SYSTEMS AND METHODS FOR AUTHENTICATING APPLICATIONS FOR ACCESS TO SECURE DATA USING IDENTITY MODULES
First Claim
1. A mobile station, comprising:
- a wireless transceiver configured to provide communication for the mobile station via a mobile wireless communication network;
an identity module configured to provide secure storage for information relating to different identities of the mobile station associated with mobile station communication via the mobile wireless communication network;
at least one user interface element;
a processor coupled to the wireless transceiver and the at least one user interface element;
a memory accessible by the processor configured for program and data storage;
application programs stored in the memory; and
a secure domain controller program stored in the memory, wherein execution of the secure domain controller program by the processor configures the processor to perform functions, including functions to;
associate each of the application programs with a selected one of a plurality of personas to be implemented on the mobile station, each persona corresponding to one of the identities of the mobile station and at least one persona corresponding to each identity of the mobile station;
associate different secure data with each of the plurality of personas;
when executing each respective application program, allow the respective application program to access the secure data associated with the associated persona but prevent the respective application program from accessing the secure data associated with the other persona,wherein allowing the respective application program to access the secure data associated with the associated persona includes performing, upon receiving from the respective application program a request to access the secure data associated with the associated persona, authentication of the respective application program using a first authentication key retrieved from the secure data and a second authentication key associated with the respective application program and included in the request to access the secure data; and
while implementing each respective persona, provide communication for the mobile station via the mobile wireless communication network utilizing information relating to the corresponding identity from the identity module.
1 Assignment
0 Petitions
Accused Products
Abstract
A mobile station is configured to authenticate applications running thereon in order to control access by the authenticated applications to secure data stored in a subscriber identity module of the mobile station. Sensitive data securely stored in the subscriber identity module is associated with one of multiple personas implemented on the mobile station. When an application running on the mobile station requests access to the secure data, a secure domain controller processes the request and authenticates the application, for example based on an application authentication key. The secure domain controller further determines whether the application is associated with the same persona as the secure data identified in the request. If the application is authenticated, the secure domain controller then allows the application to access secure data associated with the same persona, but prevents the application from accessing secure data associated with other personas.
-
Citations
20 Claims
-
1. A mobile station, comprising:
-
a wireless transceiver configured to provide communication for the mobile station via a mobile wireless communication network; an identity module configured to provide secure storage for information relating to different identities of the mobile station associated with mobile station communication via the mobile wireless communication network; at least one user interface element; a processor coupled to the wireless transceiver and the at least one user interface element; a memory accessible by the processor configured for program and data storage; application programs stored in the memory; and a secure domain controller program stored in the memory, wherein execution of the secure domain controller program by the processor configures the processor to perform functions, including functions to; associate each of the application programs with a selected one of a plurality of personas to be implemented on the mobile station, each persona corresponding to one of the identities of the mobile station and at least one persona corresponding to each identity of the mobile station; associate different secure data with each of the plurality of personas; when executing each respective application program, allow the respective application program to access the secure data associated with the associated persona but prevent the respective application program from accessing the secure data associated with the other persona, wherein allowing the respective application program to access the secure data associated with the associated persona includes performing, upon receiving from the respective application program a request to access the secure data associated with the associated persona, authentication of the respective application program using a first authentication key retrieved from the secure data and a second authentication key associated with the respective application program and included in the request to access the secure data; and while implementing each respective persona, provide communication for the mobile station via the mobile wireless communication network utilizing information relating to the corresponding identity from the identity module. - View Dependent Claims (2, 3, 5, 7, 8)
-
-
4. (canceled)
-
6. (canceled)
-
9. A method comprising:
-
associating, in a mobile station having different identities associated with mobile station communication via a mobile wireless communication network, each of a plurality of application programs with a selected one of a plurality of personas to be implemented on the mobile station, each persona corresponding to one of the identities of the mobile station and at least one persona corresponding to each identity of the mobile station; associating, in the mobile station, different secure data with each of the plurality of personas; when a processor of the mobile station is executing each respective application program, allowing the respective application program to access the secure data associated with the associated persona in a memory of the mobile station, but preventing the respective application program from accessing the secure data associated with the other persona in the memory of the mobile station, wherein allowing the respective application program to access the secure data associated with the associated persona includes, when executing the respective application program, performing, upon receiving from the respective application program a request to access the secure data associated with the associated persona, authentication of the respective application program using a first authentication key retrieved from the secure data and a second authentication key associated with the respective application program and included in the request to access the secure data; and while implementing each respective persona, providing communication for the mobile station via the mobile wireless communication network utilizing information relating to the corresponding identity. - View Dependent Claims (10, 11, 13, 15)
-
-
12. (canceled)
-
14. (canceled)
-
16. An article of manufacture comprising:
-
a non-transitory storage device; and programming in the storage device for execution by a processor of a mobile station, wherein execution of the programming by the processor configures the mobile station to perform functions, including functions to; associate, in the mobile station having different identities associated with mobile station communication via a mobile wireless communication network, each of a plurality of application programs with a selected one of a plurality of personas to be implemented on the mobile station, each persona corresponding to one of the identities of the mobile station and at least one persona corresponding to each identity of the mobile station; associate different secure data with each of the plurality of personas; when executing each respective application program, allow the respective application program to access secure data associated with the associated persona in a memory of the mobile station, but prevent the respective application program from accessing secure data associated with the other persona in the memory of the mobile station, wherein allowing the respective application program to access the secure data associated with the associated persona includes performing, upon receiving from the respective application program a request to access the secure data associated with the associated persona, authentication of the respective application program using a first authentication key retrieved from the secure data and a second authentication key associated with the respective application program and included in the request to access the secure data; and while implementing each respective persona, provide communication for the mobile station via the mobile wireless communication network utilizing information relating to the corresponding identity. - View Dependent Claims (17, 18, 19, 20)
-
Specification