METHODS AND APPARATUS FOR STORAGE AND EXECUTION OF ACCESS CONTROL CLIENTS

US 20150074780A1
Filed: 11/17/2014
Published: 03/12/2015
Est. Priority Date: 10/28/2010
Status: Active Grant

First Claim

Patent Images

1. A method for securely managing access control clients on a mobile device, the method comprising:

by a bootstrap operating system (OS) executing on an electronic Universal Integrated Circuit Card (eUICC) included in the mobile device;

receiving a request to activate an access control client;

identifying a secure partition that includes (i) the access control client and (ii) an OS that is associated with the access control client;

authenticating the access control client; and

subsequent to authenticating the access control client;

causing the OS to execute within a limited scope that corresponds to the secure partition, wherein the OS, when executed, activates the access control client.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein is a technique for securely provisioning access control entities (e.g., electronic Subscriber Identity Module (eSIM) components) to a user equipment (UE) device. In one embodiment, a UE device is assigned a unique key and an endorsement certificate that can be used to provide updates or new eSIMs to the UE device. The UE device can trust eSIM material delivered by an unknown third-party eSIM vendor, based on a secure certificate transmission with the unique key. In another aspect, an operating system (OS) is partitioned into various sandboxes. During operation, the UE device can activate and execute the OS in the sandbox corresponding to a current wireless network. Personalization packages received while connected to the network only apply to that sandbox. Similarly, when loading an eSIM, the OS need only load the list of software necessary for the current run-time environment. Unused software can be subsequently activated.

6 Citations

View as Search Results

20 Claims

1. A method for securely managing access control clients on a mobile device, the method comprising:
- by a bootstrap operating system (OS) executing on an electronic Universal Integrated Circuit Card (eUICC) included in the mobile device;
  
  receiving a request to activate an access control client;
  
  identifying a secure partition that includes (i) the access control client and (ii) an OS that is associated with the access control client;
  
  authenticating the access control client; and
  
  subsequent to authenticating the access control client;
  
  causing the OS to execute within a limited scope that corresponds to the secure partition, wherein the OS, when executed, activates the access control client.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the access control client comprises an electronic Subscriber Identity Module (eSIM), and the eSIM is a virtualization of a physical SIM.
  - 3. The method of claim 1, wherein authenticating the access control client comprises validating a first certificate associated with the access control client against a second certificate associated with the eUICC.
  - 4. The method of claim 1, wherein the bootstrap OS receives the request to activate the access control client after a reset of the eUICC.
  - 5. The method of claim 1, wherein the access control client corresponds to a default Mobile Network Operator (MNO) associated with the mobile device.
  - 6. The method of claim 1, wherein the secure partition stores a plurality of access control clients that includes the access control client.
  - 7. The method of claim 1, wherein activating the access control client enables the mobile device to register with a Mobile Network Operator (MNO) that corresponds to the access control client.

8. A non-transitory computer readable storage medium configured to store instructions that, when executed by a processor of an electronic Universal Integrated Circuit Card (eUICC) included in a mobile device, cause the mobile device to securely manage access control clients, by carrying out steps that include:
- identifying an initialization of the eUICC;
  
  in response to the initialization, parsing a plurality of access control clients managed by the eUICC to identify an access control client for activation;
  
  identifying a secure partition that stores the access control client;
  
  authenticating the access control client; and
  
  subsequent to authenticating the access control client;
  
  causing an OS associated with the access control client to execute within a limited scope that corresponds to the secure partition, wherein the OS, when executed, activates the access control client.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer readable storage medium of claim 8, wherein the access control client comprises an electronic Subscriber Identity Module (eSIM), and the eSIM is a virtualization of a physical SIM.
  - 10. The non-transitory computer readable storage medium of claim 8, wherein authenticating the access control client comprises validating a first certificate associated with the access control client against a second certificate associated with the eUICC.
  - 11. The non-transitory computer readable storage medium of claim 8, wherein the mobile device receives identifies the initialization of the eUICC after a reset of the eUICC.
  - 12. The non-transitory computer readable storage medium of claim 8, wherein the access control client corresponds to a default Mobile Network Operator (MNO) associated with the mobile device.
  - 13. The non-transitory computer readable storage medium of claim 8, wherein the secure partition stores a plurality of access control clients that includes the access control client.
  - 14. The non-transitory computer readable storage medium of claim 8, wherein activating the access control client enables the mobile device to register with a Mobile Network Operator (MNO) that corresponds to the access control client.

15. A mobile device configured to securely manage a plurality of access control clients, the mobile device comprising:
- at least one wireless interface;
  
  an electronic Universal Integrated Circuit Card (eUICC), wherein the eUICC includes a processor and a memory having a plurality of secure partitions, and the processor is configured to carry out steps that include;
  
  receiving a request to activate an access control client included in the plurality of access control clients;
  
  identifying, among the plurality of secure partitions, a secure partition that includes the access control client, wherein the access control client is associated with an OS that is configured to manage the access control client;
  
  authenticating at least one of the access control client and the OS; and
  
  subsequent to authenticating;
  
  causing the OS to execute within a limited scope that corresponds to the secure partition, wherein the OS, when executed, causes the access control client to be activated.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The mobile device of claim 15, wherein the access control client comprises an electronic Subscriber Identity Module (eSIM), and the eSIM is a virtualization of a physical SIM.
  - 17. The mobile device of claim 15, wherein authenticating the access control client comprises validating a first certificate associated with the access control client against a second certificate associated with the eUICC.
  - 18. The mobile device of claim 15, wherein the processor receives the request to activate the access control client after a reset of the eUICC.
  - 19. The mobile device of claim 15, wherein the access control client corresponds to a default Mobile Network Operator (MNO) associated with the mobile device.
  - 20. The mobile device of claim 15, wherein activating the access control client enables the mobile device to, using the at least one wireless interface, register with a Mobile Network Operator (MNO) that corresponds to the access control client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
SCHELL, Stephan V., HAUCK, Jerrold Von

Granted Patent

US 9,532,219 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04W 12/06   Authentication

H04W 12/086   using security domains

H04W 12/35   Protecting application or s...

H04W 4/50   Service provisioning or rec...

H04W 4/60   Subscription-based services...

H04W 8/18   Processing of user or subsc...

H04W 8/205   Transfer to or from user eq...

H04W 8/265   for initial activation of n...

METHODS AND APPARATUS FOR STORAGE AND EXECUTION OF ACCESS CONTROL CLIENTS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND APPARATUS FOR STORAGE AND EXECUTION OF ACCESS CONTROL CLIENTS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links