Method for managing the security of applications with a security module

US 8,001,615 B2
Filed: 11/03/2004
Issued: 08/16/2011
Est. Priority Date: 11/04/2003
Status: Active Grant

First Claim

Patent Images

1. A method for managing security of at least one additional application associated to a main application with a security module of an equipment connected, via a network, to a control server managed by an operator, the main application and the additional applications use resources as data or functions stored in the security module locally connected to said equipment, comprising:

the equipment, periodically sending via the network to the control server identification data including at least a type and software version of the equipment and a type and software version of the security module,analyzing and verifying by the control server the identification data upon an occurrence of at least one;

after each connection of the equipment to the network,after each updating of the software version of the equipment,after at least one of each activation and deactivation of the additional application on the equipment,after each updating of the software version of the security module,after each updating of resources on the security module, andperiodically at a rate given by the control server,generating, by the control server, a cryptogram from a result of the verification of the identification data by comparing the identification data to a subscriber database content,transmitting, by the control server, the cryptogram, via the network and the equipment, to the security module,receiving and analyzing the cryptogram by the security module for acting on specific applications according to instructions included in the cryptogram, andselectively activating or deactivating at least one resource as data or functions stored in said security module by executing the instructions included in the cryptogram and using the selected resource to condition the functioning of the at least one additional application stored in the equipment according to criteria established by at least one of a supplier of said additional application or the operator managing the control server,wherein the resources as data or functions of the security module used by the main application are left active for connection of the equipment to the network so as to obtain further cryptograms from the control server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for managing the security of applications with a security module associated to an equipment connected to a network managed by a control server of an operator. The applications use resources as data or functions stored in the security module locally connected to the equipment. The method may include steps of receiving, analyzing and verifying, by the control server, identification data from the equipment and the security module, generating a cryptogram from the result of the verification of the identification data, transmitting the cryptogram to the security module of the equipment, and selectively activating or selectively deactivating by the security module at least one resource as data or functions of the security module by executing instructions included in the cryptogram and conditioning the functioning of an application according to criteria established by a supplier of the application or the operator or a user of the equipment.

Citations

13 Claims

1. A method for managing security of at least one additional application associated to a main application with a security module of an equipment connected, via a network, to a control server managed by an operator, the main application and the additional applications use resources as data or functions stored in the security module locally connected to said equipment, comprising:
- the equipment, periodically sending via the network to the control server identification data including at least a type and software version of the equipment and a type and software version of the security module,analyzing and verifying by the control server the identification data upon an occurrence of at least one;
  
  after each connection of the equipment to the network,after each updating of the software version of the equipment,after at least one of each activation and deactivation of the additional application on the equipment,after each updating of the software version of the security module,after each updating of resources on the security module, andperiodically at a rate given by the control server,generating, by the control server, a cryptogram from a result of the verification of the identification data by comparing the identification data to a subscriber database content,transmitting, by the control server, the cryptogram, via the network and the equipment, to the security module,receiving and analyzing the cryptogram by the security module for acting on specific applications according to instructions included in the cryptogram, andselectively activating or deactivating at least one resource as data or functions stored in said security module by executing the instructions included in the cryptogram and using the selected resource to condition the functioning of the at least one additional application stored in the equipment according to criteria established by at least one of a supplier of said additional application or the operator managing the control server,wherein the resources as data or functions of the security module used by the main application are left active for connection of the equipment to the network so as to obtain further cryptograms from the control server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method according to claim 1, wherein the equipment is a mobile equipment of mobile telephony.
  - 3. The method according to claim 1, wherein the network is a mobile network of the GSM, GPRS or UMTS type.
  - 4. A method according to claim 1, wherein the security module is a subscriber module of a SIM card type inserted into a mobile equipment of mobile telephony.
  - 5. The method according to claim 4, wherein the identification data of at least one of the mobile equipment and the subscriber module comprises an identifier of the mobile equipment and an identifier of the subscriber module pertaining to a subscriber to the mobile network.
  - 6. The method according to claim 5, wherein the subscriber module, prior to the execution of the instructions included in the cryptogram, compares the identifier of the mobile equipment with that previously received and only initiates analyzing an verifying by the control server of the identification data if the identifier of the mobile equipment has changed.
  - 7. The method according to claim 5, wherein the control server, prior to the transmission of the cryptogram, compares the identifier of the mobile equipment with that previously received and only initiates analyzing and verifying the identification data if the identifier of the mobile equipment has changed.
  - 8. The method according to claim 5, wherein the cryptogram is made up of a message encrypted by the control server with the aid of an asymmetrical or symmetrical encryption key from a data set containing, among other data, the identifier of the mobile equipment, the identifier of the subscriber module, resource references of the subscriber module and a predictable variable.
  - 9. The method according to claim 8, wherein the subscriber module transmits to the control server, via the mobile equipment and the mobile network, a confirmation message when the subscriber module has received the cryptogram, said message confirming correct reception and the adequate processing of the cryptogram by the subscriber module.
  - 10. The method according to claim 1, wherein the criteria defines usage limits of the additional application according to risks associated to the additional application and to the type and the software version of the equipment that at least one of the operator, the application supplier and an user of the equipment take in account.
  - 11. The method according to claim 1, wherein the equipment is a Pay-TV decoder or a computer to which the security module is connected.

12. A system having a security module including resources as data or functions intended to be locally accessed by a main application and at least one additional application installed in an equipment connected, via a network, to a control server configured for managing security of the at least one additional application on at least one of each initialization, activation or deactivation of the at least one additional application, comprising:
- the equipment configured to read and transmit identification data periodically via the network to the control server including at least a type and software version of the equipment and a type and software version of the security module;
  
  the control server configured to analyze and verify the identification data upon an occurrence of at least one;
  
  after each connection of the equipment to the network,after each updating of the software version of the equipment,after at least one of each activation and deactivation of the additional application on the equipment,after each updating of the software version of the security module,after each updating of resources on the security module, andperiodically at a rate given by the control server,the control server configured to generate a cryptogram from a result of the verification of the identification data by comparing the identification data to a subscriber database content;
  
  the security module configured to receive and analyze the cryptogram for acting on specific applications according to instructions included in the cryptogram; and
  
  configured to selectively activate or deactivate at least one resource as data or functions stored in the security module by executing the instructions included in the cryptogram and using the selected resource to condition the functioning of the at least one additional application stored in the equipment according to criteria established by at least one of the supplier of said additional application or the operator managing the control server,wherein the resources as data or functions of the security module used by the main application are left active for connection of the equipment to the network so as to obtain further cryptograms from the control server.
- View Dependent Claims (13)
- - 13. The security module according to claim 12, constituting a subscriber module of a SIM card type connected to a mobile equipment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nagravision SA (Kudelski SA)
Original Assignee
Swisscom Mobile AG (Government of Switzerland), Nagravision SA (Kudelski SA)
Inventors
Ksontini, Rached, Cantini, Renato
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Vaughan, Michael R

Application Number

US10/577,158
Publication Number

US 20070274524A1
Time in Patent Office

2,477 Days
Field of Search

None
US Class Current

726/29
CPC Class Codes

H04W 12/126   Anti-theft arrangements, e....

H04W 12/48   using secure binding, e.g. ...

H04W 8/183   Processing at user equipmen...

Method for managing the security of applications with a security module

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method for managing the security of applications with a security module

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links