Patents by Inventor Per Stahl
Per Stahl has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20200403780Abstract: There is provided mechanisms for enabling secure communication between a first communications device and a second communications device. A method is performed by the first communications device. The method comprises performing a network attachment procedure with an authentication server. The method comprises establishing, during the network attachment procedure, a shared secret between the first communications device and the authentication server. The shared secret is established by running an authentication and key agreement protocol as part of the network attachment procedure with a network access identity of the first communications device as input. The method comprises deriving an application level shared key for the first communications device from the shared secret. The shared key is to be used for secure communication between the first communications device and the second communications device.Type: ApplicationFiled: July 3, 2017Publication date: December 24, 2020Inventors: Per Ståhl, Patrik Ekdahl, Petri Mikael Johansson, Bernard Smeets
-
Publication number: 20200389788Abstract: A method of establishing a session key at a communication device is disclosed, wherein the session key is to be shared between the communication device and a network application function (NAF) and wherein a service bootstrap key and an associated transaction identifier, previously derived by application of a general bootstrapping architecture (GBA) procedure, are shared between the communication device and a bootstrapping server function (BSF). The method comprises acquiring a NAF identifier associated with the NAF, deriving a NAF specific key based on the NAF identifier and the service bootstrap key, deriving the session key based on the NAF specific key and one or more key defining parameters, wherein the key defining parameters are accessible by the communication device and by the NAF and are non-accessible by the BSF, and transmitting an attach request message and the transaction identifier towards the NAF for establishment of the session key at the NAF.Type: ApplicationFiled: November 29, 2017Publication date: December 10, 2020Inventors: Bernard Smeets, Håkan Englund, Per Ståhl
-
Publication number: 20200351656Abstract: There is presented mechanisms for profile handling of a communications device (300). A method is performed by a local profile assistant (200a) of a proxy device (200). The method comprises obtaining an indication of handling a profile of the communications device (300). The method comprises establishing a first secure communications link with a local profile assistant of the communications device. The method comprises establishing a second secure communications link with a subscription management entity (430) of the communications device. The method comprises receiving information pertaining to handling of the profile by the local profile assistant of the communications device, the information being received from the subscription management entity over the second secure communications link. The method comprises providing the information to the local profile assistant of the communications device over the first secure communications link.Type: ApplicationFiled: January 29, 2018Publication date: November 5, 2020Inventors: Petri Mikael JOHANSSON, Per STÅHL
-
Publication number: 20190223010Abstract: Methods for communication for a device and a transport node are disclosed, the transport node facilitating communication between the device and a server. The method (100) for the device comprises assembling a message for sending to the server via the transport node (120), the message comprising a message payload, an application layer header, and a signature, wherein at least one of the message payload or a part of the application layer header is encrypted. The method further comprises retrieving a compression context identifier corresponding to the application layer header (130), replacing the application layer header in the message with the retrieved compression context identifier (140) and forwarding the message to the transport node (150). The method (200) for the transport node comprises retrieving an application layer header corresponding to the compression context identifier (220), and replacing the compression context identifier in the message with the retrieved application layer header (230).Type: ApplicationFiled: September 21, 2016Publication date: July 18, 2019Inventors: Ari Keränen, Per Ståhl
-
Publication number: 20190158453Abstract: There is provided mechanisms for handling registration of data packet traffic for a wireless device in a communications network. A method is performed by a core network node. The method comprises registering an amount of data packet traffic in the communications network for the wireless device, wherein each data packet comprises an address of the wireless device, wherein the address is mapped to an identity of the wireless device, wherein the address comprises a first part defining an identity of a local network gateway of the wireless device and a second part defining the identity of the wireless device, and wherein selection of the second part is independent from the first part and the identity of the local network gateway. The method comprises mapping the amount of data packet traffic to the identity of the wireless device.Type: ApplicationFiled: April 14, 2016Publication date: May 23, 2019Applicant: Telefonaktiebolaget LM Ericsson (publ)Inventors: Per STÅHL, John FORNEHED, Ari KERÄNEN, Anders NOHLGREN, Bernard SMEETS
-
Publication number: 20180206117Abstract: This disclosure provides a method, performed in a wireless device, for obtaining initial access to a network in order to establish a connection to a server connected to the network. The wireless device stores a device public key and a device private key. The server stores the device public key. The method comprises transmitting an initial access request to a network node of the network and receiving an authentication request from the network node, the authentication request comprising a challenge. The method comprises generating a device authenticator based on the challenge and the device public key, and transmitting an authentication response to the network node. The authentication response comprises the device authenticator. The method comprises receiving an initial access response from the network node, the initial access response comprising an indicator of whether the initial access is granted or denied.Type: ApplicationFiled: July 2, 2015Publication date: July 19, 2018Inventor: Per STAHL
-
Patent number: 9615029Abstract: There is provided a method for determining a need for a change in a pixel density requirement due to changing light conditions. The pixel density requirement specifies a pixel density which enables identification of an object in images captured by a camera. The method comprises receiving and monitoring (S02) a camera setting which is indicative of a light condition to which the camera is subjected and which affects the quality of images captured by the camera, and determining (S06) that there is a need for a change in the pixel density requirement upon detection (S04) of a change in the camera setting. The camera setting includes at least one of a gain and an exposure time used by the camera when capturing images.Type: GrantFiled: April 27, 2015Date of Patent: April 4, 2017Assignee: Axis ABInventor: Per Stahl
-
Patent number: 9565172Abstract: This disclosure provides a method, performed in a wireless device 60, for enabling a secure provisioning of a credential from a server 70. The wireless device 60 stores a device public key and a device private key. The server 70 stores the device public key. The method comprises receiving S1 an authentication request from the server 70; generating S2 a device authentication and integrity, DAI, indicator; and transmitting S3 an authentication response to the server 70. The authentication response comprises the DAI indicator. The method comprises receiving S4 a credential message from the server 70, the credential message comprising a server authentication and integrity, SAI, indicator. The SAI indicator provides a proof of the server's possession of the device public key. The method comprises verifying S5 the received credential message using the device public key.Type: GrantFiled: June 17, 2015Date of Patent: February 7, 2017Assignee: Telefonaktiebolaget LM Ericsson (publ)Inventor: Per Ståhl
-
Publication number: 20160373418Abstract: This disclosure provides a method, performed in a wireless device 60, for enabling a secure provisioning of a credential from a server 70. The wireless device 60 stores a device public key and a device private key. The server 70 stores the device public key. The method comprises receiving Si. an authentication request from the server 70; generating S2 a device authentication and integrity, DAI, indicator; and transmitting S3 an authentication response to the server 70. The authentication response comprises the DAI indicator. The method comprises receiving S4 a credential message from the server 70, the credential message comprising a server authentication and integrity, SAI, indicator. The SAI indicator provides a proof of the server's possession of the device public key. The method comprises verifying S5 the received credential message using the device public key.Type: ApplicationFiled: June 17, 2015Publication date: December 22, 2016Inventor: Per Ståhl
-
Patent number: 9292712Abstract: An exemplary method of maintaining secure time in a computing device is disclosed in which one or more processors implements a Rich Execution Environment (REE), and a separate Trusted Execution Environment (TEE). The TEE maintains a real-time clock (RTC) that provides a RTC time to the REE. A RTC offset is stored in non-volatile memory, with the RTC offset indicating a difference between the RTC time and a protected reference (PR) time. Responsive to a request from the REE to read the RTC time, a current RTC time is returned to the REE. Responsive to a request from the REE to adjust the RTC time, the RTC time and the corresponding RTC offset are adjusted by a same amount, such that the PR time is not altered by the RTC adjustment. An exemplary computing device operable to implement the method is also disclosed.Type: GrantFiled: September 28, 2012Date of Patent: March 22, 2016Assignee: ST-Ericsson SAInventors: Per Ståhl, Håkan Englund, Martin Hovang, Hervé Sibert
-
Publication number: 20150326791Abstract: There is provided a method for determining a need for a change in a pixel density requirement due to changing light conditions. The pixel density requirement specifies a pixel density which enables identification of an object in images captured by a camera. The method comprises receiving and monitoring (S02) a camera setting which is indicative of a light condition to which the camera is subjected and which affects the quality of images captured by the camera, and determining (S06) that there is a need for a change in the pixel density requirement upon detection (S04) of a change in the camera setting. The camera setting includes at least one of a gain and an exposure time used by the camera when capturing images.Type: ApplicationFiled: April 27, 2015Publication date: November 12, 2015Applicant: Axis ABInventor: Per STAHL
-
Publication number: 20150326402Abstract: A method of authenticating an agent to a secure environment of a device, in a challenge-response authentication sys tem comprising the device, a remote authentication server and a connection path between the device and the remote authentication server, the method comprising: while the connection path is not established:—obtaining a predictable challenge based on at least a current value of a counter;—obtaining a response for the challenge; and,—authenticating the agent to the secure environment based on at least the response; and, wherein, upon successful authentication, the value of the counter is incremented. A challenge-response authentication system and an apparatus are also claimed.Type: ApplicationFiled: January 3, 2014Publication date: November 12, 2015Inventors: Herve SIBERT, Per STAHL
-
Patent number: 9027088Abstract: Systems and methods are provided for authenticating Internet Protocol (IP) Multimedia Subsystem (IMS) applications in a User Equipment (UE). A method includes: receiving a first Session Initiation Protocol (SIP) REGISTER message from an IMS application operating on the UE; transmitting a response message to the IMS application based on the received first SIP REGISTER message; receiving a second SIP REGISTER message from the IMS application operating on the UE; determining authentication for the IMS application based on the received second SIP REGISTER message from the IMS application operating on the UE; and based on the step of determining authentication for the IMS application, if the IMS application is authorized, then transmitting information associated with the first and second SIP REGISTER messages toward a SIP node or if the IMS application is unauthorized, then discarding data associated with the first and second SIP REGISTER messages.Type: GrantFiled: April 19, 2013Date of Patent: May 5, 2015Assignee: Ericsson Modems SAInventors: Stefan Runeson, Per Stahl
-
Publication number: 20140250290Abstract: A temporary anti-rollback table—which is cryptographically signed, unique to a specific device, and includes a version number—is provided to an electronic device requiring a replacement anti-rollback table. The table is verified by the device, and loaded to memory following a reboot. The memory image of the table is used to perform anti-rollback verification of all trusted software components as they are loaded. After booting, the memory image of the table is written in a secure manner to non-volatile memory as a replacement anti-rollback table, and the temporary anti-rollback table is deleted. The minimum required table version number in OTP memory is incremented. The temporary anti-rollback table is created and signed using a private key at authorized service centers; a corresponding public key in the electronic device verifies its authenticity.Type: ApplicationFiled: March 1, 2013Publication date: September 4, 2014Applicant: ST-ERICSSON SAInventors: Per Ståhl, Håkan Englund, Hans Holmberg
-
Publication number: 20140095918Abstract: An exemplary method of maintaining secure time in a computing device is disclosed in which one or more processors implements a Rich Execution Environment (REE), and a separate Trusted Execution Environment (TEE). The TEE maintains a real-time clock (RTC) that provides a RTC time to the REE. A RTC offset is stored in non-volatile memory, with the RTC offset indicating a difference between the RTC time and a protected reference (PR) time. Responsive to a request from the REE to read the RTC time, a current RTC time is returned to the REE. Responsive to a request from the REE to adjust the RTC time, the RTC time and the corresponding RTC offset are adjusted by a same amount, such that the PR time is not altered by the RTC adjustment. An exemplary computing device operable to implement the method is also disclosed.Type: ApplicationFiled: September 28, 2012Publication date: April 3, 2014Inventors: Per Ståhl, Håkan Englund, Martin Hovang, Hervé Sibert
-
Publication number: 20130340047Abstract: Systems and methods are provided for authenticating Internet Protocol (IP) Multimedia Subsystem (IMS) applications in a User Equipment (UE). A method includes: receiving a first Session Initiation Protocol (SIP) REGISTER message from an IMS application operating on the UE; transmitting a response message to the IMS application based on the received first SIP REGISTER message; receiving a second SIP REGISTER message from the IMS application operating on the UE; determining authentication for the IMS application based on the received second SIP REGISTER message from the IMS application operating on the UE; and based on the step of determining authentication for the IMS application, if the IMS application is authorized, then transmitting information associated with the first and second SIP REGISTER messages toward a SIP node or if the IMS application is unauthorized, then discarding data associated with the first and second SIP REGISTER messages.Type: ApplicationFiled: April 19, 2013Publication date: December 19, 2013Applicant: ST-Ericsson SAInventors: Stefan RUNESON, Per STAHL
-
Patent number: 8484451Abstract: A composite customer ID (CCID) is stored in the OTP memory of integrated circuit chipsets used by a number of different customers. The CCID includes individual customer IDs (CIDs) at defined index positions, each corresponding to a different customer. Each chipset allows or disallows software booting, based reading a certificate index value from a given customer's certificate, reading an OTP CID from OTP, as pointed to the by certificate index value, and evaluating the OTP CID with a certificate CID read from the certificate. Thus, while CCID carries information for a plurality of customers, each customer's certificate points only to that customer's OTP CID, which can be changed to revoke that customer's certificate without revoking the other customers' certificates. The CCID also may include a version number, where the chipsets allow or disallow software booting based on evaluating the certificate version number in view of the CCID version number.Type: GrantFiled: March 11, 2010Date of Patent: July 9, 2013Assignee: ST-Ericsson SAInventors: Hervé Sibert, Per Ståhl
-
Patent number: 8225110Abstract: An electronic device requires valid control keys to change any usage restriction setting. The device is provided control keys, a secret key, and a signed software object including a batch ID and a hash of the secret key. For each control key, the device generates a cryptographic footprint bound to the device and the secret key. A message authentication code (MAC) of each usage restriction setting is generated, the MAC bound to the device and a control key. To change a usage restriction, the device receives a control key, validates it against the stored footprint, changes the usage restriction settings, and generates a new usage restriction setting MAC. The control key footprints are bound to the secret key, but the device retains only a hash of the secret key.Type: GrantFiled: January 9, 2009Date of Patent: July 17, 2012Assignee: Telefonaktiebolaget LM Ericsson (publ)Inventors: Per Stáhl, Chris Loreskär, Bernard Smeets
-
Patent number: 8060748Abstract: Methods and apparatus for verifying that an electronic device has been disabled are disclosed. An exemplary electronic device includes a communications interface, a secure memory, storing a secret key, and a cryptographic circuit configured to calculate a verification token from the secret key, using a first cryptographic operation. The cryptographic circuit is further configured to calculate an identification token from the verification token, using a second cryptographic operation. The cryptographic circuit is further configured to output the identification token in response to a first command received via the communications interface. The verification token is output to the communications interface only if a predetermined functionality of the electronic device has been disabled. The electronic device may further comprise a disabling circuit configured to disable the predetermined functionality in response to a disable command.Type: GrantFiled: December 21, 2007Date of Patent: November 15, 2011Assignee: Telefonaktiebolaget LM Ericsson (publ)Inventors: Petri Mikael Johansson, Per Ståhl
-
Publication number: 20110225409Abstract: A composite customer ID (CCID) is stored in the OTP memory of integrated circuit chipsets used by a number of different customers. The CCID includes individual customer IDs (CIDs) at defined index positions, each corresponding to a different customer. Each chipset allows or disallows software booting, based reading a certificate index value from a given customer's certificate, reading an OTP CID from OTP, as pointed to the by certificate index value, and evaluating the OTP CID with a certificate CID read from the certificate. Thus, while CCID carries information for a plurality of customers, each customer's certificate points only to that customer's OTP CID, which can be changed to revoke that customer's certificate without revoking the other customers' certificates. The CCID also may include a version number, where the chipsets allow or disallow software booting based on evaluating the certificate version number in view of the CCID version number.Type: ApplicationFiled: March 11, 2010Publication date: September 15, 2011Inventors: Herve Sibert, Per Stahl