Security apparatus session sharing

US 9,760,704 B2
Filed: 05/23/2014
Issued: 09/12/2017
Est. Priority Date: 05/23/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing, by a first application executing on an electronic device, a session with a security apparatus physically coupled to the electronic device upon receiving a valid security string to unlock the security apparatus, wherein the security apparatus comprises a smart card;

receiving, by the first application, a token in response to unlocking the security apparatus, the token enabling the first application to utilize the security apparatus;

providing, by the first application, the token to a second application executing on the electronic device using a file system on the electronic device in response to identifying the second application on a whitelist indicating that the first application is allowed to share the token with the second application, wherein the token authenticates the second application with the security apparatus, wherein the token is shared with a plurality of applications on the whitelist through the file system on the electronic device, and wherein the file system is accessible to the applications on the whitelist that are allowed to share the token; and

invalidating the token in response to locking the security apparatus, wherein the security apparatus is locked at least upon a power reset of the electronic device.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An electronic device includes multiple applications that can access a smart card or other security apparatus. A first application that is to use the security apparatus prompts a user for a security string such as a PIN or password. Upon receipt of the PIN or password, the first application unlocks the security apparatus for use. Additionally, the first application receives a token from a security service that interfaces with the security apparatus. The token can be shared by the first application with other applications. For example, the first application can share the token with other trusted applications. The other applications that receive the token can refrain from issuing a prompt for a security string and receiving a response from the user. The token can be used instead of the security string to obtain access to the security apparatus.

55 Citations

View as Search Results

21 Claims

1. A method comprising:
- establishing, by a first application executing on an electronic device, a session with a security apparatus physically coupled to the electronic device upon receiving a valid security string to unlock the security apparatus, wherein the security apparatus comprises a smart card;
  
  receiving, by the first application, a token in response to unlocking the security apparatus, the token enabling the first application to utilize the security apparatus;
  
  providing, by the first application, the token to a second application executing on the electronic device using a file system on the electronic device in response to identifying the second application on a whitelist indicating that the first application is allowed to share the token with the second application, wherein the token authenticates the second application with the security apparatus, wherein the token is shared with a plurality of applications on the whitelist through the file system on the electronic device, and wherein the file system is accessible to the applications on the whitelist that are allowed to share the token; and
  
  invalidating the token in response to locking the security apparatus, wherein the security apparatus is locked at least upon a power reset of the electronic device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the first application and the second application are associated with an operating system domain of the electronic device, the electronic device comprising a mobile communications device.
  - 3. The method of claim 1, further comprising:
    - issuing, by the second application, a request for a security operation to be performed on the security apparatus, the request including the token.
  - 4. The method of claim 1, further comprising:
    - receiving a request to close the session; and
      
      locking the security apparatus in response to closing the session.
  - 5. The method of claim 4, further comprising:
    - establishing, by the first application or the second application, a new session with the smart card upon receiving the valid security string to unlock the smart card; and
      
      generating a new token by a security service executing on the electronic device, wherein the new token is generated in response to the smart card validating the security string.
  - 6. The method of claim 1, further comprising:
    - receiving, by the first application, the security string responsive to the first application prompting a user of the electronic device to input the security string; and
      
      providing the security string to the security apparatus.
  - 7. The method of claim 6, wherein the second application uses the token instead of the security string to obtain access to the security apparatus while the security apparatus is unlocked, and wherein the security apparatus is locked when the token has expired or upon the power reset of the electronic device.
  - 8. The method of claim 1, wherein the electronic device receives the whitelist from an administrator of a corporate network.

9. A non-transitory machine readable storage medium having stored thereon executable instructions for causing one or more processors to perform operations comprising:
- establishing, by a first application executing on an electronic device, a session with a security apparatus physically coupled to the electronic device upon receiving a valid security string to unlock the security apparatus, wherein the security apparatus comprises a smart card;
  
  receiving, by the first application, a token in response to unlocking the security apparatus, the token enabling the first application to utilize security apparatus;
  
  providing, by the first application, the token to a second application executing on the electronic device using a file system on the electronic device in response to identifying the second application on a whitelist indicating that the first application is allowed to share the token with the second application, wherein the token authenticates the second application with the security apparatus, wherein the token is shared with a plurality of applications on the whitelist through the file system on the electronic device, and wherein the file system is accessible to the applications on the whitelist that are allowed to share the token; and
  
  invalidating the token in response to locking the security apparatus, wherein the security apparatus is locked at least upon a power reset of the electronic device.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The non-transitory machine readable storage medium of claim 9, wherein the first application and the second application are associated with an operating system domain of the electronic device, the electronic device comprising a mobile communications device.
  - 11. The non-transitory machine readable storage medium of claim 9, wherein the operations further comprise:
    - issuing, by the second application, a request for a security operation to be performed on the security apparatus, the request including the token.
  - 12. The non-transitory machine readable storage medium of claim 11, wherein the operations further comprise receiving a response to the security operation from the security apparatus in response to validating the token.
  - 13. The non-transitory machine readable storage medium of claim 9, wherein the operations further comprise:
    - receiving a request to close the session; and
      
      locking the security apparatus in response to closing the session.
  - 14. The non-transitory machine readable storage medium of claim 13, wherein the operations further comprise:
    - establishing, by the first application or the second application, a new session with the smart card upon receiving the valid security string to unlock the smart card; and
      
      generating a new token by a security service executing on the electronic device, wherein the new token is generated in response to the smart card validating the security string.
  - 15. The non-transitory machine readable storage medium of claim 9, wherein the operations further comprise:
    - receiving, by the first application, the security string responsive to the first application prompting a user of the electronic device to input the security string; and
      
      providing the security string to the security apparatus.

16. An apparatus comprising:
- one or more processors; and
  
  a non-transitory machine readable storage medium communicably coupled to the one or more processors, the non-transitory machine readable storage medium configured to store instructions, that when executed by the one or more processors cause the apparatus to;
  
  establish, by a first application, a session with a security apparatus upon receiving a valid security string to unlock the security apparatus, wherein the security apparatus comprises a smart card physically coupled to the electronic device;
  
  receive, by the first application, a token in response to unlocking the security apparatus, the token enabling the first application to utilize the security apparatus;
  
  provide, by the first application, the token to a second application using a file system on the apparatus in response to identifying the second application on a whitelist indicating that the first application is allowed to share the token with the second application, wherein the token authenticates the second application with the security apparatus, wherein the token is shared with a plurality of applications on the whitelist through the file system on the apparatus, and wherein the file system is accessible to the applications on the whitelist that are allowed to share the token; and
  
  invalidate the token in response to locking the security apparatus, wherein the security apparatus is locked at least upon a power reset of the electronic device.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The apparatus of claim 16, wherein the first application and the second application are associated with an operating system domain of the apparatus, the apparatus comprising a mobile communications device.
  - 18. The apparatus of claim 17, wherein the first application comprises a domain manager for the operating system domain.
  - 19. The apparatus of claim 16, wherein the session is shared by the first application and the second application.
  - 20. The apparatus of claim 16, wherein the instructions further cause the apparatus to:
    - receive, by the first application, the security string responsive to the first application prompting a user of the apparatus to input the security string; and
      
      receive, by the first application, the token from a security service, wherein the token is generated in response to the security apparatus validating the security string.
  - 21. The apparatus of claim 20, wherein the security string comprises a Personal Identification Number (PIN), and wherein the token comprises a 256 bit key generated by a secure pseudo random number generator (PRNG).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Blackberry Limited
Inventors
Sherkin, Alexander
Primary Examiner(s)
LYNCH, SHARON S

Application Number

US14/286,766
Publication Number

US 20150339473A1
Time in Patent Office

1,208 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/34 involving the use of extern...

G06F 21/44 Program or device authentic...

Security apparatus session sharing

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Security apparatus session sharing

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links