Apparatus and method for secure delivery of data from a communication device

US 9,413,759 B2
Filed: 11/27/2013
Issued: 08/09/2016
Est. Priority Date: 11/27/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage device comprising executable instructions which, responsive to being executed by a secure device processor of a mobile communication device, cause the secure device processor to perform operations comprising:

requesting an upload transport key and a data protection key from a secure element of the mobile communication device, and wherein the secure element stores master keys from which the upload transport key and the data protection key are generated by the secure element, wherein the secure element receives the master keys over a network from a remote management server, wherein the secure device processor and the secure element perform a mutual authentication with each other utilizing a keyset received via the remote management server;

receiving the upload transport key and the data protection key from the secure element without receiving the master keys;

receiving an upload request from a recipient device, another communication device, an application being executed by the mobile communication device, or a user input received at the mobile communication device;

obtaining data for transmission to the recipient device, wherein the obtaining of the data is in response to the receiving of the upload request;

encrypting the data using the data protection key to generate a single encrypted data; and

encrypting the single encrypted data using the upload transport key to generate a double encrypted data,wherein the mobile communication device comprises a mobile processor device that facilitates wireless communications by the secure device processor and by the secure element, andwherein the mobile processor device, the secure element and the secure device processor are physically separated components that are housed in the mobile communication device and are in communication with each other.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system that incorporates the subject disclosure may perform, for example, providing an upload request to a mobile communication device to cause a secure device processor of the mobile communication device to perform a modification of data according to a data protection key to generate modified data and to perform an encryption of the modified data according to an upload transport key to generate encrypted modified data where the secure device processor is separate from and in communication with a secure element of the mobile communication device, and where the secure element receives master keys from a remote management server and stores the master keys to enable the upload transport key and the data protection key to be generated by the secure element without providing the master keys to the secure device processor. Other embodiments are disclosed.

121 Citations

19 Claims

1. A computer-readable storage device comprising executable instructions which, responsive to being executed by a secure device processor of a mobile communication device, cause the secure device processor to perform operations comprising:
- requesting an upload transport key and a data protection key from a secure element of the mobile communication device, and wherein the secure element stores master keys from which the upload transport key and the data protection key are generated by the secure element, wherein the secure element receives the master keys over a network from a remote management server, wherein the secure device processor and the secure element perform a mutual authentication with each other utilizing a keyset received via the remote management server;
  
  receiving the upload transport key and the data protection key from the secure element without receiving the master keys;
  
  receiving an upload request from a recipient device, another communication device, an application being executed by the mobile communication device, or a user input received at the mobile communication device;
  
  obtaining data for transmission to the recipient device, wherein the obtaining of the data is in response to the receiving of the upload request;
  
  encrypting the data using the data protection key to generate a single encrypted data; and
  
  encrypting the single encrypted data using the upload transport key to generate a double encrypted data,wherein the mobile communication device comprises a mobile processor device that facilitates wireless communications by the secure device processor and by the secure element, andwherein the mobile processor device, the secure element and the secure device processor are physically separated components that are housed in the mobile communication device and are in communication with each other.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-readable storage device of claim 1, wherein the operations further comprise:
    - receiving a user credential via a user interface;
      
      providing the user credential to the secure element; and
      
      receiving a user authentication from the secure element, wherein the requesting of the upload transport key and the data protection key from the secure element is responsive to the receiving of the user authentication.
  - 3. The computer-readable storage device of claim 2, wherein the secure element comprises a universal integrated circuit card, and wherein the operations further comprise:
    - facilitating establishing a communication channel with the recipient device; and
      
      providing the double encrypted data over the communication channel to the recipient device to enable the recipient device to perform a first decryption of the double encrypted data utilizing a corresponding upload transport key.
  - 4. The computer-readable storage device of claim 3, wherein the recipient device is one of an end user device or an application server, andwherein the recipient device receives from the remote management server the corresponding upload transport key or a master transport key for deriving the corresponding upload transport key.
  - 5. The computer-readable storage device of claim 1, wherein the recipient device is a removable memory device having a connection port to enable a physical coupling with the mobile communication device, and wherein the operations further comprise:
    - providing the double encrypted data to the removable memory device via the connection port to enable the recipient device to be removed from the mobile communication device and subsequently coupled with an end user device for transmission of the double encrypted data to the end user device to enable the end user device to perform a first decryption of the double encrypted data utilizing a corresponding upload transport key.

6. A communication device, comprising:
- a mobile processing device comprising a control element to control a transceiver of the communications device;
  
  a secure element having a secure element memory that stores first executable instructions that, when executed by the secure element, facilitate performance of first operations, comprising;
  
  receiving master keys over a network from a remote management server;
  
  storing the master keys in the secure element memory; and
  
  generating an upload transport key and a data protection key from the master keys;
  
  a secure device processor comprising a secure device processor memory that stores second executable instructions that, when executed by the secure device processor, facilitate performance of second operations, comprising;
  
  receiving the upload transport key and the data protection key from the secure element without receiving the master keys;
  
  receiving an upload request from a recipient device, another communication device, an application being executed by the communication device, or a user input received at the mobile communication device;
  
  obtaining data for transmission to a recipient device, wherein the obtaining of the data is in response to the receiving of the upload request;
  
  modifying the data using the data protection key to generate a modified data; and
  
  encrypting the modified data using the upload transport key to generate an encrypted modified data,wherein the secure device processor, the secure element and the mobile processing device are separate components in communication with each other and are housed in the communication device, and wherein the secure device processor and the secure element perform a mutual authentication with each other utilizing a keyset received via the remote management server.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
- - 7. The communication device of claim 6, wherein the first operations further comprise:
    - receiving a request from the secure device processor for the upload transport key and the data protection key, wherein the generating of the upload transport key and the data protection key is in response to the request from the secure device processor; and
      
      wherein the second operations further comprise;
      
      providing the upload transport key, the data protection key, and the encrypted modified data to the recipient device.
  - 8. The communication device of claim 6, further comprising a device processor that is separate from the secure device processor and in communication with the secure device processor, wherein the device processor facilitates wireless communications between the communication device and the recipient device, wherein the secure element comprises a universal integrated circuit card, and wherein the modifying of the data to generate the modified data comprises adding additional information to the data and applying another encryption.
  - 9. The communication device of claim 8, wherein the first executable instructions are provisioned to the secure element memory and the second executable instructions are provisioned to the secure device processor memory from the remote management server utilizing a remote management keyset, and wherein the additional information includes permissions, authentication data or a combination thereof.
  - 10. The communication device of claim 6, further comprising a user interface, wherein the second operations further comprise:
    - receiving a user credential via the user interface;
      
      providing the user credential to the secure element;
      
      receiving a user authentication from the secure element; and
      
      requesting the upload transport key and the data protection key from the secure element in response to the receiving of the user authentication.
  - 11. The communication device of claim 6, wherein the secure element comprises a universal integrated circuit card, and wherein the second operations further comprise:
    - providing the encrypted modified data over a communication channel to the recipient device to enable the recipient device to perform a decryption of the encrypted modified data utilizing a corresponding upload transport key.
  - 12. The communication device of claim 11, wherein the recipient device is one of an end user device or an application server, and wherein the recipient device receives from the remote management server a corresponding upload transport key or a master transport key for deriving the corresponding upload transport key.
  - 13. The communication device of claim 6, wherein the recipient device is a removable memory device having a connection port to enable a physical coupling with the communication device, and wherein the second operations further comprise:
    - providing the encrypted modified data to the removable memory device via the connection port to enable the recipient device to be removed from the communication device and subsequently coupled with an end user device for transmission of the encrypted modified data to the end user device to enable the end user device to perform a decryption of the encrypted modified data utilizing a corresponding upload transport key.

14. A method, comprising:
- providing, by a server including a processor, an upload request to a mobile communication device to cause a secure device processor of the mobile communication device to perform a first encryption of data according to a data protection key to generate a single encrypted data and to perform a second encryption of the single encrypted data according to an upload transport key to generate a double encrypted data, wherein the secure device processor is separate from and in communication with a secure element of the mobile communication device, wherein the mobile communication device comprises a mobile processor device that facilitates communications of by the secure device processor and by the secure element, wherein the mobile processor device, the secure element and the secure device processor are separate components in communication with each other and housed in the mobile communication device, and wherein the secure element receives master keys over a network from a remote management server and stores the master keys to enable the upload transport key and the data protection key to be generated by the secure element without providing the master keys to the secure device processor;
  
  receiving, by the server from the secure device processor, the double encrypted data;
  
  obtaining, by the server, a corresponding upload transport key;
  
  decrypting, by the server, the double encrypted data utilizing the corresponding upload transport key to obtain the single encrypted data; and
  
  storing, by the server, the single encrypted data in a memory accessible to the server wherein the secure device processor and the secure element perform a mutual authentication with each other utilizing a keyset received via the remote management server, wherein the upload request is received from another communication device, and wherein the data is obtained by the secure device processor in response to the upload request.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method of claim 14, wherein the obtaining of the corresponding upload transport key comprises:
    - receiving, by the server from the remote management server, a master transport key;
      
      generating, by the server, the corresponding upload transport key from the master transport key, and further comprising;
      
      deleting, by the server, the corresponding upload transport key after the decrypting of the double encrypted data.
  - 16. The method of claim 14, wherein the obtaining of the corresponding upload transport key comprises receiving, by the server from the remote management server, the corresponding upload transport key, and further comprising:
    - deleting, by the server, the corresponding upload transport key after the decrypting of the double encrypted data.
  - 17. The method of claim 14, wherein the server does not have access to a corresponding data protection key for decrypting the single encrypted data, and further comprising:
    - receiving, by the server from the mobile communication device, a download request associated with the data;
      
      generating, by the server, a second upload transport key from a master transport key received from the remote management server, wherein the obtaining of the corresponding upload transport key comprises deriving, by the server, the corresponding upload transport key from the master transport key;
      
      encrypting, by the server, the single encrypted data using the second upload transport key to generate the double encrypted data; and
      
      providing, by the server, the double encrypted data to the mobile communication device to enable the secure device processor to decrypt the double encrypted data utilizing a corresponding second transport key generated by the secure element from the master keys without providing the master keys to the secure device processor.
  - 18. The method of claim 14, comprising:
    - receiving, by the server from the remote management server, a master protection key;
      
      storing, by the server, the master protection key;
      
      generating, by the server, a corresponding data protection key from the master protection key;
      
      decrypting, by the server, the single encrypted data utilizing the corresponding data protection key to obtain the data; and
      
      deleting, by the server, the corresponding data protection key after the decrypting of the single encrypted data.
  - 19. The method of claim 14, comprising:
    - receiving, by the server from the remote management server, a corresponding data protection key;
      
      decrypting, by the server, the single encrypted data utilizing the corresponding data protection key to obtain the data; and
      
      deleting, by the server, the corresponding data protection key after the decrypting of the single encrypted data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Chastain, Walter Cooper, Chin, Stephen Emille
Primary Examiner(s)
Okeke, Izunna

Application Number

US14/091,679
Publication Number

US 20150149776A1
Time in Patent Office

986 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2463/061   applying further key deriva...

H04L 63/0478   applying multiple layers of...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0869   for achieving mutual authen...

H04L 9/0877   using additional device, e....

Apparatus and method for secure delivery of data from a communication device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

121 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Apparatus and method for secure delivery of data from a communication device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others