EP1582053A2 - System and method for distributed authorization for access to a communications device - Google Patents
- Publication number
- EP1582053A2 (application EP03814848A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- information
- application
- access
- authorization
- specific data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/18—Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
- H04W8/20—Transfer of user or subscriber data
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/18—Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
- H04W8/183—Processing at user equipment or user record carrier
Definitions
- The invention relates to the field of communications, and more particularly to a distributed authorization system in which access to data on a mobile unit by onboard applications (such as the phone book, hardware identifiers or other data on a cellular telephone or other device) may be regulated by an authorization process performed on a remote server or other resource.
- Cellular telephones and other communications devices are now programmable in a variety of ways. For instance, many cellular telephones contain editable phone books to permit convenient storage and dialing of frequently-used or important numbers. Other cellular telephones or other devices have Web browsing, file sharing and other enhanced functionality, whether via a graphical user interface, voice commands or other interfaces. Moreover, cellular telephones are becoming available which include integrated positioning capability, such as the ability to track, record and communicate handset position via GPS or another location service. Other services are being and will be deployed. Over-the-air programming (OAP) standards, such as those employing the Java programming language, have enhanced the delivery of such services on an on-demand or other basis.
- OAP Over-the-air programming
- Handsets and other devices may have the storage capacity and intelligence to store a variety of sensitive or personal information, such as a handset's International Mobile Equipment Identity (IMEI) data, a subscriber identity module (SIM) ID or other related data, number assignment module (NAM) data, mobile identification number (MIN) data, electronic serial number (ESN) data, phone books, position tracking or other information.
- IMEI International Mobile Equipment Identity
- SIM subscriber identity module
- NAM number assignment module
- MIN mobile identification number
- ESN electronic serial number
- Devices which accept Java or other over-the-air code may be exposed to security risks from malicious code, such as viruses, malicious code disguised as games or ring tones, or other hostile code or data. Once a malicious process has entered the device, the user's sensitive hardware, phone book, positioning or other data could be exposed and compromised.
- While user-facing security measures may be incorporated, such as requiring a password on the handset interface before permitting access to hardware, phone book or other data, over-the-air and other threats may continue to test the integrity of the mobile device and its data, including by way of code which enters the device through comparatively low-level interfaces, such as application programming interfaces (APIs) and other open ports or interfaces. Better core-level security on communications devices is desirable. Other problems exist.
- APIs application programming interfaces
- The invention, overcoming these and other problems in the art, relates in one regard to a system and method for distributed authorization for access to a communications device, in which a cellular handset or other communications device may be equipped to receive requests for sensitive onboard data from Java or other applications.
- An authorization process may be initiated via a remote server or other resource.
- The communications device may present an API to internally executing programs through which all requests for sensitive data are made.
- The API may communicate those requests, for instance via an over-the-air interface, to a remote support server for authorization.
- The request may be checked against a permission access list enumerating the valid programs or processes which have access rights to the requested levels of data. When a request is validated, permission may be returned to the communications device to permit the requesting code to obtain the desired data.
- FIG. 1 illustrates a distributed authorization architecture, according to an embodiment of the invention.
- FIG. 2 illustrates an illustrative table for storing authorization parameters, according to an embodiment of the invention.
- FIG. 3 illustrates a user interface on a communications device displaying an authorization notification, according to an embodiment of the invention.
- FIG. 4 illustrates a flowchart of authorization processing, according to an embodiment of the invention.
- FIG. 1 illustrates a distributed authorization architecture in which an embodiment of the invention may operate.
- A communications device 102 may wirelessly communicate with an authorization server 118 to initiate and validate requests for access to device-specific data 110 made by applications running on communications device 102.
- Communications device 102 may be or include, for instance, a cellular telephone, a network-enabled wireless device such as a personal digital assistant (PDA) or personal information manager (PIM) equipped with an IEEE 802.11b or other wireless interface, a laptop or other portable computer equipped with an 802.11b or other wireless interface, or other communications or client devices.
- PDA personal digital assistant
- PIM personal information manager
- Device-specific data 110 may be or include, for instance, IMEI data, data from a SIM, chip-level data, phone books or contact lists or other personalized user settings, position tracking, electronic wallet, scheduling, cellular service or other billing, messaging such as short message service (SMS) or other text or other messaging, or other hardware-related, user-based or other information.
- Device-specific data 110 may be stored in communications device 102, for instance in erasable programmable read-only memory (EPROM), flash cards, or other electronic, optical or other media.
- EPROM erasable programmable read-only memory
- The communications device 102 may execute one or more applications 104, for instance a Java application, which in embodiments may include a Java Micro Edition application, a C or C++ program, or other program or code.
- Application 104 may be or include, for instance, a contact scheduler application, a phone book application, a Web browsing application, a financial application, a personal information manager (PIM) application, or other application or service.
- Application 104 may conform to or be implemented using the Java Mobile Information Device Profile (MIDP) standard, in which case such applications may be referred to as MIDlets, or other languages or environments.
- MIDP Java Mobile Information Device Profile
- Application 104 may be received over the air via antenna 112, or received or stored from other sources, such as a cable-connected download.
- The application 104 may interact with application programming interface 106.
- Application programming interface 106 may present a programming interface to application 104 to mediate requests to the set of device-specific data 110 on communications device 102 and perform other tasks.
- Application programming interface 106 may present application-accessible interfaces to data or object classes such as, for instance, network, user interface, data attributes and data content, and other resources.
- Native layer 108 may in embodiments operate at a comparatively low level in communications device 102, and act on requests passed by application programming interface 106 for device-specific data 110.
- Native layer 108 may, for example, in embodiments perform supervisory, file and memory management, and other tasks.
- When application 104 issues an access request 114 for device-specific data 110, application programming interface 106 may trap that access request 114 at the system level for offboard processing, before permitting any of device-specific data 110 to be released.
- Application programming interface 106 may communicate with authorization server 118 to authorize that access request 114.
- Application programming interface 106 may communicate with the authorization server 118 via server antenna 116, or other wireless or wired interfaces.
- Application programming interface 106 may transmit to authorization server 118 an access request 114 containing, for instance, the type of data requested from the set of device-specific data 110, the name or other identifying information for application 104, access parameters such as time of last access, passwords if requested, or other data related to the access request 114 for part or all of device-specific data 110.
- Authorization server 118 may maintain a set of authorization parameters 120 against which to process the access request 114 for access to device-specific data 110. As illustrated in FIG. 2, for example, authorization parameters 120 may be maintained in authorization table 124, which may be stored in or accessed by authorization server 118. Authorization table 124 may contain a set of application identifiers 126 (APP IDENTIFIER 1, APP IDENTIFIER 2 ... APP IDENTIFIER N, N arbitrary), which identifiers may in embodiments include a list of application names or other identifiers, such as "phonebook.MID", "contactlist.c", "positiontrack.exe" or other names or indicia.
- Authorization table 124 may likewise contain a set of associated access levels 128, correlated by application name or other indicia, which may indicate whether a given application 104 may be permitted to access device-specific data 110, and in embodiments at which levels or with what privileges (e.g., read, edit, or other) that access may be granted.
- Authorization server 118 may then transmit an authorization message 122 to communications device 102.
- The authorization message 122 may contain, for instance, a code, flag or other indication that application 104 may access device-specific data 110.
- The authorization message 122 may contain additional fields or variables by which access to device-specific data 110 may be regulated, for instance a privilege field or flag which indicates whether application 104 has the right to read, modify, erase or perform other actions on device-specific data 110.
- Authorization message 122 may likewise contain a timeout field which sets a period of time during which application 104 may access the desired data, after which the authorization expires. Other security variables are possible.
- The authorization may be granted for a single application 104, for more than one application, or for different applications at different times.
- Authorization to access device-specific data 110, as reflected in authorization message 122, may be made at differing levels for different parts of that data, depending on the sensitivity of the data, the nature of the application 104 making the access request 114, and other factors.
- When access is granted, the application programming interface 106 may pass the access request 114 to native layer 108, which may retrieve the requested data from device-specific data 110. Native layer 108 may then pass the retrieved device-specific data 110 to application programming interface 106 for delivery to application 104. Application 104 may then receive and read the requested part or whole of device-specific data 110, and operate on or modify that data. In embodiments, application 104 may also receive authorization to store modified data into device-specific data 110, to transmit the device-specific data 110 over the air interface of antenna 112, or to take other action, depending on the type or level of authorization received, network security and other parameters.
- Alternatively, the authorization message 122 may contain a deny flag or other indicator that application 104 may not access part or any of device-specific data 110.
- In that case, the communications device 102 may notify the user that an application or service has been denied access to device-specific or sensitive information. As illustrated in FIG. 3, that notification may be, for instance, a pop-up message 132 presented on a text or graphical user interface 130, a verbal message, or otherwise. This notification may, for instance, assist the user in deciding to run an anti-virus or other utility on communications device 102, or take other action.
- Denial of access to device-specific data 110 may also trigger automatic logging of application 104, automatic transmission of an anti-virus or other utility to communications device 102, or other action.
- In step 402, application 104 may request one or more parts of device-specific data 110 from the communications device 102 via application programming interface 106 and native layer 108, at the API or other level.
- In step 404, the access request 114 may be transmitted to the authorization server 118, for instance via an over-the-air protocol, which may be carried over a secure or other protocol such as secure sockets layer (SSL), hypertext transfer protocol secure (HTTPS) or another protocol or interface.
- SSL secure sockets layer
- HTTPS hypertext transfer protocol secure
- The request may, in embodiments, encapsulate data such as the name or other identifier of application 104, the type of data in device-specific data 110 being requested, and other information.
- The authorization server 118 may check the access request 114 by application 104 against authorization parameters 120 or other security fields or templates, make an authorization determination and communicate an authorization message 122 to communications device 102.
- The authorization message 122 may contain an indication that the access request 114 is granted, denied or deferred, that further information will be required, or that other action may be taken.
- If access is granted, the native layer 108 may read out the one or more parts of device-specific data 110 which application 104 has been authorized to access.
- The native layer 108 may communicate the one or more parts of device-specific data 110 which application 104 has been authorized to access to application programming interface 106.
- The application programming interface 106 may communicate the requested device-specific data 110 to the application 104. Processing may then repeat, return to an earlier point, continue to further processing or terminate.
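The exchange of FIG. 4, together with the authorization table of FIG. 2 and the privilege and timeout fields of authorization message 122, as an added example written for this page and not code from the patent. Everything concrete in it is assumed: the patent names the message fields and gives example identifiers such as "phonebook.MID" but fixes no wire format, so the data classes, the table contents, the 300-second timeout and the in-memory device data are constructed for illustration, and the server round trip is a local function call standing in for the SSL/HTTPS exchange between API 106 and server 118.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Server side: authorization parameters 120 held in authorization table 124.
# Constructed table: application identifier 126 -> data type -> privileges
# (access levels 128). Identifiers follow the examples in FIG. 2; the data
# types and privilege sets are assumed for illustration.
AUTH_TABLE = {
    "phonebook.MID": {"phonebook": {"read", "modify"}},
    "contactlist.c": {"phonebook": {"read"}},
    "positiontrack.exe": {"position": {"read"}},
}
DEFAULT_TIMEOUT_S = 300  # assumed value for the timeout field of message 122


@dataclass(frozen=True)
class AccessRequest:
    """Access request 114 as sent by API 106 (field layout assumed)."""
    app_id: str      # name or other identifier of application 104
    data_type: str   # which part of device-specific data 110 is wanted
    privilege: str   # "read", "modify", "erase", ...


@dataclass(frozen=True)
class AuthorizationMessage:
    """Authorization message 122 returned by server 118 (layout assumed)."""
    granted: bool
    privilege: Optional[str] = None
    expires_at: Optional[float] = None   # timeout field, as an absolute time
    reason: str = ""


def authorize(req: AccessRequest, now: float) -> AuthorizationMessage:
    """Authorization server 118: default-deny lookup against AUTH_TABLE.

    An unknown application, an unknown data type, or a privilege the table
    does not list for that pair all produce a deny message.
    """
    allowed = AUTH_TABLE.get(req.app_id, {}).get(req.data_type, set())
    if req.privilege not in allowed:
        return AuthorizationMessage(False, reason="not in permission access list")
    return AuthorizationMessage(True, req.privilege, now + DEFAULT_TIMEOUT_S)


class DeviceApi:
    """Application programming interface 106 on communications device 102.

    Every request for device-specific data 110 is trapped here and nothing
    is released until the server has returned a grant. Grants are cached
    until their timeout; after that the next request goes back to the server.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        # Constructed device-specific data 110 (phone book and position).
        self.device_data = {
            "phonebook": {"alice": "555-0100"},
            "position": {"lat": 0.0, "lon": 0.0},
        }
        self._grants = {}            # (app_id, data_type, privilege) -> message
        self.server_round_trips = 0  # how many times server 118 was consulted
        self.denial_log = []         # automatic logging of denied requests
        self.notifications = []      # text of pop-up message 132 for the user

    def _check(self, req: AccessRequest) -> bool:
        now = self.clock()
        key = (req.app_id, req.data_type, req.privilege)
        cached = self._grants.get(key)
        if cached is not None and cached.expires_at > now:
            return True                      # still inside the timeout
        self.server_round_trips += 1
        msg = authorize(req, now)            # stands in for the SSL/HTTPS exchange
        if not msg.granted:
            self.denial_log.append((now, req, msg.reason))
            self.notifications.append(
                f"{req.app_id} was denied {req.privilege} access to {req.data_type}")
            self._grants.pop(key, None)      # an expired grant is not reused
            return False
        self._grants[key] = msg
        return True

    def read(self, app_id: str, data_type: str):
        """Native layer 108 reads the data out only after a grant."""
        if not self._check(AccessRequest(app_id, data_type, "read")):
            return None
        return dict(self.device_data[data_type])

    def modify(self, app_id: str, data_type: str, key: str, value) -> bool:
        """The 'modify' privilege is checked separately from 'read'."""
        if not self._check(AccessRequest(app_id, data_type, "modify")):
            return False
        self.device_data[data_type][key] = value
        return True


if __name__ == "__main__":
    api = DeviceApi()
    print(api.read("phonebook.MID", "phonebook"))       # granted
    print(api.read("positiontrack.exe", "phonebook"))   # None: denied
    print(api.notifications)
```

Two properties worth checking against the text: the API is default-deny (an identifier, data type or privilege absent from the table produces a deny message, a log entry and a user notification), and a cached grant stops being honoured once its timeout passes, so the next request triggers a fresh round trip. One caveat the description leaves open: the identifier the server keys on is supplied by the requesting application, so the decision is only as strong as whatever binds that identifier to the code actually running (the text mentions passwords "if requested" as an additional request parameter); this example keys on the bare name, as the text does.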
- In embodiments, communications device 102 may operate without a native layer 108 of that type, for instance with some functionality distributed to authorization server 118 or otherwise.
- Communications device 102 may conversely contain or operate on other or multiple supervisory layers.
- Other hardware, software or other resources described as singular may be implemented as multiple or distributed resources, while other hardware, software or other resources described as distributed may likewise be implemented as integrated resources.
- The scope of the invention is accordingly intended to be limited only by the following claims.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
US33414102A | 2002-12-31 | 2002-12-31 |
US334141 | 2002-12-31 | |
PCT/US2003/040125 (WO2004062243A2) | 2002-12-31 | 2003-12-16 | System and method for distributed authorization for access to a communications device
Publications (2)
Publication Number | Publication Date
---|---
EP1582053A2 | 2005-10-05
EP1582053A4 | 2006-04-12
Family
ID=32710862
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
EP03814848A (EP1582053A4, withdrawn) | System and method for distributed authorization for access to a communications device | 2002-12-31 | 2003-12-16
Country Status (6)
Country | Link |
---|---|
EP (1) | EP1582053A4 (fr) |
JP (1) | JP2006514763A (fr) |
KR (1) | KR20050096114A (fr) |
CN (1) | CN1732674A (fr) |
AU (1) | AU2003297229A1 (fr) |
WO (1) | WO2004062243A2 (fr) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
JP4583152B2 * | 2004-12-10 | 2010-11-17 | Fujitsu Ltd. | Service processing method and program
US7707632B2 * | 2005-07-28 | 2010-04-27 | Mformation Technologies, Inc. | System and method for automatically altering device functionality
KR100785782B1 * | 2005-11-17 | 2007-12-18 | Electronics and Telecommunications Research Institute | Authority delegation system and method
EP1967026A2 * | 2005-12-30 | 2008-09-10 | Telecom Italia S.p.A. | Method for customizing the operation of a telephone terminal
WO2008060300A1 * | 2006-11-16 | 2008-05-22 | Dynomedia, Inc. | Systems and methods for distributed digital rights management
US8831223B2 | 2008-01-21 | 2014-09-09 | Telefonaktiebolaget L M Ericsson (Publ) | Abstraction function for mobile handsets
US8327006B2 * | 2011-02-24 | 2012-12-04 | Jibe Mobile | Endpoint device and article of manufacture for application to application communication over a network
EP2951676B1 | 2013-01-29 | 2020-12-30 | BlackBerry Limited | Managing application access to data
CN104283853B | 2013-07-08 | 2018-04-10 | Huawei Technologies Co., Ltd. | Method for improving information security, terminal device and network device
US20150195395A1 * | 2014-01-06 | 2015-07-09 | Desiree Gina McDowell-White | Secure Cloud-Based Phonebook
CN104951715A * | 2015-06-11 | 2015-09-30 | Lenovo (Beijing) Co., Ltd. | Information processing method and electronic device
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
EP0813132A2 * | 1996-06-11 | 1997-12-17 | International Business Machines Corporation | Support for trusted software distribution
EP0973350A2 * | 1998-07-17 | 2000-01-19 | Phone.Com Inc. | Method and apparatus for providing access control to local services of mobile devices
EP1107623A2 * | 1999-12-06 | 2001-06-13 | Nokia Mobile Phones Ltd. | Mobile station allowing user definition of a private area for restricting access to user application data
FR2822334A1 * | 2001-03-16 | 2002-09-20 | Schlumberger Systems & Service | Subscriber identity module with independent and secure management of a plurality of commands of at least one applet, in particular for mobile communication equipment
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US5835061A * | 1995-06-06 | 1998-11-10 | Wayport, Inc. | Method and apparatus for geographic-based communications service
JPH09319570A * | 1996-05-29 | 1997-12-12 | Sanyo Electric Co Ltd | Software license management system
EP1011274A1 * | 1998-12-16 | 2000-06-21 | TELEFONAKTIEBOLAGET L M ERICSSON (publ) | Method and arrangement for providing services in a telecommunications network
US6647260B2 * | 1999-04-09 | 2003-11-11 | Openwave Systems Inc. | Method and system facilitating web based provisioning of two-way mobile communications devices
JP2001117769A * | 1999-10-20 | 2001-04-27 | Matsushita Electric Ind Co Ltd | Program execution device
JP2002041170A * | 2000-07-27 | 2002-02-08 | Matsushita Electric Ind Co Ltd | Program execution control device
JP3853140B2 * | 2000-08-08 | 2006-12-06 | CEC Co., Ltd. | Software management system and billing method
2003
- 2003-12-16 WO PCT/US2003/040125 (WO2004062243A2): not active, application discontinuation
- 2003-12-16 JP JP2004565539A (JP2006514763A): pending
- 2003-12-16 AU AU2003297229A (AU2003297229A1): not active, abandoned
- 2003-12-16 KR KR1020057012427A (KR20050096114A): not active, application discontinuation
- 2003-12-16 EP EP03814848A (EP1582053A4): not active, withdrawn
- 2003-12-16 CN CNA2003801080253A (CN1732674A): pending
Non-Patent Citations (1)
Title |
---|
See also references of WO2004062243A2 * |
Also Published As
Publication number | Publication date |
---|---|
JP2006514763A (ja) | 2006-05-11 |
WO2004062243A3 (fr) | 2004-08-26 |
CN1732674A (zh) | 2006-02-08 |
AU2003297229A1 (en) | 2004-07-29 |
AU2003297229A8 (en) | 2004-07-29 |
WO2004062243A2 (fr) | 2004-07-22 |
KR20050096114A (ko) | 2005-10-05 |
EP1582053A4 (fr) | 2006-04-12 |
Similar Documents
Publication | Title
---|---
US6591095B1 | Method and apparatus for designating administrative responsibilities in a mobile communications device
EP2941729B1 | Protection and confidentiality of trusted service manager data
US8577334B1 | Restricted testing access for electronic device
US9198026B2 | SIM lock for multi-SIM environment
US11671832B2 | Unified enterprise management of wireless devices in a controlled environment
EP1950681A1 | Mobile terminal, access control management device and access control management method
US20100062808A1 | Universal integrated circuit card having a virtual subscriber identity module functionality
EP1542117A1 | Binding content to a user
KR101514753B1 | System and method for a secure store for sensitive financial information held on a mobile communication terminal
CN110876144B | Mobile application method, device and system for identity credentials
EP1582052B1 | System and method for distributed authorization and deployment of over-the-air provisioning for a communications device
WO2004062243A2 | System and method for distributed authorization for access to a communications device
US20210203652A1 | Subscriber Identity Management
CN115186254A | Data access control method and device, and terminal equipment
US10405183B2 | Purposed device system and method for smartphone
US11838985B2 | Policy-based management of embedded subscriber identity module (eSIM) profiles
US12127000B2 | Unified enterprise management of wireless devices in a controlled environment
CN113286289A | Permission confirmation method and electronic device
CN116669012A | Method for managing communication functions in user equipment
CN116491141A | System and method for making a SIM card a micro-platform
Siyaka et al. | Mobile Phone Cloning: A Conceptual Review
KR20090095697A | Mobile communication terminal with usage restriction, subscriber activation server, and usage restriction system and method using them
Legal Events
Date | Code | Title | Description
---|---|---|---
| PUAI | Public reference made under article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012
2005-08-01 | 17P | Request for examination filed |
| AK | Designated contracting states | Kind code of ref document: A2; Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR
| AX | Request for extension of the European patent | Extension state: AL LT LV MK
2006-02-28 | A4 | Supplementary search report drawn up and despatched |
| RIC1 | Information provided on IPC code assigned before grant | Ipc: H04Q 7/32 20060101ALI20060222BHEP; Ipc: H04Q 7/20 20060101ALI20060222BHEP; Ipc: H04M 3/00 20060101AFI20050627BHEP
| DAX | Request for extension of the European patent (deleted) |
| STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN
2006-12-19 | 18D | Application deemed to be withdrawn |
2023-05-20 | P01 | Opt-out of the competence of the Unified Patent Court (UPC) registered |