Credential provisioning

US 8,724,819 B2
Filed: 10/16/2007
Issued: 05/13/2014
Est. Priority Date: 10/16/2007
Status: Active Grant

First Claim

Patent Images

1. A method performed by a provisioning apparatus comprising a processing unit and a memory, the method comprising:

choosing a family key, a family key defining a family of applications;

submitting the family key to a security element in a secured manner;

choosing credentials;

deriving protection keys based on the family key;

protecting the credentials using the protection keys for securing credential data;

submitting said secured credential data to the security element;

using the family key for binding a credential application to the family; and

submitting said binding to the security element.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a method in a provisioning apparatus. The method comprises obtaining a family key, a family key defining a family; submitting the family key to a security element in a secure manner (2-2); using the family key for securing credential data; submitting said secured credential data to the security element (2-4); using the family key for binding an application to the family; and submitting said binding to the security element (2-5). Also a method in a related security element and related apparatuses, systems and computer programs are disclosed.

Citations

35 Claims

1. A method performed by a provisioning apparatus comprising a processing unit and a memory, the method comprising:
- choosing a family key, a family key defining a family of applications;
  
  submitting the family key to a security element in a secured manner;
  
  choosing credentials;
  
  deriving protection keys based on the family key;
  
  protecting the credentials using the protection keys for securing credential data;
  
  submitting said secured credential data to the security element;
  
  using the family key for binding a credential application to the family; and
  
  submitting said binding to the security element.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - using public key cryptography for securing the family key;
      
      orusing a secure submission channel for securing the family key.
  - 3. The method of claim 2, wherein the application is secured with a public key associated with the security element or with said family key.
  - 4. The method of claim 1, further comprising:
    - securing an application,submitting said secured application to the security element; and
      
      using said family key for binding said application to said family.
  - 5. The method of claim 1, further comprising:
    - submitting said secured credential data to the security element with an associated family identification information, andsubmitting said binding to the security element with associated family identification information.
  - 6. The method of claim 1, wherein choosing the family key comprises:
    - choosing a previously used family key, orgenerating a Previously Presented family key.
  - 7. The method of claim 1, wherein the family key is a symmetric key.
  - 8. The method of claim 1, further comprising:
    - using the family key for securing a plurality of credential data; and
      
      submitting said plurality of secured credential data to the security element.
  - 9. The method of claim 1, further comprising:
    - using the family key for binding a plurality of applications to the family; and
      
      submitting said plurality of bindings to the security element.

10. A method performed by a security element comprising a processing unit and a memory, the method comprising:
- receiving a family key transmitted in a secured manner, the family key defining a family of applications;
  
  receiving credential data secured with protection keys derived based on the family key;
  
  receiving information binding at least one credential application to the family; and
  
  limiting access to said credential data for applications not having a binding to said family.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, wherein the family key is secured with public key cryptography;
    - or the family key is secured by using a secure submission channel for transmitting the family key.
  - 12. The method of claim 10, further comprising:
    - receiving in secured form said at least one application binding to the family.
  - 13. The method of claim 12, wherein the application is secured with a public key associated with the security element or with said family key.
  - 14. The method of claim 10, further comprising:
    - receiving said secured credential data with an associated family identification information,receiving said binding information with an associated family identification information, andusing said family identification information for checking, whether a given application and given credentials have a binding to the same family.
  - 15. The method of claim 10, wherein the family key is a symmetric key.
  - 16. The method of claims 10, further comprising:
    - receiving a plurality credential data secured with said family key.
  - 17. The method of claim 10, further comprising:
    - receiving information binding a plurality of applications to said family.

18. A provisioning apparatus comprising:
- a memory,a processing unit coupled to the memory, wherein the processing unit with the memory is configured to cause the provisioning apparatus at least to;
  
  choose a family key, a family key defining a family of applications;
  
  submit the family key to a security element in a secured manner;
  
  choose credentials;
  
  derive protection keys based on the family key;
  
  protect the credentials using the protection keys for securing credential data;
  
  submit said secured credential data to the security element;
  
  use the family key for binding a credential application to the family; and
  
  submit said binding to the security element.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The provisioning apparatus of claim 18, wherein the processing unit is configured to:
    - use public key cryptography for securing the family key;
      
      oruse a secure submission channel for securing the family key.
  - 20. The provisioning apparatus of claim 18, wherein the processing unit is configured to:
    - secure an application,submit said secured application to the security element; and
      
      use said family key for binding said application to said family.
  - 21. The provisioning apparatus of claim 20, wherein the processing unit is configured to secure the application with a public key associated with the security element or with said family key.
  - 22. The provisioning apparatus of claim 18, wherein the processing unit is configured to:
    - submit said secured credential data to the security element with an associated family identification information, andsubmit said binding to the security element with an associated family identification information.
  - 23. The provisioning apparatus of claim 18, wherein the processing unit is configured to choose the family key by:
    - choosing a previously used family key, orgenerating a Previously Presented family key.
  - 24. The provisioning apparatus of claim 18, wherein the family key is a symmetric key.
  - 25. The provisioning apparatus of claim 18, wherein the processing unit is configured to:
    - use the family key for securing a plurality of credential data; and
      
      submit said plurality of secured credential data to the security element.
  - 26. The provisioning apparatus of claim 18, wherein the processing unit is configured to:
    - use the family key for binding a plurality of applications to the family; and
      
      submit said plurality of bindings to the security element.

27. A security element comprising:
- a memory,a processing unit coupled to the memory, wherein the processing unit with the memory is configured to cause the security element at least to;
  
  receive a family key transmitted in a secured manner, the family key defining a family of applications;
  
  receive credential data secured with protection keys derived based on the family key;
  
  receive information binding at least one credential application to the family; and
  
  limit access to said credential data for applications not having a binding to said family.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35)
- - 28. The security element of claim 27, wherein the family key is secured with public key cryptography;
    - or the family key is secured by using a secure submission channel for transmitting the family key.
  - 29. The security element of claim 27, wherein the processing unit is configured to:
    - receive in secured form said at least one application binding to the family.
  - 30. The security element of claim 29, wherein the application is secured with a public key associated with the security element or with said family key.
  - 31. The security element of claim 27, wherein the processing unit is configured to:
    - receive said secured credential data with an associated family identification information,receive said binding information with an associated family identification information, anduse said family identification information for checking, whether a given application and given credentials have a binding to the same family.
  - 32. The security element of claim 27, wherein the family key is a symmetric key.
  - 33. The security element of claim 27, wherein the processing unit is configured to:
    - receive a plurality credential data secured with said family key.
  - 34. The security element of claim 27, wherein the processing unit is configured to:
    - receive information binding a plurality of applications to said family.
  - 35. The security element of claim 27, wherein the security element is an independent physical element, or a dedicated computational hardware unit of an end user device, or a security functionality of a processing unit of an end user device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Asokan, Nadarajah, Ekberg, Jan-Erik, Rantala, Aarne, Kylnp, Markku
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US12/738,616
Publication Number

US 20100266128A1
Time in Patent Office

2,401 Days
Field of Search

713/150, 380/278
US Class Current

380/278
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/0853   using an additional device,...

H04L 9/0833   involving conference or gro...

H04L 9/3271   using challenge-response

H04W 12/04   Key management, e.g. using ...

H04W 12/35   Protecting application or s...

Credential provisioning

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Credential provisioning

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links