公开(公告)号：WO2017055014A1

公开(公告)日：2017-04-06

申请号：PCT/EP2016/070898

申请日：2016-09-05

Applicant: GEMALTO SA

Inventor： DELSUC, Julien ,  COGNIAUX, Geoffroy

IPC: G06F12/14 ,  G06F21/53 ,  G06F21/62 ,  G06F21/77 ,  G06F21/79 ,  G06F9/455

CPC classification number: G06F9/45558 ,  G06F12/0253 ,  G06F12/145 ,  G06F21/53 ,  G06F21/6218 ,  G06F21/77 ,  G06F21/79 ,  G06F2009/45583 ,  G06F2009/45587 ,  G06F2212/1024

Abstract: The invention is an applicative virtual machine that comprises a unique interface and is configured to fully delegate, through the unique interface, the structured storage of data to several autonomous entities which are separate from the virtual machine and which are configured to identify the physical memory location of said data.

Abstract translation: 本发明是一种应用虚拟机，其包括唯一的接口，并且被配置为通过唯一接口将数据的结构化存储完全委托给与虚拟机分离的几个自主实体，并且被配置为识别物理存储器位置 的数据。

公开(公告)号：WO2017016762A1

公开(公告)日：2017-02-02

申请号：PCT/EP2016/064466

申请日：2016-06-22

Applicant: GEMALTO SA

Inventor： PAULIAC, Mireille ,  PEIRANI, Béatrice

IPC: H04W12/06

CPC classification number: H04W12/06

Abstract: The present invention relates to a method to provide user identification in privacy mode for using a user device (UE) with a Mobile Network Operator subscription to an on-line service offered by a service provider (SP) thanks to a GBA infrastructure comprising at least a Network Application Function (NAF) server suitable to retrieve at least a GBA secret key (KNAF) shared with the user device (UE). According to the invention the NAF server is used as identity provider and verifier.

Abstract translation: 本发明涉及一种在隐私模式下提供用户识别的方法，用于使用由移动网络运营商订阅由服务提供商（SP）提供的在线服务的用户设备（UE），这得益于至少包括至少 适合于检索与用户设备（UE）共享的至少一个GBA密钥（KNAF）的网络应用功能（NAF）服务器。 根据本发明，NAF服务器被用作身份提供者和验证者。

公开(公告)号：WO2017001587A1

公开(公告)日：2017-01-05

申请号：PCT/EP2016/065354

申请日：2016-06-30

Applicant: GEMALTO SA

Inventor： HUGOT, Didier

IPC: G06Q20/38

CPC classification number: G06Q20/385

Abstract: The invention relates to a method (30) for authorizing data transaction. According to the invention, the method comprises the following steps. A device (12) generates a transaction cryptogram by using a first predetermined algorithm,at least one payment transaction key and at least one predetermined data item. A value of at least one of the at least one predetermined data item changes from a first to a second transaction. The device extracts, from the transaction cryptogram, by using a predetermined reduction scheme, a predetermined number of at least one unit of information, the at least one extracted information unit forming a reduced cryptogram. The device generates (38) a first restricted use account number based upon at least the reduced cryptogram and a bank issuer identifier. The device or another device sends to a first server (18) a first message (39) including at least one piece of user account information accompanied with the first restricted use account number. The first server sends to a back-end system a second message (310) including a request for authorizing a transaction accompanied with the at least one piece of user account information and the first restricted use account number. The back-end system retrieves, based upon at least part of the at least one piece of user account information, at least one piece of user account information. The back-end system generates (312) a second restricted use account number by using the first predetermined algorithm and the predetermined reduction scheme, the bank issuer identifier and at least part of the at least one retrieved piece of user account information. The back-end system compares (314) the second restricted use account number to the first restricted use account number. Only if the second restricted use account number matches the first restricted use account number, the back-end system retrieves, based upon at least part of the at least one retrieved piece of user account information, at least one piece of user account information. And the back-end system or another entity sends to the first server a third message including, as request response, a transaction authorization. The invention also relates to corresponding device (12) and back-end system.

Abstract translation: 本发明涉及授权数据交易的方法（30）。 根据本发明，该方法包括以下步骤。 设备（12）通过使用第一预定算法，至少一个支付交易密钥和至少一个预定数据项来生成交易密码。 所述至少一个预定数据项中的至少一个的值从第一事务改变为第二事务。 设备从交易密码中通过使用预定的缩减方案提取预定数量的至少一个信息单元，所述至少一个提取的信息单元形成减少的密码。 该设备至少基于减少的密码和银行发行者标识符生成（38）第一受限制使用帐号。 设备或另一设备向第一服务器（18）发送包括伴随第一受限使用帐号的至少一个用户帐户信息的第一消息（39）。 第一服务器向后端系统发送包括授权交易的请求的第二消息（310），伴随着至少一个用户帐户信息和第一受限使用帐号。 后端系统基于至少一个用户帐户信息的至少一部分来检索至少一个用户帐户信息。 后端系统通过使用第一预定算法和预定缩减方案，银行发行者标识符和至少一个检索到的用户帐户信息的至少一部分来生成（312）第二限制使用帐号。 后端系统将第二受限制使用帐号与第一个受限制的使用帐号进行比较（314）。 仅当所述第二限制使用帐号与所述第一限制使用帐号一致时，所述后端系统基于所述至少一个检索到的用户帐户信息的至少一部分来检索至少一个用户帐户信息。 并且后端系统或另一实体向第一服务器发送包括作为请求响应的第三消息的交易授权。 本发明还涉及相应的设备（12）和后端系统。

公开(公告)号：WO2016193072A1

公开(公告)日：2016-12-08

申请号：PCT/EP2016/061716

申请日：2016-05-24

Applicant: GEMALTO SA

Inventor： POTONNIEE, Olivier ,  BERNABEU, Gil ,  LU, HongQian Karen

IPC: H04L29/06 ,  H04W12/06

CPC classification number: H04L63/0823 ,  H04L9/0844 ,  H04L9/3013 ,  H04L9/3242 ,  H04L63/0428 ,  H04L63/0853 ,  H04L63/166 ,  H04W12/06

Abstract: The invention is a method for managing a secure channel between a server and a secure element embedded in a first device, wherein a user agent embedded in a second device establishes a HTTPS session with the serverand retrievesa web application from theserver, themethod comprising the steps: -the server sends to the web applicationan application certificate which is linked to a specific data reflecting the identity of the server, -the secure element gets the application certificate and the specific data, -the secure element checks the validity of the application certificate and that the application certificate is consistently linked to the specific data, -in case of successful checks, the secure element and the server generate an ephemeral session key and use it for opening a secure channel.

Abstract translation: 本发明是一种用于管理服务器和嵌入在第一设备中的安全元件之间的安全通道的方法，其中嵌入在第二设备中的用户代理与服务器建立HTTPS会话并从服务器检索Web应用，其方法包括以下步骤： - 服务器发送到链接到反映服务器身份的特定数据的Web应用程序应用程序证书，安全元素获取应用程序证书和特定数据，安全元素检查应用程序证书的有效性， 应用程序证书始终与特定数据相关联 - 在成功检查的情况下，安全元素和服务器生成临时会话密钥并将其用于打开安全通道。

公开(公告)号：WO2016174158A1

公开(公告)日：2016-11-03

申请号：PCT/EP2016/059529

申请日：2016-04-28

Applicant: GEMALTO SA

Inventor： WILSON, John, Philip

IPC: H04W12/06 ,  H04W12/02 ,  H04L29/06

CPC classification number: H04W12/06 ,  H04L63/0853 ,  H04W12/02

Abstract: The invention relates to a method 20 for proving at least one piece of user information. According to the invention, the method comprises the following steps. A requester device 12 sends to a server 18 a first message 22 including a request for proving at least one piece of user 11 information and data identifying a requester. The server generates 24 requester authentication data and associated data identifying a transaction. The server generates 26 a proof of user information using the at least one piece of user information and the requester authentication data. The server sends to the requester device a second message 28 including, as a request response, the proof of user information and the associated data identifying the transaction. A verifier device 12 sends to the server a third message 214 including a request for getting authentication data associated with data identifying a transaction and the associated data identifying the transaction. The server sends to the verifier device a fourth message 218 including, as a request response, authentication data associated with the data identifying the transaction. The verifier device or a verifier 19 authenticates the at least one piece of user information only if the received authentication data matches the requester authentication data. The invention also relates to corresponding requester device, verifier device and server.

Abstract translation: 本发明涉及一种用于证明至少一个用户信息的方法20。 根据本发明，该方法包括以下步骤。 请求者设备12向服务器18发送包括用于证明至少一个用户11信息的请求的第一消息22和标识请求者的数据。 服务器生成24个请求者身份验证数据和标识事务的关联数据。 服务器使用至少一个用户信息和请求者认证数据生成26个用户信息的证明。 服务器向请求者设备发送第二消息28，其包括作为请求响应的用户信息的证明和标识交易的关联数据。 验证器装置12向服务器发送第三消息214，第三消息214包括获取与识别交易的数据相关联的认证数据的请求以及标识交易的相关联的数据。 服务器向验证者设备发送包括作为请求响应的与识别交易的数据相关联的认证数据的第四消息218。 仅当所接收的认证数据与请求者认证数据匹配时，验证器设备或验证器19认证该至少一条用户信息。 本发明还涉及对应的请求者设备，验证者设备和服务器。

公开(公告)号：WO2016166134A1

公开(公告)日：2016-10-20

申请号：PCT/EP2016/058076

申请日：2016-04-13

Applicant: GEMALTO SA

Inventor： RHELIMI, Alain

IPC: H04L9/06 ,  G06F12/14 ,  G06F21/78 ,  G09C1/00

CPC classification number: H04L63/0428 ,  G06F12/1408 ,  G06F12/145 ,  G06F21/74 ,  G06F21/79 ,  G06F21/85 ,  G06F2221/2125 ,  G09C1/00 ,  H04L9/065 ,  H04L2209/12

Abstract: A device (1) is intended for managing multiple accesses to a secure module (5) of a system on chip (2) of an apparatus (3), and comprises a stream ciphering means (13, 132) arranged for computing on the fly and in a single pass an integrity check for data to be transferred between secure (5) and non secure (4) modules of the system on chip (2) with a seed and an encryption key, and for encrypting/decrypting on the fly and in this single pass these data with the encryption key, and a control means (1, 12) for providing the encryption key and seed to the stream ciphering means (13,132) and for requesting data transfer and retrieving status to the secure (5) and non secure (4) modules for allowing the transfer of encrypted/decrypted data between the secure (5) and non secure (4) modules.

Abstract translation: 设备（1）旨在用于管理对设备（3）的片上系统（2）的安全模块（5）的多次访问，并且包括布置成用于在飞行中计算的流加密装置（13,132） 并且在单次通过中使用种子和加密密钥在片上（2）的系统的安全（5）和非安全（4）模块之间传输的数据的完整性检查，并且用于在飞行中进行加密/解密，以及 在用这个加密密钥单独传递这些数据，以及用于将加密密钥和种子提供给流加密装置（13,132）的控制装置（1,12），并且用于请求数据传送和检索状态到安全（5）和 非安全（4）模块，用于允许在安全（5）和非安全（4）模块之间传输加密/解密的数据。

公开(公告)号：WO2016156357A1

公开(公告)日：2016-10-06

申请号：PCT/EP2016/056866

申请日：2016-03-30

Applicant: GEMALTO SA

Inventor： CORRADINO, David ,  TIVOLLE, Philippe ,  QUETGLAS, Stéphane

IPC: H04W24/02

CPC classification number: H04W24/02

Abstract: The invention relates to a method (20) for detecting a corruption of at least one configuration parameter. A chip (12) is coupled to a device (14). The device stores at least one configuration parameter for configuring an access to an Internet (120) type network. According to the invention, the chip stores data relating to at least two subscriptions. The method comprises the following steps. The chip de-activates a first subscription. The chip activates a second subscription. The second subscription is distinct from the first subscription, as a previously active subscription. The second subscription is a currently active subscription. The chip detects whether the device does or does not read a currently active subscription. Only if the device reads a currently active subscription (22), then the chip detects whether at least one configuration parameter does or does not allow accessing an Internet type network. Only if at least one configuration parameter does not allow accessing an Internet type network, then the chip ascertains (215) that at least one configuration parameter is corrupted. The invention also relates to a corresponding device (12).

Abstract translation: 本发明涉及一种用于检测至少一个配置参数的损坏的方法（20）。 芯片（12）耦合到设备（14）。 设备存储用于配置对因特网（120）型网络的访问的至少一个配置参数。 根据本发明，芯片存储与至少两个订阅有关的数据。 该方法包括以下步骤。 芯片取消激活第一个订阅。 芯片激活第二个订阅。 第二个订阅与第一个订阅是不同的，作为以前的活动订阅。 第二个订阅是当前活动的订阅。 该芯片检测设备是否执行当前的订阅。 只有当设备读取当前激活的订阅（22）时，芯片才能检测至少一个配置参数是否允许访问互联网类型的网络。 只有至少一个配置参数不允许访问互联网类型网络，则芯片确定（215）至少一个配置参数已损坏。 本发明还涉及相应的装置（12）。

公开(公告)号：WO2016128463A1

公开(公告)日：2016-08-18

申请号：PCT/EP2016/052824

申请日：2016-02-10

Applicant: GEMALTO SA ,  ISSM

Inventor： PERION, Fabrice ,  VILLEGAS, Karine ,  PEREZ CHAMORRO, Jorge Ernesto ,  COULON, Jean Roch

IPC: G06F7/58

CPC classification number: G06F7/58 ,  H04L9/0662

Abstract: The present invention relates to a method to generate a mask (M) of a predefined size of b*m bits, said method comprising the following steps: generating a random number of a limited number p of bits, providing the p bits random number as the input of a deterministic random number generator (RNG) that outputs a random number of length m, applying to the output random number of length m an expansion function (EFM) using an error correcting code function to multiply the length by b and obtain a mask (M) of a size of b*m bits, a reseeding function (RFM) being regularly applied to the random number generator (RNG).

Abstract translation: 本发明涉及一种生成预定大小的b * m比特的掩码（M）的方法，所述方法包括以下步骤：产生有限数量的比特的随机数，提供p比特随机数作为 输出一个确定性随机数发生器（RNG），该确定性随机数发生器（RNG）输出长度为m的随机数，使用纠错码功能将长度为m的扩展函数（EFM）的输出随机数应用于乘以b并获得一个 大小为b * m比特的掩码（M），定期地应用于随机数发生器（RNG）的重新赋值功能（RFM）。

公开(公告)号：WO2016107802A1

公开(公告)日：2016-07-07

申请号：PCT/EP2015/081066

申请日：2015-12-22

Applicant: GEMALTO SA

Inventor： D'ANNOVILLE, Jérôme

IPC: G06F21/52

CPC classification number: G06F21/52

Abstract: A system, method and computer-readable storage medium with instructions for operating an electronic device to protect against attacks that are constructed by chaining programming gadgets from executable code. The technique includes associating a value with functions and pushing and popping the function association value from a special stack. Further, on function returns, top of special stack is compared to the function association value. Other systems and methods are disclosed.

Abstract translation: 一种具有用于操作电子设备的指令的系统，方法和计算机可读存储介质，以防止通过将可编程小组从可执行代码链接到构建的攻击。 该技术包括将值与功能相关联，并从特殊堆栈中推出和弹出函数关联值。 此外，在函数返回时，将特殊堆栈的顶部与函数关联值进行比较。 公开了其他系统和方法。

公开(公告)号：WO2016091834A1

公开(公告)日：2016-06-16

申请号：PCT/EP2015/078886

申请日：2015-12-07

Applicant: GEMALTO SA

Inventor： FROGER, Alexis ,  TSOI, Chi Tung ,  ROUSSEL, François

IPC: G06K19/077 ,  B26D3/08 ,  B26F3/00

CPC classification number: G06K19/07739 ,  B26F1/02 ,  B26F3/002

Abstract: The smart card according to the invention comprises a card body (3) in a first format enclosing a card body (4) in a smaller and thinner format than the first format card body. To manufacture this smart card, on a front face of a larger format card body, machining is used to reduce the thickness of an area (102) corresponding to the smaller format card body, then cutting out by stamping the smaller format and hence also thinner card body (4), and then immediately reinserting the aforesaid cut card body into the slot made by cutting out, far enough to make the machined surface (103) of the smaller format card body flush with the front surface (101) of the larger format card body. Application particularly to manufacturing multi-format smart cards, comprising a 4FF format card.

Abstract translation: 根据本发明的智能卡包括以比第一格式卡主体更小和更薄的格式包围卡体（4）的第一格式的卡体（3）。 为了制造该智能卡，在较大格式的卡体的正面上，使用机械加工来减小对应于较小格式的卡体的区域（102）的厚度，然后通过冲压较小的格式并因此也更薄 卡体（4），然后立即将切割的卡片重新插入通过切割制成的槽中，足够远使得较小格式卡体的加工表面（103）与较大格式的卡体的前表面（101）齐平 格式卡体。 尤其适用于制造多格式智能卡，包括4FF格式卡。