ELECTRONIC ACCESS CLIENT DISTRIBUTION APPARATUS AND METHODS

US 20120331292A1
Filed: 04/26/2012
Published: 12/27/2012
Est. Priority Date: 04/26/2011
Status: Active Grant

First Claim

Patent Images

1. Apparatus for distributing access control clients, comprising:

one or more electronic access client appliances,one or more secure electronic access client storages configured to store one or more electronic access client and associated electronic access client metadata, the one or more secure electronic access client storages in communication with the one or more electronic access client appliances;

one or more electronic access client management entities configured to perform at least one of tracking, verification, and/or authorization for the one or more electronic access client; and

one or more secure element appliances configured to protect one or more cryptographic materials transmitted to one or more device secure elements.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods for distributing access control clients. In one exemplary embodiment, a network infrastructure is disclosed that enables delivery of electronic subscriber identity modules (eSIMs) to secure elements (e.g., electronic Universal Integrated Circuit Cards (eUICCs), etc.) The network architecture includes one or more of: (i) eSIM appliances, (ii) secure eSIM storages, (iii) eSIM managers, (iv) eUICC appliances, (v) eUICC managers, (vi) service provider consoles, (vii) account managers, (viii) Mobile Network Operator (MNO) systems, (ix) eUICCs that are local to one or more devices, and (x) depots. Moreover, each depot may include: (xi) eSIM inventory managers, (xii) system directory services, (xiii) communications managers, and/or (xiv) pending eSIM storages. Functions of the disclosed infrastructure can be flexibly partitioned and/or adapted such that individual parties can host portions of the infrastructure. Exemplary embodiments of the present invention can provide redundancy, thus ensuring maximal uptime for the overall network (or the portion thereof).

162 Citations

12 Claims

1. Apparatus for distributing access control clients, comprising:
- one or more electronic access client appliances,one or more secure electronic access client storages configured to store one or more electronic access client and associated electronic access client metadata, the one or more secure electronic access client storages in communication with the one or more electronic access client appliances;
  
  one or more electronic access client management entities configured to perform at least one of tracking, verification, and/or authorization for the one or more electronic access client; and
  
  one or more secure element appliances configured to protect one or more cryptographic materials transmitted to one or more device secure elements.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus of claim 1, wherein at least a portion of said electronic access clients comprise electronic Universal Integrated Circuit Cards (eUICCs), said secure element comprises an eUICC appliance, and said device secure elements comprise device eUICCs.
  - 3. The apparatus of claim 2, wherein said eUICC appliance comprises at least one networked server operated by a trusted entity, and said device eUICCs are associated with respective ones of mobile wireless user devices.
  - 4. The apparatus of claim 3, wherein said device eUICCs comprise physically secure card-like form factors receivable within respective ones of the user devices.
  - 5. The apparatus of claim 3, wherein the one or more cryptographic materials transmitted to one or more device secure elements are transmitted via a wireless link between the one or more secure element appliances and the one or more device secure elements.

6. A system for distributing access control clients, comprising:
- one or more eSIM appliances,one or more secure eSIM storages configured to store the one or more eSIMs and associated eSIM metadata, the one or more secure eSIM storages coupled to the one or more eSIM appliances;
  
  one or more eSIM managers, wherein each of the eSIM managers is configured to track, verify, and authorize the one or more eSIMs;
  
  one or more eUICC appliances, wherein each of the eUICC appliances is configured to protect one or more cryptographic materials transmitted to one or more device eUICCs;
  
  one or more eUICC managers, wherein each of the eUICC managers is configured to track, verify, and authorize the one or more device eUICCs; and
  
  one or more depots, each depot comprising;
  
  an eSIM inventory manager configured to distribute network traffic among the one or more eSIM managers;
  
  a system directory service configured to distribute address information for at one or more eSIM managers; and
  
  a pending eSIM storage configured to store eSIMs for delivery to the one or more device eUICCs.

7. A method for transmitting cryptographic materials to a destination device from a source device according to a first standard trusted relationship, the method comprising:
- encrypting one or more cryptographic materials based on at least a unique device key and an endorsement certificate, the unique device key being unique to the destination device, and the endorsement certificate uniquely identifying the source device as a trusted device; and
  
  responsive to receiving the encrypted one or more cryptographic materials, the destination device verifying the endorsement certificate of the source device and decrypting the one or more cryptographic materials;
  
  wherein the first standard trusted relationship between the source device and the destination device ensures that the one or more cryptographic materials cannot be modified by unfrosted entities.

8. A method for preventing cloning of one or more cryptographic materials transmitted to a destination device from a source device according to a standard trusted relationship, comprising:
- encrypting one or more cryptographic materials based on a unique device key and an endorsement certificate, the unique device key being unique to the destination device, and the endorsement certificate uniquely identifying the source device; and
  
  responsive to transmitting the encrypted one or more cryptographic materials;
  
  deleting the one or more cryptographic materials from the source device;
  
  wherein the standard trusted relationship between the source device and the destination device ensures that the one or more cryptographic materials are not duplicated.

9. A method for ensuring secure delivery of one or more cryptographic materials to a subscriber according to a standard trusted relationship, comprising:
- encrypting one or more cryptographic materials based on a unique device key and an endorsement certificate, the unique device key being unique to the destination device and the destination device being associated with the subscriber; and
  
  causing delivery of the encrypted one or more cryptographic materials to a user device of the subscriber, the user device configured to decrypt at least a portion of the encrypted one or more cryptographic materials;
  
  wherein said delivery can be accomplished from any of a plurality of network entities which maintain identical versions of the encrypted one or more cryptographic materials.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, further comprising receiving a registration communication from the user device after said decryption thereby.
  - 11. The method of claim 10, further comprising the registration communication to cause update of a network entity such that if a subsequent registration communication associated with one of said versions of said encrypted one or more cryptographic materials is attempted, further utilization of the cryptographic materials will be precluded for any device other than the user device.
  - 12. The method of claim 10, wherein the user device comprises a wireless mobile device, and the registration communication is communicated via a wireless interface of the mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
McLaughlin, Kevin, Mathias, Arun, Haggerty, David T., Von Hauck, Jerrold

Granted Patent

US 8,887,257 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04B 1/3816   Mechanical arrangements for...

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/12   Detection or prevention of ...

H04W 12/35   Protecting application or s...

H04W 4/029   Location-based management o...

H04W 4/60   Subscription-based services...

H04W 88/06   adapted for operation in mu...

ELECTRONIC ACCESS CLIENT DISTRIBUTION APPARATUS AND METHODS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

162 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

ELECTRONIC ACCESS CLIENT DISTRIBUTION APPARATUS AND METHODS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

162 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links