Apparatus and method for secure delivery of data from a communication device

US 9,560,025 B2
Filed: 07/08/2016
Issued: 01/31/2017
Est. Priority Date: 11/27/2013
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-readable storage device comprising executable instructions which, responsive to being executed by a secure device processor of a mobile communication device, cause the secure device processor to perform operations comprising:

receiving a user credential via a user interface;

providing the user credential to a secure element of the mobile communication device;

receiving a user authentication from the secure element based on the user credential;

responsive to the receiving of the user authentication, receiving an upload transport key and a data protection key from the secure element without receiving master keys, wherein the secure element stores master keys from which the upload transport key and the data protection key are generated by the secure element, wherein the secure element receives the master keys over a network from a remote management server;

responsive to an upload request, obtaining data for transmission to a recipient device;

encrypting the data using the data protection key to generate a single encrypted data; and

encrypting the single encrypted data using the upload transport key to generate a double encrypted data,wherein the mobile communication device comprises a mobile processor device that facilitates wireless communications by the secure device processor and by the secure element, andwherein the mobile processor device, the secure element and the secure device processor are physically separated components that are housed in the mobile communication device and are in communication with each other,wherein the secure device processor and the secure element perform a mutual authentication with each other utilizing a keyset received via the remote management server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system that incorporates the subject disclosure may perform, for example, providing an upload request to a mobile communication device to cause a secure device processor of the mobile communication device to perform a modification of data according to a data protection key to generate modified data and to perform an encryption of the modified data according to an upload transport key to generate encrypted modified data where the secure device processor is separate from and in communication with a secure element of the mobile communication device, and where the secure element receives master keys from a remote management server and stores the master keys to enable the upload transport key and the data protection key to be generated by the secure element without providing the master keys to the secure device processor. Other embodiments are disclosed.

147 Citations

20 Claims

1. A computer-readable storage device comprising executable instructions which, responsive to being executed by a secure device processor of a mobile communication device, cause the secure device processor to perform operations comprising:
- receiving a user credential via a user interface;
  
  providing the user credential to a secure element of the mobile communication device;
  
  receiving a user authentication from the secure element based on the user credential;
  
  responsive to the receiving of the user authentication, receiving an upload transport key and a data protection key from the secure element without receiving master keys, wherein the secure element stores master keys from which the upload transport key and the data protection key are generated by the secure element, wherein the secure element receives the master keys over a network from a remote management server;
  
  responsive to an upload request, obtaining data for transmission to a recipient device;
  
  encrypting the data using the data protection key to generate a single encrypted data; and
  
  encrypting the single encrypted data using the upload transport key to generate a double encrypted data,wherein the mobile communication device comprises a mobile processor device that facilitates wireless communications by the secure device processor and by the secure element, andwherein the mobile processor device, the secure element and the secure device processor are physically separated components that are housed in the mobile communication device and are in communication with each other,wherein the secure device processor and the secure element perform a mutual authentication with each other utilizing a keyset received via the remote management server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-readable storage device of claim 1, wherein the upload request is received from a user input received at the mobile communication device.
  - 3. The computer-readable storage device of claim 1, wherein the upload request is received from the recipient device, another communication device, an application being executed by the mobile communication device, or a user input received at the mobile communication device.
  - 4. The computer-readable storage device of claim 1, wherein the secure element comprises a universal integrated circuit card, and wherein the operations further comprise:
    - facilitating establishing a communication channel with the recipient device; and
      
      providing the double encrypted data over the communication channel to the recipient device to enable the recipient device to perform a first decryption of the double encrypted data utilizing a corresponding upload transport key.
  - 5. The computer-readable storage device of claim 4, wherein the recipient device is one of an end user device or an application server, andwherein the recipient device receives, from the remote management server, the corresponding upload transport key or a master transport key for deriving the corresponding upload transport key.
  - 6. The computer-readable storage device of claim 1, wherein the recipient device is a removable memory device having a connection port to enable a physical coupling with the mobile communication device, and wherein the operations further comprise:
    - providing the double encrypted data to the removable memory device via the connection port to enable the recipient device to be removed from the mobile communication device and subsequently coupled with an end user device for transmission of the double encrypted data to the end user device to enable the end user device to perform a first decryption of the double encrypted data utilizing a corresponding upload transport key.

7. A communication device, comprising:
- a mobile processing device comprising a control element to control a transceiver of the communications device;
  
  a secure element having a secure element memory that stores first executable instructions that, when executed by the secure element, facilitate performance of first operations, comprising;
  
  receiving master keys over a network from a remote management server;
  
  storing the master keys in the secure element memory; and
  
  generating an upload transport key and a data protection key from the master keys;
  
  a secure device processor comprising a secure device processor memory that stores second executable instructions that, when executed by the secure device processor, facilitate performance of second operations, comprising;
  
  receiving the upload transport key and the data protection key from the secure element without receiving the master keys;
  
  responsive to an upload request, obtaining data for transmission to a recipient device;
  
  modifying the data using the data protection key to generate a modified data;
  
  encrypting the modified data using the upload transport key to generate an encrypted modified data; and
  
  deleting the upload transport key and the data protection key after the modifying the data and the encrypting the modified data,wherein the secure device processor, the secure element and the mobile processing device are separate components in communication with each other and are housed in the communication device, and wherein the secure device processor and the secure element perform a mutual authentication with each other utilizing a keyset received via the remote management server.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The communication device of claim 7, wherein the first operations further comprise:
    - receiving a request from the secure device processor for the upload transport key and the data protection key, wherein the generating of the upload transport key and the data protection key is in response to the request from the secure device processor; and
      
      wherein the second operations further comprise;
      
      providing the upload transport key, the data protection key, and the encrypted modified data to the recipient device.
  - 9. The communication device of claim 7, further comprising a device processor that is separate from the secure device processor and in communication with the secure device processor, wherein the device processor facilitates wireless communications between the communication device and the recipient device, wherein the secure element comprises a universal integrated circuit card, and wherein the modifying of the data to generate the modified data comprises adding additional information to the data and applying another encryption.
  - 10. The communication device of claim 9, wherein the first executable instructions are provisioned to the secure element memory and the second executable instructions are provisioned to the secure device processor memory from the remote management server utilizing a remote management keyset, and wherein the additional information includes permissions, authentication data or a combination thereof.
  - 11. The communication device of claim 7, further comprising a user interface, wherein the second operations further comprise:
    - receiving a user credential via the user interface;
      
      providing the user credential to the secure element;
      
      receiving a user authentication from the secure element; and
      
      requesting the upload transport key and the data protection key from the secure element in response to the receiving of the user authentication.
  - 12. The communication device of claim 7, wherein the upload request is received from the recipient device, another communication device, an application being executed by the communication device, or a user input received at the communication device,wherein the secure element comprises a universal integrated circuit card, and wherein the second operations further comprise:
    - providing the encrypted modified data over a communication channel to the recipient device to enable the recipient device to perform a decryption of the encrypted modified data utilizing a corresponding upload transport key.
  - 13. The communication device of claim 12, wherein the recipient device is one of an end user device or an application server, and wherein the recipient device receives from the remote management server a corresponding upload transport key or a master transport key for deriving the corresponding upload transport key.
  - 14. The communication device of claim 7, wherein the recipient device is a removable memory device having a connection port to enable a physical coupling with the communication device, and wherein the second operations further comprise:
    - providing the encrypted modified data to the removable memory device via the connection port to enable the recipient device to be removed from the communication device and subsequently coupled with an end user device for transmission of the encrypted modified data to the end user device to enable the end user device to perform a decryption of the encrypted modified data utilizing a corresponding upload transport key.

15. A method, comprising:
- receiving, by a server from a secure device processor of a mobile communication device, double encrypted data, wherein the double encrypted data is generated from data based on a data protection key that generates a single encrypted data and a second encryption of the single encrypted data according to an upload transport key, wherein the secure device processor is separate from and in communication with a secure element of the mobile communication device, wherein the secure element and the secure device processor are separate components in communication with each other and housed in the mobile communication device, wherein the secure element receives master keys over a network from a remote management server and stores the master keys to enable the upload transport key and the data protection key to be generated by the secure element without providing the master keys to the secure device processor;
  
  obtaining, by the server, a corresponding upload transport key;
  
  decrypting, by the server, the double encrypted data utilizing the corresponding upload transport key to obtain the single encrypted data; and
  
  storing, by the server, the single encrypted data in a memory accessible to the server, wherein the secure device processor and the secure element perform a mutual authentication with each other utilizing a keyset received via the remote management server.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein the obtaining of the corresponding upload transport key comprises:
    - receiving, by the server from the remote management server, a master transport key;
      
      generating, by the server, the corresponding upload transport key from the master transport key; and
      
      deleting, by the server, the corresponding upload transport key after the decrypting of the double encrypted data.
  - 17. The method of claim 15, wherein the obtaining of the corresponding upload transport key comprises receiving, by the server from the remote management server, the corresponding upload transport key, and further comprising:
    - deleting, by the server, the corresponding upload transport key after the decrypting of the double encrypted data.
  - 18. The method of claim 15, wherein the server does not have access to a corresponding data protection key for decrypting the single encrypted data, and further comprising:
    - receiving, by the server from the mobile communication device, a download request associated with the data;
      
      generating, by the server, a second upload transport key from a master transport key received from the remote management server, wherein the obtaining of the corresponding upload transport key comprises deriving, by the server, the corresponding upload transport key from the master transport key;
      
      encrypting, by the server, the single encrypted data using the second upload transport key to generate the double encrypted data; and
      
      providing, by the server, the double encrypted data to the mobile communication device to enable the secure device processor to decrypt the double encrypted data utilizing a corresponding second transport key generated by the secure element from the master keys without providing the master keys to the secure device processor.
  - 19. The method of claim 15, comprising:
    - receiving, by the server from the remote management server, a master protection key;
      
      storing, by the server, the master protection key;
      
      generating, by the server, a corresponding data protection key from the master protection key;
      
      decrypting, by the server, the single encrypted data utilizing the corresponding data protection key to obtain the data; and
      
      deleting, by the server, the corresponding data protection key after the decrypting of the single encrypted data.
  - 20. The method of claim 15, comprising:
    - receiving, by the server from the remote management server, a corresponding data protection key;
      
      decrypting, by the server, the single encrypted data utilizing the corresponding data protection key to obtain the data; and
      
      deleting, by the server, the corresponding data protection key after the decrypting of the single encrypted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Chastain, Walter Cooper, Chin, Stephen Emille
Primary Examiner(s)
Okeke, Izunna

Application Number

US15/205,402
Publication Number

US 20160323255A1
Time in Patent Office

207 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2463/061   applying further key deriva...

H04L 63/0478   applying multiple layers of...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0869   for achieving mutual authen...

H04L 9/0877   using additional device, e....

Apparatus and method for secure delivery of data from a communication device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

147 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for secure delivery of data from a communication device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

147 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links