Patents Assigned to THALES DIS FRANCE SA
  • Patent number: 10965690
    Abstract: This invention relates to a method for managing the status of a connected device by publishing assertions in an immutable distributed database composed of a plurality of compute nodes, a pair of keys comprising a public key and a private key being associated with the connected device. The method comprises the steps of: receiving from a first terminal associated to a first user an instruction message; verifying that the first user is allowed to modify the status of the connected device; sending an assertion request to the immutable distributed database for publishing an assertion comprising the status information.
    Type: Grant
    Filed: May 22, 2017
    Date of Patent: March 30, 2021
    Assignee: THALES DIS FRANCE SA
    Inventor: Ly Thanh Phan
  • Patent number: 10965657
    Abstract: The present invention relates to a method to authenticate a subscriber (IMSIi) within a local network (LNj) comprising a preliminary step of deriving a subscriber key (SMKi) into local keys (LKi), one local key (LKiLNj) for each local network (LNj) the subscriber (IMSIi) is authorized to access, and provisioning each local network (LNj) the subscriber (IMSIi) is authorized to access with its own local key (LKiLNj). When an authentication is required in a given local network (LNj), a UICC application derives a local key (LKiLNj) in the UICC application of the subscriber (IMSIi) using the network identifier (LNj), the key derivation function (KDF) and the subscriber key (SMKi) and uses the derived local key (LKiLNj) in the algorithm to perform local authentication in the local network (LNj).
    Type: Grant
    Filed: July 5, 2016
    Date of Patent: March 30, 2021
    Assignee: THALES DIS FRANCE SA
    Inventors: Mireille Pauliac, Anne-Marie Praden
  • Patent number: 10963167
    Abstract: The invention relates to a method for managing data access. The method includes receiving at least one request for accessing data; capturing data relating to at least one current context signal during each data access request; comparing, as a current authorization step, the data relating to at least one captured current context signal to predetermined reference data relating to at least one corresponding context signal according to at least one corresponding predetermined authorization policy; determining, based upon the current authorization result and at least one predetermined dynamic data access policy, whether the data access is or is not authorized, as a data access decision; and issuing the data access decision. The invention also relates to corresponding first device, second device and system.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: March 30, 2021
    Assignees: THALES DIS FRANCE SA, THALES DIS CPL USA, INC.
    Inventors: Didier Hugot, Asad Ali, Gorav Arora
  • Patent number: 10957398
    Abstract: The invention relates to a method for managing a memory LNVM erasable by block. The method comprises an index management of the memory blocks wherein the index indicates if a block is erased (Erased) or to be erased (TBE). A memory manager performs a block erasing when the memory is not in use and a block is to be erased and when the number of erased blocks is lower than a predetermined number.
    Type: Grant
    Filed: November 25, 2016
    Date of Patent: March 23, 2021
    Assignee: THALES DIS FRANCE SA
    Inventors: Frederic Gallas, Rudy Yanto, Vincent Dumas, Fabrice Vergnes
  • Patent number: 10959094
    Abstract: A method of replacing an authentication parameter for authenticating a security element co-operating with a terminal includes storing in the security element a first authentication parameter; transmitting to a mobile network operator the first authentication parameter for the operator to record it in its authentication system; on occurrence of an event, having a remote platform transmit to the security element an indicator informing the security element that it is authorized to replace the first authentication parameter with a second authentication parameter if its authentication fails; on occurrence of the event, having the entity transmit to the operator a second authentication parameter to replace the first authentication parameter; and in the event of subsequent failure of the security element to connect to the mobile network and if the indicator is present at the security element, replacing the first authentication parameter with the second authentication parameter at the security element.
    Type: Grant
    Filed: June 23, 2016
    Date of Patent: March 23, 2021
    Assignee: THALES DIS FRANCE SA
    Inventors: Patrice Amiel, Michel Endruschat, Sébastien Ponard, Gabriel Pereira, Jean-Yves Fine, François Zannin, Michel Martin, Caroline Durant Dinet, Xavier Berard
  • Patent number: 10956620
    Abstract: A method for managing a secure element embedded in an equipment comprising an NFC controller. The secure element comprises a security indicator. The method comprises the steps of: on receipt of a triggering command sent by the NFC controller, the secure element switches to a test context; on receipt of a restore command sent by an application, the secure element sets the security indicator, such as a counter of unusual events, to a predefined value only if the secure element is in the test context; and on receipt of an ending command sent by the NFC controller, the secure element switches to a Live context. The secure element keeps track of the switch to the test context and denies any further triggering commands. The method enables reset of the security indicator after manufacturing and test where the security indicator may have been affected.
    Type: Grant
    Filed: June 14, 2017
    Date of Patent: March 23, 2021
    Assignee: THALES DIS FRANCE SA
    Inventors: Fabien Courtiade, Réda Zaiti
  • Patent number: 10939265
    Abstract: The invention is a method for managing an application that includes a generic part and an additional part. The generic part is pre-installed on a device. The device gets a fingerprint of itself and after a user authentication sends to a server a request for getting the additional part. The request comprises credentials associated with the user or a reference of the user, the fingerprint and a reference of the application. The server generates a ciphered part of the additional part using a key based on both the credentials and the fingerprint and builds an auto-decrypt program configured to decipher the ciphered part. The device receives the ciphered part and the auto-decrypt program. It gets the fingerprint and the credentials and retrieves the additional part by running the auto-decrypt program with said fingerprint and credentials as input parameters.
    Type: Grant
    Filed: September 6, 2016
    Date of Patent: March 2, 2021
    Assignee: THALES DIS FRANCE SA
    Inventors: Milas Fokle, Benoit Gonzalvo, Guillaume Huysmans
  • Patent number: 10922682
    Abstract: There is described a method for Java Card application memory footprint optimization which relies on the separation in advance of the code related to the personalization from the rest of the code. It allows this code to perform the personalization of an application installed from a main package while being itself included and installed from a separated package dedicated to the personalization, namely the Card Personalization Specifications (CPS) package. This way, the CPS package and all the code inherent to the personalization can be removed once all the personalization steps have been completed.
    Type: Grant
    Filed: September 4, 2017
    Date of Patent: February 16, 2021
    Assignee: THALES DIS FRANCE SA
    Inventors: Sylvain Chafer, Valentin Favreau, Chandra Gondowisito, Guillaume Phan
  • Patent number: 10915634
    Abstract: A secure element equips a device usable by N image owners, and comprises a first non-volatile memory divided into N parts storing image owner data, a second non-volatile memory storing a primary boot loader, a third non-volatile memory divided into N parts storing image owner session private data, a first random access memory divided into N parts associated to the N first non-volatile memory parts, a second random access memory for temporarily storing image owner data during an access session, and a controller activated by the primary boot loader when the device starts an access session, and then controlling accesses to the non-volatile memories and random access memories according to rules, and erasing the second random access memory each time the device starts an access session.
    Type: Grant
    Filed: April 18, 2016
    Date of Patent: February 9, 2021
    Assignee: THALES DIS FRANCE SA
    Inventors: Alain Rhelimi, Serge Barbe
  • Patent number: 10911937
    Abstract: A method for a credential container embedded into a wireless communication device to obtain a temporary wireless connectivity through a first wireless network, the credential container being provisioned with an identifier ID identifying the wireless communication device or the credential container and a pre-loaded subscription profile comprising a range of International Mobile Subscription Identifiers associated to a second network operator.
    Type: Grant
    Filed: September 11, 2018
    Date of Patent: February 2, 2021
    Assignee: THALES DIS FRANCE SA
    Inventors: Michel Anslot, Marc Lamberton
  • Patent number: 10904731
    Abstract: A system and method for transmitting a provisioning dataset from a cellular network to a user equipment. The cellular network includes a plurality of base nodes providing access to the user equipment, a remote provisioning server accessible by the cellular network, and a core network, including at least two network slices. At least one of the network slices includes at least one network node exclusively assigned to the network slice. At least one of the network slices is dedicated for operating a predefined class of user equipment. At least one remote provisioning network slice includes an assigned network node giving access to the remote provisioning server, and at least one base node assigned to the remote provisioning network slice.
    Type: Grant
    Filed: June 14, 2017
    Date of Patent: January 26, 2021
    Assignees: THALES DIS FRANCE SA, THALES DIS AIS DEUTSCHLAND GMBH
    Inventors: Volker Breuer, Lars Wehmeier, Anne-Marie Praden
  • Patent number: 10885297
    Abstract: The non-contact capture device allows for an image of an object to be captured when the object is not making contact with any portion of the non-contact capture device. The non-contact capture device comprises an electronic compartment comprising a camera and a light source, wherein the camera and light source are directed to an image capture region, a housing guide comprising a leg extending away from the electronic compartment to support a collar, and an image capture region spaced away from the electronic compartment and the housing guide. The collar extends laterally around only a portion of the image capture region forming an entry gap into the image capture region.
    Type: Grant
    Filed: August 11, 2017
    Date of Patent: January 5, 2021
    Assignee: THALES DIS FRANCE SA
    Inventors: Brett A. Howell, Brian L. Linzie
  • Patent number: 10878083
    Abstract: A mechanism for securing a mobile app for execution on a mobile device. The mechanism includes loading a non-trusted portion of the mobile app from a non-trusted application provider onto the mobile device, operating a key provisioning server to generate keys associated with a trusted execution environment, transmitting the keys associated with the trusted execution environment to the mobile device and to a key directory server, authenticating the mobile device, and upon authenticating the mobile device, transmitting a trusted portion of the mobile app including a trusted application to the mobile device, and installing the trusted portion of the mobile app on the mobile device thereby providing a trusted execution environment. Other systems and methods are disclosed.
    Type: Grant
    Filed: December 9, 2016
    Date of Patent: December 29, 2020
    Assignee: THALES DIS FRANCE SA
    Inventors: Min Hlaing, SM Sohiduzzaman SK Abdul Aziz, Sriram Ramachandran, Véronique Charpeignet, Patrice Angelini
  • Publication number: 20200396588
    Abstract: A user equipment for wireless communication, configured to operate in a cellular network, includes a credential container. The user equipment sends a set of payload items to a central server communicatively coupled to the cellular network, wherein the user equipment is configured to send an attach request message to the cellular network comprising a preconfigured qualifier for at least one of the user equipment and the credential container. The user equipment is further configured: to retrieve an authentication request message from the cellular network comprising a random value and an authentication code; to determine a response token comprising a preconfigured identifier stored in at least one of the user equipment and the credential container and at least one out of the set of payload items; and to submit said response token with an authentication failure message to the cellular network for forwarding to the central server.
    Type: Application
    Filed: February 19, 2019
    Publication date: December 17, 2020
    Applicant: THALES DIS FRANCE SA
    Inventors: Marc LAMBERTON, Michel ANSLOT
  • Patent number: 10841276
    Abstract: The invention relates to a method for carrying out a sensitive operation in the course of a communication between a processing unit and a first service server, said first server being accessible via a first domain name and/or first electronic address. The method comprises the step of using at least one second domain name different from the first and/or a second electronic address different from the first to carry out all or part of the sensitive operation. The invention also relates to a system corresponding to the method and comprising the server and/or the processing unit.
    Type: Grant
    Filed: December 1, 2017
    Date of Patent: November 17, 2020
    Assignee: THALES DIS FRANCE SA
    Inventor: Didier Hugot
  • Patent number: 10841310
    Abstract: A method provides access to data or a service from a first device relating to a first user. A set of identifiers relating each to a second device is predefined. Each second device is related to a second user. A server receives, from the first device, a request for accessing the data or service from a current location relating to the first user. The server sends, to each selected second device, a request to determine whether the first user is locally present. Each selected second device requests, from the second device user, whether the first user is locally present. Each selected second device gets, from the second user, a presence response and sends, to the server, the presence response. The server verifies whether the received presence response includes a predefined positive presence response. If yes, the server authorizes the first device to access the data or service.
    Type: Grant
    Filed: October 9, 2018
    Date of Patent: November 17, 2020
    Assignee: THALES DIS FRANCE SA
    Inventors: Michael Hutchinson, Asad Ali
  • Publication number: 20200356968
    Abstract: The invention relates to a method for carrying out a payment transaction on a bank terminal using an electronic payment device, where the device contains at least two payment applications. The method includes a step of data communication from the device to the terminal during a transaction, which data contains at least information of a first type identifying each payment application of the device; and a step of configuring the device so that the data provides information of a first type relative to at least one disabled payment application. The invention likewise relates to the corresponding system.
    Type: Application
    Filed: October 2, 2018
    Publication date: November 12, 2020
    Applicant: THALES DIS FRANCE SA
    Inventors: François LEMAIRE, Jean LAMBERT
  • Patent number: 10820418
    Abstract: The invention relates to an electronic module comprising a dielectric support film having a first side, conductor paths that are printed on said first side, and a semiconductor component which connects the conductor paths by means of electrical connections. The electronic module of the invention is characterized in that each electrical connection includes a lead wire that connects a contact of the semiconductor component to each path directly or via an island or an interconnection pad.
    Type: Grant
    Filed: December 16, 2014
    Date of Patent: October 27, 2020
    Assignee: THALES DIS FRANCE SA
    Inventors: Alain Le Loc'h, Jean-Marie Bertolotti, Jean-Christophe Fidalgo
  • Publication number: 20200336300
    Abstract: The invention relates to an authentication method. The method comprises: collecting, based on a predetermined authentication policy, at least one context data element; constituting, based on the at least one collected context data element, a data packet; generating, by using a predetermined hash type algorithm and the data packet, as input to the predetermined hash type algorithm, a hash; sending the generated hash; generating, as a hash distance generation step, a hash distance between the generated hash and a predetermined reference hash; and authenticating successfully or not based on the generated hash distance, as an authentication step. The invention also relates to corresponding device and system.
    Type: Application
    Filed: November 19, 2018
    Publication date: October 22, 2020
    Applicant: THALES DIS FRANCE SA
    Inventors: Fabrice DELHOSTE, Frédéric PAILLART, Sébastien PETIT
  • Patent number: 10812467
    Abstract: The invention is a method for managing a secure channel between a server and a secure element embedded in a first device, wherein a user agent embedded in a second device establishes an HTTPS session with the server and retrieves a web application from the server, the method comprising the steps: the server sends to the web application an application certificate which is linked to a specific data reflecting the identity of the server; the secure element gets the application certificate and the specific data; the secure element checks the validity of the application certificate and that the application certificate is consistently linked to the specific data; in case of successful checks, the secure element and the server generate an ephemeral session key and use it for opening a secure channel.
    Type: Grant
    Filed: May 24, 2016
    Date of Patent: October 20, 2020
    Assignee: THALES DIS FRANCE SA
    Inventors: Gil Bernabeu, Olivier Potonniee, HongQian Karen Lu