The present application is related to co-pending U.S. patent application Ser. No. 09/844,246 entitled, “METHOD AND SYSTEM FOR ESTABLISHING A REMOTE CONNECTION TO A PERSONAL SECURITY DEVICE,” filed on Apr. 30, 2001, and assigned to the assignee of the present invention. Applicant hereby incorporates by reference the above-mentioned co-pending application, which is not admitted to be prior art with respect to the present invention by its mention here or in the background section that follows.
The present invention relates to a data processing method and system for improving communications through a communications pipe employed over a network between a Personal Security Device (PSD) and a Remote Computer System.
The current art involving the management of information and data contained in personal security devices (PSDs), for example smart cards, subscriber identity modules (SIMs), wireless identification modules (WIMs), biometric devices, or combinations thereof, requires discrete low-level commands, known in that art as application protocol data units (APDUs), to be sent to a PSD.
The PSD is a reactive device in which a returned response is generated after completion of each command executed or upon encountering an error in execution. The majority of the responses returned by the PSD are simple “processing complete” or equivalent messages. In a networked environment, awaiting the return of such responses unnecessarily ties up network bandwidth and server resources due to the latency of the transactions and relatively slow execution speeds of the PSDs.
A second limitation is due to the relatively low-level nature of the PSD operating environment, which typically requires several sequential APDU commands to be executed in order to accomplish an operation within a PSD. This could be particularly troublesome when a large number of PSDs are being managed from a central server.
Co-pending U.S. patent application Ser. No. 09/844,246, entitled “Method and System for Establishing a Remote Connection to a PSD,” and assigned to the assignee of the present invention, describes a communication pipe which allows a remote server to maintain communications with one or more PSDs over a network that could be susceptible to the foregoing limitations. As such, a means to minimize the potential latency effects imposed on a network is highly desirable.
The present invention is directed to a method and system, which resolves the potential latency problems associated with maintaining communications pipes over a network.
To practice this invention, a stack of APDU commands is generated and stored in a command script on the remote computer system. The command script is then sent over a network to a client to be executed locally by a pipe client program. As described in the co-pending U.S. patent application Ser. No. 09/844,246, the pipe client is an API level program which extracts APDUs from incoming message packets and encapsulates APDUs into outgoing message packets.
Upon receiving the command script, the pipe client temporarily stores the command stack in either a memory location or disk file and sequentially sends the APDU commands to the PSD for processing. Sequencing of the APDU commands is accomplished by receipt of an APDU response, which causes the next APDU command to be issued. The APDU responses are likewise temporarily stored in either a memory location or disk file for later transmission to the remote computer system. This process continues until the last APDU command is sent and its complementary APDU response is received and stored in a response script. Once completed, the response script is sent to the remote computer system for processing.
By recording APDU commands in a script and locally capturing the resulting APDU responses, the handshaking between the PSD and the remote computer system is significantly reduced, thus freeing networking and server resources.
In one embodiment of the invention the accumulated responses are stored as generated by the PSD. In a second embodiment of the invention, the APDUs are compressed to optimize storage and transmission throughput between the PSD and Remote Computer System. The file compression may be performed on the fly by using the file compression options included in Microsoft Windows™ 2000 or NT. An advantage in using the operating system to perform the data compression is the ability to add encryption to the stored and compressed data, which is transparent to the end user. Additional hardware or software data compression techniques may be employed during network communications to further reduce the size and number of packets exchanged between the remote computer system and the PSD.
A more complete understanding of the present invention may be accomplished by referring to the following Detailed Description and Claims, when viewed in conjunction with the following drawings:
FIG. 1—is a system block diagram depicting a version of the present invention where APDU commands are accumulated in the form of a command script (CMD Script);
FIG. 2—is a system block diagram depicting a version of the present invention where the command script is transferred to a client for processing;
FIG. 3—is a system block diagram depicting a version of the present invention where command APDUs contained in a command script are processed by a pipe client program and sent to a PSD for execution;
FIG. 4—is a system block diagram depicting a version of the present invention where response APDUs are returned from a PSD, processed by a pipe client program and accumulated in a response script (RSP Script);
FIG. 5—is a system block diagram depicting a version of the present invention where the response script containing the accumulated APDUs is returned to a remote computer system for processing;
FIG. 6—is a system block diagram depicting a version of the present invention where response APDUs are processed by a pipe server program installed in a remote computer system.
This invention provides a method and system for improving communications through a communications pipe over a network. In this invention, APDU commands are generated and accumulated in the form of a command script on a remote computer system. Once the command script has been generated, it is transmitted to a local client for processing and execution by an associated PSD. The resulting APDU responses are likewise accumulated and stored in a response script, which is then returned to the remote computer system following completion of the command script or upon detection of an error condition. By consolidating APDU commands and responses in scripts, significantly less network traffic is generated, thus optimizing the use of networking resources and simplifying management of large numbers of PSDs.
Referring to
A second specialized program contained within the API Level of the Remote Computer System 50 and referred to as a Pipe Server 70, interacts with Communications Programs 105 S contained within the communications layer. The Pipe Server 70 functions to separate encapsulated APDU Responses 90 from incoming messaging packets received from a network 45 for processing by the APDU Interface 55.
In the outbound direction, APDU commands are translated by the APDU Interface 55 and processed by the Pipe Server 70 for accumulation 135 in a Command Script (CMD Script) 125. The Command Script 125 is then encapsulated into an agreed upon communications protocol by the Pipe Server 70 and sent to the Communications Programs 105 S for transmission. The Command Script 125 may be temporarily stored before transmission. Optionally, file compression and cryptographic protection techniques may be employed to improve networking performance and transaction security. The Communications Programs 105 S communicate through the hardware I/O device interface 130 S, which connects the pipe 75 to a network 45 for communicating with at least the Client 10.
The Client 10 likewise communicates using internal Communications Programs 105 C through its hardware I/O device interface 130 C, which connects the pipe 75 to the network 45 for communicating with at least the Remote Computer System 50. A third specialized API level program, referred to as a Pipe Client 15, interacts with the Communications Programs 105 C. The Pipe Client 15 functions to separate encapsulated Command Scripts 125 from incoming messaging packets received from the network 45. If employed, the Command Scripts 125 are decompressed and/or decrypted by the Communications Programs 105 C and cryptographic services programs before being processed by the Pipe Client 15. Once the Pipe Client has completed processing, the Command Scripts 85 are temporarily stored. As before, optional file compression and cryptographic protection techniques may be employed to improve local file storage utilization and transaction security.
In the outbound direction, APDU response messages generated by a locally connected PSD 40 are processed by the Pipe Client 15 and temporarily stored in a Response Script (RSP Script) 90. The response APDUs are generated by the PSD 40 following sequential processing of each APDU command contained in the Command Script 85. The APDU responses are communicated through the PSD Hardware Device Interface 25, into the Client 10 via the I/O Device Port 5, and subsequently directed to the Pipe Client 15 by a software driver. The APDU responses are accumulated in the Response Script 90 until the last APDU command is processed and the final APDU response message is received and stored. The completed Response Script 90 is then encapsulated into an agreed upon communications protocol by the Pipe Client 15 and transmitted by the Communications Programs 105 C through the pipe 75 and over the network 45. Again, optional file compression and cryptographic protection techniques may be employed to improve networking performance and transaction security.
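The Pipe Client side of the exchange described in the summary and in the paragraphs above (a Command Script executed APDU by APDU against the PSD, each response sequencing the next command, the responses accumulated into a Response Script that is returned on completion or on the first error status), as an added example that is not part of the patent. The length-prefixed script framing and the in-memory `stub_psd` are constructed assumptions; the patent fixes neither.

```python
import struct

# Script framing (constructed assumption): each APDU is prefixed with its 2-byte big-endian length.
def encode_script(apdus: list) -> bytes:
    return b"".join(struct.pack(">H", len(a)) + a for a in apdus)

def decode_script(blob: bytes) -> list:
    apdus, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated length field in script")
        (n,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        if pos + n > len(blob):
            raise ValueError("truncated APDU in script")
        apdus.append(blob[pos:pos + n])
        pos += n
    return apdus

def status_word(rsp: bytes) -> int:
    # An ISO 7816-4 response APDU ends with the status bytes SW1 SW2.
    if len(rsp) < 2:
        raise ValueError("response shorter than SW1 SW2")
    return (rsp[-2] << 8) | rsp[-1]

def run_command_script(cmd_script: bytes, psd_transmit) -> tuple:
    """Pipe Client role: run a Command Script against the local PSD.
    The next command is issued only after the previous response arrives;
    responses accumulate in the Response Script, which is returned once the
    last command completes or an error status is seen (anything other than
    9000 counts as an error here, a simplification of ISO 7816-4 warnings).
    """
    responses = []
    for cmd in decode_script(cmd_script):
        rsp = psd_transmit(cmd)
        responses.append(rsp)
        if status_word(rsp) != 0x9000:
            return encode_script(responses), False   # stop; partial script goes back
    return encode_script(responses), True

def stub_psd(cmd: bytes) -> bytes:
    """Constructed in-memory PSD that accepts SELECT and READ BINARY only."""
    if len(cmd) < 4 or cmd[0] != 0x00:
        return b"\x6e\x00"                 # class not supported
    if cmd[1] == 0xA4:                     # SELECT: accept, return no data
        return b"\x90\x00"
    if cmd[1] == 0xB0:                     # READ BINARY: Le bytes of constructed data
        le = cmd[4] if len(cmd) >= 5 else 0
        return bytes(range(le)) + b"\x90\x00"
    return b"\x6d\x00"                     # instruction not supported
```

The Remote Computer System receives one Response Script per Command Script instead of one response per APDU, so a script of N commands costs two network transfers rather than 2N, and a partial Response Script tells the server exactly which command failed.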
Referring to
Referring to
Referring to
Referring to
Referring to