Network Supporting Two-Factor Authentication for Modules with Embedded Universal Integrated Circuit Cards

US 20150180847A1
Filed: 12/23/2013
Published: 06/25/2015
Est. Priority Date: 11/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method for authentication, the method performed by a network, the method comprising:

processing a first network module identity, a first key K, and a second key k;

encrypting the second key K with a symmetric key;

sending the first network module identity, the first key K, and the encrypted second key K to a subscription manager;

receiving the first network module identity from a module;

conducting a first authentication using the first network module identity and the first key K;

conducting a second authentication of a user associated with the first network module identity;

sending, after the second authentication, the symmetric key to the module; and

,conducting a third authentication using the second key K.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network with a set of servers can support authentication from a module, where the module includes an embedded universal integrated circuit card (eUICC). The network can send a first network module identity, a first key K, and an encrypted second key K for an eUICC profile to an eUICC subscription manager. The second key K can be encrypted with a symmetric key. The module can receive and activate the eUICC profile, and the network can authenticate the module using the first network module identity and the first key K. The network can (i) authenticate the user of the module using a second factor, and then (ii) send the symmetric key to the module. The module can decrypt the encrypted second key K using the symmetric key. The network can authenticate the module using the second key K. The module can comprise a mobile phone.

80 Citations

View as Search Results

26 Claims

1. A method for authentication, the method performed by a network, the method comprising:
- processing a first network module identity, a first key K, and a second key k;
  
  encrypting the second key K with a symmetric key;
  
  sending the first network module identity, the first key K, and the encrypted second key K to a subscription manager;
  
  receiving the first network module identity from a module;
  
  conducting a first authentication using the first network module identity and the first key K;
  
  conducting a second authentication of a user associated with the first network module identity;
  
  sending, after the second authentication, the symmetric key to the module; and
  
  ,conducting a third authentication using the second key K.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the subscription manager comprises an embedded universal integrated circuit card (eUICC) subscription manager, wherein the eUICC subscription manager includes at least the first network module identity, the first key K, and the encrypted second key K in an eUICC profile, and wherein the eUICC subscription manager encrypts at least a portion of the eUICC profile with a profile key.
  - 3. The method of claim 2, wherein the module receives the encrypted eUICC profile from the eUICC subscription manager, wherein the module decrypts the encrypted eUICC profile, wherein the eUICC profile includes a set of network parameters, wherein the module uses the network parameters to connect with the network, wherein the module receives a pseudo-random number (RAND) for the first authentication, and wherein the module processes a response using the RAND and the first key K from the eUICC profile.
  - 4. The method of claim 3, wherein a mobile network operator sends the first portion and the second portion to an eUICC subscription manager before the module sends the identity, and wherein the mobile network operator ciphers the second ciphertext with the symmetric key.
  - 5. The method of claim 1, wherein a home subscriber server processes the first network module identity, the first key K, and a second key k, and wherein a mobility management entity conducts the first authentication and the third authentication.
  - 6. The method of claim 1, further comprising enabling limited access to an IP network for the module after the first authentication, wherein a user accesses a user interface on the module and the IP network to conduct the second authentication.
  - 7. The method of claim 1, wherein the user comprises an M2M service provider, wherein the network receives a series of identities from the M2M service provider, and wherein the network uses the received first network module identity and the series in order to conduct the second authentication.
  - 8. The method of claim 1, further comprising sending a signal to the subscription manager after the first authentication, wherein the subscription manager deprecates a profile comprising the first network module identity, the first key K, and the second key k after receiving the signal.
  - 9. The method of claim 1, wherein after the second authentication, the module inputs the symmetric key and the encrypted second key into a symmetric ciphering algorithm in order to read the second key K, and wherein, for the third authentication, the module (i) sends a second network identity associated with the second key K, (ii) receives a pseudo-random number (RAND), and (iii) processes a response using the RAND and the second key K.
  - 10. The method of claim 1, further comprising encrypting the symmetric key with an asymmetric ciphering algorithm and a public key associated with the module, wherein the network sends the encrypted symmetric key to the module after the second authentication.

11. A method for authentication, the method performed by a network, the method comprising:
- sending a first network module identity and first key K to a subscription manager;
  
  receiving the first network module identity from a module;
  
  conducting a first authentication using the first network module identity and the first key K;
  
  sending the first network module identity to the subscription manager and receiving an a public key for the module;
  
  conducting a second authentication of a user associated with the first network module identity;
  
  deriving a second key K using a key exchange algorithm with input of at least the public key, a private key associated with the network, and a key exchange token;
  
  sending, after the second authentication, the key exchange token to the module; and
  
  ,conducting a third authentication using the second key K;
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein the subscription manager comprises an embedded universal integrated circuit card (eUICC) subscription manager, wherein the eUICC subscription manager includes at least the first network module identity and the first key K in an eUICC profile, and wherein the eUICC subscription manager encrypts the eUICC profile with a profile key.
  - 13. The method of claim 11, wherein the module receives the encrypted eUICC profile from the eUICC subscription manager, wherein the module decrypts the encrypted eUICC profile, wherein the eUICC profile includes a set of network parameters, wherein the module uses the network parameters to connect with the network, wherein the module receives a pseudo-random number (RAND) for the first authentication, and wherein the module processes a response (RES) using the RAND and the first key K from the eUICC profile.
  - 14. The method of claim 11, wherein a home subscriber server processes (i) the first network module identity and the first key K, and (ii) a first authentication vector using the first key K, wherein the home subscriber server sends a first authentication vector to a mobility management entity for conducting the first authentication, wherein the mobility management entity receives a second authentication vector after the network derives the second key K, and wherein the second authentication vector is processed using the derived second key K.
  - 15. The method of claim 11, further comprising enabling limited access to an IP network for the module after the first authentication, wherein a user accesses a user interface on the module and the IP network to conduct the second authentication.
  - 16. The method of claim 11, wherein the user comprises an M2M service provider, wherein the network receives a series of identities from the M2M service provider, and wherein the network uses the received first network module identity and the series in order to conduct the second authentication.
  - 17. The method of claim 11, further comprising sending a signal to the subscription manager after the first authentication, wherein the subscription manager deprecates a profile comprising the first network module identity and the first key K.
  - 18. The method of claim 11, wherein, for the third authentication, the network (i) receives a second network identity associated with the second key K, (ii) sends a pseudo-random number (RAND), and (iii) compares a received response (RES) with a recorded RES from an authentication vector for the second network identity, wherein the recorded RES is processed by the network using the RAND and the second key K.

19. A system for a network to support authentication, the system comprising:
- a first server for processing a first network module identity, a first key K, and a second key K, wherein the network encrypts the second key K with a symmetric key, and for sending the first network module identity, the first key K, and the encrypted second key K to a subscription manager;
  
  a second server for receiving the first network module identity from a module via a wireless network, and for conducting a first authentication using the first network module identity and the first key K, and, after a second authentication, for conducting a third authentication with the module using the second key K;
  
  a third server for conducting the second authentication of a user associated with the first network module identity, and for enabling the network to send, after the second authentication, the symmetric key to the module;
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The system of claim 19, wherein the subscription manager comprises an embedded universal integrated circuit card (eUICC) subscription manager, wherein the eUICC subscription manager includes at least the first network module identity, the first key K, and the encrypted second key K in an eUICC profile, and wherein the eUICC subscription manager encrypts at least a portion of the eUICC profile with a profile key.
  - 21. The system of claim 20, wherein the module receives the encrypted eUICC profile from the eUICC subscription manager, wherein the module decrypts the encrypted eUICC profile, wherein the eUICC profile includes a set of network parameters, wherein the module uses the network parameters to connect with the network, wherein the module receives a pseudo-random number (RAND) for the first authentication, and wherein the module processes a response using the RAND and the first key K from the eUICC profile.
  - 22. The system of claim 19, wherein the first server comprises a home subscriber server (HSS), and wherein the second server comprises a mobility management entity (MME), and wherein each of the first server, the second server, and the third servers comprise a plurality of computers distributed throughout the network.
  - 23. The system of claim 19, wherein the second server enables limited access to an IP network for the module after the first authentication, wherein a user accesses a user interface of the module and the IP network in order to conduct the second authentication with the third server.
  - 24. The system of claim 19, wherein the user comprises an M2M service provider, wherein the network receives a series of identities from the M2M service provider, and wherein the network uses the received first network module identity and the series in order to conduct the second authentication.
  - 25. The system of claim 19, wherein after the second authentication, the network sends the symmetric key to the module, wherein the module inputs the symmetric key and the encrypted second key into a symmetric ciphering algorithm in order to read the second key K, and wherein, for the third authentication, the network (i) receives a second network identity associated with the second key K, (ii) sends a pseudo-random number (RAND), and (iii) compares a received response (RES) with a recorded RES from an authentication vector for the second network identity, wherein the recorded RES is processed by the network using the RAND and the second key K.
  - 26. System of claim 19, wherein the network encrypts the symmetric key with an asymmetric ciphering algorithm and a public key associated with the module, wherein the network uses an identity from the first authentication to receive the public key, and wherein the network sends the encrypted symmetric key to the module after the second authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
John A. Nix
Original Assignee
M2M and IoT Technologies LLC
Inventors
Nix, John A.

Granted Patent

US 9,351,162 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04B 1/3816   Mechanical arrangements for...

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 67/12   specially adapted for propr...

H04L 9/0819   Key transport or distributi...

H04L 9/0869   involving random numbers or...

H04L 9/3271   using challenge-response

H04W 12/03   Protecting confidentiality,...

H04W 12/06   Authentication

H04W 12/35   Protecting application or s...

H04W 12/40   Security arrangements using...

H04W 4/70   Services for machine-to-mac...

H04W 8/18   Processing of user or subsc...

Network Supporting Two-Factor Authentication for Modules with Embedded Universal Integrated Circuit Cards

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

80 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Network Supporting Two-Factor Authentication for Modules with Embedded Universal Integrated Circuit Cards

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

80 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links