WO2010067171A1 - Methods, apparatuses, and computer program products for protecting data - Google Patents


Info

Publication number
WO2010067171A1
Authority
WO
WIPO (PCT)
Prior art keywords
device management
data
encrypted
management data
shared secret
Prior art date
Application number
PCT/IB2009/007659
Other languages
French (fr)
Inventor
Tommi Olavi Rantanen
Mikko Tasa
Original Assignee
Nokia Corporation
Priority date
Filing date
Publication date
Application filed by Nokia Corporation
Publication of WO2010067171A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/606 Protecting data by securing the transmission between two devices or processes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2115 Third party
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • Embodiments of the present invention relate generally to communication technology and, more particularly, relate to methods, apparatuses, and computer program products for protecting data.
  • a network service provider domain may comprise a server or other device management entity configured to manage network devices.
  • OMA DM Open Mobile Alliance Device Management
  • OMA DM protocol data is exchanged between a client device and device management server (DMS), which are known to and trusted by each other. Establishment of the trust may be facilitated by an authentication, authorization, and accounting (AAA) server, which is also located in the domain of the network service provider. Confidentiality of data exchanged between the DMS and client device is maintained during transmission from the DMS to the client device in accordance with OMA DM standards.
  • OMA DM does not provide any standardized mechanisms to encrypt data exchanged between the DMS and a client device. Accordingly, client devices that are not run as a closed environment may be vulnerable to security attacks where a malicious party may intercept the data as it is communicated over a bus or other interface within the client device. This security vulnerability may be particularly troublesome because data received by a client device from a DMS is often confidential data, such as authentication credentials, and may include confidential management objects.
  • Methods, apparatuses, and computer program products are therefore provided for protecting data, such as data related to remote management of a client device.
  • methods, apparatuses, and computer program products are provided that facilitate encryption of data using a static shared secret known both to the client device and an entity of a network service provider.
  • because the client device and the entity of the network service provider that know the static shared secret have a pre-established trust, embodiments of the invention leverage the shared secret, using an encryption protocol known to both the client device and that entity, to encrypt data sent to the client device based at least in part upon the shared secret.
  • a data consumer within the client device then decrypts the data inside of a secure environment of the client device using the shared secret so that malicious third parties are inhibited from intercepting confidential data.
  • Embodiments of the invention are particularly advantageous for use in systems providing remote management of client devices where confidential data, such as device management data, is communicated to client devices. If not encrypted, the confidential data may be intercepted by third parties following receipt by a client device when the data is communicated over unsecure interfaces of the client device.
  • embodiments of the invention are advantageous as an addition to OMA DM, TR-069, and other device management protocols to enhance security of device management objects transferred between a client device and a device management server.
  • a method may include receiving, at a client device, encrypted data from a data server.
  • the data may be encrypted using a shared secret known to the client device and an authentication server.
  • the method may further include decrypting the encrypted data using the shared secret.
  • the encrypted data comprises device management data related to remote management of the client device.
  • the device management data may comprise an OMA DM management object.
  • the data server may accordingly be embodied as a device management server located in the domain of a network service provider.
  • the received encrypted data may comprise a flag, parameter, or other indication that the data is encrypted.
  • a node of an OMA DM management object may indicate whether at least a portion of the OMA DM management object is encrypted.
  • the shared secret may comprise any static shared secret known to the client device and any component or entity in the network domain.
  • the shared secret may be known to the authentication server and/or data server.
  • the shared secret comprises a device certificate.
  • the device certificate may comprise an X.509 Worldwide Interoperability for Microwave Access (WiMax) device certificate.
  • a method may include a data server sending a data encryption request to an authentication server.
  • the data encryption request may include an indication of a client device to which the data server intends to send encrypted data.
  • the method may further include receiving a response to the data encryption request.
  • the method may additionally include sending encrypted data to the client device.
  • the encrypted data may be encrypted based at least in part upon a shared secret known to the client device and the authentication server.
  • the encrypted data may comprise an indication that the encrypted data is encrypted.
  • the data encryption request may comprise data that the data server requests the authentication server to encrypt based at least in part upon the shared secret known to the authentication server.
  • the response to the data encryption request may then comprise the encrypted data.
  • the data encryption request may comprise a request that the authentication server send the shared secret known to the authentication server and client device to the data server.
  • the data server may then encrypt data to be sent to the client device based at least in part upon the shared secret.
  • the data server comprises a DMS configured to manage the client device in accordance with OMA DM protocol.
  • the encrypted data may comprise device management data, such as OMA DM device management objects.
  • the encrypted data sent to the client device may comprise an indication that the data has been encrypted. This indication may comprise a node in a device management object indicating that at least a portion of the device management object is encrypted.
  • a method may include receiving, at an authentication server, a data encryption request from a data server.
  • the data encryption request may include an indication of a client device.
  • the method may further include responding to the data encryption request.
  • the data encryption request may comprise data that the data server requests to be encrypted based at least in part upon a shared secret known to the authentication server and the client device indicated in the data encryption request.
  • the data may comprise device management data.
  • the device management data may comprise an OMA DM management object.
  • the method may further include the authentication server encrypting the data received from the data server based at least in part upon the shared secret.
  • the authentication server may retrieve the appropriate shared secret to use to encrypt the data from a memory storing shared secrets for a plurality of client devices based at least in part upon the indication of the client device received in the data encryption request.
  • the authentication server may respond to the data encryption request by sending the encrypted data to the data server.
  • the data encryption request may comprise a request that the authentication server send a shared secret known to the data server and client device indicated in the data encryption request.
  • the method may accordingly further include retrieving the appropriate shared secret from a memory storing shared secrets for a plurality of client devices based at least in part upon the indication of the client device received in the data encryption request.
  • the authentication server may respond to the data encryption request by sending the retrieved shared secret to the data server.
  • the authentication server comprises an authentication, authorization, and accounting server.
  • a computer program product may include at least one computer-readable storage medium having computer-readable program instructions stored therein.
  • the computer-readable program instructions may include a plurality of program instructions.
  • the first program instruction is for receiving, at a client device, encrypted data from a data server.
  • the data may be encrypted using a shared secret known to the client device and an authentication server.
  • the second program instruction is for decrypting the encrypted data using the shared secret.
  • a computer program product may include at least one computer-readable storage medium having computer-readable program instructions stored therein.
  • the computer-readable program instructions may include a plurality of program instructions.
  • the first program instruction is for sending a data encryption request to an authentication server.
  • the data encryption request may include an indication of a client device to which the data server intends to send encrypted data.
  • the second program instruction is for receiving a response to the data encryption request.
  • the third program instruction is for sending encrypted data to the client device.
  • the encrypted data may be encrypted based at least in part upon a shared secret known to the client device and the authentication server.
  • a computer program product may include at least one computer-readable storage medium having computer-readable program instructions stored therein.
  • the computer-readable program instructions may include a plurality of program instructions.
  • the first program instruction is for receiving a data encryption request from a data server.
  • the data encryption request may include an indication of a client device.
  • the second program instruction is for responding to the data encryption request.
  • an apparatus may include a processor configured to receive encrypted data from a data server.
  • the data may be encrypted using a shared secret known to the client device and an authentication server.
  • the processor may be further configured to decrypt the encrypted data using the shared secret.
  • an apparatus may include a processor configured to send a data encryption request to an authentication server.
  • the data encryption request may include an indication of a client device to which the data server intends to send encrypted data.
  • the processor may be further configured to receive a response to the data encryption request.
  • the processor may additionally be configured to send encrypted data to the client device.
  • the encrypted data may be encrypted based at least in part upon a shared secret known to the client device and the authentication server.
  • an apparatus is provided, which may include a processor configured to receive a data encryption request from a data server.
  • the data encryption request may include an indication of a client device.
  • the processor may further be configured to respond to the data encryption request.
  • FIG. 1 illustrates a block diagram of a system that may benefit from embodiments of the present invention
  • FIG. 2 illustrates a block diagram of a system 200 for protecting data, such as may be related to remote management of a client device, according to an exemplary embodiment of the present invention
  • FIG. 3 is a schematic block diagram of a mobile terminal according to an exemplary embodiment of the present invention
  • FIGs. 4-6 are flowcharts according to an exemplary method for protecting data, such as may be related to remote management of a client device, according to an exemplary embodiment of the present invention.
  • FIG. 1 illustrates a block diagram of a system 100 that may benefit from embodiments of the present invention.
  • FIG. 1 illustrates a client device 102 configured to communicate with network service provider domain entities in accordance with OMA DM protocol.
  • the client device 102 may additionally or alternatively be configured to communicate with network service provider domain entities in accordance with other device management protocols, such as TR-069, and indeed embodiments of the invention may also benefit systems implementing other such device management protocols through encryption of at least some data transmitted to a client device.
  • the client device 102 is configured to communicate with a device management server (DMS) 104 over the interface 108 and with an authentication, authorization, and accounting (AAA) server 106 over the interface 110.
  • DMS device management server
  • AAA authentication, authorization, and accounting
  • the DMS 104 and AAA server 106 may be in communication with each other over the interface 112.
  • the interface 112 may comprise a wireline network, wireless network, cellular network, the Internet, and/or some combination thereof.
  • the interfaces 108 and 110 comprise wireless interfaces in conformance with WiMax protocol.
  • the interfaces 108 and 110 are established in accordance with some other communications protocol and may instead comprise wireline interfaces and/or wireless interfaces using a protocol other than WiMax.
  • the interfaces 108, 110, and 112 may comprise an integrated network (e.g., a wireless network, wired network, cellular network, the Internet, and/or some combination thereof) and devices of the system 100 may communicate with each other through the integrated network.
  • the client device 102 comprises a WiMax network interface ("WiMax L2") 114 configured to engage in WiMax communications with the DMS 104 over the interface 108 and the AAA server over the interface 110.
  • the WiMax network interface 114 may be at least partially implemented in hardware and may comprise a processor.
  • the client device 102 further comprises an internet protocol (IP) stack 116 configured to support IP communications between the client device 102 and other devices of the system 100, such as the DMS 104.
  • IP stack 116 is configured to communicate with the secure hypertext transfer protocol stack (HTTPS) 120 over the interface 118, which may, for example, comprise an internal bus or other internal interface of the client device 102.
  • HTTPS secure hypertext transfer protocol stack
  • the interfaces 122, 128, and/or 132 may comprise an internal interface of the client device 102.
  • the HTTPS 120 may support transport layer security (TLS). Accordingly, confidentiality of data exchanged over the interface 118 may be maintained through use of TLS.
  • the OMA DM client 124 is configured to receive data, such as may have been sent to the client device 102 by the DMS 104 over the interface 122.
  • the OMA DM client may store the received data in the database 126.
  • the extensible authentication protocol (EAP) stack 130 comprises a data consumer and may access data from the database 126 over the interface 128.
  • the EAP stack 130 is further configured to exchange data with the AAA server 106 over the interfaces 132 and 110 using the WiMax network interface 114.
  • EAP-TTLS EAP Tunneled Transport Layer Security
  • the EAP stack 130 may comprise software, which may, for example, be executed by the WiMax network interface 114 or by some other hardware processing entity within the client device 102.
  • An illustrative data flow to which embodiments of the invention may be applied comprises the DMS server 104 sending data to the OMA DM client 124 via the interfaces 108, 118, and 122.
  • the OMA DM client 124 may store the received data in the database 126.
  • the data may comprise confidential data, such as management objects.
  • the EAP stack 130 then accesses or receives the data over the interface 128 and consumes or otherwise uses the data, such as in accordance with OMA DM protocol.
  • if the client device 102 or at least some components thereof are run in an open environment, the data may be exposed when communicated over the interfaces 122 and 128 if it is not encrypted.
  • embodiments of the present invention provide means for encrypting data, such as OMA DM management objects, sent to a client device through the use of a shared secret known both to the client device and to a network entity that encrypts data to send to the client device.
  • embodiments of the present invention may be applied to systems implementing OMA DM, TR-069 or some other device management protocol used for remote management of a computing device.
  • FIG. 2 illustrates a block diagram of a system 200 for protecting data, such as may be related to remote management of a client device.
  • the term "exemplary" merely means an example and as such represents one example embodiment of the invention and should not be construed to narrow the scope or spirit of the invention in any way. It will be appreciated that the scope of the invention encompasses many potential embodiments in addition to those illustrated and described herein. As such, while FIG. 2 illustrates one example of a configuration of a system for protecting data, numerous other configurations may also be used to implement embodiments of the present invention.
  • referring now to FIG. 2, the system 200 may include a client device 202, data server 204, and authentication server 206 configured to communicate with each other over the network 208.
  • the client device 202 may be embodied as a server, desktop computer, laptop computer, mobile terminal, mobile computer, mobile phone, mobile communication device, game device, digital camera/camcorder, audio/video player, television device, radio receiver, digital video recorder, positioning device, any combination thereof, and/or the like.
  • the client device 202 may be configured to be remotely managed by a network service provider entity (e.g., the data server 204), such as in accordance with OMA DM protocol, TR-069, and/or some other device management protocol.
  • the client device 202 is embodied as a mobile terminal, such as that illustrated in FIG. 3.
  • FIG. 3 illustrates a block diagram of a mobile terminal 10 representative of one embodiment of a client device 202 in accordance with embodiments of the present invention. It should be understood, however, that the mobile terminal 10 illustrated and hereinafter described is merely illustrative of one type of client device 202 that may benefit from embodiments of the present invention and, therefore, should not be taken to limit the scope of the present invention.
  • the mobile terminal 10 may include an antenna 12 (or multiple antennas 12) in communication with a transmitter 14 and a receiver 16.
  • the mobile terminal may also include a controller 20 or other processor(s) that provides signals to and receives signals from the transmitter and receiver, respectively.
  • These signals may include signaling information in accordance with an air interface standard of an applicable cellular system, and/or any number of different wireline or wireless networking techniques, comprising but not limited to WiMAX,
  • WLAN wireless local access network
  • these signals may include speech data, user generated data, user requested data, and/or the like.
  • the mobile terminal may be capable of operating with one or more air interface standards, communication protocols, modulation types, access types, and/or the like. More particularly, the mobile terminal may be capable of operating in accordance with various first generation (1G), second generation (2G), 2.5G, third-generation (3G) communication protocols, fourth-generation (4G) communication protocols, and/or the like.
  • 1G first generation
  • 2G second generation
  • the mobile terminal may be capable of operating in accordance with 2G wireless communication protocols IS-136 (Time Division Multiple Access (TDMA)), Global System for Mobile communications (GSM), IS-95 (Code Division Multiple Access (CDMA)), and/or the like.
  • the mobile terminal may be capable of operating in accordance with 2.5G wireless communication protocols General Packet Radio Service (GPRS), Enhanced Data GSM Environment (EDGE), and/or the like.
  • GPRS General Packet Radio Service
  • EDGE Enhanced Data GSM Environment
  • the mobile terminal may be capable of operating in accordance with 3G wireless communication protocols such as Universal Mobile Telecommunications System (UMTS), Code Division Multiple Access 2000 (CDMA2000), Wideband Code Division Multiple Access (WCDMA), Time Division-Synchronous Code Division Multiple Access (TD-SCDMA), and/or the like.
  • UMTS Universal Mobile Telecommunications System
  • CDMA2000 Code Division Multiple Access 2000
  • WCDMA Wideband Code Division Multiple Access
  • TD-SCDMA Time Division-Synchronous Code Division Multiple Access
  • the mobile terminal may be additionally capable of operating in accordance with 3.9G wireless communication protocols such as Long Term Evolution (LTE) or Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and/or the like. Additionally, for example, the mobile terminal may be capable of operating in accordance with fourth-generation (4G) wireless communication protocols and/or the like as well as similar wireless communication protocols that may be developed in the future.
  • LTE Long Term Evolution
  • E-UTRAN Evolved Universal Terrestrial Radio Access Network
  • NAMPS Narrow-band Advanced Mobile Phone System
  • TACS Total Access Communication System
  • mobile terminals may also benefit from embodiments of this invention, as should dual or higher mode phones (e.g., digital/analog or TDMA/CDMA/analog phones). Additionally, the mobile terminal 10 may be capable of operating according to Wireless Fidelity (Wi-Fi) or WiMax protocols.
  • Wi-Fi Wireless Fidelity
  • the controller 20 may comprise circuitry for implementing audio/video and logic functions of the mobile terminal 10.
  • the controller 20 may comprise a digital signal processor device, a microprocessor device, an analog-to-digital converter, a digital-to-analog converter, and/or the like. Control and signal processing functions of the mobile terminal may be allocated between these devices according to their respective capabilities.
  • the controller may additionally comprise an internal voice coder (VC) 20a, an internal data modem (DM) 20b, and/or the like.
  • the controller may comprise functionality to operate one or more software programs, which may be stored in memory.
  • the controller 20 may be capable of operating a connectivity program, such as a web browser.
  • the connectivity program may allow the mobile terminal 10 to transmit and receive web content, such as location-based content, according to a protocol, such as Wireless Application Protocol (WAP), hypertext transfer protocol (HTTP), and/or the like.
  • WAP Wireless Application Protocol
  • HTTP hypertext transfer protocol
  • the mobile terminal 10 may be capable of using a Transmission Control Protocol/Internet Protocol (TCP/IP) to transmit and receive web content across the internet or other networks.
  • TCP/IP Transmission Control Protocol/Internet Protocol
  • the mobile terminal 10 may also comprise a user interface which may include, for example, an earphone or speaker 24, a ringer 22, a microphone 26, a display 28, a user input interface, and/or the like, which may be operationally coupled to the controller 20.
  • the mobile terminal may comprise a battery for powering various circuits related to the mobile terminal, for example, a circuit to provide mechanical vibration as a detectable output.
  • the user input interface may comprise devices allowing the mobile terminal to receive data, such as a keypad 30, a touch display (not shown), a joystick (not shown), and/or other input device.
  • the keypad may comprise numeric (0-9) and related keys (#, *), and/or other keys for operating the mobile terminal.
  • the mobile terminal 10 may include a positioning sensor (not illustrated).
  • the positioning sensor may include, for example, a global positioning system (GPS) sensor, an assisted global positioning system (Assisted-GPS) sensor, etc. In one embodiment, however, the positioning sensor may include a pedometer or inertial sensor. In some embodiments, the positioning sensor is additionally or alternatively configured to determine a location of the mobile terminal using short-range radio signals, such as, for example, WLAN signals, Bluetooth signals, and/or the like. Further, the positioning sensor may determine the location of the mobile terminal based upon signal triangulation or other mechanisms.
  • GPS global positioning system
  • Assisted-GPS assisted global positioning system
  • the positioning sensor may be configured to determine a location of the mobile terminal, such as latitude and longitude coordinates of the mobile terminal or a position relative to a reference point such as a destination or a start point. Information from the positioning sensor may be communicated to a memory of the mobile terminal or to another memory device to be stored as a position history or location information. Furthermore, a memory of the mobile terminal may store instructions for determining cell id information. In this regard, the memory may store an application program for execution by the controller 20, which may determine an identity of the current cell, i.e., cell id identity or cell id information, with which the mobile terminal is in communication. In conjunction with the positioning sensor, the cell id information may be configured to more accurately determine a location of the mobile terminal.
  • the mobile terminal 10 may also include one or more means for sharing and/or obtaining data.
  • the mobile terminal may comprise a short-range radio frequency (RF) transceiver and/or interrogator 64 so data may be shared with and/or obtained from electronic devices in accordance with RF techniques.
  • the mobile terminal may comprise other short-range transceivers, such as, for example, an infrared (IR) transceiver 66, a Bluetooth™ (BT) transceiver 68 operating using Bluetooth™ brand wireless technology developed by the Bluetooth™ Special Interest Group, a wireless universal serial bus (USB) transceiver 70 and/or the like.
  • IR infrared
  • BT Bluetooth™
  • USB universal serial bus
  • the Bluetooth™ transceiver 68 may be capable of operating according to ultra-low power Bluetooth™ technology (e.g., Wibree™) radio standards.
  • the mobile terminal 10 and, in particular, the short-range transceiver may be capable of transmitting data to and/or receiving data from electronic devices within a proximity of the mobile terminal, such as within 10 meters, for example.
  • the mobile terminal may be capable of transmitting and/or receiving data from electronic devices according to various wireless networking techniques, including WiMAX, Wireless Fidelity (Wi-Fi), WLAN techniques such as IEEE 802.11 techniques, and/or the like.
  • the mobile terminal 10 may comprise memory, such as a subscriber identity module (SIM) 38, a removable user identity module (R-UIM), and/or the like, which may store information elements related to a mobile subscriber. In addition to the SIM, the mobile terminal may comprise other removable and/or fixed memory.
  • the mobile terminal 10 may include volatile memory 40 and/or non-volatile memory 42.
  • volatile memory 40 may include Random Access Memory (RAM) including dynamic and/or static RAM, on-chip or off-chip cache memory, and/or the like.
  • RAM Random Access Memory
  • Non-volatile memory 42 which may be embedded and/or removable, may include, for example, read-only memory, flash memory, magnetic storage devices (e.g., hard disks, floppy disk drives, magnetic tape, etc.), optical disc drives and/or media, non-volatile random access memory (NVRAM), and/or the like.
  • the memories may store one or more software programs, instructions, pieces of information, data, and/or the like which may be used by the mobile terminal for performing functions of the mobile terminal.
  • the memories may comprise an identifier, such as an international mobile equipment identification (IMEI) code, capable of uniquely identifying the mobile terminal 10.
  • the data server 204 may comprise any computing device or plurality of computing devices configured to provide data to the client device 202 over the network 208.
  • the data may comprise device management data, such as OMA DM management objects.
  • the data server 204 is embodied as a DMS, such as the DMS 104, that is configured to provide encrypted data to the client device 202 in accordance with embodiments of the invention.
  • the Authentication server 206 is configured to facilitate authentication of the client device 202 to the data server 204 and vice versa. Accordingly, the authentication server 206 may be configured to facilitate authentication between a client device 202 and a network service domain configured to provide remote management data to the client device 202.
  • the authentication server is embodied as an AAA server, such as the AAA server 206, that is configured to facilitate encryption of data communicated to the client device 202 by the data server 204 in conformance with embodiments of the invention.
  • the client device 202 may include various means, such as a processor 210, memory 212, communication interface 214, device management client 216, and data consumer unit 218 for performing the various functions herein described.
  • These means of the client device 202 as described herein may be embodied as, for example, hardware elements (e.g., a suitably programmed processor, combinational logic circuit, and/or the like), computer code (e.g., software or firmware) embodied on a computer-readable medium (e.g. memory 212) that is executable by a suitably configured processing device (e.g., the processor 210), or some combination thereof.
  • the processor 210 may, for example, be embodied as various means including a microprocessor, a coprocessor, a controller, or various other processing elements including integrated circuits such as, for example, an ASIC (application specific integrated circuit) or FPGA (field programmable gate array).
  • the processor 210 may be embodied as or otherwise comprise the controller 20.
  • the processor 210 is configured to execute instructions stored in the memory 212 or otherwise accessible to the processor 210.
  • the processor 210 comprises a plurality of processors.
  • the memory 212 may include, for example, volatile and/or non-volatile memory.
  • the memory 212 may be configured to store information, data, applications, instructions, or the like for enabling the client device 202 to carry out various functions in accordance with exemplary embodiments of the present invention.
  • the memory 212 is configured to buffer input data for processing by the processor 210.
  • the memory 212 is configured to store program instructions for execution by the processor 210.
  • the memory 212 may comprise one or more databases that store information in the form of static and/or dynamic information. This stored information may be stored and/or used by the device management client 216 and/or data consumer unit 218 during the course of performing their functionalities.
  • the communication interface 214 may be embodied as any device or means embodied in hardware, software, firmware, or a combination thereof that is configured to receive and/or transmit data from/to a remote device, such as the data server 204 and/or authentication server 206 over the network 208.
  • the communication interface 214 is at least partially embodied as or otherwise controlled by the processor 210.
  • the communication interface 214 may include, for example, an antenna, a transmitter, a receiver, a transceiver and/or supporting hardware or software for enabling communications with other entities of the system 200.
  • the communication interface 214 may be configured to receive and/or transmit data using any protocol that may be used for communications between computing devices of the system 200.
  • the communication interface 214 may be configured to receive and/or transmit data in accordance with OMA DM protocol standards.
  • the communication interface 214 comprises the WiMax network interface 114, IP stack 116, and/or HTTPS 120 illustrated in FIG. 1.
  • the communication interface 214 may additionally be in communication with the memory 212, device management client 216, and/or data consumer unit 218, such as via a bus.
  • the device management client 216 may be embodied as various means, such as hardware, software, firmware, or some combination thereof and, in one embodiment, is embodied as or otherwise controlled by the processor 210. In embodiments where the device management client 216 is embodied separately from the processor 210, the device management client 216 may be in communication with the processor 210. The device management client 216 is configured to receive data, such as may comprise device management data, from the data server 204. The device management client 216 may store the received data in a memory, such as the memory 212 or in another memory, which may be embodied on the device management client 216. In some embodiments the device management client 216 comprises an OMA DM client.
  • the device management client 216 does not necessarily comprise an integrated data base or other memory, such as the database 126 illustrated in the OMA DM client 124 of FIG. 1, although in an exemplary embodiment, the device management client 216 may comprise an integrated database.
  • the device management client 216 is further configured to provide the data consumer unit 218 with access to data received from the data server 204.
  • the data consumer unit 218 may be embodied as various means, such as hardware, software, firmware, or some combination thereof and, in one embodiment, is embodied as or otherwise controlled by the processor 210.
  • the data consumer unit 218 may be in communication with the processor 210.
  • the data consumer unit 218 is configured to consume or otherwise use data, such as device management data.
  • the data consumer unit 218 is configured to receive or otherwise access data from the device management client 216.
  • the data consumer unit 218 is embodied as an EAP stack.
  • embodiments of the data server 204 may include various means, such as a processor 220, memory 222, communication interface 224, and data provision unit 226 for performing the various functions herein described.
  • These means of the data server 204 as described herein may be embodied as, for example, hardware elements (e.g., a suitably programmed processor, combinational logic circuit, and/or the like), computer code (e.g., software or firmware) embodied on a computer-readable medium (e.g. memory 222) that is executable by a suitably configured processing device (e.g., the processor 220), or some combination thereof.
  • the processor 220 may, for example, be embodied as various means including a microprocessor, a coprocessor, a controller, or various other processing elements including integrated circuits such as, for example, an ASIC (application specific integrated circuit) or FPGA (field programmable gate array).
  • the processor 220 is configured to execute instructions stored in the memory 222 or otherwise accessible to the processor 220.
  • the processor 220 comprises a plurality of processors, which may operate cooperatively, such as in parallel.
  • the plurality of processors may be embodied in a single computing device or in a plurality of computing devices operating cooperatively to implement the data server 204.
  • the memory 222 may include, for example, volatile and/or non-volatile memory.
  • the memory 222 may be configured to store information, data, applications, instructions, or the like.
  • the memory 222 is configured to buffer input data for processing by the processor 220.
  • the memory 222 is configured in at least some embodiments to store program instructions for execution by the processor 220.
  • the memory 222 may comprise one or more databases that store information in the form of static and/or dynamic information. This stored information may be stored and/or used by the data provision unit 226 during the course of performing its functionalities.
  • the communication interface 224 may be embodied as any device or means embodied in hardware, software, firmware, or a combination thereof that is configured to receive and/or transmit data from/to a remote device, such as the client device 202 and/or authentication server 206 over the network 208.
  • the communication interface 224 is at least partially embodied as or otherwise controlled by the processor 220.
  • the communication interface 224 may include, for example, an antenna, a transmitter, a receiver, a transceiver and/or supporting hardware or software for enabling communications with other entities of the system 200.
  • the communication interface 224 may be configured to receive and/or transmit data using any protocol that may be used for communications between computing devices of the system 200. In this regard, the communication interface 224 may be configured to receive and/or transmit data in accordance with OMA DM protocol standards.
  • the communication interface 224 may additionally be in communication with the memory 222 and/or data provision unit 226, such as via a bus.
  • the data provision unit 226 may be embodied as various means, such as hardware, software, firmware, or some combination thereof and, in one embodiment, is embodied as or otherwise controlled by the processor 220. In embodiments wherein the data provision unit 226 is embodied separately from the processor 220, the data provision unit 226 may be in communication with the processor 220.
  • the data provision unit 226 is configured to send encrypted data, such as encrypted device management data (e.g., device management objects in accordance with OMA DM protocol) to the client device 202.
  • embodiments of the authentication server 206 may include various means, such as a processor 230, memory 232, communication interface 234, and security unit 236 for performing the various functions herein described.
  • These means of the authentication server 206 as described herein may be embodied as, for example, hardware elements (e.g., a suitably programmed processor, combinational logic circuit, and/or the like), computer code (e.g., software or firmware) embodied on a computer-readable medium (e.g. memory 232) that is executable by a suitably configured processing device (e.g., the processor 230), or some combination thereof.
  • the processor 230 may, for example, be embodied as various means including a microprocessor, a coprocessor, a controller, or various other processing elements including integrated circuits such as, for example, an ASIC (application specific integrated circuit) or FPGA (field programmable gate array).
  • the processor 230 is configured to execute instructions stored in the memory 232 or otherwise accessible to the processor 230.
  • the processor 230 comprises a plurality of processors, which may operate cooperatively, such as in parallel.
  • the plurality of processors may be embodied in a single computing device or in a plurality of computing devices operating cooperatively to implement the authentication server 206.
  • the memory 232 may include, for example, volatile and/or non-volatile memory.
  • the memory 232 may be configured to store information, data, applications, instructions, or the like.
  • the memory 232 is configured to buffer input data for processing by the processor 230.
  • the memory 232 is configured in at least some embodiments to store program instructions for execution by the processor 230.
  • the memory 232 may comprise one or more databases that store information in the form of static and/or dynamic information.
  • the memory 232 may store a shared secret known to the authentication server 206 and the client device 202. This stored information may be stored and/or used by security unit 236 during the course of performing its functionalities.
  • the communication interface 234 may be embodied as any device or means embodied in hardware, software, firmware, or a combination thereof that is configured to receive and/or transmit data from/to a remote device, such as the data server 204 and/or client device 202 over the network 208.
  • the communication interface 234 is at least partially embodied as or otherwise controlled by the processor 230.
  • the communication interface 234 may include, for example, an antenna, a transmitter, a receiver, a transceiver and/or supporting hardware or software for enabling communications with other entities of the system 200.
  • the communication interface 234 may be configured to receive and/or transmit data using any protocol that may be used for communications between computing devices of the system 200. In this regard, the communication interface 234 may be configured to receive and/or transmit data in accordance with OMA DM protocol standards.
  • the communication interface 234 may additionally be in communication with the memory 232 and/or security unit 236, such as via a bus.
  • the security unit 236 may be embodied as various means, such as hardware, software, firmware, or some combination thereof and, in one embodiment, is embodied as or otherwise controlled by the processor 230. In embodiments wherein the security unit 236 is embodied separately from the processor 230, the security unit 236 may be in communication with the processor 230. In at least some embodiments, when the data provision unit 226 needs to send data to the client device 202, the data provision unit 226 is configured to send a data encryption request to the authentication server 206.
  • the data to be sent to the client device 202 may comprise device management data related to remote management of the client device 202.
  • the device management data may comprise an OMA DM management object.
  • the data encryption request may include an indication of an identity of the client device 202 so that the authentication server may identify the client device 202 associated with the data encryption request.
  • the data encryption request may comprise at least a portion of the data that the data provision unit 226 needs to send to the client device 202 so that the authentication server 206 may encrypt the data for the data provision unit 226 based at least in part upon a shared secret known to the authentication server 206 and the client device 202.
  • the data encryption request may comprise a request that the authentication server encrypt at least a portion of data included in the data encryption request (e.g., in embodiments wherein the authentication server 206 is responsible for encrypting data to be sent to the client device 202 and does not share the shared secret with the data server 204).
  • the data encryption request may comprise a request that the authentication server 206 send the shared secret known to the authentication server 206 and client device 202 to the data server 204 (e.g., in embodiments wherein the authentication server 206 shares shared secrets with the data server 204 and the data server 204 is responsible for encrypting data to be sent to the client device 202).
  • the security unit 236 of the authentication server is configured to receive the data encryption request.
  • the security unit 236 may be further configured to retrieve the shared secret known to both the authentication server 206 and client device 202 based at least in part upon the identity of the client device 202 included in the received data encryption request.
  • the security unit 236 may retrieve the shared secret from a memory, such as the memory 232 that may store a plurality of shared secrets, each of which may be associated with a particular client device 202.
  • the shared secret may comprise any static shared secret known to the client device and authentication server.
  • the shared secret comprises a device certificate.
  • the device certificate may comprise, for example, an X.509 WiMax device certificate or a certificate used for secure HTTP communications between the client device 202 and authentication server 206. It will be appreciated, however, that the shared secret may comprise any shared secret known to both the client device 202 and any component or entity of the system 200, such as the authentication server 206 and/or data server 204.
  • the security unit 236 is configured to encrypt the unencrypted data based at least in part upon the shared secret.
  • the security unit 236 may be configured to encrypt the data using the shared secret in accordance with any encryption algorithm or protocol known to both the security unit 236 and data consumer unit 218.
  • the security unit 236 is further configured to send a response to the data encryption request to the data server 204 comprising the encrypted data.
  • the security unit 236 is configured to send a response to the data encryption request comprising the retrieved shared secret.
  • the data provision unit 226 is accordingly configured to receive the response to the data encryption request.
  • the data server 204 encrypts data to be sent to the client device 202 (e.g., in embodiments wherein the authentication server 206 shares shared secrets with the data server 204 and the data server 204 is responsible for encrypting data to be sent to the client device 202).
  • the data provision unit 226 is further configured to extract the shared secret from the response and encrypt the data to be sent to the client device 202 based at least in part upon the shared secret.
  • the data provision unit 226 may be configured to encrypt the data using the shared secret in accordance with any encryption algorithm or protocol known to both the data provision unit 226 and data consumer unit 218.
  • the data provision unit 226 may be configured to extract the encrypted data from the response so that it may be sent to the client device 202.
  • the data server 204 or some component thereof, such as the data provision unit 226, has access to the shared secret at the outset and accordingly, the data provision unit 226 does not need to send a data encryption request to the authentication server 206.
  • the data provision unit 226 may be configured to access the shared secret, such as from the memory 222 and encrypt the data to be sent to the client device 202 based at least in part upon the shared secret using any encryption algorithm or protocol known to both the data provision unit 226 and data consumer unit 218.
  • the data provision unit 226 is configured to send a data encryption request to a network entity or component other than the authentication server 206 that has access to the shared secret.
  • the data provision unit 226 may send a data encryption request to the network entity or component in order to obtain the shared secret and/or to have the network entity or component encrypt data included in the data encryption request using the shared secret, such as described in connection with the security unit 236.
  • the data provision unit 226 is further configured to send the encrypted data to the client device 202.
  • the data provision unit 226 may be configured to send the encrypted data to the client device 202 in accordance with OMA DM protocol, TR-069 standards, and/or the like.
  • the data provision unit 226 may be configured to send the encrypted data with an indication that the encrypted data is encrypted.
  • the indication may comprise a flag, parameter, or other indication that the data is encrypted.
  • a node of an OMA DM management object that is at least partially encrypted may indicate that at least a portion of the OMA DM management object is encrypted.
  • the device management client 216 is configured to receive the encrypted data from the data server 204.
  • the device management client 216 may receive the encrypted data over a bus or other interface internal to the client device 202 from the communication interface 214.
  • the device management client 216 may store the received encrypted data in a database, which may be embodied on memory 212 or some other memory, which may be embodied on the device management client 216.
  • the device management client 216 is configured to provide the data consumer unit 218 with access to the encrypted data.
  • the device management client 216 may be configured to allow the data consumer unit 218 to access the encrypted data from where it was stored by the device management client 216.
  • the device management client 216 may be configured to send the encrypted data to the data consumer unit 218 over a bus or other interface within the client device 202, such as in response to a request by the data consumer unit 218.
  • the data consumer unit 218 is configured to receive or otherwise access the encrypted data directly from the communication interface 214, rather than from the device management client 216.
  • the data consumer unit 218 is configured to decrypt the encrypted data based at least in part upon the shared secret. If the data consumer unit 218 does not already know the shared secret, the data consumer unit 218 may be configured to retrieve the shared secret from the authentication server 206 or some other entity of the client device 202 having access to the shared secret.
  • the data consumer unit 218 may be configured to decrypt the encrypted data using the shared secret in accordance with the encryption algorithm used by the data provision unit 226 or security unit 236 to encrypt the encrypted data.
  • the data consumer unit 218 may be configured to determine whether data accessed from the device management client 216 is encrypted prior to decrypting the data, since data that is not encrypted does not need to be decrypted. In this regard, the data consumer unit 218 may be configured to determine whether the accessed data comprises an indication that the data is encrypted. This indication may comprise any of the above-described indications that may be included with the encrypted data by the data provision unit 226.
  • FIGs. 4-6 are flowcharts of systems, methods, and computer program products according to exemplary embodiments of the invention. It will be understood that each block or step of the flowcharts, and combinations of blocks in the flowcharts, may be implemented by various means, such as hardware, firmware, and/or software including one or more computer program instructions. For example, one or more of the procedures described above may be embodied by computer program instructions.
  • the computer program instructions which embody the procedures described above may be stored by a memory device of a mobile terminal, server, or other computing device and executed by a processor in the computing device.
  • the computer program instructions which embody the procedures described above may be stored by memory devices of a plurality of computing devices.
  • any such computer program instructions may be loaded onto a computer or other programmable apparatus to produce a machine, such that the instructions which execute on the computer or other programmable apparatus create means for implementing the functions specified in the flowchart block(s) or step(s).
  • These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart block(s) or step(s).
  • the computer program instructions may also be loaded onto a computer or other programmable apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block(s) or step(s).
  • blocks or steps of the flowcharts support combinations of means for performing the specified functions, combinations of steps for performing the specified functions and program instruction means for performing the specified functions. It will also be understood that one or more blocks or steps of the flowcharts, and combinations of blocks or steps in the flowcharts, may be implemented by special purpose hardware-based computer systems which perform the specified functions or steps, or combinations of special purpose hardware and computer instructions.
  • FIG. 4 illustrates operations which may occur at a client device 202.
  • the method comprises the device management client 216 and/or data consumer unit 218 receiving encrypted data that was sent to the client device 202 by the data server 204, at operation 400.
  • Operation 410 comprises the data consumer unit 218 decrypting the encrypted data using a shared secret known to the client device 202 and authentication server 206.
  • Operation 420 comprises the data consumer unit 218 consuming the decrypted data.
  • FIG. 5 illustrates a flowchart according to an exemplary method for protecting data, such as may be related to remote management of a client device, according to an exemplary embodiment of the present invention. In this regard, FIG. 5 illustrates operations which may occur at a data server 204.
  • the method comprises the data provision unit 226 sending a data encryption request to the authentication server 206, at operation 500.
  • Operation 510 comprises the data provision unit 226 receiving a response to the data encryption request.
  • Operation 520 comprises the data provision unit 226 sending encrypted data to the client device 202.
  • FIG. 6 illustrates a flowchart according to an exemplary method for protecting data, such as may be related to remote management of a client device, according to an exemplary embodiment of the present invention.
  • FIG. 6 illustrates operations which may occur at an authentication server 206.
  • the method comprises the security unit 236 receiving a data encryption request sent by the data server 204, at operation 600.
  • the data encryption request may comprise an indication of an identity of a client device 202.
  • Operation 610 comprises the data provision unit 226 retrieving a shared secret known to the authentication server 206 and the client device 202 identified in the data encryption request.
  • Operation 620 comprises the security unit 236 responding to the data encryption request.
  • a suitably configured processor may provide all or a portion of the elements of the invention.
  • all or a portion of the elements of the invention may be configured by and operate under control of a computer program product.
  • the computer program product for performing the methods of embodiments of the invention may include a computer-readable storage medium, such as the non-volatile storage medium, and computer-readable program code portions, such as a series of computer instructions, embodied in the computer-readable storage medium.
  • Embodiments of the invention provide several advantages to computing devices, such as a client device 202.
  • Embodiments of the invention facilitate encryption of data using a static shared secret known both to the client device and an entity of a network service provider.
  • the client device and entity of the network service provider knowing the static shared secret have a pre-established trust and thus embodiments of the invention leverage the shared secret using an encryption protocol known to both the client device and an entity of the network service provider to encrypt data sent to the client device based at least in part upon the shared secret.
  • a data consumer within the client device then decrypts the data inside of a secure environment of the client device using the shared secret so that malicious third parties are inhibited from intercepting confidential data.
  • Embodiments of the invention are particularly advantageous for use in systems providing remote management of client devices where confidential data, such as device management data, is communicated to client devices. If not encrypted, the confidential data may be intercepted by third parties following receipt by a client device when the data is communicated over unsecure interfaces of the client device.
  • embodiments of the invention are advantageous as an addition to OMA DM, TR-069, and other device management protocols to enhance security of device management objects transferred between a client device and a device management server.
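The data encryption request exchange described above (data provision unit 226, security unit 236, data consumer unit 218) and the operations of FIGs. 4-6, as an added worked example in Go that is not part of the patent. The patent leaves the cipher open, so AES-256-GCM with a key derived from the shared secret by HMAC-SHA256 is assumed here; the client identity, the node path and the shared secret bytes are constructed placeholders, and the node path is bound to the ciphertext as associated data so an encrypted node cannot be replayed under another node.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ManagementObject stands in for one node of a device management object sent to
// the client; Encrypted is the patent's "indication that the data is encrypted".
type ManagementObject struct {
	Node      string // hypothetical node path, e.g. "./EAP/Password"
	Encrypted bool
	Payload   []byte // plaintext, or nonce||ciphertext||tag when Encrypted
}

// EncryptionRequest is the data encryption request the data server sends; it
// carries the client identity and the portion of data to be encrypted.
type EncryptionRequest struct {
	ClientID  string
	Node      string
	Plaintext []byte
}

// newGCM derives an AES-256-GCM instance from the static shared secret (e.g.
// device certificate bytes). The patent leaves the cipher open; HMAC-SHA256
// with a purpose label is assumed so the raw secret is never used as a key.
func newGCM(sharedSecret []byte) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, []byte("dm-payload-encryption"))
	mac.Write(sharedSecret)
	block, err := aes.NewCipher(mac.Sum(nil)) // 32-byte output -> AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPayload prepends a fresh random nonce; the node path is authenticated
// as associated data so a ciphertext cannot be replayed under another node.
func encryptPayload(sharedSecret []byte, node string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(sharedSecret)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(node)), nil
}

// decryptPayload reverses encryptPayload; a wrong secret, a wrong node path or
// any modification of the payload makes the GCM tag check fail.
func decryptPayload(sharedSecret []byte, node string, data []byte) ([]byte, error) {
	gcm, err := newGCM(sharedSecret)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("payload too short for node %q", node)
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], []byte(node))
}

// AuthServer models the security unit 236: one shared secret per client identity.
type AuthServer struct {
	Secrets map[string][]byte
}

// HandleEncryptionRequest performs operations 600-620: retrieve the shared
// secret of the identified client and encrypt on the data server's behalf,
// returning the encrypted data as the response to the request.
func (a *AuthServer) HandleEncryptionRequest(req EncryptionRequest) ([]byte, error) {
	secret, ok := a.Secrets[req.ClientID]
	if !ok {
		return nil, fmt.Errorf("no shared secret for client %q", req.ClientID)
	}
	return encryptPayload(secret, req.Node, req.Plaintext)
}

// SendProtected models the data provision unit 226, operations 500-520: send the
// request, receive the response, emit the node with the encryption indication set.
func SendProtected(auth *AuthServer, clientID, node string, plaintext []byte) (ManagementObject, error) {
	ct, err := auth.HandleEncryptionRequest(EncryptionRequest{ClientID: clientID, Node: node, Plaintext: plaintext})
	if err != nil {
		return ManagementObject{}, err
	}
	return ManagementObject{Node: node, Encrypted: true, Payload: ct}, nil
}

// Consume models the data consumer unit 218 (e.g. an EAP stack), operations 400-420:
// decrypt only when the indication is set; a payload whose tag does not verify is rejected.
func Consume(sharedSecret []byte, mo ManagementObject) ([]byte, error) {
	if !mo.Encrypted {
		return mo.Payload, nil
	}
	return decryptPayload(sharedSecret, mo.Node, mo.Payload)
}
```

The variant in which the authentication server returns the shared secret and the data server encrypts follows the same encryptPayload path with the secret held by the data server.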

Abstract

A method, apparatus, and computer program product are provided for protecting data, such as may be related to remote management of a client device. An apparatus may include a processor configured to send a data encryption request to an authentication server. The processor may be further configured to receive a response to the data encryption request. The processor may additionally be configured to send encrypted data to the client device that is encrypted based at least in part upon a shared secret known to the client device and the authentication server. Corresponding methods and computer program products are also provided.

Description

METHODS, APPARATUSES, AND COMPUTER PROGRAM PRODUCTS FOR PROTECTING DATA

TECHNICAL FIELD

Embodiments of the present invention relate generally to communication technology and, more particularly, relate to methods, apparatuses, and computer program products for protecting data.

BACKGROUND

The modern communications era has brought about a tremendous expansion of wireline and wireless networks. Computer networks, television networks, and telephony networks are experiencing an unprecedented technological expansion, fueled by consumer demand. Wireless and mobile networking technologies have addressed related consumer demands, while providing more flexibility and immediacy of information transfer. Current and future networking technologies as well as evolved computing devices making use of networking technologies continue to facilitate ease of information transfer and convenience to users. Many networks now facilitate remote management of network devices, such as mobile devices, through a network service provider. In this regard, a network service provider domain may comprise a server or other device management entity configured to manage network devices. One protocol providing for remote management of network devices is the Open Mobile Alliance Device Management (OMA DM) protocol.
In OMA DM protocol, data is exchanged between a client device and device management server (DMS), which are known to and trusted by each other. Establishment of the trust may be facilitated by an authentication, authorization, and accounting (AAA) server, which is also located in the domain of the network service provider. Confidentiality of data exchanged between the DMS and client device is maintained during transmission from the DMS to the client device in accordance with OMA DM standards. However, OMA DM does not provide any standardized mechanisms to encrypt data exchanged between the DMS and a client device. Accordingly, client devices that are not run as a closed environment may be vulnerable to security attacks where a malicious party may intercept the data as it is communicated over a bus or other interface within the client device. This security vulnerability may be particularly troublesome because data received by a client device from a DMS is often confidential data, such as authentication credentials, and may include confidential management objects.
Accordingly, it would be advantageous to provide methods, apparatuses, and computer program products for protecting data, and in particular for protecting data related to remote management of a client device.
BRIEF SUMMARY OF SOME EXAMPLE EMBODIMENTS OF THE INVENTION
Methods, apparatuses, and computer program products are therefore provided for protecting data, such as data related to remote management of a client device. In this regard, methods, apparatuses, and computer program products are provided that facilitate encryption of data using a static shared secret known both to the client device and an entity of a network service provider. The client device and entity of the network service provider knowing the static shared secret have a pre-established trust and thus embodiments of the invention leverage the shared secret using an encryption protocol known to both the client device and an entity of the network service provider to encrypt data sent to the client device based at least in part upon the shared secret. A data consumer within the client device then decrypts the data inside of a secure environment of the client device using the shared secret so that malicious third parties are inhibited from intercepting confidential data. Embodiments of the invention are particularly advantageous for use in systems providing remote management of client devices where confidential data, such as device management data, is communicated to client devices. If not encrypted, the confidential data may be intercepted by third parties following receipt by a client device when the data is communicated over unsecure interfaces of the client device. In particular, embodiments of the invention are advantageous as an addition to OMA DM, TR-069, and other device management protocols to enhance security of device management objects transferred between a client device and a device management server.
In a first exemplary embodiment, a method is provided, which may include receiving, at a client device, encrypted data from a data server. The data may be encrypted using a shared secret known to the client device and an authentication server. The method may further include decrypting the encrypted data using the shared secret. In at least some embodiments, the encrypted data comprises device management data related to remote management of the client device. The device management data may comprise an OMA DM management object. The data server may accordingly be embodied as a device management server located in the domain of a network service provider. The received encrypted data may comprise a flag, parameter, or other indication that the data is encrypted. In some embodiments, a node of an OMA DM management object may indicate whether at least a portion of the OMA DM management object is encrypted. The shared secret may comprise any static shared secret known to the client device and any component or entity in the network domain. In this regard, the shared secret may be known to the authentication server and/or data server. In some embodiments, the shared secret comprises a device certificate. The device certificate may comprise an X.509 Worldwide Interoperability for Microwave Access (WiMax) device certificate.
In another exemplary embodiment, a method is provided, which may include a data server sending a data encryption request to an authentication server. The data encryption request may include an indication of a client device to which the data server intends to send encrypted data. The method may further include receiving a response to the data encryption request. The method may additionally include sending encrypted data to the client device. The encrypted data may be encrypted based at least in part upon a shared secret known to the client device and the authentication server. The encrypted data may comprise an indication that the encrypted data is encrypted.
In some embodiments, the data encryption request may comprise data that the data server requests the authentication server to encrypt based at least in part upon the shared secret known to the authentication server. The response to the data encryption request may then comprise the encrypted data.
In some embodiments, the data encryption request may comprise a request that the authentication server send the shared secret known to the authentication server and client device to the data server. The data server may then encrypt data to be sent to the client device based at least in part upon the shared secret. In some embodiments, the data server comprises a DMS configured to manage the client device in accordance with OMA DM protocol. The encrypted data may comprise device management data, such as OMA DM device management objects. In some embodiments, the encrypted data sent to the client device may comprise an indication that the data has been encrypted. This indication may comprise a node in a device management object indicating that at least a portion of the device management object is encrypted.
In another exemplary embodiment, a method is provided, which may include receiving, at an authentication server, a data encryption request from a data server. The data encryption request may include an indication of a client device. The method may further include responding to the data encryption request. In some embodiments, the data encryption request may comprise data that the data server requests to be encrypted based at least in part upon a shared secret known to the authentication server and the client device indicated in the data encryption request. The data may comprise device management data. The device management data may comprise an OMA DM management object. Accordingly, the method may further include the authentication server encrypting the data received from the data server based at least in part upon the shared secret. The authentication server may retrieve the appropriate shared secret to use to encrypt the data from a memory storing shared secrets for a plurality of client devices based at least in part upon the indication of the client device received in the data encryption request. The authentication server may respond to the data encryption request by sending the encrypted data to the data server. In some embodiments, the data encryption request may comprise a request that the authentication server send a shared secret known to the authentication server and the client device indicated in the data encryption request. The method may accordingly further include retrieving the appropriate shared secret from a memory storing shared secrets for a plurality of client devices based at least in part upon the indication of the client device received in the data encryption request. The authentication server may respond to the data encryption request by sending the retrieved shared secret to the data server. In some embodiments, the authentication server comprises an authentication, authorization, and accounting server.
In another exemplary embodiment, a computer program product is provided. The computer program product may include at least one computer-readable storage medium having computer-readable program instructions stored therein. The computer-readable program instructions may include a plurality of program instructions. Although in this summary, the program instructions are ordered, it will be appreciated that this summary is provided merely for purposes of example and the ordering is merely to facilitate summarizing the computer program product. The example ordering in no way limits the implementation of the associated computer program instructions. The first program instruction is for receiving, at a client device, encrypted data from a data server. The data may be encrypted using a shared secret known to the client device and an authentication server. The second program instruction is for decrypting the encrypted data using the shared secret.
In another exemplary embodiment, a computer program product is provided. The computer program product may include at least one computer-readable storage medium having computer-readable program instructions stored therein. The computer-readable program instructions may include a plurality of program instructions. Although in this summary, the program instructions are ordered, it will be appreciated that this summary is provided merely for purposes of example and the ordering is merely to facilitate summarizing the computer program product. The example ordering in no way limits the implementation of the associated computer program instructions. The first program instruction is for sending a data encryption request to an authentication server. The data encryption request may include an indication of a client device to which the data server intends to send encrypted data. The second program instruction is for receiving a response to the data encryption request. The third program instruction is for sending encrypted data to the client device. The encrypted data may be encrypted based at least in part upon a shared secret known to the client device and the authentication server.
In another exemplary embodiment, a computer program product is provided. The computer program product may include at least one computer-readable storage medium having computer-readable program instructions stored therein. The computer-readable program instructions may include a plurality of program instructions. Although in this summary, the program instructions are ordered, it will be appreciated that this summary is provided merely for purposes of example and the ordering is merely to facilitate summarizing the computer program product. The example ordering in no way limits the implementation of the associated computer program instructions. The first program instruction is for receiving a data encryption request from a data server. The data encryption request may include an indication of a client device. The second program instruction is for responding to the data encryption request.
In another exemplary embodiment, an apparatus is provided, which may include a processor configured to receive encrypted data from a data server. The data may be encrypted using a shared secret known to the client device and an authentication server. The processor may be further configured to decrypt the encrypted data using the shared secret.
In another exemplary embodiment, an apparatus is provided, which may include a processor configured to send a data encryption request to an authentication server. The data encryption request may include an indication of a client device to which the data server intends to send encrypted data. The processor may be further configured to receive a response to the data encryption request. The processor may additionally be configured to send encrypted data to the client device. The encrypted data may be encrypted based at least in part upon a shared secret known to the client device and the authentication server. In another exemplary embodiment, an apparatus is provided, which may include a processor configured to receive a data encryption request from a data server. The data encryption request may include an indication of a client device. The processor may further be configured to respond to the data encryption request.
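The three-party exchange summarized in the embodiments above (data server, authentication server and client device), as an added example in Go that is not part of the filing: the AAA server holds static per-device secrets, the DMS either asks the AAA server to encrypt or obtains the secret and encrypts itself, the object carries an indicator that it is encrypted, and the data consumer decrypts only inside the secure environment. AES-GCM under a device-bound key derived with HMAC-SHA256, the type names and the sample secrets are this example's assumptions, not choices made by the filing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DMObject stands in for a management object; Encrypted is the indicator node.
type DMObject struct {
	Encrypted bool
	Payload   []byte // nonce||ciphertext when Encrypted, plaintext otherwise
}

// EncryptionRequest is the DMS-to-AAA data encryption request: Plaintext set
// means "encrypt this for the device"; WantKey set means "release the secret".
type EncryptionRequest struct {
	DeviceID  string
	Plaintext []byte
	WantKey   bool
}

// AuthServer models the AAA server: static shared secrets keyed by device id.
type AuthServer struct{ secrets map[string][]byte }

// aeadFor derives a device-bound AES-256 key from the shared secret (never used
// raw, since it may be a certificate); HMAC-SHA256 as KDF is this example's choice.
func aeadFor(secret []byte, deviceID string) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte("dm-object-encryption|" + deviceID))
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal binds the device id as associated data, so an object sealed for one
// device fails authentication on any other.
func seal(secret []byte, deviceID string, plaintext []byte) ([]byte, error) {
	aead, err := aeadFor(secret, deviceID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(deviceID)), nil
}

// Handle answers with the ciphertext (first mode) or the secret (second mode).
func (a *AuthServer) Handle(req EncryptionRequest) (payload, secret []byte, err error) {
	secret, ok := a.secrets[req.DeviceID]
	if !ok {
		return nil, nil, fmt.Errorf("unknown device %q", req.DeviceID)
	}
	if req.WantKey {
		return nil, secret, nil
	}
	payload, err = seal(secret, req.DeviceID, req.Plaintext)
	return payload, nil, err
}

// DataServer models the DMS; it holds no shared secrets of its own.
type DataServer struct{ aaa *AuthServer }

// Send asks the AAA server to encrypt (aaaEncrypts) or obtains the secret and
// encrypts locally; the indicator node is set in both cases.
func (d *DataServer) Send(deviceID string, data []byte, aaaEncrypts bool) (DMObject, error) {
	var payload, secret []byte
	var err error
	if aaaEncrypts {
		payload, _, err = d.aaa.Handle(EncryptionRequest{DeviceID: deviceID, Plaintext: data})
	} else if _, secret, err = d.aaa.Handle(EncryptionRequest{DeviceID: deviceID, WantKey: true}); err == nil {
		payload, err = seal(secret, deviceID, data)
	}
	if err != nil {
		return DMObject{}, err
	}
	return DMObject{Encrypted: true, Payload: payload}, nil
}

// Consume is the data consumer inside the secure environment, the only place
// holding the device's secret; it decrypts only when the indicator node is set.
func Consume(secret []byte, deviceID string, obj DMObject) ([]byte, error) {
	if !obj.Encrypted {
		return obj.Payload, nil
	}
	aead, err := aeadFor(secret, deviceID)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(obj.Payload) >= n {
		return aead.Open(nil, obj.Payload[:n], obj.Payload[n:], []byte(deviceID))
	}
	return nil, fmt.Errorf("payload shorter than nonce")
}
```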
The above summary is provided merely for purposes of summarizing some example embodiments of the invention so as to provide a basic understanding of some aspects of the invention. Accordingly, it will be appreciated that the above described example embodiments are merely examples and should not be construed to narrow the scope or spirit of the invention in any way. It will be appreciated that the scope of the invention encompasses many potential embodiments, some of which will be further described below, in addition to those here summarized.
BRIEF DESCRIPTION OF THE DRAWINGS
Having thus described embodiments of the invention in general terms, reference will now be made to the accompanying drawings, which are not necessarily drawn to scale, and wherein:
FIG. 1 illustrates a block diagram of a system that may benefit from embodiments of the present invention;
FIG. 2 illustrates a block diagram of a system 200 for protecting data, such as may be related to remote management of a client device, according to an exemplary embodiment of the present invention;
FIG. 3 is a schematic block diagram of a mobile terminal according to an exemplary embodiment of the present invention;
FIGs. 4-6 are flowcharts according to an exemplary method for protecting data, such as may be related to remote management of a client device, according to an exemplary embodiment of the present invention.
DETAILED DESCRIPTION
Some embodiments of the present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which some, but not all embodiments of the invention are shown. Indeed, the invention may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will satisfy applicable legal requirements. Like reference numerals refer to like elements throughout.
FIG. 1 illustrates a block diagram of a system 100 that may benefit from embodiments of the present invention. In this regard, FIG. 1 illustrates a client device 102 configured to communicate with network service provider domain entities in accordance with OMA DM protocol. However, the client device 102 may additionally or alternatively be configured to communicate with network service provider domain entities in accordance with other device management protocols, such as TR-069, and indeed embodiments of the invention may also benefit systems implementing other such device management protocols through encryption of at least some data transmitted to a client device. In this regard, the client device 102 is configured to communicate with a device management server (DMS) 104 over the interface 108 and with an authentication, authorization, and accounting (AAA) server 106 over the interface 110. The DMS 104 and AAA server 106 may be in communication with each other over the interface 112. The interface 112 may comprise a wireline network, wireless network, cellular network, the Internet, and/or some combination thereof. In the system 100 illustrated in FIG. 1, the interfaces 108 and 110 comprise wireless interfaces in conformance with WiMax protocol. However, it will be appreciated that embodiments of the present invention are also beneficial to systems wherein the interfaces 108 and 110 are established in accordance with some other communications protocol and may instead comprise wireline interfaces and/or wireless interfaces using a protocol other than WiMax. In some embodiments, the interfaces 108, 110, and 112 may comprise an integrated network (e.g., a wireless network, wired network, cellular network, the Internet, and/or some combination thereof) and devices of the system 100 may communicate with each other through the integrated network.
The client device 102 comprises a WiMax network interface ("WiMax L2") 114 configured to engage in WiMax communications with the DMS 104 over the interface 108 and the AAA server 106 over the interface 110. The WiMax network interface 114 may be at least partially implemented in hardware and may comprise a processor. The client device 102 further comprises an internet protocol (IP) stack 116 configured to support IP communications between the client device 102 and other devices of the system 100, such as the DMS 104. The IP stack 116 is configured to communicate with the secure hypertext transfer protocol stack (HTTPS) 120 over the interface 118, which may, for example, comprise an internal bus or other internal interface of the client device 102. Similarly, the interfaces 122, 128, and/or 132 may comprise an internal interface of the client device 102. The HTTPS 120 may support transport layer security (TLS). Accordingly, confidentiality of data exchanged over the interface 118 may be maintained through use of TLS. The OMA DM client 124 is configured to receive data, such as may have been sent to the client device 102 by the DMS 104, over the interface 122. The OMA DM client may store the received data in the database 126. The extensible authentication protocol (EAP) stack 130 comprises a data consumer and may access data from the database 126 over the interface 128. The EAP stack 130 is further configured to exchange data with the AAA server 106 over the interfaces 132 and 110 using the WiMax network interface 114. Confidentiality of data exchanged over the interfaces 132 and 110 may be protected through EAP Tunneled Transport Layer Security (EAP-TTLS) or through some other means. The EAP stack 130 may comprise software, which may, for example, be executed by the WiMax network interface 114 or by some other hardware processing entity within the client device 102.
An illustrative data flow to which embodiments of the invention may be applied comprises the DMS server 104 sending data to the OMA DM client 124 via the interfaces 108, 118, and 122. The OMA DM client 124 may store the received data in the database 126. The data may comprise confidential data, such as management objects. The EAP stack 130 then accesses or receives the data over the interface 128 and consumes or otherwise uses the data, such as in accordance with OMA DM protocol. In embodiments wherein the client device 102 or at least some components thereof are run in an open environment, the data may be exposed when communicated over the interfaces 122 and 128 if it is not encrypted. However, as previously mentioned, there is no pre-existing standardized mechanism enabling protection of data sent from the DMS server 104 to the client device 102 so that confidentiality of the data may be maintained even when communicated over internal interfaces of the client device 102 outside of a secure environment, such as the interfaces 122 and 128. Accordingly, embodiments of the present invention provide means for encrypting data, such as OMA DM management objects, sent to a client device through the use of a shared secret known both to the client device and to a network entity that encrypts data to send to the client device. In this regard, embodiments of the present invention may be applied to systems implementing OMA DM, TR-069 or some other device management protocol used for remote management of a computing device.
Accordingly, FIG. 2 illustrates a block diagram of a system 200 for protecting data, such as may be related to remote management of a client device. As used herein, "exemplary" merely means an example and as such represents one example embodiment for the invention and should not be construed to narrow the scope or spirit of the invention in any way. It will be appreciated that the scope of the invention encompasses many potential embodiments in addition to those illustrated and described herein. As such, while FIG. 2 illustrates one example of a configuration of a system for protecting data, numerous other configurations may also be used to implement embodiments of the present invention. Referring now to FIG. 2, in at least some embodiments, the system 200 may include a client device 202, data server 204, and authentication server 206 configured to communicate with each other over the network 208. The client device 202 may be embodied as a server, desktop computer, laptop computer, mobile terminal, mobile computer, mobile phone, mobile communication device, game device, digital camera/camcorder, audio/video player, television device, radio receiver, digital video recorder, positioning device, any combination thereof, and/or the like. The client device 202 may be configured to be remotely managed by a network service provider entity (e.g., the data server 204), such as in accordance with OMA DM protocol, TR-069, and/or some other device management protocol. In an exemplary embodiment, the client device 202 is embodied as a mobile terminal, such as that illustrated in FIG. 3. In this regard, FIG. 3 illustrates a block diagram of a mobile terminal 10 representative of one embodiment of a client device 202 in accordance with embodiments of the present invention.
It should be understood, however, that the mobile terminal 10 illustrated and hereinafter described is merely illustrative of one type of client device 202 that may benefit from embodiments of the present invention and, therefore, should not be taken to limit the scope of the present invention. While several embodiments of the electronic device are illustrated and will be hereinafter described for purposes of example, other types of electronic devices, such as mobile telephones, mobile computers, portable digital assistants (PDAs), pagers, laptop computers, desktop computers, gaming devices, televisions, and other types of electronic systems, may employ embodiments of the present invention. As shown, the mobile terminal 10 may include an antenna 12 (or multiple antennas 12) in communication with a transmitter 14 and a receiver 16. The mobile terminal may also include a controller 20 or other processor(s) that provides signals to and receives signals from the transmitter and receiver, respectively. These signals may include signaling information in accordance with an air interface standard of an applicable cellular system, and/or any number of different wireline or wireless networking techniques, comprising but not limited to WiMAX, Wireless-Fidelity (Wi-Fi), wireless local area network (WLAN) techniques such as Institute of Electrical and Electronics Engineers (IEEE) 802.11, and/or the like. In addition, these signals may include speech data, user generated data, user requested data, and/or the like. In this regard, the mobile terminal may be capable of operating with one or more air interface standards, communication protocols, modulation types, access types, and/or the like. More particularly, the mobile terminal may be capable of operating in accordance with various first generation (1G), second generation (2G), 2.5G, third-generation (3G) communication protocols, fourth-generation (4G) communication protocols, and/or the like. For example, the mobile terminal may be capable of operating in accordance with 2G wireless communication protocols IS-136 (Time Division Multiple Access (TDMA)), Global System for Mobile communications (GSM), IS-95 (Code Division Multiple Access (CDMA)), and/or the like. Also, for example, the mobile terminal may be capable of operating in accordance with 2.5G wireless communication protocols General Packet Radio Service (GPRS), Enhanced Data GSM Environment (EDGE), and/or the like. Further, for example, the mobile terminal may be capable of operating in accordance with 3G wireless communication protocols such as Universal Mobile Telecommunications System (UMTS), Code Division Multiple Access 2000 (CDMA2000), Wideband Code Division Multiple Access (WCDMA), Time Division-Synchronous Code Division Multiple Access (TD-SCDMA), and/or the like. The mobile terminal may be additionally capable of operating in accordance with 3.9G wireless communication protocols such as Long Term Evolution (LTE) or Evolved Universal Terrestrial Radio Access Network (E-UTRAN) and/or the like. Additionally, for example, the mobile terminal may be capable of operating in accordance with fourth-generation (4G) wireless communication protocols and/or the like as well as similar wireless communication protocols that may be developed in the future.
Some Narrow-band Advanced Mobile Phone System (NAMPS), as well as Total Access Communication System (TACS), mobile terminals may also benefit from embodiments of this invention, as should dual or higher mode phones (e.g., digital/analog or TDMA/CDMA/analog phones). Additionally, the mobile terminal 10 may be capable of operating according to Wireless Fidelity (Wi-Fi) or WiMax protocols.
It is understood that the controller 20 may comprise circuitry for implementing audio/video and logic functions of the mobile terminal 10. For example, the controller 20 may comprise a digital signal processor device, a microprocessor device, an analog-to-digital converter, a digital-to-analog converter, and/or the like. Control and signal processing functions of the mobile terminal may be allocated between these devices according to their respective capabilities. The controller may additionally comprise an internal voice coder (VC) 20a, an internal data modem (DM) 20b, and/or the like. Further, the controller may comprise functionality to operate one or more software programs, which may be stored in memory. For example, the controller 20 may be capable of operating a connectivity program, such as a web browser. The connectivity program may allow the mobile terminal 10 to transmit and receive web content, such as location-based content, according to a protocol, such as Wireless Application Protocol (WAP), hypertext transfer protocol (HTTP), and/or the like. The mobile terminal 10 may be capable of using a Transmission Control Protocol/Internet Protocol (TCP/IP) to transmit and receive web content across the internet or other networks.
The mobile terminal 10 may also comprise a user interface which may include, for example, an earphone or speaker 24, a ringer 22, a microphone 26, a display 28, a user input interface, and/or the like, which may be operationally coupled to the controller 20. Although not shown, the mobile terminal may comprise a battery for powering various circuits related to the mobile terminal, for example, a circuit to provide mechanical vibration as a detectable output. The user input interface may comprise devices allowing the mobile terminal to receive data, such as a keypad 30, a touch display (not shown), a joystick (not shown), and/or other input device. In embodiments including a keypad, the keypad may comprise numeric (0-9) and related keys (#, *), and/or other keys for operating the mobile terminal.
The mobile terminal 10 may include a positioning sensor (not illustrated). The positioning sensor may include, for example, a global positioning system (GPS) sensor, an assisted global positioning system (Assisted-GPS) sensor, etc. In one embodiment, however, the positioning sensor may include a pedometer or inertial sensor. In some embodiments, the positioning sensor is additionally or alternatively configured to determine a location of the mobile terminal using short-range radio signals, such as, for example, WLAN signals, Bluetooth signals, and/or the like. Further, the positioning sensor may determine the location of the mobile terminal based upon signal triangulation or other mechanisms. The positioning sensor may be configured to determine a location of the mobile terminal, such as latitude and longitude coordinates of the mobile terminal or a position relative to a reference point such as a destination or a start point. Information from the positioning sensor may be communicated to a memory of the mobile terminal or to another memory device to be stored as a position history or location information. Furthermore, a memory of the mobile terminal may store instructions for determining cell id information. In this regard, the memory may store an application program for execution by the controller 20, which may determine an identity of the current cell, i.e., cell id identity or cell id information, with which the mobile terminal is in communication. In conjunction with the positioning sensor, the cell id information may be used to more accurately determine a location of the mobile terminal.
As shown in Figure 3, the mobile terminal 10 may also include one or more means for sharing and/or obtaining data. For example, the mobile terminal may comprise a short-range radio frequency (RF) transceiver and/or interrogator 64 so data may be shared with and/or obtained from electronic devices in accordance with RF techniques. The mobile terminal may comprise other short-range transceivers, such as, for example, an infrared (IR) transceiver 66, a Bluetooth™ (BT) transceiver 68 operating using Bluetooth™ brand wireless technology developed by the Bluetooth™ Special Interest Group, a wireless universal serial bus (USB) transceiver 70 and/or the like. The Bluetooth™ transceiver 68 may be capable of operating according to ultra-low power Bluetooth™ technology (e.g., Wibree™) radio standards. In this regard, the mobile terminal 10 and, in particular, the short-range transceiver may be capable of transmitting data to and/or receiving data from electronic devices within a proximity of the mobile terminal, such as within 10 meters, for example. Although not shown, the mobile terminal may be capable of transmitting and/or receiving data from electronic devices according to various wireless networking techniques, including WiMAX, Wireless Fidelity (Wi-Fi), WLAN techniques such as IEEE 802.11 techniques, and/or the like.
The mobile terminal 10 may comprise memory, such as a subscriber identity module (SIM) 38, a removable user identity module (R-UIM), and/or the like, which may store information elements related to a mobile subscriber. In addition to the SIM, the mobile terminal may comprise other removable and/or fixed memory. The mobile terminal 10 may include volatile memory 40 and/or non-volatile memory 42. For example, volatile memory 40 may include Random Access Memory (RAM) including dynamic and/or static RAM, on-chip or off-chip cache memory, and/or the like. Non-volatile memory 42, which may be embedded and/or removable, may include, for example, read-only memory, flash memory, magnetic storage devices (e.g., hard disks, floppy disk drives, magnetic tape, etc.), optical disc drives and/or media, non-volatile random access memory (NVRAM), and/or the like. Like volatile memory 40, non-volatile memory 42 may include a cache area for temporary storage of data. The memories may store one or more software programs, instructions, pieces of information, data, and/or the like which may be used by the mobile terminal for performing functions of the mobile terminal. For example, the memories may comprise an identifier, such as an international mobile equipment identity (IMEI) code, capable of uniquely identifying the mobile terminal 10.
Returning to FIG. 2, the data server 204 may comprise any computing device or plurality of computing devices configured to provide data to the client device 202 over the network 208. The data may comprise device management data, such as OMA DM management objects. Accordingly, in an exemplary embodiment, the data server 204 is embodied as a DMS, such as the DMS 104, that is configured to provide encrypted data to the client device 202 in accordance with embodiments of the invention. The authentication server 206 is configured to facilitate authentication of the client device 202 to the data server 204 and vice versa. Accordingly, the authentication server 206 may be configured to facilitate authentication between a client device 202 and a network service domain configured to provide remote management data to the client device 202. In an exemplary embodiment, the authentication server 206 is embodied as an AAA server, such as the AAA server 106, that is configured to facilitate encryption of data communicated to the client device 202 by the data server 204 in conformance with embodiments of the invention.
In an exemplary embodiment, the client device 202 may include various means, such as a processor 210, memory 212, communication interface 214, device management client 216, and data consumer unit 218 for performing the various functions herein described. These means of the client device 202 as described herein may be embodied as, for example, hardware elements (e.g., a suitably programmed processor, combinational logic circuit, and/or the like), computer code (e.g., software or firmware) embodied on a computer-readable medium (e.g. memory 212) that is executable by a suitably configured processing device (e.g., the processor 210), or some combination thereof. The processor 210 may, for example, be embodied as various means including a microprocessor, a coprocessor, a controller, or various other processing elements including integrated circuits such as, for example, an ASIC (application specific integrated circuit) or FPGA (field programmable gate array). In embodiments wherein the client device 202 is embodied as a mobile terminal 10, the processor 210 may be embodied as or otherwise comprise the controller 20. In an exemplary embodiment, the processor 210 is configured to execute instructions stored in the memory 212 or otherwise accessible to the processor 210. Although illustrated in FIG. 2 as a single processor, in some embodiments the processor 210 comprises a plurality of processors.
The memory 212 may include, for example, volatile and/or non-volatile memory. The memory 212 may be configured to store information, data, applications, instructions, or the like for enabling the client device 202 to carry out various functions in accordance with exemplary embodiments of the present invention. For example, in at least some embodiments, the memory 212 is configured to buffer input data for processing by the processor 210. Additionally or alternatively, in at least some embodiments, the memory 212 is configured to store program instructions for execution by the processor 210. The memory 212 may comprise one or more databases that store information in the form of static and/or dynamic information. This stored information may be stored and/or used by the device management client 216 and/or data consumer unit 218 during the course of performing their functionalities.
The communication interface 214 may be embodied as any device or means embodied in hardware, software, firmware, or a combination thereof that is configured to receive and/or transmit data from/to a remote device, such as the data server 204 and/or authentication server 206 over the network 208. In at least one embodiment, the communication interface 214 is at least partially embodied as or otherwise controlled by the processor 210. The communication interface 214 may include, for example, an antenna, a transmitter, a receiver, a transceiver and/or supporting hardware or software for enabling communications with other entities of the system 200. The communication interface 214 may be configured to receive and/or transmit data using any protocol that may be used for communications between computing devices of the system 200. In this regard, the communication interface 214 may be configured to receive and/or transmit data in accordance with OMA DM protocol standards. In at least some embodiments, the communication interface 214 comprises the WiMax network interface 114, IP stack 116, and/or HTTPS 120 illustrated in FIG. 1. The communication interface 214 may additionally be in communication with the memory 212, device management client 216, and/or data consumer unit 218, such as via a bus.
The device management client 216 may be embodied as various means, such as hardware, software, firmware, or some combination thereof and, in one embodiment, is embodied as or otherwise controlled by the processor 210. In embodiments where the device management client 216 is embodied separately from the processor 210, the device management client 216 may be in communication with the processor 210. The device management client 216 is configured to receive data, such as may comprise device management data, from the data server 204. The device management client 216 may store the received data in a memory, such as the memory 212 or in another memory, which may be embodied on the device management client 216. In some embodiments the device management client 216 comprises an OMA DM client. It will be appreciated, however, that in embodiments where the device management client 216 is embodied as an OMA DM client, the device management client 216 does not necessarily comprise an integrated database or other memory, such as the database 126 illustrated in the OMA DM client 124 of FIG. 1, although in an exemplary embodiment, the device management client 216 may comprise an integrated database. The device management client 216 is further configured to provide the data consumer unit 218 with access to data received from the data server 204.
The data consumer unit 218 may be embodied as various means, such as hardware, software, firmware, or some combination thereof and, in one embodiment, is embodied as or otherwise controlled by the processor 210. In embodiments where the data consumer unit 218 is embodied separately from the processor 210, the data consumer unit 218 may be in communication with the processor 210. The data consumer unit 218 is configured to consume or otherwise use data, such as device management data. In this regard, the data consumer unit 218 is configured to receive or otherwise access data from the device management client 216. In at least some embodiments, the data consumer unit 218 is embodied as an EAP stack.
Referring now to the data server 204, embodiments of the data server 204 may include various means, such as a processor 220, memory 222, communication interface 224, and data provision unit 226 for performing the various functions herein described. These means of the data server 204 as described herein may be embodied as, for example, hardware elements (e.g., a suitably programmed processor, combinational logic circuit, and/or the like), computer code (e.g., software or firmware) embodied on a computer-readable medium (e.g. memory 222) that is executable by a suitably configured processing device (e.g., the processor 220), or some combination thereof. The processor 220 may, for example, be embodied as various means including a microprocessor, a coprocessor, a controller, or various other processing elements including integrated circuits such as, for example, an ASIC (application specific integrated circuit) or FPGA (field programmable gate array). In an exemplary embodiment, the processor 220 is configured to execute instructions stored in the memory 222 or otherwise accessible to the processor 220. Although illustrated in FIG. 2 as a single processor, in some embodiments, the processor 220 comprises a plurality of processors, which may operate cooperatively, such as in parallel. In embodiments wherein the processor 220 is embodied as a plurality of processors, the plurality of processors may be embodied in a single computing device or in a plurality of computing devices operating cooperatively to implement the data server 204.
The memory 222 may include, for example, volatile and/or non-volatile memory. The memory 222 may be configured to store information, data, applications, instructions, or the like. For example, in at least some embodiments, the memory 222 is configured to buffer input data for processing by the processor 220. Additionally or alternatively, the memory 222 is configured in at least some embodiments to store program instructions for execution by the processor 220. The memory 222 may comprise one or more databases that store information in the form of static and/or dynamic information. This stored information may be stored and/or used by the data provision unit 226 during the course of performing its functionalities.
The communication interface 224 may be embodied as any device or means embodied in hardware, software, firmware, or a combination thereof that is configured to receive and/or transmit data from/to a remote device, such as the client device 202 and/or authentication server 206 over the network 208. In one embodiment, the communication interface 224 is at least partially embodied as or otherwise controlled by the processor 220. The communication interface 224 may include, for example, an antenna, a transmitter, a receiver, a transceiver and/or supporting hardware or software for enabling communications with other entities of the system 200. The communication interface 224 may be configured to receive and/or transmit data using any protocol that may be used for communications between computing devices of the system 200. In this regard, the communication interface 224 may be configured to receive and/or transmit data in accordance with OMA DM protocol standards. The communication interface 224 may additionally be in communication with the memory 222 and/or data provision unit 226, such as via a bus.
The data provision unit 226 may be embodied as various means, such as hardware, software, firmware, or some combination thereof and, in one embodiment, is embodied as or otherwise controlled by the processor 220. In embodiments wherein the data provision unit 226 is embodied separately from the processor 220, the data provision unit 226 may be in communication with the processor 220. The data provision unit 226 is configured to send encrypted data, such as encrypted device management data (e.g., device management objects in accordance with OMA DM protocol) to the client device 202.
Referring now to the authentication server 206, embodiments of the authentication server 206 may include various means, such as a processor 230, memory 232, communication interface 234, and security unit 236 for performing the various functions herein described. These means of the authentication server 206 as described herein may be embodied as, for example, hardware elements (e.g., a suitably programmed processor, combinational logic circuit, and/or the like), computer code (e.g., software or firmware) embodied on a computer-readable medium (e.g. memory 232) that is executable by a suitably configured processing device (e.g., the processor 230), or some combination thereof. The processor 230 may, for example, be embodied as various means including a microprocessor, a coprocessor, a controller, or various other processing elements including integrated circuits such as, for example, an ASIC (application specific integrated circuit) or FPGA (field programmable gate array). In an exemplary embodiment, the processor 230 is configured to execute instructions stored in the memory 232 or otherwise accessible to the processor 230. Although illustrated in FIG. 2 as a single processor, in some embodiments, the processor 230 comprises a plurality of processors, which may operate cooperatively, such as in parallel. In embodiments wherein the processor 230 is embodied as a plurality of processors, the plurality of processors may be embodied in a single computing device or in a plurality of computing devices operating cooperatively to implement the authentication server 206.
The memory 232 may include, for example, volatile and/or non-volatile memory. The memory 232 may be configured to store information, data, applications, instructions, or the like. For example, in at least some embodiments, the memory 232 is configured to buffer input data for processing by the processor 230. Additionally or alternatively, the memory 232 is configured in at least some embodiments to store program instructions for execution by the processor 230. The memory 232 may comprise one or more databases that store information in the form of static and/or dynamic information. For example, the memory 232 may store a shared secret known to the authentication server 206 and the client device 202. This stored information may be stored and/or used by security unit 236 during the course of performing its functionalities.
The communication interface 234 may be embodied as any device or means embodied in hardware, software, firmware, or a combination thereof that is configured to receive and/or transmit data from/to a remote device, such as the data server 204 and/or client device 202 over the network 208. In one embodiment, the communication interface 234 is at least partially embodied as or otherwise controlled by the processor 230. The communication interface 234 may include, for example, an antenna, a transmitter, a receiver, a transceiver and/or supporting hardware or software for enabling communications with other entities of the system 200. The communication interface 234 may be configured to receive and/or transmit data using any protocol that may be used for communications between computing devices of the system 200. In this regard, the communication interface 234 may be configured to receive and/or transmit data in accordance with OMA DM protocol standards. The communication interface 234 may additionally be in communication with the memory 232 and/or security unit 236, such as via a bus.
The security unit 236 may be embodied as various means, such as hardware, software, firmware, or some combination thereof and, in one embodiment, is embodied as or otherwise controlled by the processor 230. In embodiments wherein the security unit 236 is embodied separately from the processor 230, the security unit 236 may be in communication with the processor 230. In at least some embodiments, when the data provision unit 226 needs to send data to the client device 202, the data provision unit 226 is configured to send a data encryption request to the authentication server 206. The data to be sent to the client device 202 may comprise device management data related to remote management of the client device 202. The device management data may comprise an OMA DM management object. The data encryption request may include an indication of an identity of the client device 202 so that the authentication server may identify the client device 202 associated with the data encryption request. The data encryption request may comprise at least a portion of the data that the data provision unit 226 needs to send to the client device 202 so that the authentication server 206 may encrypt the data for the data provision unit 226 based at least in part upon a shared secret known to the authentication server 206 and the client device 202. In this regard, the data encryption request may comprise a request that the authentication server encrypt at least a portion of data included in the data encryption request (e.g., in embodiments wherein the authentication server 206 is responsible for encrypting data to be sent to the client device 202 and does not share the shared secret with the data server 204).
Alternatively, the data encryption request may comprise a request that the authentication server 206 send the shared secret known to the authentication server 206 and client device 202 to the data server 204 (e.g., in embodiments wherein the authentication server 206 shares shared secrets with the data server 204 and the data server 204 is responsible for encrypting data to be sent to the client device 202). The security unit 236 of the authentication server is configured to receive the data encryption request. The security unit 236 may be further configured to retrieve the shared secret known to both the authentication server 206 and client device 202 based at least in part upon the identity of the client device 202 included in the received data encryption request. In this regard, the security unit 236 may retrieve the shared secret from a memory, such as the memory 232, that may store a plurality of shared secrets, each of which may be associated with a particular client device 202. The shared secret may comprise any static secret known to both the client device and the authentication server. In some embodiments, the shared secret comprises a device certificate. The device certificate may comprise, for example, an X.509 WiMax device certificate or a certificate used for secure HTTP communications between the client device 202 and authentication server 206. It will be appreciated, however, that the shared secret may comprise any shared secret known to both the client device 202 and any component or entity of the system 200, such as the authentication server 206 and/or data server 204.
If the data encryption request includes unencrypted data for the authentication server 206 to encrypt, the security unit 236 is configured to encrypt the unencrypted data based at least in part upon the shared secret. In this regard, the security unit 236 may be configured to encrypt the data using the shared secret in accordance with any encryption algorithm or protocol known to both the security unit 236 and data consumer unit 218. The security unit 236 is further configured to send a response to the data encryption request to the data server 204 comprising the encrypted data.
Alternatively, if the data encryption request comprises a request that the authentication server 206 send the shared secret known to the authentication server 206 and client device 202 to the data server 204, the security unit 236 is configured to send a response to the data encryption request comprising the retrieved shared secret.
The data provision unit 226 is accordingly configured to receive the response to the data encryption request. In at least some embodiments wherein the data server 204 encrypts data to be sent to the client device 202 (e.g., in embodiments wherein the authentication server 206 shares shared secrets with the data server 204 and the data server 204 is responsible for encrypting data to be sent to the client device 202), the data provision unit 226 is further configured to extract the shared secret from the response and encrypt the data to be sent to the client device 202 based at least in part upon the shared secret. In this regard, the data provision unit 226 may be configured to encrypt the data using the shared secret in accordance with any encryption algorithm or protocol known to both the data provision unit 226 and data consumer unit 218.
When the response comprises encrypted data (e.g., in embodiments wherein the authentication server 206 is responsible for encrypting data to be sent to the client device 202 and does not share the shared secret with the data server 204), the data provision unit 226 may be configured to extract the encrypted data from the response so that it may be sent to the client device 202.
In at least some embodiments, however, the data server 204 or some component thereof, such as the data provision unit 226, has access to the shared secret at the outset and accordingly, the data provision unit 226 does not need to send a data encryption request to the authentication server 206. In such embodiments, the data provision unit 226 may be configured to access the shared secret, such as from the memory 222 and encrypt the data to be sent to the client device 202 based at least in part upon the shared secret using any encryption algorithm or protocol known to both the data provision unit 226 and data consumer unit 218.
Further, in at least some embodiments, the data provision unit 226 is configured to send a data encryption request to a network entity or component other than the authentication server 206 that has access to the shared secret. In this regard, the data provision unit 226 may send a data encryption request to the network entity or component in order to obtain the shared secret and/or to have the network entity or component encrypt data included in the data encryption request using the shared secret, such as described in connection with the security unit 236.
The data provision unit 226 is further configured to send the encrypted data to the client device 202. The data provision unit 226 may be configured to send the encrypted data to the client device 202 in accordance with OMA DM protocol, TR-069 standards, and/or the like. The data provision unit 226 may be configured to send the encrypted data with an indication that the encrypted data is encrypted. The indication may comprise a flag, parameter, or other indication that the data is encrypted. In some embodiments, a node of an OMA DM management object that is at least partially encrypted may indicate that at least a portion of the OMA DM management object is encrypted. The device management client 216 is configured to receive the encrypted data from the data server 204. In this regard, the device management client 216 may receive the encrypted data over a bus or other interface internal to the client device 202 from the communication interface 214. The device management client 216 may store the received encrypted data in a database, which may be embodied on memory 212 or some other memory, which may be embodied on the device management client 216. In some embodiments, the device management client 216 is configured to provide the data consumer unit 218 with access to the encrypted data. In this regard, the device management client 216 may be configured to allow the data consumer unit 218 to access the encrypted data from where it was stored by the device management client 216. Additionally or alternatively, the device management client 216 may be configured to send the encrypted data to the data consumer unit 218 over a bus or other interface within the client device 202, such as in response to a request by the data consumer unit 218.
In some embodiments, however, the data consumer unit 218 is configured to receive or otherwise access the encrypted data directly from the communication interface 214, rather than from the device management client 216. The data consumer unit 218 is configured to decrypt the encrypted data based at least in part upon the shared secret. If the data consumer unit 218 does not already know the shared secret, the data consumer unit 218 may be configured to retrieve the shared secret from the authentication server 206 or some other entity of the client device 202 having access to the shared secret. The data consumer unit 218 may be configured to decrypt the encrypted data using the shared secret in accordance with the encryption algorithm used by the data provision unit 226 or security unit 236 to encrypt the encrypted data.
The data consumer unit 218 may be configured to determine whether data accessed from the device management client 216 is encrypted prior to decrypting the data, since data that is not encrypted does not need to be decrypted. In this regard, the data consumer unit 218 may be configured to determine whether the accessed data comprises an indication that the data is encrypted. This indication may comprise any of the above-described indications that may be included with the encrypted data by the data provision unit 226.
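The data-encryption-request flow described above, modelled end to end as an added example (this is illustrative code, not the patent's or Nokia's implementation). It assumes a JSON message layout, an "encrypted" indication flag, client identities of the form "IMSI-0001", and, since the patent leaves the cipher open, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag so that it runs on the Python standard library alone; both deployment variants (AAA encrypts, or AAA hands the shared secret to the data server) are covered.

```python
import hashlib
import hmac
import json
import os

# --- shared-secret based encryption (assumed construction) -----------------
# The patent says only "any encryption algorithm known to both sides"; this
# example uses HMAC-SHA256 as a PRF in counter mode plus an encrypt-then-MAC
# tag so that it needs nothing beyond the standard library.

def _derive(shared_secret: bytes, label: bytes) -> bytes:
    """Derive an independent sub-key (enc or mac) from the static shared secret."""
    return hmac.new(shared_secret, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_with_secret(shared_secret: bytes, plaintext: bytes) -> dict:
    """Return a transport blob: fresh nonce, ciphertext and integrity tag."""
    nonce = os.urandom(16)
    ks = _keystream(_derive(shared_secret, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(shared_secret, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_with_secret(shared_secret: bytes, blob: dict) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(_derive(shared_secret, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong secret or tampered data")
    ks = _keystream(_derive(shared_secret, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# --- authentication server (role of security unit 236) --------------------
class AuthenticationServer:
    def __init__(self, secrets: dict):
        self._secrets = secrets  # client identity -> static shared secret

    def handle_encryption_request(self, request: dict) -> dict:
        """Encrypt on behalf of the data server, or hand out the shared secret,
        depending on which deployment variant the request asks for."""
        secret = self._secrets.get(request["client_id"])
        if secret is None:
            return {"status": "unknown_client"}
        if request["mode"] == "encrypt":
            return {"status": "ok", "encrypted": encrypt_with_secret(secret, request["data"].encode())}
        if request["mode"] == "share_secret":
            return {"status": "ok", "shared_secret": secret.hex()}
        return {"status": "bad_request"}


# --- data server (role of data provision unit 226) ------------------------
class DataServer:
    def __init__(self, auth: AuthenticationServer, mode: str):
        self._auth, self._mode = auth, mode  # mode: "encrypt" or "share_secret"

    def build_message(self, client_id: str, management_object: dict) -> dict:
        """Produce the DM message carrying the encrypted object plus an explicit
        'encrypted' indication (the patent's flag/parameter indication)."""
        payload = json.dumps(management_object, sort_keys=True)
        request = {"client_id": client_id, "mode": self._mode}
        if self._mode == "encrypt":
            request["data"] = payload  # AAA never sees the secret leave it
        reply = self._auth.handle_encryption_request(request)
        if reply["status"] != "ok":
            raise RuntimeError(f"AAA refused request: {reply['status']}")
        if self._mode == "encrypt":
            blob = reply["encrypted"]
        else:
            blob = encrypt_with_secret(bytes.fromhex(reply["shared_secret"]), payload.encode())
        return {"encrypted": True, "payload": blob}


# --- client side (role of data consumer unit 218) -------------------------
def consume(message: dict, shared_secret: bytes) -> dict:
    """Check the indication first: only data flagged as encrypted is decrypted."""
    if not message.get("encrypted"):
        return message["payload"]  # plain management object, used as-is
    return json.loads(decrypt_with_secret(shared_secret, message["payload"]))


# Constructed sample: one provisioned client and a small EAP-style management object.
CLIENT_SECRET = hashlib.sha256(b"constructed device certificate bytes").digest()
AAA = AuthenticationServer({"IMSI-0001": CLIENT_SECRET})
MO = {"./EAP/Identity": "user@example.invalid", "./EAP/Method": "TLS"}

if __name__ == "__main__":
    for mode in ("encrypt", "share_secret"):
        msg = DataServer(AAA, mode).build_message("IMSI-0001", MO)
        print(mode, consume(msg, CLIENT_SECRET) == MO)  # prints True for both variants
```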
Once the data consumer unit 218 has decrypted the encrypted data, the data consumer unit 218 may consume or otherwise use the data. If the data comprises device management data, such as an OMA DM management object, the data consumer unit 218 may be configured to take action based at least in part upon the contents of the management object.
FIGs. 4-6 are flowcharts of systems, methods, and computer program products according to exemplary embodiments of the invention. It will be understood that each block or step of the flowcharts, and combinations of blocks in the flowcharts, may be implemented by various means, such as hardware, firmware, and/or software including one or more computer program instructions. For example, one or more of the procedures described above may be embodied by computer program instructions. In this regard, the computer program instructions which embody the procedures described above may be stored by a memory device of a mobile terminal, server, or other computing device and executed by a processor in the computing device. In some embodiments, the computer program instructions which embody the procedures described above may be stored by memory devices of a plurality of computing devices. As will be appreciated, any such computer program instructions may be loaded onto a computer or other programmable apparatus to produce a machine, such that the instructions which execute on the computer or other programmable apparatus create means for implementing the functions specified in the flowchart block(s) or step(s). These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart block(s) or step(s).
The computer program instructions may also be loaded onto a computer or other programmable apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block(s) or step(s). Accordingly, blocks or steps of the flowcharts support combinations of means for performing the specified functions, combinations of steps for performing the specified functions and program instruction means for performing the specified functions. It will also be understood that one or more blocks or steps of the flowcharts, and combinations of blocks or steps in the flowcharts, may be implemented by special purpose hardware-based computer systems which perform the specified functions or steps, or combinations of special purpose hardware and computer instructions.
In this regard, one exemplary method for protecting data, such as may be related to remote management of a client device, according to an exemplary embodiment of the present invention is illustrated in FIG. 4. In this regard, FIG. 4 illustrates operations which may occur at a client device 202. The method comprises the device management client 216 and/or data consumer unit 218 receiving encrypted data that was sent to the client device 202 by the data server 204, at operation 400. Operation 410 comprises the data consumer unit 218 decrypting the encrypted data using a shared secret known to the client device 202 and authentication server 206. Operation 420 comprises the data consumer unit 218 consuming the decrypted data.
FIG. 5 illustrates a flowchart according to an exemplary method for protecting data, such as may be related to remote management of a client device, according to an exemplary embodiment of the present invention. In this regard, FIG. 5 illustrates operations which may occur at a data server 204. The method comprises the data provision unit 226 sending a data encryption request to the authentication server 206, at operation 500. Operation 510 comprises the data provision unit 226 receiving a response to the data encryption request. Operation 520 comprises the data provision unit 226 sending encrypted data to the client device 202.
FIG. 6 illustrates a flowchart according to an exemplary method for protecting data, such as may be related to remote management of a client device, according to an exemplary embodiment of the present invention. In this regard, FIG. 6 illustrates operations which may occur at an authentication server 206. The method comprises the security unit 236 receiving a data encryption request sent by the data server 204, at operation 600. The data encryption request may comprise an indication of an identity of a client device 202. Operation 610 comprises the data provision unit 226 retrieving a shared secret known to the authentication server 206 and the client device 202 identified in the data encryption request. Operation 620 comprises the security unit 236 responding to the data encryption request.
The above described functions may be carried out in many ways. For example, any suitable means for carrying out each of the functions described above may be employed to carry out embodiments of the invention. In one embodiment, a suitably configured processor may provide all or a portion of the elements of the invention. In another embodiment, all or a portion of the elements of the invention may be configured by and operate under control of a computer program product. The computer program product for performing the methods of embodiments of the invention may include a computer-readable storage medium, such as a non-volatile storage medium, and computer-readable program code portions, such as a series of computer instructions, embodied in the computer-readable storage medium.
As such, then, some embodiments of the invention provide several advantages to computing devices, such as a client device 202. Embodiments of the invention facilitate encryption of data using a static shared secret known both to the client device and an entity of a network service provider. The client device and entity of the network service provider knowing the static shared secret have a pre-established trust and thus embodiments of the invention leverage the shared secret using an encryption protocol known to both the client device and an entity of the network service provider to encrypt data sent to the client device based at least in part upon the shared secret. A data consumer within the client device then decrypts the data inside of a secure environment of the client device using the shared secret so that malicious third parties are inhibited from intercepting confidential data. Embodiments of the invention are particularly advantageous for use in systems providing remote management of client devices where confidential data, such as device management data, is communicated to client devices. If not encrypted, the confidential data may be intercepted by third parties following receipt by a client device when the data is communicated over unsecure interfaces of the client device. In particular, embodiments of the invention are advantageous as an addition to OMA DM, TR-069, and other device management protocols to enhance security of device management objects transferred between a client device and a device management server.
Many modifications and other embodiments of the inventions set forth herein will come to mind to one skilled in the art to which these inventions pertain having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Therefore, it is to be understood that the embodiments of the invention are not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Moreover, although the foregoing descriptions and the associated drawings describe exemplary embodiments in the context of certain exemplary combinations of elements and/or functions, it should be appreciated that different combinations of elements and/or functions may be provided by alternative embodiments without departing from the scope of the appended claims. In this regard, for example, different combinations of elements and/or functions than those explicitly described above are also contemplated as may be set forth in some of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims

WHAT IS CLAIMED IS:
1. An apparatus comprising at least one processor and at least one memory storing computer program code, wherein the at least one memory and stored computer program code are configured to, with the at least one processor, cause the apparatus to at least: receive encrypted device management data for remotely managing the apparatus, wherein the encrypted device management data is encrypted using a shared secret known to both the apparatus and an entity that encrypted the encrypted device management data; and decrypt the encrypted device management data using the shared secret.
2. An apparatus according to claim 1, wherein the device management data comprises an open mobile alliance device management protocol management object.
3. An apparatus according to any one of claims 1-2, wherein the at least one memory and stored computer program code are configured to, with the at least one processor, further cause the apparatus to: direct conveyance of the encrypted device management data over an open environment interface of the apparatus to a secure environment of the apparatus; and decrypt the encrypted device management data within the secure environment of the apparatus.
4. An apparatus according to any one of claims 1-3, wherein the encrypted device management data is received in a message comprising an indication indicating that the encrypted device management data is encrypted, and wherein the at least one memory and stored computer program code are configured to, with the at least one processor, further cause the apparatus to: determine that the message comprises the indication indicating that the encrypted device management data is encrypted; and decrypt the encrypted device management data in response to determining that the message comprises the indication indicating that the encrypted device management data is encrypted.
5. An apparatus according to claim 4, wherein the indication indicating that the encrypted device management data is encrypted comprises a node of an open mobile alliance device management protocol management object.
6. An apparatus according to any one of claims 1-5, wherein the at least one memory and stored computer program code are configured to, with the at least one processor, further cause the apparatus to: consume the decrypted data.
7. An apparatus according to claim 6, wherein the at least one memory and stored computer program code are configured to, with the at least one processor, cause the apparatus to consume the decrypted data by managing the apparatus in accordance with device management data included in the encrypted device management data.
8. An apparatus according to any one of claims 1-7, wherein the encrypted device management data is sent to the apparatus by a device management server.
9. An apparatus according to any one of claims 1-8, wherein the shared secret comprises a device certificate.
10. An apparatus according to any one of claims 1-9, wherein the encrypted device management data is sent by a data server in accordance with open mobile alliance device management protocol.
11. A method comprising: receiving, at an apparatus, encrypted device management data for remotely managing the apparatus, wherein the encrypted device management data is encrypted using a shared secret known to both the apparatus and an entity that encrypted the encrypted device management data; and decrypting the encrypted device management data using the shared secret.
12. A method according to claim 11, wherein the device management data comprises an open mobile alliance device management protocol management object.
13. A method according to any one of claims 11-12, further comprising: directing conveyance of the encrypted device management data over an open environment interface of the apparatus to a secure environment of the apparatus; and decrypting the encrypted device management data by decrypting the encrypted device management data within the secure environment of the apparatus.
14. A method according to any one of claims 11-13, wherein the encrypted device management data is received in a message comprising an indication indicating that the encrypted device management data is encrypted, and wherein the method further comprises: determining that the message comprises the indication indicating that the encrypted device management data is encrypted; and decrypting the encrypted device management data in response to determining that the message comprises the indication indicating that the encrypted device management data is encrypted.
15. A method according to claim 14, wherein the indication indicating that the encrypted device management data is encrypted comprises a node of an open mobile alliance device management protocol management object.
16. A method according to any one of claims 11-15, further comprising consuming the decrypted data.
17. A method according to claim 16, wherein consuming the decrypted data comprises managing the apparatus in accordance with device management data included in the encrypted device management data.
18. A method according to any one of claims 11-17, wherein the data server comprises a device management server.
19. A method according to any one of claims 11-18, wherein the shared secret comprises a device certificate.
20. A method according to any one of claims 11-19, wherein the encrypted device management data is sent by the data server in accordance with open mobile alliance device management protocol.
21. A computer program product comprising at least one computer-readable storage medium having computer-readable program instructions stored therein, the computer-readable program instructions comprising: program instructions configured to carry out a method according to any one of claims 11-20.
22. An apparatus comprising at least one processor and at least one memory storing computer program code, wherein the at least one memory and stored computer program code are configured to, with the at least one processor, cause the apparatus to at least: direct sending of a data encryption request to an authentication server, the data encryption request comprising an indication of a client device to which device management data for remotely managing the client device is to be sent; receive a response to the data encryption request; and direct sending of device management data to the client device, the device management data being encrypted using a shared secret known to both the client device and the authentication server.
23. An apparatus according to claim 22, wherein the authentication server is configured to encrypt device management data, and wherein the at least one memory and stored computer program code are configured to, with the at least one processor, cause the apparatus to: direct sending of the data encryption request by directing sending of a data encryption request comprising the device management data; receive the response by receiving a response to the data encryption request comprising encrypted device management data, the encrypted device management data being encrypted by the authentication server using the shared secret based at least in part upon the indication of the client device included in the data encryption request; and direct sending of the device management data by directing sending of the encrypted device management data received in the response to the client device.
24. An apparatus according to claim 22, wherein the at least one memory and stored computer program code are configured to, with the at least one processor, further cause the apparatus to: receive the response by receiving a response to the data encryption request comprising the shared secret; and encrypt the device management data using the received shared secret.
25. An apparatus according to any one of claims 22-24, wherein the at least one memory and stored computer program code are configured to, with the at least one processor, cause the apparatus to direct sending of the device management data by directing sending of the device management data in a message comprising an indication that the device management data is encrypted.
26. An apparatus according to claim 25, wherein the indication that the device management data is encrypted comprises a node of an open mobile alliance device management protocol management object.
27. An apparatus according to any one of claims 22-26, wherein the apparatus comprises a device management server.
28. An apparatus according to any one of claims 22-27, wherein the shared secret comprises a device certificate.
29. An apparatus according to any one of claims 22-28, wherein the device management data comprises an open mobile alliance device management protocol management object.
30. An apparatus according to any one of claims 22-29, wherein the at least one memory and stored computer program code are configured to, with the at least one processor, cause the apparatus to direct sending of the device management data by directing sending of the device management data in accordance with open mobile alliance device management protocol.
31. A method comprising: directing sending of a data encryption request to an authentication server, the data encryption request comprising an indication of a client device to which device management data for remotely managing the client device is to be sent; receiving a response to the data encryption request; and directing sending of device management data to the client device, the device management data being encrypted using a shared secret known to both the client device and the authentication server.
32. A method according to claim 31, wherein the authentication server is configured to encrypt device management data, and wherein: directing sending of the data encryption request comprises directing sending of a data encryption request comprising the device management data; receiving the response comprises receiving a response to the data encryption request comprising encrypted device management data, the encrypted device management data being encrypted by the authentication server using the shared secret based at least in part upon the indication of the client device included in the data encryption request; and directing sending of the device management data comprises directing sending of the encrypted device management data received in the response to the client device.
33. A method according to claim 31, wherein receiving the response comprises receiving a response to the data encryption request comprising the shared secret; and further comprising: encrypting the device management data using the received shared secret.
34. A method according to any one of claims 31-33, wherein directing sending of the device management data comprises directing sending of the device management data in a message comprising an indication that the device management data is encrypted.
35. A method according to claim 34, wherein the indication that the device management data is encrypted comprises a node of an open mobile alliance device management protocol management object.
36. A method according to any one of claims 31-35, wherein directing sending of device management data comprises directing sending of device management data from a device management server.
37. A method according to any one of claims 31-36, wherein the shared secret comprises a device certificate.
38. A method according to any one of claims 31-37, wherein the device management data comprises an open mobile alliance device management protocol management object.
39. A method according to any one of claims 31-38, wherein directing sending of the device management data comprises directing sending of the device management data in accordance with open mobile alliance device management protocol.
40. A computer program product comprising at least one computer-readable storage medium having computer-readable program instructions stored therein, the computer-readable program instructions comprising: program instructions configured to carry out a method according to any one of claims 31-39.
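The three-party flow the claims describe (device management server, authentication server, client device with an open environment and a secure environment) modelled as an added example; this is constructed illustration code, not Nokia's implementation. The claims name no cipher, only a shared secret, so the block uses a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC-SHA256 tag) in place of a production AEAD; the management-object node names, the device identifier, the management object content and the policy of refusing a message that lacks the "encrypted" indication node are all assumptions of the example. It covers both variants of claims 23/32 (the authentication server encrypts) and claims 24/33 (the authentication server hands the shared secret to the device management server), the indication node of claims 4/25, and the rule of claims 3/13 that decryption happens only inside the secure environment.

```python
import hashlib
import hmac
import os

# Stand-in for a real AEAD: the claims say only "a shared secret known to both
# the apparatus and the entity that encrypted" the data.  Assumed construction.

def _subkeys(shared_secret: bytes):
    enc = hmac.new(shared_secret, b"dm-enc", hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"dm-mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(shared_secret: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(shared_secret)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(shared_secret: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(shared_secret)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):          # constant-time comparison
        raise ValueError("management data failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Assumed node names; the claims say only "a node of an OMA DM management object".
ENCRYPTED_NODE = "./DevMgmt/Encrypted"
PAYLOAD_NODE = "./DevMgmt/Payload"

class AuthenticationServer:
    """Holds each client's shared secret (claims 9/28 allow a device certificate)."""
    def __init__(self, device_secrets: dict):
        self._secrets = dict(device_secrets)

    def handle_encryption_request(self, request: dict) -> dict:
        secret = self._secrets[request["client_id"]]        # KeyError for an unknown device
        if "management_object" in request:                  # claims 23/32: server encrypts
            return {"encrypted_data": seal(secret, request["management_object"])}
        return {"shared_secret": secret}                    # claims 24/33: secret to DM server

class DeviceManagementServer:
    def __init__(self, auth_server: AuthenticationServer):
        self._auth = auth_server

    def build_message(self, client_id: str, management_object: bytes, auth_encrypts: bool = True) -> dict:
        if auth_encrypts:
            resp = self._auth.handle_encryption_request(
                {"client_id": client_id, "management_object": management_object})
            blob = resp["encrypted_data"]
        else:
            resp = self._auth.handle_encryption_request({"client_id": client_id})
            blob = seal(resp["shared_secret"], management_object)
        # claims 25/34: the message carries an indication node beside the payload
        return {ENCRYPTED_NODE: True, PAYLOAD_NODE: blob.hex()}

class ClientDevice:
    def __init__(self, shared_secret: bytes):
        self._secure_env_secret = shared_secret   # read only inside _secure_env_decrypt

    def receive(self, message: dict) -> bytes:
        # Open environment: check the indication (claim 4) and pass the still-encrypted
        # blob over the interface to the secure environment (claim 3).  Refusing an
        # unmarked message is this example's policy, not something the claims require.
        if not message.get(ENCRYPTED_NODE):
            raise ValueError("management data is not marked encrypted; not applied")
        return self._secure_env_decrypt(bytes.fromhex(message[PAYLOAD_NODE]))

    def _secure_env_decrypt(self, blob: bytes) -> bytes:
        return unseal(self._secure_env_secret, blob)

def run_demo() -> dict:
    secret = os.urandom(32)                                  # constructed device secret
    client_id = "IMEI-000000000000000"                       # constructed identifier
    auth = AuthenticationServer({client_id: secret})
    dm, client = DeviceManagementServer(auth), ClientDevice(secret)
    mo = b"<Node><NodeName>APN</NodeName><Value>internet.example</Value></Node>"  # constructed
    results = {
        "auth_encrypts": client.receive(dm.build_message(client_id, mo, auth_encrypts=True)),
        "dm_encrypts": client.receive(dm.build_message(client_id, mo, auth_encrypts=False)),
    }
    msg = dm.build_message(client_id, mo)                     # flip one ciphertext bit
    tampered = bytearray(bytes.fromhex(msg[PAYLOAD_NODE])); tampered[20] ^= 0x01
    msg[PAYLOAD_NODE] = bytes(tampered).hex()
    try:
        client.receive(msg); results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    try:
        client.receive({PAYLOAD_NODE: mo.hex()}); results["unmarked_rejected"] = False
    except ValueError:
        results["unmarked_rejected"] = True
    return results

if __name__ == "__main__":
    print(run_demo())
```

The point the claims make is a placement decision: the open environment only inspects the indication node and forwards ciphertext, so the shared secret is never read outside the secure environment; the tamper case shows why the payload must be authenticated as well as encrypted before a device acts on it.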
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US12093308P 2008-12-09 2008-12-09
US61/120,933 2008-12-09

Publications (1)

Publication Number Publication Date
WO2010067171A1 true WO2010067171A1 (en) 2010-06-17

Family

ID=42242390

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2009/007659 WO2010067171A1 (en) 2008-12-09 2009-12-07 Methods, apparatuses, and computer program products for protecting data

Country Status (1)

Country Link
WO (1) WO2010067171A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060173976A1 (en) * 2005-02-01 2006-08-03 Microsoft Corporation Configuration of WiFi network parameters
US20080144590A1 (en) * 2006-12-14 2008-06-19 Nokia Corporation Enabling settings provisioning process in WIMAX networks

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
"How TLS/SSL Works", MICROSOFT TECHNET, 28 March 2003 (2003-03-28), XP003026417, Retrieved from the Internet <URL:http://technet.microsoft.com/en-us/library/cc783349(WS.10,printer).aspx> [retrieved on 20100316] *
"OMA Device Management Security, Candidate Version 1.2", OPEN MOBILE ALLIANCE, 2 June 2006 (2006-06-02), XP003026416, Retrieved from the Internet <URL:http://www.vallejo.cc/proyectos/envio%20sms_files/OMA-TS-DM_Security-V1_2-20060602-C.pdf> [retrieved on 20100316] *
DATABASE INSPEC 3 June 2008 (2008-06-03), Database accession no. 10042960 *
HUSAIN S. ET AL: "Remote device management of WiMAX devices in multi-mode multi-access environment", 31 March 2008 (2008-03-31) - 2 April 2008 (2008-04-02), XP031268632, Retrieved from the Internet <URL:http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4536680> [retrieved on 20100316] *
STEPHANIE LIN ET AL: "An introduction to OMA Device Management, Improve the interoperability between devices and servers with the latest specification", 31 October 2006 (2006-10-31), XP003026418, Retrieved from the Internet <URL:https://www.ibm.com/developerworks/wireless/library/wi-oma/> [retrieved on 20100316] *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113423100A (en) * 2021-06-23 2021-09-21 宁夏隆基宁光仪表股份有限公司 NB instrument testing method, system and equipment based on AES encryption
CN113423100B (en) * 2021-06-23 2024-03-29 宁夏新立电子有限公司 AES encryption-based NB instrument inspection method, system and equipment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 09831528; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 09831528; Country of ref document: EP; Kind code of ref document: A1)