EP3298857A1 - Verfahren zur implementierung von sicherheitsregeln in einem endgerät - Google Patents
Verfahren zur implementierung von sicherheitsregeln in einem endgerätInfo
- Publication number
- EP3298857A1 EP3298857A1 EP16724287.4A EP16724287A EP3298857A1 EP 3298857 A1 EP3298857 A1 EP 3298857A1 EP 16724287 A EP16724287 A EP 16724287A EP 3298857 A1 EP3298857 A1 EP 3298857A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- security
- security element
- terminal
- rules
- predetermined
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/18—Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
- H04W88/02—Terminal devices
- H04W88/06—Terminal devices adapted for operation in multiple networks or having at least two operational modes, e.g. multi-mode terminals
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04B—TRANSMISSION
- H04B1/00—Details of transmission systems, not covered by a single one of groups H04B3/00 - H04B13/00; Details of transmission systems not characterised by the medium used for transmission
- H04B1/38—Transceivers, i.e. devices in which transmitter and receiver form a structural unit and in which at least one part is used for functions of transmitting and receiving
- H04B1/3816—Mechanical arrangements for accommodating identification devices, e.g. cards or chips; with connectors for programming identification devices
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/40—Security arrangements using identity modules
- H04W12/45—Security arrangements using identity modules using multiple identity modules
Definitions
- the invention relates to a method for implementing security rules in a terminal and a corresponding terminal.
- BYOD bring your own device
- One or more security elements in the BYOD device are for business use only, whereas one or more other security elements are only used privately.
- BYOD devices are preferably mobile devices and in particular smartphones, which contain a plurality of mobile radio identification modules (SIM / USIM modules) as security elements.
- the object of the invention is to implement simple and flexible security rules in a terminal with a plurality of security elements.
- the inventive method is used to implement security rules in a terminal in which a first security element and one or more second security elements are provided.
- the terminal is a mobile device.
- the first security element sends predefined commands to the terminal.
- the first security element monitors compliance with given security rules with regard to information regarding the second security element (s) and uses the given commands as part of this monitoring.
- the invention has the advantage that simple and flexible means of commands that are sent through a first security element, security rules can be enforced with respect to other (second) security elements.
- known card application toolkit commands are used as predefined commands which can be actively transmitted to the terminal by the first security element.
- the card application toolkit commands are based on the standard ETSI TS 102 223 ("Card Application Toolkit (CAT)").
- the card application toolkit commands can also be used on the ETSI TS 101 267 (“ SIM Application Toolkit ”) or 3GPP 31.111 (“ USIM Application Toolkit ”).
- the term" Card Application Toolkit Command may refer to commands from any of these standards.
- a respective second security element is preferably a chip card and / or an embedded ICC and / or a mobile radio module (eg
- the second security element may also be a virtual SIM, e.g. in a TEE environment, or an external SIM card that preferably communicates contactlessly with the terminal.
- the first security element retrieves information relating to a respective second security element by means of a predetermined command of a first type and compares this retrieved information with the predetermined security rules. That is, it is determined whether the retrieved information complies with the security rules.
- the first security element initiates a measure to comply with the prescribed security rules by means of a predetermined command of a second type.
- special commands for retrieving information and other special commands are used to initiate measures to comply with the security rules.
- the terminal triggered by the predetermined command of the first type, reads from the respective second security element the information relating to the respective second security element and transmits this information to the first security element.
- the given commands are Card Application Toolkit commands
- the measure for maintaining the predetermined security rules comprises switching off the respective second security element.
- the command "POWER OFF CARD" is preferably used as a command of the second type for switching off the respective second security element.
- the first security element informs itself automatically, in particular by registering for an event, by means of a predefined command of a specific type via the
- the first security element preferably registers with the "Card Reader Status” event and uses the "GET READER STATUS” command as the default command of the specific type.
- the information relating to the second security element (s) comprises one or more features of a respective second security element, in particular one or more security features of a respective second security element and / or at least a portion of an identifier of a respective second security element.
- the information relating to the or the second security elements comprises one or more features of the mobile radio identification code.
- the feature (s) male of the mobile network operator and / or mobile network belonging to the mobile radio module include one or more of the following features:
- the feature whether cloned mobile radio identification modules have occurred at the mobile network operator, wherein the predetermined security rules are not met, in particular, when cloned mobile radio identification modules have occurred at the mobile network operator.
- the predetermined security rules also relate to additional information concerning the terminal, wherein the first security element also uses the predetermined commands within the framework of monitoring compliance with the predetermined security rules in relation to the additional information.
- the invention relates to a terminal in which a first security element and one or more second security elements are provided, wherein the terminal configured in such a way is that security rules are implemented in its operation with a method in which
- the terminal is preferably set up to carry out one or more preferred variants of the method according to the invention.
- Fig. 1 shows a terminal with several SIM cards, in which an embodiment of the method according to the invention is implemented
- FIG 2 shows an example of the retrieval of information for checking security rules according to an embodiment of the method according to the invention.
- Fig. 1 is a schematic diagram showing a terminal ME in the form of a mobile phone.
- the terminal ME four security elements are used in corresponding card readers, which are SIM cards in the embodiment described here.
- the SIM card SE is a predetermined preferred SIM card, which is a variant of a first security element in the sense of the claims.
- the other three SIM cards SE 'are variants of second security elements within the meaning of the patent Claims.
- the terminal ME represents a so-called BYOD device. Due to the large number of SIM cards, the device can be used both privately and commercially. However, it must be ensured that all SIM cards comply with appropriate business rules. This is achieved by the method described below.
- the first security element SE is provided for implementing security rules with respect to the second security elements SE 1 .
- the "card application toolkit (CAT)" known per se is deposited on the SIM card SE in accordance with the standard ETSI TS 102 223. This standard comprises a large number of card application toolkit commands that are stored on the SIM card
- the card application toolkit can be used for SIM cards as well as USIM cards. If necessary, the "SIM Application Toolkit” (standard ETSI TS 101) can also be used 267) or the "USIM Application Toolkit” (standard 3GGP 31.111)
- SIM cards are shown in Fig. 1, other mobile radio cards or cellular identification modules, such as USIM cards, may also be used With these cards, the inventive method can be performed.
- predetermined security rules SP are implemented with the first security element SE, to which the first security element SE has access, as indicated by a double arrow in FIG. 2.
- the card application toolkit commands also referred to below as CAT commands
- the security rules relate to the second security elements SE '. It is therefore necessary to detect the current status of the second security elements at the start of the terminal ME and in a change with respect to the second security elements SE 1 .
- the second security element can also be a virtual security element (virtual SIM) or an external security element. However, this presupposes that the security element or its (virtual or contactless) card reader can be addressed analogously by means of C AT commands.
- the individual second security elements SE 'and also the first security element SE are inserted into respective card readers.
- the card reader toolkit event "Card Reader Status” is therefore used to inform about a change in the status of the security elements
- the CAT command "GET READER STATUS from the first security element SE to the terminal ME in order to obtain information about the card readers and the state of the respective cards in the readers. In particular, it is determined whether a card is inserted in the respective card reader and turned on. If this is the case, the given security rules are checked with respect to all connected cards.
- the predetermined security rules are preferably stored in the terminal ME.
- the security rules can also be stored on the first security element SE or in an external database outside the mobile device, provided access to this database is ensured by the first security element. Since the predetermined security rules SP relate to the second security elements SE ', the first security element SE for implementing the security rules must retrieve information relating to the second security elements SE. For this, the first security element uses the CAT command "PERFORM CARD APDU" CAT commands causes the terminal ME to read out information from a respective second security element SE 'via so-called APDUs (Application Protocol Data Unit, see standard ISO 7816-4) and to transmit it to the first security element SE. This process is illustrated in FIG. 2.
- the "PERFORM CARD APDU" command is transmitted from the first security element SE to the terminal ME as a CAT command CO.
- the terminal ME sends a C-APDU to a corresponding second security element SE '.
- This C-APDU contains a command to retrieve predetermined, publicly available information from the second security element SE 'In particular, this information comprises the known data elements MCC, MNC, ICCID, LOCI etc.
- MCC is the country code of the mobile network operator of the security element
- MNC is the mobile network code (MNC) network code ICCID is a unique identifier of the security element SE 'LOCI is location information related to the mobile operator's mobile network.
- the above-mentioned information is transmitted to the terminal ME in response to the C-APDU by means of an R-APDU. Subsequently, a so-called “Terminal Response” is again transmitted in the form of an R-APDU from the terminal ME to the first security element SE, which contains the corresponding information from the second security element SE '.
- the first security element SE After receiving the terminal response, the first security element SE analyzes the information of the corresponding second security element SE '. In other words, a check is made as to whether the transmitted information corresponds to the predetermined security rules SP. For example, it can first be determined with the MCC and the MNC to which mobile radio network operator the security element SE 'belongs. Subsequently, this mobile network operator can be compared with a local or remote database to determine what security level the mobile network of the mobile network operator of the security element SE 'has. If the security level does not meet a corresponding specification in the security rules SP, the non-fulfillment of the security rules is determined by the security element SE and the security element SE 'is switched off, as explained below.
- each card reader contains a security element in the form of a SIM card Card inserted.
- the SIM card in the card reader CR6 is a first security element in the sense of the claims.
- the remaining SIM cards in the other card readers are second security elements in the sense of the claims.
- the individual mobile network operators MNO of the respective SIM cards are specified in the second column of the table and labeled A, B, ..., H.
- the remaining columns of the table are features related to the SIM cards that are considered in the security rules.
- a feature is always satisfied for a SIM card of a corresponding row if the entry of the feature for the row contains an "x.” If the entry contains the character "-", the feature is not satisfied.
- the SIM card in the card reader CR6 ie for the first security element
- SC Small Cell
- small cells The mobile network of the corresponding SIM card contains so-called small cells, whereby the term "small cell” is well known to the person skilled in the art. Examples are micro, pico or femtocells.
- DES Data Encryption Standard
- CC Cloned Cards
- OR Other Reasons: Other features related to the corresponding SIM card.
- the safety rules SP are already not complied with if at least one characteristic from the above table is fulfilled for a corresponding SIM card. Thus, according to the above table, the security rules are only met for the card in the card reader CR7.
- the security rules also relate to features of the mobile phone ME. These features are retrieved via the CAT command "RUN AT COMMAND" by the first security element SE With the command “RUN AT COMMAND” the security element SE transmits a per se known AT command to the terminal ME. The AT command is executed by the terminal and in turn causes a "Terminal Response", which is returned to the security element SE. In addition to the retrieval of information from the terminal, the command "RUN AT COMMAND" with the associated AT command also be used to comply with security rules regarding the terminal. Among other things, AT commands can be used to connect the terminal or modem of the To configure terminal for connection to a USB cable, an infrared port, using Bluetooth and the like or to retrieve information about the current configuration or the current operating status of the terminal or its modem.
- security rules can be implemented simply and flexibly in a terminal by means of a security element, CardApplication Toolkit commands being used to enforce the security rules.
- CardApplication Toolkit commands being used to enforce the security rules.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Databases & Information Systems (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephone Function (AREA)
Abstract
Description
Claims
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102015006435.5A DE102015006435A1 (de) | 2015-05-18 | 2015-05-18 | Verfahren zur Implementierung von Sicherheitsregeln in einem Endgerät |
PCT/EP2016/000814 WO2016184565A1 (de) | 2015-05-18 | 2016-05-17 | Verfahren zur implementierung von sicherheitsregeln in einem endgerät |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3298857A1 true EP3298857A1 (de) | 2018-03-28 |
Family
ID=56068826
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP16724287.4A Ceased EP3298857A1 (de) | 2015-05-18 | 2016-05-17 | Verfahren zur implementierung von sicherheitsregeln in einem endgerät |
Country Status (4)
Country | Link |
---|---|
US (1) | US20180176258A1 (de) |
EP (1) | EP3298857A1 (de) |
DE (1) | DE102015006435A1 (de) |
WO (1) | WO2016184565A1 (de) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108089931A (zh) * | 2017-11-30 | 2018-05-29 | 大唐微电子技术有限公司 | 一种同步se信息的方法及装置、可穿戴支付设备 |
CN111125705B (zh) | 2018-11-01 | 2022-08-19 | 华为终端有限公司 | 一种能力开放方法及装置 |
WO2020088323A1 (zh) * | 2018-11-01 | 2020-05-07 | 华为技术有限公司 | 一种能力开放方法及装置 |
WO2020185204A1 (en) * | 2019-03-11 | 2020-09-17 | Hewlett-Packard Development Company, L.P. | Network device compliance |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
ES2524242T3 (es) * | 2010-08-05 | 2014-12-04 | Gemalto Sa | Sistema y procedimiento para utilizar con total seguridad múltiples perfiles de abonados con un componente de seguridad y un dispositivo de telecomunicación móvil |
US8954067B2 (en) * | 2011-12-23 | 2015-02-10 | Nokia Corporation | Method and apparatus for emulating a plurality of subscriptions |
KR20150051813A (ko) * | 2013-11-05 | 2015-05-13 | 한국전자통신연구원 | 복수의 보안 모듈을 구비하는 컴퓨팅 장치의 보안을 동적으로 제어하는 장치 및 방법 |
-
2015
- 2015-05-18 DE DE102015006435.5A patent/DE102015006435A1/de not_active Withdrawn
-
2016
- 2016-05-17 EP EP16724287.4A patent/EP3298857A1/de not_active Ceased
- 2016-05-17 WO PCT/EP2016/000814 patent/WO2016184565A1/de active Application Filing
- 2016-05-17 US US15/574,955 patent/US20180176258A1/en not_active Abandoned
Also Published As
Publication number | Publication date |
---|---|
DE102015006435A1 (de) | 2016-11-24 |
WO2016184565A1 (de) | 2016-11-24 |
US20180176258A1 (en) | 2018-06-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2235978B1 (de) | Verfahren zur verwaltung der autorisierung von mobiltelefonen mit und ohne sim-karte | |
EP2528362B1 (de) | Wechsel von subskriptionsdaten in einem identifizierungsmodul | |
WO2016184565A1 (de) | Verfahren zur implementierung von sicherheitsregeln in einem endgerät | |
EP3334140A1 (de) | Autorisierung im intercom-netzwerk, mobiles endgerät und verfahren | |
DE202008018009U1 (de) | Zellulare Basisstation | |
EP2987350B1 (de) | Mobilstation umfassend sicherheitsressourcen mit unterschiedlichen sicherheitsniveaus | |
EP2898714A1 (de) | Teilnehmeridentitätsmodul zum authentisieren eines teilnehmers an einem kommunikationsnetzwerk | |
EP3257219B1 (de) | Verfahren zum betreiben eines sicherheitselements | |
EP1802148B1 (de) | Verfahren und Vorrichtungen für die Autorisierung von Modulen eines Mobilfunkgerätes | |
WO2019214842A1 (de) | Kommunikation in einem mobilfunknetz | |
EP3314933B1 (de) | Kommunizieren eines teilnehmeridentitätsmoduls zu einem server, insbesondere bei profilwechsel | |
EP2528363A2 (de) | Wechsel der Subskription in einem Identifizierungsmodul | |
EP1895792B1 (de) | Verfahren und Vorrichtungen für die Aktualisierung der Konfiguration eines Mobilfunkteilnehmer-Identifikations-Moduls | |
EP3669562B1 (de) | Verfahren zur inbetriebnahme und personalisierung eines teilnehmeridentitätsmoduls | |
EP1723815A1 (de) | Synchronisation von daten in zwei oder mehr teilnehmerkarten zum betreiben eines mobilen endger ts | |
DE19929753B4 (de) | Zellulares Mobilfunknetz und Verfahren zum Betrieb eines solchen | |
WO2015018510A2 (de) | Verfahren und vorrichtungen zum wechseln eines mobilfunknetzes | |
EP1869921B1 (de) | Verfahren zur verbesserung des missbrauchsschutzes bei einer chipkarte und eine chipkarte zur durchführung des verfahrens | |
EP1768316B1 (de) | Entsperren einer mobilfunkkarte | |
EP3277004B1 (de) | Teilnehmeridentitätsmodul für einen zugriff auf ein mobilfunknetzwerk | |
DE60203811T2 (de) | Funkkommunikationsmodul, das ein hauptsoftwareprogramm ausführt, dessen niedrige schichten einem client-softwareprogramm, das ebenfalls durch das modul ausgeführt wird, offen sind | |
DE112013003499B4 (de) | Private Line Automatic Ringdown-artige Verbindung für ein mobiles Gerät | |
DE102015015212B4 (de) | Verfahren zum Betreiben eines Sicherheitsmoduls und Sicherheitsmodul | |
DE102008051869B4 (de) | Chipkarte mit implementiertem Befehlssatz | |
DE60202195T2 (de) | Modulares drahtloses endgerät |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20171218 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
AX | Request for extension of the european patent |
Extension state: BA ME |
|
DAV | Request for validation of the european patent (deleted) | ||
DAX | Request for extension of the european patent (deleted) | ||
17Q | First examination report despatched |
Effective date: 20180928 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R003 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION HAS BEEN REFUSED |
|
18R | Application refused |
Effective date: 20190211 |