SYSTEMS AND METHODS FOR AUTHENTICATING APPLICATIONS FOR ACCESS TO SECURE DATA USING IDENTITY MODULES

US 20130310003A1
Filed: 05/17/2012
Published: 11/21/2013
Est. Priority Date: 05/17/2012
Status: Active Grant

First Claim

Patent Images

1. A mobile station, comprising:

a wireless transceiver configured to provide communication for the mobile station via a mobile wireless communication network;

an identity module configured to provide secure storage for information relating to different identities of the mobile station associated with mobile station communication via the mobile wireless communication network;

at least one user interface element;

a processor coupled to the wireless transceiver and the at least one user interface element;

a memory accessible by the processor configured for program and data storage;

application programs stored in the memory; and

a secure domain controller program stored in the memory, wherein execution of the secure domain controller program by the processor configures the processor to perform functions, including functions to;

associate each of the application programs with a selected one of a plurality of personas to be implemented on the mobile station, each persona corresponding to one of the identities of the mobile station and at least one persona corresponding to each identity of the mobile station;

associate different secure data with each of the plurality of personas;

when executing each respective application program, allow the respective application program to access the secure data associated with the associated persona but prevent the respective application program from accessing the secure data associated with the other persona,wherein allowing the respective application program to access the secure data associated with the associated persona includes performing, upon receiving from the respective application program a request to access the secure data associated with the associated persona, authentication of the respective application program using a first authentication key retrieved from the secure data and a second authentication key associated with the respective application program and included in the request to access the secure data; and

while implementing each respective persona, provide communication for the mobile station via the mobile wireless communication network utilizing information relating to the corresponding identity from the identity module.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mobile station is configured to authenticate applications running thereon in order to control access by the authenticated applications to secure data stored in a subscriber identity module of the mobile station. Sensitive data securely stored in the subscriber identity module is associated with one of multiple personas implemented on the mobile station. When an application running on the mobile station requests access to the secure data, a secure domain controller processes the request and authenticates the application, for example based on an application authentication key. The secure domain controller further determines whether the application is associated with the same persona as the secure data identified in the request. If the application is authenticated, the secure domain controller then allows the application to access secure data associated with the same persona, but prevents the application from accessing secure data associated with other personas.

Citations

20 Claims

1. A mobile station, comprising:
- a wireless transceiver configured to provide communication for the mobile station via a mobile wireless communication network;
  
  an identity module configured to provide secure storage for information relating to different identities of the mobile station associated with mobile station communication via the mobile wireless communication network;
  
  at least one user interface element;
  
  a processor coupled to the wireless transceiver and the at least one user interface element;
  
  a memory accessible by the processor configured for program and data storage;
  
  application programs stored in the memory; and
  
  a secure domain controller program stored in the memory, wherein execution of the secure domain controller program by the processor configures the processor to perform functions, including functions to;
  
  associate each of the application programs with a selected one of a plurality of personas to be implemented on the mobile station, each persona corresponding to one of the identities of the mobile station and at least one persona corresponding to each identity of the mobile station;
  
  associate different secure data with each of the plurality of personas;
  
  when executing each respective application program, allow the respective application program to access the secure data associated with the associated persona but prevent the respective application program from accessing the secure data associated with the other persona,wherein allowing the respective application program to access the secure data associated with the associated persona includes performing, upon receiving from the respective application program a request to access the secure data associated with the associated persona, authentication of the respective application program using a first authentication key retrieved from the secure data and a second authentication key associated with the respective application program and included in the request to access the secure data; and
  
  while implementing each respective persona, provide communication for the mobile station via the mobile wireless communication network utilizing information relating to the corresponding identity from the identity module.
- View Dependent Claims (2, 3, 5, 7, 8)
- - 2. The mobile station of claim 1, wherein the identity module is further configured to provide separate secure storage for the secure data associated with each of the plurality of personas.
  - 3. The mobile station of claim 1, wherein:
    - each identity of the different identities of the mobile station has a different associated mobile device number (MDN) or mobile telephone number (MTN); and
      
      each of the selected one of the plurality of personas corresponds to a different user profile on the mobile station.
  - 5. The mobile station of claim 1, wherein the first authentication key is retrieved from the secure storage provided by the identity module.
  - 7. The mobile station of claim 1, wherein the second authentication key is retrieved from the memory configured for program and data storage for inclusion in the request from the application program.
  - 8. The mobile station of claim 1, wherein the identity module is a subscriber identity module (SIM) storing a network hash key used in identifying and authenticating the mobile station on a wireless carrier network.

4. (canceled)

6. (canceled)

9. A method comprising:
- associating, in a mobile station having different identities associated with mobile station communication via a mobile wireless communication network, each of a plurality of application programs with a selected one of a plurality of personas to be implemented on the mobile station, each persona corresponding to one of the identities of the mobile station and at least one persona corresponding to each identity of the mobile station;
  
  associating, in the mobile station, different secure data with each of the plurality of personas;
  
  when a processor of the mobile station is executing each respective application program, allowing the respective application program to access the secure data associated with the associated persona in a memory of the mobile station, but preventing the respective application program from accessing the secure data associated with the other persona in the memory of the mobile station,wherein allowing the respective application program to access the secure data associated with the associated persona includes, when executing the respective application program, performing, upon receiving from the respective application program a request to access the secure data associated with the associated persona, authentication of the respective application program using a first authentication key retrieved from the secure data and a second authentication key associated with the respective application program and included in the request to access the secure data; and
  
  while implementing each respective persona, providing communication for the mobile station via the mobile wireless communication network utilizing information relating to the corresponding identity.
- View Dependent Claims (10, 11, 13, 15)
- - 10. The method of claim 9, further comprising:
    - retrieving the secure data, from an identity module configured to provide secure storage for information relating to the different identities of the mobile station and for secure data associated with each of the personas, when the respective application program is allowed to access secure data associated with the associated persona.
  - 11. The method of claim 9, wherein:
    - each identity of the different identities of the mobile station has a different associated mobile device number (MDN) or mobile telephone number (MTN); and
      
      each of the selected one of the plurality of personas corresponds to a different user profile on the mobile station.
  - 13. The method of claim 9, further comprising:
    - retrieving the first authentication key from the secure storage provided by an identity module configured to provide secure storage for information relating to the different identities of the mobile station.
  - 15. The method of claim 9, further comprising:
    - retrieving the second authentication key from a memory of the mobile station configured for program and data storage for inclusion in the request from the application program.

12. (canceled)

14. (canceled)

16. An article of manufacture comprising:
- a non-transitory storage device; and
  
  programming in the storage device for execution by a processor of a mobile station, wherein execution of the programming by the processor configures the mobile station to perform functions, including functions to;
  
  associate, in the mobile station having different identities associated with mobile station communication via a mobile wireless communication network, each of a plurality of application programs with a selected one of a plurality of personas to be implemented on the mobile station, each persona corresponding to one of the identities of the mobile station and at least one persona corresponding to each identity of the mobile station;
  
  associate different secure data with each of the plurality of personas;
  
  when executing each respective application program, allow the respective application program to access secure data associated with the associated persona in a memory of the mobile station, but prevent the respective application program from accessing secure data associated with the other persona in the memory of the mobile station,wherein allowing the respective application program to access the secure data associated with the associated persona includes performing, upon receiving from the respective application program a request to access the secure data associated with the associated persona, authentication of the respective application program using a first authentication key retrieved from the secure data and a second authentication key associated with the respective application program and included in the request to access the secure data; and
  
  while implementing each respective persona, provide communication for the mobile station via the mobile wireless communication network utilizing information relating to the corresponding identity.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The article of manufacture of claim 16, wherein:
    - the storage device is configured to provide separate secure storage for the secure data associated with each of the plurality of personas.
  - 18. The article of manufacture of claim 16, wherein:
    - each identity of the different identities of the mobile station has a different associated mobile device number (MDN) or mobile telephone number (MTN); and
      
      each of the selected one of the plurality of personas corresponds to a different user profile on the mobile station.
  - 19. The article of manufacture of claim 16, wherein the first authentication key is retrieved from the secure storage provided by the storage device.
  - 20. The article of manufacture of claim 16, wherein the second authentication key is retrieved from the memory of the mobile station.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cellco Partnership, Inc. (Verizon Communications Inc.)
Original Assignee
Cellco Partnership, Inc. (Verizon Communications Inc.)
Inventors
Sadhvani, Rita, Zhang, Ning, Kamal, Mohammad Ashfaq

Granted Patent

US 8,600,355 B1
Time in Patent Office

Days
Field of Search
US Class Current

455/411
CPC Class Codes

H04W 12/069 using certificates or pre-s...

SYSTEMS AND METHODS FOR AUTHENTICATING APPLICATIONS FOR ACCESS TO SECURE DATA USING IDENTITY MODULES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR AUTHENTICATING APPLICATIONS FOR ACCESS TO SECURE DATA USING IDENTITY MODULES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links