System and Method for Securely Issuing Subscription Credentials to Communication Devices

US 20090239503A1
Filed: 03/20/2008
Published: 09/24/2009
Est. Priority Date: 03/20/2008
Status: Abandoned Application

First Claim

Patent Images

1. A subscription credentialing system for providing subscription credentials to remote communication devices lacking subscription credentials for network access, said subscription credentialing system comprising a subscription server configured to:

receive a credential request from an intermediate data device operating under the control of a requesting user and having a first communication link with the remote communication device and a second communication link with the subscription server;

prompt an external identity verification system to communicate with the intermediate data device to verify a device owner identity to be linked with the subscription credentials;

responsive to device owner identity verification, establish communication with the remote communication device through the intermediate data device and request a device certificate from the remote communication device;

prompt an external validation system to verify a validity of the device certificate;

responsive to validation of the device certificate, send a first transaction identifier and operator certificate to the remote communication device and correspondingly receive a signed return value from the remote communication device;

authenticate and decrypt the signed return value to recover a second transaction identifier and correspondingly generate a credentialing session key from the first and second transaction identifier; and

conduct an encrypted credentialing session with the remote communication device based on the session key, including the transfer of the subscription credentials.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to teachings presented herein, communication devices are conveniently provisioned with network subscription credentials after purchasing, without device manufacturer or network operators having to preload temporary subscription credentials or to otherwise make provisions for supporting direct over-the-air provisioning of the devices. Such devices may be, for example, cellular telephones or other mobile devices. Broadly, a user communicatively couples a communication device to be provisioned to an intermediate data device that has existing communication capabilities, e.g., a PC or already-provisioned mobile telephone. A subscription server or other entity then uses a communication link with the intermediate data device to provide subscription credentials to the communication device, subject to trusted-device and owner identity verifications.

87 Citations

View as Search Results

15 Claims

1. A subscription credentialing system for providing subscription credentials to remote communication devices lacking subscription credentials for network access, said subscription credentialing system comprising a subscription server configured to:
- receive a credential request from an intermediate data device operating under the control of a requesting user and having a first communication link with the remote communication device and a second communication link with the subscription server;
  
  prompt an external identity verification system to communicate with the intermediate data device to verify a device owner identity to be linked with the subscription credentials;
  
  responsive to device owner identity verification, establish communication with the remote communication device through the intermediate data device and request a device certificate from the remote communication device;
  
  prompt an external validation system to verify a validity of the device certificate;
  
  responsive to validation of the device certificate, send a first transaction identifier and operator certificate to the remote communication device and correspondingly receive a signed return value from the remote communication device;
  
  authenticate and decrypt the signed return value to recover a second transaction identifier and correspondingly generate a credentialing session key from the first and second transaction identifier; and
  
  conduct an encrypted credentialing session with the remote communication device based on the session key, including the transfer of the subscription credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The subscription credentialing system of claim 1, wherein the subscription server comprises an internet-based server that is configured for internet-based communications with one or more of the intermediate data device, the external identity verification system, and the external validation system.
  - 3. The subscription credentialing system of claim 1, wherein the subscription server comprises an internet web server that is configured to provide a web browser-based interface to the intermediate data device.
  - 4. The subscription credentialing system of claim 1, wherein the subscription server is configured to generate the first transaction identifier as a first random value.
  - 5. The subscription credentialing system of claim 1, wherein the subscription server is configured to decrypt the signed return value by verifying a signature of the signed return value against the device certificate, decrypting the signed return value using an operator secret key associated with the operator certificate, and verifying that the signed return value includes a correct copy of the first transaction identifier.
  - 6. The subscription credentialing system of claim 5, wherein the subscription server is configured to generate the credentialing session key by hashing a combination of the first and second transaction identifiers.
  - 7. The subscription credentialing system of claim 1, wherein the subscription server is configured to communicate with a subscriber registration server to activate the remote communication device for one or more communication networks associated with the subscription credentials, and to communicate with the external validation system to indicate activation of the remote communication device.
  - 8. The subscription credentialing system of claim 1, wherein the subscription server is further configured to cancel active subscription credentials for a credentialed remote communication device based on:
    - receiving a deactivation request from the credentialed remote communication device, including a device identifier and a device certificate;
      
      prompting an external validation system to verify a validity of the device certificate;
      
      responsive to validation of the device certificate, sending a first transaction identifier and operator certificate to the credentialed remote communication device and correspondingly receiving a signed return value from the credentialed remote communication device;
      
      authenticating and decrypting the signed return value to recover a subscription credential identifier and a second transaction identifier;
      
      if the subscription credential identifier corresponds to a subscription, generating an encrypted deactivation message based on the subscription credential identifier and the first and second transaction identifiers and sending the deactivation message to the credentialed remote communication device; and
      
      prompting a subscriber registration server to deactivate the active subscription credentials.

9. A method of providing subscription credentials to remote communication devices lacking subscription credentials for network access, said method comprising:
- receiving a credential request from an intermediate data device operating under control of a requesting user and having a first communication link with the remote communication device;
  
  prompting an external identity verification system to communicate with the intermediate data device to verify a device owner identity to be linked with the subscription credentials;
  
  responsive to device owner identity verification, establishing communication with the remote communication device through the intermediate data device and requesting a device certificate from the remote communication device;
  
  prompting an external validation system to verify a validity of the device certificate;
  
  responsive to validation of the device certificate, sending a first transaction identifier and operator certificate to the remote communication device and correspondingly receiving a signed return value from the remote communication device;
  
  authenticating and decrypting the signed return value to recover a second transaction identifier and correspondingly generating a credentialing session key from the first and second transaction identifiers; and
  
  conducting an encrypted credentialing session with the remote communication device based on the session key, including transferring the subscription credentials.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein receiving the credential request from the intermediate data device comprises receiving an internet-based request at a subscription server communicatively linked to the intermediate data device via the internet.
  - 11. The method of claim 9, further comprising generating the first transaction identifier as a first random value.
  - 12. The method of claim 9, wherein authenticating and decrypting the signed return value comprises verifying a signature of the signed return value against the device certificate, decrypting the signed return value using an operator secret key associated with the operator certificate, and verifying that the signed return value includes a correct copy of the first transaction identifier.
  - 13. The method of claim 12, wherein generating the credentialing session key from the first and second identifiers comprises hashing a combination of the first and second transaction identifiers.
  - 14. The method of claim 9, further comprising communicating with a subscriber registration server to activate the remote communication device for one or more communication networks associated with the subscription credentials, and communicating with the external validation system to indicate activation of the remote communication device.
  - 15. The method of claim 9, further comprising canceling active subscription credentials for a credentialed remote communication device by receiving a deactivation request from the credentialed remote communication device, including a device identifier and a device certificate;
    - prompting an external validation system to verify a validity of the device certificate;
      
      responsive to validation of the device certificate, sending a first transaction identifier and operator certificate to the credentialed remote communication device and correspondingly receiving a signed return value from the credentialed remote communication device;
      
      authenticating and decrypting the signed return value to recover a subscription credential identifier and a second transaction identifier;
      
      if the subscription credential identifier corresponds to an subscription, generating an encrypted deactivation message based on the subscription credential identifier and the first and second transaction identifiers and sending the deactivation message to the credentialed remote communication device; and
      
      prompting a subscriber registration server to deactivate the active subscription credentials.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Smeets, Bernard

Application Number

US12/052,028
Publication Number

US 20090239503A1
Time in Patent Office

Days
Field of Search
US Class Current

455/411
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

H04L 63/123   received data contents, e.g...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/35   Protecting application or s...

System and Method for Securely Issuing Subscription Credentials to Communication Devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

87 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Securely Issuing Subscription Credentials to Communication Devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links