RU2436254C2 - Managing information associated with protected module applications - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: mobile communication device (10) can accommodate a protected module (20), which contains at least one protected module application (25). The device allows for connection with a protected module. A processing module (11) is configured to obtain from the protected module information on at least one protected module application. The processing module is further configured to check whether a compatible complementary application is present in the device based on the obtained information. A communication module (18) is configured to obtain a compatible complementary application from an external source if there is no complementary application in said device.

EFFECT: wider range of technological tools.

21 cl, 5 dwg

Description

FIELD OF TECHNOLOGY

The present invention relates to the management of information related to applications for secure elements or secure modules.

BACKGROUND

Traditionally, the work of applications related to payments and / or tickets is based on the use of a secure chip built into a plastic smart card the size of a credit card.

Recently, when the practice of contactless payment / ticket issuance has become generally accepted, the installation of secure chips containing means for paying and / or issuing tickets for travel in public transport to mobile phones has begun. In one embodiment, the mobile device includes a smart card module and a short-range communication module, which may be a radio frequency identification module (RFID). A smart card module is a secure element that contains the application required for the secure element, for example, to pay / issue a ticket. The application for the protected element can be launched by the user or automatically based on the context and / or location of the mobile device. For example, if the mobile device is located in the sales area of a commercial terminal, the application for the protected item may start automatically. The short-range module will be activated, and subsequently a contactless payment transaction can be made.

Now that the protected elements containing applications for the protected element are installed in mobile phones, there is a convenient opportunity, namely: to create a user interface for providing the telephone user with a means of monitoring and managing various applications stored in the protected element. The user interface of the mobile device can be used as the user interface of the secure element. As a rule, this requires two applications: the first application (application for the protected element) installed in the protected element and designed to protect critical functionality, and the second application (application "user interface") installed on the mobile phone to create the interface user and control of the first application in case an appropriate level of protection is provided. Having two separate applications to provide full functionality leads to the risk that these two applications will go out of sync, and this will disrupt the operation properly.

In other words, whenever a situation arises in which the mobile device for some reason does not have the specified complementary application (the "user interface" application), the functionality of the user interface will be blocked. This can happen, for example, when a protected element is moved from one mobile device to another (if the latter does not contain the specified application) or when the phone software is updated.

SUMMARY OF THE INVENTION

According to a first aspect of the present invention, there is provided an apparatus for securing a secure module, which comprises at least one application for the secure module, wherein

the device is configured so that it can connect to a protected module and contains:

a processing module configured to receive information from the protected module about at least one application for the protected module, the processing module is further configured to check based on the received information whether a compatible complementary application is present in the device, and

a communication module connected to the processing module and configured to receive a compatible add-on application from an external source if the device does not have a compatible add-on application.

In one embodiment, the complementary application is a compatible application located (located) in a device outside the secure module. In one embodiment, the complementary application is an application that is designed to work in conjunction with a security element application. In one embodiment, the complementary application is an application that provides a user interface for a secure module in a mobile station. In one embodiment, the complementary application is an application for controlling the operation of a protected module from the outside. In yet another embodiment, the complementary application is another application that controls the operation of a secure module.

According to a second aspect of the present invention, there is provided an apparatus comprising:

a secure module that contains at least one application for the secure module, and the device further comprises:

a processing module configured to receive information from the protected module about at least one application for the protected module, the processing module is further configured to check based on the received information whether a compatible complementary application is present in the device, and

a communication module connected to the processing module and configured to receive a compatible add-on application from an external source if the device does not have a compatible add-on application.

In one embodiment of the present invention, a placement device, such as a mobile terminal, is accessible via interface information in a secure module. In one embodiment of the present invention, the available information includes instructions for obtaining terminal software for managing or creating a user interface from one or more remote sources. In cases where this software is not yet installed in the mobile terminal, the software can be delivered. Using the delivered software, the terminal user can access and manage various protected modular applications stored in the protected module.

According to a third aspect of the present invention, there is provided a secure module comprising:

a processing element for installing in the protected module at least one application for the protected module and

a memory associated with a processing element for storing in a secure module information identifying a compatible complementary application for that secure module.

In one embodiment of the present invention, said secure module may be a physical integrated circuit (for security reasons specific to a particular application), a special registry or a database that contains relevant data for managing the application (s) stored in the protected element, using the user interface in the mobile terminal.

According to a fourth aspect of the present invention, there is provided a method for controlling a device for hosting a secure module, which comprises at least one application for the secure module, comprising:

obtaining from the protected module information about at least one application for the protected module;

based on the information received, checking the availability of a compatible complementary application in the device and

in case the device does not have a compatible add-on application, obtain a compatible add-on application from an external source.

In one embodiment of the present invention, the application registry for the secure module is integrated into the secure module. In one embodiment of the present invention, this registry contains an entry for each application for the secure module stored in the secure module. This record may contain various information, for example, name, provider, and instructions for reinstalling / updating the complementary application of the mobile terminal, for example, the user interface or control application. In one embodiment of the present invention, the registry may also contain other information related to the installation or connection of the user interface / control application. If the software corresponding to the application for the secure module is lost in the mobile terminal, or for some reason there is a need to update the user interface / control application, the software of the mobile terminal can access this registry to maintain and help maintain synchronization applications related to the user interface in the terminal, with the application (s) stored in the protected module.

According to a fifth aspect of the present invention, there is provided a method for controlling a secure module, comprising:

installing at least one application for the protected module in the protected module and storing in the protected module information identifying a compatible complementary application that relates to at least one application for the protected module.

In one embodiment of the present invention, the secure module is a secure smart card chip that is in direct communication with the short-range communication module or radio frequency communication module (RFID) of the device that provides the module, which allows you to use applications for the secure module, for example, for contactless payment / issuance of tickets.

According to a sixth aspect of the present invention, there is provided a computer program stored on a computer readable medium and comprising executable computer code that causes a device to implement the method of the fourth aspect of the present invention.

According to a seventh aspect of the present invention, there is provided a computer program stored on a computer readable medium and comprising executable computer code that causes the device to implement the method of the fifth aspect of the present invention.

According to an eighth aspect of the present invention, there is provided an apparatus for securing a secure module, which comprises at least one application for the secure module, said device comprising:

means for providing connectivity to the secure module;

means for obtaining from the protected module information about at least one application for the protected module, wherein said device comprises:

means for checking, based on the received information, the availability of a compatible complementary application in the device and

means for receiving a compatible add-on application from an external source if the device does not have a compatible add-on application.

Various embodiments of the present invention are illustrated only in the framework of some of its aspects. It should be understood that relevant embodiments of the present invention may relate to other aspects.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is described below by way of example only with reference to the accompanying drawings, wherein:

figure 1 shows a device according to one embodiment of the present invention;

figure 2 shows a registry table according to one embodiment of the present invention;

figure 3 shows various methods of installing and / or updating applications in a device according to one embodiment of the present invention;

figure 4 shows the sequence of operations according to one of the embodiments of the present invention; and

5 is a flowchart according to another embodiment of the present invention.

DETAILED DESCRIPTION

Figure 1 shows a device according to one embodiment of the present invention. The device 10 comprises a processor 11, a memory 12, and software 13, which is stored in the memory 12. The software 13 contains program code including instructions that the processor 11 executes to control the operation of the device 10. In one embodiment, the device 10 is mobile terminal or mobile phone.

In addition, the device 10 comprises a secure module or element 20, which includes a processor 21, an operating system 26, and one or more applications 25 for the secure element. In one embodiment of the present invention, the security element 20 is a smart card or chip integrated in the device 10, permanently attached to it, or removably mounted therein. In one embodiment of the present invention, the device includes a smart card slot into which the security element 20 can be inserted. In an embodiment of the invention, the security element 20 is a subscriber identity module. Typically, the security element 20 should be protected from unauthorized interference.

The device 10 may be connected to the security element 20. In practice, the device 10 may include a smart card interface or an interface module (not shown) that is in contact with the physical contacts of the security element. The interface may be connected to the processor 11 via a data bus (not shown). The security element 20 may determine different levels of security for various information contained therein. The device 10 may request information from the secure element 20 via an interface. Depending on the level of protection of the required information, the secure element 20 provides the required information to the device 10. For this purpose, the secure element 20 may comprise, for example, a security check module or a similar unit (not shown). This module may be implemented using software or an appropriate combination of software and hardware. It classifies different information by different levels of protection and checks whether the requestor (for example, device 10 or device software 13) has the appropriate rights to receive the requested information from the protected module 20.

The security element application 25 may be, for example, a payment application or a ticket issuing application. Application 25 is controlled by a secure element processor 21. If the operating system 26 of the secure element 20 is Java, the application 25 for the secure element may be called an applet. The secure element 20 provides an interface for accessing (usually passive) to the secure element from the outside. This interface can be created using software or related devices that use software and / or hardware and / or physical devices, such as connectors.

In addition, the device 10 includes a module 14 short-range communication with the antenna. The short-range communication module 14 is connected to the processor 11 and to the protected element 20. In one embodiment of the present invention, the short-range communication module 14 is an RFID communication module, for example, an RFID reader with means for working also in the RFID mode. An external device, such as a point-of-sale terminal or a proximity reader (not shown in FIG. 1), can communicate with the protected element 20 through the short-range communication module 14.

The device 10 also contains user interface applications 15 that are run by the processor 11. They can be called midlets. There must be one user interface application 15 for each application 25 for the secure element. The user interface application 15 implements the user interface for the corresponding application 25 for the secure element. Thus, the keyboard and display of the device 10 can be used as a user interface for the security element application 25.

Protected element 20 has a registry table or database 27. Table 27 may exist as a standalone application in a secure element chip. Alternatively, this feature may be implemented in the security element operating system 26. This table stores information about installed applications 25 for the protected element and complementary applications 15 of the user interface. For each application 25 for the protected element, this table contains information identifying the complementary application 15 that must be present in the device 10. This information can be represented in various ways. For example, this information may include the name (or some other identifier) and version number of the required complementary application 15. In an alternative embodiment of the present invention, table 27 contains both the name and the provider. In yet another alternative embodiment of the present invention, table 27 contains instructions for installing / updating the required add-on application 15. If the device does not have a specified add-on application 15 or a given version of the application, installation or update can be performed by following the instructions. These instructions may include, for example, the address of a network resource from which an application or update can be downloaded. This address can be represented as a uniform resource locator (URL, Uniform Resource Locator).

Figure 2 shows an embodiment of table 27. In this embodiment of the present invention, the table for each application 25 for the protected element (identified, for example, by the application identifier and version) contains information that accurately identifies the supplementing application 15 (name and version) and the place in Networks from where this application or update can be downloaded.

Figure 3 shows various ways of installing and / or updating applications in a device according to one embodiment of the present invention. In one embodiment, the secure element application or application update is installed in a non-contact manner using short-range communication. The application and / or installation file is transferred from the proximity reader 50 via short-range communication to the short-range communication module 14, and from there to the protected element 20 in which the installation is performed. According to another embodiment, the security element application or application update is installed via a radio installation (OTA, on-the air). In this embodiment, the application and / or installation file is transferred from the OTA server 30 via the communication network 40 to the device 10 using a cellular service, whether or not requiring a connection. To this end, the device contains a transceiver 18 of a cellular radio communication associated with the processor 11.

4 is a flowchart illustrating an installation process of an application for a protected item or updating an application. After receiving the application file or installation, the protected element processor 21 installs (step 41) the application for the protected element or updates the application to the protected element memory 20 (not shown for simplicity). If the new application is installed, create (step 42) an entry in table 27. As mentioned above, this entry contains (see step 43), for example, information that accurately identifies the supplementing application 15, as well as instructions on where to get it. If the installation consists in updating the existing application 25 for the protected element, if necessary, update (step 44) the corresponding section in the table. The need for updating the table may arise, for example, if the updated application 25 for the protected element requires updating supplementing application 15.

5 is a flowchart illustrating a process for synchronizing the operation of an application 25 for a secure element and a complementary application 15 according to one embodiment of the present invention. This process can be performed in specific situations; for example, when you turn on the device or immediately after updating the device software (the software of the device itself or the software of the protected item). At step 51, the processor 11, under the control of the device software 13, reads the protected element table 27 and at step 52 checks the complementary application 15 installed in the device 10. The device knows which applications are available in it. This information may be stored in the memory of device 12, for example, in a registry or database or similar device (not shown). The processor 11 refers to this source of information at step 52. If, based on the comparison at step 53, it is found that one or more additional applications are missing or, for example, have the wrong version, then they start or offer (step 54) an update or installation. The device software 13 may trigger an update or installation so that they are automatically performed without user intervention, for example, by radio through a cellular radio transceiver 18. Alternatively, device software 13 may ask the user if he wants to download the update or installation file. The device software may prompt the user to upgrade or install via a pop-up window or similar means and continue to work in accordance with the user's response.

Various embodiments of the present invention have been described. Although the term “user interface application” has been widely used, it is understood that the complementary application is not limited only to the user interface application, and other complementary applications may exist, for example, controlling or managing applications.

It should be understood that, in this document, each of the expressions “comprises”, “includes” and “consists of” is used as an open list, not implying exclusivity.

The previous description was made by means of non-limiting examples of the specific implementation and its implementation, as a complete and informative description of the preferred, from the point of view of the inventors, method and apparatus for implementing the invention. However, it will be apparent to those skilled in the art that the invention is not limited to the details of the embodiments presented above, and the invention can be carried out in other embodiments using equivalent means without departing from the features of the invention.

In addition, some of the features of the embodiments of the present invention disclosed above can be used to advantage without the corresponding use of other features. The previous description should be considered merely illustrative of the principles of the present invention, and not be construed as limiting. Therefore, the scope of the invention is limited only by the claims.

Claims (21)

1. A mobile communication device capable of accommodating a secure module in it that contains at least one application for the secure module, wherein the mobile communication device is configured to provide connectivity to the secure module, and comprises:
a short-range communication module configured to provide an interface for a secure module for interacting with an external source,
a processor configured to receive information from the secure module about at least one application for the secure module, and at least one application for the secure module is configured to execute an application related to payments and / or tickets, for the mobile device to contact a contactless transaction with an external source, while the processor is additionally configured to, based on the information received, check whether a compatible device is present in the mobile communication device a complementary application and a complementary application are configured to provide a user interface for a corresponding secure module application in a mobile communication device; and
a communication module connected to the processor and configured to receive a compatible add-on application from an external source if the device does not have a compatible add-on application. 2. The mobile communication device according to claim 1, which contains an interface for connecting to a secure module. 3. The mobile communication device according to claim 1, wherein the processor is configured to send a command to receive a complementary application to the communication module. 4. The mobile communication device according to claim 1, wherein said information includes a name or title identifier and a version identifier of a compatible complementary application. 5. The mobile communication device according to claim 1, wherein said information includes instructions for installing or updating a required compatible complementary application. 6. The mobile communication device according to claim 1, wherein said information indicates a network resource from which a compatible complementary application or update for a complementary application can be downloaded. 7. A mobile communication device, including:
a secure module that contains at least one application for a secure module, the device further comprising:
a processor configured to receive information from the secure module about at least one application for the secure module, and at least one application for the secure module is configured to execute an application related to payments and / or tickets, for the mobile device to contact a contactless transaction with an external source, while the processor is additionally configured to, based on the information received, check whether a compatible device is present in the mobile communication device a complementary application and a complementary application are configured to provide a user interface for a corresponding secure module application in a mobile communication device; and
a communication module connected to the processor and configured to receive a compatible add-on application from an external source if the device does not have a compatible add-on application. 8. The mobile communication device according to claim 7, which comprises an interface for connecting to a secure module. 9. The mobile communication device according to claim 7, wherein said add-on application is configured to provide a user interface for a secure module or an application for a secure module. 10. The mobile communication device according to claim 7, which contains a short-range communication module for transmitting information between an external proximity reader and a secure module. 11. A secure module containing:
a processing element for installing at least one application for the protected module in the protected module, wherein at least one application for the protected module is configured to execute an application related to payments and / or tickets for the mobile device to communicate without contact with an external source, and
a memory associated with the processing element for storing in the secure module information identifying a compatible add-on application, wherein the add-on application is configured to provide a user interface for a corresponding secure module application in a mobile communication device. 12. The secure module of claim 11, which comprises an interface for accessing the secure module from the device for hosting the secure module. 13. The secure module according to item 12, which contains a security check module to verify that the requestor has the appropriate rights to receive the requested information from the secure module. 14. The secure module of claim 11, which is a smart card. 15. A method for controlling a mobile communication device capable of providing a secure module in it, which comprises at least one application for the secure module, including:
obtaining from the secure module information of at least one application for the secure module, wherein at least one application for the secure module is configured to execute an application related to payments and / or tickets for the mobile device to communicate without contact with an external source;
based on the information received, checking the availability of a compatible complementary application in the device, while the complementary application is configured to provide a user interface for the corresponding secure module application in the mobile communication device, and
in case the device does not have a compatible add-on application, obtain a compatible add-on application from an external source. 16. The method of claim 15, wherein said information includes a name or title identifier and a version identifier of a compatible complementary application. 17. The method of claim 15, wherein said information includes instructions for installing or updating a required compatible complementary application. 18. The method of claim 15, wherein said information indicates a network resource from which a compatible complementary application or update can be downloaded. 19. A method for managing a secure module, comprising: installing at least one application for the secure module in the secure module, wherein at least one application for the secure module is configured to execute an application related to payments and / or tickets for the mobile device to communicate contactless transaction with an external source; and
storing information in the secure unit identifying a compatible add-on application that relates to at least one application for the secure unit, the add-on application being configured to provide a user interface for the corresponding secure unit application in the mobile communication device. 20. Machine-readable medium containing a code that enables the device to perform steps according to any one of paragraphs.15-18. 21. Machine-readable medium containing a code that enables the device to perform the steps of claim 19.

Images