PARTITIONING THE NAMESPACE OF A CONTACTLESS SMART CARD

US 20120159105A1
Filed: 09/26/2011
Published: 06/21/2012
Est. Priority Date: 12/17/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for partitioning the namespace of a secure element into at least two storage types by a control software application within the secure element, the method comprising:

defining, in the control software application, at least a first access type, a second access type, a first access key, and a second access key for a plurality of memory blocks within the secure element namespace,wherein each of the first access key and the second access key provides one of the first access type, or the second access type to the plurality of memory blocks within the secure element namespace,wherein the first access type comprises surrender of control for memory blocks controlled by the first access type such that an initial owner of the memory blocks controlled by the first access type cannot reclaim the memory blocks controlled by the first access type without cooperation of a current user of the memory blocks controlled by the first access type, andwherein the second access type comprises a surrender of control by an initial owner of the memory blocks controlled by the second access type to a current user such that the initial owner of the memory blocks controlled by the second access type can reclaim the memory blocks controlled by the second access type without cooperation of the current user of the memory blocks controlled by the second access type;

selecting, by the control software application, from the plurality of memory blocks within the secure element namespace, at least a first group of memory blocks, a second group of memory blocks, and access types for each of the selected groups of memory blocks, wherein at least one memory block in each of the selected groups of memory blocks is an access memory block for providing the selected access type for a software application or application data within data memory blocks of the selected groups of memory blocks to an external data requesting device; and

transmitting, from the control software application, for storage in the access memory block for each of the selected groups of memory blocks appropriate ones of and the second access key to provide the selected access type for each respective selected groups of memory blocks, thereby partitioning the namespace of the secure element into at least two storage types.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, computer programs, and devices are disclosed herein for partitioning the namespace of a secure element in contactless smart card devices and for writing application data in the secure element using requests from a software application outside the secure element. The secure element is a component of a contactless smart card incorporated into a contactless smart card device. A control software application resident in the same or a different secure element provides access types and access bits, for each access memory block of the secure element namespace, thereby portioning the namespace into different access types. Further, a software application outside the secure element manages the control software application by passing commands using a secure channel to the secure element, thereby enabling an end-user of the contactless smart card device or a remote computer to control the partitioning and use of software applications within the secure element.

68 Citations

View as Search Results

25 Claims

1. A computer-implemented method for partitioning the namespace of a secure element into at least two storage types by a control software application within the secure element, the method comprising:
- defining, in the control software application, at least a first access type, a second access type, a first access key, and a second access key for a plurality of memory blocks within the secure element namespace,wherein each of the first access key and the second access key provides one of the first access type, or the second access type to the plurality of memory blocks within the secure element namespace,wherein the first access type comprises surrender of control for memory blocks controlled by the first access type such that an initial owner of the memory blocks controlled by the first access type cannot reclaim the memory blocks controlled by the first access type without cooperation of a current user of the memory blocks controlled by the first access type, andwherein the second access type comprises a surrender of control by an initial owner of the memory blocks controlled by the second access type to a current user such that the initial owner of the memory blocks controlled by the second access type can reclaim the memory blocks controlled by the second access type without cooperation of the current user of the memory blocks controlled by the second access type;
  
  selecting, by the control software application, from the plurality of memory blocks within the secure element namespace, at least a first group of memory blocks, a second group of memory blocks, and access types for each of the selected groups of memory blocks, wherein at least one memory block in each of the selected groups of memory blocks is an access memory block for providing the selected access type for a software application or application data within data memory blocks of the selected groups of memory blocks to an external data requesting device; and
  
  transmitting, from the control software application, for storage in the access memory block for each of the selected groups of memory blocks appropriate ones of and the second access key to provide the selected access type for each respective selected groups of memory blocks, thereby partitioning the namespace of the secure element into at least two storage types.
- View Dependent Claims (3, 5, 6, 7, 8, 9, 10, 24, 25)
- - 3. The method according to claim 1, wherein each of the group of memory blocks selected by the control software application comprises three data memory blocks and an access memory block, the three data and one access memory blocks forming a sector within the secure element namespace.
  - 5. The method according to claim 1, wherein at least one of the memory blocks of the first or the second groups of memory blocks comprises a directory table, the directory table comprising computer-coded application identifiers that point an external data requesting device to a different memory block comprising a requested software application.
  - 6. The method according to claim 5, wherein the external data requesting device is a contactless type card reader terminal configured to use radio frequency waves for communication with the secure element or a contact type card reader terminal device configured to read magnetic or optically coded data from the secure element.
  - 7. The method according to claim 1, further comprising managing, by a remote software application on a remote computer or a user-interface software application, the control software application in the secure element, thereby executing inputs at the user-interface software application or from the remote software application for defining the first access type, the second access type, the first access key, and the second access key;
    - for selecting the first group of memory blocks, the second group of memory blocks, and access types for each of the selected groups of memory blocks; and
      
      for transmitting the appropriate ones of the first access key and the second access key to provide the selected access type for each respective selected groups of memory blocks.
  - 8. The method according to claim 7, wherein the managing step is authenticated via a trusted service manager, wherein the user-interface software application provides an authentication request for each of the defining, the selecting, and the transmitting inputs in the managing step to the trusted service manager computer via a wireless communication channel, and the trusted service manager computer provides, to the control application software a response comprising authentication for each of the requested inputs.
  - 9. The method according to claim 1, wherein the external data requesting device is provided access to make changes to the software application or application data within at least one of the selected groups of memory blocks in the secure element namespace when the external data requesting device presents to the secure element either the first access key, the second access key, or the combination of the first and the second access key, and wherein the first access key, the second access key, or the combination of the first and the second access key matches a stored access key or a stored combination of access keys for a write access type, the write access type defined in the access memory block of the selected group of memory blocks.
  - 10. The method according to claim 1, further comprising:
    - storing, in a secure memory, by the control software application, existing data from within at least one memory block having the second access type, wherein the existing data is an existing software application or existing application data;
      
      reclaiming, by the control software application, control of the at least one memory block having the second access type without cooperation of a current user of the at least one memory block having the second access type;
      
      overwriting, by the control software application the existing data in the at least one memory block having the second access type; and
      
      writing, by the control software application in the secure element, back to the at least one memory block having the second access type, the stored existing data from the secure memory.
  - 24. The method according to claim 10, wherein overwriting comprises deleting, by the control software application, the existing data in the at least one memory block.
  - 25. The method according to claim 10, further comprising, prior to the writing step:
    - providing, by the control software application, a second user with the second type of access to the at least one memory block;
      
      writing, by the control software application in the secure element, a second software application or second application data type to the at least one memory block; and
      
      reclaiming, by the control software application in the secure element, control of the at least one memory block without cooperation of the second user of the at least one memory block.

2. (canceled)

4. (canceled)

11. A computer-implemented system, comprising:
- a secure element; and
  
  a control software application within the secure element, the control software application having defined therein at least a first access type, a second access type, a first access key, and a second access key for a plurality of memory blocks within the secure element namespace,wherein each of the first access key and the second access key provides one of the first access type, or the second access type to the plurality of memory blocks within the secure element,wherein the first access type comprises surrender of control for memory blocks controlled by the first access type such that an initial owner of the memory blocks controlled by the first access type cannot reclaim the memory blocks controlled by the first access type without cooperation of a current user of the memory blocks controlled by the first access type, andwherein the second access type comprises a surrender of control by an initial owner of the memory blocks controlled by the second access type to a current user such that the initial owner of the memory blocks controlled by the second access type can reclaim the memory blocks controlled by the second access type without cooperation of the current user of the memory blocks controlled by the second access type.
- View Dependent Claims (12, 14, 16, 17, 18, 19, 20, 21, 22, 23)
- - 12. The system according to claim 11, the control software application having further defined therein:
    - at least a first group of memory blocks, a second group of memory blocks, and access types for each of the selected groups of memory blocks, wherein at least one memory block in each selected group of memory blocks is an access memory block for providing the selected access type for a software application or application data within data memory blocks of the selected groups of memory blocks to an external data requesting device,wherein the access memory block for each selected group of memory blocks has stored therein appropriate ones of the first access key and the second access key to provide the selected access type, for each respective selected groups of memory blocks.
  - 14. The system according to claim 12, wherein each selected group of memory blocks comprises three data memory blocks and one access memory block, the three data and one access memory blocks forming a sector within the secure element.
  - 16. The system according to claim 12, wherein at least one of the memory blocks of the first or second groups of memory blocks comprises a directory table, the directory table comprising computer-coded application identifiers that point external data requesting devices to a different memory block comprising a requested software application.
  - 17. The system according to claim 16, wherein the external data requesting device is a contactless type card reader terminal configured to use radio frequency waves for communication with the secure element or a contact type card reader terminal device configured to read magnetic or optically coded data from the secure element.
  - 18. The system according to claim 12, further comprising:
    - a remote software application on a remote computer that manages the control software application in the secure element, to define the first access type, the second access type, the first access key, and the second access key, to select the first group of memory blocks, the second group of memory blocks, and access types for each of the selected groups of memory blocks, and to transmit appropriate ones of the first access key and the second access key to provide the selected access type for each respective selected groups of memory blocks.
  - 19. The system according to claim 18, further comprising a user-interface software application, wherein the remote software application is a trusted service manager, wherein the user-interface software application provides an authentication request for each defining, selecting, and transmitting input to the trusted service manager via a wireless communication channel, and wherein the trusted service manager provides, to the control software application, a response comprising authentication for each requested input.
  - 20. The system according to claim 12, wherein an external data requesting device is provided access to make changes to the software application or application data within at least one of the selected groups of memory blocks in the secure element when the external data requesting device presents to the secure element either the first access key, the second access key, or the combination of the first and the second access keys, and wherein the first access key, the second access key, or the combination of the first and the second access keys matches a stored access key or a stored combination of access keys for a write access type, the write access type defined in the access memory block of the selected group of memory blocks.
  - 21. The system according to claim 11, further comprising:
    - a secure memory,wherein the control software applicationstores existing data from within at least one memory block having the second access type wherein the existing data is an existing software application or an existing application data;
      
      reclaims control of the at least one memory block having the second access type without cooperation of a current user of the at least one memory block;
      
      overwrites the existing data in the at least one memory block having the second access type; and
      
      writes back to the one memory block having the second access type, the stored existing data from the secure memory.
  - 22. The system according to claim 21, wherein overwriting comprises deleting, by the control software application, the existing data in the at least one memory block.
  - 23. The system according to claim 21, further comprising, prior to the writing step:
    - providing, by the control software application, a second user with the second type of access to the at least one memory block;
      
      writing, by the control software application in the secure element, a second software application or second application data type to the at least one memory block; and
      
      reclaiming, by the control software application in the secure element, control of the at least one memory block without cooperation of the second user of the at least one memory block.

13. (canceled)

15. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Wall, Jonathan, Muehlberg, Alexej, Meyn, Hauke, von BEHREN, Rob, Paya, Ismail Cem

Granted Patent

US 8,621,168 B2
Time in Patent Office

Days
Field of Search
US Class Current

711/164
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06Q 20/3552   Downloading or loading of p...

G06Q 20/3563   Software being resident on ...

G06Q 20/35765   Access rights to memory zones

G07F 7/1008   Active credit-cards provide...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/08   Key distribution or managem...

H04L 9/0897   involving additional device...

H04W 12/35   Protecting application or s...

H04W 4/80   Services using short range ...

PARTITIONING THE NAMESPACE OF A CONTACTLESS SMART CARD

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

PARTITIONING THE NAMESPACE OF A CONTACTLESS SMART CARD

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links