Uniform framework for security tokens

US 20040123152A1
Filed: 04/01/2003
Published: 06/24/2004
Est. Priority Date: 12/18/2002
Status: Abandoned Application

First Claim

Patent Images

1. A uniform security applications architecture for deployment in a security token comprising:

a plurality of security applications functionally coupled to a shareable interface; and

a security domain control services application operatively coupled to a runtime operating environment and including said sharable interface, one or more security policies associated with each of said plurality of security applications and control means for controlling said plurality of security applications by enforcement of said one or more security policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention provides a security token architecture which supports modular security application installations without loss of existing data or requiring the reinstallation of existing applications served by the security application modules. The architecture is compliant with the international standard ISO/IEC 7816-4, “Information technology—Identification tokens—Integrated circuit(s) tokens with contacts—Part 4: Interindustry commands for interchange.” An application is integrated into a security domain which serves as a centralized security applications programming interface between one or more token service applications and a series of security application modules. The API provides a more uniform security application interface which improves overall interoperability of the modular security applications and simplifies security application development. The API provides a separate shareable interface which facilitates changes in security applications without disruption of existing application dependencies and allows customization of security properties associated with the installed security applications.

107 Citations

View as Search Results

62 Claims

1. A uniform security applications architecture for deployment in a security token comprising:
- a plurality of security applications functionally coupled to a shareable interface; and
  
  a security domain control services application operatively coupled to a runtime operating environment and including said sharable interface, one or more security policies associated with each of said plurality of security applications and control means for controlling said plurality of security applications by enforcement of said one or more security policies.
- View Dependent Claims (3, 4, 5, 11, 12, 13)
- - 3. The uniform security applications architecture according to claim 1 or 2 wherein said security domain control services application includes a predefined architecture associated with said shareable interface.
  - 4. The uniform security applications architecture according to claim 3 wherein at least one of said plurality of security applications includes means for manipulating said plurality of security parameters.
  - 5. The uniform security applications architecture according to claim 4 wherein manipulation of said plurality of security parameters facilitates at least the addition, replacement or removal of any of said plurality of security applications without disruption of said predefined architecture.
  - 11. The uniform security applications architecture according to claim 1, 2 or 6 further including a plurality of interface modules, wherein said plurality of interface modules are incorporated into each of said plurality of security applications.
  - 12. The uniform security applications architecture according to claim 11, wherein said plurality of interface modules are linked to said plurality of security applications at time of installation.
  - 13. The uniform security applications architecture according to claim 11, wherein said plurality of interface modules are separate modules functionally coupled to said plurality of security applications.

2. A uniform security applications architecture for deployment in a security token comprising:
- a plurality of security applications functionally coupled to a security domain control services application through a shareable interface, one or more security policies readable by said security domain control services application and associated with each of said plurality of security applications, and said security domain control services application operatively coupled to a runtime operating environment and including control means for reading and controlling said plurality of security applications by enforcement of said one or more security policies.

6. A uniform security applications architecture for deployment in a security token comprising:
- a security domain control services application functionally coupled to a plurality of security applications through a shareable interface, said security domain control services application including at least one registry and a predefined architecture associated with said shareable interface;
  
  said at least one registry including a plurality of security parameters associated with each of said plurality of security applications; and
  
  at least one of said plurality of security applications executable to manipulate said plurality of security parameters, wherein manipulation of said plurality of security parameters facilitates at least the addition, replacement or removal of any of said plurality of security applications without disruption of said predefined architecture.
- View Dependent Claims (7, 8, 9, 10, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 54, 55, 56, 57, 58)
- - 7. The uniform security applications architecture according to claim 6 further including one or more logic based rules associated with each of said plurality of security applications.
  - 8. The uniform security applications architecture according to claim 7 wherein the aggregate of said one or more logic based rules and said plurality of security parameters comprises one or more security policies.
  - 9. The uniform security applications architecture according to claim 8 wherein said security domain control services application further includes means for enforcing said one or more security policies.
  - 10. The uniform security applications architecture according to claim 9 wherein said one or more security policies controls at least one functional aspect of each of said plurality of security applications.
  - 14. The uniform security applications architecture according to claim 8 wherein said plurality of security applications includes at least one token services application, at least one token administrative services application and at least one token security services application.
  - 15. The uniform security applications architecture according to claim 14 wherein said at least one of said one or more security applications is incorporated into said security domain control application.
  - 16. The uniform security applications architecture according to claim 14 wherein the functionality of said at least one token services application includes secure storage, public key infrastructure cryptography, application loading or electronic wallet.
  - 17. The uniform security applications architecture according to claim 14 wherein the functionality of said at least one token administrative services application includes configuration or management of said one or more associated security policies.
  - 18. The uniform security applications architecture according to claim 17 wherein the functionality of said at least one token administrative services application further includes management of one or more accounting policies, management of token security state or overall token security control.
  - 19. The uniform security applications architecture according to claim 14 wherein the functionality of said at least one token security services application includes authentication, authorization, token unlock or secure messaging.
  - 20. The uniform security applications architecture according to claim 8 wherein said one or more logic based rules includes at least one set of access control rules.
  - 21. The uniform security applications architecture according to claim 8 wherein said one or more logic based rules includes at least one set of lock control rules.
  - 22. The uniform security applications architecture according to claim 8 wherein said one or more logic based rules includes at least one set of unlock control rules.
  - 23. The uniform security applications architecture according to claim 8 wherein said one or more logic based rules includes at least one set of security control methods.
  - 24. The uniform security applications architecture according to claim 8 wherein said one or more logic based rules includes at least one set of authorization methods.
  - 25. The uniform security applications architecture according to claim 18 wherein said one or more accounting policies are included in at least one accounting data file.
  - 26. The uniform security applications architecture according to claim 8 wherein said one or more associated security policies includes at least one access control rule and at least one unique service identifier.
  - 27. The uniform security applications architecture according to claim 26 wherein said one or more associated security policies further includes one or more of the following of said plurality of security parameters:
    - at least one unique credential identifier, a security state flag associated with said at least one unique credential identifier, at least one cryptographic key unique identifier and a session active flag associated with said at least one cryptographic key unique identifier.
  - 28. The uniform security applications architecture according to claim 27 wherein said plurality of security parameters further includes one or more of the following security parameters:
    - service type, enablement flag, functional control element, credential descriptor, security state flag, attempted access counter, maximum attempt limit, lock status flag, expired status flag, maximum usage limit, current use counter, lock rule identifier, key descriptor, an active session flag, an instruction step.
  - 29. The uniform security applications architecture according to claim 8 wherein said security domain control application is coded in a native language of said security token.
  - 30. The uniform security applications architecture according to claim 8 wherein said one or more security policies controls an association between at least one of said plurality of security applications with either cryptographic keys or credentials.
  - 31. The uniform security applications architecture according to claim 8 wherein said security domain control application is coded in a high level language.
  - 54. The uniform security applications architecture according to claim 8 wherein said plurality of security parameters includes an enablement flag alterable by at least one of said plurality of security applications.
  - 55. The uniform security applications architecture according to claim 8 wherein said plurality of security parameters includes at least one functional control element, said functional control element operable for control at least one functional aspect of at least one of said plurality of security applications.
  - 56. The uniform security applications architecture according to claim 8 wherein said one or more security policies further comprises:
    - at least one of security control method including one or more parameters readable by a token security services application for determining which credential or cryptographic key is to be used in conjunction with at least one access control rule, and said at least one access control rule including one or more logic based rules associated with said token security services application.
  - 57. The uniform security applications architecture according to claim 8 wherein said one or more security policies further comprise at least one authorization method for evaluating a parameter for an operational limitation.
  - 58. The uniform security applications architecture according to claim 57 wherein said parameter is either internal to said security token or received from an external host.

32. A method for functionally installing a security application inside a security token comprising the steps of:
- a. functionally receiving a security domain control services application downloadable, b. receiving a security application downloadable, c. registering said security application downloadable with said security domain control services application downloadable, d. configuring one or more security policies for said security application downloadable, and e. setting at one or more security states for said security application downloadable.
- View Dependent Claims (33, 34)
- - 33. The method for functionally installing a security application inside a security token according to claim 32 further comprising;
    - a. repeating steps 32.b.-32.e. if additional security application downloadables are to be installed.
  - 34. The method according to claim 32 further comprising:
    - a. registering said security domain control services downloadable with another security domain control services application.

35. A method for initializing a security application functionally installed inside a security token comprising the steps of:
- a. performing an authentication in accordance with one or more associated security control methods, and b. setting an authentication state.
- View Dependent Claims (36, 37, 38)
- - 36. The method according to claim 35 further comprising the steps of:
    - a. determining if a secure messaging session is required by one or more associated security policies, b. establishing a secure messaging session in accordance with said one or more associated security control methods, and c. setting a secure messaging state required by said one or more associated security policies.
  - 37. The method according to claim 35 or 36 further comprising the step of:
    - a. validating authorization parameters in accordance with one or more associated authorization rules.
  - 38. The method according to claim 37 further comprising the step of:
    - a. recording transaction accounting data in accordance with one or more associated accounting policies.

39. A method for using a security application functionally installed inside a security token comprising the steps of:
- a. executing a security application, b. verifying that said security application is enabled, c. verifying that a functional control element of said security application is enabled, d. retrieving one or more security policies associated with said security application, and e. validating said one or more security policies.

40. A computer program product embodied in a tangible form readable by a processor having executable instructions stored thereon for installing a security application, said executable instructions comprising:
- a. causing a security domain control services application downloadable to be received by a security token, b. causing a security application downloadable to be received by said security token, c. causing said security application downloadable to be registered with said security domain control services application downloadable, d. causing configuration parameters of one or more security policies to be established in a registry for said security application downloadable, and e. causing one or more security states to be set for said security application downloadable.
- View Dependent Claims (41)
- - 41. The computer program product according to claim 40 further comprising the step of:
    - a. causing steps 40.b.-40.e. to be repeated for any additional security application downloadables to be installed.

42. A computer program product embodied in a tangible form readable by a processor having executable instructions stored thereon for initializing a security application, said executable instructions comprising:
- a. causing an authentication to be performed an in accordance with one or more associated security control methods, and b. causing an authentication state to be set.
- View Dependent Claims (43, 44, 45)
- - 43. The computer program product according to claim 42 further comprising the step of:
    - a. causing the determination of a secure messaging session requirement using said one or more associated security control methods. b. causing a secure messaging session to be established if required by one or more associated security policies, and c. causing a secure messaging state to be set if required by said one or more associated security policies.
  - 44. The computer program product according to claim 42 or 43 further comprising the step of:
    - a. causing the validation of one or more authorization parameters in accordance with one or more associated authorization rules.
  - 45. The computer program product according to claim 44 further comprising the step of:
    - a. causing transaction accounting data to be recorded in accordance with one or more associated accounting policies.

46. A computer program product embodied in a tangible form readable by a processor having executable instructions stored thereon for causing execution of a security application, said executable instructions comprising:
- a. causing an execution of a security application, b. causing an enablement verification of said security application, c. causing an enablement verification of a functional control element associated with said security application, d. causing a retrieval of one or more security policies associated with said security application, and e. causing a validation of said one or more security policies.

47. A uniform security applications architecture for deployment in a security token comprising:
- a security domain control services application including control means for controlling at least one functional aspect of a security application, a set of security policies having a functional relationship to said security application and readable by said security domain control services application, wherein said set of security policies are read by said control means for controlling said at least one functional aspect of a security application.

48. A uniform security applications architecture for deployment in a security token comprising:
- a security domain control services application including control means for controlling at least one functional aspect of a security application and a sharable interface functionally linked to at least one security application, a set of security policies having a functional relationship to said at least one security application and readable by said security domain control services application, wherein said set of security policies are read by said control means for controlling said link to said sharable interface.

49. A uniform security applications architecture for deployment in a security token comprising:
- a security domain control services application including a sharable interface and install means for installing at least one security application, wherein said install means includes means for performing an operation which functionally links said at least one security application to said sharable interface.
- View Dependent Claims (53)
- - 53. The uniform security applications architecture according to claim 49, 50, 51 or 52 wherein said operation is specific to said at least one security application.

50. A uniform security applications architecture for deployment in a security token comprising:
- a security domain control services application including a sharable interface and uninstall means for uninstalling at least one security application, wherein said uninstall means includes means for performing an operation which functionally unlinks said at least one security application from said sharable interface.

51. A uniform security application architecture for deployment in a security token comprising:
- a security domain control services application including a sharable interface, a registry and install means for installing at least one security application, wherein said install means includes means for performing an operation which functionally links said at least one security application to said sharable interface and registers said security application in said registry.

52. A uniform security applications architecture for deployment in a security token comprising:
- a security domain control services application including a sharable interface, a registry and uninstall means for uninstalling at least one security application, wherein said uninstall means includes means for performing an operation which functionally unlinks said at least one security application from said sharable interface and unregisters said security application from said registry.

59. A uniform security applications architecture for deployment in a security token comprising:
- a set of security policies readable by a security domain control services application, wherein said set of security policies includes prerequisite information associated with a token services application for performing a token service;
  
  said token services application having a functional relationship to said security domain control services application, said token services application including means for;
  
  receiving a request for services, sending a permissive request to perform said token service to said security domain control services application, receiving a determinative response from said security domain control services application determinative for performance of said token service, and performing a token service in accordance with at least a portion of said set of security policies. said security domain control services application including means for;
  
  receiving said permissive request sent from said token services application, determining applicable security policies for said permissive request, enforcing said set of security policies, and returning said determinative response to said token services application.
- View Dependent Claims (60, 61, 62)
- - 60. The system according to claim 59 wherein said permissive request includes at least one instruction step.
  - 61. The system according to claim 59 wherein said determinative response includes an address for a token security services application.
  - 62. The system according to claim 61 wherein said token services application further includes means for communicating directly with said token security services application in accordance with said at least a portion of said set of security policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ActivCard Co.
Original Assignee
ActivCard Co.
Inventors
Le Saint, Eric

Application Number

US10/402,960
Publication Number

US 20040123152A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/604   Tools and structures for ma...

G06F 21/77   in smart cards

G07F 7/02   by keys or other credit reg...

Uniform framework for security tokens

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

107 Citations

62 Claims

Specification

Solutions

Use Cases

Quick Links

Uniform framework for security tokens

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

62 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links