Professional Documents
Culture Documents
Hon Rupices: (12) United States Patent
Hon Rupices: (12) United States Patent
BA
Network
Server
104
Server
110 -Mr TSZ
TS Permissive
Sector
TSZ Code
Work
Station
134a -
Generator
Ticket
Generator
Trusted App
Non - Trusted
App
116
?
OTP
US 9 ,779 ,232 B1
Page 2
( 56 ) References Cited Final Office Action dated Feb. 1, 2013, U .S . Appl. No. 12/486,873 ,
filed Jun . 18 , 2009.
OTHER PUBLICATIONS Notice of Allowance dated Jan . 28 , 2014 , U . S . Appl. No.
12 /486 , 873 , filed Jun . 18 , 2009.
FAIPP Pre- Interview Communication dated Jun . 5, 2013, U .S . Appl. Zimmerman , Ann, " Check Out the Future of Shopping” , The Wall
No . 13/ 556 ,200 , filed Jul. 24 , 2012 . Street Journal, Business, May 18 , 2011 , http :// online .wsj.com /ar
First Action Interview Office Action dated Aug . 19, 2013, U .S. Appl. ticle /SB10001424052748703421204576329253050634700 .html.
No . 13/ 556 ,200 , filed Jul. 24 , 2012 . Garry , Michael, Kroger Test Prepares for Mobile Future :, SN ,
Notice of Allowance dated Oct. 16 , 2013 , U .S . Appl. No. Supermarket News, Jun . 13 , 2011 , http ://supermarketnews.com /
13 / 556 ,200 , filed Jul. 24 , 2012 . technology /kroger-test-prepares-mobile- future .
FAIPP Pre -Interview Communication dated Aug. 4 , 2014 , U . S . Jones , Sally , “ Industry Trends in POS Hardware for Mobile
Appl . No. 13 /844, 357, filed Mar. 15 , 2013 . Devices” , Aug. 31, 2011, http ://pointofsale .com /20110831734 /Mo
Notice of Allowance dated Oct. 6 , 2014 , U . S . Appl. No. 13 /844 ,357 , bile -POS -News/industry -trends - in -pos -hardware - for -mobile -de
filed Mar. 15 , 2013 . vices.html.
FAIPP Pre -Interview Communication dated Nov. 12 , 2014 , U .S . Foreign Communication from a Related Counterpart — International
Appl. No. 13 /844 , 145, filed Mar. 15 , 2013 . Search Report and Written Opinion , dated Dec. 2, 2013 , PCT/US13 /
FAIPP Pre - Interview Communication dated Apr. 3 , 2014 , U . S . Appl. 40673 , filed on May 10 , 2013 .
No . 13 /802 ,383 , filed Mar. 13 , 2013 . Foreign Communication from a Related Counterpart — International
First Action Interview Office Action dated May 23 , 2014 , U .S . Appl. Preliminary Report on Patentability , dated Nov . 20 , 2014 , PCT/
No . 13/ 802 ,383 , filed Mar. 13 , 2013 . US13/40673 , filed on May 10 , 2013.
Notice of Allowance dated Jul. 8 , 2014 , U .S . Appl. No. 13/ 802,383 , Giesecke & Devrient, “ The OTA Platform in the World of LTE ” ,
filed Mar. 13 , 2013. Jan . 2011, http ://www . gi- de .com / gd _ media /media / en /documents/
FAIPP Pre -Interview Communication dated Feb . 12 , 2015 , U .S . brochures/mobile _ security _ 2/cste _ 1/OTA -and -LTE .pdf.
Appl. No. 14 /066,661, filed Oct. 29 , 2013 . Pesonen , Lauri, “ Development of Mobile Payment Ecosystem
Restriction Requirement dated Aug. 14 , 2014 , U .S . Appl. No . NFC Based Payment Services” , Aug . 27 , 2008 .
13/ 594,777 , filed Aug. 25 , 2012 . Foreign Communication from a Related Counterpart — International
Notice of Allowance dated Dec. 3 , 2014 , U . S . Appl. No. Search Report and Written Opinion, dated Feb . 4 , 2014 , PCT/US13 /
13 / 594 ,777 , filed Aug . 25 , 2012 . 47729 , filed on Jun. 25 , 2013 .
FAIPP Pre -Interview Communication dated Jul. 17 , 2014 , U . S . Foreign Communication from a Related Counterpart — International
Appl. No. 13 /594 , 778 , filed Aug. 25 , 2012 . Preliminary Report on Patentability, dated Jan . 8 , 2015 , PCT/US13 /
Notice of Allowance dated Sep . 19 , 2014 , U . S . Appl. No . 47729 , filed on Jun. 25 , 2013 .
13/ 594 ,778 , filed Aug. 25, 2012 . Foreign Communication from a Related Counterpart — International
FAIPP Pre -Interview Communication dated Jul. 17 , 2014 , U . S . Search Report and Written Opinion , dated Apr. 22, 2014 , PCT/
Appl. No. 13/ 594 , 779 , filed Aug. 25 , 2012. US13 /53617 , filed on Aug. 5 , 2013 .
First Action Interview Office Action dated Dec . 3 , 2014 , U . S . Appl. Foreign Communication from a Related Counterpart — International
No. 13 /594, 779 , filed Aug. 25, 2012 . Preliminary Report on Patentability, dated Feb . 19 , 2015 , PCT/
Office Action dated May 5, 2014 , U . S . Appl. No. 13 /786 ,450 , filed US13/ 53617, filed on Aug. 5, 2013 .
Mar. 5 , 2013 Foreign Communication from a Related Counterpart — International
Final Office Action dated Nov. 7 , 2014 , U . S. Appl. No. 13 /786 ,450 , Search Report and Written Opinion , dated Feb . 4 , 2014 , PCT/US13 /
filed Mar. 5 , 2013 . 51750 , filed on Jul. 24 , 2013 .
Notice of Allowance dated Feb . 26 , 2015, U .S . Appl. No. Foreign Communication from a Related Counterpart — International
13/ 786 ,450 , filed Mar. 5, 2013 . Preliminary Report on Patentability, dated Feb . 5, 2015, PCT/US13 /
FAIPP Pre -Interview Communication dated Aug . 6 , 2014 , U .S . 51750 , filed on Jul. 24 , 2013 .
Appl. No . 13 /831, 486 , filed Mar. 14 , 2013 . Foreign Communication from a Related Counterpart — International
Notice of Allowance dated Sep . 26 , 2014 , U .S . Appl. No . Search Report and Written Opinion , dated Jul. 11, 2014 , PCT/US14 /
13 / 831,486 , filed Mar. 14 , 2013 . 16651, filed on Feb . 16 , 2014 .
FAIPP Pre -Interview Communication dated Nov . 7 , 2014 , U .S . Ahmed , Farid , et al., “ Correlation - based Watermarking Method for
Appl. No. 13 / 802,404, filed Mar. 13 , 2013 . Imagine Authentication Applications” , Society of Photo -Optical
FAIPP Pre -Interview Communication dated Dec. 16 , 2014 , U .S . Instrumentation Engineers, Feb . 17 , 2004 , pp . 1834 - 1838 .
Appl . No. 13 /898,435 , filed May 20 , 2013 . Perrig, Adrian , et al., “ SPINS: Security Protocols for Sensor Net
Notice of Allowance dated Feb . 20 , 2015, U . S . Appl. No . works," ACM , Sep . 2002 , vol. 8 , pp . 521-534 .
13 / 898 ,435 , filed May 20 , 2013 . Clark , CJ., et al. “ Anti-tamper JTAG TAP design enables DRM to
FAIPP Pre -Interview Communication dated Oct. 29 , 2014 , U . S . JTAG registers and P1687 on -chip instruments” , 2010 IEEE , Inter
Appl. No. 13 / 844 , 282, filed Mar. 15 , 2013 . national Symposium on Hardware -Oriented Security and Trust
FAIPP Pre -Interview Communication dated Oct. 21 , 2014 , U . S . (HOST). Pub . Date : 2010 . Relevant pp. 19 - 24 . http ://ieeexplore .
Appl. No. 13 / 844,325 , filed Mar. 15 , 2013 . ieee . org /stamp stamp .jsp ? tp = & arnumber = 5513119 .
Notice of Allowance dated Dec . 19 , 2014 , U . S . Appl. No . Lee , Jeremy, et al., “ A Low -Cost Solution for Protecting IPs Against
13 / 844 , 325 , filed Mar. 15 , 2013. Scan -Based Side Channel Attacks,” 24th IEEE VLSI Test Sympo
Notice of Allowance dated Jan . 2 , 2015 , U . S. Appl. No. 13 /831,463, sium . Pub . Date: 2006 . http //ieeexplore. ieee . org/stamp stamp .
filed Mar. 14 , 2013 . jsp ? tp = & arnumber = 1617569.
FAIPP Pre -Interview Communication dated Feb . 4, 2015 , U .S . Katzer, Robin D ., et al., " Secure Placement of Centralized Media
Appl. No . 14 /075 ,663, filed Nov . 8 , 2013 . Controller Application in Mobile Access Terminal” , filed Nov . 11 ,
FAIPP Pre- Interview Communication dated Feb . 24 , 2015, U .S . 2011, U .S . Appl. No. 13/294 , 177 .
Appl. No. 14 / 163,047 , filed Jan . 24 , 2014 . Paczkowski, Lyle W ., et al., “ Trusted Policy and Charging Enforce
Restriction Requirement dated Jan . 5 , 2015 , U .S . Appl. No. ment Function ” , filed Jun . 27 , 2012 , U .S . Appl. No. 13 /533 , 969 .
13 / 857 , 139 , filed Apr. 4 , 2013 . Bye , Stephen James , et al., “ Trusted Signaling in Long Term
First Action Interview Pre -Interview Communication dated Dec. 27 , Evolution (LTE ) 4G Wireless Communication ” , filed Feb . 7 , 2013 ,
2011, U .S . Appl. No . 12 / 486 , 873 , filed Jun. 18 , 2009. U .S . Appl. No. 13 /762,319 .
First Action Interview Office Action dated Feb . 13 , 2012 , U .S . Appl. Cope, Warren B ., et al., “ Extended Trusted Security Zone Radio
No. 12 /486 , 873 , filed Jun . 18 , 2009. Modem ” , filed Nov. 26 , 2013, U .S . Appl. No . 14 /090 ,667.
Office Action dated Jul. 5, 2012 , U . S . Appl. No. 12 /486 ,873 , filed Paczkowski, Lyle W ., et al., “ Trusted Security Zone Access to
Jun . 18 , 2009 . Peripheral Devices” , filed Jan . 6 , 2014 , U . S . Appl. No . 14 / 148 ,714 .
US 9, 779 ,232 B1
Page 7
100
124
IPK
EUqusipemrnt
SOpyesrateinmg
1ProcPresror 2 0 Memory
PermisveSector
TSZ
-TNonrusted App
Genrato Genrato
Code Ticket TApprusted
116
118
???
1
.
FIG
126
14
108
126
30
eNB
Network 132
WorkSta ion
SDtaotrae OTP
106
134b
102
TrustedServer Server TSZ
104
atent Oct. 3 , 2017 Sheet 2 of 7 US 9 ,779, 232 B1
200
Start
End
End
FIG . 2
atent Oct. 3 , 2017 Sheet 3 of 7 US 9 ,779, 232 B1
300
Start
3164 Responsive to the associated access code having been verified and the one
time-passwords from the user equipment and the trusted server matching, grant
access associated with the access code to the user equipment.
3184 Invalidate the one- time -password after granting access to the user equipment.
End
End
FIG . 3
U . S . Patent Oct. 3 , 2017 Sheet 4 of 7 US 9 ,779, 232 B1
400
402
FIG . 4
U . S . Patent Oct. 3 , 2017 Sheet 5 of 7 US 9 ,779, 232 B1
400
508 RF Transceiver
As
Infrared
prator
Vibrator
you 4 532
530
Touch Screen /LCD
Controller
534 Camera
FIG . 5
U . S . Patent Oct. 3 , 2017 Sheet 6 of 7 US 9 ,779, 232 B1
602
6064
6044
Web
Browser
D Media
Player
JAVA
Applets
FIG . 6A
620
622 Applications
624 Application Framework
6267 Libraries
Libraries | Runtimet
Runtime - 630
628 OS Kernel
OS Kernel
FIG . 6B
U . S . Patent Oct. 3 , 2017 Sheet 7 of 7 US 9 ,779, 232 B1
380
382
390 %
384
THE
Secondary
Storage CPU
Network
RAM - 388
ROM
ROM
392
386
386
FIG . 7
US 9 ,779, 232 B1
TRUSTED CODE GENERATION AND fied and the one- time-passwords matching, granting access
VERIFICATION TO PREVENT FRAUD associated with the access code to the user equipment, and
FROM MALEFICENT EXTERNAL DEVICES invalidating the one-time-password promptly after the dis
THAT CAPTURE DATA play ends .
In an embodiment, a method of generating and verifying
CROSS -REFERENCE TO RELATED one- time- passwords for user equipments is disclosed . The
APPLICATIONS method comprises generating , by a code generator stored in
a trusted security zone in a memory of a user equipment, a
None . different one -time- password associated with each of a plu
10 rality of access codes, wherein the one- time-password is not
STATEMENT REGARDING FEDERALLY displayed on the user equipment, and storing the one - time
SPONSORED RESEARCH OR DEVELOPMENT password in the trusted security zone. The method further
comprises transmitting the generated one - time-password to
Not applicable . a trusted server through an encrypted channel, and respon
15 sive to an associated access code being displayed to a work
REFERENCE TO A MICROFICHE APPENDIX station , transmitting the one -time-password to the work
station through a dedicated channel, wherein the one-time
Not applicable. password is not displayed on the user equipment or the work
station . The method further comprises transmitting, by the
BACKGROUND 20 work station , a request to the trusted server for a one-time
password associated with the access code , comparing the
Network capable electronic devices are becoming one -time- password received from the user equipment with
increasingly prevalent in our daily lives . With the rapid the one -time -password received from the trusted server, and
development and popularization of network capable elec - examining the access code. The method further comprises
tronic devices, applications on the network capable elec - 25 responsive to the associated access code having been veri
tronic devices are growing rapidly. For example , people can fied and the one -time-passwords from the user equipment
now order, pay for , obtain , and redeem digital tickets on and the trusted server matching, granting access associated
network capable mobile communication devices . with the access code to the user equipment, and invalidating
the one -time-password after granting access to the user
SUMMARY 30 equipment.
These and other features will be more clearly understood
In an embodiment, a user equipment is disclosed . The user from the following detailed description taken in conjunction
equipment comprises a processor, a memory , a trusted with the accompanying drawings and claims.
security zone, wherein the trusted security zone provides
hardware assisted trust, a ticket generator stored in the 35 BRIEF DESCRIPTION OF THE DRAWINGS
trusted security zone to generate a plurality of access codes,
and a code generator stored in the trusted security zone. The For a more complete understanding of the present disclo
code generator generates a different one-time- password for sure , reference is now made to the following brief descrip
each of the plurality of access codes, wherein the one -time- tion , taken in connection with the accompanying drawings
password is not displayed on the user equipment, stores the 40 and detailed description , wherein like reference numerals
one-time- password in the trusted security zone , and trans- represent like parts .
mits the one -time-password to a trusted server through a FIG . 1 is an illustration of a communication system
trusted channel . Responsive to an associated access code according to an embodiment of the disclosure.
from the plurality of access codes being displayed and upon FIG . 2 is a flow chart illustrating a method according to
request of a user of the user equipment, the code generator 45 an embodiment of the disclosure .
further displays the one -time-password and invalidates the FIG . 3 is a flow chart illustrating another method accord
one - time- password promptly after the display ends. ing to an embodiment of the disclosure .
In an embodiment, a method of generating and verifying FIG . 4 is an illustration of a user equipment to an
one-time-passwords for user equipments is disclosed . The embodiment of the disclosure .
method comprises generating, by a code generator stored in 50 FIG . 5 is a block diagram of a user equipment according
a trusted security zone in a memory of a user equipment, a to an embodiment of the disclosure .
different one -time-password associated with each of a plu - FIG . 6A is a block diagram of a software architecture of
rality of access codes , wherein the trusted security zone a user equipment according to an embodiment of the dis
provides hardware assisted trust, wherein the one-time closure .
password is not displayed on the user equipment at the time 55 FIG . 6B is a block diagram of another software architec
of generation , and storing the one -time-password in the ture of a user equipment according to an embodiment of the
trusted security zone . The method further comprises trans - disclosure .
mitting the generated one -time -password to a trusted server FIG . 7 is a block diagram of a computer system according
through a trusted channel, and responsive to an associated to an embodiment of the disclosure .
access code being displayed at a point of sale (POS ), 60
displaying the one -time-password . The method further com DETAILED DESCRIPTION
prises transmitting, by the POS, a request to the trusted
server for a one -time-password associated with the access It should be understood at the outset that although illus
code, and comparing the one-time- password displayed on trative implementations of one or more embodiments are
the user equipment with the one- time-password received 65 illustrated below , the disclosed systems and methods may be
from the trusted server. The method further comprises implemented using any number of techniques, whether
responsive to the associated access code having been veri currently known or not yet in existence . The disclosure
US 9 ,779 ,232 B1
should in no way be limited to the illustrative implementa password being displayed when the access code is dis
tions , drawings, and techniques illustrated below , but may be played . For example , the one -time- password may be trans
modified within the scope of the appended claims along with mitted by the code generator from the user equipment to the
their full scope of equivalents . work station using near field communication (NFC ), WiFi
User equipments may present digital tickets or e -tickets in 5 direct, Bluetooth® , or some other non - visual method . When
a visual manner, for example as a number, a barcode , a quick the work station obtains information of the one -time-pass
response (QR ) code, or in some other visual manner on a word and the access code, the work station may transmit a
display of the user equipment . E - tickets may be vulnerable request to the trusted server in order to verify whether or not
to shoulder-surfing with external cameras. For example , the one - time- password is valid .
someone may take a video or photograph with an external 10 For example , the work station may request for a one
camera ofkeyboard entry of an e -ticket on a user equipment. time-password on record associated with the displayed
Alternatively, the person may use the external camera to access code , for example by transmitting a request to the
capture a screenshot of the user equipment with e -ticket trusted server. The trusted server may locate the associated
information displayed on the screen of the user equipment. one -time- password based on the access code received from
The present disclosure teaches a system and method for 15 the work station and transmit the located one- time-password
generating one- time-passwords to prevent fraud from and the access code back to the work station . When the
maleficent external devices that capture data . one -time- password from the trusted server and the one -time
For example , a code generator application in a trusted password from the user equipment match , the one-time
security zone in a memory of a user equipmentmay generate password from the user equipment is determined by the
a one - time-password associated with an access token or an 20 work station to be valid . Alternatively , the work station may
access code when the access code is obtained . The access transmit to the trusted server both the access code and the
code may be a flight e - ticket, a sports event e -ticket, a music associated one - time- password obtained from the user equip
event e -ticket, a hotel room reservation , secure space access , ment . The trusted servermay locate the associated one -time
or another type of access code. For example , in the case password stored in the trusted server itself or in the data
where the access code is a flight e - ticket , when the flight 25 store based on the access code and compare the one -time
e - ticket is purchased and /or generated , the code generator password received from the work station with the one -time
may generate a one -time-password associated with the flight password on record . When the one - time-password stored by
e -ticket. For a second access code, a second one-time the trusted server and the one -time-password received from
password may be generated by the code generator. the work station match , the one -time- password from the
A one -time-password may be generated by the code 30 work station ( originally from the user equipment) is deter
generator as a random number , for example using a random mined by the trusted server to be valid . The access codemay
number generating algorithm or a pseudorandom number be determined by the work station to be valid or not in
generating algorithm . The one -time-password may not be traditional way (s ) as in existing systems.
displayed at the time of generation . Furthermore , the one When both the access code and the one - time-password
time- password may not be displayed until the final use of the 35 received from the user equipment are determined to be valid ,
one-time-password or may not be displayed at all . For access associated with the access code may be granted by the
example , when a user and /or owner of the user equipment work station to the user equipment . Otherwise , access asso
checks the e -ticket on the user equipment, the one -time- ciated with the access code may be denied to the user
password may not be displayed . After the one - time-pass equipment. The one - time-password may be invalidated by
word is generated , it may be stored in the trusted security 40 the code generator after use upon receipt of a command from
zone on the user equipment. the trusted server. For example , the one- time-password may
The one -time-password may also be transmitted to a be deleted , flagged as invalid , or invalidated in some other
trusted server by the code generator along with the associa - manner by the code generator. The trusted server may also
tion with the access code in a trusted and / or encrypted invalidate the one -time- password at its side. For example ,
channel. For more details on establishing trusted end - to - end 45 the trusted server may delete the stored one -time-password ,
communication links relying on hardware assisted security , flag the stored one-time- password as invalid , or invalidate
see U .S . patent application Ser. No . 13 /532, 588 , filed Jun . the stored one - time- password in some other manner.
25 , 2012 , entitled “ End -to - end Trusted Communications Turning now to FIG . 1 , a communication system 100 is
Infrastructure," by Leo Michael McRoberts, et al., which is described . In an embodiment, the communication system
hereby incorporated by reference in its entirety . The trusted 50 100 comprises a plurality of user equipments 124 , a data
server may store the one- time-passwords with the associated store 106 , and a trusted server 102. The trusted server 102
access codes , for example on the trusted server itself or in a may comprise a server trusted security zone 104 . The user
data store . It should be noted that although a user equipment equipment may alternatively be referred to in some contexts
with a trusted security zone is discussed throughout the as a mobile communication device . The user equipment 124
disclosure as a preferred embodiment, the technology dis - 55 may comprise a processor 108 , an operating system 122 , and
cussed in this disclosure may also be applied to user equip - a memory 120 . The memory 120 may comprise a trusted
ments without a trusted security zone enablement. security zone portion 110 and a permissive sector 118 . The
When the access code is displayed to be redeemed , for trusted security zone 110 may comprise a plurality of trusted
example when a flight e- ticket is displayed at a boarding applications 128 , a code generator 112 , and a ticket genera
counter , the one -time- password may be used . The one -time- 60 tor 114 . The permissive sector 118 may comprise a plurality
password may be displayed or hidden when it is used . For of non - trusted applications 116 . The user equipment 124
example , the one - time-password may be displayed when the may be configured to use a radio transceiver to establish a
access code is displayed and an access agent (e . g ., airline wireless communication link with an enhanced Node B
boarding agent) may read the one-time-password and enter ( NB ) 130 , and the eNB 130 may provide communications
it into a work station . Alternatively, the one -time-password 65 connectivity of the UE 124 to a network 126 . The eNB may
may be received or read from the user equipment by the alternatively be referred to in some contexts as a base
work station at the boarding counter without the one -time transceiver station (BTS ). The trusted server 102 and the
US 9 ,779,232 B1
data store 106 may also have access to the network 126 . The The code generator 112 may be a trusted application and
network 126 may comprise any combination of private and may be stored in the trusted security zone 110 of the user
public networks. equipment 124 . When executed by the processor 108, the
It is understood that the system 100 may comprise any code generator 112 may perform a variety of functionality
number of user equipments 124 , any number of data stores 5 associated with one -time-passwords 134 . For example , the
106 , and any number of eNBs 130 . The collectivity of eNBS code generator 112 may generate a one-time- password 134
130 may be said to comprise a radio access network , in that associated with each of a plurality of access codes . The code
these eNBs 130 may provide a radio communication link to generator 112 may store the generated one- time-password
the user equipments 124 to provide access to the network 134 and / or transmit the one-time-password 134 to the
126 . The radio transceiver of the user equipment 124 may 10 trusted server 102 . The code generator 112 may display the
communicate with the eNB 130 using any of a variety of one-time- password 134 under predefined circumstances or
wireless communication protocols including a code division may exchange the one - time- password 134 with a ticket
multiple access (CDMA ) wireless communication protocol, verification system . Additionally , the code generator 112
a global system for mobile communication (GSM ) wireless may invalidate the one -time-password 134 after the display
communication protocol, a long - term evolution (LTE ) wire - 15 or exchange upon request from the trusted server 102 .
less communication protocol, a world -wide interoperability For example , a one-time-password 134 may be generated
for microwave access (WiMAX ) wireless communication by the code generator 112 for each access code. The one
protocol, or another wireless communication protocol. time- password 134 may be generated by the code generator
While a user equipment or smart phone is used in a 112 as a random number, a group of characters , or any
preferred embodiment, the teachings of the present disclo - 20 combination of the two , for example using a random number
sure may also be extended to other mobile communication generating algorithm or a pseudorandom number generating
devices such as a laptop computer, a notebook computer , a algorithm . The random number generating algorithm may
tablet computer, a mobile phone, a personal digital assistant use some seed with a difficult to know value , such as the 16
( PDA ), a media player, a headset computer, a wearable lowest bits of a counter in the user equipment 124 , a global
computer, a game console , an Internet digitalmedia stream - 25 positioning system (GPS ) coordinate , or a short sequence of
ing device , a television , or another network / communications bits from a recently taken photograph . The one -time -pass
capable device . In an embodiment, the user equipment 124 word 134 may be generated by the code generator 112 based
may have other components (not shown ) such as a near field on a number chosen by the trusted server 102 , for example
communication (NFC ) radio transceiver, a short range radio using the number chosen by the trusted server 102 as a
transceiver such as a wireless local area network radio 30 random seed for the random number generating algorithm or
transceiver, or other components. the pseudorandom number generating algorithm . The one
The trusted server 102 and the data store 106 may be time- password 134 may be generated by the code generator
server computers . The trusted server 102 and the data store 112 based on a previously generated one-time- password
106 may be located in one computer — for example a server 134 , for example using the previously generated one - time
computer, in two different computers — for example , a server 35 password 134 as a random seed for the random number
computer for the trusted server 102 and another computer generating algorithm or the pseudorandom number gener
for the data store 106 , in multiple different computers — for ating algorithm . Alternatively , the one-time- password 134
example, multiple server computers for the trusted server may be generated by the code generator 112 based on
102 and other multiple computers for the data store 106 , or time- synchronization between the trusted server 102 and the
in some other combination of computers . When the trusted 40 user equipment 124 .
server 102 and the data store 106 are not located in one The one-time-password 134 may be integrated by the
computer , the trusted server 102 and the data store 106 may code generator 112 into a file that constitutes the associated
share the same wired or wireless local area network . access code, for example in text. For example, if the access
Non - trusted applications 116 are normal applications on code is generated as a barcode, the information of the
the user equipment 124 . When trusted applications 128 are 45 one -time-password 134 may also be integrated or embedded
executed in the trusted security zone 110 of the user equip in the barcode. When the barcode is scanned by a ticket
ment 124 , peripherals and data of the user equipment 124 agent under predefined circumstances , for example at a
may not be accessible to the non - trusted applications 116 . specific point of sale (POS ), the scanner may extract infor
The non -trusted applications 116 may be stored in a per - mation of the associated one -time-password 134. For
missive sector 118 in the memory 120. The permissive 50 example, the barcode may comprise information of the
sector 118 of the memory 120 is the normal partition in the one-time- password 134 and the scanner may access the
memory 120 . Additionally , non - secure resources may be trusted security zone 110 to obtain the one-time- password
stored in the permissive sector 118 in the memory 120 . 134 from the trusted security zone 110 , for example through
The trusted security zone 110 may be implemented by an application programming interface (API).
partitioning both hardware and software resources of the 55 Alternatively , the one - time- password 134 may be gener
user equipment 124 into two partitions : a secure partition ated by the code generator 112 in a way that the one -time
and a normal partition . The secure partition may be imple - password 134 is separate from a file that constitutes the
mented by a distinct, separate , or dedicated physical pro - associated access code . For example, the one -time-password
cessor, usually the first processor, from the processor by 134 may be generated in a second file separate from a first
which the normal partition may be implemented , usually the 60 file that constitutes the access code . In an embodiment, the
second processor. Alternatively , the secure partition may be second file may be coupled to the first file. In another
implemented by a distinct, separate , or dedicated virtual embodiment, the access code may be in the form of a quick
processor from the virtual processor by which the normal response (QR ) code and the QR code may comprise a
partition may be implemented . A server trusted security zone marker, indicator, or pointer pointing to the one-time-pass
104 may be a server - side trusted security zone and may 65 word 134 .
communicate with the trusted security zone 110 and/ or A plurality of one -time -passwords 134 may be generated
applications on the user equipment 124 . at once or at various times. For example, the plurality of
US 9 ,779 ,232 B1
one - time-passwords 134 may be generated by the code one -time- password 134 is similar with the two cases: when
generator 112 at the same time and may be used at different the one-time- password 134 is displayed and when the one
times. This method of generating a plurality of one -time- time- password 134 is not displayed .
passwords 134 at once and using them at various times may For example , the one- time-password 134 may be dis
be beneficial when the user equipment 124 does not always 5 played or used by the code generator 112 upon request by an
have access to the network 126 and may not be able to owner and / or a user of the user equipment 124 . The one
communicate with the trusted server 102 at times . For time-password 134 may be displayed or used by the code
example , for a flight e - ticket , two one - time- passwords 134 generator 112 upon receipt of a code , for example a code that
may be generated by the code generator 112 when the is input by the owner and / or user of the user equipment 124 .
e -ticket is purchased and /or generated . Here the flight 10 In an embodiment, this code may be different from the
e -ticket may be an access code . One of the two one-time- access code. For example , the code may be a personal
passwords 134 may be used at a transportation security identification number (PIN ) of the user equipment 124 . The
administration ( TSA ) checkpoint at an airport with the one -time-password 134 may be displayed or used by the
e -ticket and / or an identification (ID ) document such as a code generator 112 based on a location -based service , for
driver 's license or a passport. The other one -time-password 15 example when the location -based service detects that the
134 may be used at a boarding counter with the flight user equipment 124 is at a specific POS location . For
e - ticket rightbefore boarding. With more than one one - time example , if the access code is a flight e - ticket of American
password generated at once , the user equipment 124 and the Airlines , an associated one - time-password 134 may be dis
trusted server 102 may synchronize to use and /or invalidate played or used by the code generator 112 when the location
the one -time-passwords 134 . For example , each one -time- 20 based service detects that the user equipment 124 is at an
password 134 may be configured to have a time-to - live American Airlines boarding counter at a specific airport
(TTL ) value . based on the departure information of the e -ticket.
Alternatively , one -time-passwords 134 may be generated Awork station 132 at the boarding counter may verify the
by the code generator 112 at various times . For example , a access code and the associated one - time-password 134 . For
first one -time-password 134 may be generated by the code 25 example , the work station 132 may read the access code and
generator 112 at the time when the flight e -ticket is pur - the associated one-time-password 134 . When the one -time
chased and /or generated . The first one-time-password 134 password 134 is not displayed , the work station 132 may
may be used at the transportation security administration receive information of the one - time-password 134 from the
checkpoint at the airport with the flight e - ticket and / or an user equipment 124 or read information of the one -time
identification document. A second one-time-password 134 30 password 134 from the user equipment 124 . The work
may be generated at a corresponding boarding counter when station 132 may verify the access code in the manner that is
the e - ticket is displayed to a ticket agent. The second performed in currently existing systems. When the access
one-time-password 134 may be used at the boarding counter code is verified to be valid , the work station 132 may further
when the flight e- ticket is displayed to the ticket agent. transmit a request to the trusted server 102 for a one - time
The one-time- password 134 may not be displayed on the 35 password 134b associated with the verified access code . For
user equipment 124 at the time of generation . The one-time- example , thework station 132may transmit a message to the
password 134 may be stored by the code generator 112 in the trusted server 102 with the access code requesting for an
trusted security zone 110 after the one -time-password 134 is associated one -time- password 134b .
generated . The generated one -time-password 134 may be The trusted server 102 may look up the associated one
transmitted by the code generator 112 with the associated 40 time- password 134b , for example in a stored bank of one
access code to the trusted server 102 through a trusted time-password (s) 134b and association with access code(s),
channel. The trusted server 102 may store the received based on the access code received from the work station 132.
one- time-password 134 and /or the association with the When the stored associated one- time- password 134b is
access code in the trusted server 102. Alternatively, the located , the trusted server 102 may transmit the located
trusted server 102 may store the received one -time-password 45 one -time-password 134b with the access code back to the
134 and / or the association with the access code in the data work station 132 . After the located one - time-password 134b
store 106 . is received from the trusted server 102 , the work station 132
The one- time-password 134 may be used or redeemed by may compare the one -time-password 134b received from the
the code generator 112 under predefined circumstances. The trusted server 102 with the one - time- password 134a dis
one - time- password 134 may be displayed or may be hidden 50 played on the user equipment 124 . The work station 132 may
when the one-time- password 134 is used . For example , further compare the one -time-password 134a received from
when the one- time-password 134 is used , it may be dis the user equipment 124 with the one - time-password 134b
played on the user equipment 124 or on a work station 132 . received from the trusted server 102 . When the one -time
The work station 132 may be a ticket verification machine . password 134b received from the trusted server 102 matches
Alternatively, when the one - time-password 134 is used , it 55 the one - time- password 134a from the user equipment 124 ,
may be hidden , e . g ., the one -time-password 134 may not be the one -time-password 134a from the user equipment 124 is
displayed on the user equipment 124 or the work station 132 . determined by the work station 132 to be valid .
Instead , information of the one -time-password 134 may be Alternatively, when the access code is verified to be valid ,
exchanged between the user equipment 124 and the work the work station 132 may transmit to the trusted server 102
station 132 . For example , information of the one -time- 60 the displayed access code and the one-time-password 134a
password 134 stored in the trusted security zone 110 of the read and / or received from the user equipment 124 . The
user equipment 124 may be integrated in or coupled to the trusted server 102 may compare the pair of the one-time
associated access code. When the access code is read by the password 134a and the access code received from the work
work station 132 , the embedded or coupled information of station 132 with stored pair ( s ) of one-time- password (s ) 134b
the one - time-password 134 may be obtained by the work 65 and access code (s) to determine whether or not the one
station 132 without a visual representation of the one -time- time-password 134a from the work station 132 is valid . For
password 134 being shown. The verification process of the example , the trusted server 102 may locate a record of the
US 9 ,779 ,232 B1
10
pair of the one-time-password 134b and the associated channel. At block 208, responsive to an associated access
access code based on the access code received from the work code being displayed at a point of sale (POS ), the one- time
station 132. The trusted server 102 may compare the located password 134a is displayed . At block 210 , a request is
one-time- password 134b in the record with the one-time- transmitted by the POS to the trusted server 102 for a
password 134a received from the work station 132 . When 5 one -time-password 134b associated with the access code .
the located one -time-password 134b in the record matches At block 212 , the one - time-password 134a displayed on
the one-time- password 134a received from the work station the user equipment 124 is compared with the one-time
132 , the one-time-password 134a from the work station 132 password 134b received from the trusted server 102 . At
which originates from the user equipment 124 is determined block 214 , responsive to the associated access code having
by the trusted server 102 to be valid . The trusted server 102 10 been verified and the one- time-passwords 134a and 134b
may transmit a message to the work station 132 confirming matching, access associated with the access code is granted
the validity of the one-time- password 134a from the user to the user equipment 124 . At block 216 , the one- time
equipment 124. password 134 is invalidated promptly after the display ends .
When both the access code and the one-time- password For example, the one-time- password 134 is deleted from the
134a from the user equipment 124 are verified to be valid , 15 user equipment 124 and from the trusted server 102 .
access associated with the access codemay be granted by the Turning now to FIG . 3 , a method 300 is described . At
work station 132 to the user equipment 124 . Otherwise , block 302 , a different one -time-password 134 associated
access associated with the access code may be denied by the with each of a plurality of access codes is generated by the
work station 132 to the user equipment 124 . For example , if code generator 112 stored in a trusted security zone 110 in
the access code from the user equipment 124 is determined 20 a memory 120 of a user equipment 124 , wherein the
to be invalid , access may be denied by the work station 132 one -time-password 134 is not displayed on the user equip
to the user equipment 124 . If the access code from the user ment 124 . At block 304 , the one -time-password 134 is stored
equipment 124 is determined to be valid but the one - time in the trusted security zone 110 .
password 134a from the user equipment 124 is determined At block 306 , the generated one - time-password 134 is
to be invalid , access may be denied by the work station 132 25 transmitted to a trusted server 102 through an encrypted
to the user equipment 124 . channel. For example , the one-time-password 134 may be
In an embodiment, the one-time- password 134 may be encrypted using an encryption key and transmitted over a
invalidated promptly after the use, for example within one communication channel to the trusted server 102 . Upon
minute after the user, within 30 seconds after the use , orreceipt of the encrypted one- time- password 134, the trusted
within another short period of time after the use. The 30 server 102 may decrypt the encrypted one - time-password
one - time- password 134 may be invalidated after the one - 134 using an appropriate key. At block 308 , responsive to an
time- password 134 is verified to be valid and the associated associated access code being displayed to a work station
access is granted to the user equipment 124 . Additionally, 132, the one -time -password 134a is transmitted to the work
the one-time-password 134 may be invalidated when the station 132 through a dedicated channel, wherein the one
one -time-password 134 is verified to be invalid and the 35 time-password 134a is not displayed on the user equipment
associated access is denied to the user equipment 124 . For 124 or the work station 132 . For example , the one -time
example , the trusted server 102 may transmit a command to password 134a may be transmitted by the code generator
the user equipment 124 , for example to the code generator 112 from the user equipment 124 to the work station 132
112 or some other trusted application 128 in the trusted using near field communication (NFC ), WiFi direct, Blu
security zone 110 , to invalidate the used one -time-password 40 etooth® , or some other dedicated channel. At block 310 , a
134 . The command may be received by the user equipment request is transmitted by the work station 132 to the trusted
124 through an application programming interface . The server 102 for a one-time-password 134b associated with the
one -time-password 134 may be deleted , flagged as invalid , access code.
or invalidated in some other manner. The code generator 112 At block 312 , the one - time-password 134a received from
may transmit an acknowledgement message back to the 45 the user equipment 124 is compared with the one -time
trusted server 102 after the one -time-password 134 has been password 134b received from the trusted server 102 . At
invalidated . Additionally , the trusted server 102 may also block 314 , the access code is examined . At block 316 ,
invalidate the one -time-password 134 stored on the trusted responsive to the associated access code having been veri
server 102 or the data store 106 , for example by deleting the fied and the one - time-passwords 134a and 134b from the
one -time-password 134 , flagging the one- time-password 50 user equipment 124 and the trusted server 102 respectively
134 as invalid , or invalidating the one-time-password 134 in matching , access associated with the access code is granted
some other manner. to the user equipment 124 . At block 318, the one- time
Turning now to FIG . 2 , a method 200 is described . At password 134 is invalidated after granting access to the user
block 202, a different one -time-password 134 for each of a equipment 124.
plurality of access codes is generated by a code generator 55 FIG . 4 depicts the user equipment (UE ) 400, which is
stored in a trusted security zone in a memory of a user o perable for implementing aspects of the present disclosure ,
equipment, wherein the trusted security zone provides hard but the present disclosure should not be limited to these
ware assisted trust, wherein the one - time-password 134 is implementations. Though illustrated as a mobile phone, the
not displayed on the user equipment at the time of genera - UE 400 may take various forms including a wireless hand
tion . For example , a different one -time-password 134 asso - 60 set, a pager, a personal digital assistant (PDA ), a gaming
ciated with each of a plurality of access codes may be device , or a media player . The UE 400 includes a touch
generated by the code generator 112 stored in the trusted screen display 402 having a touch -sensitive surface for input
security zone 110 of the user equipment 124 . At block 204 , by a user. A small number of application icons 404 are
the one-time- password 134 is stored in the trusted securityillustrated within the touch screen display 402 . It is under
zone
zo 110 . 65 stood that in different embodiments , any number of appli
At block 206 , the generated one-time-password 134 is cation icons 404 may be presented in the touch screen
transmitted to the trusted server 102 through a trusted display 402. In some embodiments of the UE 400 , a user
US 9,779,232 B1
12
may be able to download and install additional applications embodiments, the communication may provide Internet con
on the UE 400, and an icon associated with such down - nectivity , enabling a user to gain access to content on the
loaded and installed applicationsmay be added to the touch Internet and to send and receive e -mail or textmessages . The
screen display 402 or to an alternative screen . The UE 400 input/output interface 518 interconnects the DSP 502 and
may have other components such as electro -mechanical 5 various memories and interfaces. The memory 504 and the
switches , speakers, camera lenses, microphones, input and/ removable memory card 520 may provide software and data
or output connectors , and other components as are well to configure the operation of the DSP 502 . Among the
known in the art. The UE 400 may present options for the interfaces may be the USB port 522 and the infrared port
user to select, controls for the user to actuate , and /or cursors 524 . The USB port 522 may enable the UE 400 to function
or other indicators for the user to direct. The UE 400 may 10 as a peripheral device to exchange information with a
further accept data entry from the user , including numbers to personal computer or other computer system . The infrared
dial or various parameter values for configuring the opera
tion of the handset . The UE 400 may further execute one or port 524 and other optional ports such as a Bluetooth®
interface or an IEEE 802 . 11 compliant wireless interface
more software or firmware applications in response to user
commands. These applications may configure the UE 400 to 15 may enable the UE 400 to communicate wirelessly with
perform various customized functions in response to user other nearby handsets and /or wireless base stations. In an
interaction . Additionally, the UE 400 may be programmed embodiment, the UE 400 may comprise a near field com
munication (NFC ) transceiver. The NFC transceiver may be
and/ or configured over- the-air, for example from a wireless
base station , a wireless access point, or a peer UE 400. The
used to complete payment transactions with point-of -sale
UE 400 may execute a web browser application which 20 terminals or other communications exchanges. In an
enables the touch screen display 402 to show a web page . embodiment, the UE 400 may comprise a radio frequency
The web page may be obtained via wireless communications identify (RFID ) reader and /or writer device .
with a base transceiver station , a wireless network access The switches 528 may couple to the DSP 502 via the
node , a peer UE 400 or any other wireless communication input/ output interface 518 to provide one mechanism for the
network or system . 25 user to provide input to the UE 400 . Alternatively , one or
FIG . 5 shows a block diagram of the UE 400 . While a more of the switches 528 may be coupled to a motherboard
variety of known components ofhandsets are depicted , in an of the UE 400 and/or to components of the UE 400 via a
embodiment a subset of the listed components and /or addi different path ( e.g ., not via the input/ output interface 518 ),
tional components not listed may be included in the UE 400 . for example coupled to a power control circuit (power
The UE 400 includes a digital signal processor (DSP ) 502 30 button ) of the UE 400 . The touch screen display 530 is
and a memory 504 . As shown, the UE 400 may further another inputmechanism , which further displays text and / or
include an antenna and front end unit 506 , a radio frequency graphics to the user. The touch screen LCD controller 532
(RF) transceiver 508, a baseband processing unit 510 , a couples the DSP 502 to the touch screen display 530 . The
microphone 512 , an earpiece speaker 514 , a headset port GPS receiver 538 is coupled to the DSP 502 to decode global
516 , an input/ output interface 518 , a removable memory 35 positioning system signals , thereby enabling the UE 400 to
card 520 , a universal serial bus (USB ) port 522, an infrared determine its position .
port 524 , a vibrator 526 , one or more electro -mechanical FIG . 6A illustrates a software environment 602 that may
switches 528 , a touch screen liquid crystal display (LCD ) be implemented by the DSP 502 . The DSP 502 executes
with a touch screen display 530 , a touch screen /LCD con operating system software 604 that provides a platform from
troller 532, a camera 534 , a camera controller 536 , and a 40 which the rest of the software operates. The operating
global positioning system (GPS ) receiver 538 . In an embodi- system software 604 may provide a variety of drivers for the
ment, the UE 400 may include another kind of display that handset hardware with standardized interfaces that are
does not provide a touch sensitive screen . In an embodiment accessible to application software . The operating system
the UE 400 may include both the touch screen display 530 software 604 may be coupled to and interact with applica
and additional display component that does not provide a 45 tion management services (AMS ) 606 that transfer control
touch sensitive screen . In an embodiment, the DSP 502 may between applications running on the user equipment 400 .
communicate directly with the memory 504 without passing Also shown in FIG . 6A are a web browser application 608 ,
through the input/ output interface 518 . Additionally, in an a media player application 610 , and JAVA applets 612 . The
embodiment, the UE 400 may comprise other peripheral web browser application 608 may be executed by the user
devices that provide other functionality . 50 equipment 400 to browse content and / or the Internet, for
The DSP 502 or some other form of controller or central example when the user equipment 400 is coupled to a
processing unit operates to control the various components network via a wireless link . The web browser application
of the UE 400 in accordance with embedded software or 608 may permit a user to enter information into forms and
firmware stored in memory 504 or stored in memory con select links to retrieve and view web pages. The media
tained within the DSP 502 itself. In addition to the embedded 55 player application 610 may be executed by the user equip
software or firmware , the DSP 502 may execute other ment 400 to play audio or audiovisual media . The JAVA
applications stored in the memory 504 or made available via applets 612 may be executed by the user equipment 400 to
information carrier media such as portable data storage provide a variety of functionality including games , utilities ,
media like the removable memory card 520 or via wired or and other functionality .
wireless network communications. The application software 60 FIG . 6B illustrates an alternative software environment
may comprise a compiled set ofmachine- readable instruc - 620 that may be implemented by the DSP 502 . The DSP 502
tions that configure the DSP 502 to provide the desired executes operating system kernel (OS kernel ) 628 and an
functionality , or the application software may be high -level execution runtime630 . The DSP 502 executes applications
software instructions to be processed by an interpreter or 622 that may execute in the execution runtime 630 and may
compiler to indirectly configure the DSP 502 . 65 rely upon services provided by the application framework
The DSP 502 may communicate with a wireless network 624 . Applications 622 and the application framework 624
via the analog baseband processing unit 510 . In some may rely upon functionality provided via the libraries 626 .
US 9,779,232 B1
13 14
A trusted security zone provides chipsets with a hardware accessed from the secure partition . While the secure parti
root of trust, a secure execution environment for applica tion is being accessed through the Trusted Execution Envi
tions, and secure access to peripherals . A hardware root of ronment, the main mobile operating system in the normal
trust means the chipset should only execute programs partition is suspended , and applications in the normal par
intended by the device manufacturer or vendor and resists 5 tition are prevented from accessing the secure peripherals
software and physical attacks , and therefore remains trusted and data . This prevents corrupted applications or malware
to provide the intended level of security . The chipset archi- applications from breaking the trust of the device .
tecture is designed to promote a programmable environment The trusted security zone is implemented by partitioning
that allows the confidentiality and integrity of assets to be the hardware and software resources to exist in a secure
protected from specific attacks. Trusted security zone capa - 10 subsystem which is not accessible to components outside the
bilities are becoming features in both wireless and fixed secure subsystem . The trusted security zone is built into the
hardware architecture designs . Providing the trusted security processor architecture at the time of manufacture through
zone in the main user equipment chipset and protecting the hardware logic present in the trusted security zone which
hardware root of trust removes the need for separate secure enables a perimeter boundary between the secure partition
hardware to authenticate the device or user. To ensure the 15 and the normal partition . The trusted security zone may only
integrity of the applications requiring trusted data , such as a be manipulated by those with the proper credentials and , in
mobile financial services application , the trusted security an embodiment, may not be added to the chip after it is
zone also provides the secure execution environment where manufactured . Software architecture to support the secure
only trusted applications can operate, safe from attacks . partition may be provided through a dedicated secure kernel
Security is further promoted by restricting access of non - 20 running trusted applications . Trusted applications are inde
trusted applications to peripherals , such as data inputs and pendent secure applications which can be accessed by
data outputs, while a trusted application is running in the normal applications through an application programming
secure execution environment. In an embodiment, the interface in the Trusted Execution Environment on a chipset
trusted security zone may be conceptualized as hardware that utilizes the trusted security zone .
assisted security . 25 In an embodiment, the normal partition applications run
A complete Trusted Execution Environment (TEE ) may on a first virtual processor, and the secure partition appli
be implemented through the use of the trusted security zone cations run on a second virtual processor. Both virtual
hardware and software architecture . The Trusted Execution processors may run on a single physical processor, executing
Environment is an execution environment that is parallel to in a time- sliced fashion , removing the need for a dedicated
the execution environment of the main user equipment 30 physical security processor . Time-sliced execution com
operating system . The Trusted Execution Environment and prises switching contexts between the two virtual processors
or the trusted security zone may provide a base layer of to share processor resources based on tightly controlled
functionality and/ or utilities for use of applications that may mechanisms such as secure software instructions or hard
execute in the trusted security zone . For example, in an ware exceptions. The contextofthe currently running virtual
embodiment, trust tokens may be generated by the base layer 35 processor is saved , the context of the virtual processor being
of functionality and/ or utilities of the Trusted Execution switched to is restored , and processing is restarted in the
Environment and / or trusted security zone for use in trusted restored virtual processor. Time -sliced execution protects
end -to - end communication links to document a continuity of the trusted security zone by stopping the execution of the
trust of the communications. Through standardization of normal partition while the secure partition is executing.
application programming interfaces (APIS ) , the Trusted 40 The two virtual processors context switch via a processor
Execution Environment becomes a place to which scalable mode called monitor mode when changing the currently
deployment of secure services can be targeted . A device running virtual processor. The mechanisms by which the
which has a chipset that has a Trusted Execution Environ - processor can enter monitor mode from the normal partition
ment on it may exist in a trusted services environment, are tightly controlled . The entry to monitor mode can be
where devices in the trusted services environment are trusted 45 triggered by software executing a dedicated instruction , the
and protected against attacks . The Trusted Execution Envi- Secure Monitor Call (SMC ) instruction , or by a subset of the
ronment can be implemented on mobile phones and tablets hardware exception mechanisms such as hardware inter
as well as extending to other trusted devices such as personal rupts , which can be configured to cause the processor to
computers , servers , sensors, medical devices, point-of-sale switch into monitor mode . The software that executes within
terminals, industrial automation , handheld terminals, auto - 50 monitor mode then saves the context of the running virtual
motive , etc . processor and switches to the secure virtual processor.
The trusted security zone is implemented by partitioning The trusted security zone runs a separate operating system
all of the hardware and software resources of the user that is not accessible to the device users . For security
equipment into two partitions: a secure partition and a purposes , the trusted security zone is not open to users for
normal partition . The secure partition may be implemented 55 installing applications, which means users do not have
by a first physical processor, and the normal partition may be access to install applications in the trusted security zone .
implemented by a second physical processor. Alternatively , This prevents corrupted applications or malware applica
the secure partition may be implemented by a first virtual tions from executing powerful instructions reserved to the
processor, and the normal partition may be implemented by trusted security zone and thus preserves the trust of the
a second virtual processor. Placing sensitive resources in the 60 device . The security of the system is achieved at least in part
secure partition can protect against possible attacks on those by partitioning the hardware and software resources of the
resources . For example , resources such as trusted software mobile phone so they exist in one of two partitions, the
applications may run in the secure partition and have access secure partition for the security subsystem and the normal
to hardware peripherals such as a touchscreen or a secure partition for everything else . Placing the trusted security
location in memory . Less secure peripherals such as wireless 65 zone in the secure partition and restricting access from the
radios may be disabled completely while the secure partition normal partition protects against software and basic hard
is being accessed , while other peripherals may only be ware attacks. Hardware logic ensures that no secure partition
US 9,779 ,232 B1
15 16
resources can be accessed by the normal partition compo execute instructions that the application is comprised of.
nents or applications. A dedicated secure partition operating During execution , an application may load instructions into
system runs in a virtual processor separate from the normal the CPU 382, for example load some of the instructions of
partition operating system that likewise executes in its own the application into a cache of the CPU 382 . In some
virtual processor. Users may install applications on the user 5 contexts , an application that is executed may be said to
equipment which may execute in the normal partition oper - configure the CPU 382 to do something, e . g ., to configure
ating system described above. The trusted security zone runs the CPU 382 to perform the function or functions promoted
a separate operating system for the secure partition that is by the subject application . When the CPU 382 is configured
installed by the user equipment manufacturer or vendor, and in this way by the application , the CPU 382 becomes a
users are not able to install new applications in or alter the 10 specific purpose computer or a specific purpose machine .
contents of the trusted security zone. The secondary storage 384 is typically comprised of one
FIG . 7 illustrates a computer system 380 suitable for or more disk drives or tape drives and is used for non
implementing one or more embodiments disclosed herein . volatile storage of data and as an over- flow data storage
The computer system 380 includes a processor 382 (which device if RAM 388 is not large enough to hold all working
may be referred to as a central processor unit or CPU ) that 15 data . Secondary storage 384 may be used to store programs
is in communication with memory devices including sec - which are loaded into RAM 388 when such programs are
ondary storage 384 , read only memory (ROM ) 386 , random selected for execution . The ROM 386 is used to store
access memory (RAM ) 388, input/output (I/ O ) devices 390 , instructions and perhaps data which are read during program
and network connectivity devices 392. The processor 382 execution. ROM 386 is a non - volatile memory device which
may be implemented as one or more CPU chips . 20 typically has a smallmemory capacity relative to the larger
It is understood that by programming and/ or loading memory capacity of secondary storage 384 . The RAM 388
executable instructions onto the computer system 380, at is used to store volatile data and perhaps to store instruc
least one of the CPU 382, the RAM 388, and the ROM 386 tions. Access to both ROM 386 and RAM 388 is typically
are changed , transforming the computer system 380 in part faster than to secondary storage 384 . The secondary storage
into a particular machine or apparatus having the novel 25 384 , the RAM 388, and /or the ROM 386 may be referred to
functionality taught by the present disclosure . It is funda - in some contexts as computer readable storage media and / or
mental to the electrical engineering and software engineer - non -transitory computer readable media .
ing arts that functionality that can be implemented by I/O devices 390 may include printers, video monitors,
loading executable software into a computer can be con - liquid crystal displays (LCDs), touch screen displays , key
verted to a hardware implementation by well -known design 30 boards , keypads, switches , dials , mice , track balls, voice
rules . Decisions between implementing a concept in soft recognizers, card readers , paper tape readers, or other well
ware versus hardware typically hinge on considerations of known input devices .
stability of the design and numbers of units to be produced The network connectivity devices 392 may take the form
rather than any issues involved in translating from the of modems, modem banks, Ethernet cards, universal serial
software domain to the hardware domain . Generally , a 35 bus (USB ) interface cards, serial interfaces , token ring cards ,
design that is still subject to frequent change may be fiber distributed data interface (FDDI) cards, wireless local
preferred to be implemented in software , because re -spin - area network (WLAN ) cards, radio transceiver cards that
ning a hardware implementation is more expensive than promote radio communications using protocols such as code
re -spinning a software design . Generally , a design that is division multiple access (CDMA ), global system for mobile
stable that will be produced in large volume may be pre - 40 communications (GSM ), long -term evolution (LTE ) , world
ferred to be implemented in hardware , for example in an wide interoperability for microwave access (WiMAX ), near
application specific integrated circuit (ASIC ), because for field communications (NFC ), radio frequency identity
large production runs the hardware implementation may be (RFID ), and /or other air interface protocol radio transceiver
less expensive than the software implementation . Often a cards, and other well-known network devices . These net
design may be developed and tested in a software form and 45 work connectivity devices 392 may enable the processor 382
later transformed , by well -known design rules , to an equiva - to communicate with the Internet or one or more intranets .
lent hardware implementation in an application specific With such a network connection , it is contemplated that the
integrated circuit that hardwires the instructions of the processor 382 might receive information from the network ,
software . In the same manner as a machine controlled by a or might output information to the network in the course of
new ASIC is a particular machine or apparatus , likewise a 50 performing the above - described method steps . Such infor
computer that has been programmed and / or loaded with mation , which is often represented as a sequence of instruc
executable instructions may be viewed as a particular tions to be executed using processor 382 , may be received
machine or apparatus. from and outputted to the network , for example , in the form
Additionally , after the system 380 is turned on or booted , of a computer data signal embodied in a carrier wave .
the CPU 382 may execute a computer program or applica - 55 Such information , which may include data or instructions
tion . For example , the CPU 382 may execute software or to be executed using processor 382 for example, may be
firmware stored in the ROM 386 or stored in the RAM 388 . received from and outputted to the network , for example , in
In some cases , on boot and / or when the application is the form of a computer data baseband signal or signal
initiated , the CPU 382may copy the application or portions embodied in a carrier wave . The baseband signal or signal
of the application from the secondary storage 384 to the 60 embedded in the carrier wave , or other types of signals
RAM 388 or to memory space within the CPU 382 itself, currently used or hereafter developed , may be generated
and the CPU 382 may then execute instructions that the according to several methods well -known to one skilled in
application is comprised of. In some cases, the CPU 382 the art . The baseband signal and / or signal embedded in the
may copy the application or portions of the application from carrier wave may be referred to in some contexts as a
memory accessed via the network connectivity devices 392 65 transitory signal.
or via the I/ O devices 390 to the RAM 388 or to memory The processor 382 executes instructions, codes, computer
space within the CPU 382 , and the CPU 382 may then programs, scripts which it accesses from hard disk , floppy
US 9,779 ,232 B1
18
disk , optical disk (these various disk based systemsmay all may process the executable instructions and /or data struc
be considered secondary storage 384 ), flash drive , ROM tures by remotely accessing the computer program product,
386 , RAM 388 , or the network connectivity devices 392 . for example by downloading the executable instructions
While only one processor 382 is shown,multiple processors and /or data structures from a remote server through the
may be present . Thus, while instructions may be discussed 5 network connectivity devices 392 . The computer program
as executed by a processor, the instructionsmay be executed product may comprise instructions that promote the loading
simultaneously, serially , or otherwise executed by one or and /or copying of data , data structures , files , and/ or execut
multiple processors . Instructions, codes, computer pro - able instructions to the secondary storage 384 , to the ROM
grams, scripts , and/ or data that may be accessed from the 386 , to the RAM 388 , and/ or to other non -volatile memory
secondary storage 384 , for example , hard drives, floppy 10 and volatile memory of the computer system 380.
disks, optical disks, and /or other device , the ROM 386 , In some contexts, the secondary storage 384 , the ROM
and /or the RAM 388 may be referred to in some contexts as 386 , and the RAM 388 may be referred to as a non - transitory
non - transitory instructions and / or non - transitory informa- computer readable medium or a computer readable storage
tion . media . A dynamic RAM embodiment of the RAM 388 ,
In an embodiment, the computer system 380 may com - 15 likewise , may be referred to as a non -transitory computer
prise two or more computers in communication with each readable medium in that while the dynamic RAM receives
other that collaborate to perform a task . For example , but not electrical power and is operated in accordance with its
by way of limitation , an application may be partitioned in design , for example during a period of time during which the
such a way as to permit concurrent and /or parallel process - computer system 380 is turned on and operational, the
ing of the instructions of the application . Alternatively, the 20 dynamic RAM stores information that is written to it .
data processed by the application may be partitioned in such Similarly , the processor 382 may comprise an internal RAM ,
a way as to permit concurrent and/ or parallel processing of an internal ROM , a cache memory, and /or other internal
different portions of a data set by the two or more computers. non -transitory storage blocks , sections, or components that
In an embodiment, virtualization software may be employed may be referred to in some contexts as non - transitory
by the computer system 380 to provide the functionality of 25 computer readable media or computer readable storage
a number of servers that is not directly bound to the number media .
of computers in the computer system 380 . For example , While several embodiments have been provided in the
virtualization software may provide twenty virtual servers present disclosure , it should be understood that the disclosed
on four physical computers . In an embodiment, the func - systems and methods may be embodied in many other
tionality disclosed above may be provided by executing the 30 specific forms without departing from the spirit or scope of
application and/ or applications in a cloud computing envi- the present disclosure . The present examples are to be
ronment. Cloud computing may comprise providing com - considered as illustrative and not restrictive, and the inten
puting services via a network connection using dynamically tion is not to be limited to the details given herein . For
scalable computing resources . Cloud computing may be example , the various elements or components may be com
supported , at least in part, by virtualization software . A cloud 35 bined or integrated in another system or certain features may
computing environment may be established by an enterprise be omitted or not implemented .
and / or may be hired on an as-needed basis from a third party Also , techniques , systems, subsystems, and methods
provider. Some cloud computing environments may com - described and illustrated in the various embodiments as
prise cloud computing resources owned and operated by the discrete or separate may be combined or integrated with
enterprise as well as cloud computing resources hired and /or 40 other systems, modules, techniques , or methods without
leased from a third party provider. departing from the scope of the present disclosure . Other
In an embodiment, some or all of the functionality dis - items shown or discussed as directly coupled or communi
closed above may be provided as a computer program cating with each other may be indirectly coupled or com
product. The computer program product may comprise one municating through some interface, device , or intermediate
or more computer readable storage medium having com - 45 component, whether electrically , mechanically , or other
puter usable program code embodied therein to implement wise . Other examples of changes , substitutions , and altera
the functionality disclosed above . The computer program tions are ascertainable by one skilled in the art and could be
product may comprise data structures, executable instruc - made without departing from the spirit and scope disclosed
tions , and other computer usable program code. The com - herein .
puter program product may be embodied in removable 50 What is claimed is:
computer storage media and/ or non -removable computer 1 . A user equipment, comprising :
storage
sto media . The removable computer readable storage a processor of the user equipment;
medium may comprise , without limitation , a paper tape , a a memory of the user equipment;
magnetic tape, magnetic disk , an optical disk , a solid state a trusted security zone of the user equipment, wherein the
memory chip , for example analog magnetic tape , compact55 trusted security zone provides hardware assisted trust
disk read only memory (CD -ROM ) disks , floppy disks , jump and is implemented by partitioning hardware and soft
drives , digital cards, multimedia cards, and others . The ware resources into a secure partition and a normal
computer program product may be suitable for loading, by partition ;
the computer system 380, at least portions of the contents of a ticket generator stored in the secure partition in the
the computer program product to the secondary storage 384 , 60 trusted security zone of the user equipmentto generate
to the ROM 386 , to the RAM 388 , and/or to other non a plurality of access codes; and
volatile memory and volatile memory of the computer a code generator stored in the secure partition in the
system 380 . The processor 382 may process the executable trusted security zone of the user equipment configured
instructions and /or data structures in part by directly access to :
ing the computer program product, for example by reading 65 generate a different one-time-password for each of the
from a CD -ROM disk inserted into a disk drive peripheral of plurality of access codes , wherein the one -time
the computer system 380 . Alternatively, the processor 382 password is not displayed on the user equipment,
US 9 ,779,232 B1
19 20
store the one-time-password in the secure partition in responsive to the associated access code having been
the trusted security zone, verified and the one-time- password from the user
transmit the one -time-password to a trusted server equipment and the one -time-password stored by the
through a trusted channel, wherein the one- time trusted server matching, granting access associated
password generated in the trusted security zone of 5 with the access code to the user equipment; and
the user equipment and received by the trusted server invalidating the one -time-password promptly after the
from the user equipment is stored in the trusted display ends .
server, 9. The method of claim 8, further comprising utilizing a
responsive to an associated access code from the plu - location -based service to recognize the proper POS location
rality of access codes being displayed and upon 10 to display the access code and the one -time-password .
request of a user of the user equipment, display the 10 . The method of claim 8 , wherein the one -time -pass
one-time-password , wherein a request is sent to the word is displayed upon request by a user of the user
trusted server from a point of sale or a workstation equipment.
for the one-time- password associated with the access 11 . The method of claim 10 , wherein the user of the user
code , and wherein access is granted to the user 15 equipment enters a code for the code generator to display the
equipment in response to a verification of the asso - one-time-password , and wherein the one-time- password is
ciated access code and the one -time-password from invalidated within 30 seconds after the display ends.
the user equipment and the one- time-password 12 . The method of claim 8 , wherein the access code is for
stored by the trusted server matching, and at least one of a plane ticket, a sports event access , a music
invalidate the one- time-password promptly after the 20 event access, a hotel room reservation , or a secure space
display ends . access , and wherein the secure spaces access is secure access
2 . The user equipment of claim 1 , wherein the one - time- to one of a building , a floor, or a room .
password is integrated into a file that constitutes the asso 13 . The method of claim 8, wherein the one -time- pass
ciated access code in text. word is invalidated upon receipt of a command from the
3 . The user equipment of claim 1 , wherein the one - time- 25 trusted server .
password is separated from a file that constitutes the asso - 14 . Themethod of claim 13 , wherein the command from
ciated access code . the trusted server is received by the user equipment through
4 . The user equipment of claim 1 , wherein the one -time- an application programming interface (API).
password is generated by a random number generating 15 . A method of generating and verifying one-time
algorithm , and wherein the one -time-password is invalidated 30 passwords for user equipments , comprising :
within one minute after the display ends. generating, by a code generator stored in a trusted security
5 . The user equipment of claim 4 , wherein the one -time zone in a memory of a user equipment, a different
password is generated based on a seed chosen by the trusted one- time-password associated with each of a plurality
server. of access codes , wherein the trusted security zone
6 . The user equipment of claim 4 , wherein the one-time- 35 provides hardware assisted trust and is implemented by
password is generated based on a previously generated partitioning hardware and software resources into a
one - time- password . secure partition and a normal partition , and wherein the
7 . The user equipment of claim 4 , wherein the one-time one-time- password is not displayed on the user equip
password is generated based on time-synchronization ment ;
between the trusted server and the user equipment. 40 storing the one - time- password in the secure partition in
8 . A method of generating and verifying one -time- pass the trusted security zone of the user equipment;
words for user equipments, comprising: transmitting the one - time- password to a trusted server
generating, by a code generator stored in a trusted security through an encrypted channel, wherein the one -time
zone in a memory of a user equipment, a different password generated in the trusted security zone of the
one -time-password associated with each of a plurality 45 user equipment and received by the trusted server from
of access codes, wherein the trusted security zone the user equipment is stored in the trusted server ;
provides hardware assisted trust and is implemented by responsive to an associated access code being displayed to
partitioning hardware and software resources into a a work station , transmitting the one- time-password to
secure partition and a normal partition , and wherein the the work station through a dedicated channel, wherein
one -time-password is not displayed on the user equip - 50 t he one - time-password is not displayed on the user
ment at the time of generation ; equipment or the work station ;
storing the one -time-password in the secure partition in transmitting, by the work station , a request to the trusted
the trusted security zone of the user equipment ; server for a one-time-password associated with the
transmitting the one- time- password to a trusted server access code;
through a trusted channel, wherein the one - time-pass - 55 comparing the one- time- password received from the user
word generated in the trusted security zone of the user equipment with the one-time-password stored by and
equipment and received by the trusted server from the received from the trusted server ;
user equipment is stored in the trusted server ; examining the access code ;
responsive to an associated access code being displayed at responsive to the associated access code having been
a point of sale (POS ), displaying the one -time-pass - 60 verified and the one -time-password from the user
word ; equipment and the one- time-password stored by the
transmitting, by the POS, a request to the trusted server trusted server matching, granting access associated
for a one- time-password associated with the access with the access code to the user equipment; and
code ; invalidating the one -time- password after granting access
comparing the one -time-password displayed on the user 65 to the user equipment.
equipment with the one -time- password stored by and 16 . The method of claim 15 , wherein the user equipment
received from the trusted server ; is one of a laptop computer, a notebook computer, a tablet
US 9 ,779, 232 B1
21
computer, a mobile phone , a personal digital assistant
(PDA ), a media player, a headset computer, a wearable
computer, a game console , an Internet digitalmedia stream
ing device , a television ,or another network /communications
capable device .
17 . The method of claim 15 , wherein the user equipment
establishes a wireless communication with a radio access
network according to a code division multiple access
(CDMA ) wireless communication protocol, a global system
for mobile communication (GSM ) wireless communication 10
protocol, a long -term evolution (LTE ) wireless communica
tion protocol, or a world -wide interoperability for micro
wave access (WiMAX ) wireless communication protocol.
18 . The method of claim 15 , wherein the one -time
password is generated by a random number generating 15
algorithm .
19 . The method of claim 18, wherein the one-time
password is generated based on a seed chosen by the trusted
server.
20 . The method of claim 18 , wherein the one -time- 20
password is generated based on a previously generated
one- time-password .
* * * * *