METHODS AND APPARATUS FOR STORAGE AND EXECUTION OF ACCESS CONTROL CLIENTS
Abstract
Methods and apparatus for secure provision of access control entities (such as electronic or virtual Subscriber Identity Module (eSIM) components) post-deployment of the host device on which the access control entity will be used. In one embodiment, wireless (e.g., cellular) user equipment is given a unique device key and endorsement certificate which can be used to provide updates or new eSIMs to the user equipment in the “field”. The user equipment can trust eSIM material delivered by an unknown third-party eSIM vendor, based on a secure certificate transmission with the device key. In another aspect, an operating system (OS) is partitioned into various portions or “sandboxes”. During operation, the user device can activate and execute the operating system in the sandbox corresponding to the current wireless network. Personalization packages received while connected to the network only apply to that sandbox. Similarly, when loading an eSIM, the OS need only load the list of software necessary for the current run-time environment. Unused software can be subsequently activated.
26 Claims
1. A wireless apparatus, comprising:
one or more wireless links adapted to communicate with at least one network;
a secure element configured to store the access control client;
an interface to the secure element, the interface having a cryptographic key and a first endorsement certificate associated therewith;
a processor; and
a storage device in data communication with the processor, the storage device comprising computer-executable instructions, wherein at least a subset of the computer-executable instructions are further partitioned into one or more segments, and wherein the computer-executable instructions are configured to, when executed by the processor:
transmit a request for one or more components for the access control client specific to the at least one network via the interface;
receive the one or more requested components and a second endorsement certificate;
verify the second endorsement certificate; and
responsive to successful verification of the second endorsement certificate, store the access control client to the secure element.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A method of requesting a user access control client for use with a wireless network, comprising:
requesting a user access control client from the wireless network, the requesting being associated with a first endorsement certificate;
receiving the user access control client and a second endorsement certificate, the first and second endorsement certificates being issued by a trusted entity; and
storing the user access control client if the second endorsement certificate is valid;
wherein access to the wireless network is limited to (i) access via the user access control client, and (ii) requests for user access control clients.
Dependent claims: 13, 14, 15, 16, 17, 18, 19
20. A method of executing an access control client, comprising:
executing a first bootstrap operating system, the bootstrap operating system selecting a secure partition, the secure partition being associated with only one access control client;
verifying the secure partition, the secure partition including one common operating system and one access control client; and
executing the common operating system, the common operating system loading the one access control client;
wherein the access control client is configured to authenticate to a network.
Dependent claims: 21, 22, 23, 24, 25, 26
Specification