WO2004062243A2 - System and method for distributed authorization for access to communications device - Google Patents
- Publication number: WO2004062243A2 (PCT/US2003/040125)
- Authority: WO (WIPO (PCT))
- Prior art keywords: information, application, access, authorization, specific data
Classifications
- H04W8/00—Network data management
  - H04W8/18—Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    - H04W8/20—Transfer of user or subscriber data
    - H04W8/183—Processing at user equipment or user record carrier
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  - H04W12/06—Authentication
Definitions
- the invention relates to the field of communications, and more particularly to a distributed authorization system in which access to data on a mobile unit by onboard applications, such as phone book, hardware identifiers or other data on a cellular telephone or other device, may be regulated by an authorization process performed on a remote server or other resource.
- onboard applications such as phone book, hardware identifiers or other data on a cellular telephone or other device
- cellular telephones and other communications devices are now programmable in a variety of ways. For instance, many cellular telephones contain editable phone books to permit convenient storage and dialing of frequently-used or important numbers. Other cellular telephones or other devices have Web browsing, file sharing and other enhanced functionality, whether via graphical user interface, voice commands or other interfaces. Moreover, cellular telephones are becoming available which include integrated positioning capability, such as the ability to track, record and communicate handset position via GPS or other location service. Other services are being and will be deployed. Over-the-air programming (OAP) standards such as those employing the Java programming language have enhanced the delivery of such services, on an on-demand or other basis.
- OAP Over-the-air programming
- Handsets and other devices may have the storage capacity and intelligence to store a variety of sensitive or personal information, such as a handset's International Mobile Equipment Identity (IMEI) data, a subscriber identity module (SIM) ID or other related data, number assignment module (NAM) data, mobile identification number (MIN) data, electronic serial number (ESN) data, phone books, position tracking or other information.
- IMEI International Mobile Equipment Identity
- SIM subscriber identity module
- NAM number assignment module
- MIN mobile identification number
- ESN electronic serial number
- Devices which may accept Java or other over-the-air code could be presented with security risks due to malicious code such as viruses, disguised games or ring tones, or other code or data. Once a malicious process has invaded the device, the user's sensitive hardware, phone book, positioning or other data could be exposed and compromised.
- While user-facing security measures may be incorporated, such as requiring passwords on a handset interface before permitting access to hardware, phone book or other data, over-the-air and other threats may continue to test the integrity of the mobile device and its data, including by way of low-level code which insinuates into the device at comparatively low levels, such as application programming interfaces (APIs) and other open ports or interfaces. Better core level security on communications devices is desirable. Other problems exist.
- APIs application programming interfaces
- the invention overcoming these and other problems in the art relates in one regard to a system and method for distributed authorization for access to a communications device, in which a cellular handset or other communications device may be equipped to receive requests for sensitive onboard data by Java or other applications.
- an authorization process may be initiated via a remote server or other resource.
- the communications device may present an API to internally executing programs through which all requests for sensitive data may be made.
- the API may communicate those requests, for instance, via an over-the-air interface to a remote support server for authentication.
- authentication may be made against a permission access list, enumerating valid programs or processes which have access rights to requested levels of data. When a request is validated, permission may be returned to the communications device to permit the requesting code to obtain the desired data.
- FIG. 1 illustrates a distributed authorization architecture, according to an embodiment of the invention.
- FIG. 2 illustrates an example table for storing authorization parameters, according to an embodiment of the invention.
- FIG. 3 illustrates a user interface on a communications device displaying an authorization notification, according to an embodiment of the invention.
- FIG. 4 illustrates a flowchart of authorization processing, according to an embodiment of the invention.
- Fig. 1 illustrates a distributed authorization architecture in which an embodiment of the invention may operate.
- a communications device 102 may wirelessly communicate with an authorization server 118 to initiate and validate requests for access to device-specific data 110 made by applications running on communications device 102.
- Communications device 102 may be or include, for instance, a cellular telephone, a network-enabled wireless device such as a personal digital assistant (PDA) or personal information manager (PIM) equipped with an IEEE 802.11b or other wireless interface, a laptop or other portable computer equipped with an 802.11b or other wireless interface, or other communications or client devices.
- PDA personal digital assistant
- PIM personal information manager
- Device-specific data 110 may be or include, for instance, IMEI data, data from a SIM, chip-level data, phone books or contact lists or other personalized user settings, position tracking, electronic wallet, scheduling, cellular service or other billing, messaging such as short message service (SMS) or other text or other messaging, or other hardware-related, user-based or other information.
- Device-specific data 110 may be stored in communications device 102, for instance, in electronically programmable memory (EPROM), flash cards, or other electronic, optical or other media.
- EPROM electronically programmable memory
- the communications device 102 may execute one or more application 104, for instance a Java application, which in embodiments may include a Java Micro Edition application, C or C++ or other program or code.
- application 104 may be or include, for instance, a contact scheduler application, a phone book application, a Web browsing application, a financial application, a personal information manager (PIM) application, or other application or service.
- application 104 may conform to or be implemented using the Java mobile information device profile (MIDP) standard, which applications may be referred to as MIDlets, or other languages or environments.
- MIDP Java mobile information device profile
- application 104 may be received over the air via antenna 112, or received or stored from other sources, such as a cable-connected download.
- the application 104 may interact with an application programming interface
- Application programming interface 106 may present a programming interface to application 104 to mediate requests to the set of device-specific data 110 on communications device 102 and perform other tasks.
- application programming interface 106 may present application-accessible interfaces to data or object classes such as, for instance, network, user interface, data attributes and data content, and other resources.
- Native layer 108 may in embodiments operate at a comparatively low level in communications device 102, and act on requests passed by application programming interface 106 for device-specific data 110.
- Native layer 108 may for example in embodiments perform supervisory, file and memory management, and other tasks.
- application programming interface 106 may trap that access request 114 at the system level for offboard processing, before permitting any of device-specific data 110 to be released.
- application programming interface 106 may communicate with authorization server 118 to authorize that access request 114.
- application programming interface 106 may communicate with the authorization server 118 via server antenna 116, or other wireless or wired interfaces.
- Application programming interface 106 may transmit access request 114 containing, for instance, the type of data requested from the set of device-specific data 110, the name or other identifying information for application 104, access parameters such as time of last access, passwords if requested, or other data related to the access request 114 for part or all of device-specific data 110 to authorization server 118.
- Authorization server 118 may maintain a set of authorization parameters 120 against which to process the access request 114 for access to device-specific data 110. As illustrated in Fig. 2, for example, authorization parameters 120 may be maintained in authorization table 124, which may be stored in or accessed by authorization server 118. Authorization table 124 may contain a set of application identifiers 126 (APP IDENTIFIER 1, APP IDENTIFIER 2 ... APP IDENTIFIER N, N arbitrary), which identifiers may in embodiments include a list of application names or other identifiers, such as "phonebook.MID", "contactlist.c", "positiontrack.exe" or other names or indicia.
- Authorization table 124 may likewise contain a set of associated access levels 128, correlated by application name or other indicia, which may indicate whether a given application 104 may be permitted to access device-specific data 110, and in embodiments at which levels or with what privileges (e.g., read, edit, or other) that access may be granted.
- authorization server 118 may transmit an authorization message 122 to communications device 102.
- the authorization message 122 may contain, for instance, a code, flag or other indication that application 104 may access device-specific data 110.
- the authorization message 122 may contain additional fields or variables by which access to device-specific data 110 may be regulated, for instance a privilege field or flag which indicates whether application 104 may have the right to read, to modify, erase or perform other actions on device-specific data 110.
- Authorization message 122 may likewise contain a timeout field which sets a period of time in which application 104 may access the desired data, but after which authorization may expire. Other security variables are possible.
- the authorization may be granted for a single application 104, or for more than one application, or for different applications at different times.
- authorization to access device-specific data 110 reflected in authorization message 122 may be made at differing levels for different parts of that data, depending on the sensitivity of the data, the nature of the application 104 making the access request 114, and other factors.
- the application programming interface 106 may pass the access request 114 to native layer 108, which may retrieve the requested data from device-specific data 110. Native layer 108 may then pass the retrieved device-specific data 110 to application programming interface 106 to be delivered to application 104. Application 104 may then receive and read the requested part or whole of device-specific data 110, to operate on or modify that data. In embodiments, application 104 may also receive authorization to store modified data into device-specific data 110, to transmit the device-specific data 110 over the air interface of antenna 112, or take other action, depending on the type or level of authorization received, network security and other parameters.
- the authorization message 122 may contain a deny flag or other indicator that application 104 may not access part or any of device-specific data 110.
- the communications device 102 may notify the user that an application or service has been denied access to device-specific or sensitive information. As illustrated, that notification may be made, for instance, by way of a pop-up message 132 presented on a text or graphical user interface 130 as shown, by a verbal message or otherwise. This notification may, for instance, assist the user in deciding to run an anti-virus or other utility on communications device 102, or take other action.
- denial of access to device-specific data 110 may trigger an automatic logging of application 104, automatic transmission of an anti-virus or other utility to communications device 102, or other action.
- in step 402, application 104 may request one or more parts of device-specific data 110 from the communications device 102 via application programming interface 106 and native layer 108, at the API or other level.
- in step 404, the access request 114 may be transmitted to the authorization server 118, for instance via an over-the-air protocol, which for example may be communicated using a secure or other protocol such as secure socket layer (SSL), hyper text transfer protocol secure (HTTPS) or other protocol or interface.
- SSL secure socket layer
- HTTPS hyper text transfer protocol secure
- the request may, in embodiments, encapsulate data such as the name or other identifier of application 104, the type of data in device-specific data 110 being requested, and other information.
- the authorization server 118 may check the access request 114 by application 104 against authorization parameters 120 or other security fields or templates, make an authorization determination and communicate an authorization message 122 to communications device 102.
- the authorization message 122 may contain an indication that the access request 114 is granted, denied, deferred, that further information will be required, or that other action may be taken.
- the native layer 108 may read out the one or more parts of device-specific data 110 which application 104 has been authorized to access.
- the native layer 108 may communicate the one or more parts of device-specific data 110 which application 104 has been authorized to access to application programming interface 106.
- the application programming interface 106 may communicate the requested device-specific data 110 to the application 104. Processing may then repeat, return to an earlier point, continue to further processing or terminate.
- communications device 102 may operate without that type of local layer, for instance with some functionality distributed to authorization server 118 or otherwise.
- Communications device 102 may conversely contain or operate on other or multiple supervisory layers.
- Other hardware, software or other resources described as singular may be implemented in multiple or distributed resources, while other hardware, software or other resources described as distributed may likewise be implemented as integrated resources.
- the scope of the invention is accordingly intended to be limited only by the following claims.
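As an added example (not code from the patent or any product built on it), the following Python models the flow of FIG. 2 and FIG. 4: the API traps an access request, the authorization server checks it against an authorization table of application identifiers and access levels, and the returned authorization message carries a grant/deny flag, a privilege set and a timeout that the device enforces before the native layer releases any data. The table contents, the privilege names, the timeout value and the default-deny rule for unlisted applications are assumptions.

```python
"""Added example: a minimal model of the distributed authorization flow
described above. The authorization table contents, privilege names,
timeout value and default-deny rule are assumptions, not the patent's."""
import time
from dataclasses import dataclass

# Constructed authorization table 124 (Fig. 2): application identifier ->
# data type -> permitted privileges. Application names follow the examples
# the description gives; the privilege sets are assumed.
AUTHORIZATION_TABLE = {
    "phonebook.MID": {"phonebook": {"read", "edit"}},
    "contactlist.c": {"phonebook": {"read"}},
    "positiontrack.exe": {"position": {"read"}},
}
DEFAULT_TIMEOUT_S = 300  # assumed value of the authorization message's timeout field


@dataclass(frozen=True)
class AccessRequest:  # access request 114, as sent to the server
    app_id: str
    data_type: str
    action: str = "read"


@dataclass(frozen=True)
class AuthorizationMessage:  # authorization message 122
    granted: bool
    privileges: frozenset = frozenset()
    expires_at: float = 0.0  # timeout field, converted to an absolute time


def authorize(req: AccessRequest, now: float) -> AuthorizationMessage:
    """Authorization server 118: look the request up in the table.
    Unknown applications, data types or actions are denied (assumed default)."""
    privs = AUTHORIZATION_TABLE.get(req.app_id, {}).get(req.data_type, set())
    if req.action not in privs:
        return AuthorizationMessage(granted=False)
    return AuthorizationMessage(True, frozenset(privs), now + DEFAULT_TIMEOUT_S)


class DeviceApi:
    """Application programming interface 106: traps every request for
    device-specific data, obtains authorization off-board, and only then
    lets the native layer release the data."""

    def __init__(self, device_data, server=authorize, clock=time.time):
        self._data = device_data  # device-specific data 110
        self._server = server  # stands in for the over-the-air exchange
        self._clock = clock
        self._grants = {}  # (app_id, data_type) -> live authorization message
        self.denials = []  # automatic log of denied requests

    def _current_grant(self, req):
        key = (req.app_id, req.data_type)
        msg = self._grants.get(key)
        if msg is None or self._clock() >= msg.expires_at:
            msg = self._server(req, self._clock())  # no live grant: ask the server
            if msg.granted:
                self._grants[key] = msg
        return msg

    def request(self, req: AccessRequest):
        msg = self._current_grant(req)
        if not msg.granted or req.action not in msg.privileges:
            self.denials.append(req)  # denial: log it; UI may show pop-up 132
            return None  # nothing is released
        return self._data[req.data_type]  # native layer 108 reads the data out


def demo():
    """Constructed device data; returns (granted read, denied read, denied edit, denials)."""
    device = DeviceApi({"phonebook": ["Alice 555-0100"], "imei": "IMEI-PLACEHOLDER"})
    ok = device.request(AccessRequest("phonebook.MID", "phonebook"))
    denied = device.request(AccessRequest("positiontrack.exe", "imei"))
    no_edit = device.request(AccessRequest("contactlist.c", "phonebook", "edit"))
    return ok, denied, no_edit, len(device.denials)


if __name__ == "__main__":
    print(demo())
```

Once a grant's timeout passes, the next request for the same application and data type goes back to the server rather than being served from the cached message.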
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP03814848A EP1582053A4 (en) | 2002-12-31 | 2003-12-16 | System and method for distributed authorization for access to communications device |
JP2004565539A JP2006514763A (en) | 2002-12-31 | 2003-12-16 | Distributed authentication system and method for permitting connection to communication device |
AU2003297229A AU2003297229A1 (en) | 2002-12-31 | 2003-12-16 | System and method for distributed authorization for access to communications device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US33414102A | 2002-12-31 | 2002-12-31 | |
US10/334,141 | 2002-12-31 | | |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2004062243A2 (en) | 2004-07-22 |
WO2004062243A3 WO2004062243A3 (en) | 2004-08-26 |
Family
ID=32710862
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2003/040125 WO2004062243A2 (en) | 2002-12-31 | 2003-12-16 | System and method for distributed authorization for access to communications device |
Country Status (6)
Country | Link |
---|---|
EP (1) | EP1582053A4 (en) |
JP (1) | JP2006514763A (en) |
KR (1) | KR20050096114A (en) |
CN (1) | CN1732674A (en) |
AU (1) | AU2003297229A1 (en) |
WO (1) | WO2004062243A2 (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100785782B1 (en) * | 2005-11-17 | 2007-12-18 | 한국전자통신연구원 | System of Privilege Delegation and Method Thereof |
WO2008060300A1 (en) * | 2006-11-16 | 2008-05-22 | Dynomedia, Inc. | Systems and methods for distributed digital rights management |
US8321566B2 (en) * | 2011-02-24 | 2012-11-27 | Jibe Mobile | System and method to control application to application communication over a network |
CN104969176B (en) * | 2013-01-29 | 2019-12-27 | 黑莓有限公司 | Method, device and medium for managing access of application to certificate and secret key |
CN104951715A (en) * | 2015-06-11 | 2015-09-30 | 联想(北京)有限公司 | Information processing method and electronic equipment |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6326918B1 (en) * | 1995-06-06 | 2001-12-04 | Wayport, Inc. | Method and apparatus for geographic-based communications service |
US20020068554A1 (en) * | 1999-04-09 | 2002-06-06 | Steve Dusse | Method and system facilitating web based provisioning of two-way mobile communications devices |
US6529732B1 (en) * | 1998-12-16 | 2003-03-04 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and service providing means for providing services in a telecommunication network |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH09319570A (en) * | 1996-05-29 | 1997-12-12 | Sanyo Electric Co Ltd | License managing system for software |
US5825877A (en) * | 1996-06-11 | 1998-10-20 | International Business Machines Corporation | Support for portable trusted software |
US6292833B1 (en) * | 1998-07-17 | 2001-09-18 | Openwave Systems Inc. | Method and apparatus for providing access control to local services of mobile devices |
JP2001117769A (en) * | 1999-10-20 | 2001-04-27 | Matsushita Electric Ind Co Ltd | Program executing device |
EP1107623A3 (en) * | 1999-12-06 | 2002-01-02 | Nokia Mobile Phones Ltd. | Mobile station providing user-defined private zone for restricting access to user application data |
JP2002041170A (en) * | 2000-07-27 | 2002-02-08 | Matsushita Electric Ind Co Ltd | Program performance controller |
JP3853140B2 (en) * | 2000-08-08 | 2006-12-06 | 株式会社シーイーシー | Software management system and accounting method |
FR2822334A1 (en) * | 2001-03-16 | 2002-09-20 | Schlumberger Systems & Service | Mobile telecommunications independent/secure subscriber identity module having module resource with control/associated policing control adapted controlling group command execution following function specific function police control. |
2003
- 2003-12-16 JP JP2004565539A patent/JP2006514763A/en active Pending
- 2003-12-16 WO PCT/US2003/040125 patent/WO2004062243A2/en not_active Application Discontinuation
- 2003-12-16 CN CNA2003801080253A patent/CN1732674A/en active Pending
- 2003-12-16 AU AU2003297229A patent/AU2003297229A1/en not_active Abandoned
- 2003-12-16 KR KR1020057012427A patent/KR20050096114A/en not_active Application Discontinuation
- 2003-12-16 EP EP03814848A patent/EP1582053A4/en not_active Withdrawn
Non-Patent Citations (1)
Title |
---|
See also references of EP1582053A2 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2006164135A (en) * | 2004-12-10 | 2006-06-22 | Fujitsu Ltd | Service processing method and program |
JP2009509212A (en) * | 2005-07-28 | 2009-03-05 | エムフォメーション・テクノロジーズ・インコーポレイテッド | System and method for remotely controlling device functionality |
WO2007076877A2 (en) * | 2005-12-30 | 2007-07-12 | Telecom Italia S.P.A. | Method for customizing the operation of a telephonic terminal |
WO2007076877A3 (en) * | 2005-12-30 | 2007-09-20 | Telecom Italia Spa | Method for customizing the operation of a telephonic terminal |
US8831223B2 (en) | 2008-01-21 | 2014-09-09 | Telefonaktiebolaget L M Ericsson (Publ) | Abstraction function for mobile handsets |
US9781109B2 (en) | 2013-07-08 | 2017-10-03 | Huawei Technologies Co., Ltd. | Method, terminal device, and network device for improving information security |
US20150195395A1 (en) * | 2014-01-06 | 2015-07-09 | Desiree Gina McDowell-White | Secure Cloud-Based Phonebook |
Also Published As
Publication number | Publication date |
---|---|
WO2004062243A3 (en) | 2004-08-26 |
EP1582053A2 (en) | 2005-10-05 |
AU2003297229A8 (en) | 2004-07-29 |
CN1732674A (en) | 2006-02-08 |
JP2006514763A (en) | 2006-05-11 |
KR20050096114A (en) | 2005-10-05 |
EP1582053A4 (en) | 2006-04-12 |
AU2003297229A1 (en) | 2004-07-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6591095B1 (en) | Method and apparatus for designating administrative responsibilities in a mobile communications device | |
EP2941729B1 (en) | Protection and confidentiality of trusted service manager data | |
US8577334B1 (en) | Restricted testing access for electronic device | |
US9198026B2 (en) | SIM lock for multi-SIM environment | |
US11671832B2 (en) | Unified enterprise management of wireless devices in a controlled environment | |
EP1950681A1 (en) | Mobile terminal, access control management device, and access control management method | |
US20100062808A1 (en) | Universal integrated circuit card having a virtual subscriber identity module functionality | |
EP1542117A1 (en) | Binding content to a user | |
KR101514753B1 (en) | System and method for secure containment of sensitive financial information stored in a mobile communication terminal | |
EP1582052B1 (en) | System and method for distributed authorization and deployment of over the air provisioning for a communications device | |
EP1582053A2 (en) | System and method for distributed authorization for access to communications device | |
CN110876144A (en) | Mobile application method, device and system of identity certificate | |
CN115186254A (en) | Data access control method and device and terminal equipment | |
US10405183B2 (en) | Purposed device system and method for smartphone | |
US11838985B2 (en) | Policy-based management of embedded subscriber identity module (eSIM) profiles | |
US20200220858A1 (en) | Subscriber Identity Management | |
CN113286289A (en) | Permission confirmation method and electronic equipment | |
CN116669012A (en) | Method for managing communication functions in a user equipment | |
CN116491141A (en) | System and method for making SIM card micro platform | |
KR20090095697A (en) | Mobile communication terminal for limiting use, server for opening service of subscriber, system and method using the same |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A2; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG UZ VC VN YU ZA ZM ZW |
AL | Designated countries for regional patents | Kind code of ref document: A2; Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
WWE | Wipo information: entry into national phase | Ref document number: 2003814848; Country of ref document: EP |
WWE | Wipo information: entry into national phase | Ref document number: 2004565539; Country of ref document: JP |
WWE | Wipo information: entry into national phase | Ref document number: 1020057012427; Country of ref document: KR; Ref document number: 20038A80253; Country of ref document: CN |
WWP | Wipo information: published in national office | Ref document number: 2003814848; Country of ref document: EP; Ref document number: 1020057012427; Country of ref document: KR |
WWW | Wipo information: withdrawn in national office | Ref document number: 2003814848; Country of ref document: EP |