Network supporting two-factor authentication for modules with embedded universal integrated circuit cards
First Claim
1. A method for securely distributing a profile from a subscription manager system to an embedded universal integrated circuit card comprising the steps of:
(a) recording, in memory operatively connected to the subscription manager system, a digital signature algorithm comprising an elliptic curve digital signature algorithm;
(b) recording, by the memory operatively connected to the subscription manager system, a profile for the embedded universal integrated circuit card comprising:
(i) a key K; and
(ii) a network module identity, wherein the profile has been encrypted using a first key that is a symmetric key;
(c) recording, by the memory operatively connected to the subscription manager system, (i) a profile ciphering algorithm to cipher the profile into a ciphered profile for the embedded universal integrated circuit card, and (ii) ciphering parameters to be used by the profile ciphering algorithm, wherein the ciphering parameters comprise an Advanced Encryption Standard ciphering algorithm;
(d) authenticating, by the subscription manager system, the embedded universal integrated circuit card, by performing the steps of:
(i) receiving, by the subscription manager system from the embedded universal integrated circuit card, a first message comprising an eUICC identity associated with the embedded universal integrated circuit card;
(ii) receiving, by the subscription manager system from the embedded universal integrated circuit card, a second message comprising a first digital signature generated by the embedded universal integrated circuit card using the same digital signature algorithm as stored in the memory operatively connected to the subscription manager; and
(iii) authenticating, by the subscription manager system, the embedded universal integrated circuit card by confirming:
(A) the eUICC identity corresponds to the embedded universal integrated circuit card; and
(B) the first digital signature which was signed by the embedded universal integrated circuit card using the digital signature algorithm;
(e) authenticating the subscription manager system with the embedded universal integrated circuit, by performing the steps of:
(i) generating, by the subscription manager system, a third message including a second digital signature, generated by the subscription manager using the digital signature algorithm; and
(ii) sending, from the subscription manager system to the embedded universal integrated circuit card, the third message;
(f) receiving, by the subscription manager system from the embedded universal integrated circuit card, a fourth message comprising:
(i) an eUICC public key corresponding to an eUICC private key stored at the embedded universal integrated circuit card; and
(ii) a third digital signature which was generated by the embedded universal integrated circuit card using the same digital signature algorithm as stored in the memory operatively connected to the subscription manager;
(g) confirming, by the subscription manager system, that the third digital signature was signed by the embedded universal integrated circuit card using the digital signature algorithm;
(h) generating, by the subscription manager system, an eUICC subscription manager public key and a corresponding eUICC subscription manager private key, using elliptic curve cryptography;
(i) generating, by the subscription manager system, a second key that is a mutually derived shared key using Elliptical Curve Diffie-Hellman based on at least:
(i) the eUICC public key; and
(ii) the eUICC subscription manager private key;
wherein the mutually derived shared key is configured to be derived by the embedded universal integrated circuit card based on at least:
(A) the eUICC private key associated with the eUICC public key; and
(B) the eUICC subscription manager public key associated with the eUICC subscription manager private key;
(j) generating, by the subscription manager system, a third key that is a profile key using the second key that is the mutually derived shared key;
(k) encrypting, by the subscription manager system, the profile using:
(i) the profile ciphering algorithm; and
(ii) the third key that is the profile key;
(l) authenticating, by the subscription manager system, a user associated with the embedded universal integrated circuit card;
(m) sending, by the subscription manager system to the embedded universal integrated circuit card, the symmetric key, after the user associated with the embedded universal integrated circuit card is authenticated;
(n) sending, from the subscription manager system to the embedded universal integrated circuit card, the encrypted profile.
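The key layering of steps (b) and (h) through (n), as an added example in Go that is not part of the patent or of any eUICC or subscription manager implementation. It assumes P-256 for the ECDH exchange, SHA-256 of the shared secret as the profile-key derivation, AES-GCM as the profile ciphering algorithm, and leaves out the ECDSA authentication of steps (d) through (g); both parties are simulated in one process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
func must[T any](v T, err error) T { // aborts on key-setup failures (RNG, curve, key length)
	if err != nil {
		panic(err)
	}
	return v
}
// profileKey is step (j): third key from the step (i) ECDH secret; SHA-256 as KDF is assumed here.
func profileKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	k := sha256.Sum256(must(own.ECDH(peer)))
	return k[:]
}
// seal and open apply AES-GCM with the nonce prepended (GCM mode is assumed).
func seal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, box []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(box) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], nil)
}

// Distribute runs steps (b), (h)-(k), (m), (n) for both parties; symKey is
// released to the eUICC only if the second factor of step (l) passed.
func Distribute(profile, symKey []byte, secondFactorOK bool) ([]byte, error) {
	euicc := must(ecdh.P256().GenerateKey(rand.Reader)) // (f) eUICC key pair
	sm := must(ecdh.P256().GenerateKey(rand.Reader))    // (h) SM key pair
	outer := seal(profileKey(sm, euicc.PublicKey()), seal(symKey, profile)) // (b), (i)-(k), (n)
	inner, err := open(profileKey(euicc, sm.PublicKey()), outer)            // eUICC strips outer layer
	if err == nil && !secondFactorOK { // (l) failed: the step (m) symmetric key is withheld
		err = errors.New("second factor not satisfied: profile stays ciphered")
	}
	if err != nil {
		return inner, err
	}
	return open(symKey, inner) // (m) delivered symKey
}
```

Without the second factor the eUICC holds only the inner ciphertext, which is why the profile's key K remains unreadable even though the ECDH layer was removed.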
Abstract
A network with a set of servers can support authentication from a module, where the module includes an embedded universal integrated circuit card (eUICC). The network can send a first network module identity, a first key K, and an encrypted second key K for an eUICC profile to an eUICC subscription manager. The second key K can be encrypted with a symmetric key. The module can receive and activate the eUICC profile, and the network can authenticate the module using the first network module identity and the first key K. The network can (i) authenticate the user of the module using a second factor, and then (ii) send the symmetric key to the module. The module can decrypt the encrypted second key K using the symmetric key. The network can authenticate the module using the second key K. The module can comprise a mobile phone.
8 Claims
Specification