Method for secure transfer of an application from a server into a reading device unit

US 9,325,504 B2
Filed: 03/25/2011
Issued: 04/26/2016
Est. Priority Date: 03/29/2010
Status: Active Grant

First Claim

Patent Images

1. A method for secure transfer of an application from a server into a reading device unit with authentication of a user by means of a data carrier unit, the reading device unit being a smart terminal including a security module, and the data carrier unit including an electronic identity token, the server making available the application to the reading device unit, the method comprising the steps:

setting up between the data carrier unit and the server a first cryptographically secured channel based on first cryptographic information;

setting up between the security module of the reading device unit and the server a second cryptographically secured channel based on second cryptographic information, wherein the security module of the reading device unit is a secure application module (SAM), the second cryptographically secured channel being set up between the security module of the reading device unit and the server after the first cryptographically secured channel is set up between the data carrier unit and the server;

transferring the application from the server to the reading device unit via the second cryptographically secured channel;

installing the application on the security module of the reading device unit; and

managing the application by the security module of the reading device unit,wherein the reading device unit is incorporated in a data processing device and the data processing device employs a secure data connection, through a transport layer security, to the server for setting up the first cryptographically secured channel or the second cryptographically secured channel.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and a system for secure transfer of an application from a server (S) into a reading device unit (2) with authentication of a user with a data carrier unit (1), the server (S) making available the application, wherein, between the data carrier unit (1) and the server (S), a first cryptographically secured channel (K1) is set up based on first cryptographic information (A), and between a security module (3) of the reading device unit (2) and the server (S) a second cryptographically secured channel (K2) is set up based on second cryptographic information (B). The application is transferred from the server to the reading device unit via the second cryptographically secured channel (K2).

32 Citations

View as Search Results

20 Claims

1. A method for secure transfer of an application from a server into a reading device unit with authentication of a user by means of a data carrier unit, the reading device unit being a smart terminal including a security module, and the data carrier unit including an electronic identity token, the server making available the application to the reading device unit, the method comprising the steps:
- setting up between the data carrier unit and the server a first cryptographically secured channel based on first cryptographic information;
  
  setting up between the security module of the reading device unit and the server a second cryptographically secured channel based on second cryptographic information, wherein the security module of the reading device unit is a secure application module (SAM), the second cryptographically secured channel being set up between the security module of the reading device unit and the server after the first cryptographically secured channel is set up between the data carrier unit and the server;
  
  transferring the application from the server to the reading device unit via the second cryptographically secured channel;
  
  installing the application on the security module of the reading device unit; and
  
  managing the application by the security module of the reading device unit,wherein the reading device unit is incorporated in a data processing device and the data processing device employs a secure data connection, through a transport layer security, to the server for setting up the first cryptographically secured channel or the second cryptographically secured channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein the application is personalized for the user before the transfer.
  - 3. The method according to claim 1, wherein after the installation of the application, the application is personalized for the user on the security module of the reading device.
  - 4. The method according to claim 1, wherein the data carrier unit negotiates with the server a first cryptographic key via which the first cryptographically secured channel is set up, and the reading device unit negotiates with the server a second cryptographic key via which the second cryptographically secured channel is set up.
  - 5. The method according to claim 1, wherein the server is a signature terminal for electronic identity documents and via secure messaging, setting up, based on a password-based protocol, the first cryptographically secured channel or the second cryptographically secured channel between the signature terminal and the data carrier unit, said data carrier unit comprising an electronic identity document.
  - 6. The method according to claim 1, wherein the data carrier unit is used with a contactless interface, the security module of the reading device unit is used with a contactless interface, the contactless interface of the data carrier unit and of the security module being employed for setting up the first cryptographically secured channel.
  - 7. The method according to claim 1, wherein the security module in the reading device unit is used with a contactless interface or the reading device unit moreover is used with a contact-type interface, the contactless-type interface or the contact-type interface being employed for setting up the first cryptographically secured channel or the second cryptographically secured channel.
  - 8. The method according to claim 1, wherein, the data carrier unit is used with a contactless interface, the security module of the reading device unit is used with a contactless interface, the contactless interface of the data carrier unit and of the security module being employed for setting up the first cryptographically secured channel, wherein the reading device unit is incorporated in a data processing device and the data processing device employs a secure data connection, through a transport layer security, to the server for setting up the first cryptographically secured channel or the second cryptographically secured channel.
  - 9. The method according to claim 1, wherein, the security module in the reading device unit is used with a contactless interface or the reading device unit moreover is used with a contact-type interface, the contactless-type interface or the contact-type interface being employed for setting up the first cryptographically secured channel or the second cryptographically secured channel, and wherein the reading device unit and the security module are connected via the contact-type interface with the data processing device.
  - 10. The method according to claim 1, wherein the application is enabled only by authentication of the user by the data carrier unit at the reading device unit by restricted identification.

11. A system comprising:
- a server, a data carrier, and a reading device, whereinthe reading device is a smart terminal that includes a security module;
  
  the data carrier unit includes an electronic identity token;
  
  the server is configured to make available an application to the reading device unit andthe system is configured so that in the operation of the system;
  
  a first cryptographically is secured channel between a data carrier unit and a server,the first cryptographically secured channel being based on first cryptographic information for the purpose of the authentication of a user by the data carrier unit at the server;
  
  a second cryptographically is secured channel between a security module of a reading device unit and the server, the second cryptographically secured channel being based on second cryptographic information and the security module of the reading device unit being a secure application module (SAM)), the second cryptographically secured channel being set up between the security module of the reading device unit and the server after the first cryptographically secured channel is set up between the data carrier unit and the server;
  
  whereinthe application is transferred from the server to the reading device unit via the second cryptographically secured channel,the application, after the transfer, is installed and managed on the security module of the reading device unit; and
  
  the reading device unit is incorporated in a data processing device and the data processing device employs a secure data connection, through a transport layer security, to the server for setting up the first cryptographically secured channel or the second cryptographically secured channel.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system according to claim 11, wherein the system is configured to carry out a method comprising the steps of:
    - setting up between the data carrier unit and the server a first cryptographically secured channel based on first cryptographic information;
      
      setting up between a security module of the reading device unit and the server a second cryptographically secured channel based on second cryptographic information;
      
      transferring the application from the server to the reading device unit via the second cryptographically secured channel;
      
      installing the application on the security module of the reading device unit; and
      
      managing the application by the security module of the reading device unit.
  - 13. The system according to claim 11, wherein the application is personalized for the user before the transfer.
  - 14. The system according to claim 11, wherein after the installation of the application, the application is personalized for the user on the security module of the reading device.
  - 15. The system according to claim 11, wherein the data carrier unit is configured to negotiate with the server a first cryptographic key via which the first cryptographically secured channel is set up, and the reading device unit negotiates with the server a second cryptographic key via which the second cryptographically secured channel is set up.
  - 16. The system according to claim 11, wherein the server is a signature terminal for electronic identity documents and via secure messaging, setting up, based on a password-based protocol, the first cryptographically secured channel or the second cryptographically secured channel between the signature terminal and the data carrier unit, said data carrier unit comprising an electronic identity document.
  - 17. The system according to claim 11, wherein the data carrier unit is used with a contactless interface, the security module of the reading device unit is used with a contactless interface, the contactless interface of the data carrier unit and of the security module being employed for setting up the first cryptographically secured channel.
  - 18. The system according to claim 11, wherein the security module in the reading device unit is used with a contactless interface or the reading device unit moreover is used with a contact-type interface, the contactless-type interface or the contact-type interface being employed for setting up the first cryptographically secured channel or the second cryptographically secured channel.
  - 19. The system according to claim 11, wherein, the data carrier unit is used with a contactless interface, the security module of the reading device unit is used with a contactless interface, the contactless interface of the data carrier unit and of the security module being employed for setting up the first cryptographically secured channel, wherein the reading device unit is incorporated in a data processing device and the data processing device employs a secure data connection, through a transport layer security, to the server for setting up the first cryptographically secured channel or the second cryptographically secured channel.
  - 20. The system according to claim 11, wherein, the security module in the reading device unit is used with a contactless interface or the reading device unit moreover is used with a contact-type interface, the contactless-type interface or the contact-type interface being employed for setting up the first cryptographically secured channel or the second cryptographically secured channel, and wherein the reading device unit and the security module are connected via the contact-type interface with the data processing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Giesecke + Devrient Mobile Security GmBH (Giesecke & Devrient GmbH)
Original Assignee
Giesecke & Devrient GmbH
Inventors
Weiss, Dieter, Meister, Gisela, Eichholz, Jan, Gawlas, Florian
Primary Examiner(s)
Pyzocha, Michael

Application Number

US13/637,835
Publication Number

US 20130031357A1
Time in Patent Office

1,859 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 9/3215   using a plurality of channe...

H04L 9/3234   involving additional secure...

Method for secure transfer of an application from a server into a reading device unit

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method for secure transfer of an application from a server into a reading device unit

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links