ESTABLISHING CONNECTIONS FOR SECURE ELEMENT COMMUNICATIONS

US 20150195281A1
Filed: 01/07/2014
Published: 07/09/2015
Est. Priority Date: 01/07/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a request from a device to establish a first secure connection;

establishing the first secure connection with the device in response to the received request;

sending a request to a Trusted Service Manager (TSM), wherein the sent request instructs the TSM to establish a second secure connection between the TSM and a secure memory associated with the device;

receiving an authentication request from the TSM to establish the second secure connection; and

forwarding the authentication request to the device over the first secure connection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server is configured to establish connections for secure element communication sessions. The server receives a request from a device to establish a first secure connection, and establishes the first secure connection with the device in response to the received request. The server sends a request to a Trusted Service Manager (TSM). The sent request instructs the TSM to establish a second secure connection between the TSM and a secure memory. The server receives an authentication request from the TSM to establish the second secure connection, and forwards the authentication request to the device over the first secure connection.

Citations

24 Claims

1. A method, comprising:
- receiving a request from a device to establish a first secure connection;
  
  establishing the first secure connection with the device in response to the received request;
  
  sending a request to a Trusted Service Manager (TSM), wherein the sent request instructs the TSM to establish a second secure connection between the TSM and a secure memory associated with the device;
  
  receiving an authentication request from the TSM to establish the second secure connection; and
  
  forwarding the authentication request to the device over the first secure connection.

2. The method of claim 2, wherein the secure memory comprises a secure element (SE) or a Trusted Execution Environment (TEE).
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 3. The method of claim 2, wherein the received request is initiated by a client application to provision the SE to conduct transactions with a service provider, and further wherein the SE is provisioned to receive at least one of a secure application or secure data.
  - 4. The method of claim 3, wherein the secure application include at least one of a credit card application, a debit card application, a loyalty program application, a ticketing applications, a building access application, or a travel application.
  - 5. The method of claim 2, wherein the first secure connection supports a Transmission Control Protocol/Internet Protocol (TCP/IP) session, and further comprises:
    - authenticating, mutually with the device, the first secure connection using at least one of Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
  - 6. The method of claim 5, wherein the first connection supports TCP/IP as a primary connection for forwarding the authentication request, and supports SMS as a secondary connection for forwarding the authentication request when the TCP/IP connection is unavailable.
  - 7. The method of claim 2, wherein the received authentication request is a ciphered authentication request provided once by the TSM.
  - 8. The method of claim 2, wherein the second secure connection supports a Bearer Independent Protocol (BIP) session securely established between the SE and the TSM, and exchanges Global Platform commands over the BIP session.
  - 9. The method of claim 3, wherein the TSM comprises a Mobile Network Operator (MNO) TSM and a Service Provider (SP) TSM, the method further comprising:
    - providing the sent request to establish the second secure connection between the SP TSM and the SE to the SP TSM, and in response, the SP TSM creates the authentication request and sends it to the MNO TSM; and
      
      receiving the authentication request from the MNO TSM.
  - 10. The method of claim 9, wherein a secure application update is provided by the SP TSM over the second secure connection after the SE has been provisioned.
  - 11. The method of claim 3, wherein the TSM comprises a Mobile Network Operator (MNO) TSM and a Service Provider (SP) TSM, the method further comprising:
    - providing the sent request to establish the second secure connection between the SP TSM and the SE to the SP TSM, and in response, the SP TSM creates the authentication request and sends it directly to the MNO AS.
  - 12. The method of claim 3, wherein the TSM comprises a Mobile Network Operator (MNO) TSM and a Service Provider (SP) TSM, the method further comprising:
    - providing the sent request to establish the second secure connection between the MNO TSM and the SE to the MNO TSM, and in response, the MNO TSM creates the authentication request and sends it directly to the MNO AS.
  - 13. The method of claim 2, wherein the SE includes a secure memory which is partitioned intoan Issuer Security Domain (ISD) having a dedicated storage area accessible only to a Mobile Network Operator (MNO), anda plurality of Service Provider (SP) security domains, each having a dedicated storage area accessible only to a respective service provider entity, wherein the forwarded authentication request is routed to the appropriate SP security domain based on an application identifier included within the authentication request.

14. An application server, comprising:
- a communication interface connected to an external network;
  
  a memory configured to store instructions; and
  
  a processor configured to execute the instructions stored in the memory to;
  
  receive a request from a device to establish a first secure connection,establish the first secure connection with the device in response to the received request,send a request to a Trusted Service Manager (TSM), wherein the sent request instructs the TSM to establish a second secure connection between the TSM and a secure memory associated with the device,receive an authentication request from the TSM to establish the second secure connection, andforward the authentication request to the device over the first secure connection.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The application server of claim 14, wherein the secure memory comprises a secure element (SE) or a Trusted Execution Environment (TEE).
  - 16. The application server of claim 15, wherein the received request is initiated by a client application to provision the SE to conduct transactions with a service provider, and further wherein the SE is provisioned to receive at least one of a secure application or secure data.
  - 17. The application server of claim 16, wherein the secure application include at least one of a credit card application, a debit card application, a loyalty program application, a ticketing applications, a building access application, or a travel application.
  - 18. The application server of claim 15, wherein the first secure connection supports a Transmission Control Protocol/Internet Protocol (TCP/IP) session, and the processor is further configured to:
    - authenticate, mutually with the device, the first secure connection using at least one of Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
  - 19. The application server of claim 15, wherein the received authentication request is a ciphered authentication request provided once by the TSM.
  - 20. The application server of claim 15, wherein the second secure connection supports a Bearer Independent Protocol (BIP) session securely established between the SE and the TSM, and wherein the TSM and the SE exchange Global Platform commands over the BIP session.
  - 21. The application server of claim 15, wherein the TSM comprises a Mobile Network Operator (MNO) TSM and a Service Provider (SP) TSM, and the processor is configured to:
    - provide the sent request to establish the second secure connection between the SP TSM and the SE to the SP TSM, and in response, the SP TSM creates the authentication request and sends it to the MNO TSM; and
      
      receive the authentication request from the MNO TSM.
  - 22. The application server of claim 21, wherein a secure application update is provided by the SP TSM over the second secure connection after the SE has been provisioned.
  - 23. The application server of claim 15, wherein the SE includes a secure memory which is partitioned intoan Issuer Security Domain (ISD) having a dedicated storage area accessible only to a Mobile Network Operator (MNO), anda plurality of Service Provider (SP) security domains, each having a dedicated storage area accessible only to a respective service provider entity, wherein the forwarded authentication request is routed to the appropriate SP security domain based on an application identifier included within the authentication request.

24. A non-transitory computer-readable medium comprising instructions, which, when executed by a processor, cause the processor to:
- receive a request from a device to establish a first secure connection;
  
  establish the first secure connection with the device in response to the received request;
  
  send a request to a Trusted Service Manager (TSM), wherein the sent request instructs the TSM to establish a second secure connection between the TSM and a secure memory associated with the device;
  
  receive an authentication request from the TSM to establish the second secure connection; and
  
  forward the authentication request to the device over the first secure connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cellco Partnership, Inc. (Verizon Communications Inc.)
Original Assignee
Cellco Partnership, Inc. (Verizon Communications Inc.)
Inventors
Venkataramu, Praveen, Cuadrat, Ruben, Caceres, Manuel Enrique, Xanthos, James A.

Granted Patent

US 9,203,842 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0492   by using a location-limited...

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

ESTABLISHING CONNECTIONS FOR SECURE ELEMENT COMMUNICATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

ESTABLISHING CONNECTIONS FOR SECURE ELEMENT COMMUNICATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links