Method for the authentication of applications
Abstract
Authentication method of at least one application using resources stored in a security module associated to an equipment connected to a control server via a network. The control server receives via the network, analyzes and verifies identification data comprising at least an identifier of the equipment and an identifier of the security module, generates a cryptogram comprising a digest of the application, the identification data and instructions intended for the security module and transmits the cryptogram, via the network and the equipment, to the security module. The latter verifies the application by comparing the digest extracted from the cryptogram with a calculated digest, wherein, during at least one of initialization and activation of the application, the security module executes the instructions extracted from the cryptogram and either releases or blocks access to certain resources of said security module according to a result of the verification of the application.
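The exchange the abstract describes, as an added example that is not part of the patent text. The shared key, the HMAC-SHA256 protection of the cryptogram, the JSON encoding and all function, class and identifier names are assumptions made for illustration; the page does not specify them.

```python
import hashlib, hmac, json

# Assumption: server and security module share a symmetric key. The abstract
# does not say how the cryptogram is protected; HMAC-SHA256 stands in here.
SHARED_KEY = b"constructed-demo-key"

def make_cryptogram(app_code, equipment_id, module_id, profile, key=SHARED_KEY):
    """Control server side: bind app digest, identification data and profile."""
    body = json.dumps({
        "digest": hashlib.sha256(app_code).hexdigest(),
        "ident": {"equipment": equipment_id, "module": module_id},
        "profile": profile,  # resources the application may use
    }, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}

class SecurityModule:
    """Hypothetical model of the security module's side of the exchange."""
    def __init__(self, module_id, resources, key=SHARED_KEY):
        self.module_id, self.key = module_id, key
        self.resources = set(resources)
        self.released = set()          # everything blocked until verified

    def process(self, cryptogram, app_code, equipment_id):
        """Return (confirmation for the server, resources released)."""
        body = cryptogram["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cryptogram["tag"]):
            return "refused", set()    # cryptogram is not authentic
        data = json.loads(body)
        if data["ident"] != {"equipment": equipment_id, "module": self.module_id}:
            return "refused", set()    # issued for another equipment or module
        # Cryptogram accepted: now verify the application itself by comparing
        # the digest from the cryptogram with a locally computed one.
        local = hashlib.sha256(app_code).hexdigest()
        if hmac.compare_digest(local, data["digest"]):
            self.released = self.resources & set(data["profile"])
        else:
            self.released = set()      # modified application: block access
        return "accepted", self.released
```

Acceptance of the cryptogram and verification of the application are separate outcomes here: an authentic cryptogram presented with a modified application is accepted, but no resource is released.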
32 Citations
13 Claims
1. A mobile device, comprising:
equipment; and
a security module connected to the equipment,
the equipment being configured to connect by a network to a control server,
the mobile device being configured to transmit, to the control server, via the network, identification data including at least an identifier of the equipment and an identifier of the security module,
the mobile device being configured to receive, from the control server, a protection profile defining resources of the security module that can be used by at least one application,
the equipment being configured to receive, from the control server, the at least one application,
the at least one application being at least one of loadable and executable via an application execution environment of the equipment, the at least one application being configured to use resources stored in the security module;
the mobile device being configured to receive, from the control server, a cryptogram, the cryptogram including a digest of the at least one application, the identification data, the protection profile and at least one of an identifier of the at least one application and an identifier of security module resources,
the security module being configured to perform a verification operation of verifying the at least one application by comparing the digest extracted from the received cryptogram with a digest determined by the security module; and
the security module being configured to perform at least one of releasing and blocking access of certain resources of said security module to the at least one application based on the received protection profile,
wherein, the mobile device is configured such that, when the at least one application and the cryptogram are not received at the mobile device at a same time,
the at least one application requests, once the at least one application is loaded into the equipment, the cryptogram from the server, the at least one application requesting the cryptogram from the server at the time of an initialization of the at least one application;
the at least one application transmits the cryptogram to the security module; and
the security module transmits a confirmation message of acceptance or refusal of the cryptogram from the security module to the control server via the at least one application, and
the security module performs the verification operation when the cryptogram is accepted.
- View Dependent Claims (2, 3)
4. A control server for connecting by a network to a mobile device which includes equipment and a security module, the control server comprising:
a processor, the control server being configured to,
receive, via the network, identification data including at least an identifier of the equipment and an identifier of the security module;
analyze and verify the identification data;
create a protection profile based on the analysis and verification, such that the protection profile defines resources of the security module that can be used by at least one application and causes the security module to perform at least one of releasing and blocking access of certain resources of the security module to the at least one application based on the received protection profile;
transmit, from the control server to the mobile device, the protection profile;
transmit, from the control server to the mobile device, an application;
generate, at the control server, a cryptogram such that the cryptogram includes a digest of the at least one application, the identification data, the protection profile and at least one of an identifier of the at least one application and an identifier of security module resources;
transmit, to the mobile device, the cryptogram; and
receive, from the mobile device, an indication of a result of a verification operation that includes comparing the digest included in the transmitted cryptogram and a digest determined by the security module,
wherein the control server is further configured such that, when the at least one application and the cryptogram are not transmitted from the control server to the mobile device at a same time,
the control server receives, from the mobile device, a request requesting the control server to send the cryptogram to the mobile device, the request being received after the control server transmits the at least one application at a time of an initialization of the at least one application at the mobile device; and
the control server receives, at the control server, a confirmation message of acceptance or refusal of the cryptogram from the security module.
- View Dependent Claims (5, 6, 7)
8. A method of operating a mobile device, the mobile device including equipment and a security module, the equipment being connected by a network to a control server, the equipment being connected to the security module, the method comprising:
transmitting, from the mobile device to the control server, via the network, identification data including at least an identifier of the equipment and an identifier of the security module;
receiving, at the mobile device from the control server, a protection profile defining resources of the security module that can be used by at least one application;
receiving, at the equipment from the control server, an application, the at least one application being at least one of loadable and executable via an application execution environment of the equipment, the at least one application being configured to use resources stored in the security module;
receiving, at the mobile device from the control server, a cryptogram, the cryptogram including a digest of the at least one application, the identification data, the protection profile and at least one of an identifier of the at least one application and an identifier of security module resources;
performing a verification operation of verifying, by the security module, the at least one application by comparing the digest extracted from the received cryptogram with a digest determined by the security module;
performing, by the security module, at least one of releasing and blocking access of certain resources of said security module to the at least one application based on the received protection profile; and
when the at least one application and the cryptogram are not received at the mobile device at a same time,
requesting by the at least one application, once the at least one application is loaded into the equipment, the cryptogram from the server, the at least one application requesting the cryptogram from the server at the time of an initialization of the at least one application;
transmitting the cryptogram from the at least one application to the security module; and
transmitting a confirmation message of acceptance or refusal of the cryptogram from the security module to the control server via the at least one application, the verification operation being performed by the security module when the cryptogram is accepted.
- View Dependent Claims (9, 10)
11. A method of operating a control server, the control server being connected by a network to a mobile device, the mobile device including equipment and a security module, the method comprising:
receiving, at the control server from the mobile device, via the network, identification data including at least an identifier of the equipment and an identifier of the security module;
analyzing and verifying, by the control server, the identification data;
creating, at the control server, a protection profile based on the analysis and verification, such that the protection profile defines resources of the security module that can be used by at least one application and causes the security module to perform at least one of releasing and blocking access of certain resources of the security module to the at least one application based on the received protection profile;
transmitting, from the control server to the mobile device, the protection profile;
transmitting, from the control server to the mobile device, an application, the at least one application transmitted by the control server being at least one of loadable and executable via an application execution environment of the equipment, and being configured to use resources stored in the security module;
generating, at the control server, a cryptogram such that the cryptogram includes a digest of the at least one application, the identification data, the protection profile and at least one of an identifier of the at least one application and an identifier of security module resources;
transmitting, from the control server to the mobile device, the cryptogram;
receiving, at the control server from the mobile device, an indication of a result of a verification operation that includes comparing the digest included in the transmitted cryptogram and a digest determined by the security module; and
when the at least one application and the cryptogram are not transmitted from the control server to the mobile device at a same time,
receiving, from the mobile device, a request requesting the control server to send the cryptogram to the mobile device, the request being received after the control server transmits the at least one application at a time of an initialization of the at least one application at the mobile device; and
receiving, at the control server, a confirmation message of acceptance or refusal of the cryptogram from the security module.
- View Dependent Claims (12, 13)
Specification