Key derivation for a module using an embedded universal integrated circuit card
First Claim
1. A method for securely distributing a profile from a subscription manager system to a module comprising the steps of:
- (a) recording, in memory operatively connected to the subscription manager system, a digital signature algorithm comprising an elliptic curve digital signature algorithm;
(b) recording, by the memory operatively connected to the subscription manager system, a server private key and a corresponding server public key, wherein the server public key and the server private key use elliptic curve cryptography;
(c) recording, by the memory operatively connected to the subscription manager system, a symmetric ciphering algorithm, wherein the symmetric ciphering algorithm comprises an Advanced Encryption Standard with a 128 bit key length;
(d) receiving, by the subscription manager system, a certificate associated with the module from a module provider system associated with a module provider, wherein the certificate includes a module public key;
(e) receiving, by the subscription manager system, a challenge from the module;
(f) generating, by the subscription manager system, a network private key and a corresponding network public key, using a key pair generation algorithm;
(g) sending the generated network public key to the module; and
(h) sending a digital signature and the challenge to the module, wherein the digital signature is generated using the server private key and the digital signature algorithm;
(i) generating, by the subscription manager system, a mutually derived shared key using Elliptic Curve Diffie-Hellman based on at least;
(1) the module public key, and(2) the network private key;
wherein the mutually derived shared key is derived by the module based on at least;
(i) a module private key associated with the module public key, and(ii) the network public key;
(j) encrypting, by the subscription manager system, the profile using;
(1) the symmetric ciphering algorithm, and(2) the mutually derived shared key;
(k) sending, from the subscription manager system to the module, the encrypted profile, wherein the profile includes network access credentials for a wireless network.
4 Assignments
0 Petitions
Accused Products
Abstract
A module with an embedded universal integrated circuit card (eUICC) can include a received eUICC profile and a set of cryptographic algorithms. The received eUICC profile can include an initial shared secret key for authentication with a wireless network. The module can receive a key K network token and send a key K module token to the wireless network. The module can use the key K network token, a derived module private key, and a key derivation function to derive a secret shared network key K that supports communication with the wireless network. The wireless network can use the received key K module token, a network private key, and the key derivation function in order to derive the same secret shared network key K derived by the module. The module and the wireless network can subsequently use the mutually derived key K to communicate using traditional wireless network standards.
-
Citations
13 Claims
-
1. A method for securely distributing a profile from a subscription manager system to a module comprising the steps of:
-
(a) recording, in memory operatively connected to the subscription manager system, a digital signature algorithm comprising an elliptic curve digital signature algorithm; (b) recording, by the memory operatively connected to the subscription manager system, a server private key and a corresponding server public key, wherein the server public key and the server private key use elliptic curve cryptography; (c) recording, by the memory operatively connected to the subscription manager system, a symmetric ciphering algorithm, wherein the symmetric ciphering algorithm comprises an Advanced Encryption Standard with a 128 bit key length; (d) receiving, by the subscription manager system, a certificate associated with the module from a module provider system associated with a module provider, wherein the certificate includes a module public key; (e) receiving, by the subscription manager system, a challenge from the module; (f) generating, by the subscription manager system, a network private key and a corresponding network public key, using a key pair generation algorithm; (g) sending the generated network public key to the module; and (h) sending a digital signature and the challenge to the module, wherein the digital signature is generated using the server private key and the digital signature algorithm; (i) generating, by the subscription manager system, a mutually derived shared key using Elliptic Curve Diffie-Hellman based on at least; (1) the module public key, and (2) the network private key; wherein the mutually derived shared key is derived by the module based on at least; (i) a module private key associated with the module public key, and (ii) the network public key; (j) encrypting, by the subscription manager system, the profile using; (1) the symmetric ciphering algorithm, and (2) the mutually derived shared key; (k) sending, from the subscription manager system to the module, the encrypted profile, wherein the profile includes network access credentials for a wireless network. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
Specification