Method of performing a secure application in an NFC device

US 8,850,527 B2
Filed: 07/07/2011
Issued: 09/30/2014
Est. Priority Date: 07/08/2010
Status: Active Grant

First Claim

Patent Images

1. A method of executing a secure application in a Near Field Communication (NFC) device, the method comprising:

establishing a contactless link between a first NFC device and a second NFC device, the first NFC device comprising a secure processor,transmitting a secure processor identifier identifying the secure processor of the first NFC device from the first NFC device to the second NFC device over the contactless link,transmitting an application identifier from the second NFC device to the first NFC device over the contactless link,transmitting secure processor authentication data for authenticating the secure processor of the first NFC device, from the secure processor to the second NFC device over the contactless link,transmitting the secure processor authentication data from the second NFC device to an application server,transmitting the secure processor authentication data and application authentication data for authenticating an application corresponding to the application identifier, from the application server to an authentication server, andin the authentication server, verifying the secure processor authentication data and the application authentication data and authorizing the first and second NFC devices to execute the application only if the secure processor and the application are authenticated by way of the secure processor authentication data and the application authentication data.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method of executing a secure application in an NFC device, the method comprising steps during which: a contactless link is established between first and second NFC devices, the first NFC device transmits by the contactless link an identifier of a secure processor of the first NFC device, the second NFC device transmits by the contactless link an application identifier, the secure processor transmits by the contactless link first authentication data allowing the authentication of the secure processor of the first NFC device, the second NFC device transmits to an application server the first authentication data, the application server transmits to an authentication server the first authentication data and second authentication data) to authenticate the application and authorizes the two NFC devices to execute the application only if the secure processor and the application are authenticated.

Citations

22 Claims

1. A method of executing a secure application in a Near Field Communication (NFC) device, the method comprising:
- establishing a contactless link between a first NFC device and a second NFC device, the first NFC device comprising a secure processor,transmitting a secure processor identifier identifying the secure processor of the first NFC device from the first NFC device to the second NFC device over the contactless link,transmitting an application identifier from the second NFC device to the first NFC device over the contactless link,transmitting secure processor authentication data for authenticating the secure processor of the first NFC device, from the secure processor to the second NFC device over the contactless link,transmitting the secure processor authentication data from the second NFC device to an application server,transmitting the secure processor authentication data and application authentication data for authenticating an application corresponding to the application identifier, from the application server to an authentication server, andin the authentication server, verifying the secure processor authentication data and the application authentication data and authorizing the first and second NFC devices to execute the application only if the secure processor and the application are authenticated by way of the secure processor authentication data and the application authentication data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 21, 22)
- - 2. The method according to claim 1, wherein:
    - the first NFC device transmits to the authentication server an application installation request comprising an application identifier of an application to install and the secure processor authentication data,the authentication server verifies the secure processor authentication data, and if the secure processor is authenticated, transmits to the first NFC device an application download address, andthe first NFC device downloads the application from the received download address and installs the downloaded application.
  - 3. The method according to claim 2, wherein, after the installation of the application, the first NFC device informs the authentication server of the installation of the application by supplying thereto the identifier of the installed application and the secure processor authentication data, andthe authentication server verifies the secure processor authentication data, and if the secure processor is authenticated, the authentication server stores the application identifier in association with the identifier of the secure processor of the first NFC device.
  - 4. The method according to claim 3, wherein the authentication server does not transmit to the first NFC device an application download address if the application identifier is already stored in association with the identifier of the secure processor of the first NFC device.
  - 5. The method according to claim 1, wherein the authentication server does not authorize the execution of the application by the first and second NFC devices if the application identifier is not stored in association with the identifier of the secure processor of the first NFC device.
  - 6. The method according to claim 1, wherein the secure processor authentication data comprises the identifier of the secure processor and a first cryptogram calculated by the secure processor by applying a cryptographic calculation using a secret key stored by the secure processor to the identifier of the secure processor.
  - 7. The method according to claim 1, wherein the application authentication data comprises the identifier of the secure processor, the application identifier, and a second cryptogram calculated by the application server by applying a cryptographic calculation using a secret key specific to the application identifier.
  - 8. The method according to claim 7, wherein the second cryptogram is calculated by applying the cryptographic calculation to the application identifier and to the first cryptogram.
  - 9. The method according to claim 6, wherein the first cryptogram is calculated by a symmetric encryption algorithm using a secret key, or an asymmetric encryption algorithm using a private key, or a hashing function applied to the data to encrypt and to the secret key.
  - 10. The method according to claim 6, wherein the verification of the first cryptogram and/or second cryptogram is performed by recalculating the cryptogram from the same data and by using an encryption key accessible to the authentication server.
  - 21. The method according to claim 7, wherein the second cryptogram is calculated by a symmetric encryption algorithm using a secret key, or an asymmetric encryption algorithm using a private key, or a hashing function applied to the data to encrypt and to the secret key.
  - 22. The method according to claim 7, wherein the verification of the second cryptogram is performed by recalculating the second cryptogram from the same data and by using an encryption key accessible to the authentication server.

11. A system for executing a secure application in a Near Field Communication NFC) device, comprising:
- a first NFC device comprising an NFC component to establish a contactless communication with another NFC device, and a secure processor connected to the NFC component,a second NFC device connected to an application server to execute an application with another NFC device, andan authentication server accessible to the application server and to the first NFC device, the system being configured to;
  
  establish a contactless link between the first NFC device and the second NFC device;
  
  transmit an identifier of the secure processor of the first NFC device from the first NFC device to the second NFC device over the contactless link;
  
  transmit an application identifier from the second NFC device to the first NFC device over the contactless link;
  
  transmit secure processor authentication data for authenticating the secure processor of the first NFC device, from the first NFC device to the second NFC device over the contactless link;
  
  transmit the secure processor authentication data from the second NFC device to an application server;
  
  transmit the secure processor authentication data and application authentication data for authenticating an application corresponding to the application identifier from the application server to an authentication server; and
  
  in the authentication server, verify the secure processor authentication data and the application authentication data and authorize the first and second NFC devices to execute the application only if the secure processor and the application are authenticated by way of the secure processor authentication data and the application authentication data.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system according to claim 11, wherein:
    - the first NFC device is configured to transmit to the authentication server an application installation request comprising an application identifier of an application to install and the secure processor authentication data, receive a download address of the application, download the application from the received download address and install the downloaded application, andthe authentication server is configured to verify the secure processor authentication data, and if the secure processor is authenticated, transmit to the first NFC device the application download address.
  - 13. The system according to claim 12, wherein:
    - the first NFC device is configured to inform the authentication server of the installation of the application after the installation of the application, by supplying to the authentication server the identifier of the installed application and the secure processor authentication data, andthe authentication server is configured to verify the secure processor authentication data, and if the secure processor is authenticated, the authentication server stores the application identifier in association with the identifier of the secure processor of the first NFC device.
  - 14. The system according to claim 13, wherein the authentication server is configured to not transmit to the first NFC device an application download address if the application identifier is already stored in association with the identifier of the secure processor of the first NFC device.
  - 15. The system according to claim 13, wherein the authentication server is configured to refuse the execution of the application by the first and second NFC devices if the application identifier is not stored in association with the identifier of the secure processor of the first NFC device.
  - 16. The system according to claim 11, wherein the secure processor authentication data comprises the identifier of the secure processor and a first cryptogram calculated by the secure processor by applying a cryptographic calculation using a secret key stored by the secure processor to the identifier of the secure processor.
  - 17. The system according to claim 16, wherein the application authentication data comprises the identifier of the secure processor, the application identifier, and a second cryptogram calculated by the application server by applying a cryptographic calculation using a secret key specific to the application to the application identifier.
  - 18. The system according to claim 17, wherein the second cryptogram is calculated by applying the cryptographic calculation to the application identifier and to the first cryptogram.
  - 19. The system according to claim 16, wherein the first and/or the second cryptograms are calculated with the aid of a symmetric encryption algorithm using a secret key, or of an asymmetric encryption algorithm using a private key, or of a hashing function applied to the data to encrypt and to the secret key.
  - 20. The system according to claim 16, wherein the verification of each of the first and second cryptograms is performed by recalculating the cryptogram from the same data and by using an encryption key accessible to the authentication server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verimatrix Incorporated (Verimatrix SA)
Original Assignee
Inside Secure SA
Inventors
Chew, Gary, Walton, Charles
Primary Examiner(s)
Zele, Krista
Assistant Examiner(s)
DESAI, MARGISHI V

Application Number

US13/178,043
Publication Number

US 20120011572A1
Time in Patent Office

1,181 Days
Field of Search

705/2, 455/411, 726/4
US Class Current

726/4
CPC Class Codes

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04W 12/06   Authentication

H04W 12/068   using credential vaults, e....

H04W 12/08   Access security

H04W 4/00   Services specially adapted ...

H04W 4/80   Services using short range ...

Method of performing a secure application in an NFC device

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method of performing a secure application in an NFC device

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links