Abstract: The invention is a method for managing profiles in a secure element that has several profiles comprising files organized in respective logical tree structures comprising respective root files. The root files have identifiers whose values are different from 0x3F00 and the method comprises the step of enabling browsing of the logical tree structure comprising a targeted root file in response to the receipt of a Select file command aiming at selecting said targeted root file.

Abstract: The invention proposes a method for downloading files from an OTA platform over-the-air to secure elements cooperating with terminals, these files comprising roaming information allowing the secure elements to connect to networks different from their Home Public Land Mobile Networks. The method includes, for each secure element: Polling the OTA platform by the secure element; Checking if a new release of at least one file for which the owner of the secure element has contracted a subscription is available; and, If this check is positive, sending only the new release to the secure element and storing this new release in the secure element.

Abstract: The invention proposes an authentication server of a cellular telecommunication network, the authentication server being arranged for generating an authentication token to be transmitted to a telecommunication terminal, the authentication token comprising a message authentication code and a sequence number, wherein the message authentication code is equal to: MACx=KIdx XOR f1(AMF,SQNx,RAND,K) with KIdx being a key index information in the form of a bias of a MAC equal to: MAC=f1(K,AMF,SQNx,RAND) with f1 being a function, K a key, RAND a random number and SQNx a sequence counter relative to a corresponding key Kx derived from the key K and KIdx, and AMF the content of an authentication management field as defined in 3GPP TS 33.102.

Abstract: The invention relates to a method for managing data access. The method includes receiving at least one request for accessing data; capturing data relating to at least one current context signal during each data access request; comparing, as a current authorization step, the data relating to at least one captured current context signal to predetermined reference data relating to at least one corresponding context signal according to at least one corresponding predetermined authorization policy; determining, based upon the current authorization result and at least one predetermined dynamic data access policy, whether the data access is or is not authorized, as a data access decision; and issuing the data access decision. The invention also relates to corresponding first device, second device and system.

Abstract: A method of loading a Java Card memory with a Java Card package through a Card Personalization Specification (CPS) flow. The method proposes to encapsulate the Java Card package destined to be loaded into the Java Card memory in an extra proprietary Data Grouping Identifier (DGI) added at the beginning of a standard DGI sequence. By adding the extra DGI containing a Java Card package at the beginning of the DGI sequence, the Java Card application writes the Java Card package into the Java Card memory. The Java Card package then receives the rest of the DGIs from the application and handles the personalization process by writing itself the personalized data into the memory.

Abstract: The invention is a method for managing applications in a secure element comprising a communication interface. An application is installed in the secure element and configured to be implicitly selected on the communication interface. The method comprises the following steps: —the secure element receives a command requesting the installation of a new application configured to be implicitly selected on the communication interface, —upon receipt of the command, the secure element installs the new application, configures the new application to be implicitly selected on the communication interface and keeps the previous application unchanged.

Abstract: The present invention relates to a method to manage subscriptions in a provisioning server (PS) able to communicate with a Hardware Security Module (HSM) having an HSM key (K). Said method being such that the HSM comprising a load and a reload function, the secure device key ((Ke1)K) and the storage key ((Ks)K) as encrypted and stored are provided (S1) to one of said functions, said functions outputting, the storage key ((Ks)Ke1)K) encrypted using the provided secure device (SE1) key (Ke1) and the HSM key K, and an APDU_putkey command ((APDU_PUTKEY((Ks)Ke1))Ke1), encrypted using the provided secure device (SE1) key (Ke1), to put the retrieved storage key ((Ks)Ke1) also encrypted using the provided secure device key (Ke1), the storage key as previously stored ((Ks)K) is overwritten (S6) with the storage key (((Ks)Ke1)K) encrypted using the secure device key (Ke1) and the HSM key (K) returned by the function.

Abstract: A method for provisioning an applet in a security element with credentials of a terminal application provided by an application server comprises: Sending a request to provision the applet with credentials from the terminal application to the applet; Sending an SMS message containing an identifier of the applet from the applet to an OTA platform; Adding the MSISDN of the security element by an SMSC located in front of the OTA platform in the header of the SMS; Requesting the credentials from the OTA platform to the application server; Sending from the application server to the OTA platform the credentials to be associated with the MSISDN; Sending from the OTA platform to the applet the credentials associated with the MSISDN; and Sending from the applet to the terminal application a message that it has been provisioned with credentials of the terminal application.

Abstract: The invention relates in particular to a method for updating security elements cooperating with telecommunications terminals, the updates being performed by an OTA platform on the basis of queries formulated by the security elements, the security elements transmitting PSK-IDs to the OTA platform, the method comprising transmitting, from the security elements to the OTA platform, identities defining an order of priority of requests for handling the queries of same by the OTA platform.

Abstract: The present invention relates to a method to authenticate two devices to establish a secure channel, one belonging to a first group of devices, the second belonging to a second group of devices, in a non-traceable manner without the need to share a secret, each group being authenticated by an authority that stores a group secret key into the devices under its authority. The method uses a set of authentication tokens, one for each of the other groups with which the device is intended to communicate, said authentication token comprising at least a random number and a cipher of at least this random number by the secret key of each of these other groups, said authentication tokens being further renewed at each communication with a device from another group.

Abstract: The present invention relates to a mobile communication device for communicating with a cellular network by means of a serving base node, the mobile communication device further being connected to a subscriber identity module, the mobile communication device being configured to operate in a power optimization mode wherein the power optimization mode comprises extended paging periods, and the mobile communication device is further configured to set up a communication context with the base node using authentication means of the subscriber identity module, wherein the mobile communication device is further configured, in case of detection of a removal of the subscriber identity module and when the power optimization mode is activated: to send an removal alert message to the serving base node by means of said communication context, afterwards to terminate the communication context.

Abstract: The present invention relates to a device having a central processing unit, RAM memory and at least two hardware elementary operations, using registers of greater size than the one of the central processing unit, said device being such that construction of at least one part of RAM memory is managed only by the hardware elementary operations, hardware elementary operations themselves and masking of inputs/outputs/intermediary data are monitored by software instructions, said software instructions being able to address different cryptographic functionalities using said hardware elementary operations according to several ways depending on each concerned functionality, said software instructions being further able to address several levels of security in the execution of the different functionalities.

Abstract: A fingerprint imaging system is described comprising a film including an optically transparent self-wetting adhesive layer adhered to an imaging surface of an electronic optical image sensor. Also described is a method of use of an optical imaging system, and a film and multilayer film suitable for use with a fingerprint imaging system.

Abstract: The invention relates to a method for producing a module having an electronic chip including metallizations which are accessible from a first side of the metallizations and an integrated circuit chip which is arranged on the second side of the metallizations, opposite the first side. The method comprises the step of forming electrical interconnection elements which are separate from the metallizations, directly connecting the chip, and are arranged on the second side of the metallizations. The invention also relates to a module corresponding to the method and to a device comprising said module.

Abstract: A system, method and computer-readable storage medium with instructions for protecting an electronic device against fault attack. The technology includes operating the electronic device to determine two half-size exponents, dp and dq, from the exponent d; to split the base m into two sub-bases mp and mq determined from the base m; and to iteratively compute a decryption result S by repeatedly multiplying an accumulator A by m, mp, mq or 1 depending on the values of the i-th bit of dp and dq for each iteration I?. Other systems and methods are disclosed.

Abstract: The invention relates to a payment device 100 comprising a secure integrated circuit SE with a dual interface. A connector 110 is connected to the contact type interface in order to communicate with an external reader. An antenna 140 is connected to the contactless interface. The device also comprises a reader circuit 120, 130, 150 compatible with the secure integrated circuit SE, wherein the reader circuit is connected in parallel to the connector 110. An independent battery BAT is used to power the reader circuit. A power switching circuit 160 connected to a communication field detection circuit 170, wherein said power switching circuit is capable of powering the reader circuit after a communication field is detected.

Abstract: The invention relates to a process for securing an identification document and to a secure identification document. More particularly, the process uses UV sensitive ink(s) to define a pattern only visible under UV radiations, by printing a first layer of a transparent ablation varnish (13), printing a layer (14) of UV sensitive ink(s) over said first layer of transparent ablation varnish, removing parts of the layer (14) of UV sensitive ink(s), by means of a laser beam, some remaining areas of said UV sensitive ink(s) defining said pattern to be revealed in color under UV radiations, and some areas, where the UV sensitive ink(s) has been removed and the laser beam has interacted with the ablation varnish (13), absorbing the UV radiations with effect of creating black color. Other systems and methods are disclosed.

Abstract: A first device generates a first signature by using complete transaction data received from a second device, a first algorithm and a first key, modifies at least one character from the complete transaction data and gets partial transaction data, and sends to the second device the partial transaction data. The second device requests a user to modify the partial transaction data by providing at least one character, as complementary data to the partial transaction data, gets, as request response from a user, at least one character to modify the partial transaction data, a corresponding result being proposed modified transaction data, generates a second signature by using the proposed modified transaction data, the first algorithm and the first key, and sends to the first device the second signature. Only if the second signature does match the first signature, then the first device authorizes to carry out a corresponding transaction.

Abstract: The invention is a method for managing access to a service wherein the method comprises the following steps: a client application sends to an application server a request to access the service by using credentials and a first anti-clone code, the application server performs a verification of the credentials and said first anti-clone code, the application server sends a second anti-clone code to the client application and deactivates said first anti-clone code only in case of successful verification, said second anti-clone code being required for the next attempt to access the service.

Abstract: A device comprises a chip storing a first subscription relating to the first mobile network operator in a home country. The chip stores a second subscription relating to a second mobile network operator and associated with a preferred communication technology. The chip receives location information and analyses whether an extended cell identity value is present within the location information. The chip detects, based upon the analysis, a currently available communication technology relating to a second mobile network. The chip compares the currently available communication technology to at least one preferred communication technology. If the currently available communication technology matches at least one preferred communication technology, then the chip switches to a second subscription associated with the preferred communication technology. The chip sends to the device at least one identifier relating to the second subscription related to the second mobile network.