Methods and apparatus for establishing a secure communication channel

US 10,404,693 B2
Filed: 03/26/2018
Issued: 09/03/2019
Est. Priority Date: 07/03/2014
Status: Active Grant

First Claim

Patent Images

1. A wireless device comprising:

one or more antennas;

an embedded Universal Integrated Circuit Card (eUICC) communicatively coupled to the one or more antennas, the eUICC comprising a processor and a memory communicatively coupled to the processor and storing instructions that, when executed by the processor, cause the eUICC to perform operations comprising;

providing, to a server via the wireless device, a request to establish a secure connection with the server, wherein the server is associated with a long-term server public key (PK_server) and a long-term server private key (SK_server),providing to the server via the wireless device;

(i) a signature produced using a long-term eUICC public key (PK_eUICC), and (ii) PK_eUICC,authenticating the server using PK_server,generating, subsequent to the authenticating, an ephemeral eUICC public key (ePK_eUICC) and an ephemeral eUICC private key (eSK_eUICC),providing, to the server via the wireless device, a signed ePK_eUICCthat is signed using SK_eUICC,receiving, from the server via the wireless device, an ephemeral server public key (ePK_server) that is signed using using SK_server,generating a shared symmetric key using eSK_eUICCand ePK_server, andestablishing the secure connection with the server using the shared symmetric key.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for establishing a secure communication channel between an off-card entity and an embedded Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, an off-card entity, and each eUICC in a set of eUICCs managed by the off-card entity, possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the eUICC and the off-card entity can authenticate one another in accordance with the respectively-possessed PKI information (e.g., verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward security is desired. Once the shared session-based symmetric key is established, the off-card entity and the eUICC can securely communicate information.

24 Citations

20 Claims

1. A wireless device comprising:
- one or more antennas;
  
  an embedded Universal Integrated Circuit Card (eUICC) communicatively coupled to the one or more antennas, the eUICC comprising a processor and a memory communicatively coupled to the processor and storing instructions that, when executed by the processor, cause the eUICC to perform operations comprising;
  
  providing, to a server via the wireless device, a request to establish a secure connection with the server, wherein the server is associated with a long-term server public key (PK_server) and a long-term server private key (SK_server),providing to the server via the wireless device;
  
  (i) a signature produced using a long-term eUICC public key (PK_eUICC), and (ii) PK_eUICC,authenticating the server using PK_server,generating, subsequent to the authenticating, an ephemeral eUICC public key (ePK_eUICC) and an ephemeral eUICC private key (eSK_eUICC),providing, to the server via the wireless device, a signed ePK_eUICCthat is signed using SK_eUICC,receiving, from the server via the wireless device, an ephemeral server public key (ePK_server) that is signed using using SK_server,generating a shared symmetric key using eSK_eUICCand ePK_server, andestablishing the secure connection with the server using the shared symmetric key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The wireless device of claim 1, wherein the operations further comprise:
    - storing, within a security domain of the eUICC, the shared symmetric key for establishing a different secure connection at a later time with the server.
  - 3. The wireless device of claim 1, wherein the operations further comprise:
    - receiving, from the server over the secure connection via the wireless device, an electronic subscriber identity module (eSIM).
  - 4. The wireless device of claim 1, wherein the operations further comprise:
    - updating an electronic subscriber identity module (eSIM) managed by the eUICC based on an update received from the server over the secure connection via the wireless device.
  - 5. The wireless device of claim 1, wherein the operations further comprise:
    - removing from the eUICC an electronic subscriber identity module (eSIM) managed by the eUICC responsive to receipt of a command from the server to remove the eSIM.
  - 6. The wireless device of claim 1, wherein the operations further comprise:
    - receiving, from the server via the wireless device prior to the authenticating the server, public key infrastructure (PKI) information.
  - 7. The wireless device of claim 6, wherein the PKI information comprises PK_server.
  - 8. The wireless device of claim 6, wherein:
    - the PKI information comprises a certificate authority (CA) signature; and
      
      the authenticating the server comprises verifying the CA signature.

9. An apparatus configurable for operation in a wireless device, the apparatus comprising:
- an embedded Universal Integrated Circuit Card (eUICC) comprising a processor and a memory communicatively coupled to the processor and storing instructions that, when executed by the processor, cause the eUICC to perform operations comprising;
  
  providing, to a server via the wireless device, a request to establish a secure connection with the server, wherein the server is associated with a long-term server public key (PK_server) and a long-term server private key (SK_server),providing to the server via the wireless device;
  
  (i) a signature produced using a long-term eUICC public key (PK_eUICC), and (ii) PK_eUICC,authenticating the server using PK_server,generating, subsequent to the authenticating, an ephemeral eUICC public key (ePK_eUICC) and an ephemeral eUICC private key (eSK_eUICC),providing, to the server via the wireless device, a signed ePK_eUICCthat is signed using SK_eUICC,receiving, from the server via the wireless device, an ephemeral server public key (ePK_server) that is signed using using SK_server,generating a shared symmetric key using eSK_eUICCand ePK_server, andestablishing the secure connection with the server using the shared symmetric key.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The apparatus of claim 9, wherein the operations further comprise:
    - storing, within a security domain of the eUICC, the shared symmetric key for establishing a different secure connection at a later time with the server.
  - 11. The apparatus of claim 9, wherein the operations further comprise:
    - receiving, from the server over the secure connection via the wireless device, an electronic subscriber identity module (eSIM).
  - 12. The apparatus of claim 9, wherein the operations further comprise:
    - updating an electronic subscriber identity module (eSIM) managed by the eUICC based on an update received from the server over the secure connection via the wireless device.
  - 13. The apparatus of claim 9, wherein the operations further comprise:
    - removing from the eUICC an electronic subscriber identity module (eSIM) managed by the eUICC responsive to receipt of a command from the server to remove the eSIM.
  - 14. The apparatus of claim 9, wherein the operations further comprise:
    - receiving, from the server via the wireless device prior to the authenticating the server, public key infrastructure (PKI) information comprising PK_server.
  - 15. The apparatus of claim 14, wherein:
    - the PKI information further comprises a certificate authority (CA) signature; and
      
      the authenticating the server comprises verifying the CA signature.

16. A method performed by an embedded Universal Integrated Circuit Card (eUICC) of a wireless device, the method comprising:
- by the eUICC;
  
  providing, to a server via the wireless device, a request to establish a secure connection with the server, wherein the server is associated with a long-term server public key (PK_server) and a long-term server private key (SK_server),providing to the server via the wireless device;
  
  (i) a signature produced using a long-term eUICC public key (PK_eUICC), and (ii) PK_eUICC,authenticating the server using PK_server,generating, subsequent to the authenticating, an ephemeral eUICC public key (ePK_eUICC) and an ephemeral eUICC private key (eSK_eUICC),providing, to the server via the wireless device, a signed ePK_eUICCthat is signed using SK_eUICC,receiving, from the server via the wireless device, an ephemeral server public key (ePK_server) that is signed using using SK_server,generating a shared symmetric key using eSK_eUICCand ePK_server, andestablishing the secure connection with the server using the shared symmetric key.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising:
    - storing, within a security domain of the eUICC, the shared symmetric key for establishing a different secure connection at a later time with the server.
  - 18. The method of claim 16, further comprising:
    - receiving, from the server over the secure connection via the wireless device, an electronic subscriber identity module (eSIM).
  - 19. The method of claim 16, further comprising:
    - receiving, from the server via the wireless device prior to the authenticating the server, public key infrastructure (PKI) information comprising PK_server.
  - 20. The method of claim 19, wherein:
    - the PKI information further comprises a certificate authority (CA) signature; and
      
      the authenticating the server comprises verifying the CA signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Yang, Xiangying, Li, Li, Hauck, Jerrold Von
Primary Examiner(s)
Steinle, Andrew J

Application Number

US15/936,331
Publication Number

US 20180278604A1
Time in Patent Office

526 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/068   using time-dependent keys, ...

H04L 63/0853   using an additional device,...

H04L 63/105   Multiple levels of security

H04W 12/041   Key generation or derivation

H04W 12/0433   Key management protocols

H04W 12/069   using certificates or pre-s...

H05K 999/99   dummy group

Methods and apparatus for establishing a secure communication channel

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for establishing a secure communication channel

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links