USRE47020EActiveUtility

Certificate based access control in open mobile alliance device management

65
Assignee: SONY MOBILE COMMUNICATIONS INCPriority: Nov 12, 2010Filed: May 11, 2016Granted: Aug 28, 2018
Est. expiryNov 12, 2030(~4.3 yrs left)· nominal 20-yr term from priority
H04L 63/0823H04L 41/28H04W 12/08H04W 12/37H04L 67/125
65
PatentIndex Score
1
Cited by
15
References
28
Claims

Abstract

A wireless communication device provides a method of certificate-based access control. Particularly, the device establishes a secure communications session with a device management server. Rather than use access control lists to control access to the functions and services on the device, however, the device uses the certificate that was employed to establish the secure session to control access.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method of certificate-based access control in a wireless communication device, the method comprising:
 storing a management object in a memory of a wireless communication device, the management object having a unique first management object ID and one or more nodes associated with corresponding device management functions; 
 establishing a secure communication session with a network server using a certificate; 
 receiving one or more requested management object IDs in the certificate; and 
 binding the certificate to the management object at the wireless communication device, wherein the binding the certificate comprises:
 associating the one or more requested management object IDs received in the certificate used to establish the communication session with a certificate ID of the certificate; and 
 storing the association in the memory at the wireless communication device; 
 
 controlling access to the management object by the server based on whether the certificate used to establish the communication session is valid to access the management object. 
 
     
     
       2. The method of  claim 1  wherein the secure communication session comprises a device management session. 
     
     
       3. The method of  claim 1  wherein binding the certificate to the management object at the wireless communication device comprises placing the one or more first management object IDs ID of the management object into the certificate. 
     
     
       4. The method of  claim 1  wherein controlling access to the device management function further comprises:
 comparing a requested management object ID received with the certificate to the first management object ID of the management object stored in the memory responsive to receiving the command to perform the device management function; 
 granting access to the management object and its one or more nodes if the requested management object ID received with the certificate matches the first management object ID of the management object; and 
 denying access to the management object and its one or more nodes if the requested management object ID received with the certificate does not match the first management object ID of the management object. 
 
     
     
       5. The method of  claim 1  wherein binding the certificate to the management object at the wireless communication device comprises:
 associating the first management object ID of the management object stored in the memory with a certificate ID of the certificate used to establish the communication session; and 
 storing the association in a binding table in the memory at the wireless communication device. 
 
     
     
       6. The method of  claim 5  wherein controlling access to the management object comprises:
 receiving a command to perform a device management function from the network server; 
 comparing the certificate ID for the network server to one or more certificate IDs stored in the binding table to identify the associated management object; 
 granting access to the management object and its one or more nodes if the certificate ID for the network server matches a certificate ID stored in the binding table; and 
 denying access to the management object and its one or more nodes if the certificate ID for the network server does not match a certificate ID stored in the binding table. 
 
     
     
       7. The method of  claim 1  wherein controlling access to the management object comprises granting or denying access to a node of the management object based on whether the certificate used to establish the communication session is bound to the management object. 
     
     
       8. A wireless communication device comprising:
 a memory to store a management object having a unique first management object ID and one or more nodes associated with corresponding device management functions; 
 a communications interface to communicate with a network server; and 
 a controller processor configured to:
 establish a secure communication session with the server using a certificate, wherein the certificate includes one or more requested management object IDs; 
 bind the certificate used to establish the secure communication session to the management object stored in memory by: 
 associating the one or more requested management object IDs included in the certificate used to establish the communication session with a certificate ID of the certificate and storing the association in the memory at the wireless communication device and 
 
 control access to the management object by the server based on whether the certificate used to establish the communication session is valid to access the management object. 
 
     
     
       9. The device of  claim 8  wherein the controller processor is further configured to bind the certificate used to establish the secure communication session to the management object stored in memory by placing a the first management object ID of the management object into the certificate. 
     
     
       10. The device of  claim 8  wherein the controller processor is further configured to control access to the management object by:
 comparing a the one or more requested management ID received with object IDs included in the certificate to the first management object ID of the management object stored in the memory; 
 granting access to the management object and its one or more nodes if the one or more requested management object ID received with IDs included in the certificate matches the first management object ID of the management object; and 
 denying access to the management object and its one or more nodes the if the one or more requested management object ID received with IDs included in the certificate does not match the first management object ID of the management object. 
 
     
     
       11. The device of  claim 8  wherein the controller processor is further configured to bind the certificate used to establish the secure communication session to the management object stored in memory by:
 associating the first management object ID of the management object stored in the memory with a certificate ID of the certificate used to establish the communication session; and 
 storing the association in a binding table in the memory at the wireless communication device. 
 
     
     
       12. The device of  claim 11  wherein the controller processor is configured to control access to the management object by the server by:
 comparing the certificate ID of the received certificate to one or more certificate IDs stored in the binding table at the wireless communication device to identify a corresponding management object; 
 granting access to the corresponding management object and its one or more nodes if the certificate ID of the received certificate matches a certificate ID stored in the binding table; and 
 denying access to the corresponding management object and its one or more nodes if the certificate ID of the received certificate does not match a certificate ID stored in the binding table. 
 
     
     
       13. The device of  claim 8  wherein the controller processor is further configured to grant or deny access to the management object and its corresponding nodes based on whether the certificate used to establish the communication session is bound to the management object. 
     
     
       14. The device of  claim 8  wherein the device management functions comprise protected functions at the wireless communication device. 
     
     
       15. A method of certificate-based access control for a wireless communication device comprising a memory, the method comprising:
 storing a management object in the memory of the wireless communication device, the management object including a first management object ID and at least one node that implements a device management function;   establishing a secure communication session with a network server using a certificate, the certificate including a certificate ID;   receiving one or more requested management object IDs with the certificate;   binding the certificate to the management object at the wireless communication device, wherein the binding the certificate comprises associating the one or more requested management object IDs received with the certificate used to establish the communication session with the certificate ID of the certificate and storing the association at the wireless communication device;   receiving from the server a management object controller command to manage the management object stored in the wireless communication device; and   controlling access to the management object by the server based on whether the certificate received with the management object controller command is or was bound to the management object.   
     
     
       16. The method of claim 15 further comprising receiving the management object controller command during the secure communication session with the server. 
     
     
       17. The method of claim 15 wherein establishing the secure communication session with the network server comprises using the certificate and establishing a Hypertext Transfer Protocol Secure (HTTPS) Transport Layer Security (TLS) session for device management. 
     
     
       18. The method of claim 15 wherein establishing the secure communication session with the network server using the certificate comprises performing a mutual authentication with the server. 
     
     
       19. The method of claim 15 further comprising accepting the certificate from the server prior to allowing access to the management object by the server. 
     
     
       20. The method of claim 15 further comprising controlling access by the server to a second management object stored at the wireless communication device based on whether the certificate is or was bound to the second management object. 
     
     
       21. The method of claim 15 further comprising validating the certificate and performing the specific device management function and sending an acknowledgement response to the server. 
     
     
       22. The method of claim 15 further comprising the server accessing and invoking the management object in response to the certificate being previously associated with the management object. 
     
     
       23. The method of claim 15 further comprising preventing the server from accessing the management object when the certificate was not previously bound with the management object. 
     
     
       24. The method of claim 15 wherein controlling access to the device management function further comprises:
 comparing at least one of the requested management object IDs received with the certificate to the first management object ID of the management object stored in the memory responsive to receiving the management object controller command; and   granting access to the management object and the at least one node if the at least one requested management object ID received with the certificate matches the first management object ID of the management object.   
     
     
       25. A wireless communication device comprising:
 a memory to store a management object including a first management object ID and one at least one node that implements a corresponding device management function;   a communications interface circuit to communicate with a network server; and   a processor configured to:
 establish a secure communication session with the network server using a certificate, the certificate including a certificate ID; 
 receive one or more requested management object IDs with the certificate; 
 bind the certificate to the management object at the wireless communication device by associating the one or more requested management object IDs received with the certificate used to establish the communication session with the certificate ID of the certificate and storing the association at the wireless communication device; 
 receive from the server a management object controller command to manage the management object stored in the wireless communication device; and 
 control access to the management object by the server based on whether the certificate received with the management object controller command is or was bound to the management object. 
   
     
     
       26. The device of claim 25 wherein the processor is further configured to control access to the management object by:
 comparing at least one of the requested management object IDs received with the certificate to the first management object ID of the management object stored in the memory; and   granting access to the management object and the at least one node if the at least one requested management object ID received with the certificate matches the first management object ID of the management object.   
     
     
       27. A method of certificate-based access control in a wireless communication device comprising a memory, the method comprising:
 storing a management object in the memory of the wireless communication device, the management object including a first management object ID and at least one node that implements a device management function;   establishing a secure communication session with a network server using a certificate, the certificate including a certificate ID;   receiving one or more requested management object IDs with the certificate;   binding the certificate to the management object at the wireless communication device, wherein the binding the certificate comprises associating the one or more requested management object IDs received with the certificate used to establish the communication session with the certificate ID of the certificate;   storing the association in the memory at the wireless communication device; and   controlling, by the wireless device, access to the management object by the server by comparing the one or more requested management object IDs received with the certificate to the first management object ID of the management object, and granting access to the management object if one of the management object IDs received with the certificate matches the management object ID of the management object.   
     
     
       28. A wireless communication device comprising:
 a memory to store a management object having a first management object ID and at least one node that implements a device management function;   a communications interface circuit configured to communicate with a network server; and   a processor configured to:
 establish a secure communication session with the network server using a certificate, the certificate including a certificate ID; 
 receive one or more requested management object IDs with the certificate; 
 bind the certificate to the management object at the wireless communication device by associating the one or more requested management object IDs received with the certificate used to establish the communication session with a certificate ID of the certificate, and storing the association in the memory; and 
 control access to the management object by the server by comparing the one or more requested management object IDs received with the certificate to the first management object ID of the management object and granting access to the management object if one of the requested management object IDs received with the certificate matches the first management object ID of the management object.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.