APPARATUS AND METHODS FOR CONTROLLING DISTRIBUTION OF ELECTRONIC ACCESS CLIENTS

US 20120260095A1
Filed: 04/05/2011
Published: 10/11/2012
Est. Priority Date: 04/05/2011
Status: Active Grant

First Claim

Patent Images

1. A wireless apparatus, comprising:

a wireless interface;

one or more processors; and

a secure element comprising a secure processor and secure storage in data communication with the secure processor, the secure storage comprising computer-executable instructions that are configured to, when executed by the secure processor;

receive an activation ticket, the activation ticket comprising one or more unbreak records associated with the one or more processors;

verify the received activation ticket; and

upon successful verification, enable at least one processor of the one or more processors based at least in part on the one or more unbreak records.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods for controlling the distribution of electronic access clients to a device. In one embodiment, a virtualized Universal Integrated Circuit Card (UICC) can only load an access client such as an electronic Subscriber Identity Module (eSIM) according to an activation ticket. The activation ticket ensures that the virtualized UICC can only receive eSIMs from specific carriers (“carrier locking”). Unlike prior art methods which enforce carrier locking on a software application launched from a software chain of trust (which can be compromised), the present invention advantageously enforces carrier locking with the secure UICC hardware which has, for example, a secure code base.

Citations

33 Claims

1. A wireless apparatus, comprising:
- a wireless interface;
  
  one or more processors; and
  
  a secure element comprising a secure processor and secure storage in data communication with the secure processor, the secure storage comprising computer-executable instructions that are configured to, when executed by the secure processor;
  
  receive an activation ticket, the activation ticket comprising one or more unbreak records associated with the one or more processors;
  
  verify the received activation ticket; and
  
  upon successful verification, enable at least one processor of the one or more processors based at least in part on the one or more unbreak records.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The wireless apparatus of claim 1, wherein the one or more processors comprise an application processor and one or more baseband processors.
  - 3. The wireless apparatus of claim 2, wherein the verification of the received activation ticket comprises checking the one or more unbreak records for records associated with the application processor and the one or more baseband processors.
  - 4. The wireless apparatus of claim 1, wherein the verification of the received activation ticket comprises checking for an unbreak record for the secure processor.
  - 5. The wireless apparatus of claim 1, wherein the activation ticket comprises a digital signature signed by a trusted signatory.
  - 6. The wireless apparatus of claim 5, wherein the verification of the received activation ticket comprises verifying the digital signature.
  - 7. The wireless apparatus of claim 1, wherein the wireless interface is configured to communicate with a cellular network.
  - 8. The wireless apparatus of claim 7, wherein the verification of the received activation ticket comprises checking the cellular network identity.
  - 9. The wireless apparatus of claim 7, wherein the secure element is further configured to execute a user access control client.
  - 10. The wireless apparatus of claim 9, wherein the user access control client comprises a network-specific electronic Subscriber Identity Module (eSIM) that is specific to the cellular network.
  - 11. The wireless apparatus of claim 9, wherein the activation ticket is received via the wireless interface.

12. A secure element comprising:
- an interface to one or more processing elements;
  
  a secure processor in sole communication with first and second secure storage elements;
  
  wherein the first secure storage element is configured to store at least one access control client, the access control client comprising a first computer-executable instructions configured to, when executed by the secure processor, authenticate the at least one access control client to at least one cellular network; and
  
  wherein the second secure storage element comprises a second computer-executable instructions that are configured for sole execution by the secure processor, and are further configured to, when executed by the secure processor;
  
  verify an activation ticket; and
  
  upon successful verification of the activation ticket, enable the first secure storage element.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The secure element of claim 12, wherein the second computer-executable instructions additionally comprise instructions configured to, when executed by the secure processor, enable the one or more processing elements.
  - 14. The secure element of claim 12, wherein the activation ticket comprises one or more unbreak records for at least the secure processor.
  - 15. The secure element of claim 12, wherein the activation ticket comprises a digital signature signed by a trusted signatory.
  - 16. The secure element of claim 12, wherein the activation ticket further includes one or more operational limitations.
  - 17. The secure element of claim 16, wherein at least one of said one or more operational limitation limits operation to only a specific cellular networks.
  - 18. The secure element of claim 16, wherein at least one of the one or more operational limitations excludes operation with one or more cellular networks.
  - 19. The secure element of claim 16, wherein one operational limitation limits activation to only a subset of the one or more processing elements.

20. A method for enforcing security for a wireless device, comprising:
- receiving an activation ticket, the activation ticket comprising one or more activation records, each activation record specific to one or more processing elements of the wireless device;
  
  verifying the received activation ticket; and
  
  upon the activation ticket being successfully verified, enabling the one or more processing elements;
  
  wherein the verification of the activation ticket is performed by a secure element of the wireless device.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 21. The method of claim 20, further comprising transmitting a request for the activation ticket from a mobile services application, the mobile services application being configured for communication with an activation service.
  - 22. The method of claim 21, wherein the mobile services application executes on a computerized device in data communication with the wireless device.
  - 23. The method of claim 21, wherein the mobile services application executes on the wireless device.
  - 24. The method of claim 21, wherein the request comprises one or more unique identifiers associated with the one or more processing elements.
  - 25. The method of claim 21, wherein the wireless device comprises a cellular wireless interface, and the request comprises a desired cellular network.
  - 26. The method of claim 21, wherein the request comprises one or more user information elements.
  - 27. The method of claim 26, wherein the one or more user information elements comprise billing information.
  - 28. The method of claim 20, wherein verification comprises checking the activation ticket for one or more activation records, wherein each activation record identifies at least one processing element.
  - 29. The method of claim 20, wherein verification comprises checking the activation ticket for an activation record associated with the secure processor.
  - 30. The method of claim 20, wherein verification comprises checking a digital signature signed by a trusted signatory.
  - 31. The method of claim 30, wherein the trusted signatory comprises the activation service.
  - 32. The method of claim 20, additionally comprising requesting one or more user access control clients.
  - 33. The method of claim 32, wherein the one or more user access control clients are adapted to authenticate the wireless device to a wireless network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Haggerty, David T., Von Hauck, Jerrold

Granted Patent

US 9,450,759 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

H04L 2209/80   Wireless

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 9/3228   One-time or temporary data,...

H04L 9/3247   involving digital signatures

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/12   Detection or prevention of ...

H04W 12/35   Protecting application or s...

H04W 12/48   using secure binding, e.g. ...

H04W 4/60   Subscription-based services...

H04W 8/183   Processing at user equipmen...

H04W 8/245   from a network towards a te...

APPARATUS AND METHODS FOR CONTROLLING DISTRIBUTION OF ELECTRONIC ACCESS CLIENTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHODS FOR CONTROLLING DISTRIBUTION OF ELECTRONIC ACCESS CLIENTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links