Methods and systems for IC card application loading

US 7,523,495 B2
Filed: 04/19/2007
Issued: 04/21/2009
Est. Priority Date: 04/19/2006
Status: Active Grant

First Claim

Patent Images

1. A method for securely loading an application, comprising the steps of:

communicating at least one application load unit, said application load unit comprising the application and security data for authentication and protection of code and data associated with the application, to a selected one of a plurality of devices, the at least one application load unit being encrypted using cryptographic keys provided in a first plaintext key transformation unit, the first plaintext key transformation unit being encrypted using a common key, wherein the common key and at least one application load unit are furnished by an application provider and the common key is common to the plurality of devices; and

communicating the common key to the selected device in a second plaintext key transformation unit, the second plaintext key transformation unit being encrypted using a public key of said selected device, whereineach of the step of communicating at least one application load unit and the step of communicating the common key is secured using a secret key of the application provider.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described that provide a new type of application load unit for use in the secure loading of applications and/or data onto integrated circuit cards or smart cards. Plaintext key transformation units can be created for each of a plurality of smart cards that are to be loaded with a desired or selected application. A plaintext key transformation unit may be individually encrypted using the public keys associated with target smart cards. An application provider can create one or more application load unit using known means and can then create one or more additional plaintext key transformation unit, one for each target smart card using corresponding public keys which can be obtained taken from a database of card public keys.

Citations

13 Claims

1. A method for securely loading an application, comprising the steps of:
- communicating at least one application load unit, said application load unit comprising the application and security data for authentication and protection of code and data associated with the application, to a selected one of a plurality of devices, the at least one application load unit being encrypted using cryptographic keys provided in a first plaintext key transformation unit, the first plaintext key transformation unit being encrypted using a common key, wherein the common key and at least one application load unit are furnished by an application provider and the common key is common to the plurality of devices; and
  
  communicating the common key to the selected device in a second plaintext key transformation unit, the second plaintext key transformation unit being encrypted using a public key of said selected device, whereineach of the step of communicating at least one application load unit and the step of communicating the common key is secured using a secret key of the application provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method according to claim 1, wherein the step of communicating the common key to the selected device is preceded by a step of verifying the public key of said selected device by a key management authority.
  - 3. A method according to claim 1, wherein the second plaintext key transformation units are encrypted using symmetric encryption.
  - 4. A method according to claim 3, wherein the symmetric encryption is Triple DES.
  - 5. A method according to claim 3, wherein the symmetric encryption is AES.
  - 6. A method according to claim 1, wherein the device-specific secret key and the device-specific public key are provided using an asymmetric technique.
  - 7. A method according to claim 6, wherein the asymmetric technique is RSA.
  - 8. A method according to claim 1, wherein the cryptographic keys comprise certified public and secret keys furnished by a certification authority, and further comprising the steps of:
    - encrypting a public key of the application provider using a certified secret key to obtain a provider-specific public key certificate;
      
      signing the encrypted application load unit using the secret key of the application provider to obtain a digital signature; and
      
      signing the second key transformation unit using the secret key of the application provider to obtain a digital signature.
  - 9. A method according to claim 8, and further comprising the step of verifying the provider-specific public key certificate with a certified public key.
  - 10. A method according to claim 9, and further comprising the steps of:
    - deriving the public key of the application provider from a decrypted public key certificate associated with the application provider; and
      
      verifying the digital signatures of the application and second plaintext key transformation unit based on the derived public key.
  - 11. A method according to claim 10, wherein the decrypted public key certificate contains application-specific information.
  - 12. A method according to claim 10, and further comprising the steps of:
    - decrypting the verified second plaintext key transformation unit using a verified secret key of said selected device; and
      
      verifying the first plaintext key transformation unit is intended for the selected device, the verifying comprisingcomparing the identity of the selected device with a device identification in the first plaintext key transformation unit,confirming that a plurality of cryptographic keys stored on the selected device includes the common key,decrypting the first plaintext key transformation unit associated with the application using the common key,associating the first plaintext key transformation unit with the decrypted second plaintext key transformation unit, anddecrypting the application using the cryptographic keys provided in the first plaintext key transformation unit.

13. A device comprising a computing device and storage, the device configured to receive an encrypted application load unit, said application load unit comprising an application and security data for authentication and protection of code and data associated with the application, wherein:
- the storage maintains a plurality of cryptographic keys including a secret key of said device and a common key; and
  
  the computing device is configured to decrypt the encrypted application load unit using the secret key and the common key, wherein;
  
  the encrypted application load unit is encrypted using cryptographic keys provided in a first plaintext key transformation unit, the first plaintext key transformation unit being encrypted using the common key, wherein the common key and the one or more applications are furnished by an application provider;
  
  the common key is provided to the device in a second plaintext key transformation unit, the second plaintext key transformation unit being encrypted using a public key of the device; and
  
  the encrypted application and the common key are provided to the device using a secret key of the application provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Multos Ltd (Thales SA)
Original Assignee
Multos Ltd (Thales SA)
Inventors
Johnson, Alan E.
Primary Examiner(s)
Hoffman; Brandon S

Application Number

US11/737,712
Publication Number

US 20080005559A1
Time in Patent Office

733 Days
Field of Search

None
US Class Current

726/20
CPC Class Codes

G06Q 20/355   Personalisation of cards fo...

G06Q 20/3552   Downloading or loading of p...

G07F 7/1008   Active credit-cards provide...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless

H04L 9/083   involving central third par...

H04L 9/3249   using RSA or related signat...

H04L 9/3263   involving certificates, e.g...

Methods and systems for IC card application loading

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for IC card application loading

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links