Method for the authentication of applications

US 9,143,888 B2
Filed: 07/16/2014
Issued: 09/22/2015
Est. Priority Date: 11/27/2003
Status: Active Grant

First Claim

Patent Images

1. A mobile device, comprising:

equipment; and

a security module connected to the equipment,the equipment being configured to connect by a network to a control server,the mobile device being configured to transmit, to the control server, via the network, identification data including at least an identifier of the equipment and an identifier of the security module,the mobile device being configured to receive, from the control server, a protection profile defining resources of the security module that can be used by at least one application,the equipment being configured to receive, from the control server, the at least one application,the at least one application being at least one of loadable and executable via an application execution environment of the equipment, the at least one application being configured to use resources stored in the security module;

the mobile device being configured to receive, from the control server, a cryptogram, the cryptogram including a digest of the at least one application, the identification data, the protection profile and at least one of an identifier of the at least one application and an identifier of security module resources,the security module being configured to perform a verification operation of verifying the at least one application by comparing the digest extracted from the received cryptogram with a digest determined by the security module; and

the security module being configured to perform at least one of releasing and blocking access of certain resources of said security module to the at least one application based on the received protection profile,wherein, the mobile device is configured such that,when the at least one application and the cryptogram are not received at the mobile device at a same time,the at least one application requests, once the at least one application is loaded into the equipment, the cryptogram from the server,the at least one application requesting the cryptogram from the server at the time of an initialization of the at least one application;

the at least one application transmits the cryptogram to the security module; and

the security module transmits a confirmation message of acceptance or refusal of the cryptogram from the security module to the control server via the at least one application, andthe security module performs the verification operation when the cryptogram is accepted.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authentication method of at least one application using resources stored in a security module associated to an equipment connected to a control server via a network. The control server receives via the network, analyzes and verifies identification data comprising at least an identifier of the equipment and an identifier of the security module, generates a cryptogram comprising a digest of the application, the identification data and instructions intended for the security module and transmits the cryptogram, via the network and the equipment, to the security module. The latter verifies the application by comparing the digest extracted from the cryptogram with a calculated digest, wherein, during at least one of initialization and activation of the application, the security module executes the instructions extracted from the cryptogram and either releases or blocks access to certain resources of said security module according to a result of the verification of the application.

32 Citations

View as Search Results

13 Claims

1. A mobile device, comprising:
- equipment; and
  
  a security module connected to the equipment,the equipment being configured to connect by a network to a control server,the mobile device being configured to transmit, to the control server, via the network, identification data including at least an identifier of the equipment and an identifier of the security module,the mobile device being configured to receive, from the control server, a protection profile defining resources of the security module that can be used by at least one application,the equipment being configured to receive, from the control server, the at least one application,the at least one application being at least one of loadable and executable via an application execution environment of the equipment, the at least one application being configured to use resources stored in the security module;
  
  the mobile device being configured to receive, from the control server, a cryptogram, the cryptogram including a digest of the at least one application, the identification data, the protection profile and at least one of an identifier of the at least one application and an identifier of security module resources,the security module being configured to perform a verification operation of verifying the at least one application by comparing the digest extracted from the received cryptogram with a digest determined by the security module; and
  
  the security module being configured to perform at least one of releasing and blocking access of certain resources of said security module to the at least one application based on the received protection profile,wherein, the mobile device is configured such that,when the at least one application and the cryptogram are not received at the mobile device at a same time,the at least one application requests, once the at least one application is loaded into the equipment, the cryptogram from the server,the at least one application requesting the cryptogram from the server at the time of an initialization of the at least one application;
  
  the at least one application transmits the cryptogram to the security module; and
  
  the security module transmits a confirmation message of acceptance or refusal of the cryptogram from the security module to the control server via the at least one application, andthe security module performs the verification operation when the cryptogram is accepted.
- View Dependent Claims (2, 3)
- - 2. The mobile device of claim 1, wherein the mobile device is configured such that the verification operation is performed by the security module periodically at a rate given by the control server, during at least one of a first initialization of the at least one application, a first use of the at least one application, and each initialization of the at least one application.
  - 3. The mobile device of claim 2, wherein the mobile device is configured such that mobile device receives the protection profile from the control server in response to at least one of,an updating of a version of a software installed in the equipment,a downloading of a new application in the equipment,an updating period of the protection profile,a number of connections of the equipment to the network, anda technology used by the mobile device for accessing the network.

4. A control server for connecting by a network to a mobile device which includes equipment and a security module, the control server comprising:
- a processor,the control sever being configured to,receive, via the network, identification data including at least an identifier of the equipment and an identifier of the security module;
  
  analyze and verify the identification data;
  
  create a protection profile based on the analysis and verification, such that the protection profile defines resources of the security module that can be used by at least one application and causes the security module to perform at least one of releasing and blocking access of certain resources of the security module to the at least one application based on the received protection profile;
  
  transmit, from the control server to the mobile device, the protection profile;
  
  transmit, from the control server to the mobile device, an application,generate, at the control server, a cryptogram such that the cryptogram includes a digest of the at least one application, the identification data, the protection profile and at least one of an identifier of the at least one application and an identifier of security module resources;
  
  transmit, to the mobile device, the cryptogram; and
  
  receive, from the mobile device, an indication of a result of a verification operation that includes comparing the digest included in the transmitted cryptogram and a digest determined by the security module,wherein the control server is further configured such that,when the at least one application and the cryptogram are not transmitted from the control server to the mobile device at a same time,the control server receives, from the mobile device, a request requesting the control server to send the cryptogram to the mobile device,the request being received after the control server transmits the at least one application at a time of an initialization of the at least one application at the mobile device; and
  
  the control server receives, at the control server, a confirmation message of acceptance or refusal of the cryptogram from the security module.
- View Dependent Claims (5, 6, 7)
- - 5. The control server of claim 4, wherein the control server is configured such that,the control server transmits, from the control server to the mobile device, rate information that causes the security module to perform the verification operation periodically at a rate indicated by the rate information, during at least one of a first initialization of the at least one application, a first use of the at least one application, and each initialization of the at least one application.
  - 6. The control server of claim 5, wherein the control server is configured to create the protection profile based on at least one of,an updating of a version of a software installed in the equipment,a downloading of a new application in the equipment,an updating period of the protection profile,a number of connections of the equipment to the network, anda technology used by the mobile device for accessing the network.
  - 7. The control server of claim 6, wherein the control server is configured such that the at least one application transmitted by the control server is at least one of loadable and executable via an application execution environment of the equipment, and being configured to use resources stored in the security module.

8. A method of operating a mobile device, the mobile device including equipment and a security module, the equipment being connected by a network to a control server, the equipment being connected to the security module, the method comprising:
- transmitting, from the mobile device to the control server, via the network, identification data including at least an identifier of the equipment and an identifier of the security module;
  
  receiving, at the mobile device from the control server, a protection profile defining resources of the security module that can be used by at least one application;
  
  receiving, at the equipment from the control server, an application,the at least one application being at least one of loadable and executable via an application execution environment of the equipment, the at least one application being configured to use resources stored in the security module;
  
  receiving, at the mobile device from the control server, a cryptogram, the cryptogram including a digest of the at least one application, the identification data, the protection profile and at least one of an identifier of the at least one application and an identifier of security module resources;
  
  performing a verification operation of verifying, by the security module, the at least one application by comparing the digest extracted from the received cryptogram with a digest determined by the security module;
  
  performing, by the security module, at least one of releasing and blocking access of certain resources of said security module to the at least one application based on the received protection profile; and
  
  when the at least one application and the cryptogram are not received at the mobile device at a same time,requesting by the at least one application, once the at least one application is loaded into the equipment, the cryptogram from the server,the at least one application requesting the cryptogram from the server at the time of an initialization of the at least one application;
  
  transmitting the cryptogram from the at least one application to the security module; and
  
  transmitting a confirmation message of acceptance or refusal of the cryptogram from the security module to the control server via the at least one application,the verification operation being performed by the security module when the cryptogram is accepted.
- View Dependent Claims (9, 10)
- - 9. The method of claim 8, wherein the verification operation is performed by the security module periodically at a rate given by the control server, during at least one of a first initialization of the at least one application, a first use of the at least one application, and each initialization of the at least one application.
  - 10. The method of claim 9, wherein the receiving a protection profile includes receiving the protection profile at the mobile device from the control server in response to at least one of,an updating of a version of a software installed in the equipment,a downloading of a new application in the equipment,an updating period of the protection profile,a number of connections of the equipment to the network, anda technology used by the mobile device for accessing the network.

11. A method of operating a control server, the control server being connected by a network to a mobile device, the mobile device including equipment and a security module, the method comprising:
- receiving, at the control server from the mobile device to, via the network, identification data including at least an identifier of the equipment and an identifier of the security module;
  
  analyzing and verifying, by the control server, the identification data;
  
  creating, at the control server, a protection profile based on the analysis and verification, such that the protection profile defines resources of the security module that can be used by at least one application and causes the security module to perform at least one of releasing and blocking access of certain resources of the security module to the at least one application based on the received protection profile;
  
  transmitting, from the control server to the mobile device, the protection profile;
  
  transmitting, from the control server to the mobile device, an application,the at least one application transmitted by the control server being at least one of loadable and executable via an application execution environment of the equipment, and being configured to use resources stored in the security module;
  
  generating, at the control server, a cryptogram such that the cryptogram includes a digest of the at least one application, the identification data, the protection profile and at least one of an identifier of the at least one application and an identifier of security module resources;
  
  transmitting, from the control server to the mobile device, the cryptogram;
  
  receiving, at the control server from the mobile device, an indication of a result of a verification operation that includes comparing the digest included in the transmitted cryptogram and a digest determined by the security module; and
  
  when the at least one application and the cryptogram are not transmitted from the control server to the mobile device at a same time,receiving, from the mobile device, a request requesting the control server to send the cryptogram to the mobile device,the request being received after the control server transmits the at least one application at a time of an initialization of the at least one application at the mobile device; and
  
  receiving, at the control server, a confirmation message of acceptance or refusal of the cryptogram from the security module.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11, further comprising:
    - transmitting, from the control server to the mobile device, rate information that causes the security module to perform the verification operation periodically at a rate indicated by the rate information, during at least one of a first initialization of the at least one application, a first use of the at least one application, and each initialization of the at least one application.
  - 13. The method of claim 12, wherein the creating a protection profile includes creating the protection profile at the control server based on at least one of,an updating of a version of a software installed in the equipment,a downloading of a new application in the equipment,an updating period of the protection profile,a number of connections of the equipment to the network, anda technology used by the mobile device for accessing the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nagravision SA (Kudelski SA)
Original Assignee
Nagravision SA (Kudelski SA)
Inventors
Ksontini, Rached, Cantini, Renato
Primary Examiner(s)
Vaughan, Michael R

Application Number

US14/332,946
Publication Number

US 20140321646A1
Time in Patent Office

433 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/34   involving the use of extern...

G06F 21/51   at application loading time...

G06F 21/554   involving event detection a...

G06F 2221/2107   File encryption

G06F 2221/2153   Using hardware token as a s...

G06F 8/65   Updates security arrangemen...

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

H04W 12/08   Access security

H04W 12/10   Integrity

H04W 12/35   Protecting application or s...

H04W 4/60   Subscription-based services...

Method for the authentication of applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method for the authentication of applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links