Near field communication authentication and validation to access corporate data

US 8,494,576 B1
Filed: 05/03/2012
Issued: 07/23/2013
Est. Priority Date: 05/03/2012
Status: Active Grant

First Claim

Patent Images

1. A system for near field communication authentication and validation to access corporate data, comprising:

a mobile device comprising a near field communication transceiver and a main processor chipset,a security zone architecture embedded in the main processor chipset, the security zone architecture comprising a secure partition of hardware and software resources, which include a plurality of secure partition applications, with a trusted execution environment, wherein the plurality of secure partition applications runs on a first virtual processor that is configured to execute in a time-sliced manner relative to a second virtual processor that runs a plurality of non-secure partition applications;

a memory located within the secure partition of the mobile device that stores private enterprise credentials;

an enterprise server comprising a security zone server security zone architecture, the security zone architecture including a secure partition of hardware and software resources with a trusted execution environment,an enterprise network comprising a domain;

a building access sensor coupled to the enterprise server, wherein the building access sensor comprises a near field communication transceiver;

an application of the plurality of secure partition applications stored in the secure partition on the mobile device and executable in the trusted execution environment on the mobile device, wherein the application,establishes a wireless link to the building access sensor via the near field communication transceiver on the mobile device and the near field communication transceiver on the building access sensor,couples the near field communication transceiver on the mobile device with the memory in the secure partition of the mobile device, andtransmits the private enterprise credentials stored in the memory to the building access sensor via the near field communication transceiver on the mobile device and the near field communication transceiver on the building access sensor; and

an application stored in the secure partition of the enterprise server and executable on the trusted execution environment on the enterprise server, wherein the application,receives the private enterprise credentials via the building access sensor,authorizes access to the building based on the private enterprise credentials,authenticates the user identified by the private enterprise credentials, andgrants the user access to a computer accessing the domain on the enterprise network based on the authentication.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for near field communication authentication (NFC) and validation to access corporate data is provided. The system comprises a mobile phone, an enterprise server, a building access sensor coupled to the server, and an enterprise network comprising a domain. The sensor comprises a NFC transceiver. The phone comprises a NFC transceiver and a trusted security zone which comprises private enterprise credentials and an application, where the application establishes a wireless link to the sensor via the NFC transceiver, couples the NFC transceiver with memory storing the credentials, and transmits the credentials to the sensor via the NFC transceiver. The enterprise server comprises a trusted security zone and an application stored in the trusted security zone, where the application receives the credentials via the sensor, authorizes access to the building based on the credentials, and authenticates the user to the domain on the enterprise network.

210 Citations

20 Claims

1. A system for near field communication authentication and validation to access corporate data, comprising:
- a mobile device comprising a near field communication transceiver and a main processor chipset,a security zone architecture embedded in the main processor chipset, the security zone architecture comprising a secure partition of hardware and software resources, which include a plurality of secure partition applications, with a trusted execution environment, wherein the plurality of secure partition applications runs on a first virtual processor that is configured to execute in a time-sliced manner relative to a second virtual processor that runs a plurality of non-secure partition applications;
  
  a memory located within the secure partition of the mobile device that stores private enterprise credentials;
  
  an enterprise server comprising a security zone server security zone architecture, the security zone architecture including a secure partition of hardware and software resources with a trusted execution environment,an enterprise network comprising a domain;
  
  a building access sensor coupled to the enterprise server, wherein the building access sensor comprises a near field communication transceiver;
  
  an application of the plurality of secure partition applications stored in the secure partition on the mobile device and executable in the trusted execution environment on the mobile device, wherein the application,establishes a wireless link to the building access sensor via the near field communication transceiver on the mobile device and the near field communication transceiver on the building access sensor,couples the near field communication transceiver on the mobile device with the memory in the secure partition of the mobile device, andtransmits the private enterprise credentials stored in the memory to the building access sensor via the near field communication transceiver on the mobile device and the near field communication transceiver on the building access sensor; and
  
  an application stored in the secure partition of the enterprise server and executable on the trusted execution environment on the enterprise server, wherein the application,receives the private enterprise credentials via the building access sensor,authorizes access to the building based on the private enterprise credentials,authenticates the user identified by the private enterprise credentials, andgrants the user access to a computer accessing the domain on the enterprise network based on the authentication.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the building access sensor further comprises a security zone architecture including a secure partition of hardware and software resources of the building access sensor with a trusted execution environment.
  - 3. The system of claim 1, wherein the security zone architecture of the mobile device includes a non-secure partition of hardware and software resources, which include the plurality of non-secure partition applications, with a non-secure execution environment.
  - 4. The system of claim 1, wherein the first virtual processor and the second virtual processor run on a single physical processor.
  - 5. The system of claim 3, wherein the mobile device includes a main mobile device operating system which runs in the non-secure execution environment, and wherein the main mobile device operating system is disabled when the application stored in the secure partition on the mobile device is executing in the trusted execution environment on the mobile device.
  - 6. The system of claim 1, wherein the enterprise server includes a non-secure partition of hardware and software resources with a non-secure execution environment and a main enterprise server operating system which runs in the non-secure execution environment, and wherein the main enterprise operating system is disabled when the application stored in the secure partition on the enterprise server is executing in the trusted execution environment on the enterprise server.
  - 7. The system of claim 1, wherein the enterprise server is configured to track the location of the mobile device as the mobile device moves throughout the building.

8. A method of near field communication authentication and validation to access corporate data, comprising:
- establishing, by an application of a plurality of secure partition applications, a near field communication wireless link between a building access sensor and a mobile device, wherein the mobile device comprises a main processor chipset with a security zone architecture embedded in the main processor chipset, wherein the security zone architecture comprises a secure partition of hardware and software resources, which include the plurality of secure partition applications, with a trusted execution environment, wherein the plurality of secure partition applications runs on a first virtual processor that is configured to execute in a time-sliced manner relative to a second virtual processor that runs a plurality of non-secure partition applications, and wherein the mobile device further comprises a memory located within the secure partition that stores private enterprise credentials;
  
  coupling, by the application of the plurality of secure partition applications, a near field communication transceiver in the mobile phone with the memory in;
  
  transmitting, by the application of the plurality of secure partition applications, the private enterprise credentials to the building access sensor via the near field communication wireless link;
  
  receiving, by an application executing on an enterprise server coupled to the building access sensor, the private enterprise credentials wherein the application executes on the enterprise server;
  
  authorizing access to the building based on the private enterprise credentials; and
  
  authenticating the user identified by the private enterprise credentials to a domain on an enterprise network.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the building access sensor further comprises a security zone architecture that comprises a secure partition of hardware and software resources with a trusted execution environment.
  - 10. The method of claim 8, wherein the enterprise server is configured to track the location of the mobile device as the mobile device moves throughout the building.
  - 11. The method of claim 8, wherein functions executable in a non-secure partition of the mobile device, functions executable in a non-secure partition of the building access sensor, and functions executable in a non-secure partition of the enterprise server are disabled when the private security credentials are being transmitted.
  - 12. The method of claim 8, wherein the domain on the enterprise network is an active directory domain and the enterprise server is an active directory domain controller.
  - 13. The method of claim 8, wherein the mobile device is a personally owned device and wherein an information technology (IT) administrator of the enterprise network opens and secures the trusted execution environment on the mobile device and installs the private enterprise credentials in the trusted execution environment.
  - 14. The method of claim 8, further comprising granting access to a second enterprise server based on a location of the mobile device in the building and based on user access permissions granted by the private enterprise credentials of the mobile device.

15. A method of near field communication authentication and validation to access corporate data, comprising:
- establishing, by an application of a plurality of secure partition applications, a near field communication wireless link between a building access sensor and a mobile device, wherein the mobile device comprises a biometric reader and a main processor chipset with a security zone architecture embedded in the main processor chipset, wherein the security zone architecture comprises a secure partition of hardware and software resources, which include the plurality of secure partition applications, with a trusted execution environment, wherein the plurality of secure partition applications runs on a first virtual processor that is configured to execute in a time-sliced manner relative to a second virtual processor that runs a plurality of non-secure partition applications, and wherein the mobile device further comprises a memory located within the secure partition that stores private enterprise credentials;
  
  coupling, by the application of the plurality of secure partition applications, a near field communication transceiver in the mobile device with the memory;
  
  transmitting, by the application of the plurality of secure partition applications, the private enterprise credentials to the building access sensor via the near field communication wireless link;
  
  receiving, by an application executing on an enterprise server coupled to the building access sensor, the private enterprise credentialsauthorizing access to the building based on the private enterprise credentials;
  
  authenticating a user identified by the private enterprise credentials to a domain on an enterprise network;
  
  establishing a wireless link between a computer on the enterprise network and the mobile device; and
  
  authenticating, by the computer, the user of the mobile device based on identification sent from the biometric reader on the mobile device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein the computer on the enterprise network comprises a security zone architecture, wherein the security zone architecture comprises a secure partition of hardware and software resources with a trusted execution environment.
  - 17. The method of claim 15, wherein authenticating the user of the mobile device on the computer further comprises authenticating the computer to the domain on the enterprise network.
  - 18. The method of claim 15, wherein the biometric reader comprises one of a fingerprint recognition system, a facial recognition system, a retinal recognition system, or a voice recognition system.
  - 19. The method of claim 15, further comprising the enterprise server notifying the computer on the enterprise network when the user identified by the private enterprise credentials is authenticated on the enterprise network.
  - 20. The method of claim 15, further comprising logging off the computer and the domain on the enterprise network when the wireless link between the computer and mobile device is broken.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
T-Mobile Innovations LLC (Deutsche Telekom AG)
Original Assignee
Sprint Communications Company LP (Deutsche Telekom AG)
Inventors
Paczkowski, Lyle W., Bye, Stephen James
Primary Examiner(s)
SHEDRICK, CHARLES TERRELL

Application Number

US13/463,801
Time in Patent Office

446 Days
Field of Search

455/550.1, 455/41.1, 455/403, 713/182, 713/186
US Class Current

455/550.1
CPC Class Codes

G06F 21/35   communicating wirelessly

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G07C 2009/00777   by induction

G07C 9/00563   using personal physical dat...

G07C 9/00571   operated by interacting wit...

G07C 9/257   electronically G07C9/26 tak...

G07C 9/26   using a biometric sensor in...

G07C 9/27   with central registration

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/321   involving a third party or ...

H04L 9/3234   involving additional secure...

H04W 12/068   using credential vaults, e....

H04W 4/80   Services using short range ...

Near field communication authentication and validation to access corporate data

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

210 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Near field communication authentication and validation to access corporate data

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

210 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links