Secure subscriber identity module service

US 20110151836A1
Filed: 12/17/2009
Published: 06/23/2011
Est. Priority Date: 12/17/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method performed in a secure partition of a system, the method comprising:

in response to receiving a request to activate communication service for the system, creating a permit requesting to activate the communication service;

sending the permit to a service provider for the communication service, wherein the service provider communicates with a permit service to obtain a digital signature for the permit to activate the communication service;

receiving a signed permit from the service provider;

retrieving a key for the permit service from storage accessible only by the secure partition;

using the key to confirm that the signed permit contains the digital signature by the permit service; and

activating the communication service for the system in response to confirming that the signed permit contains the digital signature by the permit service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, system, and computer program product for a secure subscriber identity module service. Communication via a mobile network is activated in response to receiving a request to activate communication service for the system by a secure partition of the system. In response to receiving the request, a key is retrieved for a permit service from storage accessible only by the secure partition. The key is included in a permit requesting to activate the communication service, and the permit is sent to a service provider for the communication service. The service provider communicates with the permit service to obtain a digital signature for the permit. The secure partition receives a signed permit from the service provider, confirms that the signed permit contains the digital signature by the permit service, and activates the communication service for the system in response to confirming that the signed permit contains the digital signature.

83 Citations

View as Search Results

22 Claims

1. A computer-implemented method performed in a secure partition of a system, the method comprising:
- in response to receiving a request to activate communication service for the system, creating a permit requesting to activate the communication service;
  
  sending the permit to a service provider for the communication service, wherein the service provider communicates with a permit service to obtain a digital signature for the permit to activate the communication service;
  
  receiving a signed permit from the service provider;
  
  retrieving a key for the permit service from storage accessible only by the secure partition;
  
  using the key to confirm that the signed permit contains the digital signature by the permit service; and
  
  activating the communication service for the system in response to confirming that the signed permit contains the digital signature by the permit service.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising:
    - generating a nonce for the permit;
      
      confirming that the signed permit contains the nonce prior to activating the communication service for the system.
  - 3. The method of claim 1 further comprising:
    - storing the signed permit in the storage accessible only by the secure partition.
  - 4. The method of claim 1 whereinthe key is embedded in the storage accessible only by the secure partition at the time of manufacture of hardware for the secure partition.
  - 5. The method of claim 1 whereinthe signed permit contains a second key for the service provider, andthe method further comprises:
    - receiving a subsequent communication from the service provider;
      
      confirming that the subsequent communication is associated with the second key for the service provider prior to acting in response to the subsequent communication.

6. An apparatus comprising:
- at least one processor;
  
  a secure partition isolated from a host operating system for the processor;
  
  storage accessible only by the secure partition; and
  
  a memory comprising instructions for at least one service executing in the secure partition to perform the following;
  
  in response to receiving a request to activate communication service for the system, creating a permit requesting to activate the communication service;
  
  sending the permit to a service provider for the communication service, wherein the service provider communicates with a permit service to obtain a digital signature for the permit to activate the communication service;
  
  receiving a signed permit from the service provider;
  
  retrieving a key for the permit service from the storage accessible only by the secure partition;
  
  using the key to confirm that the signed permit contains the digital signature by the permit service; and
  
  activating the communication service for the system in response to confirming that the signed permit contains the digital signature by the permit service.
- View Dependent Claims (7)
- - 7. The apparatus of claim 6 whereinthe key is embedded in the storage accessible only by the secure partition at the time of manufacture of hardware for the secure partition.

8. A computer program product comprising:
- a computer-readable storage medium; and
  
  instructions in the computer-readable storage medium, wherein the instructions, when executed in a secure partition of a processing system, cause a service executing in the secure partition to perform operations comprising;
  
  in response to receiving a request to activate communication service for the system, creating a permit requesting to activate the communication service;
  
  sending the permit to a service provider for the communication service, wherein the service provider communicates with a permit service to obtain a digital signature for the permit to activate the communication service;
  
  receiving a signed permit from the service provider;
  
  retrieving a key for the permit service from storage accessible only by the secure partition;
  
  using the key to confirm that the signed permit contains the digital signature by the permit service; and
  
  activating the communication service for the system in response to confirming that the signed permit contains the digital signature by the permit service.

9. A computer-implemented method comprising:
- receiving a permit requesting to activate communication service from a requesting system;
  
  adding a key to the permit;
  
  obtaining a signed permit from a permit service, wherein the permit service adds a digital signature to the permit to create the signed permit;
  
  sending the signed permit to the requesting system, wherein the requesting system verifies that the signed permit contains the digital signature by the permit service prior to activating the communication service for the system; and
  
  sending a subsequent communication to the requesting system, wherein the subsequent communication contains a command to modify a parameter of the communication service, and the requesting system verifies that the subsequent communication is associated with the key prior to modifying the communication service.
- View Dependent Claims (10)
- - 10. The method of claim 9 further comprising:
    - adding an authentication key and a International Mobile Subscriber Identifier to the permit before obtaining the signed permit.

11. A computer-implemented method comprising:
- selecting a selected mobile network from at least one mobile network available at a location of a system;
  
  identifying a plurality of provisioned SIM services for the system;
  
  selecting a selected provisioned SIM service of the plurality of provisioned SIM services; and
  
  using a credential of the selected provisioned SIM service to attempt communication with the selected mobile network.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11 further comprising:
    - combining mobile network lists for each of the plurality of provisioned SIM services to create a combined mobile network list, wherein the selected mobile network is selected from the combined mobile network list.
  - 13. The method of claim 12 further comprising:
    - identifying a highest-quality mobile network that provides a highest quality of service of services available from the at least one mobile network available at the location;
      
      identifying a country code of the highest-quality mobile network; and
      
      using the country code to select mobile networks to be included in the combined mobile network list.
  - 14. The method of claim 11 further comprising:
    - causing a SIM service in a secure partition of the system to assume an identity of the selected provisioned SIM service, wherein the secure partition is isolated from a host operating system of the system.

15. An apparatus comprising:
- at least one processor;
  
  a secure partition isolated from a host operating system for the processor; and
  
  a memory comprising instructions for at least one service executing in the secure partition to perform the following;
  
  selecting a selected mobile network from at least one mobile network available at a location of the system;
  
  identifying a plurality of provisioned SIM services for the system;
  
  selecting a selected provisioned SIM service from the plurality of provisioned SIM services; and
  
  using a credential of the selected provisioned SIM service to attempt communication with the selected mobile network.
- View Dependent Claims (16, 17, 18)
- - 16. The apparatus of claim 15 wherein the instructions further comprise instructions to perform the following:
    - combining mobile network lists for each of the plurality of provisioned SIM services to create a combined mobile network list, wherein the selected mobile network is selected from the combined mobile network list.
  - 17. The apparatus of claim 16 wherein the instructions further comprise instructions to perform the following:
    - identifying a highest-quality mobile network that provides a highest quality of service of services available from the at least one mobile network available at the location;
      
      identifying a country code of the highest-quality mobile network; and
      
      using the country code to select mobile networks to be included in the combined mobile network list.
  - 18. The apparatus of claim 15 wherein the instructions further comprise instructions to perform the following:
    - causing a SIM service in a secure partition of the system to assume an identity of the selected provisioned SIM service.

19. A computer program product comprising:
- a computer-readable storage medium; and
  
  instructions in the computer-readable storage medium, wherein the instructions, when executed in a secure partition of a processing system, cause a service executing in the secure partition to perform operations comprising;
  
  selecting a selected mobile network from at least one mobile network available at a location of the processing system;
  
  identifying a plurality of provisioned SIM services for the processing system;
  
  selecting a selected provisioned SIM service from the plurality of provisioned SIM services; and
  
  using a credential of the selected provisioned SIM service to attempt communication with the selected mobile network.
- View Dependent Claims (20, 21, 22)
- - 20. The computer program product of claim 19 wherein the instructions further comprise instructions to perform the following:
    - combining mobile network lists for each of the plurality of provisioned SIM services to create a combined mobile network list, wherein the selected mobile network is selected from the combined mobile network list.
  - 21. The computer program product of claim 20 wherein the instructions further comprise instructions to perform the following:
    - identifying a highest-quality mobile network that provides a highest quality of service of services available from the at least one mobile network available at the location;
      
      identifying a country code of the highest-quality mobile network; and
      
      using the country code to select mobile networks to be included in the combined mobile network list.
  - 22. The computer program product of claim 19 wherein the instructions further comprise instructions to perform the following:
    - causing a SIM service in the secure partition to assume an identity of the selected provisioned SIM service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Prakash, Gyan, Mirashrafi, Mojtaba, Dadu, Saurabh

Granted Patent

US 8,171,529 B2
Time in Patent Office

Days
Field of Search
US Class Current

455/411
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/34   involving the use of extern...

G06F 21/6272   by registering files or doc...

G06F 21/72   in cryptographic circuits

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2115   Third party

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0853   using an additional device,...

H04L 63/123   received data contents, e.g...

H04W 4/50   Service provisioning or rec...

Secure subscriber identity module service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

83 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Secure subscriber identity module service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links