FIELD OF THE INVENTION: The invention disclosed broadly relates to context-dependent services for mobile terminals and more particularly relates to context dependent security features in communication, to properly authenticate and secure communication links for short range RF devices based on the current context of the device.
BACKGROUND OF THE INVENTION: Short-range mobile wireless devices frequently come within communicating range of stationary wireless devices, known as access points, which are connected to wireline local area networks (LANs) or wide area networks (WANs). The mobile wireless device can form a wireless link with a nearby access point to enable communication with network servers. The network servers can provide services to the mobile wireless devices, which can be customized to the particular access point currently nearest to and communicating with the mobile device. An example is a business enterprise's office building having a lobby area with an access point near the entrance and various offices and access points distributed within the interior of the building. A first access point in the lobby can provide to visitors copies of company brochures and office maps that are downloaded to their mobile devices from a network server. A second access point within a company employee's private office can provide copies of company confidential documents downloaded to the employee's mobile device from the network server. Clearly, there are different requirements for user authentication and document security in these two examples. What is needed in the prior art is a method to provide context dependent security features for short range RF devices based on the current context of the device.
Short-range wireless networks include both wireless personal area networks ("PANs") and wireless local area networks ("WLANs"). Both of these network types have the common feature of operating in unlicensed portions of the radio spectrum, usually either the 2.4 GHz Industrial, Scientific, and Medical (ISM) band or the 5 GHz Unlicensed National Information Infrastructure ("U-NII") band. Wireless personal area networks use low-cost, low-power wireless devices that have a typical range of ten meters.
The best-known example of wireless personal area network technology is the Bluetooth Standard, which operates in the 2.4 GHz ISM band. Bluetooth is a short-range radio network, originally intended as a cable replacement. It can be used to create ad hoc networks (piconets) of up to eight active devices operating together. The Bluetooth Special Interest Group, Specification Of The Bluetooth System, Volumes 1 and 2, Core and Profiles: Version 1.1, 22 February 2001 (hereinafter "Bluetooth Specification") describes the principles of Bluetooth device operation and communication protocols. Bluetooth devices are designed to find other Bluetooth devices and access points within their ten-meter radio communications range.
The Bluetooth Specification describes the basic security features of the Bluetooth technology in Chapter 14 (Bluetooth Security) of its Baseband Specification. The Bluetooth system provides usage protection and information confidentiality at the application layer and at the link layer. In each Bluetooth device and access point, the authentication and encryption routines are implemented in the same way, using four entities: the device's 48-bit address BD_ADDR, two secret keys (a 128-bit authentication key, also called the link key, and an encryption key derived from it), and a random number RAND which is different for each new transaction. What is needed in the prior art is a method to customize security features for short range RF devices and access points based on the current context of the mobile device.
In addition to the Bluetooth technology, examples of wireless local area network technology include the IEEE 802.11 Wireless LAN Standard and the HIPERLAN Standard. IEEE 802.11a and HIPERLAN Type 2 operate in the 5 GHz U-NII band, while the original IEEE 802.11 and IEEE 802.11b operate in the 2.4 GHz ISM band. The IEEE 802.11 Wireless LAN Standard is published in three parts as IEEE 802.11-1999, IEEE 802.11a-1999 and IEEE 802.11b-1999, which are available from the IEEE web site http://grouper.ieee.org/groups/802/11. An overview of the HIPERLAN Type 2 principles of operation is provided in Broadband Radio Access Networks (BRAN), HIPERLAN Type 2; System Overview, ETSI TR 101 683 V1.1.1 (2000-02). Another example of short-range wireless technology is Ultra Wideband (UWB) radio, which transmits digital data over a wide spectrum of frequency bands with very low power. The UWB proposal considered by the IEEE 802.15.3a task group is a "classical" direct sequence version of UWB for personal area networking.
What is needed in the prior art is a method to customize security features for short-range mobile wireless devices and access points based on the current context of the mobile device.
SUMMARY OF THE INVENTION: The invention solves the problem of providing customizable, context dependent security features for short range RF devices based on the current context of the device. In accordance with the invention, the mobile device, the wireless access point, and the network server in the network each include security context middleware that responds to the detected location of the mobile device to provide customized security services to the mobile device. The security context middleware enables detecting, authenticating and registering the mobile device and encrypting its communications based on pre-specified security feature descriptions stored in the network server. The system administrator or a system management program can assign particular security features to individual access points in the network. The security features can be pre-specified based on the location of the access point, the identity of the user's mobile device, other characteristics of the user or the user's device, ambient conditions, such as the time of day, and the classification of any services requested by the mobile device.
When a mobile device moves into the communication domain of an access point, its presence is detected by the access point, a basic connection is established between the device and the access point, and the presence of the device is registered at the network server. The network server can then classify any service requested by the mobile device, such as synchronization to applications residing on another server, and consider that service request as a factor in establishing an appropriate security feature to apply to the mobile device. For example, if the mobile device has requested synchronization with a confidential email or calendar service to update the mobile device, a high-security feature is assigned to the wireless connection between the mobile device and the access point.
The network server can then access a security context database to obtain the pre-specified security features corresponding to the location of the access point, the identity of the user's mobile device, other characteristics of the user or the user's device, ambient conditions, such as the time of day, and classification of any service requested by the mobile device. The network server obtains a middleware command from the database corresponding to the pre-specified security feature. The middleware command then is transmitted from the network server to the access point and to the mobile device. The middleware command invokes the particular security processing routine in the middleware of both the mobile device and the access point to implement the pre-specified security feature. The middleware command can also invoke a corresponding security processing routine in the network server when the server needs to participate in providing the security service to the mobile device.
Some of the factors considered by the security context middleware in determining the context of the mobile device include the mobile device's address BD_ADDR, the location of the access point, other available information about the mobile device, and the time of day. Other environmental factors that can also be considered by the security context middleware in determining the context of the mobile device include day of the week, season of the year, temperature, light level, and other ambient characteristics. The security context middleware can also classify any service requested by the mobile device, such as synchronization to applications residing on another server, and consider such service request as a factor in establishing an appropriate security feature to apply to the mobile device.
The network server is also responsible for maintaining additional information for comparing the determined context of the mobile device with threshold values of services that are pre-specified for the mobile device. The network server can automatically synchronize the mobile device with email or calendar services, for example, on another server. The network server can generate triggering events based on the comparison and send notices to the mobile device for suitable services or directly push service messages to the mobile device. In addition, the network server can provide necessary information to third parties for initiating services to the mobile device based on the comparison. Third party services can be provided to the mobile device either through the connected access point or via a separate cellular telephone network connection.
The resulting invention solves the problem of providing context dependent security features for short range RF devices based on the current context of the device.
The invention can be applied to wireless personal area networks employing the Bluetooth Standard, and to wireless local area networks employing the IEEE 802.11 Wireless LAN Standard or the HIPERLAN Standard.
DESCRIPTION OF THE FIGURES: FIG. 1A is a network diagram according to an embodiment of the present invention showing a plurality of wireless access points 140, 140A, 140B, and 140C. The LAN 142 interconnects the access points with the connectivity server 180 and the security context database 182. The user's wireless device 100 is shown at a first location near a first wireless access point 140A and then later at a second location, near a second wireless access point 140B.
FIG. 1B is a network diagram according to an embodiment of the present invention showing a modification in the topology of the network of FIG. 1A, where the access points are distributed within an office building. The LAN 142 interconnects the access points with the connectivity server 180. Several servers are shown connected by means of the LAN to the access points, to provide business-related services when signaled by the access points.
FIG. 1C is a network diagram according to an embodiment of the present invention showing another modification in the topology of the network of FIG. 1A, in which there is a GSM antenna 105 as well as a Bluetooth or WLAN antenna 103 on the user's wireless device 100. A GSM cellular telephone network is an alternate way to communicate with the third party services server 190, via a WAP protocol gateway and the Internet. A barcode reader 141 is also shown connected by means of a Bluetooth link to the access point 140A to enable control and use of the barcode reader by the user's mobile wireless device 100.
FIG. 1D is a network diagram according to an embodiment of the present invention showing another modification in the topology of the network of FIG. 1A, in which the access points 140A and 140B are mobile and include a GPS position locator to establish their current locations. A GSM cellular telephone subsystem in each access point enables it to communicate with the connectivity server over a wireless wide area network.
FIG. 2 is a flow diagram of the processing of a first middleware command, type 3, to invoke security context middleware modules 602, 702, and 802 on the user's device 100, the access point 140B, and the connectivity server 180, respectively, to implement a first security feature in response to detecting the user's device 100 at the access point 140B according to an embodiment of the present invention.
FIG. 3 is a flow diagram of the processing of a second middleware command, type 4, to invoke security context middleware modules 604, 704, and 804 on the user's device 100, the access point 140C, and the connectivity server 180, respectively, to implement a second security feature in response to detecting the user's device at the access point 140C according to an embodiment of the present invention.
FIG. 4 is a flow diagram of the processing of a third middleware command, type 5, to effect a reprogramming of the access point 140C. The middleware command type 5 invokes security context middleware modules 606, 706, and 806 on the user's device 100, the access point 140C, and the connectivity server 180, respectively, to implement a third, public key infrastructure security feature in response to detecting the user's device 100 at the access point 140C according to an embodiment of the present invention.
FIG. 5A shows the security context database 182 and the security middleware commands table 182′ according to an embodiment of the present invention.
FIG. 5B shows the security context database 182 and the security middleware commands table 182′ of FIG. 5A, where access point 140C is reprogrammed to apply public key infrastructure when connected to the user's mobile device 100 according to an embodiment of the present invention.
FIG. 6 shows the security context middleware 10 in the user's device 100 according to an embodiment of the present invention.
FIG. 7 shows the security context middleware 10′ in each access point 140, 140A, 140B and 140C according to an embodiment of the present invention.
FIG. 8 shows the security context middleware 10″ in the network server 180 according to an embodiment of the present invention.
FIG. 9 is another view of the network diagram of FIG. 1A, according to an embodiment of the present invention, showing various components of the user's wireless device 100, the wireless access point 140A, and the connectivity server 180.
DISCUSSION OF THE PREFERRED EMBODIMENT: FIG. 1A is a network diagram according to an embodiment of the present invention showing a plurality of wireless access points 140, 140A, 140B and 140C. The local area network (LAN) 142 interconnects the access points with the connectivity server 180, which in turn is connected to the security context database 182. The user's wireless device 100 is shown at a first location A near the first wireless access point 140A, and at a later time is shown at a second location B near the second wireless access point 140B. Each access point has a corresponding coverage area 150, 150A, 150B, 150C, respectively. Bluetooth wireless devices have a typical coverage area with a radius of 10 meters. IEEE 802.11 Wireless LAN devices and HIPERLAN Wireless LAN devices have a typical coverage area with a radius of 100 meters. The user's wireless device 100 in FIG. 1A includes the microbrowser 102, a keypad, and an application program 106. Also included in the user's wireless device is the security context middleware 10, which is shown in greater detail in FIG. 6. Each access point 140, 140A, 140B and 140C includes security context middleware 10′, which is shown in greater detail in FIG. 7. The connectivity server 180 includes security context middleware 10″, which is shown in greater detail in FIG. 8. The connectivity server 180 further includes the context manager 14. The connectivity server 180 is also connected to the Internet 144, which is connected in turn to the WAP protocol gateway 188, which in turn is connected to the GSM access point 186.
In accordance with the invention, the security context middleware 10 stored in a memory of the user's wireless device 100 has a plurality of security process subroutines 602, 604 and 606 of FIG. 6, which are selectable by a security processing middleware command issued by the context manager 14. Similarly, the security context middleware program 10′ in the access points 140, 140A, 140B and 140C has a plurality of security process subroutines 702, 704 and 706 of FIG. 7, selectable by the security processing middleware command issued by the context manager 14. Similarly, the security context middleware 10″ in the connectivity server 180 has a plurality of security process subroutines 802, 804 and 806 of FIG. 8, which are selectable by the security processing middleware command issued by the context manager 14. Further in accordance with the invention, the context manager program 14 in the connectivity server 180 determines a context for the user's wireless mobile device 100 from a signal received from one of the access points 140, 140A, 140B, 140C indicating that the wireless mobile device is wirelessly connected to that access point. The security context database 182 connected to the connectivity server 180 stores security feature data which is accessible by the determined context from the connectivity server 180, to implement a security process. The context manager 14 accesses the stored security feature data in the security context database 182 based on the determined context of the user's wireless device 100 in the vicinity of the access point 140, 140A, 140B or 140C. The context manager 14 then sends the security processing middleware command representing the security feature data to the security context middleware program 10″ in the connectivity server 180, to the security context middleware program 10′ in the access point connected to the user's wireless device 100, and to the security context middleware 10 in the user's wireless device 100.
The security processing middleware command then invokes the security process in the addressed subroutine in the wireless mobile device, in the access point and in theconnectivity server180.
The security context database 182 and the security middleware commands table 182′ are shown in FIG. 5A. A system administrator or a system control program initializes the data in the security context database 182 to establish particular security features 294 for each of the access points 140, 140A, 140B and 140C when they are respectively wirelessly connected to the user's device 100. For example, the security context database 182 establishes that the access point 140A, when it is wirelessly connected to any user device, as indicated in column 284, will have a type 1 security feature 294. The type 1 security feature then invokes, in the security middleware commands table 182′, basic Bluetooth security. The type 1 security processing middleware command is transmitted by the connectivity server 180 to the security context middleware 10″ in the server 180, to the access point 140A and its security context middleware 10′, and to the user's wireless device 100 wirelessly connected to the access point 140A, for the security context middleware 10 in the user's wireless device 100. As can be seen by inspection of the security context database 182 of FIG. 5A, a system administrator has assigned security features 294 to each of the access points 140, 140A, 140B and 140C when they are respectively wirelessly connected to particular user wireless devices. Column 284 of the database 182 indicates which user devices are permitted to be assigned a security feature. Column 286 specifies whether other terminal data is required before security features are assigned. Column 288 specifies whether particular time-of-day intervals are required before security features are assigned. Column 292 specifies one or more services which are provided to the user's wireless device 100 when it is wirelessly connected to each of the respective access points 140, 140A, 140B and 140C.
As was mentioned before, column 294 indicates the security feature assigned by the system administrator to the respective access points and to the user's wireless device 100 when it is connected to the respective access points. The security middleware commands table 182′ enables the system administrator to programmatically change the security feature assigned to a particular access point and the wireless device connected to it. Five types of security features are shown in the table 182′. Type 1 is basic Bluetooth security. Type 2 uses an acceptable address list with the specified wireless device addresses. Type 3 requires a link key and 128-bit encryption and a dynamic point-to-point protocol (PPP) user name and password. Type 4 increases the security over type 3 by providing a terminal key and an encrypted link key, plus the 128-bit encryption and the dynamic PPP user name/password. The type 5 security feature is a public key infrastructure (PKI) security feature, in which a random link key is encrypted with a public key and 128-bit bulk encryption is applied.
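To make the lookup concrete, the following Go program is an added example (not code from the patent) that models the security context database 182 as a rule table with the columns described above and selects the security feature and middleware command for a reported context. The access point identifiers, the BD_ADDR values, the time-of-day window, the service-class labels and the catch-all row for access point 140B are constructed for the example; the patent does not specify row contents beyond those named for FIG. 5A. A device-specific row takes precedence over a catch-all row for the same access point, and a context that matches no row is refused rather than silently given the weakest feature.

```go
package main

import (
	"errors"
	"time"
)

// Context is what the context manager 14 knows once an access point reports a basic connection.
type Context struct {
	AccessPoint  string    // which access point reported the device
	DeviceAddr   string    // the device's BD_ADDR
	TerminalData bool      // whether the extra terminal data (column 286) was supplied
	At           time.Time // server time when the connection was reported
	Service      string    // classified service request: "", "sync-public" or "sync-confidential"
}

// Rule is one row of the security context database 182 (columns 284-294 of FIG. 5A).
type Rule struct {
	AccessPoint      string
	Devices          []string // column 284; nil means any device
	NeedTermData     bool     // column 286
	FromHour, ToHour int      // column 288; 0 and 24 together mean no time-of-day restriction
	Service          string   // column 292; "" means any service class
	SecurityType     int      // column 294
}

// commands is the security middleware commands table 182'.
var commands = map[int]string{
	1: "basic Bluetooth security",
	2: "acceptable address list",
	3: "link key, 128-bit encryption, dynamic PPP user name/password",
	4: "terminal key, encrypted link key, 128-bit encryption, dynamic PPP user name/password",
	5: "PKI: public-key-encrypted random link key, 128-bit bulk encryption",
}

// rules is a constructed table mirroring FIG. 5A; the address, the office-hours window and the 140B catch-all row are assumptions.
var rules = []Rule{
	{AccessPoint: "140A", ToHour: 24, SecurityType: 1},
	{AccessPoint: "140B", Devices: []string{"00:02:EE:00:01:00"}, NeedTermData: true, FromHour: 7, ToHour: 19, SecurityType: 3},
	{AccessPoint: "140B", ToHour: 24, SecurityType: 2},
	{AccessPoint: "140C", Devices: []string{"00:02:EE:00:01:00"}, NeedTermData: true, ToHour: 24, SecurityType: 4},
	{AccessPoint: "140", Devices: []string{"00:02:EE:00:01:00"}, ToHour: 24, Service: "sync-public", SecurityType: 2},
	{AccessPoint: "140", Devices: []string{"00:02:EE:00:01:00"}, ToHour: 24, Service: "sync-confidential", SecurityType: 5},
}

func listed(list []string, addr string) bool {
	for _, a := range list {
		if a == addr {
			return true
		}
	}
	return false
}

func (r Rule) matches(c Context) bool {
	if r.AccessPoint != c.AccessPoint {
		return false
	}
	if r.Devices != nil && !listed(r.Devices, c.DeviceAddr) {
		return false
	}
	if r.NeedTermData && !c.TerminalData {
		return false
	}
	if h := c.At.Hour(); h < r.FromHour || h >= r.ToHour {
		return false
	}
	return r.Service == "" || r.Service == c.Service
}

// specificity counts the constraints a row imposes, so a device-specific row outranks a catch-all row.
func (r Rule) specificity() int {
	n := 0
	for _, set := range []bool{r.Devices != nil, r.NeedTermData, r.FromHour != 0 || r.ToHour != 24, r.Service != ""} {
		if set {
			n++
		}
	}
	return n
}

// SelectSecurity returns the security type and middleware command for a context; it fails closed.
func SelectSecurity(table []Rule, c Context) (int, string, error) {
	best := -1
	for i, r := range table {
		if !r.matches(c) {
			continue
		}
		if best < 0 || r.specificity() > table[best].specificity() ||
			(r.specificity() == table[best].specificity() && r.SecurityType > table[best].SecurityType) {
			best = i
		}
	}
	if best < 0 {
		return 0, "", errors.New("no security feature assigned for this context; refuse the connection")
	}
	t := table[best].SecurityType
	return t, commands[t], nil
}
```

The fail-closed default is the point worth keeping: type 1 (basic Bluetooth security) is applied only where a row says so, never because no row matched, and a device seen at the cashier terminal 140C without a row of its own gets no middleware command at all.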
FIG. 1B is a network diagram according to an embodiment of the present invention showing a modification in the topology of the network of FIG. 1A, where the access points are distributed within an office building 148. The local area network (LAN) 142 connects the access points 140, 140A, 140B and 140C with the connectivity server 180. Several servers are shown connected by means of the LAN 142 to the access points, to provide business-related services when signaled by the access points. A company confidential information server 190 and a company confidential information database 191 are connected to the LAN 142. An accounts department server 192 and an accounts department database 193 are connected to the LAN 142. A docking station server 194 and a docking station database 195 are connected to the LAN 142. A room lighting server 196 and a room lighting database 197 are connected to the LAN 142. The office building 148 has a front entrance 152 and a lobby coverage area 150A, where the access point 140A is located. Next in the office building 148 is the office coverage area 150 with the access point 140. Next in the office building 148 is the office coverage area 150B with the access point 140B, which is a docking station. Lastly, the office building 148 has a coverage area 150C with the access point 140C, which is a cashier terminal. A lighting control 198 is connected from the room lighting server 196 to the lights in the respective coverage areas of the office building 148, as shown in FIG. 1B. When the user's wireless device 100 enters the office building 148 through the front entrance 152 into the lobby coverage area 150A, the access point 140A establishes a wireless connection with the user's wireless device. As the user's wireless device proceeds through the office building 148 to the office 2 coverage area 150B, the mobile wireless device establishes a wireless connection with the access point 140B, for example when the user places the wireless device 100 into the docking station.
Reference to FIG. 2 illustrates the sequence of operational steps that take place beginning at this point according to an embodiment of the present invention. In the preferred embodiment, the access point 140B periodically transmits inquiry packets to discover which mobile devices are in range and to determine the addresses and clocks of those devices. If a mobile device 100 that receives the inquiry packets is in the inquiry scan state, it enters the inquiry response state and sends an inquiry response 202 to the access point 140B. The access point 140B can compare the received address with a list of addresses of devices that are authorized to receive services and can proceed to establish a connection with an authorized mobile device. The comparison can also be based on other information about the mobile device 100, such as the class of device (CoD) field, and the list can identify those devices that are to be accepted or alternately blocked from receiving certain types of services. Because an inquiry response is not authenticated, the address it carries is a claimed identity and this comparison is a screening step only; the device is authenticated when the selected security feature is applied later in the sequence. After the inquiry procedure has completed, a connection can be established by the access point 140B with a paging procedure using the Bluetooth device address of the mobile device 100. The access point 140B, having established the connection, will automatically be the master of the connection.
In step 200 the user's wireless device sends an inquiry response 202 to the access point 140B and receives a page 204 from the access point. Correspondingly, the access point receives the inquiry response packet from the user's device 100. After the inquiry and paging signals are exchanged, a basic connection is established between the user's wireless device 100 and the access point 140B. At this point, an initial request for services can be sent by the mobile device 100 to the access point 140B, such as a request to synchronize received email or a calendar. A signal is transmitted from the access point 140B over the LAN 142 to the connectivity server 180, where the asynchronous connectionless link (ACL) is validated in step 208. Step 207 can then classify any services requested by the mobile device 100 and pass the classification along path 209, where it is considered as a factor in establishing an appropriate security feature to apply to the mobile device 100.
Then, passing along path 209, the connectivity server 180 accesses the security context database 182 for security features to apply to the connection between the user's wireless device 100 and the access point 140B. This is done in step 210 using the access point address, the user's device ID, any required terminal information about the user's device, the time of day and the class of service requested by the mobile device. Referring for a moment to the security context database 182 of FIG. 5A, it is seen that these various factors are considered in the selection of a security feature: the specific identities of acceptable mobile wireless devices, other terminal data and the time of day. When the corresponding security feature 294 is identified in the database 182, in this case a type 3 security feature, the corresponding security processing middleware command is sent on path 211 to the access point 140B. In step 212, the access point 140B implements the accessed security features in the security middleware 702 in the access point. The security processing middleware command is also transmitted over path 213 to the user's device 100, where in step 214 it implements the accessed security features in the security middleware 602 in the user's device 100.
Step 210 in the connectivity server 180 then proceeds to step 215, which generates a link key that is transmitted via the access point 140B to the user's device 100, where step 216 in the subroutine 602 of the security context middleware 10 initiates the security settings. In the connectivity server 180, step 215 proceeds to step 225, which sets the link key for Bluetooth 128-bit encryption. This information is then provided to the access point 140B at step 222 in the subroutine 702 of the security context middleware 10′, to establish an authenticated and encrypted middleware connection with the user's device. Correspondingly, step 216 in the user's device 100 proceeds to step 218 to establish the authenticated and encrypted middleware connection with the access point over path 220. Step 222 in the access point 140B then proceeds to step 224, where the middleware connection is established, and this information is passed back to step 226 of the connectivity server 180, which generates the dynamic point-to-point protocol (PPP) user name and password for additional access control. The flow then passes to step 228 to forward the PPP user name and password to the access point and the user's device. Step 230 of the access point 140B forwards the PPP user name and password to the user's device and also applies it in step 236. In the user's device 100, step 232 establishes the authenticated and encrypted IP connection with the access point and flow passes to step 234. Steps 234 and 236 then establish over path 235 an authenticated and encrypted IP connection. Then the connectivity server 180 in step 238 accesses the context database 182 for services available to the user's device using the access point's address, the user's device ID, terminal information, time, and service requests. The network server can automatically synchronize the mobile device with email or calendar services on another server. Reference to FIG. 5A shows that for a connection between the user's device 100 and the access point 140B, the services allowed to the user's device include lighting from the lighting server 196 and docking facility services from the docking station server 194 in FIG. 1B.
If the user's device 100 were now to pass to the cashier coverage area 150C in FIG. 1B, a wireless connection is established with the access point 140C, which invokes a different set of security features, as shown in FIG. 3. Reference to the security context database 182 in FIG. 5A shows that the system administrator has assigned a type 4 security feature to the user's device 100 when it establishes a wireless connection with the access point 140C in the cashier's coverage area 150C. The flow diagram in FIG. 3 illustrates this different implementation of security features according to an embodiment of the present invention. Here it is seen that the subroutine 604 of the security context middleware 10 in the user's wireless device 100 is invoked by command type 4. Further, the subroutine 704 in the security context middleware 10′ in the access point 140C is invoked by the command type 4, and the subroutine 804 in the security context middleware 10″ in the connectivity server 180 is invoked in response to the command type 4. Steps 200-214 in FIG. 3 are the same as in FIG. 2, except that step 210 has accessed the security context database 182 and obtained a type 4 security feature, which it distributes as a command type 4 to the access point 140C, the user's device 100 and the security context middleware 10″ in the connectivity server 180. Step 210 passes to step 302, which generates a terminal key that is transmitted via the access point 140C to the user's device 100, where step 304 of the subroutine 604 of the security context middleware 10 stores the terminal key. Step 302 in the connectivity server 180 passes to step 306, which constructs a random link key and encrypts it with the terminal key. The encrypted link key is then transmitted via the access point 140C to step 308 in the user's device 100, where the encrypted link key is opened with the terminal key.
Then step 306 in the connectivity server 180 passes to step 310, which sets the link key for Bluetooth 128-bit encryption, and this information is passed to step 312 of the access point 140C. In the user's device 100, step 308 passes to step 314, which establishes an authenticated and encrypted middleware connection with the access point via the path 316. Correspondingly, step 312 of the access point 140C establishes an authenticated and encrypted middleware connection with the user's device. Flow then passes from step 312 to step 318 in the access point 140C, where the middleware connection is established, and this information is passed to step 320 of the connectivity server 180, which generates a dynamic PPP user name and password for additional access control. Flow then passes to step 322, which forwards the PPP user name and password to the access point 140C and the user's device 100. Step 324 in the access point 140C forwards the PPP user name and password to the user's device. Step 326 in the user's device 100 establishes the authenticated and encrypted IP connection with the access point. The flow then passes to step 234, where the connection is established over the path 235 to the corresponding step 236 in the access point, where the connection is established. Then flow passes in the connectivity server 180 from step 322 to step 328 to access the context database 182 for services available to the user's device using the access point address, the user's device ID, terminal information and time.
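The following Go program is an added example (not the patent's code) that plays the type 4 sequence of FIG. 3 with both ends in one process, and in doing so covers the part of the type 3 sequence of FIG. 2 that it shares (link key, authentication, dynamic PPP credentials). The patent does not name the cipher used at step 306 to encrypt the link key under the terminal key, so AES-128-GCM stands in for it, and HMAC-SHA256 stands in for the Bluetooth E1 authentication function; the BD_ADDR values are constructed. The terminal key is assumed to be held by the device and the server before the sequence starts. That assumption is the condition under which the wrap actually protects the link key: as described above, steps 302 and 304 deliver the terminal key through the same access point, so an eavesdropper who captured that delivery could also open the wrapped link key that follows it, and type 4 then adds nothing over type 3 against that eavesdropper.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG (keys, nonces, challenges).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-128-GCM under a 16-byte terminal key (stand-in for the unspecified cipher of step 306).
func gcmFor(terminalKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(terminalKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapLinkKey is step 306 at the server: the access point will only relay an opaque blob.
func WrapLinkKey(terminalKey, linkKey []byte) (nonce, sealed []byte, err error) {
	gcm, err := gcmFor(terminalKey)
	if err != nil {
		return nil, nil, err
	}
	nonce = randomBytes(gcm.NonceSize())
	return nonce, gcm.Seal(nil, nonce, linkKey, []byte("type4-link-key")), nil
}

// UnwrapLinkKey is step 308 at the device: a wrong terminal key or a modified blob fails the tag check.
func UnwrapLinkKey(terminalKey, nonce, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(terminalKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, sealed, []byte("type4-link-key"))
}

// authResponse stands in for Bluetooth's E1: a MAC keyed with the link key over challenge and claimant address.
func authResponse(linkKey, challenge []byte, claimantAddr string) []byte {
	m := hmac.New(sha256.New, linkKey)
	m.Write(challenge)
	m.Write([]byte(claimantAddr))
	return m.Sum(nil)
}

// Authenticate is one challenge-response round run by the verifier against the claimant's key copy.
func Authenticate(verifierKey, claimantKey []byte, claimantAddr string) bool {
	challenge := randomBytes(16)
	return hmac.Equal(authResponse(claimantKey, challenge, claimantAddr),
		authResponse(verifierKey, challenge, claimantAddr))
}

// PPPCredentials is step 320: a fresh per-session PPP user name and password.
func PPPCredentials() (user, password string) {
	return "u" + hex.EncodeToString(randomBytes(4)), hex.EncodeToString(randomBytes(16))
}

type Session struct {
	ServerLinkKey, DeviceLinkKey []byte
	Authenticated                bool
	PPPUser, PPPPassword         string
}

// RunType4 plays the FIG. 3 sequence with both ends in one process; the terminal
// key is assumed already held by the device (step 304) and by the server.
func RunType4(terminalKey []byte, deviceAddr, apAddr string) (*Session, error) {
	linkKey := randomBytes(16) // step 306: random 128-bit link key
	nonce, sealed, err := WrapLinkKey(terminalKey, linkKey)
	if err != nil {
		return nil, err
	}
	deviceKey, err := UnwrapLinkKey(terminalKey, nonce, sealed) // step 308, after relay by the access point
	if err != nil {
		return nil, fmt.Errorf("device could not open the link key: %w", err)
	}
	s := &Session{ServerLinkKey: linkKey, DeviceLinkKey: deviceKey}
	// steps 312/314: mutual authentication before the encrypted link carries anything.
	s.Authenticated = Authenticate(linkKey, deviceKey, deviceAddr) &&
		Authenticate(deviceKey, linkKey, apAddr)
	if !s.Authenticated {
		return s, errors.New("link authentication failed")
	}
	s.PPPUser, s.PPPPassword = PPPCredentials() // steps 320-326
	return s, nil
}
```

The GCM tag check is what turns a wrong terminal key or a blob modified in transit into an error instead of a wrong key; the mutual challenge-response then confirms that both ends hold the same link key before the PPP credentials are issued, which is the order FIG. 3 prescribes.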
It is seen in FIG. 5A that alternate security features are applied to access point 140B when connected to alternate mobile devices. Additionally, alternate security features can be applied to access point 140 and the mobile device 100 based on the class of service requested by the user's mobile device 100. As an example, if the mobile device 100 has requested synchronization with a non-confidential email or calendar service, a low-security type 2 security feature is assigned to the wireless connection between the mobile device 100 and the access point 140. Alternately, if the mobile device 100 has requested synchronization with a confidential email or calendar service, a high-security type 5 security feature is assigned to the wireless connection between the mobile device 100 and the access point 140. The requested synchronization with the email or calendar service can then be carried out in step 238 of FIGS. 2, 3, or 4 after the appropriate security feature is established for the wireless connection.
FIG. 5B illustrates the security context database 182, wherein the system administrator or a system control program has reprogrammed the access point 140C for public key infrastructure when connected to the user's device 100 according to an embodiment of the present invention. It is seen that a type 5 security feature is specified in the database 182 which corresponds to the public key encryption middleware command shown in the commands table 182′. FIG. 4 illustrates the flow of steps in establishing the public key infrastructure authentication and encryption for the user's wireless device 100 at the access point 140C which have a wireless connection established therebetween. In an initial provisioning phase, the connectivity server 180 distributes the public/private key pairs with certificates of authority in step 402 to the access point 140C in step 404 and to the user's device 100 in step 406. Then in the later connection phase, steps 200-214 are the same as in FIGS. 2 and 3 except that step 210 accesses the security context database 182 and obtains the security feature for public key infrastructure and the corresponding command type 5 which it distributes over path 211 to the access point 140C and path 213 to the user's device 100. Then the step 212 of the access point 140C passes to step 408 which sends the access point's public key and its certificate to the user's device. At step 410 in the user's device 100, a random link key is generated and then in step 412, the user's device sends the user's public key and the user's certificate plus the public key encrypted random link key to the access point 140C. Correspondingly, the access point 140C forwards the user's certificate to the server 180 for validation and sends an acknowledgement back to the user in step 414. In the connectivity server 180, the user's certificate is validated in step 416 and the flow passes to step 418 which constructs a random 128-bit PIN for Bluetooth 128-bit encryption and this information is passed to step 420 of the access point 140C.
Step 420 in the access point establishes an authenticated and encrypted middleware connection with the user's device. Step 422 in the user's device establishes the authenticated and encrypted middleware connection with the access point 140C over path 424. Flow then passes from step 422 to step 426 to establish an authenticated and encrypted IP connection with the access point 140C over path 430 and correspondingly the access point establishes the authenticated and encrypted connection with the user's device. This information is then passed to step 238 in the connectivity server 180 where the security context database 182 is accessed for services available to the user's device using the access point address, the user's device ID, terminal information, time of day, and services requested.
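The type 5 exchange of steps 402-418 (provisioning of certified key pairs, the device encrypting a random link key to the access point's public key, and the server validating a certificate) as an added example in Go, not code from the patent. It assumes a simplified certificate (the server's Ed25519 CA key signing a DER-encoded RSA public key in place of X.509) and RSA-OAEP as the public key encryption; the device-side check of the access point's certificate before encrypting the link key is an assumption the text does not spell out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Cert is a simplified stand-in for an X.509 certificate (assumption): the
// connectivity server, acting as CA, signs the DER-encoded RSA public key.
type Cert struct{ PubDER, Sig []byte }
// Provision issues an RSA key pair plus certificate to an access point
// (step 404) or to a user's device (step 406); caPriv is the server's CA key.
func Provision(caPriv ed25519.PrivateKey) (*rsa.PrivateKey, Cert, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, Cert{}, err
	}
	der := x509.MarshalPKCS1PublicKey(&key.PublicKey)
	return key, Cert{PubDER: der, Sig: ed25519.Sign(caPriv, der)}, nil
}
// Validate checks a certificate against the CA public key (step 416 in the
// server; the device applies the same check to the access point's cert).
func Validate(caPub ed25519.PublicKey, c Cert) (*rsa.PublicKey, error) {
	if !ed25519.Verify(caPub, c.PubDER, c.Sig) {
		return nil, errors.New("certificate not signed by the connectivity server")
	}
	return x509.ParsePKCS1PublicKey(c.PubDER)
}
// WrapLinkKey runs steps 410-412 on the user's device: generate a random 128-bit
// link key and encrypt it (RSA-OAEP, an assumption) to the certified AP key.
func WrapLinkKey(caPub ed25519.PublicKey, apCert Cert) (linkKey, wrapped []byte, err error) {
	apPub, err := Validate(caPub, apCert) // reject an uncertified access point
	if err != nil {
		return nil, nil, err
	}
	linkKey = make([]byte, 16)
	if _, err = rand.Read(linkKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, apPub, linkKey, nil)
	return linkKey, wrapped, err
}
// UnwrapLinkKey is the access point's side of step 412: recover the link key.
func UnwrapLinkKey(apKey *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, apKey, wrapped, nil)
}
```

The link key never travels in the clear, and a certificate issued by any key other than the server's CA key fails Validate on both the device and the server.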
FIG. 1C shows an alternate embodiment for the network of FIGS. 1A and 1B, wherein a GSM cellular telephone communication subsystem is included in the wireless mobile device 100. This enables communication between the user's wireless device 100 and third party services server 190 for providing service to the wireless device via the cellular telephone communication subsystem. Communication is maintained over the internet 144 via the WAP protocol gateway 188 to the GSM access point 186 which communicates wirelessly with the GSM antenna 105 of the user's wireless device 100.
FIG. 1C further shows a barcode reader 141 connected by means of Bluetooth communications software 143 and a Bluetooth RF link to the Bluetooth access point 140A to enable control and use of the barcode reader 141 from the user's mobile wireless device 100. As an example, the application program 106 in the wireless mobile device 100 is programmed to control and use the barcode reader 141 to read a barcode of an article, such as a universal product code (UPC), and to have the value read from the UPC forwarded via the access point 140A to the application program 181 in the connectivity server 180. In order to accomplish this example, application program 106 invokes the middleware 10 in the user's wireless device 100, the middleware 10′ in the access point 140A, and the middleware 10″ in the connectivity server 180. Appropriate context and security processes are carried out by the access point 140A and connectivity server 180, as discussed above, to authenticate the user's device 100 and the barcode reader 141 and establish their respective secure connections with the access point 140A. After secure connections are established between the access point 140A and the user's device 100 and between the access point 140A and the barcode reader 141, the wireless mobile device 100 can control the barcode reader 141 to read a barcode of an article and forward the value read from the UPC via the access point 140A to the application program 181 in the connectivity server 180. This feature of the invention to enable the user's mobile device to control and use a barcode reader can be extended to the control and use of other types of devices. For example, Bluetooth-enabled portable measurement devices can be controlled and used by an application program in the user's mobile device, to send their measurements to a server via distributed access points.
An example is a Bluetooth-enabled portable air flow monitor to measure the air circulation in an office building and upload the measurements to a server via access points distributed around the office building.
FIG. 6 shows the security context middleware 10 in the user's device 100 according to an embodiment of the present invention, which includes the subroutine 602 responsive to command type 3, the subroutine 604 responsive to the command type 4, and the subroutine 606 responsive to the command type 5. FIG. 7 shows the security context middleware 10′ in each access point 140, 140A, 140B and 140C according to an embodiment of the present invention. Security context middleware 10′ in the access point includes subroutine 702 responsive to command type 3, subroutine 704 responsive to command type 4, and the subroutine 706 responsive to command type 5. FIG. 8 shows the security context middleware 10″ in the connectivity server 180 according to an embodiment of the present invention. The subroutine 802 is responsive to command type 3, subroutine 804 is responsive to command type 4, and subroutine 806 is responsive to command type 5.
FIG. 9 is another view of the network diagram of FIG. 1A, according to an embodiment of the present invention, showing some of the components of the user's wireless device 100, the wireless access point 140A, and the connectivity server 180. The wireless mobile device 100 includes the computer 902 and the memory 904. A Bluetooth wireless communications interface 906 wirelessly interfaces with the access point 140A. The Bluetooth communications program 908 establishes a wireless connection with the access point 140A. Also shown is the middleware program 10 and the application program 106.
FIG. 9 also shows some of the components of the wireless access point 140A, which includes the computer 912 and the memory 914. A server interface 916 interfaces with the server 180. A Bluetooth wireless communications interface 918 wirelessly interfaces with the mobile wireless device 100. A communications program 920 establishes a wireless connection with the mobile device 100 and also provides context information to the server 180 over the LAN 142. Also shown is the middleware program 10′.
FIG. 9 also shows some of the components of the connectivity server 180, which includes the computer 922 and the memory 924. The context manager program 14 determines a context for the wireless mobile device 100. The database 182 stores security feature data. The context manager 14 accesses the stored security feature data based on the determined context of the mobile device 100 and issues a command representing the security feature data. Also shown is the middleware program 10″ and the application program 181.
FIG. 1D is a network diagram showing another modification in the topology of the network of FIG. 1A, in which the access points 140A′ and 140B′ are mobile and include a GPS position locator to establish their current locations. A GSM cellular telephone subsystem in each access point enables it to communicate with the connectivity server 180 over a wireless wide area network 142′. The cellular telephone communications subsystem can enable a third party to provide service to the user's wireless mobile device 100 via the wireless wide area network 142′.
In an alternate embodiment of the invention, at least some of the functions of the connectivity server 180 and context manager 14 can be contained within the access points 140A and 140B. Similarly, at least some of the functions of the security context database 182 can be contained within the access points 140A and 140B.
Although specific embodiments of the invention have been disclosed, a person skilled in the art will understand that changes can be made to the specific embodiment without departing from the spirit and scope of the invention.