SYSTEM AND METHODS FOR UICC-BASED SECURE COMMUNICATION

US 20150222631A1
Filed: 04/16/2015
Published: 08/06/2015
Est. Priority Date: 09/11/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, over a network by a system including a processor, a first request for service from a first end user device;

providing, by the system over the network to the first end user device, an authentication management function and an encryption key generator for execution by a secure element of the first end user device and an encryption engine for execution by a secure device processor of the first end user device, to cause the secure element and the secure device processor to authenticate each other using a mutual authentication keyset, wherein the secure element and the secure device processor are separate from each other;

receiving, by the system over the network from the first end user device, a second request for a secure signaling session, wherein the second request is initiated by the secure device processor of the first end user device;

providing, by the system over the network to the first end user device, a first authentication signal, wherein a secure application server associated with the system is authenticated by the authentication management function using a signaling authentication keyset;

communicating by the system with the first end user device via a first encrypted channel using a first signaling encryption keyset, wherein encryption and decryption of communications over the first encrypted channel is performed by the encryption engine and the first signaling encryption keyset is generated by the encryption key generator;

receiving, by the system over the network from the first end user device, a third request to establish a communication session with a second end user device; and

communicating by the system with the second end user device via a second encrypted channel using a second signaling encryption keyset,wherein the communicating by the system with the first and second end user devices enables establishing the communication session between the first and second end user devices, andwherein the mutual authentication keyset, the signaling authentication keyset, and the first and second signaling encryption keysets are distinct keysets.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system that incorporates the subject disclosure may include, for example, instructions which when executed cause a device processor to perform operations comprising sending a service request to a remote management server; receiving from the management server an authentication management function and an encryption key generator for execution by a secure element and an encryption engine for execution by a secure device processor, sending a request to establish a communication session with a remote device; and communicating with the remote device via a channel established using an application server. The secure element and the secure device processor authenticate each other using a mutual authentication keyset. The secure element, the secure device processor and the device processor each have a security level associated therewith; the security level associated with the secure device processor is intermediate between that of the secure element and that of the device processor. Other embodiments are disclosed.

7 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, over a network by a system including a processor, a first request for service from a first end user device;
  
  providing, by the system over the network to the first end user device, an authentication management function and an encryption key generator for execution by a secure element of the first end user device and an encryption engine for execution by a secure device processor of the first end user device, to cause the secure element and the secure device processor to authenticate each other using a mutual authentication keyset, wherein the secure element and the secure device processor are separate from each other;
  
  receiving, by the system over the network from the first end user device, a second request for a secure signaling session, wherein the second request is initiated by the secure device processor of the first end user device;
  
  providing, by the system over the network to the first end user device, a first authentication signal, wherein a secure application server associated with the system is authenticated by the authentication management function using a signaling authentication keyset;
  
  communicating by the system with the first end user device via a first encrypted channel using a first signaling encryption keyset, wherein encryption and decryption of communications over the first encrypted channel is performed by the encryption engine and the first signaling encryption keyset is generated by the encryption key generator;
  
  receiving, by the system over the network from the first end user device, a third request to establish a communication session with a second end user device; and
  
  communicating by the system with the second end user device via a second encrypted channel using a second signaling encryption keyset,wherein the communicating by the system with the first and second end user devices enables establishing the communication session between the first and second end user devices, andwherein the mutual authentication keyset, the signaling authentication keyset, and the first and second signaling encryption keysets are distinct keysets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the first end user device receives a second authentication signal from the second end user device, wherein the second end user device is authenticated by the authentication management function using a bearer path authentication keyset, and wherein the bearer path authentication keyset is a distinct keyset from the mutual authentication keyset, the signaling authentication keyset, and the first and second signaling encryption keysets.
  - 3. The method of claim 1, wherein a user of the first end user device is authenticated using a user interface keyset, wherein user credentials are verified by the authentication management function.
  - 4. The method of claim 1, wherein the secure element is a universal integrated circuit card, wherein the secure element and the secure device processor form a secure service platform separate from a device processor of the first end user device, wherein the mutual authentication keyset is provided to the secure service platform by a management server of the system, and wherein the management server transmits information to the secure service platform using a remote management keyset.
  - 5. The method of claim 1, wherein the communication session between the first and second end user devices comprises an encrypted communication session with bi-directional encryption.
  - 6. The method of claim 1, wherein the receiving of the first request and the providing of the authentication management function, the encryption key generator, and the encryption engine is from a management server of the system.
  - 7. The method of claim 6, wherein the management server is authenticated by the authentication management function using a remote management keyset, to provide mutual authentication of the secure element and the management server and to provide mutual authentication of the secure device processor and the management server.
  - 8. The method of claim 1, wherein the receiving of the second request, the providing of the first authentication signal, the communicating via the first encrypted channel, and the communicating via the second encrypted channel is by the secure application server.
  - 9. The method of claim 1, wherein the secure element, the secure device processor and a device processor of the first end user device each have a security level associated therewith, and wherein the security level associated with the secure device processor is intermediate between that of the secure element and that of the device processor.

10. An end user device comprising:
- a secure element;
  
  a secure device processor separate from the secure element;
  
  a memory that store executable instructions; and
  
  a device processor separate from the secure device processor and coupled to the memory, the secure element and the secure device processor, wherein the device processor, responsive to executing the instructions, performs operations comprising;
  
  sending a first request for service over a network to a management server;
  
  receiving, from the management server, an authentication management function and an encryption key generator for execution by the secure element and an encryption engine for execution by the secure device processor, to cause the secure element and the secure device processor to authenticate each other using a mutual authentication keyset;
  
  authenticating a user of the device using a user interface keyset, wherein user credentials are verified by the authentication management function;
  
  sending a second request for a secure signaling session to a secure application server remote from the device, wherein the second request is initiated by the secure device processor;
  
  receiving from the secure application server a first authentication signal, wherein the secure application server is authenticated by the authentication management function using a signaling authentication keyset;
  
  communicating with the secure application server via a first encrypted channel using a first signaling encryption keyset, wherein encryption and decryption of communications over the first encrypted channel is performed by the encryption engine and the first signaling encryption keyset is generated by the encryption key generator; and
  
  sending a third request to the secure application server to establish an encrypted communication session with a second device, wherein the encrypted communication session provides bi-directional encryption,wherein the mutual authentication keyset, the user interface keyset, the signaling authentication keyset, and the first signaling encryption keyset are distinct keysets.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The end user device of claim 10, wherein the operations further comprise:
    - receiving, from the second device, a second authentication signal, wherein the second device is authenticated by the authentication management function using a bearer path authentication keyset,wherein the bearer path authentication keyset is a distinct keyset from the mutual authentication keyset, the user interface keyset, the signaling authentication keyset, and the first signaling encryption keyset.
  - 12. The end user device of claim 10, wherein the operations further comprise:
    - sending a notification message indicating that the encrypted communication session with bi-directional encryption has been established.
  - 13. The end user device of claim 10, wherein the secure element is a universal integrated circuit card, wherein the secure element and the secure device processor form a secure service platform separate from the device processor, wherein the mutual authentication keyset is provided to the secure service platform by the management server, and wherein the management server transmits information to the secure service platform using a remote management keyset.
  - 14. The end user device of claim 13, wherein the secure element and the management server authenticate each other using the remote management keyset, and wherein the authentication management function performs authentication of the management server by the secure element.
  - 15. The end user device of claim 13, wherein the secure device processor and the management server authenticate each other using the remote management keyset, and wherein the authentication management function performs authentication of the management server by the secure device processor.
  - 16. The end user device of claim 10, wherein the authentication management function comprises a network authentication service for mutual authentication between the device and equipment of the network.
  - 17. The end user device of claim 16, wherein the network is a cellular communications network, and wherein the second device and the secure application server are coupled to the network.
  - 18. The end user device of claim 10, wherein the secure application server communicates with the second device via a second encrypted channel using a second signaling encryption keyset, wherein the second encrypted channel is separate from the first encrypted channel and wherein the second signaling encryption keyset is distinct from the first signaling encryption keyset.

19. A computer-readable storage device comprising instructions, which when executed by a device processor of an end user device cause the device processor to perform operations comprising:
- receiving, over a network from a management server, an authentication management function and an encryption key generator for execution by a secure element and an encryption engine for execution by a secure device processor, to cause the secure element and the secure device processor to authenticate each other using a mutual authentication keyset, wherein the secure element and the secure device processor are separate from each other and coupled to the device processor;
  
  sending, over the network, a second request to establish a communication session with a second end user device;
  
  sending, over the network to a secure application server, a second request to establish the communication session with the second end user device; and
  
  receiving, over the network from the second end user device, a second authentication signal to enable establishing of the communication session as an encrypted communication session with bi-directional encryption.
- View Dependent Claims (20)
- - 20. The computer-readable storage device of claim 19, wherein the secure element is a universal integrated circuit card, wherein the secure element and the secure device processor form a secure service platform separate from the device processor, wherein the mutual authentication keyset is provided to the secure service platform by the management server, and wherein the management server transmits information to the secure service platform using a remote management keyset.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Chastain, Walter Cooper, Chin, Stephen Emille

Granted Patent

US 9,461,993 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/445   by mutual authentication, e...

G06F 21/72   in cryptographic circuits

G06F 21/77   in smart cards

G06F 2221/2107   File encryption

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/0428   wherein the data content is...

H04L 63/0853   using an additional device,...

H04L 63/0869   for achieving mutual authen...

H04L 9/0861   Generation of secret inform...

H04L 9/0877   using additional device, e....

H04L 9/3234   involving additional secure...

H04L 9/3273   for mutual authentication n...

H04W 12/04   Key management, e.g. using ...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

H04W 4/70   Services for machine-to-mac...

SYSTEM AND METHODS FOR UICC-BASED SECURE COMMUNICATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

7 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHODS FOR UICC-BASED SECURE COMMUNICATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others