Patents by Inventor Sebastian J. Hans

Sebastian J. Hans has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10387219
    Abstract: Multiple host elements, such as smart cards, embedded secure elements, smart micro SD cards, or other card computing devices, within a mobile computing device (e.g., a mobile phone) may utilize a host API enabling applications to communicate over a network within the computing device. Applications may discover one another, establish themselves as hosts, obtain a host ID, request communication pipes, and utilize a host registry storing information regarding host elements. Additionally, multiple runtime execution environments may co-exist within a single host element of a mobile computing device, communicating and operating as hosts on the computing device even if the host element is associated with a single host ID. Messages from/to the multiple environments may be exchanged with other hosts while the environments share a physical communication link.
    Type: Grant
    Filed: March 10, 2015
    Date of Patent: August 20, 2019
    Assignee: Oracle International Corporation
    Inventor: Sebastian J. Hans
  • Patent number: 10185669
    Abstract: Secure key derivation within a virtualized execution environment may involve a key derivation module executing within a platform layer of the execution environment. An application executing within an application layer of the execution environment may access the key derivation module in order to generate a cryptographic key according to a key derivation function. Instead of being returned to the application, the derived key may be stored within a secure storage area of the execution environment without being stored, even temporarily in the application layer, or other non-secure areas, of the execution environment. The application may receive a reference to the derived key usable by other cryptographic processes. The application may pass the key reference to a method of a cryptographic module and the cryptographic module may use the key reference to access the derived key from the secure storage for use in performing any of various cryptographic processes.
    Type: Grant
    Filed: August 4, 2014
    Date of Patent: January 22, 2019
    Assignee: Oracle International Corporation
    Inventors: Sebastian J. Hans, Eric M. Vetillard
  • Patent number: 9870217
    Abstract: A method involves registering events. The method may include receiving an install command for an applet by a runtime environment executing on a card computing device. The install command may comprise a tag-length-value (TLV) structure with a tag identifying an event-list for registration with a toolkit registry of the runtime environment. Further, the event-list may comprise a toolkit event. The method may further include executing, by the runtime environment, the install command for the applet. The method may further include creating an applet instance of the applet in response to executing the install command. The method may further include registering the applet instance with the toolkit registry by generating, by the runtime environment, a toolkit registry object for the applet instance. Registering the applet instance with the toolkit registry may further include assigning the toolkit registry object to the applet instance.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: January 16, 2018
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventor: Sebastian J. Hans
  • Patent number: 9843674
    Abstract: A card computing device may include and manage multiple virtualized universal integrated circuit cards (UICCs) for use with mobile communications. The card computing device may be capable of storing information, and executing applications, for multiple mobile networks (e.g., using multiple virtual UICCs) and of managing switches among those mobile networks. A mobile network operator (MNO) may be represented by a MNO profile, which, when enabled, may look and behave like a dedicated UICC. One or more applications may be deployed on the card computing device and each may be associated with a MNO profile. When a MNO profile is enabled, one or more applications may be activated and when a MNO profile is disabled, one or more active applications may be deactivated, according to some embodiments. Thus, a card computing device may be configured to activate and deactivate applications as part of managing MNO profiles.
    Type: Grant
    Filed: September 24, 2014
    Date of Patent: December 12, 2017
    Assignee: Oracle International Corporation
    Inventor: Sebastian J. Hans
  • Patent number: 9807595
    Abstract: Systems, methods, and other embodiments associated with terminal reading using an update list are described. In one embodiment, a method includes identifying a request to modify an object having corresponding data stored on a smart card installed in a terminal; storing an object identifier for the object in an update list; modifying the data corresponding to the object per the instruction; and providing the update list for access by the terminal. In another embodiment, the method may also include receiving a card read command; accessing an update list; identifying one or more objects in the update list; and reading data corresponding to the one or more objects, such that data corresponding to objects in the set of objects that are not in the update list are not read.
    Type: Grant
    Filed: July 9, 2014
    Date of Patent: October 31, 2017
    Assignees: ORACLE INTERNATIONAL CORPORATION, ORACLE DEUTSCHLAND B.V. & CO. KG
    Inventors: Sebastian J. Hans, Alexander Glasman
  • Publication number: 20170262267
    Abstract: A method involves registering events. The method may include receiving an install command for an applet by a runtime environment executing on a card computing device. The install command may comprise a tag-length-value (TLV) structure with a tag identifying an event-list for registration with a toolkit registry of the runtime environment. Further, the event-list may comprise a toolkit event. The method may further include executing, by the runtime environment, the install command for the applet. The method may further include creating an applet instance of the applet in response to executing the install command. The method may further include registering the applet instance with the toolkit registry by generating, by the runtime environment, a toolkit registry object for the applet instance. Registering the applet instance with the toolkit registry may further include assigning the toolkit registry object to the applet instance.
    Type: Application
    Filed: March 8, 2016
    Publication date: September 14, 2017
    Inventor: Sebastian J. Hans
  • Publication number: 20160266943
    Abstract: Multiple host elements, such as smart cards, embedded secure elements, smart micro SD cards, or other card computing devices, within a mobile computing device (e.g., a mobile phone) may utilize a host API to enable applications to discover and communicate over a network within the computing device. Applications may discover one another, establish themselves as hosts and obtain a host ID, and request communication pipes with one another, as well as utilize a host registry configured to store information regarding host elements, according to some embodiments. Additionally, multiple runtime execution environments may co-exist within a single host element of a mobile computing device. Both execution environments may communicate and operate as hosts on the computing device even if the host element is associated with a single host ID. Messages from/to the two environments may be exchanged with other hosts while the two environments share a physical communication link.
    Type: Application
    Filed: March 10, 2015
    Publication date: September 15, 2016
    Inventor: Sebastian J. Hans
  • Publication number: 20160088464
    Abstract: A card computing device may include and manage multiple virtualized universal integrated circuit cards (UICCs) for use with mobile communications. The card computing device may be capable of storing information, and executing applications, for multiple mobile networks (e.g., using multiple virtual UICCs) and of managing switches among those mobile networks. A mobile network operator (MNO) may be represented by a MNO profile, which, when enabled, may look and behave like a dedicated UICC. One or more applications may be deployed on the card computing device and each may be associated with a MNO profile. When a MNO profile is enabled, one or more applications may be activated and when a MNO profile is disabled, one or more active applications may be deactivated, according to some embodiments. Thus, a card computing device may be configured to activate and deactivate applications as part of managing MNO profiles.
    Type: Application
    Filed: September 24, 2014
    Publication date: March 24, 2016
    Applicant: ORACLE INTERNATIONAL CORPORATION
    Inventor: Sebastian J. Hans
  • Publication number: 20160036587
    Abstract: Secure key derivation within a virtualized execution environment may involve a key derivation module executing within a platform layer of the execution environment. An application executing within an application layer of the execution environment may access the key derivation module in order to generate a cryptographic key according to a key derivation function. Instead of being returned to the application, the derived key may be stored within a secure storage area of the execution environment without being stored, even temporarily in the application layer, or other non-secure areas, of the execution environment. The application may receive a reference to the derived key usable by other cryptographic processes. The application may pass the key reference to a method of a cryptographic module and the cryptographic module may use the key reference to access the derived key from the secure storage for use in performing any of various cryptographic processes.
    Type: Application
    Filed: August 4, 2014
    Publication date: February 4, 2016
    Applicant: ORACLE INTERNATIONAL CORPORATION
    Inventors: Sebastian J. Hans, Eric M. Vetillard
  • Publication number: 20160014594
    Abstract: Systems, methods, and other embodiments associated with terminal reading using an update list are described. In one embodiment, a method includes identifying a request to modify an object having corresponding data stored on a smart card installed in a terminal; storing an object identifier for the object in an update list; modifying the data corresponding to the object per the instruction; and providing the update list for access by the terminal. In another embodiment, the method may also include receiving a card read command; accessing an update list; identifying one or more objects in the update list; and reading data corresponding to the one or more objects, such that data corresponding to objects in the set of objects that are not in the update list are not read.
    Type: Application
    Filed: July 9, 2014
    Publication date: January 14, 2016
    Inventors: Sebastian J. Hans, Alexander Glasman
  • Patent number: 9058498
    Abstract: A card computing device may be configured to establish and manage secure channel communications between terminal applications and local applications installed on the card computing device. A runtime component of the card computing device may be configured to generate a registry of applications available as endpoints for secure channel communications, either in response to applications registering as endpoints or based on installation parameters on the card computing device. The runtime component may provide a list of the registered applications to a terminal application. The runtime component may establish a secure channel between a terminal application and a local application and may receive and decrypt secure commands from the terminal application. The runtime component may forward the decrypted commands to the local application and encrypt and forward responses from the local application to the terminal application.
    Type: Grant
    Filed: July 12, 2012
    Date of Patent: June 16, 2015
    Assignee: Oracle International Corporation
    Inventor: Sebastian J. Hans
  • Publication number: 20140019746
    Abstract: A card computing device may be configured to establish and manage secure channel communications between terminal applications and local applications installed on the card computing device. A runtime component of the card computing device may be configured to generate a registry of applications available as endpoints for secure channel communications, either in response to applications registering as endpoints or based on installation parameters on the card computing device. The runtime component may provide a list of the registered applications to a terminal application. The runtime component may establish a secure channel between a terminal application and a local application and may receive and decrypt secure commands from the terminal application. The runtime component may forward the decrypted commands to the local application and encrypt and forward responses from the local application to the terminal application.
    Type: Application
    Filed: July 12, 2012
    Publication date: January 16, 2014
    Inventor: Sebastian J. Hans
  • Patent number: 8225082
    Abstract: A system for loading application identifiers to a mobile device includes a mobile device, a card device insertable into the mobile device, and an application center. The card device is adapted to determine an effective mobile device identifier of the mobile device, and transmit the effective mobile device identifier to the application center. The effective mobile device identifier is based at least in part on the result of a process performed by the card device. The application center is adapted to (1) determine zero or more allotted application identifiers and zero or more application identifiers of applications loaded on the mobile device based at least in part on the effective mobile device identifier, (2) identify at least one application identifier of the zero or more allotted application identifiers which does not form part of the zero or more application identifiers of applications loaded on the mobile device, and (3) load the at least one application identifier to the mobile device.
    Type: Grant
    Filed: March 24, 2011
    Date of Patent: July 17, 2012
    Assignee: Oracle America, Inc.
    Inventors: Sebastian J. Hans, Eduard K. de Jong
  • Patent number: 8176533
    Abstract: An authentication mechanism is provided to authenticate both client and user of a portable computing device when the user causes a client to request a protected resource on the portable computing device. Upon receiving a request for a protected resource by the client, the authentication mechanism determines which authentication method is specified for authentication of the client, and authenticates the client accordingly. Upon a determination that the client is authentic, the authentication mechanism invokes a user interface that is separate and distinct from the client to solicit input from the user. Based on the input solicited from the user, the authentication mechanism determines whether the user is an authentic user of the portable computing device. If it is determined that the user is an authentic user, the authentication mechanism determines based on an indication from the user whether the client should be authorized to access the protected resource requested.
    Type: Grant
    Filed: November 6, 2006
    Date of Patent: May 8, 2012
    Assignee: Oracle America, Inc.
    Inventors: Thierry P. Violleau, Tanjore Ravishankar, Matthew R. Hill, Sebastian J. Hans
  • Publication number: 20110177803
    Abstract: A system for loading application identifiers to a mobile device includes a mobile device, a card device insertable into the mobile device, and an application center. The card device is adapted to determine an effective mobile device identifier of the mobile device, and transmit the effective mobile device identifier to the application center. The effective mobile device identifier is based at least in part on the result of a process performed by the card device. The application center is adapted to (1) determine zero or more allotted application identifiers and zero or more application identifiers of applications loaded on the mobile device based at least in part on the effective mobile device identifier, (2) identify at least one application identifier of the zero or more allotted application identifiers which does not form part of the zero or more application identifiers of applications loaded on the mobile device, and (3) load the at least one application identifier to the mobile device.
    Type: Application
    Filed: March 24, 2011
    Publication date: July 21, 2011
    Inventors: Sebastian J. Hans, Eduard K. de Jong
  • Patent number: 7941656
    Abstract: A system for loading application identifiers to a mobile device includes a mobile device, a card device insertable into the mobile device, and an application center. The card device is adapted to determine an effective mobile device identifier of the mobile device, and transmit the effective mobile device identifier to the application center. The effective mobile device identifier is based at least in part on the result of a process performed by the card device. The application center is adapted to (1) determine zero or more allotted application identifiers and zero or more application identifiers of applications loaded on the mobile device based at least in part on the effective mobile device identifier, (2) identify at least one application identifier of the zero or more allotted application identifiers which does not form part of the zero or more application identifiers of applications loaded on the mobile device, and (3) load the at least one application identifier to the mobile device.
    Type: Grant
    Filed: March 13, 2006
    Date of Patent: May 10, 2011
    Assignee: Oracle America, Inc.
    Inventors: Sebastian J. Hans, Eduard K. de Jong
  • Publication number: 20040199787
    Abstract: A card device for communication with an electronic device comprises a memory for storing a capabilities list associated with an application program. The capabilities list comprises information regarding access to one or more resources for use by the application program. The memory is also for storing the application program and a security manager. The card device comprises a processing unit for executing the application program and the security manager, for selectively granting access to the one or more resources for use by the application program based at least in part on the capabilities list.
    Type: Application
    Filed: March 19, 2004
    Publication date: October 7, 2004
    Applicant: Sun Microsystems, Inc., a Delaware Corporation
    Inventors: Sebastian J. Hans, Eduard K. de Jong