US20090138643A1 - Method and device for securely configuring a terminal - Google Patents


Publication number
US20090138643A1
Authority
US
United States
Prior art keywords
terminal
memory
driver
chip card
access module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/279,991
Inventor
Olivier Charles
Julien Tinnes
Eric Leclercq
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
FRANCE TE ECP
Orange SA
Original Assignee
FRANCE TE ECP
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by FRANCE TE ECP
Assigned to FRANCE TELECOM. Assignment of assignors' interest (see document for details). Assignors: TINNES, JULIEN; LECLERCQ, ERIC; CHARLES, OLIVIER

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853: Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/4401: Bootstrapping

Definitions

  • the invention relates to the field of telecommunications and computing; it relates more precisely to a method and device for configuring a terminal.
  • the invention finds relevant applications in all travel situations, that is to say situations in which users of a computer terminal make remote use of the resources of a computer system or of a computer network.
  • travelling users use their own portable personal computer and connect it to the network of their company via the Internet network or the network of a telecommunication operator.
  • Computer security is a problem during these remote connections, on account in particular of the presence of risks such as viruses on the PC, eavesdropping on the communication, intrusion on the company's network. It is therefore obligatory that the software used be reliable, and therefore free of viruses, spyware, Trojan horses, etc, and that the connection between the computer and the company's network be made secure, for example by using a virtual private network. This is the reason why companies require that the connection be established from a terminal that they have provided the employee with and proscribe connections from machines whose content is not controlled. A consequence of this situation is that travelling users must routinely carry their portable computer around with them and do not have the possibility of using another personal computer, that of the house or of a friend for example.
  • the aim of the invention is to provide a device and a method for automatically configuring a terminal, with a view to accessing a predefined telecommunication network, on the basis of data of a computer environment that are stored in a memory.
  • the subject of the invention is, according to a first aspect, a method of configuring a terminal comprising a step of initializing said terminal and which automatically triggers at least:
  • the terminal is automatically configured to use a telecommunication network access module, this module being that of a telecommunication device, for example a mobile telephone.
  • This module is independent of the terminal used. It is preferably specific to a given user. Furthermore, its characteristics being known, it is possible to configure the terminal to access the telecommunication network on condition that the driver appropriate to this device is available.
  • the communication link between the terminal and the device will be established by USB link or by nonwired link.
  • the method furthermore comprises:
  • connection program is preconfigured to operate with the driver provided and the network access module.
  • the method furthermore comprises:
  • the method furthermore comprises:
  • a reliable and secure connection can thus be implemented when connecting the terminal to the communication network, the authentication procedure being able to succeed only if a PIN code (personal identification number) is provided to the chip card.
  • the method furthermore comprises:
  • a user's data can thus be stored in a secure manner in the memory and nevertheless be rendered readily accessible by a user of the terminal.
  • the method furthermore comprises:
  • the subject of the invention is a device for configuring a terminal, the device comprising at least,
  • said memory being accessible by a basic input/output system of said terminal during a phase of starting up of said terminal, said memory comprising,
  • the device according to the invention furthermore comprises
  • the operating system being able to start up the driver of the reading device.
  • the device furthermore comprises means for storing data comprising,
  • said memory, said access module and said chip card are integrated into a mobile telecommunication terminal.
  • the device making it possible to configure the terminal is readily portable. Furthermore, it is reliable and allows a user to easily transport his personal data.
  • FIG. 1a is an illustration of a first embodiment of the device according to the invention.
  • FIG. 1b is an illustration of a second embodiment of the device according to the invention.
  • FIG. 2 represents a flowchart of an embodiment of the method according to the invention.
  • FIG. 1a illustrates a first embodiment of the device according to the invention.
  • the device represented in FIG. 1a comprises:
  • the telecommunication network 50 is for example an Ethernet network, a GSM/GPRS cellular network, a UMTS cellular network, a WIFI network, the switched telephone network (STN), etc.
  • the invention is aimed at providing a device and a method for automatically configuring the terminal 10, in order to access the telecommunication network 50, and in particular in order to access a predefined server or gateway 60.
  • This server 60 is for example a gateway controlling access to a second telecommunication network, this second telecommunication network being for example a company network (Intranet).
  • the invention allows a travelling user to access a predefined telecommunication network 50 by using the terminal 10, even if this terminal 10 does not have means for accessing the telecommunication network 50.
  • the terminal 10 is typically a personal computer, having at least a central data processing unit, a keyboard, a screen, and a communication bus for interconnecting peripherals to the central unit, for example a serial bus meeting the USB (Universal Serial Bus) standard. It is not essential for the terminal to have a hard disk, insofar as the latter is not used for the implementation of the invention.
  • the terminal 10 furthermore comprises at least one USB port for linking up an external peripheral.
  • the terminal 10 furthermore comprises a memory in which the BIOS (Basic Input/Output System) is stored, a low level program allowing the detection, while the terminal 10 is starting up, of the peripherals connected to the terminal 10, as well as the starting up of the operating system.
  • the recording medium 25a is embodied for example in the form of a USB key, a CD-ROM, a removable hard disk, etc.
  • This recording medium is preferably a medium that can be readily carried around by a travelling user.
  • the telecommunication device 35a is for example a mobile telecommunication terminal, the network access module in this case advantageously consisting of the telecommunication network access modem.
  • the telecommunication terminal is for example a mobile telephone or a personal assistant (PDA, Personal Data Assistant).
  • the network access module 30a allows access to the telecommunication network 50 considered and is therefore compatible with the communication standards of this network.
  • the three peripherals 25a, 35a, 45a are peripherals having a serial port in accordance with the USB standard and can be linked up by a USB bus cable to a USB port of the terminal 10.
  • the repeater 15a makes it possible to link up the three peripherals 25a, 35a, 45a on one and the same USB port of the terminal 10. Its role is in particular to multiplex the data arising from the various peripherals for access to the USB bus. The presence of such a repeater is however not necessary if the terminal 10 has sufficient USB ports. In this case, the three peripherals can be linked up directly to the terminal 10, that is to say without the intermediary of the repeater.
  • this medium must be detected and recognized by the BIOS of the terminal 10 as a data storage peripheral liable to comprise the execution data of an operating system of the terminal 10.
  • FIG. 1b illustrates a second embodiment of the invention.
  • the repeater 15b, the memory 20b, the access module 30b, the chip card 40b form part of one and the same mobile telecommunication terminal 35b.
  • This terminal 35b comprises chip card reading means and in this sense constitutes a chip card reading device able to read and/or interrogate a chip card. It also has a USB port making it possible to establish a communication link with the terminal 10.
  • This terminal is embodied for example in the form of a mobile telephone or personal assistant (PDA, Personal Data Assistant).
  • This second embodiment has the advantage of being very compact and easy for a travelling user to carry around.
  • the telephone is seen by the terminal 10 either as a network card, or as a modem.
  • the following data are stored in the memory 20a, 20b:
  • each decipherment, respectively encipherment, key is associated with a partition or with a data block of a partition. In a simplified embodiment, it is the entire partition which is enciphered.
  • the enciphering keys are denoted KC_i and the deciphering keys KD_i, with 0 ≤ i < N, where N is the number of encipherment, respectively decipherment, keys.
  • the keys KC_i and KD_i are identical.
  • the enciphering and deciphering keys KC_i and KD_i are enciphered before being stored in the memory 20a, 20b.
  • the enciphered keys are denoted KCC_i and KCD_i respectively.
  • the execution data of the operating system themselves comprise:
  • the execution data of application packages themselves comprise:
  • the data access management driver is designed to dispatch to the chip card via the driver of the reading device a request to decipher one or more deciphering keys KCD_i and to decipher all or some of the enciphered blocks by means of the deciphered deciphering keys KD_i.
  • connection parameters are dependent on the telecommunication network used. These parameters comprise for example:
  • the chip card has encipherment and decipherment functions. It furthermore contains a first digital certificate for authentication during implementation of a secure link and a second digital certificate for data encipherment.
  • the chip card contains a digital certificate, a public key K_pub, used for data encipherment, and a private key K_pri used to decipher what has been enciphered by means of the public key.
  • the public key K_pub can be transmitted to a program executing outside of the chip card with a view to encipherment, while the use of the private key K_pri is reserved for the secure environment of the chip card and for the decipherment programs implemented in the chip card.
  • the keys KC_i and KD_i for enciphering and deciphering the data of the partitions of the user are themselves enciphered by means of the public key K_pub of the digital encipherment certificate before being stored in the memory 20a, 20b.
  • the chip card is used in the context of the invention to decipher the enciphered keys KCC_i and KCD_i by means of the private key K_pri of the digital encipherment certificate.
  • a rule defines which enciphering key, respectively deciphering key, must be used for a data partition or block. For example, if N enciphering keys (and therefore N deciphering keys) are used, and if there are Z memory blocks to be enciphered, the rule defines that a block x, 0 ≤ x < Z, will be enciphered, respectively deciphered, by means of the enciphering key KC_i, respectively deciphering key KD_i, such that x is congruent to i modulo N.
  • Step 100: the connection is effected between on the one hand the terminal 10 and on the other hand a device, designated under the general reference 35.
  • the device 35 comprises, in the embodiment of FIG. 1a, the peripherals 25a, 35a, 45a, and, in the embodiment of FIG. 1b, the device 35b.
  • Step 105: the terminal is powered up and started.
  • Step 110: the BIOS program of the terminal is started.
  • This BIOS program executes a procedure for detecting the peripherals present on the terminal or interconnected to this terminal. It searches, according to a predefined order in a configurable list which is specific to it, among the data recording media, for the first medium comprising a booting sector comprising data for booting the operating system.
  • the standard configuration of the startup lists indicates that the apparatuses connected to the USB bus must be interrogated before the hard disk of the terminal. Consequently, in the invention, it is the USB key memory boot sector which is used.
  • Step 111: the memory responds to the presence detection.
  • the program of the BIOS therefore detects the presence of a storage memory 20a, 20b on the USB peripheral 25a or 35b.
  • Step 112: the program of the BIOS read-accesses the memory.
  • Step 115: the BIOS program triggers the execution of the startup program found in the memory. This startup program actually triggers the execution of the operating system stored in the memory 20a, 20b.
  • Step 120: the operating system detects the presence of a chip card reader and runs the driver corresponding to this chip card reader, which driver is also stored in the memory 20a, 20b.
  • Step 121: the chip card reader is started following the running of its driver.
  • Step 125: the operating system runs the data access management driver, which driver is also stored in the memory 20a, 20b.
  • This driver dispatches a request to the driver of the reader of the chip card to ask the chip card to decipher deciphering keys KCD_i.
  • Step 126: the reader of the chip card asks the user to enter his identification code. In the event of erroneous entry, after three erroneous attempts, access to the chip card is denied and the method is interrupted. In the converse case, the chip card is unlatched and deciphers the deciphering key or keys KCD_i, then returns deciphered keys KD_i to the data access management driver.
  • Step 130: the data access management driver sets up, that is to say constructs, on the basis of a part (a partition, a file, a block) of the memory 20a, 20b (physical mass medium) comprising the user's enciphered data, a virtual partition so that the enciphered data stored in this part is rendered accessible by a user of the terminal.
  • the part of the memory is thus rendered accessible by the user via a virtual storage peripheral containing an encrypted system of files.
  • the logical organization of the files stored in the part of the memory is seen by the user as a tree of directories and files, which tree is identical or similar to those customarily used for a hard disk partition, the data access management driver constructing this tree so as to render the data stored in the relevant part of the memory 20a, 20b accessible by a user of the terminal.
  • the data access management driver deciphers (respectively enciphers) on the fly the data block or blocks comprising this file by using the deciphered keys KD_i, the whole of the data to be deciphered being projected into memory by the so-called mapping technique before decipherment and preserved in projection memory in deciphered form, so as to be able to be used or modified by the user of the terminal.
  • a virtual or logical mass medium the image of a part of the physical mass medium, is rendered accessible by the user by virtue of the data access management driver.
  • the user of the terminal has on the basis of the USB memory a conventional system of files, the driver being in charge of enciphering and deciphering the blocks of the USB memory during use.
  • Step 140: the operating system detects the presence of a network access module 30a, 30b and runs the driver corresponding to this network access module, which driver is also stored in the memory 20a, 20b.
  • Step 141: the network access module 30a, 30b is started up.
  • Step 150: the operating system triggers the execution of the program for connecting to the telecommunication network 50 stored in the memory 20a, 20b.
  • This program dispatches commands to the network access module in order to establish the connection.
  • this connection program is preconfigured with connection parameters specific to the user, which are stored in the memory 20a, 20b. In this way, the user does not need to perform any manual configuration in order to establish this connection.
  • Step 151: following the triggering of this program, the connection to the network is established by the module 30a, 30b for accessing the network 50.
  • the user can access services on the network (Web, messaging, etc.).
  • Step 155: the network connection program triggers a procedure for setting up a secure link or secure tunnel between the terminal 10 and the server 60 interconnected to the network 50.
  • the procedure for establishing the secure link is either triggered automatically by the connection program or at the request of the user of the terminal 10.
  • Step 156: following step 155 and following an authentication request received from the server 60 by the terminal 10 during the procedure for establishing the secure link, the chip card reader or the device 35b asks the user to enter his identification code, so as to unlatch access to the strong authentication certificate stored in the chip card in order to carry out a strong authentication operation.
  • this identification code can be different from the code used in step 126.
  • Step 160: in the event of successful authentication, the procedure for establishing the secure link continues.
  • the establishment of the secure link calls upon customary techniques for establishing virtual private networks, implementing in particular a secure protocol (IKE and IPSec for example).
  • Step 161: following the establishment of the connection, the user is able to access the server 60. In the case where this server serves as access gateway to a company network, the user will be able to access this company network.
  • the user can update his software environment by downloading, from this server or another server, correctives or new programs and insert them onto his memory module.
  • the device exhibits a very high security level on account of the coupled use of a memory, a network access card and a chip card.
  • a chip card makes it possible to use, during encipherment, much longer keys than a simple password and therefore improves the security level of the device. Furthermore, the chip card much improves the ergonomics of the device by limiting user entry to a short identification code (in general 4 digits), before authorizing access to the private data of the card. Finally, a chip card shuts down after three fruitless attempts at code entry, thereby making it possible to prevent attacks by exhaustive attempts.
  • the hard disk of the terminal 10 is never invoked. Furthermore the user does not leave any personal data there. Moreover, the user cannot execute the programs that are resident on the hard disk of the machine, in particular viruses or malicious programs. Generally, only the programs that are present in the memory will be able to be executed.
  • the update management program comprises a downloaded software signature verification function to prevent the downloading of uncertified programs.
  • connection program is preconfigured to operate with a predefined network access module and in the context predefined by the telecommunication operator providing access to the network, and in particular with connection parameters specific to a user.
  • the operating system uses the resources of the network access module to allow access to the network by the user's programs.
  • connections pass through a network controlled by the user himself (company network or domestic network) or by his operator (mobile or WiFi network).
  • a wireless link can be used as an alternative to a USB bus-based wired link between the terminal and the device 35a, 35b, for example a WiFi or Bluetooth link.
  • a virtual driver such as that described in the patent document published under the number WO2005/036822 is preferably used for the terminal 10.
  • Such a driver may be used equally well with a wired or nonwired link between the terminal and the device 35a, 35b. In this way, the terminal will be able to access the SIM card as if dealing with a chip card inserted into a local chip card reader, and therefore disregarding the USB link and access constraints related to the integration of the SIM card into the environment of the mobile terminal.
  • a virtual driver is also usable for driving the network access module, in such a way that the network access programs operate in the same manner as if the network access module was a module installed locally in the terminal 10.
  • USB key in particular in the case of a relatively old personal computer 10 which cannot start up on the USB port, it is possible to use a CD-ROM for the first phase of configuring and starting up the operating system, then, once the operating system has been started and the USB peripherals are accessible, to search for the user data on the USB-based storage area or on a storage area accessible via another type of communication link, for example a memory area of the mobile terminal 35b which would be accessible via a Bluetooth link established between the terminal 10 and the mobile terminal 35b.
  • two recording media can be used: one for installing the operating system and drivers, the other for the user's data.
  • the first of the two media is accessible by the BIOS and detected as forming part of the list of media that the BIOS analyzes to detect therein the presence of a startup program.
  • the second of the two media is accessible from the terminal 10 by means of a storage peripheral management driver via a communication link between the terminal 10 and this recording medium.
  • USB memory In an embodiment where data storage volume will be favored over speed of execution, it will be possible to replace the USB memory by a mini hard disk.
  • the process for configuring the terminal 10 according to the invention is entirely automated.
  • the only moments at which the user intervenes are when entering personal identification codes, or optionally, for running the connection program or the program for establishing the secure link.
  • it therefore becomes extremely simple for a travelling user to configure any personal computer in order to access a network, or more simply, so as to work in a predefined software environment and with his own specific data. The integrity of the software environment and of the user's data is guaranteed.
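
An added example, not part of the patent text: a Python model of the key handling described above, in which the keys KD_i are enciphered under K_pub, the chip card deciphers them only after a correct identification code (three attempts at most), and block x is handled with the key whose index is x modulo N. Textbook RSA on fixed primes and a SHA-256 keystream are stand-ins for the ciphers, which the page does not specify; all class and function names are illustrative.

```python
"""Model of the key hierarchy: per-block keys wrapped under the card's public key."""
import hashlib
import secrets

# Toy RSA parameters (two Mersenne primes) standing in for the card's real key pair.
# Every ChipCard below shares them; a real card has its own unpredictable key pair.
_P, _Q, _E = 2**127 - 1, 2**89 - 1, 65537
KEY_LEN = 16  # bytes per KC_i / KD_i (assumed size)


class ChipCard:
    """Holds K_pri internally; releases deciphered keys only after a correct PIN."""

    MAX_TRIES = 3  # the page: access is denied after three erroneous attempts

    def __init__(self, pin):
        self._pin = pin
        self._k_pri = pow(_E, -1, (_P - 1) * (_Q - 1))
        self.k_pub = (_P * _Q, _E)  # exportable, used only to encipher keys
        self._failures = 0

    @property
    def locked(self):
        return self._failures >= self.MAX_TRIES

    def decipher_key(self, pin, kcd):
        """KCD_i -> KD_i, or PermissionError on a bad PIN or a locked card."""
        if self.locked:
            raise PermissionError("chip card locked")
        if not secrets.compare_digest(pin.encode(), self._pin.encode()):
            self._failures += 1
            raise PermissionError("wrong identification code")
        self._failures = 0  # assumption: the counter resets on success
        return pow(kcd, self._k_pri, self.k_pub[0]).to_bytes(KEY_LEN, "big")


def encipher_key(k_pub, key):
    """Wrap KD_i under K_pub; runs outside the card (textbook RSA, illustration only)."""
    n, e = k_pub
    return pow(int.from_bytes(key, "big"), e, n)


def key_index(x, n_keys):
    """The page's rule: block x uses key i such that x is congruent to i modulo N."""
    return x % n_keys


def crypt_block(key, x, data):
    """XOR with a SHA-256 counter keystream bound to block x (stand-in cipher).

    Enciphering and deciphering are the same operation, matching KC_i == KD_i.
    Rewriting a block reuses its keystream; a real driver would use a proper
    disk-encryption mode instead.
    """
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(
            key + x.to_bytes(8, "big") + counter.to_bytes(4, "big")
        ).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def provision(k_pub, blocks, n_keys):
    """Build the contents of the memory: enciphered keys KCD_i and enciphered blocks."""
    keys = [secrets.token_bytes(KEY_LEN) for _ in range(n_keys)]
    return {
        "KCD": [encipher_key(k_pub, k) for k in keys],
        "blocks": [
            crypt_block(keys[key_index(x, n_keys)], x, b) for x, b in enumerate(blocks)
        ],
    }


class DataAccessDriver:
    """Steps 125-130: obtain KD_i from the card once, then decipher blocks on the fly."""

    def __init__(self, memory, card, pin):
        self._memory = memory
        self._kd = [card.decipher_key(pin, kcd) for kcd in memory["KCD"]]

    def read_block(self, x):
        kd = self._kd[key_index(x, len(self._kd))]
        return crypt_block(kd, x, self._memory["blocks"][x])

    def write_block(self, x, data):
        kc = self._kd[key_index(x, len(self._kd))]
        self._memory["blocks"][x] = crypt_block(kc, x, data)


if __name__ == "__main__":
    # Constructed sample data: seven plaintext blocks, three keys.
    sample = [f"user data block {x}".encode() for x in range(7)]
    card = ChipCard(pin="4821")
    memory = provision(card.k_pub, sample, n_keys=3)
    driver = DataAccessDriver(memory, card, pin="4821")
    print([driver.read_block(x) for x in range(7)] == sample)
```

The memory in this model holds only enciphered keys and enciphered blocks, so a copy of the storage medium without the card and its identification code yields no plaintext.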

Abstract

A method of configuring a terminal including initializing the terminal, and which automatically triggers at least: detecting presence of a memory by a basic input/output system of the terminal, accessing the memory by the basic input/output system, starting up an operating system stored in the memory, and starting up a driver of a telecommunication network access module, the driver of the access module being stored in the memory and configured to drive the access module through a communication link between the terminal and a telecommunication device including the access module.

Description

  • The invention relates to the field of telecommunications and computing; it relates more precisely to a method and device for configuring a terminal.
  • The invention finds relevant applications in all travel situations, that is to say situations in which users of a computer terminal make remote use of the resources of a computer system or of a computer network. Customarily, travelling users use their own portable personal computer and connect it to the network of their company via the Internet network or the network of a telecommunication operator.
  • Computer security is a problem during these remote connections, on account in particular of the presence of risks such as viruses on the PC, eavesdropping on the communication, intrusion on the company's network. It is therefore obligatory that the software used be reliable, and therefore free of viruses, spyware, Trojan horses, etc, and that the connection between the computer and the company's network be made secure, for example by using a virtual private network. This is the reason why companies require that the connection be established from a terminal that they have provided the employee with and proscribe connections from machines whose content is not controlled. A consequence of this situation is that travelling users must routinely carry their portable computer around with them and do not have the possibility of using another personal computer, that of the house or of a friend for example.
  • It is therefore important to have a technical solution for configuring and connecting a personal computer to a company network which guarantees that the software which will subsequently be used is fully reliable, whatever personal computer or terminal is used to implement the connection.
  • The most successful technical solutions in this field are the recording media of CD-ROM type comprising an operating system which will be booted when the computer is started up. The big defect of this system is not providing any means for storing the user's data.
  • The appearance of removable memories that can be connected to the USB (Universal Serial Bus) port of a personal computer and in which a complete operating system is stored in a format such that, when the computer is restarted, it is this operating system which will be run, is also beginning to be seen. Consequently only the software embedded in the removable memory will be invoked, and not the software initially installed on the hard disk of the computer. In this way, the security level offered depends solely on the software in the memory and not on the personal computer used.
  • However it is not simple for a user to configure the operating system of the personal computer so as to have access to the network. It is already necessary that he has the driver to operate the peripheral for accessing the network of the personal computer and that he knows how to configure the network access software with the connection parameters. It is not therefore possible to automate this phase since all these elements depend physically on the machine to be configured and on the manner in which it is connected to the network.
  • The aim of the invention is to provide a device and a method for automatically configuring a terminal, with a view to accessing a predefined telecommunication network, on the basis of data of a computer environment that are stored in a memory.
  • With this aim, the subject of the invention is, according to a first aspect, a method of configuring a terminal comprising a step of initializing said terminal and which automatically triggers at least:
      • a step of detecting presence of a memory by a basic input/output system of the terminal,
      • a step of accessing said memory by the basic input/output system, and
      • a step of starting up an operating system of said terminal, stored in said memory,
      • a step of starting up a driver of a telecommunication network access module, the driver of the access module being stored in said memory and able to drive the access module from said terminal through a communication link between said terminal and a telecommunication device comprising said access module.
  • By virtue of this method, the terminal is automatically configured to use a telecommunication network access module, this module being that of a telecommunication device, for example a mobile telephone. This module is independent of the terminal used. It is preferably specific to a given user. Furthermore, its characteristics being known, it is possible to configure the terminal to access the telecommunication network on condition that the driver appropriate to this device is available. Preferably, the communication link between the terminal and the device will be established by USB link or by nonwired link.
  • According to an embodiment, the method furthermore comprises:
      • a step of establishing a communication link between said terminal and said communication network, by means of said access module and of connection parameters stored in said memory.
  • In this way, the terminal can readily be configured to access a telecommunication network with connection parameters which are specific to the user. The connection program is preconfigured to operate with the driver provided and the network access module.
  • According to an embodiment, the method furthermore comprises:
      • a step of starting up a driver of a chip card reading device able to interrogate a chip card, the driver being stored in said memory and being able to drive the reading device through a communication link between said terminal and the reading device.
  • The presence of a chip card reading device makes it possible to afford robust functions for encipherment at the terminal level.
  • According to an embodiment, the method furthermore comprises:
      • a step of establishing a secure communication tunnel between said terminal and a server of said telecommunication network, during which step a strong authentication procedure is implemented by means of a chip card interrogatable via said driver of the chip card reading device.
  • A reliable and secure connection can thus be implemented when connecting the terminal to the communication network, the authentication procedure being able to succeed only if a PIN code (personal identification number) is provided to the chip card.
  • According to an embodiment, the method furthermore comprises:
      • a step of constructing at least one virtual partition on the basis of enciphered data stored in said memory with a view to rendering said enciphered data accessible by a user of said terminal.
  • A user's data can thus be stored in a secure manner in the memory and nevertheless be rendered readily accessible by a user of the terminal.
  • According to an embodiment, the method furthermore comprises:
      • a step of dispatching to a chip card, interrogatable via the driver of the chip card reading device, a request to decipher at least one enciphered deciphering key,
      • a step of deciphering at least part of the enciphered data stored in said memory by means of at least one deciphered deciphering key.
  • Thus access to the user's data is made secure on account of the intervention of the chip card in the data access process. Specifically, the decipherment of the enciphered key or of the enciphered keys by the chip card is performed only conditionally on providing the chip card with a PIN code.
  • Correlatively, the subject of the invention is a device for configuring a terminal, the device comprising at least,
      • a memory,
      • a telecommunication device comprising a telecommunication network access module,
  • said memory being accessible by a basic input/output system of said terminal during a phase of starting up of said terminal, said memory comprising,
      • an operating system of the terminal,
      • a driver of the access module able to drive said access module from said terminal through a communication link between said terminal and said telecommunication device,
  • the starting up of the terminal automatically triggering at least,
      • the detection by the basic input/output system of the terminal of the presence of said memory,
      • access by the basic input/output system to said memory, and
      • the starting up of the operating system stored in said memory,
      • the starting up of the driver of the access module.
  • According to an embodiment, the device according to the invention furthermore comprises
      • a chip card,
      • a reading device able to read and/or interrogate the chip card,
  • said memory furthermore comprising,
      • a driver of the reading device able to drive the reading device from said terminal through a communication link between said terminal and the reading device,
  • the operating system being able to start up the driver of the reading device.
  • According to an embodiment, the device furthermore comprises means for storing data comprising,
      • enciphered data,
      • at least one enciphered deciphering key,
  • said memory furthermore comprising,
      • a data access management driver able to construct at least one virtual partition on the basis of enciphered data stored in said means for storing data, so as to render said enciphered data accessible by a user of said terminal, the data access management driver being able to dispatch to the chip card via the driver of the reading device a request to decipher at least one enciphered deciphering key and able to trigger the decipherment of at least part of the enciphered data by means of at least one deciphered deciphering key,
  • the operating system being able to trigger the execution of the deciphering driver.
  • The advantages stated for the method according to the invention are transposable to the device according to the invention and to its various embodiments.
  • According to an embodiment, said memory, said access module and said chip card are integrated into a mobile telecommunication terminal.
  • In this embodiment, the device making it possible to configure the terminal is readily portable. Furthermore, it is reliable and allows a user to easily transport his personal data.
  • Other aims, characteristics and advantages of the invention will become apparent through the description which follows, given solely by way of nonlimiting example, and with reference to the appended drawings in which:
  • FIG. 1 a is an illustration of a first embodiment of the device according to the invention;
  • FIG. 1 b is an illustration of a second embodiment of the device according to the invention;
  • FIG. 2 represents a flowchart of an embodiment of the method according to the invention.
  • FIG. 1 a illustrates a first embodiment of the device according to the invention.
  • The device represented in FIG. 1 a comprises:
      • a terminal 10;
      • a multiport repeater 15 a (more commonly called a “hub”);
      • a data recording medium 25 a comprising a memory 20 a;
      • a chip card reading device 45 a, making it possible to read, to access or to interrogate a chip card 40 a;
      • a telecommunication device 35 a comprising a network access module 30 a for accessing a telecommunication network 50.
  • The telecommunication network 50 is for example an Ethernet network, a GSM/GPRS cellular network, a UMTS cellular network, a WIFI network, the switched telephone network (STN), etc.
  • The invention is aimed at providing a device and a method for automatically configuring the terminal 10, in order to access the telecommunication network 50, and in particular in order to access a predefined server or gateway 60. This server 60 is for example a gateway controlling access to a second telecommunication network, this second telecommunication network being for example a company network (Intranet). The invention allows a travelling user to access a predefined telecommunication network 50 by using the terminal 10, even if this terminal 10 does not have means for accessing the telecommunication network 50.
  • The terminal 10 is typically a personal computer, having at least a central data processing unit, a keyboard, a screen, and a communication bus for interconnecting peripherals to the central unit, for example a serial bus meeting the USB (Universal Serial Bus) standard. It is not essential for the terminal to have a hard disk, insofar as the latter is not used for the implementation of the invention. The terminal 10 furthermore comprises at least one USB port for linking up an external peripheral.
  • The terminal 10 furthermore comprises a memory in which the BIOS (Basic Input/Output System) is stored, a low level program allowing the detection, while the terminal 10 is starting up, of the peripherals connected to the terminal 10, as well as the starting up of the operating system.
  • The recording medium 25 a is embodied for example in the form of a USB key, a CD-ROM, a removable hard disk, etc. This recording medium is preferably a medium that can be readily carried around by a travelling user.
  • The telecommunication device 35 a is for example a mobile telecommunication terminal, the network access module in this case advantageously consisting of the telecommunication network access modem. The telecommunication terminal is for example a mobile telephone or a personal assistant (PDA, Personal Data Assistant).
  • The network access module 30 a allows access to the telecommunication network 50 considered and is therefore compatible with the communication standards of this network.
  • In the exemplary embodiment described, the three peripherals 25 a, 35 a, 45 a are peripherals having a serial port in accordance with the USB standard and can be linked up by a USB bus cable to a USB port of the terminal 10.
  • The repeater 15 a makes it possible to link up the three peripherals 25 a, 35 a, 45 a on one and the same USB port of the terminal 10. Its role is in particular to multiplex the data arising from the various peripherals for access to the USB bus. The presence of such a repeater is however not necessary if the terminal 10 has sufficient USB ports. In this case, the three peripherals can be linked up directly to the terminal 10, that is to say without the intermediary of the repeater.
  • As a variant, other types of communication bus or other types of communication link can be used to effect the communication link between the terminal 10 and the three peripherals. However, as regards the recording medium, this medium must be detected and recognized by the BIOS of the terminal 10 as a data storage peripheral liable to comprise the execution data of an operating system of the terminal 10.
  • FIG. 1 b illustrates a second embodiment of the invention. In this second embodiment, the repeater 15 b, the memory 20 b, the access module 30 b, the chip card 40 b form part of one and the same mobile telecommunication terminal 35 b. This terminal 35 b comprises chip card reading means and in this sense constitutes a chip card reading device able to read and/or interrogate a chip card. It also has a USB port making it possible to establish a communication link with the terminal 10. This terminal is embodied for example in the form of a mobile telephone or personal assistant (PDA, Personal Data Assistant).
  • This second embodiment has the advantage of being very compact and easy for a travelling user to carry around.
  • By hooking up the mobile telephone to the terminal 10 by way of a USB cable, three peripherals are then accessible by the terminal 10 via the same USB port:
      • a memory or memory area, seen as a conventional USB key,
      • a network access module, which is in fact the mobile telephone's network access modem,
      • a chip card, which is in fact the SIM (Subscriber Identity Module) card of the network access module.
  • In this second embodiment, the telephone is seen by the terminal 10 either as a network card, or as a modem.
  • The subsequent description refers equally to the first embodiment and to the second embodiment.
  • For the implementation of the invention, the following data are stored in the memory 20 a, 20 b:
      • a starting sector with a program for starting an operating system of the terminal 10;
      • execution data of this operating system;
      • execution data of application packages, compatible with this operating system;
      • one or more partitions with enciphered data (programs, files, parameters, etc.) of a user of the terminal 10;
      • one or more keys for deciphering, respectively enciphering, the user's data.
  • With a view to encipherment, respectively decipherment, each decipherment, respectively encipherment, key is associated with a partition or with a data block of a partition. In a simplified embodiment, it is the entire partition which is enciphered. Subsequently in the description, the enciphering keys are denoted KCi, and the deciphering keys KDi with 0≦i<N, where N is the number of encipherment, respectively decipherment, keys. In the case where a symmetric encipherment procedure is used, the keys KCi and KDi are identical.
  • The enciphering and deciphering keys KCi and KDi are enciphered before being stored in the memory 20 a, 20 b. The enciphered keys are denoted KCCi and KCDi respectively.
  • The execution data of the operating system themselves comprise:
      • at least one file comprising the program of the operating system itself (image of the operating system, also called the kernel);
      • peripheral drivers, including a driver of the reader of the chip card 40 a, 40 b, a driver of the access module 30 a, 30 b as well as a data access management driver, managing access to enciphered data of the memory 20 a, 20 b and implementing encipherment and decipherment functions;
      • the execution parameters of the operating system as well as the parameters associated with the drivers.
  • The execution data of application packages themselves comprise:
      • application packages, including a program for connecting to a telecommunication network accessible via the access module 30 a, 30 b;
      • execution parameters of these application packages, in particular connection parameters to be used during the establishment of a connection to the network by the connection program.
  • The data access management driver is designed to dispatch to the chip card via the driver of the reading device a request to decipher one or more deciphering keys KCDi and to decipher all or some of the enciphered blocks by means of the deciphered deciphering keys KDi.
  • The connection parameters are dependent on the telecommunication network used. These parameters comprise for example:
      • for a connection to a GPRS (General Packet Radio Service) network: APN (Access Point Name), type of authentication protocol, an IP (Internet Protocol) address, etc.
      • for a connection to a WiFi network: name of the SSID (service set identifier) (e.g.: Orange); mode of authentication, mode of encipherment, enciphering key, etc.
      • for a connection to a telephone network via an ADSL modem: point-to-point protocol used (PPPOA or PPPOE), Internet access provider's client name and password, etc.
  • The chip card has encipherment and decipherment functions. It furthermore contains a first digital certificate for authentication during implementation of a secure link and a second digital certificate for data encipherment.
  • As regards data encipherment, use is made for example of asymmetric cryptography functions. In this case, the chip card contains a digital certificate, a public key Kpub, used for data encipherment, and a private key Kpri used to decipher what has been enciphered by means of the public key. The public key Kpub can be transmitted to a program executing outside of the chip card with a view to encipherment, while the use of the private key Kpri is reserved for the secure environment of the chip card and for the decipherment programs implemented in the chip card.
  • The keys KCi and KDi for enciphering and deciphering the data of the partitions of the user are themselves enciphered by means of the public key Kpub of the digital encipherment certificate before being stored in the memory 20 a, 20 b. The chip card is used in the context of the invention to decipher the enciphered keys KCCi and KCDi by means of the private key Kpri of the digital encipherment certificate.
  • A rule defines which enciphering key, respectively deciphering key, must be used for a data partition or block. For example, if N enciphering keys (and therefore N deciphering keys) are used, and if there are Z memory blocks to be enciphered, the rule defines that a block x, 0≦x<Z, will be enciphered, respectively deciphered, by means of the enciphering key KCi, respectively deciphering key KDi, such that x is congruent to i modulo N.
  • The method according to the invention is now described in greater detail by reference to FIG. 2.
  • In step 100, the connection is effected between on the one hand the terminal 10 and on the other hand a device, designated under the general reference 35. The device 35 comprises in the embodiment of FIG. 1 a, the peripherals 25 a, 35 a, 45 a, and, in the embodiment of FIG. 1 b, the device 35 b.
  • In step 105, the terminal is powered up and started.
  • In step 110 the BIOS program of the terminal is started. This BIOS program executes a procedure for detecting the peripherals present on the terminal or interconnected to this terminal. It searches, according to a predefined order in a configurable list which is specific to it, among the data recording media, for the first medium comprising a booting sector comprising data for booting the operating system. Traditionally, the standard configuration of the startup lists indicates that the apparatuses connected to the USB bus must be interrogated before the hard disk of the terminal. Consequently, in the invention, it is the USB key memory boot sector which is used.
  • In step 111, the memory responds to the presence detection. The program of the BIOS therefore detects the presence of a storage memory 20 a, 20 b on the USB peripheral 25 a or 35 b. In step 112, the program of the BIOS read-accesses the memory.
  • In step 115, the BIOS program triggers the execution of the startup program found in the memory. This startup program actually triggers the execution of the operating system stored in the memory 20 a, 20 b.
  • In step 120, the operating system detects the presence of a chip card reader and runs the driver corresponding to this chip card reader, which driver is also stored in the memory 20 a, 20 b. In step 121, the chip card reader is started following the running of its driver.
  • In step 125, the operating system runs the data access management driver, which driver is also stored in the memory 20 a, 20 b. This driver dispatches a request to the driver of the reader of the chip card to ask the chip card to decipher deciphering keys KCDi. In step 126, the reader of the chip card asks the user to enter his identification code. In the event of erroneous entry, after three erroneous attempts, access to the chip card is denied and the method is interrupted. In the converse case, the chip card is unlatched and deciphers the deciphering key or keys KCDi, then returns deciphered keys KDi to the data access management driver.
  • In step 130 the data access management driver sets up, that is to say constructs, on the basis of a part (a partition, a file, a block) of the memory 20 a, 20 b (physical mass medium) comprising the user's enciphered data, a virtual partition so that the enciphered data stored in this part is rendered accessible by a user of the terminal. The part of the memory is thus rendered accessible by the user via a virtual storage peripheral containing an encrypted system of files. The logical organization of the files stored in the part of the memory is seen by the user as a tree of directories and files, which tree is identical or similar to those customarily used for a hard disk partition, the data access management driver constructing this tree so as to render the data stored in the relevant part of the memory 20 a, 20 b accessible by a user of the terminal.
  • Following a request for read-access (respectively write-access) to a data file of this tree, the data access management driver deciphers (respectively enciphers) on the fly the data block or blocks comprising this file by using the deciphered keys KDi, the whole of the data to be deciphered being projected into memory by the so-called mapping technique before decipherment and preserved in projection memory in deciphered form, so as to be able to be used or modified by the user of the terminal. In this way a virtual or logical mass medium, the image of a part of the physical mass medium, is rendered accessible by the user by virtue of the data access management driver.
  • Advantageously, no memory swapping process will be used. The absence of swapping guarantees that the deciphered file will never be present on any disk, or even on another medium, thereby enhancing the security of the device.
  • In this way, the user of the terminal has on the basis of the USB memory a conventional system of files, the driver being in charge of enciphering and deciphering the blocks of the USB memory during use.
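The key handling of steps 125 to 130, together with the rule that block x uses the key i with x congruent to i modulo N, can be modelled as follows. This is an added example, not code from the patent: all class and function names are hypothetical, textbook RSA over two Mersenne primes stands in for the card's Kpub/Kpri pair and a SHA-256 keystream stands in for the block cipher (neither is secure; both are chosen so the model runs with the Python standard library alone). It also assumes the symmetric case (KCi identical to KDi) and a PIN retry counter that resets on a correct entry.

```python
import hashlib
import hmac
import secrets

# Toy stand-in for the card's Kpub/Kpri: textbook RSA over two Mersenne primes.
# NOT secure; used only so the example runs with the standard library.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N_MOD = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
KEY_LEN = 32  # bytes per block key KCi/KDi (symmetric case: KCi == KDi)


class WrongPin(Exception):
    """PIN rejected, attempts remain."""


class CardBlocked(Exception):
    """Three erroneous PIN entries: the card refuses all further use."""


class ChipCard:
    MAX_TRIES = 3

    def __init__(self, pin):
        self._pin = pin.encode()
        self._tries_left = self.MAX_TRIES
        self._unlocked = False
        self.kpub = (N_MOD, E)  # the public key may leave the card

    def verify_pin(self, pin):
        if self._tries_left == 0:
            raise CardBlocked("card is blocked")
        if hmac.compare_digest(pin.encode(), self._pin):
            self._tries_left = self.MAX_TRIES  # assumption: reset on success
            self._unlocked = True
            return
        self._unlocked = False
        self._tries_left -= 1
        if self._tries_left == 0:
            raise CardBlocked("third erroneous PIN entry")
        raise WrongPin(f"{self._tries_left} attempt(s) left")

    def decipher_key(self, kcd):
        """Unwrap one enciphered key KCDi with Kpri; Kpri never leaves the card."""
        if not self._unlocked:
            raise PermissionError("PIN not presented")
        return pow(kcd, D, N_MOD).to_bytes(KEY_LEN, "big")


def wrap_key(kpub, key):
    """Encipher a block key with Kpub before it is stored in the memory."""
    n, e = kpub
    return pow(int.from_bytes(key, "big"), e, n)


def key_index(x, n_keys):
    """Rule from the description: block x uses key i with x congruent to i mod N."""
    return x % n_keys


def xor_block(key, x, data):
    """Stand-in cipher: XOR with a SHA-256 keystream bound to key and block number.
    Rewriting a block reuses its keystream, another reason this is only a model."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        seed = key + x.to_bytes(8, "big") + counter.to_bytes(8, "big")
        stream += hashlib.sha256(seed).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def provision(kpub, plain_blocks, n_keys):
    """Build what the memory stores: enciphered blocks and wrapped keys (KCDi)."""
    keys = [secrets.token_bytes(KEY_LEN) for _ in range(n_keys)]
    enc = [xor_block(keys[key_index(x, n_keys)], x, b)
           for x, b in enumerate(plain_blocks)]
    return enc, [wrap_key(kpub, k) for k in keys]


class DataAccessDriver:
    """Steps 125-130: fetch KDi from the card once, then work on the fly."""

    def __init__(self, card, enc_blocks, wrapped_keys):
        self._blocks = list(enc_blocks)
        self._kd = [card.decipher_key(k) for k in wrapped_keys]

    def read_block(self, x):
        key = self._kd[key_index(x, len(self._kd))]
        return xor_block(key, x, self._blocks[x])

    def write_block(self, x, data):
        key = self._kd[key_index(x, len(self._kd))]
        self._blocks[x] = xor_block(key, x, data)


if __name__ == "__main__":
    card = ChipCard("1234")  # constructed sample PIN
    plain = [f"user data block {x}".encode() for x in range(7)]  # constructed
    enc, wrapped = provision(card.kpub, plain, n_keys=3)
    card.verify_pin("1234")
    driver = DataAccessDriver(card, enc, wrapped)
    print(driver.read_block(5), "uses key", key_index(5, 3))
```

The plaintext block keys exist only in the driver's memory after the card has accepted the PIN; the medium holds nothing but enciphered blocks and wrapped keys.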
  • In step 140, the operating system detects the presence of a network access module 30 a, 30 b and runs the driver corresponding to this network access module, which driver is also stored in the memory 20 a, 20 b. In step 141 the network access module 30 a, 30 b is started up.
  • In step 150, the operating system triggers the execution of the program for connecting to the telecommunication network 50 stored in the memory 20 a, 20 b. This program dispatches commands to the network access module in order to establish the connection. Preferably, this connection program is preconfigured with connection parameters specific to the user, which are stored in the memory 20 a, 20 b. In this way, the user does not need to perform any manual configuration in order to establish this connection.
  • As an alternative, it is the user who manually triggers the execution of the network connection program.
  • In step 151, following the triggering of this program, the connection to the network is established by the module 30 a, 30 b for accessing the network 50. At this juncture, the user can access services on the network (Web, messaging, etc.).
  • In step 155, the network connection program triggers a procedure for setting up a secure link or secure tunnel between the terminal 10 and the server 60 interconnected to the network 50.
  • The procedure for establishing the secure link is either triggered automatically by the connection program or at the request of the user of the terminal 10.
  • In step 156, following step 55 and following an authentication request received from the server 60 by the terminal 10 during the procedure for establishing the secure link, the chip card reader or the device 35 b asks the user to enter his identification code, so as to unlatch access to the strong authentication certificate stored in the chip card in order to carry out a strong authentication operation. Optionally, this identification code can be different from the code used in step 126.
  • In step 160, in the event of successful authentication, the procedure for establishing the secure link continues. The establishment of the secure link calls upon customary techniques for establishing virtual private networks, implementing in particular a secure protocol (IKE and IPSec for example). In step 161, following the establishment of the connection, the user is able to access the server 60. In the case where this server serves as access gateway to a company network, the user will be able to access this company network.
  • Optionally, the user can update his software environment by downloading, from this server or another server, correctives or new programs and insert them onto his memory module.
  • To restore the initial configuration of the terminal 10, it suffices for the user to stop the terminal 10 and disconnect the peripherals 25 a, 35 a, 45 a (embodiment of FIG. 1 a) or the device 35 b (embodiment of FIG. 1 b): when the terminal 10 is next started up, the latter will be in its initial configuration again.
  • By virtue of the software embedded in the memory module, it is possible, without manual configuration of the user, to access enciphered data stored on a data storage medium, to operate a network access module and to access the network 50 from the terminal 10, doing so whatever the host terminal 10 to which the device 35 b or the peripherals 25 a, 35 a, 45 a are hooked up.
  • From a technical point of view, the device exhibits a very high security level on account of the coupled use of a memory, a network access card and a chip card.
  • Using a chip card makes it possible to use, during encipherment, much longer keys than a simple password and therefore improves the security level of the device. Furthermore, the chip card much improves the ergonomics of the device by limiting user entry to a short identification code (in general 4 digits), before authorizing access to the private data of the card. Finally, a chip card shuts down after three fruitless attempts at code entry, thereby making it possible to prevent attacks by exhaustive attempts.
  • Access to the enciphered data and the setting up of a secure communication tunnel are conditioned by the provision of a personal identification code (PIN).
  • The hard disk of the terminal 10 is never invoked. Furthermore the user does not leave any personal data there. Moreover, the user cannot execute the programs that are resident on the hard disk of the machine, in particular viruses or malicious programs. Generally, only the programs that are present in the memory will be able to be executed.
  • If the procedure for remotely updating the software in the memory module is intact, the complete software remains intact over time. There is no risk of deterioration of the security level. Preferably, the update management program comprises a downloaded software signature verification function to prevent the downloading of uncertified programs.
  • By virtue of the invention, the connection program is preconfigured to operate with a predefined network access module and in the context predefined by the telecommunication operator providing access to the network, and in particular with connection parameters specific to a user.
  • When the operating system is started up, that is to say when the terminal 10 is started up, the operating system uses the resources of the network access module to allow access to the network by the user's programs.
  • The connections pass through a network controlled by the user himself (company network or domestic network) or by his operator (mobile or WiFi network).
  • As a supplement, it is technically easy, for example by not providing the drivers for managing these interfaces, to contrive matters such that the operating system started up from the memory module cannot use network interfaces other than that of the device. This avoids connection to non-secure networks.
  • As regards access to the modem of the device 35 a, 35 b or access to the chip card of the device 35 b, a wireless link can be used as an alternative to a USB bus-based wired link between the terminal and the device 35 a, 35 b, for example a WiFi or Bluetooth link.
  • As regards the use of the SIM card of the network access module as card (embodiment of FIG. 1 b), a virtual driver such as that described in the patent document published under the number WO2005/036822 is preferably used for the terminal 10. Such a driver may be used equally well with a wired or nonwired link between the terminal and the device 35 a, 35 b. In this way, the terminal will be able to access the SIM card as if dealing with a chip card inserted into a local chip card reader, and therefore disregarding the USB link and access constraints related to the integration of the SIM card into the environment of the mobile terminal.
  • A virtual driver is also usable for driving the network access module, in such a way that the network access programs operate in the same manner as if the network access module was a module installed locally in the terminal 10.
  • As an alternative to the use of a USB key, in particular in the case of a relatively old personal computer 10 which cannot start up on the USB port, it is possible to use a CD-ROM for the first phase of configuring and starting up the operating system, then, once the operating system has been started and the USB peripherals are accessible, to search for the user data on the USB-based storage area or on a storage area accessible via another type of communication link, for example a memory area of the mobile terminal 35 b which would be accessible via a Bluetooth link established between the terminal 10 and the mobile terminal 35 b.
  • Generally, to increase the storage capacity, two recording media can be used: one for installing the operating system and drivers, the other for the user's data. In this case, the first of the two media is accessible by the BIOS and detected as forming part of the list of media that the BIOS analyzes to detect therein the presence of a startup program. The second of the two media is accessible from the terminal 10 by means of a storage peripheral management driver via a communication link between the terminal 10 and this recording medium.
  • In an embodiment where data storage volume will be favored over speed of execution, it will be possible to replace the USB memory by a mini hard disk.
  • The process for configuring the terminal 10 according to the invention is entirely automated. The only moments at which the user intervenes are when entering personal identification codes, or optionally, for running the connection program or the program for establishing the secure link. By virtue of the invention, it therefore becomes extremely simple for a travelling user to configure any personal computer in order to access a network, or more simply, so as to work in a predefined software environment and with his own specific data. The integrity of the software environment and of the user's data is guaranteed.

Claims (11)

1-10. (canceled)
11: A method of configuring a terminal comprising:
initializing the terminal, and which automatically triggers at least:
detecting presence of a memory by a basic input/output system of the terminal;
accessing the memory by the basic input/output system;
starting up an operating system of the terminal stored in the memory; and
starting up a driver of a telecommunication network access module, the driver of the access module being stored in the memory and configured to drive the access module from the terminal through a communication link between the terminal and a telecommunication device including the access module.
12: The configuration method as claimed in claim 11, further comprising:
establishing a communication link between the terminal and the communication network, by the access module and connection parameters stored in the memory.
13: The configuration method as claimed in claim 11, further comprising:
starting up a driver of a chip card reading device configured to interrogate a chip card, the driver being stored in the memory and configured to drive the reading device through a communication link between the terminal and the reading device.
14: The configuration method as claimed in claim 13, further comprising:
establishing a secure communication tunnel between the terminal and a server of the telecommunication network, during which a strong authentication procedure is implemented by a chip card interrogatable via the driver of the chip card reading device.
15: The configuration method as claimed in claim 13, further comprising:
constructing at least one virtual partition based on enciphered data stored in the memory to render the enciphered data accessible by a user of the terminal.
16: The configuration method as claimed in claim 13, further comprising:
dispatching to a chip card, interrogatable via the driver of the chip card reading device, a request to decipher at least one enciphered deciphering key;
deciphering at least part of the enciphered data stored in means for storing data by at least one deciphered deciphering key.
17: A device for configuring a terminal, the device comprising:
a memory;
a telecommunication device comprising a telecommunication network access module;
the memory being accessible by a basic input/output system of the terminal during a phase of starting up of the terminal, the memory comprising:
an operating system of the terminal,
a driver of the access module configured to drive the access module from the terminal through a communication link between the terminal and the telecommunication device,
the starting up of the terminal automatically triggering at least:
detection by the basic input/output system of the terminal of presence of the memory,
access by the basic input/output system to the memory,
starting up of the operating system stored in the memory, and
starting up of the driver of the access module.
18: The device as claimed in claim 17, further comprising:
a chip card;
a reading device configured to interrogate the chip card;
the memory further comprising:
a driver of the reading device configured to drive the reading device from the terminal through a communication link between the terminal and the reading device,
the operating system configured to start up the driver of the reading device.
19: The device as claimed in claim 17, further comprising:
means for storing data comprising: enciphered data, and at least one enciphered deciphering key;
the memory further comprising:
a data access management driver configured to construct at least one virtual partition based on enciphered data stored in the means for storing data, to render the enciphered data accessible by a user of the terminal, the data access management driver configured to dispatch to the chip card via the driver of the reading device a request to decipher at least one enciphered deciphering key and configured to trigger the decipherment of at least part of the enciphered data by at least one deciphered deciphering key,
the operating system configured to trigger execution of the deciphering driver.
20: The device as claimed in claim 18, the memory, the access module, and the chip card being integrated into a mobile telecommunication terminal.
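The key handling recited in claim 19 can be illustrated with a short sketch, added here as an example and not part of the patent text. The class and function names, the provisioning step, the binding of each sector to its index, and the hash-based stand-in cipher are all assumptions of the sketch; the card is simulated in software.

```python
import hashlib, hmac, os

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher for the sketch: SHA-256 counter keystream. Use a vetted AEAD in practice.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key, plaintext, context=b""):
    nonce = os.urandom(16)
    body = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), context + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key, blob, context=b""):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), context + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("integrity check failed")
    return _xor_stream(_subkey(key, b"enc"), nonce, body)

class ChipCard:
    """Simulated card: the key-encryption key (KEK) never leaves this object."""
    def __init__(self):
        self._kek = os.urandom(32)
    def encipher_key(self, dek):      # provisioning step, assumed for the sketch
        return seal(self._kek, dek, b"dek")
    def decipher_key(self, wrapped):  # the request the data access driver dispatches
        return unseal(self._kek, wrapped, b"dek")

def provision(card, sectors):
    """Returns what the storage means hold: enciphered key plus enciphered sectors."""
    dek = os.urandom(32)
    stored = [seal(dek, s, i.to_bytes(8, "big")) for i, s in enumerate(sectors)]
    return card.encipher_key(dek), stored

class DataAccessDriver:
    """Exposes the enciphered sectors as a readable virtual partition."""
    def __init__(self, card, wrapped_dek, stored):
        self._dek = card.decipher_key(wrapped_dek)
        self._stored = stored
    def read(self, index):
        return unseal(self._dek, self._stored[index], index.to_bytes(8, "big"))
```

With a different card, or with stored sectors swapped or altered, the integrity check fails and nothing is returned, so the stored data stays unreadable without the card that enciphered the key.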
US12/279,991 2006-02-21 2007-02-13 Method and device for securely configuring a terminal Abandoned US20090138643A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR0601536 2006-02-21
FR0601536 2006-02-21
PCT/FR2007/050794 WO2007096554A2 (en) 2006-02-21 2007-02-13 Method and device for securely configuring a terminal

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
PCT/FR2007/050794 A-371-Of-International WO2007096554A2 (en) 2006-02-21 2007-02-13 Method and device for securely configuring a terminal

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US13/253,528 Continuation US9071599B2 (en) 2006-02-21 2011-10-05 Method and device for securely configuring a terminal

Publications (1)

Publication Number Publication Date
US20090138643A1 true US20090138643A1 (en) 2009-05-28

Family

ID=37137470

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/279,991 Abandoned US20090138643A1 (en) 2006-02-21 2007-02-13 Method and device for securely configuring a terminal
US13/253,528 Active US9071599B2 (en) 2006-02-21 2011-10-05 Method and device for securely configuring a terminal


Country Status (3)

Country Link
US (2) US20090138643A1 (en)
EP (1) EP1987653B1 (en)
WO (1) WO2007096554A2 (en)




Also Published As

Publication number Publication date
WO2007096554A3 (en) 2007-10-11
EP1987653B1 (en) 2019-12-04
US9071599B2 (en) 2015-06-30
WO2007096554A2 (en) 2007-08-30
US20120089838A1 (en) 2012-04-12
EP1987653A2 (en) 2008-11-05


Legal Events

Date Code Title Description
AS Assignment

Owner name: FRANCE TELECOM, FRANCE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHARLES, OLIVIER;TINNES, JULIEN;LECLERCQ, ERIC;REEL/FRAME:022684/0804;SIGNING DATES FROM 20080912 TO 20090125

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION