Key derivation for a module using an embedded universal integrated circuit card
First Claim
1. A subscription manager system for distributing a profile to a module comprising:
- (1) one or more processors; and
(2) first non-transitory computer-readable media operatively connected to the one or more processors and having stored thereon machine-readable instructions that, when executed by the one or more processors, cause the one or more processors to perform a method comprising steps of;
(a) recording, in second non-transitory computer-readable media, a digital signature algorithm comprising an elliptic curve digital signature algorithm;
(b) recording, in the second non-transitory computer-readable media, a module identity, a server private key, and a server certificate for a corresponding server public key, wherein the server public key and the server private key use the elliptic curve digital signature algorithm;
(c) recording, in the second non-transitory computer-readable media, a symmetric ciphering algorithm, wherein the symmetric ciphering algorithm comprises an Advanced Encryption Standard with a 128 bit key length;
(d) receiving a certificate associated with the module from a module provider system associated with a module provider, wherein the certificate includes the module identity, a module public key, and cryptographic parameters;
(e) verifying the certificate associated with the module using a certificate authority;
(f) sending, to the module, the server certificate, wherein the module verifies the server certificate using a certificate authority public key stored by the module;
(g) receiving a challenge from the module;
(h) generating a network private key and a corresponding network public key, using a key pair generation algorithm and the cryptographic parameters;
(i) sending the generated network public key to the module;
(j) sending a digital signature and the challenge to the module, wherein the digital signature is generated using the server private key, the challenge, and the digital signature algorithm, wherein the module verifies the digital signature using at least the server public key;
(k) generating a mutually derived shared key using Elliptic Curve Diffie-Hellman based on at least;
i. the module public key;
ii. the network private key; and
iii. the cryptographic parameters,wherein the mutually derived shared key is derived by the module based on at least;
iv. a module private key associated with the module public key;
v. the network public key; and
vi. the cryptographic parameters;
(l) encrypting the profile using;
i. the symmetric ciphering algorithm, andii. the mutually derived shared key; and
(m) sending the encrypted profile, wherein the encrypted profile includes network access credentials for a wireless network.
3 Assignments
0 Petitions
Accused Products
Abstract
A module with an embedded universal integrated circuit card (eUICC) can include a received eUICC profile and a set of cryptographic algorithms. The received eUICC profile can include an initial shared secret key for authentication with a wireless network. The module can receive a key K network token and send a key K module token to the wireless network. The module can use the key K network token, a derived module private key, and a key derivation function to derive a secret shared network key K that supports communication with the wireless network. The wireless network can use the received key K module token, a network private key, and the key derivation function in order to derive the same secret shared network key K derived by the module. The module and the wireless network can subsequently use the mutually derived key K to communicate using traditional wireless network standards.
245 Citations
13 Claims
-
1. A subscription manager system for distributing a profile to a module comprising:
-
(1) one or more processors; and (2) first non-transitory computer-readable media operatively connected to the one or more processors and having stored thereon machine-readable instructions that, when executed by the one or more processors, cause the one or more processors to perform a method comprising steps of; (a) recording, in second non-transitory computer-readable media, a digital signature algorithm comprising an elliptic curve digital signature algorithm; (b) recording, in the second non-transitory computer-readable media, a module identity, a server private key, and a server certificate for a corresponding server public key, wherein the server public key and the server private key use the elliptic curve digital signature algorithm; (c) recording, in the second non-transitory computer-readable media, a symmetric ciphering algorithm, wherein the symmetric ciphering algorithm comprises an Advanced Encryption Standard with a 128 bit key length; (d) receiving a certificate associated with the module from a module provider system associated with a module provider, wherein the certificate includes the module identity, a module public key, and cryptographic parameters; (e) verifying the certificate associated with the module using a certificate authority; (f) sending, to the module, the server certificate, wherein the module verifies the server certificate using a certificate authority public key stored by the module; (g) receiving a challenge from the module; (h) generating a network private key and a corresponding network public key, using a key pair generation algorithm and the cryptographic parameters; (i) sending the generated network public key to the module; (j) sending a digital signature and the challenge to the module, wherein the digital signature is generated using the server private key, the challenge, and the digital signature algorithm, wherein the module verifies the digital signature using at least the server public key; (k) generating a mutually derived shared key using Elliptic Curve Diffie-Hellman based on at least; i. the module public key; ii. the network private key; and iii. the cryptographic parameters, wherein the mutually derived shared key is derived by the module based on at least; iv. a module private key associated with the module public key; v. the network public key; and vi. the cryptographic parameters; (l) encrypting the profile using; i. the symmetric ciphering algorithm, and ii. the mutually derived shared key; and (m) sending the encrypted profile, wherein the encrypted profile includes network access credentials for a wireless network. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
Specification