Embedded Universal Integrated Circuit Card Supporting Two-Factor Authentication

US 20150163056A1
Filed: 12/06/2013
Published: 06/11/2015
Est. Priority Date: 11/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method for authentication, the method performed by a module, the method comprising:

recording a first key and an identity, and sending the identity;

receiving a profile, wherein the module uses the first key to decrypt a first portion of the profile, and wherein the first portion includes a first key K and a network module identity;

sending the network module identity, receiving a first pseudo-random number (RAND), processing a first response value (RES) using the first key K, and sending the first RES;

receiving a second key, wherein the module uses the second key to decrypt a second portion of the profile, and wherein the second portion includes a second key K; and

,receiving a second RAND, processing a second RES using the second key K, and sending the second RES.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A module with an embedded universal integrated circuit card (eUICC) can include a profile for the eUICC. The profile can include a first and second shared secret key K for authenticating with a wireless network. The first shared secret key K can be encrypted with a first key, and the second shared secret key K can be encrypted with a second key. The module can (i) receive the first key, (ii) decrypt the first shared secret key K with the first key, and (iii) subsequently authenticate with the wireless network using the plaintext first shared secret key K. The wireless network can authenticate the user of the module using a second factor. The module can then (i) receive the second key, (ii) decrypt the second shared secret key K, and (iii) authenticate with the wireless network using the second shared secret key K. The module can comprise a mobile phone.

Citations

26 Claims

1. A method for authentication, the method performed by a module, the method comprising:
- recording a first key and an identity, and sending the identity;
  
  receiving a profile, wherein the module uses the first key to decrypt a first portion of the profile, and wherein the first portion includes a first key K and a network module identity;
  
  sending the network module identity, receiving a first pseudo-random number (RAND), processing a first response value (RES) using the first key K, and sending the first RES;
  
  receiving a second key, wherein the module uses the second key to decrypt a second portion of the profile, and wherein the second portion includes a second key K; and
  
  ,receiving a second RAND, processing a second RES using the second key K, and sending the second RES.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the module accesses an IP network after sending the first RES, and wherein a user accesses a user interface of the module to authenticate with a mobile network operator before the module receives the second key.
  - 3. The method of claim 1, wherein the first key comprises an eUICC profile key, wherein the second key comprises a symmetric key, wherein the first portion comprises a first ciphertext, wherein the second portion comprises a second ciphertext, wherein the module receives the eUICC profile key as the first key after sending the identity, and wherein the module records the first key after sending the identity.
  - 4. The method of claim 3, wherein a mobile network operator sends the first portion and the second portion to an eUICC subscription manager before the module sends the identity, and wherein the mobile network operator ciphers the second ciphertext with the symmetric key.
  - 5. The method of claim 1, wherein the first key comprises an eUICC private key, and further comprising the module:
    - receiving an encrypted eUICC profile key after sending the identity;
      
      decrypting the encrypted eUICC profile key using the eUICC private key and an asymmetric ciphering algorithm; and
      
      ,decrypting the first portion using the decrypted eUICC profile key and a symmetric ciphering algorithm.
  - 6. The method of claim 1, wherein the identity comprises an eUICC identity, wherein the module sends the identity to an eUICC subscription manager, wherein the module receives the profile from the eUICC subscription manager, and wherein the eUICC subscription manager receives the first portion and the second portion from a mobile network operator before the module sends the identity.
  - 7. The method of claim 1, wherein the second key comprises an encrypted symmetric key, and wherein the module (i) receives the encrypted symmetric key as the second key, (ii) decrypts the encrypted symmetric key using an eUICC private key and an asymmetric ciphering algorithm, and (iii) decrypts the second portion using the decrypted symmetric key.
  - 8. The method of claim 1, wherein the module includes an embedded universal integrated circuit card (eUICC), and wherein the module records the second key K in a protected nonvolatile memory after receiving the second key K.
  - 9. The method of claim 1, wherein the first key K comprises a null value, wherein the module accesses an IP network after sending the first RES, and wherein the module uses a transport layer security for a user to authenticate with a mobile network operator before the module receives the second key.

10. A method for authentication, the method performed by a module, the method comprising:
- recording a first key and an identity, and sending the identity;
  
  receiving a profile, wherein the module uses the first key to decrypt at least a portion of the profile, wherein the portion includes a first key K and a network module identity;
  
  sending the network module identity, receiving a first pseudo-random number (RAND), processing a first response value (RES) using the first key K, and sending the first RES;
  
  receiving a key exchange token, wherein the module uses a key exchange algorithm, a private key, and the received key exchange token to derive a second key K;
  
  sending the network module identity, receiving a second RAND, processing a second RES using the second key K, and sending the second RES.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein the network module identity comprises a first network module identity and a second network module identity, wherein the module sends the first network module identity before receiving the first RAND, and wherein the module sends the second network module identity before receiving the second RAND.
  - 12. The method of claim 10, wherein the module accesses an IP network after sending the first RES, and wherein a user accesses a user interface of the module to authenticate with a mobile network operator before the module receives the key exchange token.
  - 13. The method of claim 10, further comprising the module using (i) a mobile network operator public key, (ii) the private key, and (iii) the key exchange token with the key exchange algorithm to derive the second key K, wherein the private key comprises an eUICC private key.
  - 14. The method of claim 13, wherein the key exchange algorithm includes a key derivation algorithm, wherein the key derivation algorithm outputs the second key K, and wherein the key derivation algorithm comprises one of (i) an elliptic curve Diffie-Hellman (ECDH) key exchange, wherein the key exchange token comprises a base point G, and (ii) a Diffie-Hellman key exchange.
  - 15. The method of claim 10, wherein the first key comprises an eUICC private key, and further comprising the module:
    - receiving an encrypted eUICC profile key after sending the identity;
      
      decrypting the encrypted eUICC profile key using the eUICC private key and an asymmetric ciphering algorithm; and
      
      ,decrypting the portion using the decrypted eUICC profile key and a symmetric ciphering algorithm.
  - 16. The method of claim 10, wherein the identity comprises an eUICC identity, wherein the module sends the identity to an eUICC subscription manager, wherein the module receives the profile from the eUICC subscription manager, and wherein the eUICC subscription manager receives the portion from a mobile network operator before the module sends the identity.
  - 17. The method of claim 10, wherein the module includes an embedded universal integrated circuit card (eUICC), and wherein the module records the second key K in a protected nonvolatile memory after deriving the second key K.
  - 18. The method of claim 10, wherein the first key K comprises a null value, wherein the module accesses an IP network after sending the first RES, and wherein the module uses a transport layer security for a user to authenticate with a mobile network operator before the module receives the key exchange token.

19. A system for supporting authentication, the system comprising:
- a nonvolatile memory for recording an identity, a private key, and an address;
  
  a network interface for sending the identity to the address, for receiving a profile and a profile key after sending the identity, wherein the profile key is decrypted with an asymmetric ciphering algorithm and the private key, wherein a first portion of the profile is decrypted with the decrypted profile key, and wherein the decrypted first portion includes a first key K;
  
  a random access memory for recording the first key K;
  
  a network application for authenticating with a wireless network using the first key K, and for receiving a symmetric key;
  
  a processor for decrypting a second portion of the profile with the symmetric key, wherein the decrypted second portion includes a second key K; and
  
  ,an embedded universal integrated circuit card for receiving a pseudo-random number (RAND), for calculating a response value (RES) using the RAND and the second key K, and for sending the RES.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The system of claim 19, wherein a user authenticates with a mobile network operator (i) after the network application authenticates using the first key K, and (ii) before the network application receives the symmetric key.
  - 21. The system of claim 19, wherein the received symmetric key comprises an encrypted symmetric key, and wherein the processor decrypts the encrypted symmetric key using a key deciphering algorithm and the private key before decrypting the second portion.
  - 22. The system of claim 19, wherein the first portion of the profile is decrypted with the decrypted profile key and a symmetric ciphering algorithm, wherein the decrypted first portion of the profile includes a plaintext network module identity, and wherein the network application authenticates with the wireless network using the plaintext network module identity.
  - 23. The system of claim 19, wherein a mobile network operator encrypts the first portion with the asymmetric ciphering algorithm and a public key associated with the private key, wherein the mobile network operator sends the first portion to an eUICC subscription manager, and wherein the eUICC subscription manager includes the first portion in the profile.
  - 24. The system of claim 19, wherein the private key is associated with a public key, wherein a first server uses a key ciphering algorithm and the public key to encrypt the profile key, wherein a second server uses a key ciphering algorithm and the public key to encrypt the symmetric key, and wherein the network application receives the encrypted symmetric key.
  - 25. The system of claim 24, wherein the first server is associated with an eUICC subscription manager, wherein the private key comprises an eUICC private key, wherein the public key comprises an eUICC public key, and wherein the second server is associated with a mobile network operator.
  - 26. System of claim 19, wherein a physical universal integrated circuit card (UICC) includes the eUICC, and wherein the network application communicates with the UICC using an UICC driver.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
John A. Nix
Original Assignee
M2M and IoT Technologies LLC
Inventors
Nix, John A.

Granted Patent

US 9,100,175 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04B 1/3816   Mechanical arrangements for...

H04L 2209/80   Wireless

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 67/12   specially adapted for propr...

H04L 9/0819   Key transport or distributi...

H04L 9/0869   involving random numbers or...

H04L 9/3271   using challenge-response

H04W 12/03   Protecting confidentiality,...

H04W 12/06   Authentication

H04W 12/35   Protecting application or s...

H04W 12/40   Security arrangements using...

H04W 4/70   Services for machine-to-mac...

H04W 8/18   Processing of user or subsc...

Embedded Universal Integrated Circuit Card Supporting Two-Factor Authentication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Embedded Universal Integrated Circuit Card Supporting Two-Factor Authentication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links