WO2025082605A1 - Secure access device structured object - Google Patents
- Publication number
- WO2025082605A1 (PCT/EP2023/079197)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- memory portion
- memory
- access
- configuration
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
Definitions
- Physical control access systems may be used to restrict entry to physical spaces and permit entry to authorized individuals.
- Physical control access systems may control access to a room, a floor, a building, a safe (e.g., a floor safe, a wall safe, a freestanding safe, etc.), a cabinet, a vehicle, a case, etc.
- Digital access may be similarly controlled.
- A user device and an access control device or system are used, where the user device communicates with the reader (e.g., using a short distance communication technique, via wireless communication, etc.).
- The access control device may determine whether the user device has proper authorization or authentication to access the controlled physical or digital area.
- FIG. 1 illustrates a system diagram including a secure access device in accordance with some examples.
- FIG. 2 illustrates an object structure for a secure access device in accordance with some examples.
- FIG. 3 illustrates a detailed view of slots in an object structure in accordance with some examples.
- FIG. 4 illustrates a file system showing example objects in accordance with some examples.
- FIG. 5 illustrates a flowchart showing a technique for creating an object on a device in accordance with some examples.
- FIG. 6 illustrates generally an example of a block diagram of a machine upon which any one or more of the techniques discussed herein may perform in accordance with some examples.
- The systems and techniques described herein provide for creating, modifying, or accessing an object on a device, such as in storage (e.g., memory).
- The object may be created using a single structured access command.
- A single structured access command may be used to access or modify data in the object after creation.
- The single structured access command may include writing an object tag number and an object type to a properties memory portion of memory of the device, optionally writing at least one access right value to an access rights memory portion of the memory, and optionally writing at least one configuration to a configuration memory portion of the memory including a current status flag of the object.
- One or more of these writing operations may be included in the single structured access command.
- A data memory portion of the memory may be read using the object tag number, for example based on a request that complies with the at least one access right value and the current status flag.
- These systems and techniques may be used to control access to a secure resource, such as a physical resource, a digital resource, or both.
- The object may be stored on a dedicated device (e.g., a secure card, a key, etc.), on a mobile device (e.g., a mobile phone, a tablet, etc.), on a server, or the like.
- The object may be used to configure access rights to one or more resources.
- A structured functionality object may include multiple parts.
- The object may include various components, such as properties, configuration, access rights, or data.
- A structured command may write to all four components or a subset of the four components with a single command. In some examples, more parts or fewer parts may be used. The number of parts is not limited or minimized, but the description herein uses an example of four parts in an example of the structured object.
- A data part may represent traditional access to the object, such as a memory space that conforms to a standard (e.g., ISO/IEC 7816-4). Commands conforming to this or other standards may access the data component of the object, for example using direct access to that portion of memory of the object.
- Each part may be accessed (in some examples, the only way to access them) via structured access.
- Each part may have separate access rights.
- The data part may be accessed by a user, but properties, configuration, or access rights may only be accessed by an administrator.
- The systems and techniques described herein solve the technological problems of overwriting to memory, inability to selectively write to an object, inability to provide separate access rights to more than one component, and other memory issues.
- These systems and techniques provide technical solutions to allow an update to one component (e.g., configuration) without accessing, changing, or otherwise affecting another component (e.g., secure data in the data section, such as a key).
- Previous solutions required re-writing the entire object, which stresses memory long-term.
- The present systems and techniques provide an improvement to the functioning of memory for an object.
- FIG. 1 illustrates a system diagram 100 including a secure access device in accordance with some examples.
- The diagram illustrates various components that may be used with a secure access device 102.
- The secure access device 102 may be used to grant or control access to one or more platforms or devices 104 (e.g., a camera, a computer, a mobile device, a wearable or internet of things device, etc.), a component 106 (e.g., an application, a database, a secure website, etc.), or a connection 108 (e.g., connectivity via a network, Bluetooth, Wi-Fi, over NFC, etc.).
- The secure access device 102 of the system diagram 100 may provide access to secure data storage and support multiple interfaces, such as a contact-less interface, which may be used for one or more use cases, such as identity cards, access (physical or digital), ticketing, etc.
- The secure access device 102 may store an object, such as described herein.
- The object on the secure access device 102 may be accessed via a structured command, as described herein.
- Access rights to various portions of the object stored on the secure access device 102 may differ for one or more of the platforms or devices 104, one or more of the components, or based on a type of connectivity 108, or depending on a use for an access attempt.
- The secure access device 102 may require an access right to a portion of data stored in the object.
- Changing an access right on the object of the secure access device 102 may require a different access right (e.g., a heightened security level).
- FIG. 2 illustrates structure of an object 200 for a secure access device in accordance with some examples.
- The object 300 includes four parts for illustration, but may include more or fewer (e.g., multiple data parts, no access rights part, for example when there is only one access right level to be used, a combination of properties and configuration, etc.).
- The four parts illustrated in the object 200 include a properties part 202, an access rights part 204, a configuration part 206, and a data part 208.
- One or more of the parts may be written to or read from using a structured access command.
- The properties part 202 defines an internal structure of the object 200, for example specifying an object type.
- Object types may be used to manage each type individually to gain more flexibility.
- An object type may specify individual access rights, special behavior or implementation, special protection of data internally, or the like.
- The properties part 202 may be created first.
- The object type may be used to implement a specific behavior or functionality for the object 200.
- Some examples of object types include a data object, a symmetric key object, a wallet object, a record object, a value object, or the like.
- The properties part 202 may include an object type that cannot be changed or that is changeable only with a particular access right.
- The access rights part 204 may include information about access conditions or permissions to the object 200 or, with more granularity, to one or more parts or portions of parts.
- The access rights or permissions may be defined individually for each object type. Permissions need not be limited to only read and write operations. Depending on the object type, for example, different permissions may be defined (e.g., defining the usage of a key object for authentication, defining the usage of a wallet object for a debit operation, etc.).
- The configuration part 206 may be generated or configured in part based on the object type defined in the properties part 202.
- The configuration part 206 may include additional configuration of the object 200. Configuration may be used to specify a specific behavior or to enable or disable features of the object 200, for example on the fly. Separating the configuration part 206 from the data part 208 provides more flexibility for managing the permissions, for example by allowing the configuration part 206 or the data part 208 to be updated without updating the other. This may be useful for objects holding secret information, for example where the secret data need not be updated or accessed when information other than the secret data needs updating.
- The configuration part 206 may include information such as a current status, or updatable information.
- The data part 208 includes data of the object 200.
- The data part 208 may be accessed directly when accessing the object 200, in some examples.
- The data part 208 may include a key, secure information, an identifier, or the like.
- The data part 208 may include one or more slots, as described below with respect to FIG. 3.
- Each part, or each operation on a part, may have its own access right or permission defined (e.g., stored in the access rights part 204).
- An example of an object holding a symmetric key, where reading and writing of certain fields is allowed or denied based on the object type, is shown in Table 1 below.
- Table 1 shows an example where each read or write permission of a part may be restricted with specific access rights (e.g., ARI).
- The field portion of Table 1 indicates what type of information is capable of being read or written based on the access rights in the read and write columns.
- Permissions within an access right may include read, write, create an object, delete an object, or the like.
- Accessing the object 200 may include using a direct access, such as a read or write as described in a specification (e.g., ISO/IEC 7816).
- The direct access may be indicated by using a primitive flag of a tag.
- Direct access may be limited to an active slot of the data part 208.
- A direct access request may include ‘<TagPrimitive><Len><Data>’.
- Accessing the object 200 via a structured access request may be used to access one or more (e.g., all) parts of the object 200.
- The structured access may be generated by using a constructed flag of a tag.
- The parts or slots to be accessed may be given as nested objects.
- The complete object 200 may be edited or accessed using a single structured access command, optionally including one or more slots of the data part 208 (see FIG. 3 and description for further details regarding slots).
- An example structure in Table 2 below uses six data slots.
- A single structured command may be used to access one or more parts. In an example, only the parts that are to be accessed are present in the single structured command.
- A single structured command may include ‘<TagConstructed><Len>(‘80’<Len><Properties> ‘81’<Len><Access Rights> ‘82’<Len><Configuration> ‘8A’<Len><Data>)’.
- A single structured command may include ‘<TagConstructed><Len>(‘82’<Len><Configuration> ‘8A’<Len><Data>)’.
- A single structured command may include ‘<TagConstructed><Len>(‘8A’<Len><Data> ‘8B’<Len><Data> ‘8C’<Len><Data>)’.
- FIG. 3 illustrates a detailed view of slots in an object 300 structure in accordance with some examples.
- The object 300 may include the object 200 of FIG. 2.
- The object 300 illustrates slots 310, 312, and 314 of a data part 308. Although three slots are shown, more or fewer may be used (e.g., a single slot, ten or more slots, etc.).
- The slots may include an active slot 312, which may be identified in a properties part 302 or a configuration part 306.
- An access rights part 304 may identify access rights for one or more of the slots 310-314.
- The data part 308 may have a single access right.
- Each slot or a set of slots may have corresponding access rights (e.g., separate access rights for each of slots 310, 312, and 314, or one access right for slots 310 and 312 and another for slot 314).
- The active slot 312 may be the slot that is accessed via a direct access command.
- One or more slots, including inactive slots, may be accessed via a structured access command.
- The active slot 312 may be changed (e.g., to slot 310 or 314) via a write (e.g., to the properties part 302 or the configuration part 306).
- An active slot may be used for keyset rolling, for example.
- The active slot 312 may be changed in a less secure environment in some examples (e.g., optionally without writing to the data part 308), such as when the other slots 310 and 314 are already pre-filled.
- FIG. 4 illustrates a file system 400 showing example objects in accordance with some examples.
- The file system 400 includes an example application with a root folder, which may include one or more objects.
- The example file system 400 shown in FIG. 4 includes a set of objects. Each object may be accessed by a unique tag number.
- An object may include one or more parts. In an example, a data part of an object may be accessible using an object tag number. Other sub-parts may be accessed using the object tag number.
- The tag number may be unique for each level, in some examples.
- Tag numbers may have a size of one to two bytes, in some examples.
- Tag lengths with a size of one to five bytes may be used, for example allowing object sizes of up to four gigabytes.
- FIG. 5 illustrates a flowchart showing a technique 500 for creating an object on a device in accordance with some examples.
- Operations of the technique 500 may be performed by processing circuitry, for example by executing instructions stored in memory.
- The processing circuitry may include a processor, a system on a chip, or other circuitry (e.g., wiring).
- Technique 500 may be performed by processing circuitry of a device (or one or more hardware or software components thereof), such as those illustrated and described with reference to FIG. 6.
- The technique 500 includes an operation 501 to, using a single structured access command constructed with an object tag number, perform one or more of operations 502 to 506.
- The object tag number may be used to write any one or more aspects of the object, for example properties, access rights, configuration, data, etc.
- The object tag number may refer to the object, thus keeping information written to the object in a same storage location or preventing fragmentation of information corresponding to the object.
- The object tag number may be unique to the object (e.g., within an ecosystem).
- The technique 500 includes an operation 502 to write an object tag number and an object type to a properties memory portion of memory of the device.
- The object type may include at least one of a data object, a symmetric key object, a wallet object, a record object, a value object, or the like.
- The object tag number may have a size of one or two bytes, for example where the memory stores more than one object.
- The technique 500 includes an operation 504 to write at least one access right value to an access rights memory portion of the memory.
- The at least one access right value may prevent further writes to the properties memory portion after the object type is written.
- The at least one access right value may indicate a right to read the properties memory portion with a particular key.
- The technique 500 includes an operation 506 to write at least one configuration to a configuration memory portion of the memory including a current status flag of the object.
- The at least one configuration may be configurable based on the object type.
- The technique 500 includes an operation 508 to read a data memory portion of the memory using the object tag number based on a request that complies with the at least one access right value and the current status flag.
- The data memory portion may include a plurality of slots.
- Reading the data memory portion may include reading a current slot of the plurality of slots, the current slot identified in the configuration memory portion.
- The properties memory portion, the access rights memory portion, and the configuration memory portion are stored in memory in order.
- The technique 500 may include an operation to use a second single structured access command constructed with the object tag number to read the properties memory portion, the access rights memory portion, the configuration memory portion, or the data memory portion.
- The second single structured access command may read the properties memory portion, the access rights memory portion, the configuration memory portion, and the data memory portion.
- The device may include a limited memory device including one of a control card, a SIM card, or a smart credit card.
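The following is an added worked model (not the patent's or any product's code) of the structured access command ‘<TagConstructed><Len>(‘80’… ‘81’… ‘82’… ‘8A’…)’, the primitive-tag direct read of the active slot, and the creation flow of technique 500, showing why a per-part access right lets the active slot be rolled without touching slot data. The object tag number 0x4F, the key ids, the (part tag, read key, write key) layout of the access rights part, the [status flag, active slot tag] layout of the configuration part, the object type ids, and single-byte tags with short-form lengths are all assumptions.

```python
from dataclasses import dataclass, field

# Part tags from the page's command examples; the data part is one tag per slot.
PROPERTIES, ACCESS_RIGHTS, CONFIGURATION = 0x80, 0x81, 0x82
SLOT_TAGS = (0x8A, 0x8B, 0x8C)
CONSTRUCTED = 0x20      # ISO/IEC 7816-4 tag bit: set = structured access, clear = direct access
STATUS_ACTIVE = 0x01    # assumed encoding of the configuration's current status flag
NO_ACCESS = 0xFF        # assumed key id meaning "no key may perform this operation"
ADMIN, USER = 0x01, 0x02   # assumed authenticated key ids
OBJ = 0x4F                 # assumed one-byte object tag number (0x6F is its constructed form)


def tlv(tag: int, value: bytes) -> bytes:
    """<Tag><Len><Value>; single-byte tag and short-form length (< 128) for brevity."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def parse_tlvs(buf: bytes) -> list:
    """Split a run of short-form TLVs into (tag, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        if length & 0x80 or i + 2 + length > len(buf):
            raise ValueError("malformed TLV")
        out.append((tag, bytes(buf[i + 2:i + 2 + length])))
        i += 2 + length
    return out


def rights_of(parts: dict) -> dict:
    """Access rights part, assumed layout: repeated (part tag, read key id, write key id)."""
    raw = parts.get(ACCESS_RIGHTS, b"")
    return {raw[i]: (raw[i + 1], raw[i + 2]) for i in range(0, len(raw) - 2, 3)}


@dataclass
class Device:
    admin_key: int
    objects: dict = field(default_factory=dict)   # object tag number -> {part tag: bytes}

    def _check(self, parts: dict, part: int, op: str, key_id: int) -> None:
        """Every part carries its own read/write right; a part with no right yet needs admin."""
        rights = rights_of(parts)
        needed = rights[part][0 if op == "read" else 1] if part in rights else self.admin_key
        if needed == NO_ACCESS or key_id != needed:
            raise PermissionError(f"{op} on part {part:02X} denied for key {key_id:02X}")

    def structured_write(self, object_tag: int, command: bytes, key_id: int) -> list:
        """<TagConstructed><Len>(nested parts): only the parts present are touched, and each is
        checked against its own write right before any write, so one denied part rejects all."""
        (tag, body), = parse_tlvs(command)
        if not tag & CONSTRUCTED or tag & ~CONSTRUCTED != object_tag:
            raise ValueError("not a structured access command for this object")
        parts = self.objects.setdefault(object_tag, {})
        updates = parse_tlvs(body)
        for part, _ in updates:
            self._check(parts, part, "write", key_id)
        parts.update(updates)
        return [part for part, _ in updates]

    def direct_read(self, object_tag: int, key_id: int) -> bytes:
        """<TagPrimitive> access: only the active slot named in configuration, and only while the
        current status flag marks the object active (assumed layout: [status, active slot tag])."""
        parts = self.objects[object_tag]
        cfg = parts.get(CONFIGURATION, b"")
        if len(cfg) < 2 or cfg[0] != STATUS_ACTIVE:
            raise PermissionError("object is not active")
        self._check(parts, cfg[1], "read", key_id)
        return parts[cfg[1]]


def create_command() -> bytes:
    """Technique 500 as one command: properties, access rights, configuration, two filled slots."""
    props = bytes([OBJ, 0x02])                        # object tag number + assumed object type id
    rights = bytes([PROPERTIES, ADMIN, NO_ACCESS,     # admin may read; nobody may rewrite the type
                    ACCESS_RIGHTS, ADMIN, ADMIN, CONFIGURATION, ADMIN, ADMIN,
                    SLOT_TAGS[0], USER, ADMIN, SLOT_TAGS[1], USER, ADMIN, SLOT_TAGS[2], USER, ADMIN])
    body = (tlv(PROPERTIES, props) + tlv(ACCESS_RIGHTS, rights)
            + tlv(CONFIGURATION, bytes([STATUS_ACTIVE, SLOT_TAGS[0]]))
            + tlv(SLOT_TAGS[0], b"K" * 16) + tlv(SLOT_TAGS[1], b"L" * 16))  # constructed sample keys
    return tlv(OBJ | CONSTRUCTED, body)


def demo() -> dict:
    dev = Device(admin_key=ADMIN)
    created = dev.structured_write(OBJ, create_command(), ADMIN)
    first = dev.direct_read(OBJ, USER)
    # Keyset rolling: move the active slot by writing configuration only; no slot data is rewritten.
    roll = tlv(CONFIGURATION, bytes([STATUS_ACTIVE, SLOT_TAGS[1]]))
    dev.structured_write(OBJ, tlv(OBJ | CONSTRUCTED, roll), ADMIN)
    second = dev.direct_read(OBJ, USER)
    try:  # a command mixing an allowed part with the locked properties part is rejected whole
        mixed = tlv(CONFIGURATION, bytes([STATUS_ACTIVE, SLOT_TAGS[2]])) + tlv(PROPERTIES, bytes([OBJ, 0x03]))
        dev.structured_write(OBJ, tlv(OBJ | CONSTRUCTED, mixed), ADMIN)
        rejected = False
    except PermissionError:
        rejected = True
    return {"created": created, "first": first, "second": second,
            "rejected_whole": rejected, "after": dev.direct_read(OBJ, USER)}
```

Clearing the status flag (configuration byte 0) makes `direct_read` refuse the object while the slot contents stay in place, which is the "current status flag" check of operation 508.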
- FIG. 6 illustrates generally an example of a block diagram of a machine 600 upon which any one or more of the techniques (e.g., methodologies) discussed herein may perform in accordance with some examples.
- The machine 600 may operate as a standalone device or may be connected (e.g., networked) to other machines.
- The machine 600 may operate in the capacity of a server machine, a client machine, or both in server-client network environments.
- The machine 600 may act as a peer machine in a peer-to-peer (P2P) (or other distributed) network environment.
- The machine 600 may be a personal computer (PC), a tablet PC, a set-top box (STB), a personal digital assistant (PDA), a mobile telephone, a web appliance, a network router, switch or bridge, or any machine capable of executing instructions (sequential or otherwise) that specify actions to be taken by that machine.
- The term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein, such as cloud computing, software as a service (SaaS), or other computer cluster configurations.
- Examples, as described herein, may include, or may operate on, logic or a number of components, modules, or mechanisms.
- Modules are tangible entities (e.g., hardware) capable of performing specified operations when operating.
- A module includes hardware.
- The hardware may be specifically configured to carry out a specific operation (e.g., hardwired).
- The hardware may include configurable execution units (e.g., transistors, circuits, etc.) and a computer readable medium containing instructions, where the instructions configure the execution units to carry out a specific operation when in operation. The configuring may occur under the direction of the execution units or a loading mechanism. Accordingly, the execution units are communicatively coupled to the computer readable medium when the device is operating.
- The execution units may be a member of more than one module.
- The execution units may be configured by a first set of instructions to implement a first module at one point in time and reconfigured by a second set of instructions to implement a second module.
- Machine 600 may include a hardware processor 602 (e.g., a central processing unit (CPU), a graphics processing unit (GPU), a hardware processor core, or any combination thereof), a main memory 604 and a static memory 606, some or all of which may communicate with each other via an interlink (e.g., bus) 608.
- The machine 600 may further include a display unit 610, an alphanumeric input device 612 (e.g., a keyboard), and a user interface (UI) navigation device 614 (e.g., a mouse).
- The display unit 610, alphanumeric input device 612 and UI navigation device 614 may be a touch screen display.
- The machine 600 may additionally include a storage device (e.g., drive unit) 616, a signal generation device 618 (e.g., a speaker), a network interface device 620, and one or more sensors 621, such as a global positioning system (GPS) sensor, compass, accelerometer, or other sensor.
- The machine 600 may include an output controller 628, such as a serial (e.g., universal serial bus (USB)), parallel, or other wired or wireless (e.g., infrared (IR), near field communication (NFC), etc.) connection to communicate with or control one or more peripheral devices (e.g., a printer, card reader, etc.).
- The storage device 616 may include a machine readable medium 622 that is non-transitory, on which is stored one or more sets of data structures or instructions 624 (e.g., software) embodying or utilized by any one or more of the techniques or functions described herein.
- The instructions 624 may also reside, completely or at least partially, within the main memory 604, within static memory 606, or within the hardware processor 602 during execution thereof by the machine 600.
- One or any combination of the hardware processor 602, the main memory 604, the static memory 606, or the storage device 616 may constitute machine readable media.
- While the machine readable medium 622 is illustrated as a single medium, the term “machine readable medium” may include a single medium or multiple media (e.g., a centralized or distributed database, or associated caches and servers) configured to store the one or more instructions 624.
- The term “machine readable medium” may include any medium that is capable of storing, encoding, or carrying instructions for execution by the machine 600 and that cause the machine 600 to perform any one or more of the techniques of the present disclosure, or that is capable of storing, encoding or carrying data structures used by or associated with such instructions.
- Non-limiting machine-readable medium examples may include solid-state memories, and optical and magnetic media.
- Machine readable media may include: non-volatile memory, such as semiconductor memory devices (e.g., Electrically Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM)) and flash memory devices; magnetic disks, such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.
- The instructions 624 may further be transmitted or received over a communications network 626 using a transmission medium via the network interface device 620 utilizing any one of a number of transfer protocols (e.g., frame relay, internet protocol (IP), transmission control protocol (TCP), user datagram protocol (UDP), hyper
- Example communication networks may include a local area network (LAN), a wide area network (WAN), a packet data network (e.g., the Internet), mobile telephone networks (e.g., cellular networks), Plain Old Telephone (POTS) networks, and wireless data networks (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.11 family of standards known as Wi-Fi®, IEEE 802.16 family of standards known as WiMax®), IEEE 802.15.4 family of standards, peer-to-peer (P2P) networks, among others.
- The network interface device 620 may include one or more physical jacks (e.g., Ethernet, coaxial, or phone jacks) or one or more antennas to connect to the communications network 626.
- The network interface device 620 may include a plurality of antennas to wirelessly communicate using at least one of single-input multiple-output (SIMO), multiple-input multiple-output (MIMO), or multiple-input single-output (MISO) techniques.
- The term “transmission medium” shall be taken to include any intangible medium that is capable of storing, encoding or carrying instructions for execution by the machine 600, and includes digital or analog communications signals or other intangible medium to facilitate communication of such software.
- Example 1 is a method for creating an object on a device, the method comprising: using a single structured access command constructed with an object tag number: writing an object type to a properties memory portion of memory of the device; writing at least one access right value to an access rights memory portion of the memory; and writing at least one configuration to a configuration memory portion of the memory including a current status flag of the object; and reading a data memory portion of the memory using the object tag number based on a request that complies with the at least one access right value and the current status flag.
- Example 2 the subject matter of Example 1 includes, wherein the properties memory portion, the access rights memory portion, and the configuration memory portion are stored in memory in order.
- Example 3 the subject matter of Examples 1-2 includes, wherein the at least one access right value prevents further writes to the properties memory portion after the object type is written.
- Example 4 the subject matter of Examples 1-3 includes, wherein the at least one access right value identifies a right to read the properties memory portion with a particular key.
- Example 5 the subject matter of Examples 1-4 includes, wherein the object type includes at least one of a data object, a symmetric key object, a wallet object, a record object, or a value object.
- Example 6 the subject matter of Examples 1-5 includes, wherein the at least one configuration is configurable based on the object type.
- Example 7 the subject matter of Examples 1-6 includes, wherein the data memory portion includes a plurality of slots, and wherein reading the data memory portion includes reading a current slot of the plurality of slots, the current slot identified in the configuration memory portion.
- Example 8 the subject matter of Examples 1-7 includes, using a second single structured access command constructed with the object tag number, read the properties memory portion, the access rights memory portion, the configuration memory portion, and the data memory portion.
- Example 9 the subject matter of Examples 1-8 includes, wherein the object tag number has a size of one or two bytes, and wherein the memory stores more than one object.
- Example 10 the subject matter of Examples 1-9 includes, wherein the device is limited memory device including one of a control card, a sim card, or a smart credit card.
- Example 11 is at least one machine-readable medium including instructions for creating an object on a device, which when executed by processing circuitry, cause the processing circuitry to perform operations to: use a single structured access command constructed with an object tag number to: write an object type to a properties memory portion of memory of the device; write at least one access right value to an access rights memory portion of the memory; and write at least one configuration to a configuration memory portion of the memory including a current status flag of the object; and read a data memory portion of the memory using the object tag number based on a request that complies with the at least one access right value and the current status flag.
- Example 12 the subject matter of Example 11 includes, wherein the properties memory portion, the access rights memory portion, and the configuration memory portion are stored in memory in order.
- Example 13 the subject matter of Examples 11-12 includes, wherein the at least one access right value prevents further writes to the properties memory portion after the object tag number and the object type are written.
- Example 14 the subject matter of Examples 11-13 includes, wherein the at least one access right value identifies a right to read the properties memory portion with a particular key.
- Example 15 the subject matter of Examples 11-14 includes, wherein the object type includes at least one of a data object, a symmetric key object, a wallet object, a record object, or a value object.
- Example 16 the subject matter of Examples 11-15 includes, wherein the at least one configuration is configurable based on the object type.
- Example 17 the subject matter of Examples 11-16 includes, wherein the data memory portion includes a plurality of slots, and wherein reading the data memory portion includes reading a current slot of the plurality of slots, the current slot identified in the configuration memory portion.
- Example 18 the subject matter of Examples 11-17 includes, wherein the object tag number has a size of one or two bytes, and wherein the memory stores more than one object.
- Example 19 the subject matter of Examples 11-18 includes, wherein the device is limited memory device including one of a control card, a sim card, or a smart credit card.
- Example 20 is an object data structure comprising: a properties memory portion including an object type of an object; an access rights memory portion including a set of access conditions of the object; a configuration memory portion including a current status flag of the object; and a data memory portion including at least one key, the data memory portion accessible via the object tag number based on a request that complies with the set of access conditions and the current status flag; wherein information in the properties memory portion, in the configuration memory portion, in the access rights memory portion, and in the data memory portion are accessible via a single structured access command constructed with an objecttag number.
- Example 21 is at least one machine-readable medium including instructions that, when executed by processing circuitry, cause the processing circuitry to perform operations to implement any of Examples 1-20.
- Example 22 is an apparatus comprising means to implement any of Examples 1-20.
- Example 23 is a system to implement any of Examples 1-20.
- Example 24 is a method to implement any of Examples 1-20.
- Method examples described herein may be machine or computer-implemented at least in part. Some examples may include a computer-readable medium or machine-readable medium encoded with instructions operable to configure an electronic device to perform methods as described in the above examples.
- An implementation of such methods may include code, such as microcode, assembly language code, a higher-level language code, or the like. Such code may include computer readable instructions for performing various methods. The code may form portions of computer program products. Further, in an example, the code may be tangibly stored on one or more volatile, non-transitory, or non-volatile tangible computer-readable media, such as during execution or at other times.
- Examples of these tangible computer-readable media may include, but are not limited to, hard disks, removable magnetic disks, removable optical disks (e.g., compact disks and digital video disks), magnetic cassettes, memory cards or sticks, random access memories (RAMs), read only memories (ROMs), and the like.
Abstract
Systems and techniques may be used for creating an object (e.g., a data structure) on a device. A technique may include using a single structured access command constructed with an object tag number to perform one or more write operations. For example, a write operation may include writing an object type to a properties memory portion of memory of the device, writing at least one access right value to an access rights memory portion of the memory, or writing at least one configuration to a configuration memory portion of the memory including a current status flag of the object. An example technique may include reading a data memory portion of the memory using the object tag number based on a request that complies with the at least one access right value and the current status flag.
Description
SECURE ACCESS DEVICE STRUCTURED OBJECT
BACKGROUND
[0001] Physical access control systems may be used to restrict entry to physical spaces and permit entry to authorized individuals. For example, physical access control systems may control access to a room, a floor, a building, a safe (e.g., a floor safe, a wall safe, a freestanding safe, etc.), a cabinet, a vehicle, a case, etc. Digital access may be similarly controlled. In some systems, a user device and an access control device or system are used, where the user device communicates with the access control device (e.g., a reader) using a short distance communication technique, via wireless communication, etc. The access control device may determine whether the user device has proper authorization or authentication to access the controlled physical or digital area.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] In the drawings, which are not necessarily drawn to scale, like numerals may describe similar components in different views. Like numerals having different letter suffixes may represent different instances of similar components. The drawings illustrate generally, by way of example, but not by way of limitation, various examples discussed in the present document.
[0003] FIG. 1 illustrates a system diagram including a secure access device in accordance with some examples.
[0004] FIG. 2 illustrates an object structure for a secure access device in accordance with some examples.
[0005] FIG. 3 illustrates a detailed view of slots in an object structure in accordance with some examples.
[0006] FIG. 4 illustrates a file system showing example objects in accordance with some examples.
[0007] FIG. 5 illustrates a flowchart showing a technique for creating an object on a device in accordance with some examples.
[0008] FIG. 6 illustrates generally an example of a block diagram of a machine upon which any one or more of the techniques discussed herein may perform in accordance with some examples.
DETAILED DESCRIPTION
[0009] The systems and techniques described herein provide for creating, modifying, or accessing an object on a device, such as in storage (e.g., memory). The object may be created using a single structured access command. A single structured access command may also be used to access or modify data in the object after creation. The single structured access command may include writing an object tag number and an object type to a properties memory portion of memory of the device, optionally writing at least one access right value to an access rights memory portion of the memory, and optionally writing at least one configuration to a configuration memory portion of the memory including a current status flag of the object. One or more of these writing operations may be included in the single structured access command. In an example, a data memory portion of the memory may be read using the object tag number, for example based on a request that complies with the at least one access right value and the current status flag.
[0010] These systems and techniques may be used to control access to a secure resource, such as a physical resource, a digital resource, or both. The object may be stored on a dedicated device (e.g., a secure card, a key, etc.), on a mobile device (e.g., a mobile phone, a tablet, etc.), on a server, or the like. The object may be used to configure access rights to one or more resources.
[0011] A structured functionality object may include multiple parts. For example, the object may include various components, such as properties, configuration, access rights, or data. In some examples, a structured command may write to all four components or to a subset of the four components with a single command. In some examples, more parts or fewer parts may be used. The number of parts is not limited; the description herein uses four parts as an example of the structured object. In an example, a data part may represent traditional access to the object, such as a memory space that conforms to a standard (e.g., ISO/IEC 7816-4). Commands conforming to this or other standards may access the data component of the object, for example using direct access to that portion of the object's memory. The other parts may be accessed (in some examples, only accessed) via structured access. In some examples, each part may have separate access rights. For example, the data part may be accessed by a user, but properties, configuration, or access rights may only be accessed by an administrator.
[0012] The systems and techniques described herein address the technological problems of memory overwrites, the inability to selectively write to an object, the inability to provide separate access rights to more than one component, and other memory issues. These systems and techniques provide technical solutions that allow an update to one component (e.g., configuration) without accessing, changing, or otherwise affecting another component (e.g., secure data in the data section, such as a key). Previous solutions required re-writing the entire object, which stresses memory over the long term. The present systems and techniques thereby improve the functioning of memory holding an object.
[0013] FIG. 1 illustrates a system diagram 100 including a secure access device in accordance with some examples. The diagram illustrates various components that may be used with a secure access device 102. The secure access device 102 may be used to grant or control access to one or more platforms or devices 104 (e.g., a camera, a computer, a mobile device, a wearable or internet of things device, etc.), a component 106 (e.g., an application, a database, a secure website, etc.), or a connection 108 (e.g., connectivity via a network, Bluetooth, Wi-Fi, NFC, etc.). In an example, the secure access device 102 of the system diagram 100 may provide access to secure data storage and support multiple interfaces, such as a contactless interface, which may be used for one or more use cases, such as identity cards, access (physical or digital), ticketing, etc.
[0014] The secure access device 102 may store an object, such as described herein. The object on the secure access device 102 may be accessed via a structured command, as described herein. In some examples, access rights to various portions of the object stored on the secure access device 102 may differ for one or more of the platforms or devices 104, for one or more of the components 106, based on the type of connection 108, or depending on the purpose of an access attempt. For example, to cause firmware to be updated, the secure access device 102 may require an access right to a portion of data stored in the object. Changing an access right on the object of the secure access device 102 may require a different access right (e.g., a heightened security level).
[0015] FIG. 2 illustrates the structure of an object 200 for a secure access device in accordance with some examples. The object 200 includes four parts for illustration, but may include more or fewer (e.g., multiple data parts, no access rights part when there is only one access right level to be used, a combination of properties and configuration, etc.). The four parts illustrated in the object 200 include a properties part 202, an access rights part 204, a configuration part 206, and a data part 208. One or more of the parts may be written to or read from using a structured access command.
[0016] In an example, the properties part 202 defines an internal structure of the object 200, for example by specifying an object type. Object types may be used to manage each type individually to gain more flexibility. For example, an object type may specify individual access rights, special behavior or implementation, special protection of data internally, or the like. In some examples, the properties part 202 may be created first. The object type may be used to implement a specific behavior or functionality for the object 200. Some examples of object types include a data object, a symmetric key object, a wallet object, a record object, a value object, or the like. The properties part 202 may include an object type that cannot be changed or that is changeable only with a particular access right.
[0017] The access rights part 204 may include information about access conditions or permissions for the object 200 or, with more granularity, for one or more parts or portions of parts. The access rights or permissions may be defined individually for each object type. Permissions need not be limited to read and write operations. Depending on the object type, for example, different permissions may be defined (e.g., defining the usage of a key object for authentication, defining the usage of a wallet object for a debit operation, etc.).
[0018] The configuration part 206 may be generated or configured in part based on the object type defined by the properties part 202. The configuration part 206 may include additional configuration of the object 200. Configuration may be used to specify a specific behavior or to enable or disable features of the object 200, for example on the fly. Separating the configuration part 206 from the data part 208 provides more flexibility for managing the permissions, for example by allowing the configuration part 206 or the data part 208 to be updated without updating the other. This may be useful for objects holding secret information, for example where the secret data need not be updated or accessed when information other than the secret data needs updating. The configuration part 206 may include information such as a current status or other updatable information.
[0019] The data part 208 includes data of the object 200. The data part 208 may be accessed directly when accessing the object 200, in some examples. The data part 208 may include a key, secure information, an identifier, or the like. The data part 208 may include one or more slots, as described below with respect to FIG. 3.
[0020] In some examples, each part or each operation on a part may have its own access right or permission defined (e.g., stored in the access rights part 204). An example of an object holding a symmetric key where reading and writing of certain fields is allowed or denied based on the object type is shown in Table 1 below.
Table 1
[0021] Table 1 shows an example in which the read and write permissions of each part may be restricted with specific access rights (e.g., ARI). The field column of Table 1 indicates what type of information is capable of being read or written based on the access rights in the read and write columns. In some examples, permissions within an access right may include read, write, create an object, delete an object, or the like.
[0022] Accessing the object 200 may include using a direct access, such as a read or write as described in a specification (e.g., ISO/IEC 7816). The direct access may be indicated by using the primitive flag of a tag. In some examples, direct access may be limited to an active slot of the data part 208. For example, a direct access request may have the form ‘<TagPrimitive> <Len> <Data>’.
[0023] Accessing the object 200 via a structured access request may be used to access one or more (e.g., all) parts of the object 200. The structured access may be indicated by using the constructed flag of a tag. The parts or slots to be accessed may be given as nested objects. In an example, the complete object 200 may be edited or accessed using a single structured access command, optionally including one or more slots of the data part 208 (see FIG. 3 and its description for further details regarding slots). An example structure in Table 2 below uses six data slots.
Table 2
[0024] To access a part, the nested object tag may be indicated. A single structured command may be used to access one or more parts. In an example, only the parts that are to be accessed are present in the single structured command. For example, to access properties, access rights, configuration, and data (e.g., slot 1), a single structured command may include ‘<TagConstructed> <Len> (‘80’ <Len> <Properties> ‘81’ <Len> <Access Rights> ‘82’ <Len> <Configuration> ‘8A’ <Len> <Data>)’. To access only configuration and data, a single structured command may include ‘<TagConstructed> <Len> (‘82’ <Len> <Configuration> ‘8A’ <Len> <Data>)’. To access more than one data slot, a single structured command may include ‘<TagConstructed> <Len> (‘8A’ <Len> <Data> ‘8B’ <Len> <Data> ‘8C’ <Len> <Data>)’.
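The encodings in [0022] to [0024] follow BER-TLV as used by ISO/IEC 7816-4: a primitive tag (bit 6 of the first tag byte clear) addresses the active data slot directly, and a constructed tag wraps the nested part tags ‘80’, ‘81’, ‘82’ and ‘8A’, ‘8B’, ‘8C’ and so on. The following Python, added here as an illustration and not code from the patent or its applicant, encodes and parses both request forms, including the one- or two-byte tags and one- to five-byte lengths mentioned in [0027]. The object tag values used in the tests (0x4A, 0x9F42) and the assumption that the structured form is produced by setting the constructed bit in the object tag number are the example's own.

```python
"""BER-TLV coder for the direct and structured access requests of [0022]-[0024].
Added example, not code from the patent. From the text: primitive vs constructed
tags, part tags 80/81/82, slot tags 8A/8B/8C..., 1-2 byte tags, 1-5 byte lengths
([0027]). Assumed: structured form = object tag number with the BER constructed
bit (0x20 of the first tag byte) set; the object tag values in the tests are made up."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union
CONSTRUCTED = 0x20          # bit 6 of the first tag byte (BER, ISO/IEC 7816-4)
TAG_PROPERTIES, TAG_ACCESS_RIGHTS, TAG_CONFIGURATION = 0x80, 0x81, 0x82
TAG_SLOT1 = 0x8A            # data slot n is tagged 0x8A + (n - 1); Table 2 uses six

def encode_tag(tag: int) -> bytes:
    """One- or two-byte BER tag; low five bits 0x1F announce a second byte."""
    raw = tag.to_bytes(max(1, (tag.bit_length() + 7) // 8), "big")
    two = len(raw) == 2
    if len(raw) > 2 or ((raw[0] & 0x1F) == 0x1F) != two or (two and raw[1] & 0x80):
        raise ValueError("malformed or over-long tag")
    return raw

def is_constructed(tag: int) -> bool:
    return bool(encode_tag(tag)[0] & CONSTRUCTED)

def with_constructed(tag: int, flag: bool = True) -> int:
    raw = bytearray(encode_tag(tag))            # bit lives in the first byte, also for 2-byte tags
    raw[0] = raw[0] | CONSTRUCTED if flag else raw[0] & ~CONSTRUCTED
    return int.from_bytes(raw, "big")

def encode_length(n: int) -> bytes:
    if n < 0x80:                                # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(body) > 4:                           # 0x84 + 4 bytes is the longest form: 4 GiB
        raise ValueError("value too long")
    return bytes([0x80 | len(body)]) + body

def _read_tag(buf: bytes, i: int) -> Tuple[int, int]:
    if i >= len(buf):
        raise ValueError("truncated tag")
    tag, i = buf[i], i + 1
    if (tag & 0x1F) == 0x1F:
        if i >= len(buf) or buf[i] & 0x80:
            raise ValueError("truncated or over-long tag")
        tag, i = (tag << 8) | buf[i], i + 1
    return tag, i

def _read_length(buf: bytes, i: int) -> Tuple[int, int]:
    if i >= len(buf):
        raise ValueError("truncated length")
    first, i = buf[i], i + 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    if not 1 <= n <= 4 or i + n > len(buf):    # also rejects the indefinite form 0x80
        raise ValueError("bad long-form length")
    return int.from_bytes(buf[i:i + n], "big"), i + n

@dataclass
class TLV:
    tag: int
    value: Union[bytes, List["TLV"]]

    def encode(self) -> bytes:
        nested = isinstance(self.value, list)
        if nested != is_constructed(self.tag):
            raise ValueError("constructed bit does not match payload")
        body = b"".join(c.encode() for c in self.value) if nested else bytes(self.value)
        return encode_tag(self.tag) + encode_length(len(body)) + body

def decode(buf: bytes) -> List[TLV]:
    out, i = [], 0
    while i < len(buf):
        tag, i = _read_tag(buf, i)
        length, i = _read_length(buf, i)
        if i + length > len(buf):               # never read past the command body
            raise ValueError("value runs past the end of the buffer")
        raw, i = buf[i:i + length], i + length
        out.append(TLV(tag, decode(raw) if is_constructed(tag) else raw))
    return out

def build_direct(object_tag: int, data: bytes) -> bytes:
    """Direct access '<TagPrimitive> <Len> <Data>' to the active slot ([0022])."""
    return TLV(with_constructed(object_tag, False), bytes(data)).encode()

def build_structured(object_tag: int, parts: Dict[int, bytes]) -> bytes:
    """Structured access; only the parts to be accessed are present ([0024])."""
    children = [TLV(t, bytes(v)) for t, v in sorted(parts.items())]
    return TLV(with_constructed(object_tag), children).encode()

def classify(buf: bytes) -> Tuple[str, int, Union[bytes, Dict[int, bytes]]]:
    """('direct', object tag, data) or ('structured', object tag, {part tag: value})."""
    items = decode(buf)
    if len(items) != 1:
        raise ValueError("a request is exactly one TLV")
    top = items[0]
    if isinstance(top.value, bytes):
        return "direct", top.tag, top.value
    parts: Dict[int, bytes] = {}
    for c in top.value:
        if isinstance(c.value, list) or c.tag in parts:
            raise ValueError("parts must be primitive and unique")
        parts[c.tag] = c.value
    return "structured", with_constructed(top.tag, False), parts
```

The bounds check in `decode` is the one that matters on a card: a length field that claims more bytes than the command body carries is rejected before any value is read, rather than letting the parser run into whatever follows the APDU in memory. Duplicate part tags and parts nested deeper than the single level shown in Table 2 are likewise rejected instead of silently taking the last value seen.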
[0025] FIG. 3 illustrates a detailed view of slots in an object 300 structure in accordance with some examples. The object 300 may include the object 200 of FIG. 2. The object 300 illustrates slots 310, 312, and 314 of a data part 308. Although three slots are shown, more or fewer may be used (e.g., a single slot, ten or more slots, etc.). The slots may include an active slot 312, which may be identified in a properties part 302 or a configuration part 306. An access rights part 304 may identify access rights for one or more of the slots 310-314. In one example, the data part 308 may have a single access right. In other examples, each slot or a set of slots may have corresponding access rights (e.g., separate access rights for each of slots 310, 312, and 314, or one access right for slots 310 and 312 and another for slot 314). The active slot 312 may be the slot that is accessed via a direct access command. One or more slots, including inactive slots, may be accessed via a structured access command. The active slot 312 may be changed (e.g., to slot 310 or 314) via a write (e.g., to the properties part 302 or the configuration part 306). An active slot may be used for keyset rolling, for example. The active slot 312 may be changed in a less secure environment in some examples (e.g., optionally without writing to the data part 308), such as when the other slots 310 and 314 are already pre-filled.
[0026] FIG. 4 illustrates a file system 400 showing example objects in accordance with some examples. The file system 400 includes an example application with a root folder, which may include one or more objects. The example file system 400 shown in FIG. 4 includes a set of objects. Each object may be accessed by a unique tag number. An object may include one or more parts. In an example, a data part of an object may be accessible using an object tag number. Other sub-parts may also be accessed using the object tag number.
[0027] The tag number may be unique for each level, in some examples. A tag number may have a size of one to two bytes, in some examples. Tag lengths with a size of one to five bytes may be used, for example allowing object sizes of up to four gigabytes. The objects in the file system 400 may be sorted (e.g., addressed) by tag number in ascending order. This may be used in examples where only the first object found is usable (e.g., card information usable for certain access implementations). Ascending-order tag numbers may be used to reduce the reading time for an important object by assigning a lower tag number to that object.
[0028] FIG. 5 illustrates a flowchart showing a technique 500 for creating an object on a device in accordance with some examples. In an example, operations of the technique 500 may be performed by processing circuitry, for example by executing instructions stored in memory. The processing circuitry may include a processor, a system on a chip, or other circuitry (e.g., wiring). For example, technique 500 may be performed by processing circuitry of a device (or one or more hardware or software components thereof), such as those illustrated and described with reference to FIG. 6.
[0029] The technique 500 includes an operation 501 to, using a single structured access command constructed with an object tag number, perform one or more of operations 502 to 506. The object tag number may be used to write any one or more aspects of the object, for example properties, access rights, configuration, data, etc. The object tag number may refer to the object, thus keeping information written to the object in a same storage location or preventing fragmentation of information corresponding to the object. The object tag number may be unique to the object (e.g., within an ecosystem).
[0030] The technique 500 includes an operation 502 to write an object tag number and an object type to a properties memory portion of memory of the device. The object type may include at least one of a data object, a symmetric key object, a wallet object, a record object, a value object, or the like. In an example, the object tag number may have a size of one or two bytes, for example where the memory stores more than one object.
[0031] The technique 500 includes an operation 504 to write at least one access right value to an access rights memory portion of the memory. The at least one access right value may prevent further writes to the properties memory portion after the object type is written. The at least one access right value may indicate a right to read the properties memory portion with a particular key.
[0032] The technique 500 includes an operation 506 to write at least one configuration to a configuration memory portion of the memory including a current status flag of the object. The at least one configuration may be configurable based on the object type.
[0033] The technique 500 includes an operation 508 to read a data memory portion of the memory using the object tag number based on a request that complies with the at least one access right value and the current status flag. The data memory portion may include a plurality of slots. In this example, reading the data memory portion may include reading a current slot of the plurality of slots, the current slot identified in the configuration memory portion.
[0034] In some examples, the properties memory portion, the access rights memory portion, and the configuration memory portion are stored in memory in order. The technique 500 may include an operation to use a second single structured access command constructed with the object tag number to read the properties memory portion, the access rights memory portion, the configuration memory portion, or the data memory portion. In some examples, the second single structured access command may read the properties memory portion, the access rights memory portion, the configuration memory portion, and the data memory portion together. The device may be a limited memory device, such as a control card, a SIM card, or a smart credit card.
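How the four parts, the per-part access rights of Table 1, the status flag, and the active slot of FIG. 3 ([0025]) fit together in operations 501 to 508 can be seen in a small in-memory model. The Python below is an added illustration, not the patent's code: it keeps one object per tag, checks an access right for every part an operation touches, freezes the object type after creation (Example 13), serves direct reads only from the active slot and only while the status flag is active, and rolls keys by writing the configuration part without touching key material. The access-right values ALWAYS and NEVER, the key identifiers K_ADMIN, K_USER and K_OPS, the three-slot data part, and the all-or-nothing behaviour of a structured write are assumptions of the example.

```python
"""In-memory model of the four-part object (FIG. 2, FIG. 3) and technique 500 ([0025],
[0029]-[0034]). Added example, not the patent's code. From the text: per-part and
per-operation access rights, a status flag and the active slot in the configuration
part, direct access reaching only the active slot, structured access touching only
the parts present. Assumed: the right values ALWAYS / NEVER / <key id>, the key ids,
three slots, and all-or-nothing structured writes."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

PROPERTIES, ACCESS_RIGHTS, CONFIGURATION, DATA = "properties", "access_rights", "configuration", "data"
READ, WRITE = "read", "write"
ALWAYS, NEVER = "ALWAYS", "NEVER"       # special access-right values (assumed)
SLOT_COUNT = 3                          # FIG. 3 shows three slots


class AccessDenied(Exception):
    pass


@dataclass
class StructuredObject:
    object_type: str                    # properties part
    access_rights: Dict[str, str]       # "<part>.<op>" -> ALWAYS | NEVER | required key id
    configuration: Dict[str, object]    # {"status": "active" | "blocked", "active_slot": 1..n}
    slots: List[Optional[bytes]]        # data part; slot n is stored at index n - 1

    def allowed(self, part: str, op: str, keys: FrozenSet[str]) -> bool:
        rule = self.access_rights.get(f"{part}.{op}", NEVER)    # unspecified means deny
        return rule == ALWAYS or (rule != NEVER and rule in keys)


def _check_slots(slot_numbers) -> None:
    if any(not 1 <= n <= SLOT_COUNT for n in slot_numbers):
        raise ValueError("slot number outside the data part")


@dataclass
class Store:
    create_right: str = "K_ADMIN"       # key that may create objects (assumed)
    objects: Dict[int, StructuredObject] = field(default_factory=dict)

    def create(self, tag: int, parts: Dict[str, object], keys: FrozenSet[str]) -> None:
        """Operations 501-506: one structured command writes the parts present at creation."""
        if self.create_right not in keys:
            raise AccessDenied("create")
        if tag in self.objects or PROPERTIES not in parts:
            raise ValueError("tag already in use or object type missing")
        rights = dict(parts.get(ACCESS_RIGHTS, {}))
        rights.setdefault(f"{PROPERTIES}.{WRITE}", NEVER)      # Example 13: type frozen once written
        cfg = {"status": "active", "active_slot": 1, **parts.get(CONFIGURATION, {})}
        data = parts.get(DATA, {})
        _check_slots(list(data) + [cfg["active_slot"]])
        slots: List[Optional[bytes]] = [None] * SLOT_COUNT
        for n, value in data.items():
            slots[n - 1] = bytes(value)
        self.objects[tag] = StructuredObject(parts[PROPERTIES], rights, cfg, slots)

    def structured_write(self, tag: int, parts: Dict[str, object], keys: FrozenSet[str]) -> None:
        """Write only the parts present. Rights and slot numbers are checked for every part
        before anything is stored, so a denied part cannot leave a half-updated object."""
        obj = self.objects[tag]
        for part in parts:
            if not obj.allowed(part, WRITE, keys):
                raise AccessDenied(f"{part}.{WRITE}")
        cfg = {**obj.configuration, **parts.get(CONFIGURATION, {})}
        data = parts.get(DATA, {})
        _check_slots(list(data) + [cfg["active_slot"]])
        if PROPERTIES in parts:                 # reachable only if properties.write was left open
            obj.object_type = parts[PROPERTIES]
        obj.access_rights.update(parts.get(ACCESS_RIGHTS, {}))
        obj.configuration = cfg
        for n, value in data.items():
            obj.slots[n - 1] = bytes(value)

    def direct_read(self, tag: int, keys: FrozenSet[str]) -> bytes:
        """Operation 508: a direct read yields the active slot only, and only if the
        data-read right is held and the status flag allows it."""
        obj = self.objects[tag]
        if obj.configuration["status"] != "active":
            raise AccessDenied("object is not active")
        if not obj.allowed(DATA, READ, keys):
            raise AccessDenied(f"{DATA}.{READ}")
        value = obj.slots[obj.configuration["active_slot"] - 1]
        if value is None:
            raise ValueError("active slot is empty")
        return value


def roll_key(store: Store, tag: int, new_key: bytes, slot: int,
             fill_keys: FrozenSet[str], switch_keys: FrozenSet[str]) -> None:
    """Keyset rolling per [0025]: load the new key into an inactive slot under the
    data-write right, then move the active slot with a configuration-only write that
    never touches key material (the step that may run in the less secure environment)."""
    store.structured_write(tag, {DATA: {slot: new_key}}, fill_keys)
    store.structured_write(tag, {CONFIGURATION: {"active_slot": slot}}, switch_keys)
```

Two consequences of the model are worth keeping in mind when assigning the values in Table 1. The right to write the access rights part is the root of trust, because whoever holds it can re-open any other part, including properties. And checking every part's right and every slot number before storing anything is what makes a combined configuration-plus-data write fail cleanly, instead of moving the active slot and then being refused the key material it should point at.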
[0035] FIG. 6 illustrates generally an example of a block diagram of a machine 600 upon which any one or more of the techniques (e.g., methodologies) discussed herein may perform in accordance with some examples. In alternative examples, the machine 600 may operate as a standalone device or may be connected (e.g., networked) to other machines. In a networked deployment, the machine 600 may operate in the capacity of a server machine, a client machine, or both in server-client network environments. In an example, the machine 600 may act as a peer machine in a peer-to-peer (P2P) (or other distributed) network environment. The machine 600 may be a personal computer (PC), a tablet PC, a set-top box (STB), a personal digital assistant (PDA), a mobile telephone, a web appliance, a network router, switch or bridge, or any machine capable of executing instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein, such as cloud computing, software as a service (SaaS), or other computer cluster configurations.
[0036] Examples, as described herein, may include, or may operate on, logic or a number of components, modules, or mechanisms. Modules are tangible entities (e.g., hardware) capable of performing specified operations when operating. A module includes hardware. In an example, the hardware may be specifically configured to carry out a specific operation (e.g., hardwired). In an example, the hardware may include configurable execution units (e.g., transistors, circuits, etc.) and a computer readable medium containing instructions, where the instructions configure the execution units to carry out a specific operation when in operation. The configuring may occur under the direction of the execution units or a loading mechanism. Accordingly, the execution units are communicatively coupled to the computer readable medium when the device is operating. In this example, the execution units may be a member of more than one module. For example, under operation, the execution units may be configured by a first set of instructions to implement a first module at one point in time and reconfigured by a second set of instructions to implement a second module.
[0037] Machine (e.g., computer system) 600 may include a hardware processor 602 (e.g., a central processing unit (CPU), a graphics processing unit (GPU), a hardware processor core, or any combination thereof), a main memory 604 and a static memory 606, some or all of which may communicate with each other via an interlink (e.g., bus) 608. The machine 600 may further include a display unit 610, an alphanumeric input device 612 (e.g., a keyboard), and a user interface (UI) navigation device 614 (e.g., a mouse). In an example, the display unit 610, alphanumeric input device 612 and UI navigation device 614 may be a touch screen display. The machine 600 may additionally include a storage device (e.g., drive unit) 616, a signal generation device 618 (e.g., a speaker), a network interface device 620, and one or more sensors 621, such as a global positioning system (GPS) sensor, compass, accelerometer, or other sensor. The machine 600 may include an output controller 628, such as a serial (e.g., universal serial bus (USB)), parallel, or other wired or wireless (e.g., infrared (IR), near field communication (NFC), etc.) connection to communicate with or control one or more peripheral devices (e.g., a printer, card reader, etc.).
[0038] The storage device 616 may include a machine readable medium 622 that is non-transitory on which is stored one or more sets of data structures or instructions 624 (e.g., software) embodying or utilized by any one or more of the techniques or functions described herein. The instructions 624 may also reside, completely or at least partially, within the main memory 604, within static memory 606, or within the hardware processor 602 during execution thereof by the machine 600. In an example, one or any combination of the hardware processor 602, the main memory 604, the static memory 606, or the storage device 616 may constitute machine readable media.
[0039] While the machine readable medium 622 is illustrated as a single medium, the term “machine readable medium” may include a single medium or multiple media (e.g., a centralized or distributed database, or associated caches and servers) configured to store the one or more instructions 624.
[0040] The term “machine readable medium” may include any medium that is capable of storing, encoding, or carrying instructions for execution by the machine 600 and that cause the machine 600 to perform any one or more of the techniques of the present disclosure, or that is capable of storing, encoding or carrying data structures used by or associated with such instructions. Non-limiting machine-readable medium examples may include solid-state memories, and optical and magnetic media. Specific examples of machine readable media may include: non-volatile memory, such as semiconductor memory devices (e.g., Electrically Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM)) and flash memory devices; magnetic disks, such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.
[0041] The instructions 624 may further be transmitted or received over a communications network 626 using a transmission medium via the network interface device 620 utilizing any one of a number of transfer protocols (e.g., frame relay, internet protocol (IP), transmission control protocol (TCP), user datagram protocol (UDP), hypertext transfer protocol (HTTP), etc.). Example communication networks may include a local area network (LAN), a wide area network (WAN), a packet data network (e.g., the Internet), mobile telephone networks (e.g., cellular networks), Plain Old Telephone (POTS) networks, and wireless data networks (e.g., the Institute of Electrical and Electronics Engineers (IEEE) 802.11 family of standards known as Wi-Fi®, the IEEE 802.16 family of standards known as WiMax®), the IEEE 802.15.4 family of standards, peer-to-peer (P2P) networks, among others. In an example, the network interface device 620 may include one or more physical jacks (e.g., Ethernet, coaxial, or phone jacks) or one or more antennas to connect to the communications network 626. In an example, the network interface device 620 may include a plurality of antennas to wirelessly communicate using at least one of single-input multiple-output (SIMO), multiple-input multiple-output (MIMO), or multiple-input single-output (MISO) techniques. The term “transmission medium” shall be taken to include any intangible medium that is capable of storing, encoding or carrying instructions for execution by the machine 600, and includes digital or analog communications signals or other intangible medium to facilitate communication of such software.
[0042] Example 1 is a method for creating an object on a device, the method comprising: using a single structured access command constructed with an object tag number: writing an object type to a properties memory portion of memory of the device; writing at least one access right value to an access rights memory portion of the memory; and writing at least one configuration to a configuration memory portion of the memory including a current status flag of the object; and reading a data memory portion of the memory using the object tag number based on a request that complies with the at least one access right value and the current status flag.
[0043] In Example 2, the subject matter of Example 1 includes, wherein the properties memory portion, the access rights memory portion, and the configuration memory portion are stored in memory in order.
[0044] In Example 3, the subject matter of Examples 1-2 includes, wherein the at least one access right value prevents further writes to the properties memory portion after the object type is written.
[0045] In Example 4, the subject matter of Examples 1-3 includes, wherein the at least one access right value identifies a right to read the properties memory portion with a particular key.
[0046] In Example 5, the subject matter of Examples 1-4 includes, wherein the object type includes at least one of a data object, a symmetric key object, a wallet object, a record object, or a value object.
[0047] In Example 6, the subject matter of Examples 1-5 includes, wherein the at least one configuration is configurable based on the object type.
[0048] In Example 7, the subject matter of Examples 1-6 includes, wherein the data memory portion includes a plurality of slots, and wherein reading the data memory portion includes reading a current slot of the plurality of slots, the current slot identified in the configuration memory portion.
[0049] In Example 8, the subject matter of Examples 1-7 includes, using a second single structured access command constructed with the object tag number, read the properties memory portion, the access rights memory portion, the configuration memory portion, and the data memory portion.
[0050] In Example 9, the subject matter of Examples 1-8 includes, wherein the object tag number has a size of one or two bytes, and wherein the memory stores more than one object.
[0051] In Example 10, the subject matter of Examples 1-9 includes, wherein the device is a limited memory device, such as a control card, a SIM card, or a smart credit card.
[0052] Example 11 is at least one machine-readable medium including instructions for creating an object on a device, which when executed by processing circuitry, cause the processing circuitry to perform operations to: use a single structured access command constructed with an object tag number to: write an object type to a properties memory portion of memory of the device; write at least one access right value to an access rights memory portion of the memory; and write at least one configuration to a configuration memory portion of the memory including a current status flag of the object; and read a data memory portion of the memory using the object tag number based on a request that complies with the at least one access right value and the current status flag.
[0053] In Example 12, the subject matter of Example 11 includes, wherein the properties memory portion, the access rights memory portion, and the configuration memory portion are stored in memory in order.
[0054] In Example 13, the subject matter of Examples 11-12 includes, wherein the at least one access right value prevents further writes to the properties memory portion after the object tag number and the object type are written.
[0055] In Example 14, the subject matter of Examples 11-13 includes, wherein the at least one access right value identifies a right to read the properties memory portion with a particular key.
[0056] In Example 15, the subject matter of Examples 11-14 includes, wherein the object type includes at least one of a data object, a symmetric key object, a wallet object, a record object, or a value object.
[0057] In Example 16, the subject matter of Examples 11-15 includes, wherein the at least one configuration is configurable based on the object type.
[0058] In Example 17, the subject matter of Examples 11-16 includes, wherein the data memory portion includes a plurality of slots, and wherein reading the data memory portion includes reading a current slot of the plurality of slots, the current slot identified in the configuration memory portion.
[0059] In Example 18, the subject matter of Examples 11-17 includes, wherein the object tag number has a size of one or two bytes, and wherein the memory stores more than one object.
[0060] In Example 19, the subject matter of Examples 11-18 includes, wherein the device is a limited memory device including one of a control card, a SIM card, or a smart credit card.
[0061] Example 20 is an object data structure comprising: a properties memory portion including an object type of an object; an access rights memory portion including a set of access conditions of the object; a configuration memory portion including a current status flag of the object; and a data memory portion including at least one key, the data memory portion accessible via the object tag number based on a request that complies with the set of access conditions and the current status flag; wherein information in the properties memory portion, in the configuration memory portion, in the access rights memory portion, and in the data memory portion are accessible via a single structured access command constructed with an object tag number.
[0062] Example 21 is at least one machine-readable medium including instructions that, when executed by processing circuitry, cause the processing circuitry to perform operations to implement any of Examples 1-20.
[0063] Example 22 is an apparatus comprising means to implement any of Examples 1-20.
[0064] Example 23 is a system to implement any of Examples 1-20.
[0065] Example 24 is a method to implement any of Examples 1-20.
[0066] Method examples described herein may be machine or computer-implemented at least in part. Some examples may include a computer-readable medium or machine-readable medium encoded with instructions operable to configure an electronic device to perform methods as described in the above examples. An implementation of such methods may include code, such as microcode, assembly language code, a higher-level language code, or the like. Such code may include computer readable instructions for performing various methods. The code may form portions of computer program products. Further, in an example, the code may be tangibly stored on one or more volatile, non-transitory, or non-volatile tangible computer-readable media, such as during execution or at other times. Examples of these tangible computer-readable media may include, but are not limited to, hard disks, removable magnetic disks, removable optical disks (e.g., compact disks and digital video disks), magnetic cassettes, memory cards or sticks, random access memories (RAMs), read only memories (ROMs), and the like.
Claims
1. A method for creating an object on a device, the method comprising: using a single structured access command constructed with an object tag number: writing an object type to a properties memory portion of memory of the device; writing at least one access right value to an access rights memory portion of the memory; and writing at least one configuration to a configuration memory portion of the memory including a current status flag of the object; and reading a data memory portion of the memory using the object tag number based on a request that complies with the at least one access right value and the current status flag.
2. The method of claim 1, wherein the properties memory portion, the access rights memory portion, and the configuration memory portion are stored in memory in order.
3. The method of claim 1, wherein the at least one access right value prevents further writes to the properties memory portion after the object type is written.
4. The method of claim 1, wherein the at least one access right value indicates a right to read the properties memory portion with a particular key.
5. The method of claim 1, wherein the object type includes at least one of a data object, a symmetric key object, a wallet object, a record object, or a value object.
6. The method of claim 1, wherein the at least one configuration is configurable based on the object type.
7. The method of claim 1, wherein the data memory portion includes a plurality of slots, and wherein reading the data memory portion includes reading a current slot of the plurality of slots, the current slot identified in the configuration memory portion.
8. The method of claim 1, further comprising using a second single structured access command constructed with the object tag number to read the properties memory portion, the access rights memory portion, the configuration memory portion, and the data memory portion.
9. The method of claim 1, wherein the object tag number has a size of one or two bytes, and wherein the memory stores more than one object.
10. The method of claim 1, wherein the device is a limited memory device including one of a control card, a SIM card, or a smart credit card.
11. At least one machine-readable medium including instructions for creating an object on a device, which when executed by processing circuitry, cause the processing circuitry to perform operations to: use a single structured access command constructed with an object tag number to: write an object type to a properties memory portion of memory of the device; write at least one access right value to an access rights memory portion of the memory; and write at least one configuration to a configuration memory portion of the memory including a current status flag of the object; and read a data memory portion of the memory using the object tag number based on a request that complies with the at least one access right value and the current status flag.
12. The at least one machine-readable medium of claim 11, wherein the properties memory portion, the access rights memory portion, and the configuration memory portion are stored in memory in order.
13. The at least one machine-readable medium of claim 11, wherein the at least one access right value prevents further writes to the properties memory portion after the object type is written.
14. The at least one machine-readable medium of claim 11, wherein the at least one access right value indicates a right to read the properties memory portion with a particular key.
15. The at least one machine-readable medium of claim 11, wherein the object type includes at least one of a data object, a symmetric key object, a wallet object, a record object, or a value object.
16. The at least one machine-readable medium of claim 11, wherein the at least one configuration is configurable based on the object type.
17. The at least one machine-readable medium of claim 11, wherein the data memory portion includes a plurality of slots, and wherein reading the data memory portion includes reading a current slot of the plurality of slots, the current slot identified in the configuration memory portion.
18. The at least one machine-readable medium of claim 11, wherein the object tag number has a size of one or two bytes, and wherein the memory stores more than one object.
19. The at least one machine-readable medium of claim 11, wherein the device is a limited memory device including one of a control card, a SIM card, or a smart credit card.
20. An object data structure comprising: a properties memory portion including an object type of an object; an access rights memory portion including a set of access conditions of the object; a configuration memory portion including a current status flag of the object; and a data memory portion including at least one key, the data memory portion accessible via the object tag number based on a request that complies with the set of access conditions and the current status flag; wherein information in the properties memory portion, in the configuration memory portion, in the access rights memory portion, and in the data memory portion are accessible via a single structured access command constructed with an object tag number.
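The object layout and single-command access described in Examples 11 to 20 and in claims 1 to 20, as an added worked model that is not part of the patent: a Python sketch in which the properties, access rights, configuration and data portions are stored in order, addressed by a one- or two-byte object tag number, and every read or write goes through one structured command that is checked against the presented key identifier and the object's status flag. The byte layout, the instruction codes, the key-identifier encoding (KEY_FREE, KEY_NEVER, or a required key id), the high-bit marker for a two-byte tag, and the sample key material are assumptions of this example, not the patent's.

```python
# Model of a card-style structured object: properties, access rights, configuration and data
# portions stored in order, addressed by an object tag number via one structured command.
import struct

INS_CREATE, INS_READ_DATA, INS_READ_OBJECT, INS_SELECT_SLOT = 0x01, 0x02, 0x03, 0x04
STATUS_INACTIVE, STATUS_ACTIVE = 0x00, 0x01
KEY_FREE, KEY_NEVER = 0x00, 0xFF           # access right values: no key needed / never permitted
TYPES = {1: "data", 2: "symmetric_key", 3: "wallet", 4: "record", 5: "value"}   # claim 5

# Assumed per-object layout (claim 2 order):  byte 0 properties = object type;
# bytes 1-4 access rights = key id required to read_props, write_props, write_cfg, read_data;
# bytes 5-8 configuration = status flag, current slot, slot size, slot count; bytes 9.. = data slots.
HEADER = struct.Struct(">B4B4B")

class Device:
    def __init__(self, size: int = 256):
        self.mem = bytearray(size)      # limited memory shared by several objects
        self.free = 0
        self.objects = {}               # object tag number -> offset of the object's header

    @staticmethod
    def _tag(cmd: bytes, i: int):
        """Tag is 1 or 2 bytes (claim 9); a set high bit marks a 2-byte tag (assumed encoding)."""
        if cmd[i] & 0x80:
            return struct.unpack_from(">H", cmd, i)[0] & 0x7FFF, i + 2
        return cmd[i], i + 1

    @staticmethod
    def _allowed(required: int, presented: int) -> bool:
        return required != KEY_NEVER and required in (KEY_FREE, presented)

    def _header(self, tag: int):
        off = self.objects[tag]                      # KeyError for an unknown tag
        f = HEADER.unpack_from(self.mem, off)
        return off, f[0], f[1:5], f[5:9]             # offset, type, rights, configuration

    def execute(self, cmd: bytes, key_id: int = KEY_FREE) -> bytes:
        """One structured access command [INS][tag][payload], checked against the presented key id."""
        ins = cmd[0]
        tag, i = self._tag(cmd, 1)
        if ins == INS_CREATE:
            return self._create(tag, cmd[i:], key_id)
        off, _, rights, (status, cur, slot_size, n_slots) = self._header(tag)
        if ins == INS_SELECT_SLOT:                   # configuration write: choose the current slot
            if not self._allowed(rights[2], key_id) or cmd[i] >= n_slots:
                raise PermissionError("configuration write refused")
            self.mem[off + 6] = cmd[i]
            return b""
        if ins == INS_READ_DATA:                     # claim 1: gated by access right and status flag
            if status != STATUS_ACTIVE or not self._allowed(rights[3], key_id):
                raise PermissionError("data read refused")
            start = off + HEADER.size + cur * slot_size
            return bytes(self.mem[start:start + slot_size])
        if ins == INS_READ_OBJECT:                   # claim 8: all four portions in one command
            if not self._allowed(rights[0], key_id):
                raise PermissionError("properties read refused")
            return bytes(self.mem[off:off + HEADER.size + n_slots * slot_size])
        raise ValueError("unknown instruction")

    def _create(self, tag: int, payload: bytes, key_id: int) -> bytes:
        fields = HEADER.unpack_from(payload)
        if fields[0] not in TYPES:
            raise ValueError("unknown object type")
        if tag in self.objects:                      # claim 3: properties locked once written
            off, _, rights, _ = self._header(tag)
            if not self._allowed(rights[1], key_id):
                raise PermissionError("properties portion is locked")
            self.mem[off] = fields[0]
            return b""
        slot_size, n_slots = fields[7], fields[8]
        data = payload[HEADER.size:]
        total = HEADER.size + slot_size * n_slots
        if len(data) > slot_size * n_slots or self.free + total > len(self.mem):
            raise MemoryError("object does not fit")
        off = self.free
        self.mem[off:off + HEADER.size] = payload[:HEADER.size]
        self.mem[off + HEADER.size:off + HEADER.size + len(data)] = data
        self.objects[tag] = off
        self.free += total
        return b""

def demo() -> dict:
    """Constructed scenario: a two-slot symmetric key object under 2-byte tag 0x0102, readable only with key 7."""
    dev = Device()
    tag = bytes([0x81, 0x02])                                   # tag 0x0102 with the 2-byte marker bit
    header = HEADER.pack(2, KEY_FREE, KEY_NEVER, 7, 7, STATUS_ACTIVE, 0, 16, 2)
    keys = bytes(range(16)) + bytes(range(16, 32))              # constructed key material, one key per slot
    dev.execute(bytes([INS_CREATE]) + tag + header + keys)
    out = {"slot0": dev.execute(bytes([INS_READ_DATA]) + tag, key_id=7)}
    dev.execute(bytes([INS_SELECT_SLOT]) + tag + b"\x01", key_id=7)
    out["slot1"] = dev.execute(bytes([INS_READ_DATA]) + tag, key_id=7)
    try:
        dev.execute(bytes([INS_READ_DATA]) + tag, key_id=3)      # wrong key: refused
        out["wrong_key"] = "allowed"
    except PermissionError:
        out["wrong_key"] = "refused"
    out["object_len"] = len(dev.execute(bytes([INS_READ_OBJECT]) + tag))
    return out
```

Running demo() reads slot 0, switches the current slot through a configuration write and reads slot 1, shows a read with the wrong key being refused, and returns all four portions in one INS_READ_OBJECT command. Re-issuing the create command against an existing tag is refused because the write_props access right was set to KEY_NEVER at creation, which is the write-once property of claims 3 and 13; an object whose status flag is STATUS_INACTIVE refuses data reads even when the right key is presented, which is the status-flag condition of claims 1 and 11.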
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/EP2023/079197 WO2025082605A1 (en) | 2023-10-19 | 2023-10-19 | Secure access device structured object |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/EP2023/079197 WO2025082605A1 (en) | 2023-10-19 | 2023-10-19 | Secure access device structured object |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025082605A1 true WO2025082605A1 (en) | 2025-04-24 |
Family
ID=88584923
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/EP2023/079197 Pending WO2025082605A1 (en) | 2023-10-19 | 2023-10-19 | Secure access device structured object |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2025082605A1 (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020077803A1 (en) * | 2000-09-08 | 2002-06-20 | Michiharu Kudoh | Access control system and methods |
| US6412070B1 (en) * | 1998-09-21 | 2002-06-25 | Microsoft Corporation | Extensible security system and method for controlling access to objects in a computing environment |
| US20050044426A1 (en) * | 2003-08-18 | 2005-02-24 | Matthias Vogel | Data structure for access control |
Events
- 2023-10-19: WO PCT/EP2023/079197, WO2025082605A1, active, Pending
Similar Documents
| Publication | Title |
|---|---|
| CN102368201B (en) | Storage optimization selection within a virtualization environment |
| US8713646B2 (en) | Controlling access to resources on a network |
| US9042877B1 (en) | System and method for retrofitting a branding framework into a mobile communication device |
| US20190089810A1 (en) | Resource access method, apparatus, and system |
| US8909291B1 (en) | Dynamic remotely managed SIM profile |
| US10354082B2 (en) | Document state interface |
| US20160070431A1 (en) | Sync based on navigation history |
| US20180260578A1 (en) | Self destructing portable encrypted data containers |
| US12197974B2 (en) | Logical java card runtime environment |
| US20190005260A1 (en) | Method and system for isolating application data access |
| EP3425846A1 (en) | Authorization method and device for joint account, and authentication method and device for joint account |
| EP2902947A1 (en) | RF communication device with access control for host interface |
| JP2019153310A (en) | Information processing apparatus, information processing method, and program |
| KR20220005933A (en) | Cloud server and Method for controlling the cloud server thereof |
| WO2025082605A1 (en) | Secure access device structured object |
| EP3769253A1 (en) | Storage device authenticated modification |
| GB2466969A (en) | Circuit card data protection |
| WO2015096940A1 (en) | Method for allowing an access control enforcer to access to rules of a secure element with a single specific command, and associated device |
| US20230119797A1 (en) | In-field encoding of access credentials |
| CN110574002B (en) | Storage device hash generation |
| KR102745190B1 (en) | Techniques for performing data caching |
| KR102804678B1 (en) | System and method for managing passes |
| CN105630811A (en) | Update method and update system of access control rule |
| US20250209177A1 (en) | Scripting transform loader |
| EP2211264A1 (en) | Versatile electronic storage device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 23797693; Country of ref document: EP; Kind code of ref document: A1 |