Methods for provisioning universal integrated circuit cards

US 10,015,665 B2
Filed: 10/23/2014
Issued: 07/03/2018
Est. Priority Date: 11/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

instructing, by a secure element issuer system including a processor, an over-the-air system to transmit a first package that comprises configuration data for modifying a universal integrated circuit card, wherein the instructing causes the over-the-air system to encrypt the first package with a transport key to generate a first encrypted package, and wherein the instructing causes the over-the-air system to transmit the first encrypted package to a communication device communicatively coupled to the universal integrated circuit card to provision the universal integrated circuit card;

providing, by the secure element issuer system, a first mobile network operator trusted service manager system of a first mobile network operator with first information relating to the configuration data to enable the first mobile network operator trusted service manager system to manage content and memory allocation for a plurality of security domain containers of the universal integrated circuit card of the communication device, wherein the providing the first information to the first mobile network operator trusted service manager system is based on monitoring for configuration changes at the universal integrated circuit card and occurs in response to and after a detection of a particular configuration change at the universal integrated circuit card, wherein the particular configuration change is based on the configuration data of the first package, wherein the communication device and the first mobile network operator trusted service manager system are separate devices, wherein the first mobile network operator trusted service manager system is remotely located from the communication device, and wherein management of the content and the memory allocation for the plurality of security domain containers includes changing an amount of memory resource allocated to a particular security domain container of the plurality of security domain containers, wherein the plurality of security domain containers comprises an issuer security domain, a supplementary security domain, and a controlling authority security domain, wherein the issuer security domain stores first content that includes card issuer content, wherein the supplementary security domain stores second content that includes application provider content, and wherein the controlling authority security domain stores third content that includes security policy content;

detecting, by the secure element issuer system, that the communication device is to be provided services by a second mobile network operator; and

delegating, by the secure element issuer system, security management of the universal integrated circuit card of the communication device by providing a second mobile network operator trusted service manager system of the second mobile network operator with the first information relating to the configuration data to enable the second mobile network operator trusted service manager system to manage the content and the memory allocation for the plurality of security domain containers of the universal integrated circuit card of the communication device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system can receive a request to modify a universal integrated circuit card, generate a package comprising configuration data for modifying the universal integrated circuit card, instruct an over-the-air system to transmit the package encrypting the package with a transport key to generate an encrypted package, and transmit the encrypted package to a communication device communicatively coupled to the universal integrated circuit card to provision the universal integrated circuit card. The system can provide a mobile network operator trusted service manager system information relating to the configuration data to enable the mobile network operator trusted service manager system to manage content and memory allocation of the universal integrated circuit card.

179 Citations

20 Claims

1. A method, comprising:
- instructing, by a secure element issuer system including a processor, an over-the-air system to transmit a first package that comprises configuration data for modifying a universal integrated circuit card, wherein the instructing causes the over-the-air system to encrypt the first package with a transport key to generate a first encrypted package, and wherein the instructing causes the over-the-air system to transmit the first encrypted package to a communication device communicatively coupled to the universal integrated circuit card to provision the universal integrated circuit card;
  
  providing, by the secure element issuer system, a first mobile network operator trusted service manager system of a first mobile network operator with first information relating to the configuration data to enable the first mobile network operator trusted service manager system to manage content and memory allocation for a plurality of security domain containers of the universal integrated circuit card of the communication device, wherein the providing the first information to the first mobile network operator trusted service manager system is based on monitoring for configuration changes at the universal integrated circuit card and occurs in response to and after a detection of a particular configuration change at the universal integrated circuit card, wherein the particular configuration change is based on the configuration data of the first package, wherein the communication device and the first mobile network operator trusted service manager system are separate devices, wherein the first mobile network operator trusted service manager system is remotely located from the communication device, and wherein management of the content and the memory allocation for the plurality of security domain containers includes changing an amount of memory resource allocated to a particular security domain container of the plurality of security domain containers, wherein the plurality of security domain containers comprises an issuer security domain, a supplementary security domain, and a controlling authority security domain, wherein the issuer security domain stores first content that includes card issuer content, wherein the supplementary security domain stores second content that includes application provider content, and wherein the controlling authority security domain stores third content that includes security policy content;
  
  detecting, by the secure element issuer system, that the communication device is to be provided services by a second mobile network operator; and
  
  delegating, by the secure element issuer system, security management of the universal integrated circuit card of the communication device by providing a second mobile network operator trusted service manager system of the second mobile network operator with the first information relating to the configuration data to enable the second mobile network operator trusted service manager system to manage the content and the memory allocation for the plurality of security domain containers of the universal integrated circuit card of the communication device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the communication device is a portable communication device, and wherein a security domain container of the plurality of security domain containers is limited to use by one of a card issuer entity, an application provider entity, or a controlling authority entity.
  - 3. The method of claim 2, wherein the universal integrated circuit card is an embedded universal integrated circuit card affixed to the communication device.
  - 4. The method of claim 1, comprising generating, by the secure element issuer system, the first package.
  - 5. The method of claim 1, wherein the configuration data comprises an authentication key, a network access parameter, a service operator application, or combinations thereof.
  - 6. The method of claim 5, wherein the service operator application comprises a network-based application comprising one of a subscriber identity module application, a universal subscriber identity module application, or an internet protocol multimedia services identity module application.
  - 7. The method of claim 5, wherein the service operator application configures the communication device to comply with network operational requirements of a communication system from which the communication device receives communication services.
  - 8. The method of claim 1, wherein the plurality of security domain containers enable key handling, encryption, decryption, digital signature generation and verification for applications associated with a card issuer entity, an application provider entity and a controlling authority entity.
  - 9. The method of claim 1, wherein the management of the content and the memory allocation for the plurality of security domain containers includes deleting a selected security domain container of the plurality of security domain containers from the universal integrated circuit card.
  - 10. The method of claim 1, wherein the first encrypted package is transmitted to the communication device as a short messaging service message.

11. A method, comprising:
- receiving, by a first system including a processor, a request to modify content in a security domain container of a universal integrated circuit card;
  
  generating, by the first system, a script according to the request;
  
  encrypting, by the first system, the script according to an application key to generate an encrypted script;
  
  instructing, by the first system, a second system to transmit the encrypted script, wherein the instructing causes the second system to generate a package comprising the encrypted script and transport data, wherein the instructing causes the second system to encrypt the package with a transport key to generate an encrypted package, and wherein the instructing causes the second system to transmit the encrypted package to a communication device communicatively coupled to the universal integrated circuit card to provision the content of the security domain container of the universal integrated circuit card;
  
  providing, by the first system, a third system associated with a first mobile network operator with information relating to the provisioning of the security domain container to manage content and memory allocation for a plurality of security domain containers of the universal integrated circuit card, wherein the provisioning includes updating the plurality of security domain containers based on the transport key and the encrypted script, wherein the communication device and the third system are separate systems, wherein the third system is remotely located from the communication device, wherein the providing the information to the third system is based on monitoring for configuration changes at the universal integrated circuit card and occurs in response to and after a detection of a particular configuration change at the universal integrated circuit card, and wherein the particular configuration change is based on the script, wherein the plurality of security domain containers comprises an issuer security domain, a supplementary security domain, and a controlling authority security domain, wherein the issuer security domain stores first content that includes card issuer content, wherein the supplementary security domain stores second content that includes application provider content, and wherein the controlling authority security domain stores third content that includes security policy content;
  
  detecting, by the first system, that the communication device is to be provided services by a second mobile network operator; and
  
  delegating, by the first system, security management of the universal integrated circuit card of the communication device by providing a fourth system associated with the second mobile network operator with the information relating to the provisioning of the security domain container to manage the content and the memory allocation for the plurality of security domain containers of the universal integrated circuit card.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, wherein the universal integrated circuit card is an embedded universal integrated circuit card affixed to the communication device.
  - 13. The method of claim 11, wherein the plurality of security domain containers enable key handling, encryption, decryption, digital signature generation and verification for applications associated with a card issuer entity, an application provider entity and a controlling authority entity.
  - 14. The method of claim 11, wherein a first security domain container of the plurality of security domain containers is limited to use by a card issuer entity, wherein a second security domain container of the plurality of security domain containers is limited to use by an application provider entity, and wherein a third security domain container of the plurality of security domain containers is limited to use by a controlling authority entity.
  - 15. The method of claim 11, verifying, by the first system, that computing resources of the universal integrated circuit card and the communication device communicatively coupled to the universal integrated circuit card are capable of satisfying the request.
  - 16. The method of claim 11, wherein management of the content and the memory allocation for the plurality of security domain containers includes changing an amount of memory resource allocated to a particular security domain container of the plurality of security domain containers, deleting a selected security domain container of the plurality of security domain containers from the universal integrated circuit card, or combinations thereof.

17. A method, comprising:
- receiving, by a subscription management secure routing system of a first service provider, a first encrypted package, wherein the first encrypted package is encrypted by a subscription management data preparation system with an application key responsive to a subscription management data profile system receiving a request from a second service provider to modify a universal integrated circuit card with configuration data;
  
  sending, by the subscription management secure routing system to an over-the-air system of the first service provider, a second package comprising the first encrypted package and transport data, wherein the sending causes the over-the-air system to encrypt the second package with a transport key to generate a second encrypted package, and wherein the sending causes the over-the-air system to transmit the second encrypted package to a communication device communicatively coupled to the universal integrated circuit card to provision the universal integrated circuit card with the configuration data;
  
  providing, by the subscription management secure routing system, a first mobile network operator system of the first service provider with information relating to the configuration data to enable the first mobile network operator system to manage content and memory allocation for a plurality of security domain containers of the universal integrated circuit card responsive to receiving the second package to provision the configuration data for the universal integrated circuit card, wherein the communication device and the first mobile network operator system are separate devices, wherein the first mobile network operator system is remotely located from the communication device, wherein the providing the information to the first mobile network operator system is based on monitoring for configuration changes at the universal integrated circuit card and occurs in response to and after a detection of a particular configuration change at the universal integrated circuit card, and wherein the particular configuration change is based on the configuration data, wherein the plurality of security domain containers comprises an issuer security domain, a supplementary security domain, and a controlling authority security domain, wherein the issuer security domain stores first content that includes card issuer content, wherein the supplementary security domain stores second content that includes application provider content, and wherein the controlling authority security domain stores third content that includes security policy content;
  
  detecting, by the subscription management secure routing system, that the communication device is to be provided services by a second mobile network operator; and
  
  delegating, by the subscription management secure routing system, security management of the universal integrated circuit card of the communication device by providing a second mobile network operator system associated with the second mobile network operator with the information relating to the configuration data to enable the first mobile network operator system to manage the content and the memory allocation for the plurality of security domain containers of the universal integrated circuit card.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein a first security domain container of the plurality of security domain containers is limited to use by a card issuer entity, andwherein the subscription management secure routing system comprises a processing system.
  - 19. The method of claim 17, wherein a second security domain container of the plurality of security domain containers is limited to use by an application provider entity.
  - 20. The method of claim 17, wherein a third security domain container of the plurality of security domain containers is limited to use by a controlling authority entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Mobility II LLC (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.), AT&T Mobility II LLC (AT&T, Inc.)
Inventors
Chastain, Walter Cooper, Campbell, Clifton Ashman, Chin, Stephen Emille, Harber, David, Rainer, Brian Keith, Smith, David K., Wang, Shih-Ming
Primary Examiner(s)
Thiaw, Catherine
Assistant Examiner(s)
An, Wayne

Application Number

US14/521,838
Publication Number

US 20150044995A1
Time in Patent Office

1,349 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6227   where protection concerns t...

G06F 21/77   in smart cards

G06F 21/79   in semiconductor storage me...

H04W 12/00   Security arrangements; Auth...

H04W 12/02   Protecting privacy or anony...

H04W 12/08   Access security

H04W 12/35   Protecting application or s...

H04W 8/205   Transfer to or from user eq...

H04W 8/22   Processing or transfer of t...

Methods for provisioning universal integrated circuit cards

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

179 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for provisioning universal integrated circuit cards

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

179 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links