(19)
(11)EP 3 155 552 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
27.05.2020 Bulletin 2020/22

(21)Application number: 14800130.8

(22)Date of filing:  17.06.2014
(51)Int. Cl.: 
G06F 21/62  (2013.01)
G06K 7/10  (2006.01)
(86)International application number:
PCT/IB2014/002157
(87)International publication number:
WO 2015/193697 (23.12.2015 Gazette  2015/51)

(54)

MECHANISMS FOR CONTROLLING TAG PERSONALIZATION

MECHANISMEN ZUR STEUERUNG VON ETIKETT-PERSONALISIERUNG

MÉCANISMES DE CONTRÔLE DE PERSONNALISATION D'ÉTIQUETTES


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 16.06.2014 US 201414306078

(43)Date of publication of application:
19.04.2017 Bulletin 2017/16

(73)Proprietor: Assa Abloy AB
111 64 Stockholm (SE)

(72)Inventors:
  • HOYER, Philip
    Richmond (GB)
  • ROBINTON, Mark
    Eden Prairie, MN 55347 (US)
  • NOVAK, Petr
    25230 Revnice (CZ)

(74)Representative: DTS Patent- und Rechtsanwälte Schnekenbühl und Partner mbB 
Marstallstrasse 8
80539 München
80539 München (DE)


(56)References cited: : 
EP-A1- 2 518 657
US-A1- 2014 023 195
US-A1- 2011 074 552
  
  • Epc Global Inc.: "EPC Radio-Frequency Identity Protocols Generation-2 UHF RFID Specification for RFID Air Interface, Protocol for Commnuications at 860MHz-960MHz, Version 2.0.0 Ratified", , 1 November 2013 (2013-11-01), pages 1-152, XP055164148, Retrieved from the Internet: URL:http://www.gs1.org/sites/default/files /docs/uhfc1g2/uhfc1g2_2_0_0_standard_20131 101.pdf [retrieved on 2015-01-22]
  
Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


Description

FIELD OF THE DISCLOSURE



[0001] The present disclosure is generally directed toward data carriers and, in particular, toward controlling personalization of data carriers, such as tags.

BACKGROUND



[0002] US2011/07455211 A1 is directed to an apparatus and a method for advanced communication in low-power wireless applications.
EP2518657 A1 is directed to an application to control access rights to a tag chip.
Epc Global Inc.: "EPC Radio-Frequency Identity Protocols Generation-2 UHF RFID Specification for RFID Air Interface, Protocol for Communications at 860MHz-960Mhz, Version 2.0.0 Ratified" is directed to a communication protocol.
US2014/023195 A1 is directed to a method for authentication between a RFID tag and an interrogator.

[0003] There are multiple Radio Frequency Identification (RFID) and non-RFID tags in commerce that have the capability to store data. Four standards currently dominate RFID communication: ISO/IEC 14443-A, ISO/IEC 14443-B, ISO/IEC 15693, and JIS X6319-4. Other types of tags may employ Bluetooth® communication protocols, Near-Field Communications (NFC) protocols, Zigbee communication protocols, ZWave communication protocols, and the like. Data is often written to a tag using an appropriate writing device that communicates with the tag via an appropriate protocol. On the other side, a reading device is used to read the data from the tag, again via the appropriate protocol. It can be possible that a single device has reading and writing capabilities. One example of such a device is an NFC-equipped mobile device that operates in a read / write mode.

[0004] Industry efforts, such as the NFC forum, have defined specifications regulating the format of messages that are written on NFC-enabled tags (e.g., NFC Data Exchange Format (NDEF) message definition standards). Tags that communicate with other protocols have similar limitations on the format of messages that can be written thereto. These standards do not, however, define how to control who can write data to a tag and/or when data can be written to the tag. This lack of control raises a serious issue. Specifically, regardless of the type of communication protocol used by the tag to communicate with other devices, data on a tag can be overwritten either accidentally or purposefully. Some proprietary solutions have the capability to switch off the tag's ability to have data written thereto, thereby avoiding the problem of overwriting data on the tag. As an example, the tag can be switched into a read-only mode of operation, thereby preserving all data written to the tag prior to switching the mode of operation of the tag.

[0005] The above-noted methods of protecting data on a tag have non-trivial shortcomings. On the one hand, if no write-protection controls are utilized, then anyone can write and modify the data on the tag. This is not acceptable in many applications where data on the tag needs to be trusted. On the other hand, if a read-only tag is utilized, then the tag cannot be modified once the tag is placed into the field. This strict control makes it difficult to enable flexible application development for the tags.

SUMMARY



[0006] The invention is defined by independent claims 1 and 10. Further embodiments are defined by the dependent claims. It is, therefore, one aspect of the present disclosure to provide a tag with the ability to protect its memory from unauthorized write commands. Specifically, data elements written to the tag may be protected with one or more access keys. The access keys may be used to specifically protect a predetermined location or portion of the tag's memory or, in other embodiments, the access keys may be used to specifically protect data elements after the data elements have been written to the tag's memory.

[0007] In one aspect, the tag includes an access control applet that includes an access control list. The access control list may provide a mapping between access keys maintained in the access control applet and data elements stored in the access control applet. When a writing device attempts to write or overwrite a data element, the access control applet may utilize the access control list to compare a key received from the writing device with the access key(s) mapped to the data element being written or overwritten. More specifically, the access control applet may execute an authentication protocol in response to receiving a write request from a writing device. The authentication protocol may enable the access control applet to authenticate the writing device using one of the access keys stored in the access control applet. Once authenticated, the writing device may write a data element to the access control applet.

[0008] The data elements may be read from the access control applet via a separate data applet that is selected by a reading device. The data applet may copy the data elements from the access control applet and store the copied data elements in a data buffer. Data elements stored in the data buffer may then be provided to a reading device. By separating the applets and their functionality (e.g., one applet manages/controls write operations and another applet manages/controls read operations), the tag is able to protect the integrity of the data elements written to its memory.

[0009] In one aspect, a tag is provided that generally comprises: computer-readable memory including:

an access control applet having the ability to store one or more data elements;

one or more access keys;

an access control list providing a mapping of the one or more access keys to the one or more data elements, wherein the access control applet implements an authentication protocol in response to receiving a write command from a writing device, the authentication protocol including confirming that the writing device provides the tag with the one or more access keys prior to allowing the writing device to write a data element to the memory.



[0010] The one or more access keys may include a first access key and a second access key, where a first memory location has write permissions controlled by the first access key, and where a second memory location different from the first memory location has write permissions controlled by the second access key. In some embodiments, the first access key may be maintained exclusively by a manufacturer of the tag and the second access key may be shared with a personalization entity.

[0011] In one aspect, a first data element is written to the first memory location by a first entity and a second data element is written to the second memory location by a second entity with reference to at least one of the first data element and the first memory location. Thus, any personalization of the tag that occurs after manufacturing of the tag may continue to reference the original data element(s) written to the tag by the manufacturer. Moreover, subsequent personalization events may also reference the first data element and/or the second data element.

[0012] The access keys may be maintained within the access control applet and may also be used for other purposes than simple authentication. For instance, the access keys can also used to create an encrypted communication channel between the writing device and the tag when writing the data element to the memory.

[0013] In some embodiments, the data element written to the memory may include an NDEF record.

[0014] It is another aspect of the present disclosure to provide a separate applet within the memory that is responsible for handling read operations. The separate applet may correspond to a data applet that is separate from the access control applet. The data applet may be used to provide the one or more data elements to a reading device by obtaining the one or more data elements from the access control applet and then providing the one or more data elements to the reading device. Furthermore, the data applet may include a data buffer that temporarily stores copies of the one or more data elements in response to receiving a read request from the reading device and then provides the reading device with the copies of the one or more data elements. Further still, where the one or more data elements include at least two data elements, the data applet may be configured to concatenate the at least two data elements in a patterned template (e.g., an NDEF template, a Bluetooth template, etc.) specified by at least one of the one or more data elements.

[0015] As can be appreciated, the specific tag type is not limited to NFC tags. Instead, the tag may be configured to operate using at one of an NFC protocol, an Ultra-High Frequency (UHF) protocol, a High Frequency (HF) protocol, and a Bluetooth protocol. Other tag types may also benefit from the tag designs proposed herein.

[0016] In another aspect, a method of writing data to memory of a tag is provided that generally comprises:

receiving, at the tag, a first write command from a first writing device;

receiving, at the tag, a first key from the first writing device;

prior to executing the first write command at the tag, comparing the first key to one or more access keys stored in the memory and then authenticating the first writing device by confirming the first key received from the first writing device matches a first access key included in the one or more access keys, wherein the one or more access keys are stored in an access control applet maintained in the memory of the tag;

upon authenticating the first writing device, completing the first write command by writing a first data element to the memory;

receiving, at the tag, a second write command from a second writing device;

receiving, at the tag, a second key from the second writing device;

prior to executing the second write command at the tag, comparing the second key to the one or more access keys and then authenticating the second writing device by confirming the second key received from the second writing device matches a second access key included in the one or access keys; and

upon authenticating the second writing device, completing the second write command by writing a second data element to the memory.



[0017] In some embodiments, the first writing device is different from the second writing device, the first data element is written to a first memory location, the second data element is written to a second memory location, and the first and second memory locations are write-protected by the first and second access keys, respectively.

[0018] In some embodiments, the first access key corresponds to a first private encryption key from a private-private encryption key pair, wherein the second access key corresponds to a second private encryption key from a public-private encryption key pair, and wherein the second key received from the second writing device corresponds to a public encryption key from the public-private encryption key pair.

[0019] In some embodiments, the first write command and the second write command are received in one or more messages transmitted in accordance with at least one of a Near-Field Communications (NFC) protocol, an Ultra-High Frequency (UHF) protocol, a High Frequency (HF) protocol, and a Bluetooth protocol.

[0020] In one aspect, the second data element references the first data element.

[0021] In some embodiments, the method may also include a process of reading the data element(s) from the tag's memory. Specifically, the method may further include:

receiving, at the tag, a read command from a reading device, the read command identifying a data applet as a selected data applet from which at least one of the first and second data elements are to be read from the tag;

in response to receiving the read command, copying at least one of the first and second data elements to a data buffer maintained in the selected data applet; and providing at least one of the first and second data elements to the reading device from the data buffer.



[0022] In responding to the read request, the tag may concatenate the first and second data element in a patterned template specified by one of the first and second data element. The patterned template may correspond to an NFC-specific template.

[0023] In some embodiments, when at least one of the first and second data elements are written to the memory an encrypted communications channel may be used, the encrypted communications channel may be encrypted with at least one of the first access key and the second access key.

[0024] The present disclosure will be further understood from the drawings and the following detailed description. Although this description sets forth specific details, it is understood that certain embodiments of the invention may be practiced without these specific details.

BRIEF DESCRIPTION OF THE DRAWINGS



[0025] 

Fig. 1 is a block diagram depicting a tag personalization system in accordance with embodiments of the present disclosure;

Fig. 2A is a block diagram depicting a first step in writing a data element to a tag in accordance with embodiments of the present disclosure;

Fig. 2B is a block diagram depicting a second step in writing a data element to a tag in accordance with embodiments of the present disclosure;

Fig. 2C is a block diagram depicting a third step in writing a data element to a tag in accordance with embodiments of the present disclosure;

Fig 2D is a block diagram depicting a fourth step in writing a data element to a tag in accordance with embodiments of the present disclosure;

Fig. 3 depicts a reading process in accordance with embodiments of the present disclosure;

Fig. 4 depicts details of a reading and/or writing device in accordance with embodiments of the present disclosure;

Fig. 5 depicts details of a reading process in accordance with embodiments of the present disclosure;

Fig. 6 depicts a secure writing process in accordance with embodiments of the present disclosure; and

Fig. 7 depicts details of a sequential personalization process in accordance with embodiments of the present disclosure.


DETAILED DESCRIPTION


COPYRIGHT AND LEGAL NOTICES



[0026] A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyrights whatsoever.

[0027] The ensuing description provides embodiments only, and is not intended to limit the scope, applicability, or configuration of the claims. Rather, the ensuing description will provide those skilled in the art with an enabling description for implementing the embodiments. It being understood that various changes may be made in the function and arrangement of elements without departing from the scope of the appended claims.

[0028] Embodiments of the present disclosure will be described in connection with an illustrative tag, a system for personalizing a tag, and other related processes. While most of the discussions herein refer to a "tag" as being the vehicle that has data elements written to a memory thereof and provides the data elements to a reading device, it should be appreciated that embodiments of the present disclosure are not so limited.

[0029] For instance, any form factor may be used. Examples of such form factors include card-type tags, key fobs, wristbands, smart tags embedded in clothing or other objects, smart watches, stickers, smart phones, laptops, tablets, etc.

[0030] With reference initially to Fig. 1 an illustrative system 100 for personalizing one or more tags from a population of manufactured tags 132 will be described in accordance with at least some embodiments of the present disclosure. The depicted system 100 includes one or more personalized tags 108 and a population of manufactured tags 132 that have yet to be personalized by a personalization entity. The tags 108, 132 may be manufactured by a tag manufacturer 120 that produces the tags 108, 132 with memory 112 and other required hardware and/or software components. As will be discussed in further detail herein, the tag manufacturer 120 may correspond to one example of a personalization entity that is responsible for personalizing a tag in a first step before it is personalized by another, different entity.

[0031] Personalization of a tag may be performed with one or more writing devices 104a, 104b. The writing devices 104a, 104b may be owned and/or operated by the tag manufacturer 120 or by other different personalization entities. The tag manufacturer 120 may produce the tags 108, 132 in such a way that personalization thereof is controlled by access keys 124. Specifically, the manufacturer may write-protect the memory 112 of the tags 108, 132 with one or more access keys 124 such that only an writing devices that present a valid access key (e.g., from the access keys 124) to the tag 108, 132 are allowed to personalize the tag (e.g., write a data element thereto).

[0032] In accordance with at least some embodiments, the tag manufacturer 120 may utilize a first writing device 104a to write a first data element 116a to a tag, thereby creating a personalized tag 108. Personalization by the tag manufacturer 120 may be relatively straight-forward since the tag manufacturer 120 will not need to provide an access key to another entity. In some embodiments, the first data element 116a may be written to the memory 112 of the tag 108 and may be secured with a first access key 128a. Thus, if the first writing device 104a does not present a valid first access key 128a to the tag 108, the tag 108 may reject the write command issued by the first writing device 104a and may, therefore, not store the first data element 116a in its memory 112. In some embodiments, the tag manufacturer 120 may authenticate with the tag 108 using a private-private key pair since the tag manufacturer 120 does not necessarily need to distribute the key to other entities. However, is should be appreciated that an asymmetric key pair (e.g., public-private key pair) may be used by the tag manufacturer 120 to authenticate itself prior to writing a data element to the tag 108.

[0033] Where the tag manufacturer 120 does not control the first writing device 104a, the tag manufacturer 120 may need to provide a first access key 128a to a personalization entity that does operate the first writing device 104a. In some embodiments, the first access key 128a provided to the personalization entity may correspond to a public key from a public-private key pair and the private key from the public-private key pair may be stored in the memory 112 of the tag when manufactured. Use of a public-private key pair may enable the tag manufacturer 120 to easily distribute or share the first access key 128a. The private key stored in the memory 112 of the tag may be used to authenticate the first access key 128 received from the first writing device 104a prior to executing a write command issued by the first writing device 104a. It should be appreciated, however, that a symmetric key pair (e.g., private-private key pair) may be used by the personalization entity to authenticate itself prior to writing a data element to the tag 108.

[0034] As shown in Fig. 1, the tag manufacturer 120 may distribute other keys from the access keys 124 to other entities. For instance, a second access key 116b may be provided to a second personalization entity that uses a second writing device 104b to write a second data element 116b to a tag 108, 132. As can be appreciated, while Fig. 1 depicts only two writing devices 104a, 104b and two access keys 128a, 128b, embodiments of the present disclosure are not so limited. In fact, the access keys 124 may include one, two, three, ..., twenty, etc. keys and some of all of the access keys 124 may be written to each manufactured tag 132. In some embodiments, only a subset of all access keys 124 maintained by the tag manufacturer 120 are written to a set of manufactured tag 132, thereby enabling the tag manufacturer 120 to control which personalization entities are allowed to personalize certain of the manufactured tags 132. In other words, the tag manufacturer 120 may produce one set of tags for personalization by one set of personalization entities and another set of tags for personalization by another set of personalization entities.

[0035] In some embodiments, the manner in which the access keys 116a, 116b are distributed to the personalization entities (and their writing devices) may depend upon the type of access key 116a, 116b used. Where the distributed access key corresponds to a private key, the tag manufacturer 120 may encrypt communications to the personalization entity that contains the access key. Additionally or alternatively, the tag manufacturer 120 may store the access keys on a portable memory device (e.g., portable flash memory) and hand deliver or mail the portable memory device to the personalization entity. On the other hand, where the distributed access key corresponds to a public key from a public-private key pair, the access key may be sent over a communication network without encryption or at least without substantially strong encryption (e.g., less than 256-bit encryption).

[0036] As will be discussed in further detail herein, the first and second writing devices 104a, 104b may correspond to the same device or different devices. Additionally, the writing devices 104a, 104b may be owned and operated by a common entity or by different entities without departing from the scope of the present disclosure.

[0037] With reference now to Figs. 2A-2D, details of a process for writing data to a tag, thereby creating a personalized tag 108 will be described in accordance with at least some embodiments of the present disclosure. With initial reference to Fig. 2A, a first step in the writing process is depicted. The first step in the writing process begins with a first writing device 204 sending a first write command to a tag 208 (step S201). The first writing device 204 may be similar or identical to the first writing device 104a and the tag 208 may correspond to one of the manufactured tags 132 and/or the personalized tag 108.

[0038] The write command may be issued in accordance with communication protocols supported by the tag 208 and/or first writing device 204. Specifically, the tag 208 may be configured to support a number of different communication protocols via its communication interface 212. Examples of the communication protocols that may be supported by the tag 208 and more specifically the interface 212 of the tag 208 include, without limitation, NFC protocol, Bluetooth, UHF protocols, HF protocols, or any other RF-based proximity communication protocol.

[0039] In some embodiments, the communication channel established between the first writing device 204 and tag 208 may correspond to a RF inductive coupling between antennas of each device. The inductive coupling between the first writing device 204 and tag 208 may depend upon a relative proximity of the two devices. Thus, the communication channel may correspond to a wireless communication channel such as an NFC channel. Other wireless and RF-based proximity protocols such as Bluetooth, WiFi (e.g., IEEE 802.1 IN), and the like may also be used to establish a communication channel between the first writing device 204 and tag 208. The channel may be established directly between the two devices or it may be established indirectly (e.g., by passing through a wireless router, server, and/or the like). In other embodiments, the communication channel may be wired (e.g., via a Universal Serial Bus (USB) wire, Ethernet wire, etc.).

[0040] In some embodiments, the first writing device 204 may correspond to any type of electro-mechanical device capable of interacting with the tag 208. Regardless of whether the communication channel is a wired or wireless channel, the process begins with the first writing device 204 transmitting the write command to the tag 208. The write command may include data (e.g., a first data element 116a) that the first writing device 204 is attempting to write to memory 112 or the write command may simply include a request to write data to the tag 208. Additionally or alternatively, the write command may simply include the first access key 128a maintained by the first writing device 204. In this scenario, the write command may also include a request for authentication with the tag 208.

[0041] Upon receiving the write command, the tag 208 may begin an authentication protocol in an access control applet 216 stored within memory 112. The access control applet 216 may correspond to a lightweight application stored in the memory 112 of the tag 208 that is responsible for controlling data elements written to the memory 112. In other words, the access control applet 216 may provide a security mechanism that protects the data already written to the memory 112 and/or data locations that have not yet had data written thereto. The access control applet 216 may include an access control list 220 and access keys 128a, 128b (which may match distributed keys or correspond to keys from a public-private key pair). The access keys 128a, 128b may not be the only access keys written to the tag 208; however, for simplicity of illustration only two access keys 128a, 128b are depicted as initially being stored in the access control applet 216. As discussed in Fig. 1, the first and second access keys 128a, 128b may be written to the tag 208 by the tag manufacturer 120 to control write access to the memory 112.

[0042] When the access control applet 216 receives a write request is may respond to the first writing device 204 with a request for an access key, if the access key was not originally provided with the write request in step S201. Upon receiving the access key from the first writing device 204, the access control applet 216 will initiate an authentication protocol in which the access control applet 216 will compare the key received from the first writing device 204 with some or all of the access keys stored locally within memory 112. This comparison may be done with the assistance of the access control list 220 or the comparison may be made directly with each of the access keys 128a, 128b stored in memory 112.

[0043] As shown in Figs. 2B, if the access control applet 216 determines that the key received from the first writing device 204 matches an access key stored in memory 112 (e.g., the first access key 128a was received from the first writing device 204 or a public key complimenting the first access key 128a was received from the first writing device 204), the access control applet 216 may proceed by allowing the first writing device 204 to write a first data element 116a thereto (step S202). As used herein, the access control applet 216 may identify "matching" keys by identifying keys that perfectly match one another (e.g., private-private key pair) or that compliment one another (e.g., public-private key pair). Accordingly, the use of the term "matching" is intended to encompass both perfect matches and complimentary matches.

[0044] When the first data element 116a is written to the access control applet 216, the access control list 220 may be updated to reflect a mapping of the first data element 116a to the first access key 128a. In other words, the access control list 220 may contain information that maps each access key 128a, 128b to a particular data element and/or to a particular location in memory 112. The access control list 220 may be used to restrict data writes or overwrites to only those writing devices that present a valid access key.

[0045] In some embodiments, the first data element 116a may be stored in memory 112 in accordance with the type of tag 208 being used. For instance, where the tag 208 corresponds to an NFC tag, the first data element 116a may be stored as one or more NDEF records. As can be appreciated, the first data element 116a may be stored as any type of data structure or collection of data structures and the format of that data structure may depend upon the type of the tag 208. Once the first data element 116a has been written to the tag 208, the tag 208 may be considered a personalized tag 108. This may be the case regardless of whether or not a personalization entity or the tag manufacturer 120 was operating the first writing device 204.

[0046] Further personalization of the tag 208 is shown in Fig. 2C when a second writing device 232 begins a process of writing a second data element 116b to the tag 208. In particular, the second writing device 232 issues a write command to the tag (step S203). The type write command issued by the second writing device 232 may be similar or identical to the type of write command issued by the first writing device 204. It should be appreciated, however, that the second writing device 232 may issue a write command with a second access key 128b instead of the first access key 128a. It should also be appreciated that the first writing device 204 and second writing device 232 may actually be the same device without departing from the scope of the present disclosure.

[0047] Upon receiving the write command from the second writing device 232, the access control applet 216 may perform an authentication process in which an access key received from the second writing device 232 is compared with keys listed in the access control list 220 and/or compared directly to keys stored in memory 112. If the access control applet 216 determines that the second writing device 232 has presented a valid key (e.g., a key that matches a locally-stored access key, such as the second access key 128b), the access control applet 216 will continue by completing the write process. In particular, the access control applet 216 will allow the second data element 116b to be written to memory 112 (step S204).

[0048] As with the first data element 116a, the second data element 116b may be stored in memory with a reference to the second access key 128b. In some embodiments, the mapping between the second data element 116b and the second access key 128b may be maintained in the access control list 220. Any subsequent re-writing of the second data element 116b may require the writing device to present the second access key 128b to be provided by the writing device. This helps secure the data element and/or the memory location used to store the data element.

[0049] With reference now to Fig. 3, a process of reading one or more data elements 116a, 116b from the memory 112 will be described in accordance with at least some embodiments of the present disclosure. The reading process is initiated when a reading device 236 provides the tag 208 with a read command (step S301). The reading device 236 may correspond to a same or similar device as the writing devices or the reading device 236 may be a different device. The read command may be directed to a particular application on the tag 208, specifically the data applet 224. Even more specifically, the reading device 236 may issue the read request and address the request to the data applet 224 stored on the tag 208. In some embodiments, the data applet 224 corresponds to a lightweight application that is separate and distinct (e.g., occupies separate code space and is operated with separate processing resources) than the access control applet 216. It should be appreciated that the tag 208 may comprise one, two, three, or more different data applets to support read operations for different applications and/or to support different reading devices 236. The single instance of a data applet 224 is depicted for simplicity.

[0050] Upon receiving the read request, the data applet 224 may identify the data elements that are being requested by the reading device 236 and may further identify where the data elements are stored by the access control applet 216. Upon identifying the location of the requested data elements 116a, 116b, the data applet 224 may copy the necessary data elements 116a, 116b to a data buffer 228 maintained by the data applet 224 (steps S302 and S303).

[0051] The data buffer 228 may correspond to a memory location where the data elements 116a, 116b can be temporarily stored by the data applet 224 such that the data applet 224 can provide the data elements 116a, 116b to the reading device 236. Once the copies of the data elements 116a, 116b have been stored in the data buffer 228, the data applet 224 may provide the requested data elements 116a, 116b back to the reading device 236 (step S304). If the data applet 224 is providing multiple data elements back to the reading device 236, the data applet 224 may concatenate the data elements prior to transmitting the data back in step S304. Alternatively, the data elements 116a, 116b may be provided separately in one or more separate response messages. In some embodiments, the multiple data elements 116a, 116b may be concatenated in a patterned template specified by at least one of the one or more data elements. As an example, if one or both of the data elements 116a, 116b correspond to an NDEF record, then the concatenation of the multiple data elements may be patterned into an NDEF record that contains the information from all of the data elements 116, 116b. The data elements 116a, 116b may correspond to any type of data stored by the tag 208 examples of which include, without limitation, a URL, email address, a phone number, combinations thereof, etc.

[0052] With reference now to Fig. 4, additional details of a reading/writing device 400 will be described in accordance with at least some embodiments of the present disclosure. As can be appreciated, the reading/writing device 400 may correspond to any of the reading and/or writing devices described herein, especially since it is contemplated that reading devices may also operate as writing devices.

[0053] The reading/writing device 400 may correspond to hand-held reader, a mobile communication device (e.g., smart phone, tablet, laptop, Personal Digital Assistant (PDA), smart watch, remote control, smart vehicle or car, etc.), or the like. In some embodiments, the reading/writing device 400 may communicate with the tag using RF inductive coupling (e.g., at frequencies of 125kHz, 13.56MHz, etc.). Other protocols such as Bluetooth and/or WiFi may also be used to facilitate communications between the reading/writing device 400 and tag.

[0054] The reading/writing device 400 may correspond to a mobile communication device such as a cellular phone, smart phone, tablet, laptop, or any other device that is NFC-enabled, Bluetooth-enabled, or otherwise configured to communicate via one or more proximity-based RF communication protocols or non-proximity-based RF communication protocols such as ZigBee, for example. The reading/writing device 400 is depicted as comprising a processor 404, memory 408, a tag interface 416, and a network interface 412. In some embodiments, the processor 404 may correspond to a plurality of processors, each configured to perform certain operations for the reading/writing device 400. As an example, the reading/writing device 400 may have dedicated processors for its NFC functions and other functions. In some embodiments, the components of the reading/writing device 400 may be connected together via a data bus or similar architecture. Thus, although the components are depicted as being connected via the central processor 404, such an arrangement of components is not required.

[0055] The processor 404 may correspond to a microprocessor, Central Processing Unit (CPU), collection of processors or CPUs, or the like. In some embodiments, the processor 404 may be configured to execute instructions stored in memory 408, thereby providing functionality to the reading/writing device 400.

[0056] The memory 408 may comprise a number of modules or instruction sets (e.g., applications, drivers, etc.) stored therein. In some embodiments, the memory 408 may include volatile and/or non-volatile memory. As some non-limiting examples, the memory 408 may include an NFC module 418, a messaging module 420, a browser 424, a phone module 428, an email module 432, and an Operating System (O/S) 436. Although not depicted, the memory 408 may further include one or more applications that are purpose-built to communicate with a tag 208 and, in particular, either write data to the tag 208 via the access control applet 216 or read data from the tag 208 via the data applet 224.

[0057] The NFC module 418 may comprise instructions that, when executed by the processor 404, enable the NFC functionality of the reading/writing device 400 and/or any other functions for interacting with a tag 208. For instance, the NFC module 418 may be responsible for causing the reading/writing device 400 to operate in a card emulation mode, a read/write mode, and/or a peer-to-peer mode. The NFC module 418 may also correspond to a specific portion of memory where sensitive data normally communicated via NFC (e.g., data elements 116a, 116b, access keys 128a, 128b, encryption algorithms,, etc.) is securely stored on the reading/writing device 400. As an example, the NFC module 418 may include a secure element such as a SIM card or an embedded secure element where NFC data is stored in an encryption fashion. Thus, the NFC module 418 may correspond to specific memory or memory locations in addition to providing the executable instructions for the processor 404. Alternatively or additionally, the NFC module 418 may be replaced with or supplemented with a Bluetooth module that enables the reading/writing device 400 to communicate with other devices (e.g., the tag 208) via Bluetooth. It should be appreciated that the reading/writing device 400 may be equipped for both Bluetooth and NFC communications. In some embodiments, the Bluetooth communications may occur via the network interface 412 or the tag interface 416.

[0058] When executed, the NFC module 418 or Bluetooth module may cause the processor 404 to exchange information with other devices according to known NFC or Bluetooth protocols via the tag interface 416 or network interface 412. Where NFC is employed, the tag interface 416 may include a coil or antenna that creates an inductive coupling with other RF-enabled devices. The size of the tag interface 416 may depend upon the overall size of the reading/writing device 400 as well as other antennas (e.g., network interface 412) contained within the reading/writing device 400.

[0059] The other phone functionality of the reading/writing device 400 may be provided by the other modules 420, 424, 428, 432 and O/S 436 stored in memory 408. As examples, the O/S 436 may correspond to a mobile operating system specifically designed for smart phones or the like. Non-limiting examples of an O/S 436 include Android®, iOS®, BlackberryOS®, Windows®, Windows Mobile®, and the like. The O/S 436 may be responsible for providing the basic functionality of the phone (e.g., controlling user input and output functions, microphone functions, coordinating drivers, etc.) in addition to coordinating operations of the applications and other modules stored in memory 408.

[0060] The messaging module 420 may correspond to an application that enables the reading/writing device 400 to communication SMS, MMS, and other messages via a cellular communication network. Alternatively or additionally, the messaging module 420 may utilize social media channels.

[0061] The browser 424 may provide the reading/writing device 400 with the ability to browse the Internet, for example. The browser 424, in some embodiments, corresponds to an application that enables the reading/writing device 400 to exchange information with servers and other data providers over a communication network using known Internet Protocols (e.g., HTTP, HTML, XML, etc.). Non-limiting examples of browsers 424 include Internet Explorer®, Safari®, Google Chrome®, mobile versions thereof, etc. In some embodiments, the browser 424 corresponds to at least a portion of the authentication service interface 336.

[0062] The phone module 428 may provide the reading/writing device 400 with the ability to initiate and respond to calls (e.g., voice calls, video calls, multi-media collaborations, etc.). The phone module 428 may also enable a user to perform advanced communication functions such as accessing voicemail, establishing conference calls, etc.

[0063] The email module 432 may provide the reading/writing device 400 with the ability to exchange electronic mail messages with other devices over a communication network. As examples, the email module 432 may specifically support email communications. It should also be appreciated that the email module 432 may be combined with the messaging module 420 to support other types of communications such as social media communications (e.g., Facebook®, Twitter®, etc.), Short Message Service (SMS) messaging, Multimedia Messaging Services (MMS), and so on.

[0064] Communications between the reading/writing device 400 and a broader communication network may be facilitated by the network interface 412, which may actually include several interfaces to different networks or network types. For instance, the network interface 412 may comprise a cellular network interface that enables the reading/writing device 400 to interact with a cellular network, which is usually provided by a Mobile Network Operator (MNO). Alternatively or additionally, the network interface 412 may comprise a Bluetooth interface, Infrared interface, etc. The network interface 412 may alternatively or additionally include an 802.1 IN interface (e.g., Wi-Fi interface), a Universal Serial Bus (USB) port, or any other wired or wireless interface to the communication bus of the reading/writing device 400.

[0065] With reference now to Fig. 5, additional details of a process for reading data from a tag 208 with a reading device will be described in accordance with embodiments of the present disclosure. The process begins when the reading device establishes a communication channel with the tag 208 (step 504). The communication channel may correspond to a proximity-based RF communication channel such as an NFC channel, a Bluetooth channel, a WiFi channel, or the like. Alternatively or additionally, the channel may be established over a wired connection between the devices (e.g., via USB, serial ports, etc.).

[0066] Once the devices are connected, the reading device may select the application from which the reading device wants to read data from the tag 208 (step 508). In some embodiments, the selection may be made by default while in other embodiments, the reading device may be used to enable a user to select from among a list of applications on the tag. Once the appropriate application has been selected (e.g., a version of data applet 224 is selected), the reading device transmits a read request to the selected application (step 512). The selected application on the tag 208 then obtains the requested data elements and provides such data elements back to the reading device as described in connection with Fig. 3 (step 516).

[0067] With reference now to Fig. 6, a method of optionally securing a communication channel between a writing device and the tag 208 will be described in accordance with embodiments of the present disclosure. The process begins when the writing device initially establishes a communication channel with the tag 208 (step 604). The communication channel may correspond to a proximity-based RF communication channel, such as an NFC channel, a Bluetooth channel, a WiFi channel, etc. At this point, the communication channel is not secured and, for that reason, the writing device may refrain from transmitting any sensitive data over the communication channel.

[0068] The process continues with the determination of whether or not a secure communication channel will be used to carry the data elements that are ultimately going to be written to the tag 208 by the writing device (step 608). If the query of step 608 is answered negatively, then the writing device and tag 208 will proceed with the authentication protocol by exchanging access keys and, if authentication is successful, the writing device will begin writing one or more data elements to the tag 208 (step 616).

[0069] On the other hand, if the query of step 608 is answered positively, then the process continues with the writing device and tag 208 encrypting the communication channel between the devices (step 612). In some embodiments, the keys used to write-protect the memory 216 of the tag 208 may also be used to encrypt the communication channel between the devices. Specifically, the writing device may use its version of the access key 128a, 128b to encrypt any messages transmitted to the tag 208 and the tag 208 may use its version of the access key 128a, 128b to decrypt the messages received from the writing device. Advantageously, the use of the access keys for encryption/decryption may obviate the need for a different authentication step. Instead, the tag 208 may assume that the writing device is trusted by virtue of the fact that the messages received from the writing device are capable of being decrypted by a key stored on the tag 208. Failure of the tag 208 to properly decrypt a message from the writing device provides an indication that the key used to encrypt the message was not a valid key. Once the channel has been decrypted, then the process can continue to step 616.

[0070] With reference now to Fig. 7, a sequential personalization process will be described in accordance with at least some embodiments of the present disclosure. The process begins when a first entity writes a first data element 116a to the tag 208 (step 704). The first entity may correspond to the tag manufacturer 120 or to a first personalization entity. The first data element 116a may be stored in the access control applet 216 and may be write-protected by and associated with the first access key 128a. The association of the first data element 116a and first access key 128a may be stored in the access control list 220 as a mapping of the two data structures.

[0071] The process continues with a second entity initiating a process of writing a second data element 116b to the tag 208 (step 708). The second entity may be the same as the first entity or different from the first entity. Moreover, the second entity may correspond to the tag manufacturer 120 or to a second personalization entity. Before or while the second data element 116b is being written to the tag 208, the access control applet 216 may determine that the second data element 116b is going to be written to the tag 208 with a reference to the first data element 116a (step 712). Identification of the first data element 116a and the need to reference the first data element 116a with the second data element 116b may be done automatically by the access control applet 216 or in response to receiving an user instruction to store the second data element 116b with reference to the first data element 116a. The first data element 116a may be found via reference to the access control list 220. Furthermore, reference to the first data element 116a may be protected by the first access key 128a and/or the second access key 128b.

[0072] Once the location of the first data element 116a has been identified, the process continues with the access control applet 216 writing the second data element 116b to the tag 208 with reference to the first data element 116a (step 716). In some embodiments, the reference between data elements may be stored in the access control list 220. In some embodiments, the reference to the first data element 116a may be stored as part of the second data element 116b (e.g., the second data element 116b may be stored in addition to storing a pointer or reference to the first data element 116a). In some embodiments, the second data element 116b may reference the first data element 116a by concatenating the first and second data elements to create a third (combined) data element that is eventually stored and referenced by the second access key 128b.

[0073] It is noted that the embodiments were described as a process which is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed, but could have additional steps not included in the figure.


Claims

1. A tag, comprising:

computer-readable memory including:

an access control applet having the ability to store one or more data elements;

one or more access keys;

an access control list providing a mapping of the one or more access keys to the one or more data elements, wherein the access control applet implements an authentication protocol in response to receiving a write command from a writing device, the authentication protocol including confirming that the writing device provides the tag with the one or more access keys prior to allowing the writing device to write a data element to the memory;

wherein the one or more access keys include a first access key and a second access key, wherein a first memory location has write permissions controlled by the first access key, and wherein a second memory location different from the first memory location has write permissions controlled by the second access key; and

characterized in that a first data element is written to the first memory location by a first entity and wherein a second data element is written to the second memory location by a second entity and a pointer to at least one of the first data element and the first memory location is automatically stored together with the second data element, wherein the second entity may be the same as the first entity or different from the first entity.


 
2. The tag of claim 1, wherein the first access key is maintained exclusively by a manufacturer of the tag and wherein the second access key is shared with a personalization entity.
 
3. The tag of claim 1 or 2, wherein the one or more access keys are also used to create an encrypted communication channel between the writing device and the tag when writing the data element to the memory.
 
4. The tag according to any one of claims 1 to 3, wherein the data element written to the memory comprises a Near-Field Communications (NFC) Data Exchange Format (NDEF) record.
 
5. The tag according to any one of claims 1 to 4, wherein the computer-readable memory further includes a data applet that is used to provide the one or more data elements to a reading device by obtaining the one or more data elements from the access control applet and then providing the one or more data elements to the reading device.
 
6. The tag of claim 5, wherein the data applet comprises a data buffer that temporarily stores copies of the one or more data elements in response to receiving a read request from the reading device and then provides the reading device with the copies of the one or more data elements.
 
7. The tag of claim 6, wherein the one or more data elements comprise at least two data elements and wherein the data applet concatenates the at least two data elements in a patterned template specified by at least one of the one or more data elements.
 
8. The tag according to any one of claims 1 to 7, wherein communications between the tag and the writing device are performed using at least one of a Near-Field Communications (NFC) protocol, an Ultra-High Frequency (UHF) protocol, a High Frequency (HF) protocol, and a Bluetooth protocol.
 
9. The tag according to any one of claims 1 to 8, wherein read permissions for the one or more data elements are not secured with the one or more keys.
 
10. A method of writing data to memory of a tag, the method comprising:

receiving, at the tag, a first write command from a first writing device;

receiving, at the tag, a first key from the first writing device;

prior to executing the first write command at the tag, comparing the first key to one or more access keys stored in the memory and then authenticating the first writing device by confirming the first key received from the first writing device matches a first access key included in the one or more access keys, wherein the one or more access keys are stored in an access control applet maintained in the memory of the tag;

upon authenticating the first writing device, completing the first write command by writing a first data element to the memory;

receiving, at the tag, a second write command from a second writing device;

receiving, at the tag, a second key from the second writing device;

prior to executing the second write command at the tag, comparing the second key to the one or more access keys and then authenticating the second writing device by confirming the second key received from the second writing device matches a second access key included in the one or more access keys; and

upon authenticating the second writing device, completing the second write command by writing a second data element to the memory;

wherein the first writing device is different from the second writing device,

characterized in that the first data element is written to a first memory location, the second data element is written to a second memory location and a pointer to at least one of the first data element and the first memory location is automatically stored together with the second data element, and the first and second memory locations are write-protected by the first and second access keys, respectively.


 
11. The method of claim 10, wherein the first access key corresponds to a first private encryption key from a private-private encryption key pair, wherein the second access key corresponds to a second private encryption key from a public-private encryption key pair, and wherein the second key received from the second writing device corresponds to a public encryption key from the public-private encryption key pair.
 
12. The method of claim 10 or 11, wherein the first write command and the second write command are received in one or more messages transmitted in accordance with at least one of a Near-Field Communications (NFC) protocol, an Ultra-High Frequency (UHF) protocol, a High Frequency (HF) protocol, and a Bluetooth protocol.
 
13. The method according to any one of claims 10 to 12, further comprising:

receiving, at the tag, a read command from a reading device, the read command identifying a data applet as a selected data applet from which at least one of the first and second data elements are to be read from the tag;

in response to receiving the read command, copying at least one of the first and second data elements to a data buffer maintained in the selected data applet; and

providing at least one of the first and second data elements to the reading device from the data buffer.


 
14. The method of claim 13, wherein the first and second data elements are concatenated in a patterned template specified by one of the first and second data element, optionally the patterned template corresponds to a Near-Field Communications (NFC)-specific template.
 
15. The method according to any one of claims 10 to 14, wherein at least one of the first and second data elements are written to the memory using an encrypted communications channel, wherein the encrypted communications channel is encrypted with at least one of the first access key and the second access key.
 


Ansprüche

1. Etikett, aufweisend:
einen computerlesbaren Speicher, der Folgendes enthält:

ein Zugangssteuerungs-Applet mit der Fähigkeit, ein Datenelement oder mehrere Datenelemente zu speichern;

einen oder mehrere Zugangsschlüssel;

eine Zugangssteuerungsliste, die eine Übereinstimmung des einen oder der mehreren Zugangsschlüssel mit dem einen oder den mehreren Datenelementen bereitstellt, wobei das Zugangssteuerungs-Applet ein Authentifizierungsprotokoll im Ansprechen auf den Empfang eines Schreibbefehls von einer Schreibvorrichtung umsetzt, wobei das Authentifizierungsprotokoll eine Bestätigung dessen umfasst, dass die Schreibvorrichtung dem Etikett den einen oder die mehreren Zugangsschlüssel bereitstellt, bevor es der Schreibvorrichtung gestattet wird, ein Datenelement in den Speicher einzuschreiben;

wobei der eine oder die mehreren Zugangsschlüssel einen ersten Zugangsschlüssel und einen zweiten Zugangsschlüssel aufweisen, wobei ein erster Speicherort Schreibberechtigungen aufweist, die durch den ersten Zugangsschlüssel geregelt sind, und wobei ein zweiter Speicherort, der sich vom ersten Speicherort unterscheidet, Schreibberechtigungen aufweist, die durch den zweiten Zugangsschlüssel geregelt sind; und

dadurch gekennzeichnet, dass ein erstes Datenelement in den ersten Speicherort durch eine erste Entität geschrieben wird und wobei ein zweites Datenelement in den zweiten Speicherort durch eine zweite Entität geschrieben wird und ein Zeiger auf das erste Datenelement und/oder den ersten Speicherort automatisch zusammen mit dem zweiten Datenelement gespeichert wird, wobei die zweite Entität dieselbe sein kann wie die erste Entität oder eine andere als die erste Entität.


 
2. Etikett nach Anspruch 1, wobei der erste Zugangsschlüssel ausschließlich durch einen Hersteller des Etiketts unterhalten wird und der zweite Zugangsschlüssel mit einer Personalisierungsentität geteilt wird.
 
3. Etikett nach Anspruch 1 oder 2, wobei der eine oder die mehreren Zugangsschlüssel auch dazu verwendet wird bzw. werden, beim Einschreiben des Datenelements in den Speicher einen verschlüsselten Kommunikationskanal zwischen der Schreibvorrichtung und dem Etikett zu erzeugen.
 
4. Etikett nach einem der Ansprüche 1 bis 3, wobei das in den Speicher geschriebene Datenelement eine Nahfeldkommunikations-(NFC)-Datenaustauschformat-(NDEF)-Aufzeichnung aufweist.
 
5. Etikett nach einem der Ansprüche 1 bis 4, wobei der computerlesbare Speicher darüber hinaus ein Daten-Applet aufweist, das dazu verwendet wird, einer Lesevorrichtung das eine oder die mehreren Datenelemente bereitzustellen, indem das eine oder die mehreren Datenelemente von dem Zugangssteuerungs-Applet erhalten werden und dann der Lesevorrichtung das eine oder die mehreren Datenelemente bereitgestellt wird.
 
6. Etikett nach Anspruch 5, wobei das Daten-Applet einen Datenpuffer aufweist, der im Ansprechen auf den Empfang einer Leseaufforderung von der Lesevorrichtung temporär Kopien des einen oder der mehreren Datenelemente speichert und dann der Lesevorrichtung die Kopien des einen oder der mehreren Datenelemente bereitstellt.
 
7. Etikett nach Anspruch 6, wobei das eine oder die mehreren Datenelemente mindestens zwei Datenelemente aufweist bzw. aufweisen und wobei das Daten-Applet die mindestens zwei Datenelemente in einer strukturierten Vorlage verknüpft, die durch mindestens eines des einen oder der mehreren Datenelemente festgelegt ist.
 
8. Etikett nach einem der Ansprüche 1 bis 7, wobei Datenübertragungen zwischen dem Etikett und der Schreibvorrichtung unter Verwendung eines Nahfeldkommunikations-(NFC)-Protokolls, eines Ultrahochfrequenz-(UHF)-Protokolls, eines Hochfrequenz-(HF)-Protokolls und/oder eines Bluetooth-Protokolls durchgeführt werden.
 
9. Etikett nach einem der Ansprüche 1 bis 8, wobei Leseberechtigungen für das eine oder die mehreren Datenelemente nicht mit dem einen oder den mehreren Schlüsseln gesichert sind.
 
10. Verfahren zum Einschreiben von Daten in einen Speicher eines Etiketts, wobei das Verfahren umfasst:

Empfangen, am Etikett, eines ersten Schreibbefehls von einer ersten Schreibvorrichtung;

Empfangen, am Etikett, eines ersten Schlüssels von der ersten Schreibvorrichtung;

vor dem Ausführen des ersten Schreibbefehls am Etikett, Vergleichen des ersten Schlüssels mit einem oder mehreren Zugangsschlüsseln, die im Speicher gespeichert sind, und dann Authentifizieren der ersten Schreibvorrichtung, indem bestätigt wird, dass der von der ersten Schreibvorrichtung empfangene erste Schlüssel mit einem ersten Zugangsschlüssel übereinstimmt, der in dem einen oder den mehreren Zugangsschlüsseln enthalten ist, wobei der eine oder die mehreren Zugangsschlüssel in einem Zugangssteuerungs-Applet gespeichert ist bzw. sind, das im Speicher des Etiketts unterhalten wird;

nach Authentifizieren der ersten Schreibvorrichtung, Vollenden des ersten Schreibbefehls durch Einschreiben eines ersten Datenelements in den Speicher;

Empfangen, am Etikett, eines zweiten Schreibbefehls von einer zweiten Schreibvorrichtung;

Empfangen, am Etikett, eines zweiten Schlüssels von der zweiten Schreibvorrichtung;

vor dem Ausführen des zweiten Schreibbefehls am Etikett, Vergleichen des zweiten Schlüssels mit dem einem oder den mehreren Zugangsschlüsseln, und dann Authentifizieren der zweiten Schreibvorrichtung, indem bestätigt wird, dass der von der zweiten Schreibvorrichtung empfangene zweite Schlüssel mit einem zweiten Zugangsschlüssel übereinstimmt, der in dem einen oder den mehreren Zugangsschlüsseln enthalten ist; und

nach Authentifizieren der zweiten Schreibvorrichtung, Vollenden des zweiten Schreibbefehls durch Einschreiben eines zweiten Datenelements in den Speicher;

wobei sich die erste Schreibvorrichtung von der zweiten Schreibvorrichtung unterscheidet,

dadurch gekennzeichnet, dass das erste Datenelement in einen ersten Speicherort geschrieben wird, das zweite Datenelement in einen zweiten Speicherort geschrieben wird und ein Zeiger auf das erste Datenelement und/oder den ersten Speicherort automatisch zusammen mit dem zweiten Datenelement gespeichert wird, und der erste und zweite Speicherort durch den ersten bzw. zweiten Zugangsschlüssel schreibgeschützt sind.


 
11. Verfahren nach Anspruch 10, wobei der erste Zugangsschlüssel einem ersten privaten Verschlüsselungsschlüssel von einem Verschlüsselungsschlüsselpaar privat-privat entspricht, der zweite Zugangsschlüssel einem zweiten privaten Verschlüsselungsschlüssel von einem Verschlüsselungsschlüsselpaar öffentlich-privat entspricht, und wobei der zweite Schlüssel, der von der zweiten Schreibvorrichtung empfangen wird, einem öffentlichen Verschlüsselungsschlüssel vom Verschlüsselungsschlüsselpaar öffentlich-privat entspricht.
 
12. Verfahren nach Anspruch 10 oder 11, wobei der erste Schreibbefehl und der zweite Schreibbefehl in einer oder mehreren Nachrichten empfangen werden, die gemäß einem Nahfeldkommunikations-(NFC)-Protokoll, einem Ultrahochfrequenz-(UHF)-Protokoll, einem Hochfrequenz-(HF)-Protokoll und/oder einem Bluetooth-Protokoll übertragen werden.
 
13. Verfahren nach einem der Ansprüche 10 bis 12, darüber hinaus umfassend:

Empfangen, am Etikett, eines Lesebefehls von einer Lesevorrichtung, wobei der Lesebefehl ein Daten-Applet als ein ausgewähltes Daten-Applet bestimmt, von dem das erste und/oder zweite Datenelement aus dem Etikett auszulesen ist bzw. sind;

im Ansprechen auf dem Empfang des Lesebefehls, Kopieren des ersten und/oder zweiten Datenelements in einen Datenpuffer, der im ausgewählten Daten-Applet unterhalten wird; und

Bereitstellen des ersten und/oder zweiten Datenelements an die Lesevorrichtung vom Datenpuffer.


 
14. Verfahren nach Anspruch 13, wobei das erste und zweite Datenelement in einer strukturierten Vorlage verknüpft sind, die durch das erste oder zweite Datenelement festgelegt ist, wobei die strukturierte Vorlage optional einer für Nahfeldkommunikation (NFC) spezifischen Vorlage entspricht.
 
15. Verfahren nach einem der Ansprüche 10 bis 14, wobei das erste und/oder zweite Datenelement unter Verwendung eines verschlüsselten Kommunikationskanals in den Speicher geschrieben wird bzw. werden, wobei der verschlüsselte Kommunikationskanal mit dem ersten Zugangsschlüssel und/oder zweiten Zugangsschlüssel verschlüsselt wird.
 


Revendications

1. Étiquette, comprenant :
une mémoire lisible par ordinateur comprenant :

un applet de contrôle d'accès ayant la capacité de conserver en mémoire un ou plusieurs éléments de données ;

une ou plusieurs clés d'accès ;

une liste de contrôle d'accès fournissant une mise en correspondance de la ou des clés d'accès avec le ou les éléments de données, dans laquelle l'applet de contrôle d'accès implémente un protocole d'authentification en réponse à la réception d'une commande d'écriture provenant d'un dispositif d'écriture, le protocole d'authentification comprenant la confirmation que le dispositif d'écriture fournit l'étiquette avec la ou les clés d'accès avant d'autoriser le dispositif d'écriture à écrire un élément de données sur la mémoire ;

dans laquelle la ou les clés d'accès comprennent une première clé d'accès et une seconde clé d'accès, dans laquelle un premier emplacement de mémoire a des autorisations d'écriture commandées par la première clé d'accès et dans laquelle un second emplacement de mémoire différent du premier emplacement de mémoire a des autorisations d'écriture commandées par la seconde clé d'accès ; et

caractérisée en ce qu'un premier élément de données est écrit sur le premier emplacement de mémoire par une première entité et qu'un second élément de données est écrit sur le second emplacement de mémoire par une seconde entité et un pointeur vers au moins un élément parmi le premier élément de données et le premier emplacement de mémoire est automatiquement mémorisé conjointement avec le second élément de données, la seconde entité pouvant être la même que la première entité ou différente de la première entité.


 
2. Étiquette selon la revendication 1, dans laquelle la première clé d'accès est maintenue exclusivement par un fabricant de l'étiquette et dans laquelle la seconde clé d'accès est partagée avec une entité de personnalisation.
 
3. Étiquette selon la revendication 1 ou 2, dans laquelle la ou les clés d'accès sont également utilisées pour créer un canal de communication crypté entre le dispositif d'écriture et l'étiquette lors de l'écriture de l'élément de données sur la mémoire.
 
4. Étiquette selon l'une quelconque des revendications 1 à 3, dans laquelle l'élément de données écrit sur la mémoire comprend un enregistrement de format d'échange de données (NDEF) de communication en champ proche (NFC).
 
5. Étiquette selon l'une quelconque des revendications 1 à 4, dans laquelle la mémoire lisible par ordinateur comprend en outre un applet de données qui est utilisé pour fournir le ou les éléments de données à un dispositif de lecture en obtenant le ou les éléments de données à partir de l'applet de contrôle d'accès puis en fournissant le ou les éléments de données au dispositif de lecture.
 
6. Étiquette selon la revendication 5, dans laquelle l'applet de données comprend un tampon de données qui mémorise temporairement des copies du ou des éléments de données en réponse à la réception d'une demande de lecture à partir du dispositif de lecture puis fournit au dispositif de lecture les copies du ou des éléments de données.
 
7. Étiquette selon la revendication 6, dans laquelle le ou les éléments de données comprennent au moins deux éléments de données et dans laquelle l'applet de données concatène les au moins deux éléments de données dans un modèle modélisé spécifié par au moins un du ou des éléments de données.
 
8. Étiquette selon l'une quelconque des revendications 1 à 7, dans laquelle les communications entre l'étiquette et le dispositif d'écriture sont effectuées à l'aide d'au moins un protocole de communication en champ proche (NFC), d'un protocole de ultra-haute fréquence (UHF), d'un protocole de haute fréquence (HF) et d'un protocole Bluetooth.
 
9. Étiquette selon l'une quelconque des revendications 1 à 8, dans laquelle les autorisations de lecture du ou des éléments de données ne sont pas sécurisées avec la ou les clés.
 
10. Procédé d'écriture de données pour mettre en mémoire une étiquette, le procédé comprenant :

la réception, au niveau de l'étiquette, d'une première commande d'écriture provenant d'un premier dispositif d'écriture ;

la réception, au niveau de l'étiquette, d'une première clé provenant du premier dispositif d'écriture ;

avant d'exécuter la première commande d'écriture au niveau de l'étiquette, la comparaison de la première clé avec une ou plusieurs clés d'accès mémorisées dans la mémoire suivie de l'authentification du premier dispositif d'écriture par confirmation que la première clé reçue du premier dispositif d'écriture coïncide avec une première clé d'accès comprise dans la ou les clés d'accès, la ou les clés d'accès étant mémorisées dans un applet de contrôle d'accès conservé dans la mémoire de l'étiquette ;

lors de l'authentification du premier dispositif d'écriture, la réalisation de la première commande d'écriture en écrivant un premier élément de données sur la mémoire ;

la réception, au niveau de l'étiquette, d'une seconde commande d'écriture provenant d'un second dispositif d'écriture ;

la réception, au niveau de l'étiquette, d'une seconde clé provenant du second dispositif d'écriture ;

avant d'exécuter la seconde commande d'écriture au niveau de l'étiquette, la comparaison de la seconde clé avec la ou les clés d'accès suivie de l'authentification du second dispositif d'écriture en confirmant que la seconde clé reçue du second dispositif d'écriture coïncide avec une seconde clé d'accès comprise dans la ou les clés d'accès ; et

à authentification du second dispositif d'écriture, la réalisation de la seconde commande d'écriture en écrivant un second élément de données sur la mémoire ;

dans lequel le premier dispositif d'écriture est différent du second dispositif d'écriture ;

caractérisé en ce que le premier élément de données est écrit sur un premier emplacement de mémoire, le second élément de données est écrit sur un second emplacement de mémoire et un pointeur vers au moins un élément parmi le premier élément de données et le premier emplacement de mémoire est automatiquement mémorisé conjointement avec le second élément de données et que les premier et second emplacements de mémoire sont protégés en écriture par les première et seconde clés d'accès, respectivement.


 
11. Procédé selon la revendication 10, dans lequel la première clé d'accès correspond à une première clé de cryptage privée provenant d'une paire de clés de cryptage privée-privée, dans lequel la seconde clé d'accès correspond à une seconde clé de cryptage privée provenant d'une paire de clés de cryptage publique-privée et dans lequel la seconde clé reçue du second dispositif d'écriture correspond à une clé de cryptage publique provenant de la paire de clés de cryptage publique-privée.
 
12. Procédé selon la revendication 10 ou 11, dans lequel la première commande d'écriture et la seconde commande d'écriture sont reçues dans un ou plusieurs messages transmis conformément à au moins un protocole de communication en champ proche (NFC), de protocole de ultra-haute fréquence (UHF), de protocole de haute fréquence (HF) et d'un protocole Bluetooth.
 
13. Procédé selon l'une quelconque des revendications 10 à 12, comprenant en outre :

la réception, au niveau de l'étiquette, d'une commande de lecture provenant d'un dispositif de lecture, la commande de lecture identifiant un applet de données comme étant l'applet de données sélectionné à partir duquel au moins un des premier et second éléments de données sont lus à partir de l'étiquette ;

en réponse à la réception de la commande de lecture, la copie d'au moins un des premier et second éléments de données sur un tampon de données maintenu dans l'applet de données sélectionné ; et

la mise à disposition du dispositif de lecture d'au moins un des premier et second éléments de données à partir du tampon de données.


 
14. Procédé selon la revendication 13, dans lequel les premier et second éléments de données sont concaténés dans un modèle modélisé spécifié par un élément parmi le premier et le second élément de données, dans lequel en option le modèle modélisé correspond à un modèle spécifique de communication en champ proche (NFC).
 
15. Procédé selon l'une quelconque des revendications 10 à 14, dans lequel au moins un élément des premier et second éléments de données est écrit sur la mémoire à l'aide d'un canal de communication crypté, dans lequel le canal de communication crypté est crypté avec au moins une clé parmi la première clé d'accès et la seconde clé d'accès.
 




Drawing

































REFERENCES CITED IN THE DESCRIPTION



This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Patent documents cited in the description




Non-patent literature cited in the description