METHODS AND APPARATUS FOR STORAGE AND EXECUTION OF ACCESS CONTROL CLIENTS

US 20120108205A1
Filed: 04/05/2011
Published: 05/03/2012
Est. Priority Date: 10/28/2010
Status: Active Grant

First Claim

Patent Images

1. A wireless apparatus, comprising:

one or more wireless links adapted to communicate with at least one network;

a secure element configured to store the access control client;

an interface to the secure element, the interface having a cryptographic key and a first endorsement certificate associated therewith;

a processor; and

a storage device in data communication with the processor, the storage device comprising computer-executable instructions, wherein at least a subset of the computer-executable instructions are further partitioned into one or more segments, and wherein the computer-executable instructions are configured to, when executed by the processor;

transmit a request for one or more components for the access control client specific to the at least one network via the interface;

receive the one or more requested components and a second endorsement certificate;

verify the second endorsement certificate; and

responsive to successful verification of the second endorsement certificate, stores the access control client to the secure element.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for secure provision of access control entities (such as electronic or virtual Subscriber Identity Module (eSIM) components) post-deployment of the host device on which the access control entity will be used. In one embodiment, wireless (e.g., cellular) user equipment is given a unique device key and endorsement certificate which can be used to provide updates or new eSIMs to the user equipment in the “field”. The user equipment can trust eSIM material delivered by an unknown third-party eSIM vendor, based on a secure certificate transmission with the device key. In another aspect, an operating system (OS) is partitioned into various portions or “sandboxes”. During operation, the user device can activate and execute the operating system in the sandbox corresponding to the current wireless network. Personalization packages received while connected to the network only apply to that sandbox. Similarly, when loading an eSIM, the OS need only load the list of software necessary for the current run-time environment. Unused software can be subsequently activated.

Citations

26 Claims

1. A wireless apparatus, comprising:
- one or more wireless links adapted to communicate with at least one network;
  
  a secure element configured to store the access control client;
  
  an interface to the secure element, the interface having a cryptographic key and a first endorsement certificate associated therewith;
  
  a processor; and
  
  a storage device in data communication with the processor, the storage device comprising computer-executable instructions, wherein at least a subset of the computer-executable instructions are further partitioned into one or more segments, and wherein the computer-executable instructions are configured to, when executed by the processor;
  
  transmit a request for one or more components for the access control client specific to the at least one network via the interface;
  
  receive the one or more requested components and a second endorsement certificate;
  
  verify the second endorsement certificate; and
  
  responsive to successful verification of the second endorsement certificate, stores the access control client to the secure element.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The wireless apparatus of claim 1, wherein the user access control client comprises an electronic Subscriber Identity Module (eSIM).
  - 3. The wireless apparatus of claim 2, wherein the at least one network comprises a Global Standard for Mobile Communications (GSM) network.
  - 4. The wireless apparatus of claim 2, wherein the at least one network comprises a Universal Mobile Telecommunications System (UMTS) network.
  - 5. The wireless apparatus of claim 2, wherein the at least one network comprises a Code Division Multiple Access 2000 (CDMA 2000) network.
  - 6. The wireless apparatus of claim 1, wherein the request includes the first endorsement certificate.
  - 7. The wireless apparatus of claim 6, wherein the cryptographic key is uniquely associated with the first endorsement certificate.
  - 8. The wireless apparatus of claim 1, wherein the cryptographic key has an asymmetric counterpart key that can be publicly distributed.
  - 9. The wireless apparatus of claim 8, wherein the asymmetric counterpart key enables secure transmission to the wireless apparatus.
  - 10. The wireless apparatus of claim 1, wherein the one or more components comprise an access control client that has been encrypted with a session key.
  - 11. The wireless apparatus of claim 10, wherein the session key is randomly generated.

12. A method of requesting a user access control client for use with a wireless network, comprising:
- requesting a user access control client from the wireless network, the requesting being associated with a first endorsement certificate;
  
  receiving the user access control client and a second endorsement certificate, the first and second endorsement certificates being issued by a trusted entity; and
  
  storing the user access control client if the second endorsement certificate is valid;
  
  wherein access to the wireless network is limited to (i) access via the user access control client, and (ii) requests for user access control clients.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12, wherein the user access control client comprises an electronic Subscriber Identity Module (eSIM).
  - 14. The method of claim 12, wherein the first and second endorsement certificates are uniquely associated with a first and second cryptographic key pairs.
  - 15. The method of claim 14, wherein the first and second cryptographic key pairs comprise asymmetric key pairs.
  - 16. The method of claim 12, wherein the user access control client is further encrypted with a session key.
  - 17. The method of claim 12, wherein the act of storing the user access control client comprises storing the user access control client within a memory partition selected from a plurality of memory partitions.
  - 18. The method of claim 17, wherein the memory partition is specific to the user access control client.
  - 19. The method of claim 18, wherein subsequent modifications to the user access control client can only be performed with the second endorsement certificate.

20. A method of executing an access control client, comprising:
- executing a first bootstrap operating system, the bootstrap operating system selecting a secure partition, the secure partition being associated with only one access control client;
  
  verifying the secure partition, the secure partition including one common operating system and one access control client; and
  
  executing the common operating system, the common operating system loading the one access control client;
  
  wherein the access control client is configured to authenticate to a network.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The method of claim 20, wherein the user access control client comprises an electronic Subscriber Identity Module (eSIM).
  - 22. The method of claim 20, wherein the verifying comprises checking a certificate associated with the secure partition.
  - 23. The method of claim 20, wherein the selecting comprises identifying a default network.
  - 24. The method of claim 20, wherein the verifying comprises checking a certificate associated with the secure partition.
  - 25. The method of claim 24, wherein the secure partition includes one or more active patches, each of the one or more active patches associated with the certificate.
  - 26. The method of claim 20, wherein the selecting comprises selecting the secure partition from a plurality of secure partitions, each of the plurality of secure partitions being associated with only one access control client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Schell, Stephen V., Hauck, Jerrold Von

Granted Patent

US 8,924,715 B2
Time in Patent Office

Days
Field of Search
US Class Current

455/411
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04W 12/06   Authentication

H04W 12/086   using security domains

H04W 12/35   Protecting application or s...

H04W 4/50   Service provisioning or rec...

H04W 4/60   Subscription-based services...

H04W 8/18   Processing of user or subsc...

H04W 8/205   Transfer to or from user eq...

H04W 8/265   for initial activation of n...

METHODS AND APPARATUS FOR STORAGE AND EXECUTION OF ACCESS CONTROL CLIENTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND APPARATUS FOR STORAGE AND EXECUTION OF ACCESS CONTROL CLIENTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links