EP1872507A2 - Method and device for accessing a sim card housed in a mobile terminal - Google Patents

Method and device for accessing a sim card housed in a mobile terminal

Info

Publication number
EP1872507A2
EP1872507A2 EP06743638A EP06743638A EP1872507A2 EP 1872507 A2 EP1872507 A2 EP 1872507A2 EP 06743638 A EP06743638 A EP 06743638A EP 06743638 A EP06743638 A EP 06743638A EP 1872507 A2 EP1872507 A2 EP 1872507A2
Authority
EP
European Patent Office
Prior art keywords
cryptographic
terminal
sim card
entity
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP06743638A
Other languages
German (de)
French (fr)
Inventor
Sylvie Camus
David Picquenot
Anne-Sophie Dagorn
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Orange SA
Original Assignee
France Telecom SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by France Telecom SA filed Critical France Telecom SA
Publication of EP1872507A2 publication Critical patent/EP1872507A2/en
Withdrawn legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/40Security arrangements using identity modules
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • H04L2209/805Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

Definitions

  • the invention relates to the field of secure telecommunications, and in particular remote services secured by public key systems.
  • secure services include, for example, VPN connections to a corporate private network from an Internet network, online electronic signature, or SSL person authentication.
  • a cryptographic key of a public key algorithm includes a public part and a private part.
  • the public part is generally distributed without restriction to different users.
  • the validity of a certificate attests to the trust that one can have in the public key associated with an identity.
  • a standard certificate used on the Internet is the X.509v3. This standard defines a certificate including: - the public key to be certified;
  • attributes defining the rights of use of the key message signing key or secure Internet server key for example; and a cryptographic signature of these data by the private key of a certification authority issuing the certificate.
  • a PKI public key infrastructure (known as the Public Key Infrastructure) is used for certificate management.
  • a PKI infrastructure serves on the one hand to create certificates but also to manage their life (revocation, renewal ).
  • the VPN technique establishes an encrypted IP tunnel between the user's terminal and the corporate network.
  • the VPN technology is usually low * ed on an authentication and encryption architecture based on a password OTP (One Time Password) generated single use by a calculator, on a PKI architecture based on certificates and signature algorithms stored in the hard disk of the user's terminal, on a smart card inserted into a card reader connected to the user's terminal, or on a smart card integrated in a dongle connected to the USB port of the user's terminal.
  • OTP One Time Password
  • a smart card inserted into a card reader in credit card format, or integrated in a USB dongle requires the user to have an additional smart card causing additional cost and risk of being lost.
  • a smart card in credit card format requires the user to have a card reader.
  • a SIM card of his mobile phone needs to be transferred to a card reader of the terminal to be used during a certificate generation. This transfer operation is not easy, especially since the SIM card is in "micro-SIM" format of reduced dimensions.
  • the present invention aims to overcome these disadvantages.
  • the invention also aims to make it possible to exploit public key cryptography applications.
  • the invention thus relates to a cryptographic device comprising a terminal and a mobile telephone capable of exchanging data via a non-wired link, said cryptographic device being able to implement public key cryptographic protocols with other cryptographic entities, and the secret key of the cryptographic device being stored in the mobile phone and not in the terminal.
  • said terminal is able to establish a wired or non-wired link with another cryptographic entity and able to exchange data with said cryptographic entity via this link.
  • said other cryptographic entity is an access server to a computer network, and said data exchanges allow the terminal to authenticate with said server.
  • the invention also relates to a method for implementing a public key cryptographic operation, comprising a step of implementing public key cryptographic protocols between at least one cryptographic entity and a device comprising a mobile telephone storing a secret key of the device and comprising a terminal not storing said secret key, said terminal and said mobile phone exchanging data over a wireless link.
  • the data exchanges of said cryptographic protocols between said cryptographic entity and said device are carried out by a wired or non-wired link between said terminal and said other cryptographic entity.
  • said other cryptographic entity is an access server to a computer network and said data exchanges are authentication exchanges of said terminal with said server.
  • FIG. 1 represents a user station connected in VPN to a private network, according to the invention
  • FIG. 2 represents the different software layers implemented in the user station, according to the invention.
  • FIG. 3 details the implementation of various PKCS # 11 functions
  • FIG. 4 represents a user station connected to a signed documents publication server.
  • the invention proposes to exploit the capabilities of a smart card housed in a mobile terminal and having public key cryptography applications.
  • the smart card is then used as a cryptographic calculation tool in a PKI architecture, for example to implement authentication, encryption or signature functions.
  • a terminal connected to a network has a wireless link with the mobile terminal and a library of cryptographic functions.
  • a cryptographic function called in the library transmits a cryptographic operation command to the smart card via the wireless link.
  • the smart card executes the cryptographic operation and transmits its result to the terminal.
  • FIG. 1 shows a user station 6 according to the invention.
  • This user station 6 comprises a terminal 1 equipped with a communication module 8 in VPN with a private network 7 and having access to a SIM card 3 enabling the user to be authenticated in the private network 7.
  • the access of the user terminal 1 to the private network 7 is managed by a VPN gateway 4.
  • a server 44 has elements for forming a PKI infrastructure, such as a registration authority and a certification authority.
  • the connection between the terminal 1 and the SIM card 3 is performed via a wireless link 5, for example of the Bluetooth type, between the terminal 1 and a mobile terminal 2 in which a SIM card 3 of authentication of the mobile terminal 2 in a mobile network.
  • a wireless link 5 for example of the Bluetooth type
  • the mobile terminal 2 and the terminal 1 implement a set of protocols and procedures called SAP (SIM Access Profile) developed to provide access to a SIM card housed in a terminal, through the Bluetooth 5 link, in a completely transparent way.
  • SAP SIM Access Profile
  • the mobile terminal 2 comprises an SAP server module 20 which exchanges messages on one side with the SIM card 3 via a reader 21 in accordance with the ISO 7816-3 standard, and the other with the Bluetooth link 5 via a layer 22 implementing the Serial Cable Emulation Protocol (RFCOMM) emulating a serial link, and a low level layer 23 making it possible to establish a Bluetooth radio link with other terminals.
  • SAP server module 20 which exchanges messages on one side with the SIM card 3 via a reader 21 in accordance with the ISO 7816-3 standard, and the other with the Bluetooth link 5 via a layer 22 implementing the Serial Cable Emulation Protocol (RFCOMM) emulating a serial link, and a low level layer 23 making it possible to establish a Bluetooth radio link with other terminals.
  • RCOMM Serial Cable Emulation Protocol
  • the SIM card 3 has a number of public key cryptography applications, including cryptographic operations for authentication, encryption or signature.
  • An application using cryptographic tools 35 uses a PKCS # 11 module 24 having access on the one hand to a communication module 26 and to a PC / interface module. SC 25 with a SIM card. PKCS # 11 24 and PC / SC 25 modules are standard.
  • the modules 24 use a library 40 of public key cryptographic operations functions when the user application 35 requires a public key cryptography operation to be performed in the smart card 3 housed in the mobile terminal 2.
  • the modules 24 also use SIM card access and control functions, performed by the PC / SC interface module 25.
  • a function of the library 40 called via its programming interface by the user application 35, thus applies a cryptographic operation command on the interface module 25.
  • the interface module 25 transmits this command as a message to a virtual driver 27.
  • the virtual driver 27 relays and adapts this message to an SAP module 31.
  • the library 40 is essential to allow the use of public key cryptography applications available in the smart card 3 housed in the reader 2.
  • the library 40 is, for example, example installed on a terminal 1 of type
  • the SIM card 3 housed in the terminal 2 is provided with applications 41 of public key cryptography.
  • the cryptography operations proposed by the card can notably include the generation or the verification of signature, encryption / decryption of data, generation of certificates or authentication.
  • These applications 41 are for example in the form of JavaCard (registered trademark) applets installed in the SIM card or in the form of a WIM module (for "Wireless Identity Module” in English) integrated in the SIM card.
  • a WIM module is typically used by WAP browsers located in a mobile terminal.
  • Public key cryptography applications 41 of the card can then be exploited so that the terminal 1 can execute applications using cryptographic operations, such as the VPN or the electronic signature.
  • the programming interface of the library 40 may be of the CAPI or PKCS # 11 type.
  • the standard PKCS # 11 API is public and free to use.
  • This programming interface provides low-level cryptographic functions such as key generation and storage, electronic signature, or data encryption and decryption.
  • This programming interface is called in a number of software to open their cryptography features to third-party providers.
  • the CAPI programming interface is exclusively available on Windows platforms. This programming interface provides application security functions and signature verification and chain management functions for trusted certificates.
  • the CAPI programming interface pools cryptographic resources of different user applications. Libraries of cryptographic functions called CSP (for "Crypto Service Provider" in English) interface with CAPI to provide security services.
  • CSP for "Crypto Service Provider” in English
  • SIM 3 is implemented as an applet and the library 40 is of the type
  • PKCS # 11 The data is thus exchanged in the form of ADPU (for "Application Protocol Data Unit” in English).
  • the table in Figure 3 illustrates different PKCS # 11 functions and their implementation according to Javacard or WIM.
  • the table also specifies the functions used during an authentication intended to form a virtual private network.
  • the abbreviations used are: QRD: reference data qualifier, RD: reference data,
  • VD verification data
  • FP file path
  • HO high offset
  • LO reduced offset
  • Lc Length of the data field.
  • the terminal 1 comprises an SAP client module 31, which communicates with the SAP server module 20 via a layer 32 implementing the RFCOMM protocol and a low level layer 33 of Bluetooth 5 radio link establishment, these three layers being collected in a Bluetooth module
  • the SAP server 20 and client 31 modules only exchange messages with the SIM card 3, and apply commands to it, such as commands for switching the SIM card on and off.
  • the SAP client module 31 is designed to execute a connection procedure with the SAP server module 20 via a Bluetooth link, and a disconnect procedure.
  • the SAP server module 20 is designed to interrogate the SIM card reader 21 and the SIM card that can be read by the reader 21, and send back to the SAP client module 31 information on the state of the reader 21, the presence of a SIM card in the reader 21 and the state of the SIM card 3.
  • the SAP client module 31 is in particular designed to issue commands for the SIM card 3 for switching on / off, initialization and control containing APDU (Application Protocol Data Unit) messages, the SAP server module being designed to relay these commands for application to the SIM card via the reader 21.
  • the SAP server module is also designed to notify the SAP client module 31 of all status change events of the SIM card 3 housed in the reader 21, for example as a result of a user action of inserting or removing the card from the reader.
  • the PC / SC interface module 25 is designed to communicate with several readers 39 of smart cards (memory cards or microprocessor) or SIM cards 42, through drivers 38 adapted to the readers.
  • a virtual pilot 27 is designed to relay and adapt the messages exchanged between the interface module 25 and the SAP module 31, these messages containing information exchanged with the SIM card 3.
  • the exchange of messages between the virtual pilot 27 and the SAP client 31 is for example performed using an exchange memory or communication 28 in which the messages to be transmitted are inserted.
  • the virtual pilot 27 is designed as a driver 38. It notably enables the user to select a mobile terminal or to add a mobile terminal in order to pair it with its terminal 1.
  • the PC / SC interface module comprises a resource management module 37 and a service provider module 36.
  • the resource management module 37 is designed to detect accessible smart cards and make this information available to several applications such as the user application 35. This module 37 is also designed to manage requests for access to smart cards issued by applications, and order smart cards.
  • the service provider module 36 is designed to offer applications high-level functions, linking several commands applied to a smart card to perform a single function of access or processing of information provided by it, these functions including in particular cryptographic and authenticating functions.
  • Figure 4 illustrates the application of the invention to the signing of documents and their publication.
  • a document is selected by a user of the terminal 1.
  • An application of the terminal 1 requires the library to generate a cryptographic signature command to the SIM card 3. This command and the document are transmitted to the mobile terminal 2 and to the SIM card 3 according to the mechanisms described previously.
  • the SIM card 3 processes the command and performs the cryptographic signature from a cryptographic application that it stores.
  • the SIM card 3 transmits the signed document to the terminal 1.
  • the terminal 1 then transmits the signed document to a server 43 for publication of signed documents.
  • the person skilled in the art can notably consider a wireless proximity link of the IrDA (infrared) or non-contact NFC type (defined in the ISO 14443 standard). All that is required is then to provide the mobile terminal with a software module for accessing the SIM for scanning the IrDA or contactless ports if necessary, and for providing the terminal 1 with a PC / SC interface 25 specific to a communication with this scanning software module.
  • a mobile terminal 2 of the card emulation mode (“card emulation mode" in English) can be passed for a contactless card. If the SIM card 3 is connected to its contactless communication module, the module 25 of the terminal 1 will be able to access the cryptographic applications of the SIM card.
  • the invention has been described in its application to the formation of a VPN connection or to the publication of signed documents, the invention can also be applied to other applications and in particular to User authentication when connecting to any network, including an IP network such as the Internet.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Computer And Data Communications (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention concerns a cryptographic device (6) comprising a terminal (1) and a mobile telephone (2) capable of exchanging data via a wireless link (5), said cryptographic device (6) being adapted to use public key cryptographic protocols with other cryptographic entities (4, 43), and the secret key of the cryptographic device is stored in the mobile telephone (2) and not in the terminal.

Description

PROCÉDÉ ET DISPOSITIF D'ACCES A UNE CARTE SIM LOGÉE DANS UN TERMINAL MOBILE METHOD AND DEVICE FOR ACCESSING A SIM CARD HOSTED IN A MOBILE TERMINAL
L'invention concerne le domaine des télécommunications sécurisées, et en particulier les services à distance sécurisés par des systèmes à clés publiques. De tels services sécurisés comprennent par exemple les connexions en VPN à un réseau privé d'entreprise depuis un réseau Internet, la signature électronique en ligne ou l'authentification d'une personne selon le protocole SSL.The invention relates to the field of secure telecommunications, and in particular remote services secured by public key systems. Such secure services include, for example, VPN connections to a corporate private network from an Internet network, online electronic signature, or SSL person authentication.
Une clé cryptographique d'un algorithme à clé publique comprend une partie publique et une partie privée. La partie publique est généralement diffusée sans restriction à différents utilisateurs. La validité d'un certificat atteste de la confiance que l'on peut avoir dans la clé publique associée à une identité. Un standard de certificat utilisé sur Internet est le X.509v3. Ce standard définit un certificat comprenant notamment : -la clé publique à certifier ;A cryptographic key of a public key algorithm includes a public part and a private part. The public part is generally distributed without restriction to different users. The validity of a certificate attests to the trust that one can have in the public key associated with an identity. A standard certificate used on the Internet is the X.509v3. This standard defines a certificate including: - the public key to be certified;
-l'identité de son détenteur ; -la période de validité de la clé ;-the identity of its holder; -the validity period of the key;
-des attributs définissant les droits d'utilisation de la clé : clé de signature de message ou clé de serveur Internet sécurisé par exemple ; et -une signature cryptographique de ces données par la clé privée d'une autorité de certification émettrice du certificat.attributes defining the rights of use of the key: message signing key or secure Internet server key for example; and a cryptographic signature of these data by the private key of a certification authority issuing the certificate.
Une infrastructure à clé publique PKI (désignée par le terme « Public Key Infrastructure » en anglais) est utilisée pour la gestion des certificats. Une infrastructure PKI sert d'une part à créer des certificats mais aussi à gérer leur vie (révocation, renouvellement... ).A PKI public key infrastructure (known as the Public Key Infrastructure) is used for certificate management. A PKI infrastructure serves on the one hand to create certificates but also to manage their life (revocation, renewal ...).
Pour créer un accès sécurisé à un réseau privé d'entreprise depuis un réseau ouvert de type Internet, la technique du VPN établit un tunnel IP chiffré entre le terminal de l'utilisateur et le réseau d'entreprise. La technique du VPN est usuellement bas*ée sur une architecture d'authentification et de chiffrement reposant sur un mot de passe OTP (One Time Password) à usage unique généré par une calculette, sur une architecture PKI basée sur des certificats et des algorithmes de signature stockés dans le disque dur du terminal de l'utilisateur, sur une carte à puce insérée dans un lecteur de cartes connecté au terminal de l'utilisateur, ou sur une carte à puce intégrée dans un dongle connecté au port USB du terminal de l'utilisateur.To create secure access to a corporate private network from an open Internet-like network, the VPN technique establishes an encrypted IP tunnel between the user's terminal and the corporate network. The VPN technology is usually low * ed on an authentication and encryption architecture based on a password OTP (One Time Password) generated single use by a calculator, on a PKI architecture based on certificates and signature algorithms stored in the hard disk of the user's terminal, on a smart card inserted into a card reader connected to the user's terminal, or on a smart card integrated in a dongle connected to the USB port of the user's terminal.
Ces différentes alternatives présentent des inconvénients. L'ergonomie d'une calculette de génération de mots de passe à usage unique est limitée : l'utilisateur doit d'abord lire le code sur la calculette, puis le saisir sur son terminal. Un certificat logiciel mémorisé dans un disque dur est relativement vulnérable aux attaques.These different alternatives have disadvantages. The ergonomics of a calculator for generating one-time passwords is limited: the user must first read the code on the calculator and then enter it on his terminal. A software certificate stored in a hard disk is relatively vulnerable to attack.
Une carte à puce, insérée dans un lecteur de cartes au format carte de crédit, ou intégrée dans un dongle USB oblige l'utilisateur à disposer d'une carte à puce supplémentaire occasionnant un surcoût et risquant d'être perdue. De plus, une carte à puce au format carte de crédit impose à l'utilisateur de disposer d'un lecteur de cartes. Une carte SIM de son téléphone mobile nécessite d'être transférée dans un lecteur de carte du terminal pour être utilisée lors d'une génération de certificat. Cette opération de transfert s'avère peu aisée, d'autant plus que la carte SIM est au format « micro-SIM » de dimensions réduites. La présente invention a pour but de remédier à ces inconvénients.A smart card, inserted into a card reader in credit card format, or integrated in a USB dongle requires the user to have an additional smart card causing additional cost and risk of being lost. In addition, a smart card in credit card format requires the user to have a card reader. A SIM card of his mobile phone needs to be transferred to a card reader of the terminal to be used during a certificate generation. This transfer operation is not easy, especially since the SIM card is in "micro-SIM" format of reduced dimensions. The present invention aims to overcome these disadvantages.
L'invention vise également à permettre d'exploiter des applications de cryptographie à clé publique. L'invention porte ainsi sur un dispositif cryptographique comprenant un terminal et un téléphone mobile pouvant échanger des données via une liaison non-filaire, ledit dispositif cryptographique étant apte à mettre en œuvre des protocoles cryptographiques à clé publique avec d'autres entités cryptographiques, et la clé secrète du dispositif cryptographique étant mémorisée dans le téléphone mobile et pas dans le terminal.The invention also aims to make it possible to exploit public key cryptography applications. The invention thus relates to a cryptographic device comprising a terminal and a mobile telephone capable of exchanging data via a non-wired link, said cryptographic device being able to implement public key cryptographic protocols with other cryptographic entities, and the secret key of the cryptographic device being stored in the mobile phone and not in the terminal.
Avantageusement, le vol éventuel du terminal seul, ou du téléphone mobile seul, ne permettrait pas au voleur d'usurper l'identité du dispositif cryptographique selon l'invention. Selon une variante, ledit terminal est apte à établir une liaison filaire ou non-filaire avec une autre entité cryptographique et apte à échanger des données avec ladite entité cryptographique par l'intermédiaire de cette liaison.Advantageously, the possible theft of the terminal alone, or the mobile phone alone, would not allow the thief to impersonate the cryptographic device according to the invention. According to a variant, said terminal is able to establish a wired or non-wired link with another cryptographic entity and able to exchange data with said cryptographic entity via this link.
Selon encore une variante, ladite autre entité cryptographique est un serveur d'accès à un réseau informatique, et lesdits échanges de données permettent au terminal de s'authentifier auprès dudit serveur.According to another variant, said other cryptographic entity is an access server to a computer network, and said data exchanges allow the terminal to authenticate with said server.
L'invention porte également sur un procédé de mise en œuvre d'une opération de cryptographie à clé publique, comprenant une étape de mise en œuvre de protocoles cryptographiques à clé publique entre au moins une entité cryptographique et un dispositif comprenant un téléphone mobile mémorisant une clé secrète du dispositif et comprenant un terminal ne mémorisant pas ladite clé secrète, ledit terminal et ledit téléphone mobile échangeant des données par une liaison sans fil.The invention also relates to a method for implementing a public key cryptographic operation, comprising a step of implementing public key cryptographic protocols between at least one cryptographic entity and a device comprising a mobile telephone storing a secret key of the device and comprising a terminal not storing said secret key, said terminal and said mobile phone exchanging data over a wireless link.
Selon une variante, les échanges de données desdits protocoles cryptographiques entre ladite entité cryptographique et ledit dispositif sont effectués par une liaison filaire ou non-filaire entre ledit terminal et ladite autre entité cryptographique.According to one variant, the data exchanges of said cryptographic protocols between said cryptographic entity and said device are carried out by a wired or non-wired link between said terminal and said other cryptographic entity.
Selon encore une variante, ladite autre entité cryptographique est un serveur d'accès à un réseau informatique et lesdits échanges de données sont des échanges d'authentification dudit terminal auprès dudit serveur.According to another variant, said other cryptographic entity is an access server to a computer network and said data exchanges are authentication exchanges of said terminal with said server.
D'autres caractéristiques et avantages de l'invention ressortiront clairement de la description qui en est faite ci-après, à titre indicatif et nullement limitatif, en référence aux dessins annexés, dans lesquels :Other characteristics and advantages of the invention will emerge clearly from the description which is given hereinafter, by way of indication and in no way limitative, with reference to the appended drawings, in which:
-la figure 1 représente un poste d'utilisateur connecté en VPN à un réseau privé, selon l'invention ;FIG. 1 represents a user station connected in VPN to a private network, according to the invention;
-la figure 2 représente les différentes couches logicielles mises en œuvre dans le poste d'utilisateur, selon l'invention ;FIG. 2 represents the different software layers implemented in the user station, according to the invention;
-la figure 3 détaille la mise en œuvre de différentes fonctions PKCS#11; -la figure 4 représente un poste d'utilisateur connecté à un serveur de publication de documents signés. L'invention propose d'exploiter les capacités d'une carte à puce logée dans un terminal mobile et disposant d'applications de cryptographie à clé publique. La carte à puce est alors utilisée comme outil de calcul cryptographique dans une architecture de PKI, par exemple pour mettre en œuvre des fonctions d'authentification, de chiffrement ou de signature. Un terminal connecté à un réseau dispose d'une liaison sans fil avec le terminal mobile et d'une librairie de fonctions cryptographiques. Une fonction cryptographique appelée dans la librairie transmet une commande d'opération cryptographique à la carte à puce par l'intermédiaire de la liaison sans fil. La carte à puce exécute l'opération cryptographique et transmet son résultat au terminal.FIG. 3 details the implementation of various PKCS # 11 functions; FIG. 4 represents a user station connected to a signed documents publication server. The invention proposes to exploit the capabilities of a smart card housed in a mobile terminal and having public key cryptography applications. The smart card is then used as a cryptographic calculation tool in a PKI architecture, for example to implement authentication, encryption or signature functions. A terminal connected to a network has a wireless link with the mobile terminal and a library of cryptographic functions. A cryptographic function called in the library transmits a cryptographic operation command to the smart card via the wireless link. The smart card executes the cryptographic operation and transmits its result to the terminal.
La figure 1 représente un poste d'utilisateur 6 selon l'invention. Ce poste utilisateur 6 comprend un terminal 1 équipé d'un module de communication 8 en VPN avec un réseau privé 7 et ayant accès à une carte SIM 3 permettant à l'utilisateur d'être authentifié dans le réseau privé 7. L'accès du terminal 1 au réseau privé 7 est géré par une passerelle VPN 4. Un serveur 44 dispose d'éléments destinés à former une infrastructure PKI, tels qu'une autorité d'enregistrement et une autorité de certification.Figure 1 shows a user station 6 according to the invention. This user station 6 comprises a terminal 1 equipped with a communication module 8 in VPN with a private network 7 and having access to a SIM card 3 enabling the user to be authenticated in the private network 7. The access of the user terminal 1 to the private network 7 is managed by a VPN gateway 4. A server 44 has elements for forming a PKI infrastructure, such as a registration authority and a certification authority.
La liaison entre le terminal 1 et la carte SIM 3 est effectuée par l'intermédiaire d'une liaison sans fil 5, par exemple de type Bluetooth, entre le terminal 1 et un terminal mobile 2 dans lequel est logée une carte SIM 3 d'authentification du terminal mobile 2 dans un réseau mobile.The connection between the terminal 1 and the SIM card 3 is performed via a wireless link 5, for example of the Bluetooth type, between the terminal 1 and a mobile terminal 2 in which a SIM card 3 of authentication of the mobile terminal 2 in a mobile network.
De cette manière, l'utilisateur n'a pas besoin de disposer d'une carte SIM spécifique pour accéder au réseau 7 ou de manipuler la carte SIM de son terminal mobile 2 pour l'insérer dans un autre lecteur connecté à son terminal 1. Dans le cadre du protocole Bluetooth, le terminal mobile 2 et le terminal 1 mettent en œuvre un ensemble de protocoles et de procédures appelées SAP (SIM Access Profile) développées pour donner accès à une carte SIM logée dans un terminal, par l'intermédiaire de la liaison Bluetooth 5, d'une manière totalement transparente. Ainsi, sur la figure 2, le terminal mobile 2 comprend un module serveur SAP 20 qui échange des messages d'un côté avec la carte SIM 3 par l'intermédiaire d'un lecteur 21 conforme à la norme ISO 7816-3, et de l'autre avec la liaison Bluetooth 5 par l'intermédiaire d'une couche 22 implémentant le protocole RFCOMM (Sériai Cable Emulation Protocol) émulant une liaison série, et une couche de bas niveau 23 permettant d'établir une liaison radio Bluetooth avec d'autres terminaux.In this way, the user does not need to have a specific SIM card to access the network 7 or to manipulate the SIM card of his mobile terminal 2 to insert it into another reader connected to his terminal 1. As part of the Bluetooth protocol, the mobile terminal 2 and the terminal 1 implement a set of protocols and procedures called SAP (SIM Access Profile) developed to provide access to a SIM card housed in a terminal, through the Bluetooth 5 link, in a completely transparent way. Thus, in FIG. 2, the mobile terminal 2 comprises an SAP server module 20 which exchanges messages on one side with the SIM card 3 via a reader 21 in accordance with the ISO 7816-3 standard, and the other with the Bluetooth link 5 via a layer 22 implementing the Serial Cable Emulation Protocol (RFCOMM) emulating a serial link, and a low level layer 23 making it possible to establish a Bluetooth radio link with other terminals.
La carte SIM 3 dispose d'un certain nombre d'applications de cryptographie à clé publique, permettant notamment de réaliser des opérations cryptographiques d'authentification, de chiffrement ou de signature.The SIM card 3 has a number of public key cryptography applications, including cryptographic operations for authentication, encryption or signature.
Une application utilisatrice d'outils cryptographiques 35, utilisée en lien avec l'accès au réseau 7, fait appel à un module PKCS#11 24 ayant accès d'une part à un module de communication 26 et à un module d'interface PC/SC 25 avec une carte SIM. Les modules PKCS#11 24 et PC/SC 25 sont standards. Les modules 24 font appel à une librairie 40 de fonctions d'opérations de cryptographie à clé publique lorsque l'application utilisatrice 35 requiert qu'une opération de cryptographie à clé publique soit réalisée dans la carte à puce 3 logée dans le terminal mobile 2. Les modules 24 font aussi appel à des fonctions d'accès et de commande de carte SIM, réalisées par le module d'interface PC/SC 25. Une fonction de la librairie 40 appelée par l'intermédiaire de son interface de programmation par l'application utilisatrice 35, applique ainsi une commande d'opération de cryptographie sur le module d'interface 25. Le module d'interface 25 transmet cette commande sous forme de message à un pilote virtuel 27. Le pilote virtuel 27 relaye et adapte ce message à un module SAP 31. La librairie 40 est indispensable pour permettre d'utiliser les applications de cryptographie à clé publiques disponibles dans la carte à puce 3 logée dans le lecteur 2. La librairie 40 est par exemple installée sur un terminal 1 de type PC.An application using cryptographic tools 35, used in connection with network access 7, uses a PKCS # 11 module 24 having access on the one hand to a communication module 26 and to a PC / interface module. SC 25 with a SIM card. PKCS # 11 24 and PC / SC 25 modules are standard. The modules 24 use a library 40 of public key cryptographic operations functions when the user application 35 requires a public key cryptography operation to be performed in the smart card 3 housed in the mobile terminal 2. The modules 24 also use SIM card access and control functions, performed by the PC / SC interface module 25. A function of the library 40 called via its programming interface by the user application 35, thus applies a cryptographic operation command on the interface module 25. The interface module 25 transmits this command as a message to a virtual driver 27. The virtual driver 27 relays and adapts this message to an SAP module 31. The library 40 is essential to allow the use of public key cryptography applications available in the smart card 3 housed in the reader 2. The library 40 is, for example, example installed on a terminal 1 of type PC.
La carte SIM 3 logée dans le terminal 2 est munie d'applications 41 de cryptographie à clé publique. Les opérations de cryptographie proposées par la carte peuvent notamment comprendre la génération ou la vérification de signature, le chiffrement/déchiffrement de données, la génération de certificats ou Pauthentification. Ces applications 41 se présentent par exemple sous la forme d'applets JavaCard (marque déposée) installés dans la carte SIM ou sous la forme d'un module WIM (pour « Wireless Identity Module » en anglais) intégré à la carte SIM. Un module WIM est typiquement utilisé par des navigateurs WAP localisés dans un terminal mobile.The SIM card 3 housed in the terminal 2 is provided with applications 41 of public key cryptography. The cryptography operations proposed by the card can notably include the generation or the verification of signature, encryption / decryption of data, generation of certificates or authentication. These applications 41 are for example in the form of JavaCard (registered trademark) applets installed in the SIM card or in the form of a WIM module (for "Wireless Identity Module" in English) integrated in the SIM card. A WIM module is typically used by WAP browsers located in a mobile terminal.
Des applications 41 de cryptographie à clé publique de la carte peuvent alors être exploitées pour que le terminal 1 puisse exécuter des applications utilisatrices d'opérations cryptographiques, telles que le VPN ou la signature électronique.Public key cryptography applications 41 of the card can then be exploited so that the terminal 1 can execute applications using cryptographic operations, such as the VPN or the electronic signature.
L'interface de programmation de la librairie 40 peut être du type CAPI ou PKCS#11.The programming interface of the library 40 may be of the CAPI or PKCS # 11 type.
Le standard de l'interface de programmation PKCS#11 est public et libre d'utilisation. Cette interface de programmation propose des fonctions cryptographiques de bas niveau telles que la génération et le stockage d'une clef, la signature électronique, ou le chiffrement et le déchiffrement des données. Cette interface de programmation est appelée dans un certain nombre de logiciels visant à ouvrir leurs fonctionnalités de cryptographie à des fournisseurs tiers.The standard PKCS # 11 API is public and free to use. This programming interface provides low-level cryptographic functions such as key generation and storage, electronic signature, or data encryption and decryption. This programming interface is called in a number of software to open their cryptography features to third-party providers.
L'interface de programmation CAPI est exclusivement disponible sur les plates-formes Windows. Cette interface de programmation offre des fonctions de sécurité applicative et des fonctions de vérification de signature et de gestion de chaîne de certificats de confiance. L'interface de programmation CAPI mutualise des ressources cryptographiques des différentes applications utilisatrices. Des librairies de fonctions cryptographiques appelées CSP (pour « Crypto Service Provider » en anglais) s'interfacent sous CAPI pour offrir des services de sécurité.The CAPI programming interface is exclusively available on Windows platforms. This programming interface provides application security functions and signature verification and chain management functions for trusted certificates. The CAPI programming interface pools cryptographic resources of different user applications. Libraries of cryptographic functions called CSP (for "Crypto Service Provider" in English) interface with CAPI to provide security services.
Un exemple d'échanges entre la librairie 40 et la carte SIM 3 logée dans le terminal 2 est détaillé ci-dessous. Dans cet exemple, l'application 41 de la carteAn example of exchanges between the library 40 and the SIM card 3 housed in the terminal 2 is detailed below. In this example, the map application 41
SIM 3 est mise en œuvre sous forme d'applet et la librairie 40 est du typeSIM 3 is implemented as an applet and the library 40 is of the type
PKCS#11. Les données sont ainsi échangées sous forme d'ADPU (pour « Application Protocol Data Unit » en anglais). PKCS # 11. The data is thus exchanged in the form of ADPU (for "Application Protocol Data Unit" in English).
Le tableau de la figure 3 illustre différentes fonctions PKCS#11 et leur mise en œuvre selon Javacard ou WIM. Le tableau précise également les fonctions utilisées lors d'une authentification destinée à former un réseau privé virtuel. Les abréviations utilisées sont les suivantes : QRD : qualificateur des données de référence, RD : données de référence,The table in Figure 3 illustrates different PKCS # 11 functions and their implementation according to Javacard or WIM. The table also specifies the functions used during an authentication intended to form a virtual private network. The abbreviations used are: QRD: reference data qualifier, RD: reference data,
VD : données de vérification, FP : chemin d'accès au fichier, HO : décalage élevé,VD: verification data, FP: file path, HO: high offset,
LO : décalage réduit, Lc : Longueur du champ de données.LO: reduced offset, Lc: Length of the data field.
On va maintenant détailler les mécanismes de communication entre le terminal 1 et la carte SIM 3. Le terminal 1 comprend un module client SAP 31, qui communique avec le module serveur SAP 20 par l'intermédiaire d'une couche 32 implémentant le protocole RFCOMM et une couche de bas niveau 33 d'établissement de liaison radio Bluetooth 5, ces trois couches étant rassemblées dans un module BluetoothWe will now detail the communication mechanisms between the terminal 1 and the SIM card 3. The terminal 1 comprises an SAP client module 31, which communicates with the SAP server module 20 via a layer 32 implementing the RFCOMM protocol and a low level layer 33 of Bluetooth 5 radio link establishment, these three layers being collected in a Bluetooth module
30. Les modules SAP serveur 20 et client 31 ne font qu'échanger des messages avec la carte SIM 3, et lui appliquer des commandes, telles que des commandes de mise sous/hors tension de la carte SIM.30. The SAP server 20 and client 31 modules only exchange messages with the SIM card 3, and apply commands to it, such as commands for switching the SIM card on and off.
Le module SAP client 31 est conçu pour exécuter une procédure de connexion avec le module SAP serveur 20 par l'intermédiaire d'une liaison Bluetooth, et une procédure de déconnexion. Lorsqu'une liaison est établie, le module SAP serveur 20 est conçu pour interroger le lecteur 21 de carte SIM et la carte SIM susceptible d'être lue par le lecteur 21, et renvoyer au module SAP client 31 des informations sur l'état du lecteur 21, sur la présence d'une carte SIM dans le lecteur 21 et sur l'état de la carte SIM 3.The SAP client module 31 is designed to execute a connection procedure with the SAP server module 20 via a Bluetooth link, and a disconnect procedure. When a link is established, the SAP server module 20 is designed to interrogate the SIM card reader 21 and the SIM card that can be read by the reader 21, and send back to the SAP client module 31 information on the state of the reader 21, the presence of a SIM card in the reader 21 and the state of the SIM card 3.
Le module SAP client 31 est en particulier conçu pour émettre des ordres destinés à la carte SIM 3 de mise sous / hors tension, d'initialisation, et de commande contenant des messages APDU (Application Protocol Data Unit), le module SAP serveur étant conçu pour relayer ces commandes pour les appliquer à la carte SIM via le lecteur 21. Le module SAP serveur est également conçu pour avertir le module SAP client 31 de tous les événements de changement d'état de la carte SIM 3 logée dans le lecteur 21, par exemple à la suite d'une action de l'utilisateur d'insertion ou de retrait de la carte du lecteur.The SAP client module 31 is in particular designed to issue commands for the SIM card 3 for switching on / off, initialization and control containing APDU (Application Protocol Data Unit) messages, the SAP server module being designed to relay these commands for application to the SIM card via the reader 21. The SAP server module is also designed to notify the SAP client module 31 of all status change events of the SIM card 3 housed in the reader 21, for example as a result of a user action of inserting or removing the card from the reader.
Le module d'interface PC/SC 25 est conçu pour communiquer avec plusieurs lecteurs 39 de cartes à puce (cartes à mémoire ou à microprocesseur) ou de cartes SIM 42, par l'intermédiaire de pilotes 38 adaptés aux lecteurs. Un pilote virtuel 27 est conçu pour relayer et adapter les messages échangés entre le module d'interface 25 et le module SAP 31, ces messages contenant des informations échangées avec la carte SIM 3. L'échange des messages entre le pilote virtuel 27 et le client SAP 31 est par exemple effectué à l'aide d'une mémoire d'échange ou de communication 28 dans laquelle les messages à transmettre sont insérés. Le pilote virtuel 27 est conçu comme un pilote 38. Il permet notamment à l'utilisateur de sélectionner un terminal mobile ou d'ajouter un terminal mobile afin de l'appairer avec son terminal 1.The PC / SC interface module 25 is designed to communicate with several readers 39 of smart cards (memory cards or microprocessor) or SIM cards 42, through drivers 38 adapted to the readers. A virtual pilot 27 is designed to relay and adapt the messages exchanged between the interface module 25 and the SAP module 31, these messages containing information exchanged with the SIM card 3. The exchange of messages between the virtual pilot 27 and the SAP client 31 is for example performed using an exchange memory or communication 28 in which the messages to be transmitted are inserted. The virtual pilot 27 is designed as a driver 38. It notably enables the user to select a mobile terminal or to add a mobile terminal in order to pair it with its terminal 1.
Pour communiquer avec plusieurs pilotes 27, 38, le module d'interface PC/SC comprend un module de gestion de ressources 37 et un module fournisseur de services 36. Le module de gestion de ressources 37 est conçu pour détecter les cartes à puces accessibles et rendre ces informations disponibles à plusieurs applications telles que l'application utilisatrice 35. Ce module 37 est également conçu pour gérer les demandes d'accès aux cartes à puces émises par les applications, et commander les cartes à puce. Le module fournisseur de services 36 est conçu pour offrir aux applications des fonctions de haut niveau, enchaînant plusieurs commandes appliquées à une carte à puce pour réaliser une seule fonction d'accès ou de traitement des informations fournies par celle-ci, ces fonctions incluant notamment des fonctions cryptographiques et d'authentifïcation.To communicate with several drivers 27, 38, the PC / SC interface module comprises a resource management module 37 and a service provider module 36. The resource management module 37 is designed to detect accessible smart cards and make this information available to several applications such as the user application 35. This module 37 is also designed to manage requests for access to smart cards issued by applications, and order smart cards. The service provider module 36 is designed to offer applications high-level functions, linking several commands applied to a smart card to perform a single function of access or processing of information provided by it, these functions including in particular cryptographic and authenticating functions.
La figure 4 illustre l'application de l'invention à la signature de documents et à leur publication. Un document est sélectionné par un utilisateur du terminal 1. Une application du terminal 1 requiert que la librairie génère une commande de signature cryptographique à la carte SIM 3. Cette commande et le document sont transmis au terminal mobile 2 et à la carte SIM 3 selon les mécanismes décrits auparavant. La carte SIM 3 traite la commande et réalise la signature cryptographique à partir d'une application cryptographique qu'elle mémorise. La carte SIM 3 transmet le document signé au terminal 1. Le terminal 1 transmet alors le document signé à un serveur 43 de publication de documents signés. Bien que l'exemple qui précède ait été décrit dans le cadre d'une liaison sans fil Bluetooth entre le terminal mobile et le terminal 1, l'invention s'applique également lorsque cette liaison sans fil est d'un autre type. L'homme du métier peut notamment envisager une liaison sans fil de proximité de type IrDA (infrarouge) ou sans contact NFC (définie dans la norme ISO 14443). Il suffit alors de munir le terminal mobile d'un module logiciel d'accès à la SIM de scrutation des ports IrDA ou sans contact le cas échéant, et de munir le terminal 1 d'une interface PC/SC 25 spécifique à une communication avec ce module logiciel de scrutation. Pour une liaison sans contact NFC, un terminal mobile 2 du type à mode d'émulation de carte (« card émulation mode » en anglais) peut se faire passer pour une carte sans contact. Si la carte SIM 3 est connectée à son module de communication sans contact, le module 25 du terminal 1 pourra accéder aux applications de cryptographie de la carte SIM.Figure 4 illustrates the application of the invention to the signing of documents and their publication. A document is selected by a user of the terminal 1. An application of the terminal 1 requires the library to generate a cryptographic signature command to the SIM card 3. This command and the document are transmitted to the mobile terminal 2 and to the SIM card 3 according to the mechanisms described previously. The SIM card 3 processes the command and performs the cryptographic signature from a cryptographic application that it stores. The SIM card 3 transmits the signed document to the terminal 1. The terminal 1 then transmits the signed document to a server 43 for publication of signed documents. Although the above example has been described in connection with a Bluetooth wireless link between the mobile terminal and the terminal 1, the invention also applies when this wireless link is of another type. The person skilled in the art can notably consider a wireless proximity link of the IrDA (infrared) or non-contact NFC type (defined in the ISO 14443 standard). All that is required is then to provide the mobile terminal with a software module for accessing the SIM for scanning the IrDA or contactless ports if necessary, and for providing the terminal 1 with a PC / SC interface 25 specific to a communication with this scanning software module. For a non-contact NFC link, a mobile terminal 2 of the card emulation mode ("card emulation mode" in English) can be passed for a contactless card. If the SIM card 3 is connected to its contactless communication module, the module 25 of the terminal 1 will be able to access the cryptographic applications of the SIM card.
Par ailleurs, bien qu'on ait décrit l'invention dans son application à la formation d'une connexion VPN ou à la publication de documents signés, l'invention peut également s'appliquer à d'autres applications et notamment à Pauthentification d'un utilisateur lorsqu'il se connecte à tout réseau et notamment à un réseau IP tel qu'Internet. Furthermore, although the invention has been described in its application to the formation of a VPN connection or to the publication of signed documents, the invention can also be applied to other applications and in particular to User authentication when connecting to any network, including an IP network such as the Internet.

Claims

REVENDICATIONS
1. Dispositif cryptographique (6) comprenant un terminal (1) et un téléphone mobile (2) pouvant échanger des données via une liaison non-filaire (5), caractérisé en ce que ledit dispositif cryptographique est apte à mettre en œuvre des protocoles cryptographiques à clé publique avec d'autres entités cryptographiques (4, 43), et en ce que la clé secrète du dispositif cryptographique est mémorisée dans le téléphone mobile et pas dans le terminal.Cryptographic device (6) comprising a terminal (1) and a mobile telephone (2) capable of exchanging data via a non-wired link (5), characterized in that said cryptographic device is able to implement cryptographic protocols public key with other cryptographic entities (4, 43), and in that the secret key of the cryptographic device is stored in the mobile phone and not in the terminal.
2. Dispositif selon la revendication 1, dans lequel ledit terminal (1) est apte à établir une liaison filaire ou non-filaire avec une autre entité cryptographique (4, 43) et apte à échanger des données avec ladite entité cryptographique par l'intermédiaire de cette liaison.2. Device according to claim 1, wherein said terminal (1) is able to establish a wired or non-wired link with another cryptographic entity (4, 43) and able to exchange data with said cryptographic entity via this link.
3. Dispositif selon la revendication 2, dans lequel ladite autre entité cryptographique est un serveur d'accès (4) à un réseau informatique (7), et lesdits échanges de données permettent au terminal (1) de s'authentifier auprès dudit serveur.3. Device according to claim 2, wherein said other cryptographic entity is an access server (4) to a computer network (7), and said data exchanges allow the terminal (1) to authenticate with said server.
4. Procédé de mise en œuvre d'une opération de cryptographie à clé publique, comprenant une étape de mise en œuvre de protocoles cryptographiques à clé publique entre au moins une entité cryptographique (4, 43) et un dispositif (6) comprenant un téléphone mobile (2) mémorisant une clé secrète du dispositif et comprenant un terminal (1) ne mémorisant pas ladite clé secrète, ledit terminal et ledit téléphone mobile échangeant des données par une liaison sans fil.4. A method for implementing a public key cryptographic operation, comprising a step of implementing public key cryptographic protocols between at least one cryptographic entity (4, 43) and a device (6) comprising a telephone mobile device (2) storing a secret key of the device and comprising a terminal (1) not storing said secret key, said terminal and said mobile phone exchanging data over a wireless link.
5. Procédé selon la revendication 4, dans lequel les échanges de données desdits protocoles cryptographiques entre ladite entité cryptographique (4, 43) et ledit dispositif (6) sont effectués par une liaison filaire ou non-filaire entre ledit terminal (1) et ladite autre entité cryptographique (4, 43).5. Method according to claim 4, wherein the data exchanges of said cryptographic protocols between said cryptographic entity (4, 43) and said device (6) are performed by a wired or non-wired link between said terminal (1) and said other cryptographic entity (4, 43).
6. Procédé selon la revendication 5, dans lequel ladite autre entité cryptographique est un serveur d'accès (4) à un réseau informatique (7) et dans lequel lesdits échanges de données sont des échanges d'authentification dudit terminal auprès dudit serveur. 6. Method according to claim 5, wherein said other cryptographic entity is an access server (4) to a computer network (7) and wherein said data exchanges are authentication exchanges of said terminal with said server.
EP06743638A 2005-04-21 2006-04-05 Method and device for accessing a sim card housed in a mobile terminal Withdrawn EP1872507A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0504000 2005-04-21
PCT/FR2006/000753 WO2006111626A2 (en) 2005-04-21 2006-04-05 Method and device for accessing a sim card housed in a mobile terminal

Publications (1)

Publication Number Publication Date
EP1872507A2 true EP1872507A2 (en) 2008-01-02

Family

ID=34955316

Family Applications (1)

Application Number Title Priority Date Filing Date
EP06743638A Withdrawn EP1872507A2 (en) 2005-04-21 2006-04-05 Method and device for accessing a sim card housed in a mobile terminal

Country Status (6)

Country Link
US (1) US20080285755A1 (en)
EP (1) EP1872507A2 (en)
JP (1) JP2008538668A (en)
KR (1) KR20080007564A (en)
CN (1) CN101167298A (en)
WO (1) WO2006111626A2 (en)

Families Citing this family (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1237108A3 (en) 2001-02-23 2003-08-13 Navaho Networks Inc. Secure electronic commerce
US8600405B2 (en) 2008-08-12 2013-12-03 Apogee Technology Consultants, Llc Location-based recovery device and risk management system for portable computing devices and data
US8010636B2 (en) * 2008-12-02 2011-08-30 Verizon Patent And Licensing Inc. Generic broadband application and plug-ins
CN101753683B (en) * 2008-12-03 2013-09-04 深圳富泰宏精密工业有限公司 Mobile phone antitheft system
CN102185846A (en) * 2011-04-26 2011-09-14 深信服网络科技(深圳)有限公司 Method and system based on VPN (Virtual Private Network) for safely visiting data of mobile communication terminal
US9721243B2 (en) 2011-05-11 2017-08-01 Riavera Corp. Mobile payment system using subaccounts of account holder
US8616453B2 (en) 2012-02-15 2013-12-31 Mark Itwaru System and method for processing funds transfer between entities based on received optical machine readable image information
US9734498B2 (en) 2011-05-11 2017-08-15 Riavera Corp Mobile image payment system using short codes
US9785935B2 (en) 2011-05-11 2017-10-10 Riavera Corp. Split mobile payment system
US9715704B2 (en) 2011-05-11 2017-07-25 Riavera Corp Merchant ordering system using optical machine readable image representation of invoice information
US9547861B2 (en) * 2011-05-11 2017-01-17 Mark Itwaru System and method for wireless communication with an IC chip for submission of pin data
MX2013013164A (en) 2011-05-11 2014-09-01 Mark Itwaru Mobile image payment system using short codes.
US10223674B2 (en) 2011-05-11 2019-03-05 Riavera Corp. Customized transaction flow for multiple transaction types using encoded image representation of transaction information
US11144630B2 (en) 2011-12-30 2021-10-12 Bedrock Automation Platforms Inc. Image capture devices for a secure industrial control system
US9467297B2 (en) 2013-08-06 2016-10-11 Bedrock Automation Platforms Inc. Industrial control system redundant communications/control modules authentication
US8971072B2 (en) 2011-12-30 2015-03-03 Bedrock Automation Platforms Inc. Electromagnetic connector for an industrial control system
US8862802B2 (en) 2011-12-30 2014-10-14 Bedrock Automation Platforms Inc. Switch fabric having a serial communications interface and a parallel communications interface
US11314854B2 (en) 2011-12-30 2022-04-26 Bedrock Automation Platforms Inc. Image capture devices for a secure industrial control system
US9437967B2 (en) 2011-12-30 2016-09-06 Bedrock Automation Platforms, Inc. Electromagnetic connector for an industrial control system
US8868813B2 (en) 2011-12-30 2014-10-21 Bedrock Automation Platforms Inc. Communications control system with a serial communications interface and a parallel communications interface
US9727511B2 (en) 2011-12-30 2017-08-08 Bedrock Automation Platforms Inc. Input/output module with multi-channel switching capability
US10834094B2 (en) 2013-08-06 2020-11-10 Bedrock Automation Platforms Inc. Operator action authentication in an industrial control system
US11967839B2 (en) 2011-12-30 2024-04-23 Analog Devices, Inc. Electromagnetic connector for an industrial control system
US12061685B2 (en) 2011-12-30 2024-08-13 Analog Devices, Inc. Image capture devices for a secure industrial control system
US9191203B2 (en) 2013-08-06 2015-11-17 Bedrock Automation Platforms Inc. Secure industrial control system
US10834820B2 (en) 2013-08-06 2020-11-10 Bedrock Automation Platforms Inc. Industrial control system cable
US9600434B1 (en) 2011-12-30 2017-03-21 Bedrock Automation Platforms, Inc. Switch fabric having a serial communications interface and a parallel communications interface
US9596279B2 (en) 2013-02-08 2017-03-14 Dell Products L.P. Cloud-based streaming data receiver and persister
US9191432B2 (en) 2013-02-11 2015-11-17 Dell Products L.P. SAAS network-based backup system
US9442993B2 (en) 2013-02-11 2016-09-13 Dell Products L.P. Metadata manager for analytics system
US9787672B1 (en) * 2013-03-15 2017-10-10 Symantec Corporation Method and system for smartcard emulation
US9319088B2 (en) 2013-05-09 2016-04-19 Intel Corporation Radio communication devices and methods for controlling a radio communication device
US10613567B2 (en) 2013-08-06 2020-04-07 Bedrock Automation Platforms Inc. Secure power supply for an industrial control system
CN111293495B (en) 2014-07-07 2022-05-24 基岩自动化平台公司 Industrial control system cable
JP2016019281A (en) * 2014-07-07 2016-02-01 ベドロック・オートメーション・プラットフォームズ・インコーポレーテッド Operator action authentication in industrial control system
US10003959B2 (en) * 2015-07-30 2018-06-19 Qualcomm Incorporated Subscriber identity module (SIM) access profile (SAP)
JP6449131B2 (en) * 2015-10-23 2019-01-09 Kddi株式会社 COMMUNICATION DEVICE, COMMUNICATION METHOD, AND COMPUTER PROGRAM
JP6471112B2 (en) 2016-02-29 2019-02-13 Kddi株式会社 COMMUNICATION SYSTEM, TERMINAL DEVICE, COMMUNICATION METHOD, AND PROGRAM
JP7036705B2 (en) * 2018-12-03 2022-03-15 Kddi株式会社 Communication equipment, communication methods, and computer programs
JP7021376B2 (en) * 2021-01-06 2022-02-16 Kddi株式会社 Communication equipment, communication methods, and computer programs
CN114173312A (en) * 2021-12-14 2022-03-11 乾讯信息技术(无锡)有限公司 Method for realizing wireless network VPN cipher machine without any physical connection

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6038551A (en) * 1996-03-11 2000-03-14 Microsoft Corporation System and method for configuring and managing resources on a multi-purpose integrated circuit card using a personal computer
FR2748834B1 (en) * 1996-05-17 1999-02-12 Gemplus Card Int COMMUNICATION SYSTEM ALLOWING SECURE AND INDEPENDENT MANAGEMENT OF A PLURALITY OF APPLICATIONS BY EACH USER CARD, USER CARD AND CORRESPONDING MANAGEMENT METHOD
AUPR966001A0 (en) * 2001-12-20 2002-01-24 Canon Information Systems Research Australia Pty Ltd A microprocessor card defining a custom user interface
JP2005045557A (en) * 2003-07-22 2005-02-17 Sony Corp Communication device
US7941660B2 (en) * 2003-11-13 2011-05-10 Gemalto Sa System and method for data communications allowing slave device to be network peers
US20050222961A1 (en) * 2004-04-05 2005-10-06 Philippe Staib System and method of facilitating contactless payment transactions across different payment systems using a common mobile device acting as a stored value device
US20060160569A1 (en) * 2005-01-14 2006-07-20 Mediatek Inc. Cellular phone and portable storage device using the same
US20060183462A1 (en) * 2005-02-11 2006-08-17 Nokia Corporation Managing an access account using personal area networks and credentials on a mobile device
US7128274B2 (en) * 2005-03-24 2006-10-31 International Business Machines Corporation Secure credit card with near field communications
US7706778B2 (en) * 2005-04-05 2010-04-27 Assa Abloy Ab System and method for remotely assigning and revoking access credentials using a near field communication equipped mobile phone

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2006111626A2 *

Also Published As

Publication number Publication date
WO2006111626A2 (en) 2006-10-26
CN101167298A (en) 2008-04-23
JP2008538668A (en) 2008-10-30
KR20080007564A (en) 2008-01-22
US20080285755A1 (en) 2008-11-20
WO2006111626A3 (en) 2006-12-14

Similar Documents

Publication Publication Date Title
EP1872507A2 (en) Method and device for accessing a sim card housed in a mobile terminal
US10380361B2 (en) Secure transaction method from a non-secure terminal
EP1004101B1 (en) Terminal and system for implementing secure electronic transactions
EP2053827B1 (en) Method for secure personalisation of an NFC chipset
EP3221815B1 (en) Method for securing a payment token
EP1909431B1 (en) Mutual authentication method between a communication interface and a host processor of an NFC chipset
US7380125B2 (en) Smart card data transaction system and methods for providing high levels of storage and transmission security
EP1933252A1 (en) Dynamic OTP Token
US20090307142A1 (en) Trusted service manager (tsm) architectures and methods
EP1549011A1 (en) Communication method and system between a terminal and at least a communication device
EP1862948A1 (en) IC card with OTP client
WO2009039771A1 (en) Mobile payment terminal and payment method based on pki technology
EP2912594A1 (en) Method of providing a secured service
WO2021007472A1 (en) Methods and systems for securing and utilizing a personal data store on a mobile device
Mantoro et al. Smart card authentication for Internet applications using NFC enabled phone
US20120089830A1 (en) Method and device for digitally attesting the authenticity of binding interactions
EP1636767B1 (en) A method for allocation of secure resources in a security module
Ortiz-Yepes Enhancing Authentication in eBanking with NFC-enabled mobile phones
Pisko Mobile electronic signatures: progression from mobile service to mobile application unit
Fernandes Reliable electronic certification on mobile devices
Laidi Using smart card in e-business applications: an e-business model
Giessmann Transparency and Security for Client-Side Encrypting Cloud Storage Applications
EP2411935A1 (en) Method and device for digitally attesting the authenticity of binding interactions

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20070919

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU LV MC NL PL PT RO SE SI SK TR

DAX Request for extension of the european patent (deleted)
RIN1 Information on inventor provided before grant (corrected)

Inventor name: DAGORN, ANNE-SOPHIE

Inventor name: CAMUS, SYLVIE

Inventor name: PICQUENOT, DAVID

17Q First examination report despatched

Effective date: 20100517

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20100928