EP1582053A4 - System and method for distributed authorization for access to communications device - Google Patents
System and method for distributed authorization for access to communications device
- Publication number
- EP1582053A4
- Authority
- EP
- European Patent Office
- Prior art keywords
- information
- application
- access
- authorization
- specific data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W8/00—Network data management
        - H04W8/18—Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
          - H04W8/20—Transfer of user or subscriber data
          - H04W8/183—Processing at user equipment or user record carrier
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/06—Authentication
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Definitions
- the invention relates to the field of communications, and more particularly to a distributed authorization system in which access to data on a mobile unit by onboard applications, such as phone book, hardware identifiers or other data on a cellular telephone or other device, may be regulated by an authorization process performed on a remote server or other resource.
- cellular telephones and other communications devices are now programmable in a variety of ways. For instance, many cellular telephones contain editable phone books to permit convenient storage and dialing of frequently-used or important numbers. Other cellular telephones or other devices have Web browsing, file sharing and other enhanced functionality, whether via graphical user interface, voice commands or other interfaces. Moreover, cellular telephones are becoming available which include integrated positioning capability, such as the ability to track, record and communicate handset position via GPS or other location service. Other services are being and will be deployed. Over-the-air programming (OAP) standards such as those employing the Java programming language have enhanced the delivery of such services, on an on-demand or other basis.
- OAP Over-the-air programming
- Handsets and other devices may have the storage capacity and intelligence to store a variety of sensitive or personal information, such as a handset's International Mobile Equipment Identity (IMEI) data, a subscriber identity module (SIM) ID or other related data, number assignment module (NAM) data, mobile identification number (MIN) data, electronic serial number (ESN) data, phone books, position tracking or other information.
- IMEI International Mobile Equipment Identity
- SIM subscriber identity module
- NAM number assignment module
- MIN mobile identification number
- ESN electronic serial number
- Devices which may accept Java or other over-the-air code could be presented with security risks due to malicious code such as viruses, disguised games or ring tones, or other code or data. Once a malicious process has invaded the device, the user's sensitive hardware, phone book, positioning or other data could be exposed and compromised.
- While user-facing security measures may be incorporated, such as requiring passwords on a handset interface before permitting access to hardware, phone book or other data, over-the-air and other threats may continue to test the integrity of the mobile device and its data, including by way of code which insinuates itself into the device at comparatively low levels, such as application programming interfaces (APIs) and other open ports or interfaces. Better core-level security on communications devices is desirable. Other problems exist.
- APIs application programming interfaces
- the invention, overcoming these and other problems in the art, relates in one regard to a system and method for distributed authorization for access to a communications device, in which a cellular handset or other communications device may be equipped to receive requests for sensitive onboard data from Java or other applications.
- an authorization process may be initiated via a remote server or other resource.
- the communications device may present an API to internally executing programs through which all requests for sensitive data may be made.
- the API may communicate those requests, for instance via an over-the-air interface, to a remote support server for authorization.
- the authorization check may be made against a permission access list enumerating valid programs or processes which have access rights to the requested levels of data. When a request is validated, permission may be returned to the communications device to permit the requesting code to obtain the desired data.
- FIG. 1 illustrates a distributed authorization architecture, according to an embodiment of the invention.
- FIG. 2 illustrates a table for storing authorization parameters, according to an embodiment of the invention.
- FIG. 3 illustrates a user interface on a communications device displaying an authorization notification, according to an embodiment of the invention.
- FIG. 4 illustrates a flowchart of authorization processing, according to an embodiment of the invention.
- FIG. 1 illustrates a distributed authorization architecture in which an embodiment of the invention may operate.
- a communications device 102 may wirelessly communicate with an authorization server 118 to initiate and validate requests for access to device-specific data 110 made by applications running on communications device 102.
- Communications device 102 may be or include, for instance, a cellular telephone, a network-enabled wireless device such as a personal digital assistant (PDA) or personal information manager (PIM) equipped with an IEEE 802.11b or other wireless interface, a laptop or other portable computer equipped with an 802.11b or other wireless interface, or other communications or client devices.
- PDA personal digital assistant
- PIM personal information manager
- Device-specific data 110 may be or include, for instance, IMEI data, data from a SIM, chip-level data, phone books or contact lists or other personalized user settings, position tracking, electronic wallet, scheduling, cellular service or other billing, messaging such as short message service (SMS) or other text or other messaging, or other hardware-related, user-based or other information.
- Device-specific data 110 may be stored in communications device 102, for instance, in erasable programmable read-only memory (EPROM), flash cards, or other electronic, optical or other media.
- EPROM erasable programmable read-only memory
- the communications device 102 may execute one or more applications 104, for instance a Java application, which in embodiments may include a Java Micro Edition application, C or C++ or other program or code.
- application 104 may be or include, for instance, a contact scheduler application, a phone book application, a Web browsing application, a financial application, a personal information manager (PIM) application, or other application or service.
- application 104 may conform to or be implemented using the Java Mobile Information Device Profile (MIDP) standard, in which case applications may be referred to as MIDlets, or other languages or environments.
- MIDP Java Mobile Information Device Profile
- application 104 may be received over the air via antenna 112, or received or stored from other sources, such as a cable-connected download.
- the application 104 may interact with an application programming interface 106.
- Application programming interface 106 may present a programming interface to application 104 to mediate requests to the set of device-specific data 110 on communications device 102 and perform other tasks.
- application programming interface 106 may present application-accessible interfaces to data or object classes such as, for instance, network, user interface, data attributes and data content, and other resources.
- Native layer 108 may in embodiments operate at a comparatively low level in communications device 102, and act on requests passed by application programming interface 106 for device-specific data 110.
- Native layer 108 may for example in embodiments perform supervisory, file and memory management, and other tasks.
- application programming interface 106 may trap that access request 114 at the system level for offboard processing, before permitting any of device-specific data 110 to be released.
- application programming interface 106 may communicate with authorization server 118 to authorize that access request 114.
- application programming interface 106 may communicate with the authorization server 118 via server antenna 116, or other wireless or wired interfaces.
- Application programming interface 106 may transmit access request 114 containing, for instance, the type of data requested from the set of device-specific data 110, the name or other identifying information for application 104, access parameters such as time of last access, passwords if requested, or other data related to the access request 114 for part or all of device-specific data 110 to authorization server 118.
- Authorization server 118 may maintain a set of authorization parameters 120 against which to process the access request 114 for access to device-specific data 110. As illustrated in FIG. 2, for example, authorization parameters 120 may be maintained in authorization table 124, which may be stored in or accessed by authorization server 118. Authorization table 124 may contain a set of application identifiers 126 (APP IDENTIFIER 1, APP IDENTIFIER 2 ... APP IDENTIFIER N, N arbitrary), which identifiers may in embodiments include a list of application names or other identifiers, such as "phonebook.MID", "contactlist.c", "positiontrack.exe" or other names or indicia.
- Authorization table 124 may likewise contain a set of associated access levels 128, correlated by application name or other indicia, which may indicate whether a given application 104 may be permitted to access device-specific data 110, and in embodiments at which levels or with what privileges (e.g., read, edit, or other) that access may be granted.
- authorization server 118 may transmit an authorization message 122 to communications device 102.
- the authorization message 122 may contain, for instance, a code, flag or other indication that application 104 may access device-specific data 110.
- the authorization message 122 may contain additional fields or variables by which access to device-specific data 110 may be regulated, for instance a privilege field or flag which indicates whether application 104 may have the right to read, to modify, erase or perform other actions on device-specific data 110.
- Authorization message 122 may likewise contain a timeout field which sets a period of time in which application 104 may access the desired data, but after which authorization may expire. Other security variables are possible.
- the authorization may be granted for a single application 104, or for more than one application, or for different applications at different times.
- authorization to access device- specific data 110 reflected in authorization message 122 may be made at differing levels for different parts of that data, depending on the sensitivity of the data, the nature of the application 104 making the access request 114, and other factors.
- the application programming interface 106 may pass the access request 114 to native layer 108, which may retrieve the requested data from device-specific data 110. Native layer 108 may then pass the retrieved data to application programming interface 106 to be delivered to application 104. Application 104 may then receive and read the requested part or whole of device-specific data 110, to operate on or modify that data. In embodiments, application 104 may also receive authorization to store modified data into device-specific data 110, to transmit the device-specific data 110 over the air interface of antenna 112, or take other action, depending on the type or level of authorization received, network security and other parameters.
- the authorization message 122 may contain a deny flag or other indicator that application 104 may not access part or any of device-specific data 110.
- the communications device 102 may notify the user that an application or service has been denied access to device-specific or sensitive information. As illustrated in FIG. 3, that notification may be for instance by way of a pop-up message 132 presented on a text or graphical user interface 130, by a verbal message or otherwise. This notification may, for instance, assist the user in deciding to run an anti-virus or other utility on communications device 102, or take other action.
- denial of access to device-specific data 110 may trigger an automatic logging of application 104, automatic transmission of an anti-virus or other utility to communications device 102, or other action.
- in step 402, application 104 may request one or more parts of device-specific data 110 from the communications device 102 via application programming interface 106 and native layer 108, at the API or other level.
- in step 404, the access request 114 may be transmitted to the authorization server 118, for instance via an over-the-air protocol, which for example may be communicated using a secure or other protocol such as Secure Sockets Layer (SSL), Hypertext Transfer Protocol Secure (HTTPS) or other protocol or interface.
- SSL Secure Sockets Layer
- HTTPS Hypertext Transfer Protocol Secure
- the request may, in embodiments, encapsulate data such as the name or other identifier of application 104, the type of data in device-specific data 110 being requested, and other information.
- the authorization server 118 may check the access request 114 by application 104 against authorization parameters 120 or other security fields or templates, make an authorization determination and communicate an authorization message 122 to communications device 102.
- the authorization message 122 may contain an indication that the access request 114 is granted, denied, deferred, that further information will be required, or that other action may be taken.
- the native layer 108 may read out the one or more parts of device-specific data 110 which application 104 has been authorized to access.
- the native layer 108 may communicate the one or more parts of device-specific data 110 which application 104 has been authorized to access to application programming interface 106.
- the application programming interface 106 may communicate the requested device-specific data 110 to the application 104. Processing may then repeat, return to an earlier point, continue to further processing or terminate.
- communications device 102 may operate without a native layer 108 of that type, for instance with some functionality distributed to authorization server 118 or otherwise.
- Communications device 102 may conversely contain or operate on other or multiple supervisory layers.
- Other hardware, software or other resources described as singular may be implemented in multiple or distributed resources, while other hardware, software or other resources described as distributed may likewise be implemented as integrated resources.
- the scope of the invention is accordingly intended to be limited only by the following claims.
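The flow of FIG. 1, FIG. 2 and FIG. 4, as an added Python example that is not code from the patent: application programming interface 106 traps each request for device-specific data 110, forwards access request 114 (application identifier, data type, intended privilege) to authorization server 118, which looks the application up in authorization table 124 and returns authorization message 122 carrying a grant/deny flag, a privilege field and a timeout; a denial is logged and surfaced as the pop-up message 132. The table layout keyed by (application identifier, data type), the Privilege flags, the on-device cache of unexpired grants, the `build_demo` sample table and data, and every identifier below are assumptions made for illustration; the over-the-air SSL/HTTPS transport is replaced by a direct call.

```python
import time
from dataclasses import dataclass
from enum import Flag, auto
from typing import Callable, Optional


class Privilege(Flag):
    """Privilege field of authorization message 122 (read / modify / erase)."""
    NONE = 0
    READ = auto()
    MODIFY = auto()
    ERASE = auto()


@dataclass
class AccessRequest:
    """Access request 114 as forwarded by API 106 to authorization server 118."""
    app_id: str          # name or other identifier of application 104
    data_type: str       # which part of device-specific data 110 is wanted
    wanted: Privilege    # what the application intends to do with it


@dataclass
class AuthorizationMessage:
    """Authorization message 122: grant/deny flag, privilege field, timeout."""
    granted: bool
    privileges: Privilege = Privilege.NONE
    expires_at: Optional[float] = None   # absolute expiry; None = no timeout
    reason: str = ""


class AuthorizationServer:
    """Authorization server 118 holding authorization table 124 (assumed layout:
    (app identifier 126, data type) -> (access level 128 as Privilege set,
    grant lifetime in seconds used to fill the timeout field))."""

    def __init__(self, table: dict, now: Callable[[], float] = time.time):
        self.table = table
        self.now = now
        self.calls = 0   # counts over-the-air round trips, for the demo

    def authorize(self, req: AccessRequest) -> AuthorizationMessage:
        self.calls += 1
        entry = self.table.get((req.app_id, req.data_type))
        if entry is None:
            return AuthorizationMessage(False, reason="not on permission access list")
        allowed, lifetime = entry
        if req.wanted & ~allowed:   # asks for a privilege the access level lacks
            return AuthorizationMessage(False, allowed, reason="privilege exceeds access level")
        return AuthorizationMessage(True, allowed, self.now() + lifetime)


class DeviceApi:
    """API 106: traps every request for device-specific data 110 before release."""

    def __init__(self, server, device_data, now=time.time, notify=print):
        self.server = server
        self.data = device_data      # stands in for native layer 108 and its storage
        self.now = now
        self.notify = notify         # pop-up message 132 on user interface 130
        self.cache = {}              # (app_id, data_type) -> unexpired grant
        self.denials = []            # automatic logging of denied applications

    def _decision(self, req: AccessRequest) -> AuthorizationMessage:
        key = (req.app_id, req.data_type)
        msg = self.cache.get(key)
        expired = msg is not None and msg.expires_at is not None and self.now() >= msg.expires_at
        if msg is None or expired:
            msg = self.server.authorize(req)          # step 404: offboard check
            if msg.granted:
                self.cache[key] = msg                 # reuse until the timeout passes
            else:
                self.cache.pop(key, None)
        return msg

    def _deny(self, req: AccessRequest, msg: AuthorizationMessage) -> None:
        reason = msg.reason or f"grant does not include {req.wanted.name}"
        self.denials.append((req.app_id, req.data_type, req.wanted.name, reason))
        self.notify(f"{req.app_id} denied {req.wanted.name} access to {req.data_type}: {reason}")

    def read(self, app_id: str, data_type: str):
        """Step 402 onward: release the data only under an unexpired READ grant."""
        req = AccessRequest(app_id, data_type, Privilege.READ)
        msg = self._decision(req)
        if not (msg.granted and msg.privileges & Privilege.READ):
            self._deny(req, msg)
            return None
        return self.data.get(data_type)     # native layer 108 reads it out

    def write(self, app_id: str, data_type: str, value) -> bool:
        """Store modified data only if the grant carries MODIFY."""
        req = AccessRequest(app_id, data_type, Privilege.MODIFY)
        msg = self._decision(req)
        if not (msg.granted and msg.privileges & Privilege.MODIFY):
            self._deny(req, msg)
            return False
        self.data[data_type] = value
        return True


def build_demo(now: Callable[[], float] = time.time):
    """Constructed sample table and device data; every value here is made up."""
    table = {
        ("phonebook.MID", "phonebook"): (Privilege.READ | Privilege.MODIFY, 60),
        ("positiontrack.exe", "position"): (Privilege.READ, 5),
    }
    device_data = {
        "phonebook": ["Alice 555-0100"],
        "imei": "123456789012345",       # constructed placeholder, not a real IMEI
        "position": (51.5, -0.12),
    }
    server = AuthorizationServer(table, now)
    api = DeviceApi(server, device_data, now, notify=lambda text: None)
    return server, api


if __name__ == "__main__":
    server, api = build_demo()
    print(api.read("phonebook.MID", "phonebook"))          # granted
    print(api.read("ringtone.MID", "imei"))                # denied: unknown application
    print(api.write("positiontrack.exe", "position", 0))   # denied: read-only access level
    print(api.denials)
```

Two points the page leaves to the implementer are visible in this shape. First, the server's decision is only as good as the application identifier in access request 114: the page does not say how that identifier is bound to the requesting code, so the platform (for example through signed MIDlet identity) rather than the application itself has to assert it, or any code can present itself as "phonebook.MID". Second, the timeout field is only meaningful if the device enforces it, which is what the expiry check in `_decision` does before reusing a cached grant.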
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US33414102A | 2002-12-31 | 2002-12-31 | |
US334141 | 2002-12-31 | ||
PCT/US2003/040125 WO2004062243A2 (en) | 2002-12-31 | 2003-12-16 | System and method for distributed authorization for access to communications device |
Publications (2)
Publication Number | Publication Date |
---|---|
EP1582053A2 EP1582053A2 (en) | 2005-10-05 |
EP1582053A4 true EP1582053A4 (en) | 2006-04-12 |
Family
ID=32710862
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP03814848A Withdrawn EP1582053A4 (en) | 2002-12-31 | 2003-12-16 | System and method for distributed authorization for access to communications device |
Country Status (6)
Country | Link |
---|---|
EP (1) | EP1582053A4 (en) |
JP (1) | JP2006514763A (en) |
KR (1) | KR20050096114A (en) |
CN (1) | CN1732674A (en) |
AU (1) | AU2003297229A1 (en) |
WO (1) | WO2004062243A2 (en) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4583152B2 (en) * | 2004-12-10 | 2010-11-17 | 富士通株式会社 | Service processing method and program |
EP1907901B1 (en) * | 2005-07-28 | 2017-01-18 | Alcatel Lucent | System and method for remotely controlling device functionality |
KR100785782B1 (en) * | 2005-11-17 | 2007-12-18 | 한국전자통신연구원 | System of Privilege Delegation and Method Thereof |
EP1967026A2 (en) * | 2005-12-30 | 2008-09-10 | Telecom Italia S.p.A. | Method for customizing the operation of a telephonic terminal |
WO2008060300A1 (en) * | 2006-11-16 | 2008-05-22 | Dynomedia, Inc. | Systems and methods for distributed digital rights management |
CN101926187A (en) * | 2008-01-21 | 2010-12-22 | 艾利森电话股份有限公司 | Abstraction function for mobile handsets |
US8327005B2 (en) * | 2011-02-24 | 2012-12-04 | Jibe Mobile | Method to set up application to application communication over a network between applications running on endpoint devices |
WO2014117247A1 (en) | 2013-01-29 | 2014-08-07 | Blackberry Limited | Managing application access to certificates and keys |
CN104283853B (en) | 2013-07-08 | 2018-04-10 | 华为技术有限公司 | A kind of method, terminal device and network equipment for improving Information Security |
US20150195395A1 (en) * | 2014-01-06 | 2015-07-09 | Desiree Gina McDowell-White | Secure Cloud-Based Phonebook |
CN104951715A (en) * | 2015-06-11 | 2015-09-30 | 联想(北京)有限公司 | Information processing method and electronic equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0813132A2 (en) * | 1996-06-11 | 1997-12-17 | International Business Machines Corporation | Support for trusted software distribution |
EP0973350A2 (en) * | 1998-07-17 | 2000-01-19 | Phone.Com Inc. | Method and apparatus for providing access control to local services of mobile devices |
EP1107623A2 (en) * | 1999-12-06 | 2001-06-13 | Nokia Mobile Phones Ltd. | Mobile station providing user-defined private zone for restricting access to user application data |
FR2822334A1 (en) * | 2001-03-16 | 2002-09-20 | Schlumberger Systems & Service | Mobile telecommunications independent/secure subscriber identity module having module resource with control/associated policing control adapted controlling group command execution following function specific function police control. |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5835061A (en) * | 1995-06-06 | 1998-11-10 | Wayport, Inc. | Method and apparatus for geographic-based communications service |
JPH09319570A (en) * | 1996-05-29 | 1997-12-12 | Sanyo Electric Co Ltd | License managing system for software |
EP1011274A1 (en) * | 1998-12-16 | 2000-06-21 | TELEFONAKTIEBOLAGET L M ERICSSON (publ) | Method and service providing means for providing services in a telecommunication network |
US6647260B2 (en) * | 1999-04-09 | 2003-11-11 | Openwave Systems Inc. | Method and system facilitating web based provisioning of two-way mobile communications devices |
JP2001117769A (en) * | 1999-10-20 | 2001-04-27 | Matsushita Electric Ind Co Ltd | Program executing device |
JP2002041170A (en) * | 2000-07-27 | 2002-02-08 | Matsushita Electric Ind Co Ltd | Program performance controller |
JP3853140B2 (en) * | 2000-08-08 | 2006-12-06 | 株式会社シーイーシー | Software management system and accounting method |
Events (2003)
- 2003-12-16 CN CNA2003801080253A patent/CN1732674A/en active Pending
- 2003-12-16 AU AU2003297229A patent/AU2003297229A1/en not_active Abandoned
- 2003-12-16 EP EP03814848A patent/EP1582053A4/en not_active Withdrawn
- 2003-12-16 WO PCT/US2003/040125 patent/WO2004062243A2/en not_active Application Discontinuation
- 2003-12-16 KR KR1020057012427A patent/KR20050096114A/en not_active Application Discontinuation
- 2003-12-16 JP JP2004565539A patent/JP2006514763A/en active Pending
Also Published As
Publication number | Publication date |
---|---|
CN1732674A (en) | 2006-02-08 |
EP1582053A2 (en) | 2005-10-05 |
WO2004062243A3 (en) | 2004-08-26 |
KR20050096114A (en) | 2005-10-05 |
WO2004062243A2 (en) | 2004-07-22 |
AU2003297229A8 (en) | 2004-07-29 |
JP2006514763A (en) | 2006-05-11 |
AU2003297229A1 (en) | 2004-07-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6591095B1 (en) | Method and apparatus for designating administrative responsibilities in a mobile communications device | |
EP2941729B1 (en) | Protection and confidentiality of trusted service manager data | |
US8577334B1 (en) | Restricted testing access for electronic device | |
US9198026B2 (en) | SIM lock for multi-SIM environment | |
US11671832B2 (en) | Unified enterprise management of wireless devices in a controlled environment | |
EP1950681A1 (en) | Mobile terminal, access control management device, and access control management method | |
US20100062808A1 (en) | Universal integrated circuit card having a virtual subscriber identity module functionality | |
EP1542117A1 (en) | Binding content to a user | |
KR101514753B1 (en) | System and method for secure containment of sensitive financial information stored in a mobile communication terminal | |
CN110876144B (en) | Mobile application method, device and system for identity certificate | |
EP1582052B1 (en) | System and method for distributed authorization and deployment of over the air provisioning for a communications device | |
EP1582053A2 (en) | System and method for distributed authorization for access to communications device | |
KR101386363B1 (en) | One-time passwords generator for generating one-time passwords in trusted execution environment of mobile device and method thereof | |
CN115186254A (en) | Data access control method and device and terminal equipment | |
US10405183B2 (en) | Purposed device system and method for smartphone | |
US11838985B2 (en) | Policy-based management of embedded subscriber identity module (eSIM) profiles | |
US20200220858A1 (en) | Subscriber Identity Management | |
CN113286289A (en) | Permission confirmation method and electronic equipment | |
CN116669012A (en) | Method for managing communication functions in a user equipment | |
CN116491141A (en) | System and method for making SIM card micro platform | |
KR20090095697A (en) | Mobile communication terminal for limiting use, server for opening service of subscriber, system and method using the same |
Legal Events
Code | Title | Description |
---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
17P | Request for examination filed | Effective date: 20050801 |
AK | Designated contracting states | Kind code of ref document: A2; Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR |
AX | Request for extension of the european patent | Extension state: AL LT LV MK |
A4 | Supplementary search report drawn up and despatched | Effective date: 20060228 |
RIC1 | Information provided on ipc code assigned before grant | Ipc: H04Q 7/32 20060101ALI20060222BHEP; Ipc: H04Q 7/20 20060101ALI20060222BHEP; Ipc: H04M 3/00 20060101AFI20050627BHEP |
DAX | Request for extension of the european patent (deleted) | |
STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
18D | Application deemed to be withdrawn | Effective date: 20061219 |
P01 | Opt-out of the competence of the unified patent court (upc) registered | Effective date: 20230520 |