METHODS AND APPARATUS FOR ESTABLISHING A SECURE COMMUNICATION CHANNEL
Abstract
A method for establishing a secure communication channel between an off-card entity and an embedded Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, an off-card entity, and each eUICC in a set of eUICCs managed by the off-card entity, possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the eUICC and the off-card entity can authenticate one another in accordance with the respectively-possessed PKI information (e.g., verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward security is desired. Once the shared session-based symmetric key is established, the off-card entity and the eUICC can securely communicate information.
20 Claims
1. A method for establishing a secure connection between a server and an embedded Universal Integrated Circuit Card (eUICC) included in a mobile device that is associated with a long-term public key (PKeUICC) and a long-term private key (SKeUICC), the method comprising:
at the server, which is associated with a long-term public key (PKserver) and a long-term private key (SKserver);
receiving, from the mobile device, a request to establish the secure connection with the mobile device, wherein the request includes PKeUICC; and
upon authenticating the mobile device using PKeUICC;
generating an ephemeral public key (ePKserver) and an ephemeral private key (eSKserver);
signing ePKserver using SKserver to produce a signed ePKserver;
providing the signed ePKserver to the mobile device;
receiving, from the mobile device, an ephemeral key (ePKeUICC) that is signed using SKeUICC;
generating a shared symmetric key using eSKserver and ePKeUICC; and
establishing the secure connection using the shared symmetric key.
6. A method for establishing a secure connection between a server and an embedded Universal Integrated Circuit Card (eUICC) included in a mobile device that is associated with a long-term public key (PKeUICC) and a long-term private key (SKeUICC), the method comprising:
at the server, which is associated with a long-term public key (PKserver) and a long-term private key (SKserver);
receiving, from the mobile device, a request to establish the secure connection with the mobile device, wherein the request includes PKeUICC; and
upon authenticating the mobile device using PKeUICC;
generating an ephemeral public key (ePKserver) and an ephemeral private key (eSKserver);
signing ePKserver using SKserver to produce a signed ePKserver;
providing the signed ePKserver to the mobile device;
generating a shared symmetric key using eSKserver and PKeUICC; and
establishing the secure connection using the shared symmetric key.
11. A method for establishing a secure connection between an embedded Universal Integrated Circuit Card (eUICC) and a server that is associated with a long-term public key (PKserver) and a long-term private key (SKserver), the method comprising:
at the eUICC, which is associated with a long-term public key (PKeUICC) and a long-term private key (SKeUICC);
transmitting, to the server, a request to establish the secure connection with the server, wherein the request includes PKeUICC;
receiving, from the server, PKserver; and
upon authenticating the server using PKserver;
generating an ephemeral public key (ePKeUICC) and an ephemeral private key (eSKeUICC);
signing ePKeUICC using SKeUICC to produce a signed ePKeUICC;
providing the signed ePKeUICC to the server;
receiving, from the server, an ephemeral key (ePKserver) that is signed using SKserver;
generating a shared symmetric key using SKeUICC and ePKserver; and
establishing the secure connection using the shared symmetric key.
16. A method for establishing a secure connection between an embedded Universal Integrated Circuit Card (eUICC) and a server that is associated with a long-term public key (PKserver) and a long-term private key (SKserver), the method comprising:
at the eUICC, which is associated with a long-term public key (PKeUICC) and a long-term private key (SKeUICC);
transmitting, to the server, a request to establish the secure connection with the server, wherein the request includes PKeUICC;
receiving, from the server, PKserver; and
upon authenticating the server using PKserver;
providing PKeUICC to the server;
receiving, from the server, an ephemeral key (ePKserver) that is signed using SKserver;
generating a shared symmetric key using SKeUICC and ePKserver; and
establishing the secure connection using the shared symmetric key.
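Added example, not taken from the patent: a Go sketch that runs both sides of the two key-establishment shapes in claims 1 and 6, read here as the abstract's perfect and half forward security, and reports whether server and eUICC end up with the same session key. It assumes P-256 ECDH with ECDSA signatures, one long-term key pair per party used for both signing and key agreement, SHA-256 as a stand-in KDF, and hypothetical function names. In the both-ephemeral mode the eUICC side is assumed to combine its own ephemeral private key with ePKserver, which is what makes the two derivations agree.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newLongTerm() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// signedEphemeral returns eSK, the ePK bytes, and the long-term SK's signature over ePK.
func signedEphemeral(sk *ecdsa.PrivateKey) (*ecdh.PrivateKey, []byte, []byte) {
	esk := must(ecdh.P256().GenerateKey(rand.Reader))
	d := sha256.Sum256(esk.PublicKey().Bytes())
	return esk, esk.PublicKey().Bytes(), must(ecdsa.SignASN1(rand.Reader, sk, d[:]))
}

// derive uses the peer's ePK only if sig verifies under its long-term PK (SHA-256 as stand-in KDF).
func derive(priv *ecdh.PrivateKey, pk *ecdsa.PublicKey, epk, sig []byte) (key [32]byte, ok bool) {
	peer, err := ecdh.P256().NewPublicKey(epk) // rejects malformed or off-curve points
	if d := sha256.Sum256(epk); err == nil && ecdsa.VerifyASN1(pk, d[:], sig) {
		key, ok = sha256.Sum256(must(priv.ECDH(peer))), true
	}
	return key, ok
}

func handshake(srv, card *ecdsa.PrivateKey, bothEphemeral bool) bool {
	eskS, epkS, sigS := signedEphemeral(srv)
	if !bothEphemeral { // claim 6 shape: server pairs eSKserver with the long-term PKeUICC
		kC, ok := derive(must(card.ECDH()), &srv.PublicKey, epkS, sigS)
		return ok && kC == sha256.Sum256(must(eskS.ECDH(must(card.PublicKey.ECDH()))))
	}
	eskC, epkC, sigC := signedEphemeral(card)            // claim 1 shape: signed ePKeUICC
	kS, okS := derive(eskS, &card.PublicKey, epkC, sigC) // server side
	kC, okC := derive(eskC, &srv.PublicKey, epkS, sigS)  // eUICC side
	return okS && okC && kS == kC                        // both checks passed, same key on both sides
}

func main() {
	fmt.Println(handshake(newLongTerm(), newLongTerm(), true), handshake(newLongTerm(), newLongTerm(), false))
}
```

In the server-only-ephemeral mode the session key equals ECDH(SKeUICC, ePKserver), so anyone who later obtains SKeUICC and a recorded ePKserver can recompute it; with both sides ephemeral, the long-term keys only sign and neither is enough on its own.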
Specification