minimal software initially in the secure execution environment (32), and is operable to subsequently update the software by over the air transmission of software. Also disclosed is a method for managing rights in respect of broadcast, multicast and/or unicast (downloaded) data, relevant in particular to managing access to a broadcast video data stream complying with a mobile digital broadcast scheme. The method defines a service protection platform implemented on mobile terminals having both normal execution environment (i.e. the operating system) and secure execution environment. Service protection is provided by separating the operation of service protection application components into those that operate in the normal environment and those that are adapted to execute only in the secure execution environment. Making the secure execution environment application component interchangeable allows the method to be adapted to any of a number of service protection protocols or “profiles” by downloading only the secure execution environment application component.

Citations

50 Claims

1. A terminal for use with a cellular or mobile telecommunications network, the terminal including:
- a normal execution environment and a secure execution environment in which security functions trusted by a third party are performed, andmeans for enabling amendment of the software of the terminal for performing the security functions in the secure execution environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The terminal of claim 1, provided with minimal software initially, the terminal being operable to update the software by subsequent over the air transmission of software.
  - 3. The terminal of claim 1, further including:
    - means for determining when a required software component is absent from the terminal, andmeans for obtaining the software component from a predetermined application server.
  - 4. The terminal of claim 3, wherein the software component is loaded into the secure execution environment.
  - 5. The terminal of claim 1, wherein the amendment of the software of the terminal in the secure execution environment is performed in the background without requiring intervention of a user of the terminal.
  - 6. The mobile terminal of claim 1, further including means for receiving authorisation authorization data, such as new keys, for use in the secure execution environment.
  - 7. The terminal of claim 1, further including means for deleting or otherwise disabling the software of the terminal in the secure execution environment.
  - 8. The terminal of claim 1, wherein the security functions relate to the storage of sensitive data together with a record of the state of the terminal.
  - 9. The terminal of claim 1, wherein the security functions implement a Mobile Trusted Module, MTM, or a Trusted Platform Module, TPM.
  - 10. The terminal of claim 9, wherein the security functions implement a subset of MTM or TPM functions initially, and for performing a greater subset of MTM or TPM functions, or full MTM or TPM functions, after said amendment of the software.
  - 11. The terminal of claim 1, further including means for transferring software or authorization data, such as keys, to another terminal without requiring intervention of the user of at least one of the terminals.

12. A method of providing security functions trusted by a third party in a mobile terminal for use with a cellular or mobile telecommunications network, the terminal including a normal execution environment and a secure execution environment in which the security functions trusted by the third party are performed, the method including:
- amending the software of the terminal for performing the security functions in the secure execution environment.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein the software of the terminal for performing the security functions has only minimal functionality initially, the method including subsequently updating the software by over the air transmission of software.
  - 14. The method of claim 12, further including:
    - determining when a required software component is absent from the terminal, andobtaining the software component from a predetermined application server.
  - 15. The method of claim 14, including loading the software component into the secure execution environment.
  - 16. The method of claim 12, further including amending the software of the terminal in the secure execution environment in the background without requiring the intervention of the user of the terminal.
  - 17. The method of claim 12, further including receiving authorisation authorization data, such as new keys, for use in the secure execution environment.
  - 18. The method of claim 12, further including deleting or otherwise disabling the software of the terminal in the secure execution environment.
  - 19. The method of claim 12, wherein the security functions relate to the storage of sensitive data together with a record of the state of the terminal.
  - 20. The method of claim 12, wherein the security functions implement a Mobile Trusted Module, MTM, or a Trusted Platform Module, TPM.
  - 21. The method of claim 20, wherein the security functions implement a subset of MTM or TPM functions initially, and for performing a greater subset of MTM or TPM functions, or full MTM or TPM functions, after said amendment of the software.
  - 22. The method of claim 12, further including transferring software or authorization data, such as keys, to another terminal without requiring intervention of the user of at least one of the terminals.

23. A method for processing encrypted data received by a terminal, comprising:
- providing a security platform having a normal execution environment and a secure execution environment;
  
  obtaining key information necessary for facilitating decryption of the encrypted data;
  
  in the secure execution environment, processing the key information in accordance with a given secure protocol to extract temporary decryption information; and
  
  in the normal execution environment, using the temporary decryption information to decrypt the encrypted data traffic,wherein the given secure protocol is represented by at least one secure application component that is adapted to execute only in the secure execution environment.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 24. A method for processing encrypted data received by a terminal as claimed in claim 23, wherein the terminal is portable.
  - 25. A method as claimed in claim 23, wherein the encrypted data traffic is encrypted in accordance with one of a plurality of secure protocols, each having a corresponding secure application component, the method further comprising determining which of the plurality of secure protocols has been used in encrypting the data traffic;
    - and loading the or each corresponding secure application component.
  - 26. A method as claimed in claim 25, further comprising:
    - whenever a corresponding secure application component is not available within the terminal, requesting a copy of the corresponding secure application component from a pre-determined application server downloading the component, installing the component on the terminal; and
      
      loading the component into the secure execution area.
  - 27. A method as claimed in claim 23 further comprising:
    - determining whether the at least one secure application component requires replacement;
      
      requesting a replacement secure application component from a predetermined application server;
      
      downloading the replacement component;
      
      installing the replacement component on the terminal; and
      
      loading the replacement component into the secure execution area in place of the at least one secure application component.
  - 28. A method as claimed in claim 23, wherein the key information necessary for facilitating decryption is securely stored in the terminal.
  - 29. A method as claimed in claim 23, wherein the key information necessary for facilitating decryption is obtained from a broadcast key information message.
  - 30. A method as claimed in claim 23, wherein access to the key information is provided by a smartcard inserted in the terminal.
  - 31. A method as claimed in claim 30, wherein the key information is securely stored on the smartcard.
  - 32. A method as claimed in claim 23, wherein the key information includes rights objects and/or key stream messages that incorporate service keys.
  - 33. A method as claimed in claim 32, wherein the service keys are securely stored in the secure area.
  - 34. A method as claimed in claim 23, wherein the encrypted data received by the terminal is downloaded encrypted content, the key information being a rights object corresponding to the content and the temporary decryption information being a decryption key for decrypting the downloaded encrypted content.
  - 35. A method as claimed in claims 23, wherein the encrypted data received by the terminal is broadcast data traffic, so that the method decrypts the encrypted data traffic in real time.

36. A system for processing encrypted data received by a terminal incorporating a security platform with a normal execution environment and a secure execution environment, the system comprising:
- means for obtaining key information necessary for facilitating decryption of the encrypted data traffic;
  
  means for processing the key information in accordance with a given secure protocol to extract temporary decryption information in the secure execution environment; and
  
  further processing means for using the temporary decryption information to decrypt the encrypted data traffic in the normal execution environment,wherein the given secure protocol is represented by at least one secure application component that is adapted to execute only in the secure execution environment.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 37. A system as claimed in claim 36, wherein the secure execution environment is adapted to host a plurality of secure protocol instruction files, each corresponding to a distinct secure protocol.
  - 38. A system as claimed in claim 36, wherein the terminal is portable.
  - 39. A system as claimed in claim 36, wherein the encrypted data traffic is encrypted in accordance with one of a plurality of secure protocols, each having a corresponding secure application component, the system further comprising:
    - protocol identification means for determining which of the plurality of secure protocols has been used in encrypting the data traffic; and
      
      an application loader for loading the or each corresponding secure application component.
  - 40. A system as claimed in claim 39, further comprising:
    - availability checking means for determining whether a corresponding secure application component is available within the terminal;
      
      a server interface, which requests a copy of the corresponding secure application component from an application server when the checking means determines that the corresponding secure application component is not available; and
      
      a downloader for downloading the component and installing the component on the terminal;
      
      wherein the application loader further operates to load the newly installed component into the secure execution area.
  - 41. A system as claimed in claim 39, further comprising:
    - update checking means for determining whether the at least one secure application component requires replacement;
      
      interface means for requesting a replacement secure application component from a replacement application server when the update checking means determines that the corresponding secure application component requires replacement; and
      
      a replacement downloader for downloading the replacement component and installing the replacement component on the terminal;
      
      wherein the application loader further operates to load the replacement component into the secure execution area in place of the at least one secure application component.
  - 42. A system as claimed in claim 36, wherein the key information necessary for facilitating decryption is securely stored in the terminal.
  - 43. A system as claimed in claim 36, wherein the key information necessary for facilitating decryption is obtained from a broadcast key information message.
  - 44. A system as claimed in claim 36, wherein access to the key information is provided by a smartcard inserted in the terminal.
  - 45. A system as claimed in claim 44, wherein the key information is securely stored on the smartcard.
  - 46. A system as claimed in claim 36, wherein the key information includes rights objects and/or key stream messages that incorporate service keys.
  - 47. A system as claimed in claim 46, wherein the service keys are securely stored in the secure area.
  - 48. A system as claimed in claim 36, wherein the encrypted data received by the terminal is downloaded encrypted content, the key information being a rights object corresponding to the content and the temporary decryption information being a decryption key for decrypting the downloaded encrypted content.
  - 49. A system as claimed in claim 36, wherein the encrypted data received by the terminal is broadcast data traffic, so that the method decrypts the encrypted data traffic in real time.
  - 50. A user terminal incorporating the system as claimed in claim 36.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vodafone Group PLC
Original Assignee
Vodafone Group PLC
Inventors
Bone, Nicholas, Wright, Timothy, Belrose, Caroline Jessica, Priestley, Mark, Irwin, James

Granted Patent

US 8,600,060 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/273
CPC Class Codes

G06F 21/10   Protecting distributed prog...

H04L 2463/101   applying security measures ...

H04L 63/20   for managing network securi...

H04L 67/125   involving control of end-de...

H04L 67/34   involving the movement of s...

H04W 12/00   Security arrangements; Auth...

H04W 12/02   Protecting privacy or anony...

H04W 12/04   Key management, e.g. using ...

H04W 12/35   Protecting application or s...

TELECOMMUNICATIONS DEVICE SECURITY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

TELECOMMUNICATIONS DEVICE SECURITY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links