Key storage administration

US 8,301,911 B2
Filed: 07/06/2004
Issued: 10/30/2012
Est. Priority Date: 07/04/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

allocating a storage area configured to store data for an application of a multiple of applications within a secure environment of a device to which access is restricted;

associating the storage area with an application identity of said application of said multiple applications to generate an associated identity, wherein said application identity of said application of said multiple of applications is generated by the device;

storing the associated identity within the secure environment; and

controlling access to the storage area by verifying correspondence between the associated identity and an accessing application identity so that only said application of said multiple applications can access the storage area;

wherein the application identity of said application is a digital signature created based on a private key, the digital signature being attached to said application, and the verification of the application identity is performed by verifying the digital signature with a public key that corresponds to said private key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to a method and a system for allowing multiple applications to manage their respective data in a device (100, 200) having a secure environment (104, 204, 211) to which access is strictly controlled. The idea of the invention is that a storage area is allocated (301) within the secure environment (104, 204, 211) of a device (100, 200). The storage area is associated (302) with an identity of an application, the associated identity is stored (303) in the secure environment (104, 204, 211) and access to the storage area is controlled (304) by verifying correspondence between the associated identity and the identity of an accessing application. This is advantageous, since it is possible for the accessing application to read, write and modify objects, such as cryptographic keys, intermediate cryptographic calculation results and passwords, in the allocated storage area.

11 Citations

12 Claims

1. A method comprising:
- allocating a storage area configured to store data for an application of a multiple of applications within a secure environment of a device to which access is restricted;
  
  associating the storage area with an application identity of said application of said multiple applications to generate an associated identity, wherein said application identity of said application of said multiple of applications is generated by the device;
  
  storing the associated identity within the secure environment; and
  
  controlling access to the storage area by verifying correspondence between the associated identity and an accessing application identity so that only said application of said multiple applications can access the storage area;
  
  wherein the application identity of said application is a digital signature created based on a private key, the digital signature being attached to said application, and the verification of the application identity is performed by verifying the digital signature with a public key that corresponds to said private key.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, wherein the allocating of a storage area, associating the storage area with the application identity, storing the associated identity and controlling the access to the storage area are performed for an application of a first party and, subsequently, the same actions are performed for an application of a second party independent of the first party.
  - 3. The method according to claim 1, wherein the device stores a digital certificate issued by a trusted certification authority.
  - 4. The method according to claim 1, wherein the secure environment comprises a smart card.
  - 5. The method according to claim 1, wherein the allocating a storage area, associating the storage area with the application identity, storing the associated identity and controlling the access to the storage area are performed for an application of a first party and, subsequently, the same actions are performed for an application of a second party independent of the first party.

6. An apparatus comprising a control processing unit configured to:
- allocate a storage area configured to store data for an application of a multiple of applications within a secure environment of a device to which access is restricted;
  
  associate the storage area with an application identity of said application of said multiple applications to generate an associated identity, wherein said application identity of said application of said multiple of applications is generated by the device;
  
  store the associated identity within the secure environment; and
  
  control access to the storage area by verifying correspondence between the associated identity and an accessing application identity so that only said application of said multiple applications can access the storage area;
  
  wherein the application identity of said application is a digital signature created based on a private key, the digital signature being attached to said application, and the verification of the application identity is performed by decrypting the digital signature with a public key that corresponds to said private key.
- View Dependent Claims (7, 8)
- - 7. The apparatus according to claim 6, wherein the device is configured to store a digital certificate issued by a certification authority.
  - 8. The apparatus according to claim 6, wherein the secure environment comprises a smart card.

9. Circuitry for providing data security comprising:
- at least one storage circuit comprising at least one storage area configured to store data for an application of a multiple of applications within a secure environment of a device to which access is restricted;
  
  at least one processor configured to;
  
  associate the at least one storage area with an application identity of said application of said multiple applications to generate an associated identity, wherein said application identity of said application of said multiple of applications is generated by the device; and
  
  store the associated identity within the secure environment; and
  
  a register configured to enable said at least one processor to control access to said at least one storage area by verifying correspondence between the associated identity and an accessing application identity so that only said application of said multiple applications can access the at least one storage area;
  
  wherein the application identity of said application is a digital signature created based on a private key, the digital signature being attached to said application, and the verification of the application identity is performed by decrypting the digital signature with a public key that corresponds to said private key.
- View Dependent Claims (10)
- - 10. A mobile telecommunication terminal comprising circuitry for providing data security according to claim 9.

11. A computer-readable non-transitory storage medium storing computer-executable components, which when executed by a processor, performs:
- allocating a storage area configured to store data for an application of a multiple of applications within a secure environment of a device to which access is restricted;
  
  associating the storage area with an application identity of said application of said multiple applications to generate an associated identity, wherein said application identity of said application of said multiple of applications is generated by the device;
  
  storing the associated identity within the secure environment; and
  
  controlling access to the storage area by verifying correspondence between the associated identity and an accessing application identity so that only said application of said multiple applications can access the storage area;
  
  wherein the application identity of said application is a digital signature created based on a private key, the digital signature being attached to said application, and the verification of the application identity is performed by verifying the digital signature with a public key that corresponds to said private key.

12. An apparatus comprising:
- a processor configured for allocating a storage area configured to store data for an application of a multiple of applications within a secure environment of a device to which access is restricted;
  
  the processor further configured for associating the storage area with an application identity of said application of said multiple applications to generate an associated identity, wherein said application identity of said application of said multiple of applications is generated by the device;
  
  the storage area configured for storing the associated identity within the secure environment; and
  
  the processor further configured for controlling access to the storage area by verifying correspondence between the associated identity and an accessing application identity so that only said application of said multiple applications can access the storage area;
  
  wherein the application identity of said application is a digital signature created based on a private key, the digital signature being attached to said application, and the verification of the application identity is performed by verifying the digital signature with a public key that corresponds to said private key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Paatero, Lauri, Cofta, Piotr
Primary Examiner(s)
Zee, Edward

Application Number

US10/887,474
Publication Number

US 20050044375A1
Time in Patent Office

3,038 Days
Field of Search

726/9, 726/17, 726/19, 726/20, 726 26- 28, 713/173, 713/193, 713/194, 713/185
US Class Current

713/193
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/74   operating in dual or compar...

G06F 21/78   to assure secure storage of...

G06F 2221/2105   Dual mode as a secondary as...

Key storage administration

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Key storage administration

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links