U.S. patent application number 10/954197, filed on October 1, 2004 and published on 2006-04-06 as US 2006/0075075 A1, is for a method and system to contextually initiate synchronization services on mobile terminals in an enterprise environment.
Invention is credited to Jussi E. Maki, Jouni I. Malinen.
Application Number: 20060075075 (Appl. No. 10/954197)
Family ID: 36126173
Publication Date: 2006-04-06
United States Patent Application 20060075075
Kind Code: A1
Malinen; Jouni I.; et al.
April 6, 2006
Method and system to contextually initiate synchronization services on mobile terminals in an enterprise environment
Abstract
A system and method are disclosed for providing security
features to a wireless mobile device based upon its context when it
establishes a wireless connection with different access points. A
plurality of access points are connected to a connectivity server
which includes a security context middleware. Each of the access
points also includes a security context middleware. Furthermore,
each mobile wireless device includes security context middleware. A
context manager program in the server determines a context for a
wireless mobile device from a signal received from an access point
indicating that the wireless mobile device is wirelessly connected
to the access point. A database connected to the server stores
security feature data which is accessible by the determined context
to implement a security process. The context manager accesses the
stored security feature data based on the determined context and
sends a command representing the security feature data to the
middleware programs in the server, the access point and the mobile
wireless device to implement the security process in the mobile
wireless device.
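The control path the abstract describes, as an added worked example that is not code from the application or its inventors: an access point reports a connection, the context manager in the server derives a context from the access point identity, device identity, link type, time of day and the requested service (claims 7, 8 and 17), looks that context up in a table of security feature data, and sends one command to the middleware on the server, the access point and the device, each of which selects a subroutine by that command (claim 1). Every identifier, policy row, command name, subroutine string, the 08:00 to 18:00 business-hours window and the service classification are assumptions made for illustration; the page specifies none of them.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class ConnectionSignal:
    """What the access point reports when a device connects (field names assumed)."""
    ap_id: str
    device_id: str
    link: str                  # "wlan" (IEEE 802.11) or "bluetooth"
    at: time                   # time of day of the connection
    service: Optional[str]     # requested service, e.g. "sync:calendar", or None

@dataclass(frozen=True)
class Context:
    ap_id: str
    device_id: str
    link: str
    business_hours: bool
    service_class: str         # "none", "pim" or "corporate"

@dataclass(frozen=True)
class Rule:
    """One row of security feature data; None in a field means 'any value'."""
    ap_id: Optional[str]
    device_id: Optional[str]
    link: Optional[str]
    business_hours: Optional[bool]
    service_class: Optional[str]
    command: str               # the one command sent to all three middlewares

    def matches(self, ctx: Context) -> bool:
        wanted = (self.ap_id, self.device_id, self.link, self.business_hours, self.service_class)
        got = (ctx.ap_id, ctx.device_id, ctx.link, ctx.business_hours, ctx.service_class)
        return all(w is None or w == g for w, g in zip(wanted, got))

# Assumed policy table: first matching row wins, so specific rows come first
# and the last row is an explicit deny-by-default.
POLICY: List[Rule] = [
    Rule("ap-lobby",  None,       "wlan",      None, "corporate", "DENY"),
    Rule("ap-lobby",  None,       "wlan",      None, None,        "AUTH_EAP_TLS_WPA2"),
    Rule("ap-office", "dev-exec", "wlan",      True, None,        "AUTH_EAP_TLS_WPA2"),
    Rule("ap-office", None,       "wlan",      True, None,        "AUTH_PEAP_WPA2"),
    Rule("ap-office", None,       "bluetooth", None, "pim",       "AUTH_BT_PAIRED_ENC"),
    Rule(None,        None,       None,        None, None,        "DENY"),
]

# Subroutine table shared by the server, access point and device middleware;
# each entry stands in for the real authentication/encryption routine.
SUBROUTINES: Dict[str, Callable[[], str]] = {
    "AUTH_EAP_TLS_WPA2":  lambda: "802.1X EAP-TLS, WPA2/CCMP link encryption",
    "AUTH_PEAP_WPA2":     lambda: "802.1X PEAP, WPA2/CCMP link encryption",
    "AUTH_BT_PAIRED_ENC": lambda: "Bluetooth pairing, link-level encryption",
    "DENY":               lambda: "connection refused",
}

def classify_service(service: Optional[str]) -> str:
    """Claim 17: classify the application the device wants to synchronise to."""
    if service is None:
        return "none"
    app = service.split(":", 1)[-1]
    return "corporate" if app in {"crm", "erp", "fileshare"} else "pim"

def determine_context(sig: ConnectionSignal) -> Context:
    """Claims 7 and 8: context from AP identity, device identity, link type and
    time of day (business hours assumed to be 08:00 to 18:00)."""
    business_hours = time(8, 0) <= sig.at < time(18, 0)
    return Context(sig.ap_id, sig.device_id, sig.link, business_hours,
                   classify_service(sig.service))

def select_command(ctx: Context, policy: List[Rule] = POLICY) -> str:
    for rule in policy:
        if rule.matches(ctx):
            return rule.command
    return "DENY"              # fail closed even if the table has no default row

def run_middleware(role: str, command: str) -> str:
    """One middleware program selecting a subroutine by command."""
    fn = SUBROUTINES.get(command)
    if fn is None:             # unknown command: refused, never silently ignored
        return f"{role}: refused unknown command {command!r}"
    return f"{role}: {fn()}"

def signal(ap: str, dev: str, link: str, hh: int, mm: int,
           service: Optional[str] = None) -> ConnectionSignal:
    return ConnectionSignal(ap, dev, link, time(hh, mm), service)

def dispatch(sig: ConnectionSignal) -> Tuple[str, List[str]]:
    """Context manager path: context, policy lookup, one command to all three."""
    cmd = select_command(determine_context(sig))
    return cmd, [run_middleware(r, cmd) for r in ("server", "access-point", "device")]

if __name__ == "__main__":
    cmd, outcome = dispatch(signal("ap-office", "dev-sales-07", "wlan", 9, 30, "sync:calendar"))
    print(cmd, *outcome, sep="\n  ")
```

Two design points a practitioner would check in a real deployment of this scheme. First, the decision is only as good as its inputs: claim 7 keys the context on the access point identity and the device identity carried in the access point's signal, so the device identity should be bound to the credential the selected authentication process actually verifies (the EAP identity after 802.1X completes, or the paired Bluetooth link) rather than to a link-layer address the device chooses for itself, and the command path from server to access point to device needs its own authentication, because a forged command that selects a weaker subroutine undoes the policy. Second, the table is first-match, so the order of rows is part of the policy, and the explicit deny row plus the fail-closed return in `select_command` ensure that a context nobody anticipated gets no service rather than the most permissive one.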
Inventors: Malinen; Jouni I. (Espoo, FI); Maki; Jussi E. (Espoo, FI)
Correspondence Address: MORGAN & FINNEGAN, L.L.P., 3 World Financial Center, New York, NY 10281-2101, US
Family ID: 36126173
Appl. No.: 10/954197
Filed: October 1, 2004
Current U.S. Class: 709/220; 370/310
Current CPC Class: H04M 1/72448 20210101; H04M 1/72463 20210101; H04M 1/72406 20210101; H04W 8/18 20130101; H04M 1/72457 20210101; H04W 48/16 20130101
Class at Publication: 709/220; 370/310
International Class: G06F 15/177 20060101 G06F015/177
Claims
1. A system to provide security features to a wireless mobile
device based on its context, comprising: a first middleware program
stored in a memory of a wireless mobile device, having a plurality
of security process subroutines selectable by a command; a second
middleware program stored in a memory of a wireless access point
device, having a plurality of security process subroutines
selectable by said command; a third middleware program stored in a
memory of a server in a network coupled to said access point
device, having a plurality of security process subroutines
selectable by said command; a context manager program in said
server for determining a context for said wireless mobile device
from a signal received from said access point indicating that said
wireless mobile device is wirelessly connected to said access
point; a database coupled to said server for storing security
feature data accessible by said determined context to implement a
security process; said context manager accessing said stored
security feature data based on said determined context and sending
a command representing said security feature data to said first,
second, and third middleware programs to implement said security
process in said wireless mobile device, said access point device,
and said server, respectively.
2. The system of claim 1, which further comprises: said database
storing service data accessible by said determined context to
implement a service; said context manager accessing said stored
service data based on said determined context and sending a message
representing said service data to said wireless mobile device to
implement said service in said wireless mobile device.
3. The system of claim 1, which further comprises: said database
storing third-party message data accessible by said determined
context to implement a service; said context manager accessing said
stored third-party message data based on said determined context
and sending a message representing said message data to a third
party for providing said wireless mobile device a service.
4. The system of claim 3, which further comprises: a Bluetooth
communications subsystem in said wireless mobile device; a
Bluetooth communications subsystem in said wireless access point
device; said context manager program determining said context for
said wireless mobile device from a signal received from said access
point indicating that said Bluetooth communications subsystems have
established a connection between said wireless mobile device and
said access point; a cellular telephone communications subsystem in
said wireless mobile device; said third party selectively providing
said service to said wireless mobile device via said cellular
telephone communications subsystem or said Bluetooth communications
subsystem.
5. The system of claim 3, which further comprises: an IEEE 802.11
wireless LAN communications subsystem in said wireless mobile
device; an IEEE 802.11 wireless LAN communications subsystem in
said wireless access point device; said context manager program
determining said context for said wireless mobile device from a
signal received from said access point indicating that said IEEE
802.11 wireless LAN communications subsystems have established a
connection between said wireless mobile device and said access
point; a cellular telephone communications subsystem in said
wireless mobile device; said third party selectively providing said
service to said wireless mobile device via said cellular telephone
communications subsystem or said IEEE 802.11 wireless LAN
communications subsystem.
6. The system of claim 1, which further comprises: said context
manager program further accessing said stored security feature data
based on a type of service requested by said mobile device.
7. The system of claim 1, which further comprises: said context
manager program determining said context for said wireless mobile
device from an identity of said access point and an identity of
said wireless mobile device.
8. The system of claim 7, which further comprises: said context
manager program further determining said context for said wireless
mobile device from a time of day said wireless mobile device
connects to said access point.
9. The system of claim 1, which further comprises: said security
feature data stored in said database representing an authentication
process accessible by said determined context to authenticate said
wireless mobile device when wirelessly connected to said access
point.
10. The system of claim 9, which further comprises: said security
feature data stored in said database representing a first
authentication process to be applied to authenticating a first
wireless mobile device and a second authentication process to be
applied to authenticating a second wireless mobile device
accessible by said determined context detected at said wireless
access point.
11. The system of claim 1, which further comprises: said security
feature data stored in said database representing an encryption
process accessible by said determined context to encrypt
communications between said wireless mobile device and said access
point.
12. The system of claim 11, which further comprises: said security
feature data stored in said database representing a first
encryption process to be applied to encrypting a first wireless
mobile device and a second encryption process to be applied to
encrypting a second wireless mobile device accessible by said
determined context detected at said wireless access point.
13. The system of claim 1, which further comprises: said security
feature data stored in said database representing a first
selectable security process and a second selectable security
process, which are alternately selectable by a system administrator
to be applied when a wireless mobile device is detected by said
context manager program to be at said wireless access point.
14. The system of claim 1, which further comprises: said security
feature data stored in said database representing a first
selectable security process and a second selectable security
process, which are alternately selectable by a control program to
be applied when a wireless mobile device is detected by said
context manager program to be at said wireless access point.
15. The system of claim 1, which further comprises: a Bluetooth
communications subsystem in said wireless mobile device; a
Bluetooth communications subsystem in said wireless access point
device; said context manager program determining said context for
said wireless mobile device from a signal received from said access
point indicating that said Bluetooth communications subsystems have
established a connection between said wireless mobile device and
said access point.
16. The system of claim 1, which further comprises: an IEEE 802.11
wireless LAN communications subsystem in said wireless mobile
device; an IEEE 802.11 wireless LAN communications subsystem in
said wireless access point device; said context manager program
determining said context for said wireless mobile device from a
signal received from said access point indicating that said IEEE
802.11 wireless LAN communications subsystems have established a
connection between said wireless mobile device and said access
point.
17. The system of claim 1, which further comprises: said context
manager program classifying a service requested by said mobile
device to synchronize to an application and establishing an
appropriate security feature to apply to said mobile device based
on said classification.
18. The system of claim 1, which further comprises: said context
manager comparing said determined context with threshold values of
services for said mobile wireless device generating a triggering
event when a comparison is satisfied.
19. The system of claim 18, which further comprises: said
triggering event initiating sending a message representing said
service data to said wireless mobile device to implement said
service in said wireless mobile device.
20. The system of claim 18, which further comprises: said
triggering event initiating pushing said service represented by
said service data to said wireless mobile device.
21. A method to provide security features to a wireless mobile
device based on its context, comprising: storing a first middleware
program in a memory of a wireless mobile device, having a plurality
of security process subroutines selectable by a command; storing a
second middleware program in a memory of a wireless access point
device, having a plurality of security process subroutines
selectable by said command; storing a third middleware program in a
memory of a server in a network coupled to said access point
device, having a plurality of security process subroutines
selectable by said command; determining with a context manager
program in said server a context for said wireless mobile device
from a signal received from said access point indicating that said
wireless mobile device is wirelessly connected to said access
point; storing in a database coupled to said server security
feature data accessible by said determined context to implement a
security process; accessing with said context manager said stored
security feature data based on said determined context and sending
a command representing said security feature data to said first,
second, and third middleware programs to implement said security
process in said wireless mobile device, said access point device,
and said server, respectively.
22. The method of claim 21, which further comprises: said database
storing service data accessible by said determined context to
implement a service; said context manager accessing said stored
service data based on said determined context and sending a message
representing said service data to said wireless mobile device to
implement said service in said wireless mobile device.
23. The method of claim 21, which further comprises: said database
storing third-party message data accessible by said determined
context to implement a service; said context manager accessing said
stored third-party message data based on said determined context
and sending a message representing said message data to a third
party for providing said wireless mobile device a service.
24. The method of claim 23, which further comprises: operating a
Bluetooth communications subsystem in said wireless mobile device;
operating a Bluetooth communications subsystem in said wireless
access point device; said context manager program determining said
context for said wireless mobile device from a signal received from
said access point indicating that said Bluetooth communications
subsystems have established a connection between said wireless
mobile device and said access point; operating a cellular telephone
communications subsystem in said wireless mobile device; said third
party selectively providing said service to said wireless mobile
device via said cellular telephone communications subsystem or said
Bluetooth communications subsystem.
25. The method of claim 23, which further comprises: operating an
IEEE 802.11 wireless LAN communications subsystem in said wireless
mobile device; operating an IEEE 802.11 wireless LAN communications
subsystem in said wireless access point device; said context
manager program determining said context for said wireless mobile
device from a signal received from said access point indicating
that said IEEE 802.11 wireless LAN communications subsystems have
established a connection between said wireless mobile device and
said access point; operating a cellular telephone communications
subsystem in said wireless mobile device; said third party
selectively providing said service to said wireless mobile device
via said cellular telephone communications subsystem or said IEEE
802.11 wireless LAN communications subsystem.
26. The method of claim 21, which further comprises: said context
manager program further accessing said stored security feature data
based on a type of service requested by said mobile device.
27. The method of claim 21, which further comprises: said context
manager program determining said context for said wireless mobile
device from an identity of said access point and an identity of
said wireless mobile device.
28. The method of claim 27, which further comprises: said context
manager program further determining said context for said wireless
mobile device from a time of day said wireless mobile device
connects to said access point.
29. The method of claim 21, which further comprises: said security
feature data stored in said database representing an authentication
process accessible by said determined context to authenticate said
wireless mobile device when wirelessly connected to said access
point.
30. The method of claim 29, which further comprises: said security
feature data stored in said database representing a first
authentication process to be applied to authenticating a first
wireless mobile device and a second authentication process to be
applied to authenticating a second wireless mobile device
accessible by said determined context detected at said wireless
access point.
31. The method of claim 21, which further comprises: said security
feature data stored in said database representing an encryption
process accessible by said determined context to encrypt
communications between said wireless mobile device and said access
point.
32. The method of claim 31, which further comprises: said security
feature data stored in said database representing a first
encryption process to be applied to encrypting a first wireless
mobile device and a second encryption process to be applied to
encrypting a second wireless mobile device accessible by said
determined context detected at said wireless access point.
33. The method of claim 21, which further comprises: said security
feature data stored in said database representing a first
selectable security process and a second selectable security
process, which are alternately selectable by a system administrator
to be applied when a wireless mobile device is detected by said
context manager program to be at said wireless access point.
34. The method of claim 21, which further comprises: said security
feature data stored in said database representing a first
selectable security process and a second selectable security
process, which are alternately selectable by a control program to
be applied when a wireless mobile device is detected by said
context manager program to be at said wireless access point.
35. The method of claim 21, which further comprises: operating a
Bluetooth communications subsystem in said wireless mobile device;
operating a Bluetooth communications subsystem in said wireless
access point device; said context manager program determining said
context for said wireless mobile device from a signal received from
said access point indicating that said Bluetooth communications
subsystems have established a connection between said wireless
mobile device and said access point.
36. The method of claim 21, which further comprises: operating an
IEEE 802.11 wireless LAN communications subsystem in said wireless
mobile device; operating an IEEE 802.11 wireless LAN communications
subsystem in said wireless access point device; said context
manager program determining said context for said wireless mobile
device from a signal received from said access point indicating
that said IEEE 802.11 wireless LAN communications subsystems have
established a connection between said wireless mobile device and
said access point.
37. The method of claim 21, which further comprises: said context
manager program classifying a service requested by said mobile
device to synchronize to an application, and establishing an
appropriate security feature to apply to said mobile device based
on said classification.
38. The method of claim 21, which further comprises: said context
manager comparing said determined context with threshold values of
services for said mobile wireless device generating a triggering
event when a comparison is satisfied.
39. The method of claim 38, which further comprises: said
triggering event initiating sending a message representing said
service data to said wireless mobile device to implement said
service in said wireless mobile device.
40. The method of claim 38, which further comprises: said
triggering event initiating pushing said service represented by
said service data to said wireless mobile device.
41. A system to provide security features to a wireless mobile
device based on its context, comprising: a first middleware program
stored in a memory of a first wireless mobile device, having a
plurality of security process subroutines selectable by a command;
a second middleware program stored in a memory of a second wireless
device having a known current location, said middleware having a
plurality of security process subroutines selectable by said
command; a context manager program in a server coupled to said
second wireless device for determining a context for said first
wireless mobile device when said first wireless mobile device is
wirelessly connected to said second wireless device; a database
coupled to said server for storing security feature data accessible
by said determined context to implement a security process; said
context manager accessing said stored security feature data based
on said determined context and issuing a command representing said
security feature data to said first and second middleware programs
to implement said security process in said first wireless mobile
device and said second wireless device, respectively.
42. The system of claim 41, which further comprises: said server
and said context manager are contained within said second wireless
device.
43. The system of claim 42, which further comprises: said database
is contained within said second wireless device.
44. The system of claim 41, which further comprises: said database
storing service data accessible by said determined context to
implement a service; said context manager accessing said stored
service data based on said determined context and providing said
service data to said wireless mobile device to implement said
service in said wireless mobile device.
45. The system of claim 41, which further comprises: said database
storing third-party message data accessible by said determined
context to implement a service; said context manager accessing said
stored third-party message data based on said determined context
and sending a message representing said message data to a third
party for providing said wireless mobile device a service.
46. The system of claim 45, which further comprises: a cellular
telephone communications subsystem in said first wireless mobile
device; said third party selectively providing said service to said
wireless mobile device via said cellular telephone communications
subsystem or said second wireless device.
47. The system of claim 41, which further comprises: said second
wireless device is mobile and includes a location detector coupled
to said context manager for providing said known current
location.
48. The system of claim 47, which further comprises: said server
and said context manager are contained within said second wireless
device.
49. The system of claim 48, which further comprises: said database
is contained within said second wireless device.
50. The system of claim 47, which further comprises: said database
storing service data accessible by said determined context to
implement a service; said context manager accessing said stored
service data based on said determined context and providing said
service data to said wireless mobile device to implement said
service in said wireless mobile device.
51. The system of claim 47, which further comprises: said database
storing third-party message data accessible by said determined
context to implement a service; said context manager accessing said
stored third-party message data based on said determined context
and sending a message representing said message data to a third
party for providing said wireless mobile device a service.
52. The system of claim 51, which further comprises: a cellular
telephone communications subsystem in said first wireless mobile
device; said third party providing said service to said wireless
mobile device via said cellular telephone communications
subsystem.
53. A server to provide security features to a wireless mobile
device based on its context, comprising: a computer coupled to a
wireless access point; a context manager program stored in a memory
of the computer, for determining a context for a wireless mobile
device when said wireless mobile device is wirelessly connected to
said wireless access point; a database coupled to said computer for
storing security feature data accessible by said determined context
to implement a security process; said context manager accessing
said stored security feature data based on said determined context
and issuing a command representing said security feature data; a
middleware program stored in a memory of the computer, having a
plurality of security process subroutines selectable by said
command, to operatively interact with a first middleware program in
said access point and a second middleware program in said mobile
wireless device, to implement said security process in said first
wireless mobile device and said second wireless device,
respectively.
54. The server of claim 53, which further comprises: said database
storing service data accessible by said determined context to
implement a service; said context manager accessing said stored
service data based on said determined context and providing said
service data to said wireless mobile device to implement said
service in said wireless mobile device.
55. The server of claim 53, which further comprises: said database
storing third-party message data accessible by said determined
context to implement a service; said context manager accessing said
stored third-party message data based on said determined context
and sending a message representing said message data to a third
party for providing said wireless mobile device a service.
56. The server of claim 55, which further comprises: said third
party selectively providing said service to said wireless mobile
device via a cellular telephone communications subsystem or said
wireless access point.
57. The server of claim 53, which further comprises: said wireless
access point is mobile and includes a location detector coupled to
said context manager for providing a known current location.
58. The server of claim 53, which further comprises: said context
manager program further accessing said stored security feature data
based on a type of service requested by said wireless mobile
device.
59. The server of claim 53, which further comprises: said context
manager program determining said context for said wireless mobile
device from an identity of said access point and an identity of
said wireless mobile device.
60. The server of claim 59, which further comprises: said context
manager program further determining said context for said wireless
mobile device from a time of day said wireless mobile device
connects to said access point.
61. The server of claim 53, which further comprises: said security
feature data stored in said database representing an authentication
process accessible by said determined context to authenticate said
wireless mobile device when wirelessly connected to said access
point.
62. The server of claim 61, which further comprises: said security
feature data stored in said database representing a first
authentication process to be applied to authenticating a first
wireless mobile device and a second authentication process to be
applied to authenticating a second wireless mobile device
accessible by said determined context detected at said wireless
access point.
63. The server of claim 53, which further comprises: said security
feature data stored in said database representing an encryption
process accessible by said determined context to encrypt
communications between said wireless mobile device and said access
point.
64. The server of claim 63, which further comprises: said security
feature data stored in said database representing a first
encryption process to be applied to encrypting a first wireless
mobile device and a second encryption process to be applied to
encrypting a second wireless mobile device accessible by said
determined context detected at said wireless access point.
65. The server of claim 53, which further comprises: said security
feature data stored in said database representing a first
selectable security process and a second selectable security
process, which are alternately selectable by a system administrator
to be applied when a wireless mobile device is detected by said
context manager program to be at said wireless access point.
66. The server of claim 53, which further comprises: said security
feature data stored in said database representing a first
selectable security process and a second selectable security
process, which are alternately selectable by a control program to
be applied when a wireless mobile device is detected by said
context manager program to be at said wireless access point.
67. A wireless access point to provide security features to a
wireless mobile device based on its context, comprising: a computer
coupled to a memory; a server interface coupled to said computer,
for interfacing with a server; a wireless communications interface
coupled to said computer, for wirelessly interfacing with a mobile
wireless device; a communications program stored in said memory,
for establishing a wireless connection with said mobile device and
providing context information to said server when said wireless
mobile device is wirelessly connected to said wireless
communications interface; a middleware program stored in said
memory, having a plurality of security process subroutines
selectable by a command received from said server in response to
said context information; said command representing a security
feature to be implemented in said access point and said wireless
mobile device by one of said subroutines selected by said
command.
68. The wireless access point of claim 67, which further comprises:
a context manager program coupled to said access point, for
determining a context of said mobile device based on said context
information.
69. The wireless access point of claim 68, which further comprises:
a database coupled to said access point for storing security
feature data accessible by a determined context of said wireless
mobile device, to implement a security process.
70. The wireless access point of claim 69, which further comprises:
said database storing service data accessible by said determined
context to implement a service; said context manager accessing said
stored service data based on said determined context and providing
said service data to said wireless mobile device to implement said
service in said wireless mobile device.
71. The wireless access point of claim 69, which further comprises:
said database storing third-party message data accessible by said
determined context to implement a service; said context manager
accessing said stored third-party message data based on said
determined context and sending a message representing said message
data to a third party for providing said wireless mobile device a
service.
72. The wireless access point of claim 71, which further comprises:
said third party selectively providing said service to said
wireless mobile device via a cellular telephone communications
subsystem or said access point.
73. The wireless access point of claim 67, which further comprises:
a location detector coupled to said access point for providing a
known current location of said access point to said context
manager.
74. The wireless access point of claim 69, which further comprises:
a Bluetooth communications subsystem in said wireless access point
device and in said mobile device; said context manager program
determining said context for said wireless mobile device from a
signal received from said access point indicating that said
Bluetooth communications subsystems have established a connection
between said wireless mobile device and said access point.
75. The wireless access point of claim 69, which further comprises:
an IEEE 802.11 wireless LAN communications subsystem in said
wireless access point device and in said mobile device; said
context manager program determining said context for said wireless
mobile device from a signal received from said access point
indicating that said IEEE 802.11 wireless LAN communications
subsystems have established a connection between said wireless
mobile device and said access point.
76. The wireless access point of claim 69, which further comprises:
said context manager program further accessing said stored security
feature data based on a type of service requested by said mobile
device.
77. The wireless access point of claim 69, which further comprises:
said context manager program determining said context for said
wireless mobile device from an identity of said access point and an
identity of said wireless mobile device.
78. The wireless access point of claim 77, which further comprises:
said context manager program further determining said context for
said wireless mobile device from a time of day said wireless mobile
device connects to said access point.
79. The wireless access point of claim 69, which further comprises:
said security feature data stored in said database representing an
authentication process accessible by said determined context to
authenticate said wireless mobile device when wirelessly connected
to said access point.
80. The wireless access point of claim 79, which further comprises:
said security feature data stored in said database representing a
first authentication process to be applied to authenticating a
first wireless mobile device and a second authentication process to
be applied to authenticating a second wireless mobile device
accessible by said determined context detected at said wireless
access point.
81. The wireless access point of claim 69, which further comprises:
said security feature data stored in said database representing an
encryption process accessible by said determined context to encrypt
communications between said wireless mobile device and said access
point.
82. The wireless access point of claim 81, which further comprises:
said security feature data stored in said database representing a
first encryption process to be applied to encrypting a first
wireless mobile device and a second encryption process to be
applied to encrypting a second wireless mobile device accessible by
said determined context detected at said wireless access point.
83. The wireless access point of claim 69, which further comprises:
said security feature data stored in said database representing a
first selectable security process and a second selectable security
process, which are alternately selectable by a system administrator
to be applied when a wireless mobile device is detected by said
context manager program to be at said wireless access point.
84. The wireless access point of claim 69, which further comprises:
said security feature data stored in said database representing a
first selectable security process and a second selectable security
process, which are alternately selectable by a control program to
be applied when a wireless mobile device is detected by said
context manager program to be at said wireless access point.
85. The wireless access point of claim 69, which further comprises:
said context manager program classifying a service requested by
said mobile device to synchronize to an application and
establishing an appropriate security feature to apply to said
mobile device based on said classification.
86. The wireless access point of claim 69, which further comprises:
said context manager comparing said determined context with
threshold values of services for said mobile wireless device
generating a triggering event when a comparison is satisfied.
87. The wireless access point of claim 86, which further comprises:
said triggering event initiating sending a message representing
said service data to said wireless mobile device to implement said
service in said wireless mobile device.
88. The wireless access point of claim 86, which further comprises:
said triggering event initiating pushing said service represented
by said service data to said wireless mobile device.
89. The wireless access point of claim 69, which further comprises:
a Bluetooth-enabled device coupled to said wireless communications
interface; said wireless communications interface receiving control
signals from said wireless mobile device and forwarding them to
said Bluetooth-enabled device for control thereof.
90. The wireless access point of claim 89, which further comprises:
said wireless communications interface receiving output signals
from said Bluetooth-enabled device in response to said control
signals; said server interface forwarding said output signals to
said server.
91. The wireless access point of claim 90, which further comprises:
said Bluetooth-enabled device is a barcode reader.
92. A wireless mobile device having security features based on its
context, comprising: a computer coupled to a memory; a wireless
communications interface coupled to said computer, for wirelessly
interfacing with an access point; a communications program stored
in said memory, for establishing a wireless connection with said
access point; said access point providing to a server context
information about the mobile device when said access point is
wirelessly connected to said wireless communications interface; a
middleware program stored in said memory, having a plurality of
security process subroutines selectable by a command received from
said access point in response to said context information; said
command representing a security feature to be implemented in said
wireless mobile device by one of said subroutines selected by said
command.
93. The wireless mobile device of claim 92, which further
comprises: said access point coupled to a context manager program,
for determining a context of said mobile device based on said
context information.
94. The wireless mobile device of claim 93, which further
comprises: said access point coupled to a database for storing
security feature data accessible by a determined context of said
wireless mobile device, to implement a security process.
95. The wireless mobile device of claim 92, which further
comprises: said database storing service data accessible by said
determined context to implement a service; said context manager
accessing said stored service data based on said determined context
and providing said service data to said wireless mobile device to
implement said service in said wireless mobile device.
96. The wireless mobile device of claim 92, which further
comprises: said database storing third-party message data
accessible by said determined context to implement a service; said
context manager accessing said stored third-party message data
based on said determined context and sending a message representing
said message data to a third party for providing said wireless
mobile device a service.
97. The wireless mobile device of claim 96, which further
comprises: a cellular telephone subsystem in said wireless mobile
device; said third party selectively providing said service to said
wireless mobile device via said cellular telephone communications
subsystem or said access point.
98. The wireless mobile device of claim 92, which further
comprises: a Bluetooth communications subsystem in said wireless
access point device and in said mobile device; said context manager
program determining said context for said wireless mobile device
from a signal received from said access point indicating that said
Bluetooth communications subsystems have established a connection
between said wireless mobile device and said access point.
99. The wireless mobile device of claim 92, which further
comprises: an IEEE 802.11 wireless LAN communications subsystem in
said wireless access point device and in said mobile device; said
context manager program determining said context for said wireless
mobile device from a signal received from said access point
indicating that said IEEE 802.11 wireless LAN communications
subsystems have established a connection between said wireless
mobile device and said access point.
100. The wireless mobile device of claim 92, which further
comprises: said context manager program further accessing said
stored security feature data based on a type of service requested
by said mobile device.
101. The wireless mobile device of claim 92, which further
comprises: said context manager program determining said context
for said wireless mobile device from an identity of said access
point and an identity of said wireless mobile device.
102. The wireless mobile device of claim 101, which further
comprises: said context manager program further determining said
context for said wireless mobile device from a time of day said
wireless mobile device connects to said access point.
103. The wireless mobile device of claim 92, which further
comprises: said security feature data stored in said database
representing an authentication process accessible by said
determined context to authenticate said wireless mobile device when
wirelessly connected to said access point.
104. The wireless mobile device of claim 103, which further
comprises: said security feature data stored in said database
representing a first authentication process to be applied to
authenticating a first wireless mobile device and a second
authentication process to be applied to authenticating a second
wireless mobile device accessible by said determined context
detected at said wireless access point.
105. The wireless mobile device of claim 92, which further
comprises: said security feature data stored in said database
representing an encryption process accessible by said determined
context to encrypt communications between said wireless mobile
device and said access point.
106. The wireless mobile device of claim 105, which further
comprises: said security feature data stored in said database
representing a first encryption process to be applied to encrypting
a first wireless mobile device and a second encryption process to
be applied to encrypting a second wireless mobile device accessible
by said determined context detected at said wireless access
point.
107. The wireless mobile device of claim 92, which further
comprises: said security feature data stored in said database
representing a first selectable security process and a second
selectable security process, which are alternately selectable by a
system administrator to be applied when a wireless mobile device is
detected by said context manager program to be at said wireless
access point.
108. The wireless mobile device of claim 92, which further
comprises: said security feature data stored in said database
representing a first selectable security process and a second
selectable security process, which are alternately selectable by a
control program to be applied when a wireless mobile device is
detected by said context manager program to be at said wireless
access point.
109. The wireless mobile device of claim 92, which further
comprises: said context manager program classifying a service
requested by said mobile device to synchronize to an application
and establishing an appropriate security feature to apply to said
mobile device based on said classification.
110. The wireless mobile device of claim 92, which further
comprises: said context manager comparing said determined context
with threshold values of services for said mobile wireless device
generating a triggering event when a comparison is satisfied.
111. The wireless mobile device of claim 110, which further
comprises: said triggering event initiating sending a message
representing said service data to said wireless mobile device to
implement said service in said wireless mobile device.
112. The wireless mobile device of claim 110, which further
comprises: said triggering event initiating pushing said service
represented by said service data to said wireless mobile
device.
113. A program product for a wireless mobile device having security
features based on its context, comprising: a communications program
for establishing a wireless connection with an access point; said
access point providing to a server context information about the
mobile device when said access point is wirelessly connected to
said wireless communications interface; a middleware program having
a plurality of security process subroutines selectable by a command
received from said access point in response to said context
information; said command representing a security feature to be
implemented in said wireless mobile device by one of said
subroutines selected by said command.
114. The program product of claim 113, which further comprises:
said communications program receiving and processing a message
representing service data to implement a service in said wireless
mobile device in response to said context information.
115. The program product of claim 113, which further comprises:
said communications program receiving and processing a service
pushed to said wireless mobile device from said access point in
response to said context information.
116. A program product for an access point to provide security
features to a wireless mobile device based on its context,
comprising: a communications program for establishing a wireless
connection with a mobile device and providing context information
to a server when said wireless mobile device is wirelessly
connected to the access point; a middleware program having a
plurality of security process subroutines selectable by a command
received from said server in response to said context information;
said command representing a security feature to be implemented in
said access point and said wireless mobile device by one of said
subroutines selected by said command.
117. The program product of claim 116, which further comprises:
said communications program receiving service data from said server
based on said determined context and providing said service data to
said wireless mobile device to implement said service in said
wireless mobile device.
118. The program product of claim 116, which further comprises:
said communications program receiving third-party message data
based on said determined context and sending a message representing
said message data to a third party for providing said wireless
mobile device a service.
119. The program product of claim 118, which further comprises:
said third party selectively providing said service to said
wireless mobile device via a cellular telephone communications
subsystem or said access point.
120. The program product of claim 116, which further comprises:
said communications program pushing a service to said wireless
mobile device in response to said context information.
121. The program product of claim 116, which further comprises:
said communications program receiving control signals from said
wireless mobile device and forwarding them to a Bluetooth-enabled
device for control thereof.
122. The program product of claim 121, which further comprises:
said communications program receiving output signals from said
Bluetooth-enabled device in response to said control signals and
forwarding said output signals to said server.
123. A program product for a server to provide security features to
a wireless mobile device based on its context, comprising: a
context manager program for determining a context for a wireless
mobile device when said wireless mobile device is wirelessly
connected to a wireless access point; said context manager
accessing stored security feature data based on said determined
context and issuing a command representing said security feature
data; a middleware program having a plurality of security process
subroutines selectable by said command, to operatively interact
with a first middleware program in said access point and a second
middleware program in said mobile wireless device, to implement
said security process in said first wireless mobile device and said
second wireless device, respectively.
124. The program product of claim 123, which further comprises:
said context manager accessing stored service data based on said
determined context and providing said service data to said wireless
mobile device to implement said service in said wireless mobile
device.
125. The program product of claim 124, which further comprises:
said context manager accessing a stored third-party message data
based on said determined context and sending a message representing
said message data to a third party for providing said wireless
mobile device a service.
126. The program product of claim 125, which further comprises:
said third party selectively providing said service to said
wireless mobile device via a cellular telephone communications
subsystem or said wireless access point.
127. The program product of claim 123, which further comprises:
said context manager program further accessing said stored security
feature data based on a type of service requested by said wireless
mobile device.
128. The program product of claim 123, which further comprises:
said context manager program determining said context for said
wireless mobile device from an identity of said access point and an
identity of said wireless mobile device.
129. The program product of claim 128, which further comprises:
said context manager program further determining said context for
said wireless mobile device from a time of day said wireless mobile
device connects to said access point.
130. The program product of claim 123, which further comprises:
said context manager program classifying a service requested by
said mobile device to synchronize to an application and
establishing an appropriate security feature to apply to said
mobile device based on said classification.
131. The program product of claim 123, which further comprises:
said context manager comparing said determined context with
threshold values of services for said mobile wireless device
generating a triggering event when a comparison is satisfied.
132. The program product of claim 123, which further comprises:
said triggering event initiating sending a message representing
said service data to said wireless mobile device to implement said
service in said wireless mobile device.
133. The program product of claim 132, which further comprises:
said triggering event initiating pushing said service represented
by said service data to said wireless mobile device.
Description
FIELD OF THE INVENTION:
[0001] The invention disclosed broadly relates to context-dependent
services for mobile terminals and more particularly relates to
context dependent security features in communication, to properly
authenticate and secure communication links for short range RF
devices based on the current context of the device.
BACKGROUND OF THE INVENTION:
[0002] Short-range mobile wireless devices frequently come within
communicating range of stationary wireless devices, known as access
points, which are connected to wireline local area networks (LANs)
or wide area networks (WANs). The mobile wireless device can form a
wireless link with a nearby access point to enable communication
with network servers. The network servers can provide services to
the mobile wireless devices, which can be customized to the
particular access point currently nearest to and communicating with
the mobile device. An example is a business enterprise's office
building having a lobby area with an access point near the entrance
and various offices and access points distributed within the
interior of the building. A first access point in the lobby can
provide to visitors copies of company brochures and office maps
that are downloaded to their mobile devices from a network server.
A second access point within a company employee's private office
can provide copies of company confidential documents downloaded to
the employee's mobile device from the network server. Clearly,
there are different requirements for user authentication and
document security in these two examples. What is needed in the
prior art is a method to provide context dependent security
features for short range RF devices based on the current context of
the device.
[0003] Short-range wireless networks include both wireless personal
area networks ("PANs") and wireless local area network ("WLANs").
Both of these networks have the common feature of operating in
unlicensed portions of the radio spectrum, usually either in the
2.4 GHz Industrial, Scientific, and Medical (ISM) band or the 5 GHz
Unlicensed-National Information Infrastructure ("U-NII") band.
Wireless personal area networks use low cost, low power wireless
devices that have a typical range of ten meters.
[0004] The best-known example of wireless personal area network
technology is the Bluetooth Standard, which operates in the 2.4 GHz
ISM band. Bluetooth is a short-range radio network, originally
intended as a cable replacement. It can be used to create ad hoc
networks of up to eight devices operating together. The Bluetooth
Special Interest Group, Specification Of The Bluetooth System,
Volumes 1 and 2, Core and Profiles: Version 1.1, 22nd February
2001 (hereinafter "Bluetooth Specification") describes
the principles of Bluetooth device operation and communication
protocols. Bluetooth devices are designed to find other Bluetooth
devices and access points within their ten meter radio
communications range.
[0005] The Bluetooth Specification describes the basic security
features of the Bluetooth technology in its Chapter 14. The
Bluetooth system provides usage protection and information
confidentiality at the application layer and at the link layer. In
each Bluetooth device and access point, the authentication and
encryption routines are implemented in the same way, using the
device's address BD_ADDR, two secret keys, and a random number
which is different for each new transaction. What is needed in the
prior art is a method to customize security features for short
range RF devices and access points based on the current context of
the mobile device.
[0006] In addition to the Bluetooth technology, examples of
wireless local area network technology include the IEEE 802.11
Wireless LAN Standard and the HIPERLAN Standard. HIPERLAN and IEEE
802.11a operate in the 5 GHz U-NII band, while IEEE 802.11b operates
in the 2.4 GHz ISM band. The IEEE 802.11 Wireless LAN Standard is
published in three parts as IEEE 802.11-1999; IEEE 802.11a-1999;
and IEEE 802.11b-1999, which are available from the IEEE, Inc. web
site http://grouper.ieee.org/groups/802/11. An overview of the
HIPERLAN Type 2 principles of operation is provided in the
Broadband Radio Access Networks (BRAN), HIPERLAN Type 2; System
Overview, ETSI TR 101 683 V1.1.1 (2000-02). Another example of
wireless local area network technology is Ultra Wideband (UWB)
radio, a wireless technology for transmitting digital data over a
wide spectrum of frequency bands with very low power. An Ultra
Wideband (UWB) standard published by the IEEE 802.15.3a task group
is a "classical" direct sequence version of UWB for Personal Area
Networking.
[0007] What is needed in the prior art is a method to customize
security features for short-range mobile wireless devices and
access points based on the current context of the mobile
device.
SUMMARY OF THE INVENTION
[0008] The invention solves the problem of providing customizable,
context dependent security features for short range RF devices
based on the current context of the device. In accordance with the
invention, the mobile device, the wireless access point, and the
network server in the network each include security context
middleware that responds to the detected location of the mobile
device to provide customized security services to the mobile
device. The security context middleware enables detecting,
authenticating and registering the mobile device and encrypting its
communications based on pre-specified security feature descriptions
stored in the network server. The system administrator or a system
management program can assign particular security features to
individual access points in the network. The security features can
be pre-specified based on the location of the access point, the
identity of the user's mobile device, other characteristics of the
user or the user's device, ambient conditions, such as the time of
day, and the classification of any services requested by the mobile
device.
[0009] When a mobile device moves into the communication domain of
an access point, its presence is detected by the access point, a
basic connection is established between the device and the access
point, and the presence of the device is registered at the network
server. The network server can then classify any service requested
by the mobile device, such as synchronization to applications
residing on another server and consider such service request as a
factor in establishing an appropriate security feature to apply to
the mobile device. For example, if the mobile device has requested
synchronization with a confidential email or calendar service to
update the mobile device, a high security will be assigned to the
wireless connection between the mobile device and the access
point.
[0010] The network server can then access a security context
database to obtain the pre-specified security features
corresponding to the location of the access point, the identity of
the user's mobile device, other characteristics of the user or the
user's device, ambient conditions, such as the time of day, and
classification of any service requested by the mobile device. The
network server obtains a middleware command from the database
corresponding to the pre-specified security feature. The middleware
command then is transmitted from the network server to the access
point and to the mobile device. The middleware command invokes the
particular security processing routine in the middleware of both
the mobile device and the access point to implement the
pre-specified security feature. The middleware command can also
invoke a corresponding security processing routine in the network
server when the server needs to participate in providing the
security service to the mobile device.
[0011] Some of the factors considered by the security context
middleware in determining the context of the mobile device include
the mobile device's address BD_ADDR, the location of the access
point, other available information about the mobile device, and the
time of day. Other environmental factors that can also be
considered by the security context middleware in determining the
context of the mobile device include day of the week, season of the
year, temperature, light level, and other ambient characteristics.
The security context middleware can also classify any service
requested by the mobile device, such as synchronization to
applications residing on another server, and consider such service
request as a factor in establishing an appropriate security feature
to apply to the mobile device.
[0012] The network server is also responsible for maintaining
additional information for comparing the determined context of the
mobile device with threshold values of services that are
pre-specified for the mobile device. The network server can
automatically synchronize the mobile device with email or calendar
services, for example, on another server. The network server can
generate triggering events based on the comparison and send notices
to the mobile device for suitable services or directly push service
messages to the mobile device. In addition, the network server can
provide necessary information to third parties for initiating
services to the mobile device based on the comparison. Third party
services can be provided to the mobile device either through the
connected access point or via a separate cellular telephone network
connection.
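To make the flow of paragraphs [0009] through [0012] concrete, the following Python sketch models the context manager, the security context database and the three security context middleware instances. It is an added example and not code from the patent: the rule rows, the meaning given to command types 3 to 5, the service classes and the push thresholds are all assumptions chosen for illustration. It goes slightly beyond the text in two respects a practitioner would expect: when no database row matches a determined context the link is refused rather than given a default feature, and a node that lacks the subroutine for a command rejects it instead of falling back to a weaker routine.

```python
"""Context-dependent security feature selection, after [0009]-[0012].  Added
example, not the patent's code; rules, command numbers, thresholds assumed."""
from dataclasses import dataclass
from datetime import time
from enum import IntEnum
from typing import Callable, Dict, List, Optional, Tuple

class Cmd(IntEnum):
    """Middleware command types; larger is stronger.  Numbers echo 'type 3/4/5'
    of FIGS. 2-4, but what each one stands for here is assumed."""
    OPEN = 3        # detect and register only (lobby: brochures, maps)
    LINK_AUTH = 4   # link-layer authentication and encryption
    PKI = 5         # certificate-based authentication and encryption

@dataclass(frozen=True)
class Context:
    ap_id: str       # identity of the access point (claim 77)
    device_id: str   # identity of the device, e.g. its BD_ADDR (claim 77)
    at: time         # time of day of the connection (claim 78)
    service: str     # classification of the requested service (claim 85)

@dataclass(frozen=True)
class Rule:
    """One row of the security context database; None matches anything."""
    cmd: Cmd
    ap_id: Optional[str] = None
    device_id: Optional[str] = None
    service: Optional[str] = None
    window: Optional[Tuple[time, time]] = None   # inclusive time-of-day window

    def matches(self, c: Context) -> bool:
        fixed = ((self.ap_id, c.ap_id), (self.device_id, c.device_id),
                 (self.service, c.service))
        if any(want is not None and want != have for want, have in fixed):
            return False
        return self.window is None or self.window[0] <= c.at <= self.window[1]

    @property
    def specificity(self) -> int:
        return sum(v is not None for v in
                   (self.ap_id, self.device_id, self.service, self.window))

# Service classification of [0009] (assumed table); an unknown request counts
# as confidential so that it can never pick up the weakest policy by accident.
SERVICE_CLASSES = {"sync:email": "confidential", "sync:calendar": "confidential",
                   "get:brochure": "public", "get:map": "public"}

class ContextManager:
    """Context manager 14: determine context, look up feature, check threshold."""
    def __init__(self, rules: List[Rule], thresholds: Dict[str, Cmd]):
        self.rules, self.thresholds = rules, thresholds

    def determine_context(self, ap_id, device_id, request, at) -> Context:
        return Context(ap_id, device_id, at, SERVICE_CLASSES.get(request, "confidential"))

    def select_command(self, ctx: Context) -> Cmd:
        hits = [r for r in self.rules if r.matches(ctx)]
        if not hits:                      # fail closed: no row, no link
            raise PermissionError(f"no policy row for {ctx}")
        # Most specific row wins; on a tie the stronger feature wins, so a
        # broad administrator row cannot weaken a device-specific one.
        return max(hits, key=lambda r: (r.specificity, r.cmd)).cmd

    def trigger(self, request: str, cmd: Cmd) -> bool:
        # [0012]: push the service only if the feature meets the service's
        # pre-specified minimum; an unlisted service needs the strongest one.
        return cmd >= self.thresholds.get(request, Cmd.PKI)

class Middleware:
    """Security context middleware (10, 10', 10''): subroutines selectable by
    command.  A node lacking the routine refuses rather than downgrading."""
    def __init__(self, name: str, table: Dict[Cmd, Callable[[Context], str]]):
        self.name, self.table = name, table

    def run(self, cmd: Cmd, ctx: Context) -> str:
        if cmd not in self.table:
            raise ValueError(f"{self.name}: unsupported command {cmd!r}")
        return self.table[cmd](ctx)

# Constructed sample policy (assumed), after the lobby/office story of [0002].
RULES = [Rule(Cmd.OPEN, ap_id="140A", service="public"),
         Rule(Cmd.LINK_AUTH, ap_id="140B"),
         Rule(Cmd.PKI, ap_id="140C", device_id="00:11:22:33:44:55",
              window=(time(8, 0), time(18, 0)))]
THRESHOLDS = {"sync:email": Cmd.LINK_AUTH, "sync:calendar": Cmd.LINK_AUTH,
              "get:brochure": Cmd.OPEN, "get:map": Cmd.OPEN}
_TABLE = {c: (lambda ctx, c=c: f"{c.name} {ctx.device_id}@{ctx.ap_id}") for c in Cmd}
NODES = [Middleware(n, _TABLE) for n in ("device", "ap", "server")]
CM = ContextManager(RULES, THRESHOLDS)

def scenario(ap_id: str, device_id: str, request: str, hour: int):
    """One connection end to end; returns (status, command, service_pushed)."""
    ctx = CM.determine_context(ap_id, device_id, request, time(hour, 0))
    try:
        cmd = CM.select_command(ctx)
    except PermissionError:
        return "denied", None, False
    for node in NODES:            # the same command goes to device, AP, server
        node.run(cmd, ctx)
    return "ok", cmd, CM.trigger(request, cmd)
```

Calling `scenario("140A", "aa:bb:cc:dd:ee:ff", "get:brochure", 10)` selects the open feature and pushes the brochure, while an e-mail synchronisation request at the same lobby access point matches no row and is denied; `scenario("140C", "00:11:22:33:44:55", "sync:email", 9)` applies the public-key feature to that one device during working hours and is denied at 22:00 because the time-of-day window no longer matches. A request for a service with no threshold entry still gets a link, but the service is not pushed because the selected feature falls short of the default minimum.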
[0013] The resulting invention solves the problem of providing
context dependent security features for short range RF devices
based on the current context of the device.
[0014] The invention can be applied to wireless personal area
networks employing the Bluetooth Standard, and to wireless local
area networks employing the IEEE 802.11 Wireless LAN Standard or
the HIPERLAN Standard.
DESCRIPTION OF THE FIGURES
[0015] FIG. 1A is a network diagram according to an embodiment of
the present invention showing a plurality of wireless access points
140, 140A, 140B, and 140C. The LAN 142 interconnects the access
points with the connectivity server 180 and the security context
database 182. The user's wireless device 100 is shown at a first
location near a first wireless access point 140A and then later at
a second location, near a second wireless access point 140B.
[0016] FIG. 1B is a network diagram according to an embodiment of
the present invention showing a modification in the topology of the
network of FIG. 1A, where the access points are distributed within
an office building. The LAN 142 interconnects the access points
with the connectivity server 180. Several servers are shown
connected by means of the LAN to the access points, to provide
business-related services when signaled by the access points.
[0017] FIG. 1C is a network diagram according to an embodiment of
the present invention showing another modification in the topology
of the network of FIG. 1A, in which there is a GSM antenna 105 as
well as a Bluetooth or WLAN antenna 103 on the user's wireless
device 100. A GSM cellular telephone network is an alternate way to
communicate with the third party services server 190, via a WAP
protocol gateway and the Internet. A barcode reader 141 is also
shown connected by means of a Bluetooth link to the access point
140A to enable control and use of the barcode reader by the user's
mobile wireless device 100.
[0018] FIG. 1D is a network diagram according to an embodiment of
the present invention showing another modification in the topology
of the network of FIG. 1A, in which the access points 140A and 140B
are mobile and include a GPS position locator to establish their
current locations. A GSM cellular telephone subsystem in each
access point enables it to communicate with the connectivity server
over a wireless wide area network.
[0019] FIG. 2 is a flow diagram of the processing of a first
middleware command type 3 to invoke security context middleware
modules 602, 702, and 802 on the user's device 100, the access
point 140B, and the connectivity server 180, respectively, to
implement a first security feature in response to detecting the
user's device 100 at the access point 140B according to an
embodiment of the present invention.
[0020] FIG. 3 is a flow diagram of the processing of a second
middleware command type 4 to invoke security context middleware
modules 604, 704, and 804 on the user's device 100, the access
point 140C, and the connectivity server 180, respectively, to
implement a second security feature in response to detecting the
user's device at the access point 140C according to an embodiment
of the present invention.
[0021] FIG. 4 is a flow diagram of the processing of a third
middleware command type 5 to effect a reprogramming of the access
device 140C. The middleware command type 5 invokes security context
middleware modules 606, 706, and 806 on the user's device 100, the
access point 140C, and the connectivity server 180, respectively,
to implement a third, public key infrastructure security feature in
response to detecting the user's device 100 at the access point
140C according to an embodiment of the present invention.
[0022] FIG. 5A shows the security context database 182 and the
security middleware commands table 182 according to an embodiment
of the present invention.
[0023] FIG. 5B shows the security context database 182 and the
security middleware commands table 182' of FIG. 5A, where access
point 140C is reprogrammed to apply public key infrastructure when
connected to the user's mobile device 100 according to an
embodiment of the present invention.
[0024] FIG. 6 shows the security context middleware 10 in the
user's device 100 according to an embodiment of the present
invention.
[0025] FIG. 7 shows the security context middleware 10' in each
access point 140, 140A, B, C according to an embodiment of the
present invention.
[0026] FIG. 8 shows the security context middleware 10'' in the
network server 180 according to an embodiment of the present
invention.
[0027] FIG. 9 is another view of the network diagram of FIG. 1A,
according to an embodiment of the present invention, showing
various components of the user's wireless device 100, the wireless
access point 140A, and the connectivity server 180.
DISCUSSION OF THE PREFERRED EMBODIMENT
[0028] FIG. 1A is a network diagram according to an embodiment of
the present invention showing a plurality of wireless access points
140, 140A, 140B and 140C. The local area network (LAN) 142
interconnects the access points with the connectivity server 180
which in turn is connected to the security context database 182.
The user's wireless device 100 is shown at a first location A near
first wireless access point 140A, and then at a later time is shown
at a second location B near a second wireless access point 140B.
Each respective access point has a corresponding coverage area 150,
150A, 150B, 150C, respectively. Bluetooth wireless devices have
typical coverage area of a radius of 10 meters. IEEE 802.11
Wireless LAN devices and HIPERLAN Wireless LAN devices have a
typical coverage area with a radius of 100 meters. A user's
wireless device 100 in FIG. 1 includes the microbrowser 102, a key
pad, and an application program 106. Also included, in the user's
wireless device is security context middleware 10, which is shown
in greater detail in FIG. 6. Each access point 140, 140A, 140B and
140C includes security context middleware 10' which is shown in
greater detail in FIG. 7. The connectivity server 180 includes a
security context middleware 10'' which is shown in greater detail
in FIG. 8. The connectivity server 180 further includes the context
manager 14. The connectivity server 180 is also connected to the
internet 144 which is connected in turn to the WAP protocol gateway
188 which in turn is connected to the GSM access point 186.
[0029] In accordance with the invention, the security context
middleware 10 stored in a memory of the user's wireless device 100,
has a plurality of security process subroutines 602, 604 and 606 of
FIG. 6 which are selectable by a security processing middleware
command issued by the context manager 14. Similarly, the security
context middleware program 10' in the access points 140, 140A, 140B
and 140C, has a plurality of security process subroutines 702, 704
and 706 of FIG. 7, selectable by the security processing middleware
command issued by the context manager 14. Similarly, the security
context middleware 10'' in the connectivity server 180 has a
plurality of security process subroutines 802, 804 and 806 of FIG.
8 which are selectable by the security processing middleware
command issued by the context manager 14. Further in accordance
with the invention, the context manager program 14 in the
connectivity server 180 determines a context for the user's
wireless mobile device 100 from a signal received from one of the
access points 140, 140A, B, C indicating that the wireless mobile
device is wirelessly connected to that access point. The security
context database 182 connected to the connectivity server 180
stores security feature data which is accessible by the determined
context from the connectivity server 180, to implement a security
process. The context manager 14 accesses the stored security
feature data in the security context database 182 based on the
determined context of the user's wireless device 100 in the
vicinity of the access points 140, 140A, 140B or 140C. The context
manager 14 then sends the security processing middleware command
representing the security feature data to the security context
middleware program 10'' in the connectivity server 180, the
security context middleware program 10' in the access point
connected to the user's wireless device 100, and to the security
context middleware 10 in the user's wireless device 100. The
security processing middleware command then invokes the security
process in the addressed subroutine in the wireless mobile device,
in the access point and in the connectivity server 180.
[0030] The security context database 182 and the security
middleware commands table 182' are shown in FIG. 5A. A system
administrator or a system control program will initialize the data
in the security context database 182 to establish particular
security features 294 for each of the access points 140, 140A, 140B
and 140C when they are respectively wirelessly connected to the
user's device 100. For example, the security context database 182
will establish that the access point 140A, when it is wirelessly
connected to any user device, as indicated in 284, will have a type
1 security feature 294. The type 1 security feature will then
invoke in the security middleware commands table 182', basic
Bluetooth security. The type 1 security processing middleware
command will be transmitted by the connectivity server 180 to the
security context middleware 10'' in the server 180, to the access
point 140A and its security context middleware 10', and to the
user's wireless device 100 which is wirelessly connected to the
access point 140A, for the security context middleware 10 in the
user's wireless device 100. As can be seen by inspection of the
security context database 182 of FIG. 5A, a system administrator
has assigned security features 294 to each of the access points
140, 140A, 140B and 140C when they are respectively wirelessly
connected to particular user wireless devices. Column 284 of the
database 182 indicates which user devices are permitted to be
assigned a security feature. Column 286 specifies whether other
terminal data is to be required before security features are
assigned. Column 288 specifies whether particular time of day
intervals are required before security features are assigned.
Column 292 specifies one or more services which are provided to the
user's wireless device 100 when it is wirelessly connected to each
of the respective access points 140, 140A, 140B and 140C. As was mentioned
before, column 294 indicates the security feature assigned by the
system administrator to the respective access points and to the
user's wireless device 100 when it is connected to the respective
access points. The security middleware commands table 182' enables
the system administrator to programmatically change the security
feature assigned to a particular access point and wireless device
connected thereto. Five types of security features are shown in the
table 182'. Type 1 is a basic Bluetooth security. Type 2 uses an
acceptable address list with the specified wireless device
addresses. Type 3 requires a link key and 128-bit encryption and a
dynamic point-to-point protocol (PPP) user name and password. Type
4 increases the security from type 3 by providing a terminal key
and an encrypted link key plus the 128-bit encryption and the
dynamic PPP user name/password. Type 5 security feature is a public
key infrastructure (PKI) security feature wherein there is a public
key encryption of a random link key and 128-bit bulk encryption.
[0031] FIG. 1B is a network diagram according to an embodiment of
the present invention showing a modification in the topology of the
network of FIG. 1A where the access points are distributed within
an office building 148. The local area network (LAN) 142 connects
the access points 140, 140A, 140B and 140C with the connectivity
server 180. Several servers are shown connected by means of the LAN
142 to the access points, to provide business related services when
signaled by the access points. A company confidential information
server 190 and a company confidential information database 191 are
connected to the LAN 142. An accounts department server 192 and an
accounts department database 193 are connected to the LAN 142. A
docking station server 194 and a docking station database 195 are
connected to the LAN 142. A room lighting server 196 and a room
lighting database 197 are connected to the LAN 142. The office
building 148 has a front entrance 152 and a lobby coverage area
150A in which the access point 140A is located. Next in the office
building 148 is the office coverage area 150 with the access point
140. Next in the office building 148 is the office coverage area
150B with the access point 140B, which is a docking station.
Lastly, the office building 148 has a coverage area 150C with the
access point 140C which is a cashier terminal. A lighting control
198 is connected from the room lighting server 196 to the lights in
the respective coverage areas of the office building 148, as shown
in FIG. 1B. When the user's wireless device 100 enters the office
building 148 through the front entrance 152, into the lobby
coverage area 150A, the access point 140A establishes a wireless
connection with the user's wireless device. As the user's wireless
device proceeds through the office building 148 to the office 2
coverage area 150B, the mobile wireless device establishes a
wireless connection with the access point 140B, for example, when
the user places the wireless device 100 into the docking
station.
[0032] Reference to FIG. 2 illustrates the sequence of operational
steps that take place beginning at this point according to an
embodiment of the present invention. In the preferred embodiment,
the Access Point 140B periodically transmits inquiry packets to
discover which mobile devices are in range and to determine the
addresses and clocks for the devices. If a mobile device 100 that
receives the inquiry packets is in the inquiry scan state, it will
then enter the inquiry response state and send an inquiry response
202 to the Access Point 140B. The Access Point 140B can compare the
received address with a list of addresses of devices that are
authorized to receive services and can proceed to establish a
connection with an authorized mobile device. The comparison can
also be based on other information about the mobile device 100,
such as the class of device (CoD) field, and the list can identify
those devices that are to be accepted or alternately blocked from
receiving certain types of services. After the inquiry procedure
has completed, a connection can be established by the Access Point
140B with a paging procedure using the Bluetooth device address of
the mobile device 100. The Access Point 140B having established the
connection will automatically be the master of the connection.
[0033] In step 200 the user's wireless device sends an inquiry
response 202 to the access point 140B and receives a page 204 from
the access point. Correspondingly, the access point receives the
inquiry response packet from the user's device 100. After inquiry and
paging signals are exchanged, a basic connection is established
between the user's wireless device 100 and the access point 140B.
At this point, an initial request for services can be sent by the
mobile device 100 to the access point 140B, such as requesting
synchronization of received email or synchronization of a calendar.
A signal is transmitted from the access point 140B over the LAN 142
to the connectivity server 180 where the asynchronous
connectionless link (ACL) is validated in step 208. Step 207 can
then classify any services requested by the mobile device 100 and
pass the classification information to the next step 209 where it
is considered as a factor in establishing an appropriate security
feature to apply to the mobile device 100.
[0034] Then passing to the path 209 the connectivity server 180
accesses the security context database 182 for security features to
apply to the connection between the user's wireless device 100 and
the access point 140B. This is done in step 210 using the access
point address, user's device ID, any required terminal information
about the user's device, the time of day and the class of service
requested by the mobile device. Referring for a moment to the
security context database 182 of FIG. 5A, it is seen that these
various factors are considered in the selection of a security
feature, such as, specific identities of acceptable mobile wireless
devices, other terminal data and time of day. When the
corresponding security feature 294 is identified in the database
182, in this case it is a type 3 security feature, the
corresponding security processing middleware command is sent on
path 211 to the access point 140B. In step 212, the access point
140B implements the accessed security features in the security
middleware 702 in the access point. The security processing
middleware command is also transmitted over path 213 to the user's
device 100 where in step 214 it implements the accessed security
features in the security middleware 602 in the user's device
100.
[0035] Step 210 in the connectivity server 180 then proceeds to
step 215 which generates a link key which is transmitted via the
access point 140B to the user's device 100, as step 216 in the
subroutine 602 of the security context middleware 10, where it
initiates security settings. In the connectivity server 180, step
215 proceeds to step 225 which sets the link key for Bluetooth
128-bit encryption. This information is then provided to the access
point 140B at step 222 in the subroutine 702 of the security
context middleware 10', to establish an authenticated and encrypted
middleware connection with the user's device. Correspondingly, step
216 in the user's device 100 proceeds to step 218 to establish the
authenticated and encrypted middleware connection with the access
point over path 220. Step 222 in the access point 140B then
proceeds to step 224 where the middleware connection is established
and this information is then passed back to the connectivity server
180 at step 226, which generates the dynamic point-to-point protocol
user name and password for additional access control. The flow then
passes to step 228 to forward the PPP user name and password to the
access point and the user device. Step 230 of the access point
140B, forwards the PPP user name and password to the user device
and also applies it to step 236. In the user's device 100, step 232
establishes the authenticated and encrypted IP connection with the
access point and flow passes to step 234. Steps 234 and 236 then
establish over path 235 an authenticated and encrypted IP
connection. Then the connectivity server 180 in step 238 accesses
the context database 182 for services available to the user's
device using the access point's address, the user's device ID,
terminal information, time, and service requests. The network
server can automatically synchronize the mobile device with email
or calendar services on another server. Reference to FIG. 5A shows
that for a connection between the user's device 100 and the access
point 140B, services allowed to the user's device include lighting
from the lighting server 196 and docking facility services from the
docking station server 194 in FIG. 1B.
[0036] If the user's device 100 were now to pass to the cashier
coverage area 150C in FIG. 1B, a wireless connection is established
with the access point 140C, which invokes a different set of
security features, as is shown in FIG. 3. Reference to the security
context database 182 in FIG. 5A shows that the system administrator
has assigned a type 4 security feature to the user's device 100
when it establishes a wireless connection with the access point
140C in the cashier's coverage area 150C. The flow diagram in FIG.
3 illustrates this different implementation of security features
according to an embodiment of the present invention. Here it is
seen that the subroutine 604 of the security context middleware 10
in the user's wireless device 100 is invoked by command type 4.
Further it is seen that the subroutine 704 in the security context
middleware 10' in access point 140C is invoked by the command type
4. Further, it is seen that the subroutine 804 in the security
context middleware 10'' is invoked in the connectivity server 180
in response to the command type 4. Steps 200-214 in FIG. 3 are the
same as in FIG. 2, except that step 210 has accessed the
security context database 182 and has obtained a type 4 security
feature which it distributes as a command type 4 to the access
point 140C, the user's device 100 and the security context
middleware 10'' in the connectivity server 180. Step 210 passes to
step 302 which generates a terminal key which is transmitted via
the access point 140C to the user's device 100 at step 304 of
subroutine 604 of the security context middleware 10, where the
terminal key is stored. Step 302 in the connectivity server 180
passes to step 306 which constructs a random link key and encrypts
it with the terminal key. The encrypted link key is then transmitted
via the access point 140C to step 308 in the user's device 100
where the encrypted link key is opened with the terminal key. Then
step 306 in the connectivity server 180 passes to step 310 which
sets the link key for Bluetooth 128-bit encryption and this
information is then passed to step 312 of the access point 140C. In
the user's device 100, step 308 passes to step 314 which
establishes an authenticated and encrypted middleware connection
with the access point via the path 316. Correspondingly, step 312
of the access point 140C establishes an authenticated and encrypted
middleware connection with the user's device. Then flow passes from
step 312 to step 318 in the access point 140C where the middleware
connection is established and this information is then passed to
step 320 of the connectivity server 180 where the step generates a
dynamic PPP user name and password for additional access control.
Flow then passes to step 322 which forwards the PPP user name and
password to the access point 140C and the user's device 100. Step
324 in the access point 140C forwards the PPP user name and
password to the user device. Step 326 in the user device 100
establishes an authenticated and encrypted IP connection with the
access point. The flow then passes to step 234 where the connection
is established over the path 235 to the corresponding step 236 in
the access point where the connection is established. Then flow
passes in connectivity server 180 from step 322 to step 328 to
access the context database 182 for services available to the
user's device using the access point address, the user's device ID,
terminal information and time.
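The type 4 key provisioning of steps 302 to 308, as an added Go example that is not code from the application: the server generates the terminal key, generates a random link key, encrypts it under the terminal key, and the device recovers it. AES-128-GCM is this example's choice of cipher (the text only says the link key is encrypted with the terminal key), and the `Device` type, the `aad` label and all function names are constructed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// keyLen is 16 bytes: the 128-bit keys the text specifies.
const keyLen = 16

// aad ties the wrapped blob to its purpose (constructed label, not from the text).
var aad = []byte("type4-encrypted-link-key")

// newKey draws a fresh 128-bit key from the OS CSPRNG; used for both the
// terminal key (step 302) and the random link key (step 306).
func newKey() ([]byte, error) {
	k := make([]byte, keyLen)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapLinkKey is step 306 on the connectivity server: encrypt the random link
// key under the terminal key. AES-128-GCM is this example's choice of cipher;
// the text only says the link key is encrypted with the terminal key. The
// nonce is prepended so the device can open the blob.
func WrapLinkKey(terminalKey, linkKey []byte) ([]byte, error) {
	g, err := gcmFor(terminalKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, linkKey, aad)...), nil
}

// UnwrapLinkKey is step 308 on the user's device: open the encrypted link key
// with the stored terminal key. A wrong terminal key or any change in transit
// fails GCM authentication and returns an error, never a bogus key.
func UnwrapLinkKey(terminalKey, wrapped []byte) ([]byte, error) {
	g, err := gcmFor(terminalKey)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(wrapped) < ns+g.Overhead() {
		return nil, errors.New("wrapped link key too short")
	}
	return g.Open(nil, wrapped[:ns], wrapped[ns:], aad)
}

// Device models subroutine 604 of the security context middleware 10: it
// stores the terminal key at step 304 and recovers the link key at step 308.
type Device struct{ TerminalKey, LinkKey []byte }

// ProvisionType4 runs the server side of the type 4 sequence (steps 302-308)
// against dev. It returns the link key the server sets for Bluetooth 128-bit
// encryption at step 310 and the wrapped blob that crossed the access point.
func ProvisionType4(dev *Device) (serverLinkKey, wrapped []byte, err error) {
	terminalKey, err := newKey() // step 302: generate terminal key
	if err != nil {
		return nil, nil, err
	}
	dev.TerminalKey = terminalKey // step 304: delivered via the access point
	linkKey, err := newKey() // step 306: random link key
	if err != nil {
		return nil, nil, err
	}
	if wrapped, err = WrapLinkKey(terminalKey, linkKey); err != nil {
		return nil, nil, err
	}
	if dev.LinkKey, err = UnwrapLinkKey(dev.TerminalKey, wrapped); err != nil { // step 308
		return nil, nil, err
	}
	return linkKey, wrapped, nil
}
```

The access point only relays the wrapped blob; because the terminal key was delivered to the device in step 304, a relay that alters the blob or lacks the terminal key cannot obtain or substitute the link key without detection.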
[0037] It is seen in FIG. 5A that alternate security features are
applied to access point 140B when connected to alternate mobile
devices. Additionally, alternate security features can be applied
to access point 140 and the mobile device 100 based on class of
services requested by the user's mobile device 100. As an example,
if the mobile device 100 has requested synchronization with a
non-confidential email or calendar service, a low security type 2
security feature is assigned to the wireless connection between the
mobile device 100 and the access point 140. Alternately, if the
mobile device 100 has requested synchronization with a confidential
email or calendar service, a high security type 5 security feature
is assigned to the wireless connection between the mobile device
100 and the access point 140. The requested synchronization with
the email or calendar service can then be carried out in step 238
of FIGS. 2, 3, or 4 after the appropriate security feature is
established for the wireless connection.
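The context manager's lookup in step 210 over the columns of the security context database 182 (284, 286, 288, 292, 294) and the commands table 182', including the per-device rule for access point 140B and the class-of-service rule for access point 140 described above, as an added Go example that is not the applicant's code. The row layout, the device ID "dev-100", the time window, the service-class names and the service names other than "lighting" and "docking" are constructed for the example.

```go
package main

import "errors"

// Context is what the context manager 14 determines for a device at step 210
// from the access point's signal and the device's own service request.
type Context struct {
	AccessPoint  string // access point the device is wirelessly connected to
	DeviceID     string // Bluetooth device address of the mobile device
	TerminalData string // "other terminal data" (column 286); empty if none
	Hour         int    // time of day, 0-23 (column 288)
	ServiceClass string // class of service requested, e.g. "email-confidential"
}

// PolicyRow is one row of the security context database 182, laid out after
// the columns the text names (constructed, not the application's own schema).
type PolicyRow struct {
	AccessPoint      string
	Devices          []string // column 284: permitted device IDs; nil means any
	RequireTerminal  bool     // column 286: other terminal data required
	HourFrom, HourTo int      // column 288: assignable during [HourFrom, HourTo)
	ServiceClass     string   // applies only to this class of service; "" = any
	Services         []string // column 292: services offered after the feature
	SecurityType     int      // column 294: security feature type 1..5
}

// Commands is the security middleware commands table 182' (type -> feature).
var Commands = map[int]string{
	1: "basic Bluetooth security",
	2: "acceptable address list of specified wireless device addresses",
	3: "link key, 128-bit encryption, dynamic PPP user name/password",
	4: "terminal key, encrypted link key, 128-bit encryption, dynamic PPP user name/password",
	5: "PKI: public-key encryption of a random link key, 128-bit bulk encryption",
}

// ErrNoFeature: nothing assigned, so the connection is refused (fail closed).
var ErrNoFeature = errors.New("no security feature assigned for this context")

func (r PolicyRow) matches(c Context) bool {
	if r.AccessPoint != c.AccessPoint {
		return false
	}
	if r.Devices != nil && !contains(r.Devices, c.DeviceID) {
		return false
	}
	if r.RequireTerminal && c.TerminalData == "" {
		return false
	}
	if c.Hour < r.HourFrom || c.Hour >= r.HourTo {
		return false
	}
	if r.ServiceClass != "" && r.ServiceClass != c.ServiceClass {
		return false
	}
	return true
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// SelectSecurityFeature returns the security type, the middleware command sent
// to the three middleware programs, and the services column for the first
// matching row. Rows are ordered most specific first, so a device-specific
// row takes precedence over an "any device" row for the same access point.
func SelectSecurityFeature(db []PolicyRow, c Context) (int, string, []string, error) {
	for _, r := range db {
		if r.matches(c) {
			return r.SecurityType, Commands[r.SecurityType], r.Services, nil
		}
	}
	return 0, "", nil, ErrNoFeature
}

// SampleDB is a constructed database: access point numbers, "lighting" and
// "docking" come from the text; everything else is made up for the example.
var SampleDB = []PolicyRow{
	{AccessPoint: "140A", HourTo: 24, Services: []string{"lobby-guest"}, SecurityType: 1},
	{AccessPoint: "140B", Devices: []string{"dev-100"}, HourTo: 24, Services: []string{"lighting", "docking"}, SecurityType: 3},
	{AccessPoint: "140B", HourTo: 24, Services: []string{"lighting"}, SecurityType: 2},
	{AccessPoint: "140C", Devices: []string{"dev-100"}, RequireTerminal: true, HourFrom: 8, HourTo: 18, Services: []string{"cashier"}, SecurityType: 4},
	{AccessPoint: "140", ServiceClass: "email-confidential", HourTo: 24, Services: []string{"email-sync"}, SecurityType: 5},
	{AccessPoint: "140", ServiceClass: "email-public", HourTo: 24, Services: []string{"email-sync"}, SecurityType: 2},
}
```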
[0038] FIG. 5B illustrates the security context database 182,
wherein the system administrator or a system control program has
reprogrammed the access point 140C for public key infrastructure
when connected to the user's device 100 according to an embodiment
of the present invention. It is seen that a type 5 security feature
is specified in the database 182 which corresponds to the public
key encryption middleware command shown in the commands table 182'.
FIG. 4 illustrates the flow of steps in establishing the public key
infrastructure authentication and encryption for the user's
wireless device 100 at the access point 140C which have a wireless
connection established between them. In an initial provisioning
phase, the connectivity server 180 distributes the public/private
key pairs with certificates of authority in step 402 to the access
point 140C in step 404 and to the user's device 100 in step 406.
Then in the later connection phase, steps 200-214 are the same as
in the FIGS. 2 and 3 except that step 210 accesses the security
context database 182 and obtains the security feature for public
key infrastructure and the corresponding command type 5 which it
distributes over path 211 to the access point 140C and path 213 to
the user's device 100. Then the step 212 of the access point 140C
passes to step 408 which sends the access point's public key and
its certificate to the user's device. At step 410 in the user's
device 100, a random link key is generated and then in step 412,
the user's device sends the user's public key and the user's
certificate plus the public key encrypted random link key to the
access point 140C. Correspondingly, the access point 140C forwards
the user's certificate to the server 180 for validation and sends
an acknowledgement back to the user in step 414. In the
connectivity server 180, the user's certificate is validated in
step 416 and the flow passes to step 418 which constructs a random
128-bit PIN for Bluetooth 128-bit encryption and this information
is passed to step 420 of the access point 140C. Step 420 in the
access point establishes an authenticated and encrypted middleware
connection with the user's device. Step 422 in the user's device
establishes the authenticated and encrypted middleware connection
with the access point 140C over path 424. Flow then passes from
step 422 to 426 to establish an authenticated and encrypted IP
connection with the access point 140C over path 430 and
correspondingly the access point establishes the authenticated and
encrypted connection with the user's device. This information is
then passed to step 238 in the connectivity server 180 where the
security context database 182 is accessed for services available to
user's device using the access point address, the user's device ID,
terminal information, time of day, and services requested.
[0039] FIG. 1C shows an alternate embodiment for the network of
FIGS. 1A and 1B, wherein a GSM cellular telephone communication
subsystem is included in the wireless mobile device 100. This
enables communication between the user's wireless device 100 and
third party services server 190 for providing service to the
wireless device via the cellular telephone communications
subsystem. Communication is maintained over the internet 144 via
the WAP protocol gateway 188 to the GSM access point 186 which
communicates wirelessly with the GSM antenna 105 of the user's
wireless device 100.
[0040] FIG. 1C further shows a barcode reader 141 connected by
means of Bluetooth communications software 143 and a Bluetooth RF
link to the Bluetooth access point 140A to enable control and use
of the barcode reader 141 from the user's mobile wireless device
100. As an example, the application program 106 in the wireless
mobile device 100 is programmed to control and use the barcode
reader 141 to read a barcode of an article, such as a universal
product code (UPC), and to have the value read from the UPC
forwarded via the access point 140A to the application program 181
in the connectivity server 180. In order to accomplish this
example, application program 106 invokes the middleware 10 in the
user's wireless device 100, the middleware 10' in the access point
140A, and the middleware 10'' in the connectivity server 180.
Appropriate context and security processes are carried out by the
access point 140A and connectivity server 180, as discussed above,
to authenticate the user's device 100 and the barcode reader 141
and establish their respective secure connections with the access
point 140A. After secure connections are established between the
access point 140A and the user's device 100 and between the access
point 140A and the barcode reader 141, the wireless mobile device
100 can control the barcode reader 141 to read a barcode of an
article and forward the value read from the UPC via the access
point 140A to the application program 181 in the connectivity
server 180. This feature of the invention to enable the user's
mobile device to control and use a barcode reader can be extended
to the control and use of other types of devices. For example,
Bluetooth-enabled portable measurement devices can be controlled
and used by an application program in the user's mobile device, to
send their measurements to a server via distributed access points.
An example is a Bluetooth-enabled portable air flow monitor to
measure the air circulation in an office building and upload the
measurements to a server via access points distributed around the
office building.
[0041] FIG. 6 shows the security context middleware 10 in the
user's device 100 according to an embodiment of the present
invention, which includes the subroutine 602 responsive to command
type 3, the subroutine 604 responsive to the command type 4, and
the subroutine 606 responsive to the command type 5. FIG. 7 shows
the security context middleware 10' in each access point 140, 140A,
140B and 140C according to an embodiment of the present invention.
Security context middleware 10' in the access point includes
subroutine 702 responsive to command type 3, subroutine 704
responsive to command type 4, and the subroutine 706 responsive to
command type 5. FIG. 8 shows the security context middleware 10''
in the connectivity server 180 according to an embodiment of the
present invention. The subroutine 802 is responsive to command type 3,
subroutine 804 is responsive to command type 4, and subroutine 806
is responsive to command type 5.
[0042] FIG. 9 is another view of the network diagram of FIG. 1A,
according to an embodiment of the present invention, showing some
of the components of the user's wireless device 100, the wireless
access point 140A, and the connectivity server 180. The wireless
mobile device 100 includes the computer 902 and the memory 904. A
Bluetooth wireless communications interface 906 wirelessly
interfaces with the access point 140A. The Bluetooth communications
program 908 establishes a wireless connection with the access point
140A. Also shown is the middleware program 10 and the application
program 106.
[0043] FIG. 9 also shows some of the components of the wireless
access point 140A, which includes the computer 912 and the memory
914. A server interface 916 interfaces with the server 180. A
Bluetooth wireless communications interface 918 wirelessly
interfaces with the mobile wireless device 100. A communications
program 920 establishes a wireless connection with the mobile
device 100 and also provides context information to the server 180
over the LAN 142. Also shown is the middleware program 10'.
[0044] FIG. 9 also shows some of the components of the connectivity
server 180, which includes the computer 922 and the memory 924. The
context manager program 14 determines a context for the wireless
mobile device 100. The database 182 stores security feature data.
The context manager 14 accesses the stored security feature data
based on the determined context of the mobile device 100 and issues
a command representing the security feature data. Also shown is the
middleware program 10'' and the application program 181.
[0045] FIG. 1D is a network diagram showing another modification in
the topology of the network of FIG. 1A, in which the access points
140A' and 140B' are mobile and include a GPS position locator to
establish their current locations. A GSM cellular telephone
subsystem in each access point enables it to communicate with the
connectivity server 180 over a wireless wide area network 142'. The
cellular telephone communications subsystem can enable a third
party to provide service to the user's wireless mobile device 100
via the wireless wide area network 142'.
[0046] In an alternate embodiment of the invention, at least some
of the functions of the connectivity server 180 and context manager
14 can be contained within the access points 140A and 140B.
Similarly, at least some of the functions of the security context
database 182 can be contained within the access points 140A and
140B.
[0047] Although specific embodiments of the invention have been
disclosed, a person skilled in the art will understand that changes
can be made to the specific embodiment without departing from the
spirit and scope of the invention.
* * * * *