Enhanced security using service provider authentication

US 9,313,214 B2
Filed: 08/06/2004
Issued: 04/12/2016
Est. Priority Date: 08/06/2004
Status: Active Grant

First Claim

Patent Images

1. An apparatus for processing an application, comprising:

a network interface comprising a receiver for receiving an application suite over a communications network, the application suite including an application, security information associated with the application, and a first carrier identification associated with the application, the first carrier identification identifying a first communication service provider whose customers are intended recipients of the application; and

a hardware processor configured to;

responsive to receiving the application suite, authenticate the security information against a root certificate to determine whether the application is bound to a trusted protection domain;

when the application is bound to a trusted protected domain, compare the first carrier identification to a second carrier identification responsive to receipt of the application suite, the second carrier identification identifying a second communication service provider that is providing communication service to the apparatus, andresponsive to identifying a match between the first and second carrier identifications, assign permissions to the application that provide access to privileged functionality on the apparatus.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method (100) and an apparatus (e.g., a network node (210)) for providing enhanced security using service provider authentication. In addition to authenticating an application signature (245) against a root certificate (235) stored on the network node (210), a first carrier identification (250) associated with the application (240) is compared to a second carrier identification (255). If the first and second carrier identifications match, then the application can be assigned to a trusted protection domain and granted permissions which provide privileged access to the network node. For example, the application can be granted permission to be installed and/or executed on the network node. Otherwise the application can be denied privileged access. Accordingly, a carrier'"'"'s applications will be only installed onto network nodes that are intended recipients of the applications.

Citations

21 Claims

1. An apparatus for processing an application, comprising:
- a network interface comprising a receiver for receiving an application suite over a communications network, the application suite including an application, security information associated with the application, and a first carrier identification associated with the application, the first carrier identification identifying a first communication service provider whose customers are intended recipients of the application; and
  
  a hardware processor configured to;
  
  responsive to receiving the application suite, authenticate the security information against a root certificate to determine whether the application is bound to a trusted protection domain;
  
  when the application is bound to a trusted protected domain, compare the first carrier identification to a second carrier identification responsive to receipt of the application suite, the second carrier identification identifying a second communication service provider that is providing communication service to the apparatus, andresponsive to identifying a match between the first and second carrier identifications, assign permissions to the application that provide access to privileged functionality on the apparatus.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1, wherein said processor further authenticates a signature associated with the application against a root certificate stored in the apparatus.
  - 3. The apparatus of claim 1, wherein the application suite is a Mobile Information Device Profile application (MIDlet) suite and wherein the processor parses the MIDlet suite and identifies the first carrier identification from the parsed MIDlet suite.
  - 4. The apparatus of claim 3, wherein the first carrier identification is identified in at least one file selected from the group consisting of a manifest of an archive file and a descriptor file.
  - 5. The apparatus if claim 3, wherein the first carrier identification is identified in a manifest of an archive file and from a descriptor file.
  - 6. The apparatus of claim 1, wherein the communications network is a wireless communications network.
  - 7. The apparatus of claim 1, wherein the apparatus receives the second carrier identification over the communications network.
  - 8. The apparatus of claim 1, wherein the second carrier identification is retrieved from a data store within the apparatus.
  - 9. The apparatus of claim 8, wherein the data store is a subscriber identity module (SIM) card.

10. A method for providing enhanced security at a mobile communication device that is in communication with a communication network, the method comprising:
- receiving, by a receiver of the mobile communication device from the communications network, an application suite that includes an application, security information associated with the application, and a first carrier identification associated with the application, the first carrier identification identifying a first wireless service provider whose customers are intended recipients of the application, the application being executable by the mobile communication device;
  
  responsive to receiving the application suite, authenticating the security information against a root certificate to determine whether the application is bound to a trusted protection domain;
  
  when the application is bound to a trusted protected domain, subsequent to receiving the application suite, comparing, by the mobile communication device, the first carrier identification to a second carrier identification, the second carrier identification identifying a second wireless service provider that is providing wireless communication service to the mobile communication device; and
  
  responsive to identifying a match between the first carrier identification and the second carrier identification, assigning, by the mobile communication device, permissions to the application to enable the application to access privileged functionality within the mobile communication device.
- View Dependent Claims (11, 12, 13)
- - 11. The method according to claim 10, further comprising:
    - prior to comparing the first carrier identification to the second carrier identification, determining, by the mobile communication device, whether the application is bound to a trusted protection domain; and
      
      wherein the step of comparing comprises;
      
      comparing the first carrier identification to the second carrier identification if the application is bound to a trusted protection domain.
  - 12. The method according to claim 11, wherein the application includes security information, and the method further comprises:
    - storing, by the mobile communication device, the root certificate; and
      
      wherein the step of authenticating the security information against a root certificate comprises;
      
      comparing, by the mobile communication device, the root certificate to the security information to determine whether the application is bound to a trusted protection domain.
  - 13. The method according to claim 10, further comprising:
    - responsive to identifying a mismatch between the first carrier identification and the second carrier identification, denying the application access to privileged functionality within the mobile communication device.

14. A method for providing enhanced security on a network node, the method comprising:
- receiving, by a receiver of the network node, an application suite from a communications network, the application suite including at least one application, security information associated with the at least one application, and a first carrier identification associated with the at least one application, the first carrier identification identifying a first communication service provider whose customers are intended recipients of the at least one application;
  
  responsive to receiving the application suite, authenticating the security information against a root certificate stored on the network node to determine whether the at least one application is bound to a trusted protection domain;
  
  when the at least one application is bound to a trusted protected domain, comparing the first carrier identification to a second carrier identification, the second carrier identification identifying a second communication service provider that is providing communication service to the network node; and
  
  when the first carrier identification matches the second carrier identification, assigning, by the network node, permissions to the at least one application that provide access to privileged functionality on the network node.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method of claim 14, further comprising:
    - when the at least one application is not bounded to a trusted protection domain, denying the at least one application access to privileged functionality on the network node.
  - 16. The method of claim 14, further comprising:
    - when the first carrier identification does not match the second carrier identification, denying the at least one application access to privileged functionality on the network node.
  - 17. The method of claim 14, wherein the second carrier identification is stored on the network node.
  - 18. The method of claim 14, further comprising:
    - responsive to receiving the application suite and prior to comparing the first carrier identification to the second carrier identification,sending, by the network node, a request to a server to provide the second carrier identification, andresponsive to the request, receiving, by the network node, the second carrier identification from the server via the communications network.
  - 19. The method of claim 14, wherein the security information includes a signature associated with the at least one application and wherein authenticating the security information against a root certificate comprises:
    - authenticating the signature against the root certificate.
  - 20. The method of claim 14, wherein the security information includes the first carrier identification.
  - 21. The method of claim 14, wherein the network node is a mobile communication device and wherein the application suite is a Mobile Information Device Profile application (MIDlet) suite, the method further comprising:
    - prior to comparing the first carrier identification to the second carrier identification,parsing the MIDlet suite, andretrieving the first carrier identification from the parsed MIDlet suite.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google Technology Holdings LLC (Alphabet Inc.)
Original Assignee
Google Technology Holdings LLC (Alphabet Inc.)
Inventors
Lin, Jyh-Han, Smith, Ronald R., Zhuang, Ruiqiang, Xiao, Ji
Primary Examiner(s)
Holder, Bradley
Assistant Examiner(s)
Le, Canh

Application Number

US10/913,919
Publication Number

US 20060031941A1
Time in Patent Office

4,267 Days
Field of Search

713156-157, 713/173, 713/175, 713176-177, 713/180, 726 2- 10, 726/17, 726 20- 21, 726 26- 30, 455/411, 709/225, 709/226, 709/227, 709/229
US Class Current

1/1
CPC Class Codes

G06F 21/51   at application loading time...

H04L 2209/80   Wireless

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04W 12/06   Authentication

H04W 12/086   using security domains

Enhanced security using service provider authentication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Enhanced security using service provider authentication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links