POLICY-BASED TECHNIQUES FOR MANAGING ACCESS CONTROL

US 20140143826A1
Filed: 11/21/2013
Published: 05/22/2014
Est. Priority Date: 11/21/2012
Status: Active Grant

First Claim

Patent Images

1. An electronic device, comprising a secure element, wherein the secure element includes:

an access-control element configured to identify a user of a service and to facilitate secure communication, wherein the access-control element is associated with a set of operations;

a processor; and

memory, coupled to the processor, which stores a program module configured to be executed by the processor and a credential-management module that specifies a profile with a set of privileges for logical entities associated with operations in the set of operations; and

wherein, for some of the operations, there are different privileges for some of the logical entities.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy-based framework is described. This policy-based framework may be used to specify the privileges for logical entities to perform operations associated with an access-control element (such as an electronic Subscriber Identity Module) located within a secure element in an electronic device. Note that different logical entities may have different privileges for different operations associated with the same or different access-control elements. Moreover, the policy-based framework may specify types of credentials that are used by the logical entities during authentication, so that different types of credentials may be used for different operations and/or by different logical entities. Furthermore, the policy-based framework may specify the security protocols and security levels that are used by the logical entities during authentication, so that different security protocols and security levels may be used for different operations and/or by different logical entities.

Citations

20 Claims

1. An electronic device, comprising a secure element, wherein the secure element includes:
- an access-control element configured to identify a user of a service and to facilitate secure communication, wherein the access-control element is associated with a set of operations;
  
  a processor; and
  
  memory, coupled to the processor, which stores a program module configured to be executed by the processor and a credential-management module that specifies a profile with a set of privileges for logical entities associated with operations in the set of operations; and
  
  wherein, for some of the operations, there are different privileges for some of the logical entities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The electronic device of claim 1, wherein the credential-management module includes information that is used by the program module to specify the set of privileges.
  - 3. The electronic device of claim 1, wherein the access-control element includes an electronic subscriber identification module (eSIM).
  - 4. The electronic device of claim 1, wherein the logical entities are internal to the electronic device.
  - 5. The electronic device of claim 1, wherein the logical entities are external to the electronic device.
  - 6. The electronic device of claim 1, wherein the access-control element further includes information specifying a second set of privileges for at least one of the logical entity and the second logical entity.
  - 7. The electronic device of claim 6, wherein, in the event of a conflict between a security level associated with the set of privileges and a second security level associated with the second set of privileges, the secure element is configured to compare the security level and the second security level and to select the one of the set of privileges and the second set of privileges that is associated with stronger security.
  - 8. The electronic device of claim 6, wherein, in the event of a conflict between a security level associated with the set of privileges and a second security level associated with the second set of privileges, the secure element is configured to select the set of privileges.
  - 9. The electronic device of claim 1, wherein the set of operations includes one or more of:
    - loading the access-control element, enabling the access-control element, disabling the access-control element, exporting the access-control element, and deleting the access-control element.

10. A processor-implemented method for specifying a set of privileges for logical entities, wherein the method comprises:
- receiving credentials from a first logical entity and a second logical entity;
  
  using the processor, determining a set of privileges associated with a set of operations for the first logical entity and the second logical entity based on the credentials and a credential-management module; and
  
  providing information specifying the set of privileges of the first logical entity and the second logical entity to an access-control element in a secure element in an electronic device, wherein the access-control element identifies a user of a service and facilitates secure communication;
  
  wherein the access-control element is associated with a set of operations; and
  
  wherein, for some of the operations, there are different privileges for the first logical entity and the second logical entity.
- View Dependent Claims (11, 12, 13)
- - 11. The method of claim 10, wherein the method further includes executing a program module using the processor to provide the information.
  - 12. The method of claim 10, wherein the set of operations includes one or more of:
    - loading the access-control element, enabling the access-control element, disabling the access-control element, exporting the access-control element, and deleting the access-control element.
  - 13. The method of claim 10, wherein the access-control element includes an electronic subscriber identification module (eSIM).

14. An electronic device, comprising a secure element, wherein the secure element includes:
- an access-control element configured to identify a user of a service and to facilitate secure communication, wherein the access-control element is associated with a set of operations;
  
  a processor; and
  
  memory, coupled to the processor, which stores a program module configured to be executed by the processor and a credential-management module that specifies a profile with a set of privileges for logical entities associated with operations in the set of operations;
  
  wherein, for some of the operations, there are different privileges for some of the logical entities;
  
  wherein the credential-management module includes cryptographic keys associated with the set of operations; and
  
  wherein a given cryptographic key facilitates the privileges associated with at least a given operation in the set of operations.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The electronic device of claim 14, wherein the credential-management module includes information that is used by the program module to specify the set of privileges.
  - 16. The electronic device of claim 14, wherein the access-control element includes an electronic subscriber identification module (eSIM).
  - 17. The electronic device of claim 14, wherein the set of operations includes one or more of:
    - loading the access-control element, enabling the access-control element, disabling the access-control element, exporting the access-control element, and deleting the access-control element.
  - 18. The electronic device of claim 14, wherein the access-control element further includes information specifying a second set of privileges for at least one of the logical entity and the second logical entity.
  - 19. The electronic device of claim 18, wherein, in the event of a conflict between a security level associated with the set of privileges and a second security level associated with the second set of privileges, the secure element is further configured to:
    - compare the security level and the second security level; and
      
      select the one of the set of privileges and the second set of privileges that is associated with stronger security.
  - 20. The electronic device of claim 18, wherein, in the event of a conflict between a security level associated with the set of privileges and a second security level associated with the second set of privileges, the secure element is further configured to select the set of privileges.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Li, Li, Hauck, Jerrold V., Mathias, Arun G., Yang, Xiangying, Sharp, Christopher B., Vaid, Yousuf H., McLaughlin, Kevin P.

Granted Patent

US 9,098,714 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04W 12/08   Access security

H04W 12/086   using security domains

POLICY-BASED TECHNIQUES FOR MANAGING ACCESS CONTROL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

POLICY-BASED TECHNIQUES FOR MANAGING ACCESS CONTROL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links