METHODS AND APPARATUS FOR STORAGE AND EXECUTION OF ACCESS CONTROL CLIENTS
First Claim
1. A method for securely managing access control clients on a mobile device, the method comprising:
   by a bootstrap operating system (OS) executing on an electronic Universal Integrated Circuit Card (eUICC) included in the mobile device:
   receiving a request to activate an access control client;
   identifying a secure partition that includes (i) the access control client and (ii) an OS that is associated with the access control client;
   authenticating the access control client; and
   subsequent to authenticating the access control client, causing the OS to execute within a limited scope that corresponds to the secure partition, wherein the OS, when executed, activates the access control client.
Abstract
Disclosed herein is a technique for securely provisioning access control entities (e.g., electronic Subscriber Identity Module (eSIM) components) to a user equipment (UE) device. In one embodiment, a UE device is assigned a unique key and an endorsement certificate that can be used to provide updates or new eSIMs to the UE device. The UE device can trust eSIM material delivered by an unknown third-party eSIM vendor, based on a secure certificate transmission with the unique key. In another aspect, an operating system (OS) is partitioned into various sandboxes. During operation, the UE device can activate and execute the OS in the sandbox corresponding to a current wireless network. Personalization packages received while connected to the network only apply to that sandbox. Similarly, when loading an eSIM, the OS need only load the list of software necessary for the current run-time environment. Unused software can be subsequently activated.
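As an added example (not from the patent or from any Apple implementation), the following Python model walks the claimed bootstrap-OS sequence: locate the secure partition, authenticate its access control client, then execute the partition's OS in a scope that refuses personalization aimed at another sandbox. The HMAC tag, the device key value and the partition and OS names are constructed stand-ins for the device's unique key and endorsement certificate.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed device-unique key; in the patent this trust is rooted in the
# device's unique key and endorsement certificate (modelled here as an HMAC key).
DEVICE_KEY = b"constructed-device-unique-key"


@dataclass
class SecurePartition:
    """One sandbox: an access control client (eSIM) plus the OS that manages it."""
    name: str
    esim: bytes                 # access control client blob (constructed)
    esim_tag: bytes             # integrity tag checked before activation
    os_image: str               # identifier of the OS associated with this eSIM
    state: dict = field(default_factory=dict)  # personalization for this sandbox only


def sign_esim(key: bytes, esim: bytes) -> bytes:
    """Tag an eSIM blob so the bootstrap OS can authenticate it later."""
    return hmac.new(key, esim, hashlib.sha256).digest()


class ScopedOS:
    """The partition's OS, executing within a limited scope: it may only touch its own partition."""
    def __init__(self, partition: SecurePartition):
        self.partition = partition
        self.partition.state["activated"] = True   # the OS activates the access control client

    def apply_personalization(self, target: str, package: dict) -> dict:
        if target != self.partition.name:          # a package for another network/sandbox is refused
            raise PermissionError(f"{target} is outside the scope of {self.partition.name}")
        self.partition.state.update(package)
        return dict(self.partition.state)


class BootstrapOS:
    """Bootstrap OS on the eUICC: locate the partition, authenticate, then run its OS in scope."""
    def __init__(self, key: bytes, partitions):
        self.key = key
        self.partitions = {p.name: p for p in partitions}

    def activate(self, name: str) -> ScopedOS:
        partition = self.partitions[name]                          # identify the secure partition
        expected = sign_esim(self.key, partition.esim)
        if not hmac.compare_digest(expected, partition.esim_tag):  # authenticate before executing
            raise PermissionError(f"access control client in {name} failed authentication")
        return ScopedOS(partition)
```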
6 Citations
20 Claims
1. (Independent claim; its text is given above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. A non-transitory computer readable storage medium configured to store instructions that, when executed by a processor of an electronic Universal Integrated Circuit Card (eUICC) included in a mobile device, cause the mobile device to securely manage access control clients, by carrying out steps that include:
   identifying an initialization of the eUICC;
   in response to the initialization, parsing a plurality of access control clients managed by the eUICC to identify an access control client for activation;
   identifying a secure partition that stores the access control client;
   authenticating the access control client; and
   subsequent to authenticating the access control client, causing an OS associated with the access control client to execute within a limited scope that corresponds to the secure partition, wherein the OS, when executed, activates the access control client.
   Dependent claims: 9, 10, 11, 12, 13, 14.
15. A mobile device configured to securely manage a plurality of access control clients, the mobile device comprising:
   at least one wireless interface;
   an electronic Universal Integrated Circuit Card (eUICC), wherein the eUICC includes a processor and a memory having a plurality of secure partitions, and the processor is configured to carry out steps that include:
   receiving a request to activate an access control client included in the plurality of access control clients;
   identifying, among the plurality of secure partitions, a secure partition that includes the access control client, wherein the access control client is associated with an OS that is configured to manage the access control client;
   authenticating at least one of the access control client and the OS; and
   subsequent to authenticating, causing the OS to execute within a limited scope that corresponds to the secure partition, wherein the OS, when executed, causes the access control client to be activated.
   Dependent claims: 16, 17, 18, 19, 20.
Specification