METHODS AND APPARATUS FOR ESTABLISHING A SECURE COMMUNICATION CHANNEL

US 20160006729A1
Filed: 07/01/2015
Published: 01/07/2016
Est. Priority Date: 07/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method for establishing a secure connection between a server and an embedded Universal Integrated Circuit Card (eUICC) included in a mobile device that is associated with a long-term public key (PK_eUICC) and a long-term private key (SK_eUICC), the method comprising:

at the server, which is associated with a long-term public key (PK_server) and a long-term private key (SK_server);

receiving, from the mobile device, a request to establish the secure connection with the mobile device, wherein the request includes PK_eUICC; and

upon authenticating the mobile device using PK_eUICC;

generating an ephemeral public key (ePK_server) and an ephemeral private key (eSK_server);

signing ePK_serverusing SK_serverto produce a signed ePK_server;

providing the signed ePK_serverto the mobile device;

receiving, from the mobile device, an ephemeral key (ePK_eUICC) that is signed using SK_eUICC;

generating a shared symmetric key using eSK_serverand ePK_eUICC; and

establishing the secure connection using the shared symmetric key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for establishing a secure communication channel between an off-card entity and an embedded Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, an off-card entity, and each eUICC in a set of eUICCs managed by the off-card entity, possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the eUICC and the off-card entity can authenticate one another in accordance with the respectively-possessed PKI information (e.g., verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward security is desired. Once the shared session-based symmetric key is established, the off-card entity and the eUICC can securely communicate information.

49 Citations

View as Search Results

20 Claims

1. A method for establishing a secure connection between a server and an embedded Universal Integrated Circuit Card (eUICC) included in a mobile device that is associated with a long-term public key (PK_eUICC) and a long-term private key (SK_eUICC), the method comprising:
- at the server, which is associated with a long-term public key (PK_server) and a long-term private key (SK_server);
  
  receiving, from the mobile device, a request to establish the secure connection with the mobile device, wherein the request includes PK_eUICC; and
  
  upon authenticating the mobile device using PK_eUICC;
  
  generating an ephemeral public key (ePK_server) and an ephemeral private key (eSK_server);
  
  signing ePK_serverusing SK_serverto produce a signed ePK_server;
  
  providing the signed ePK_serverto the mobile device;
  
  receiving, from the mobile device, an ephemeral key (ePK_eUICC) that is signed using SK_eUICC;
  
  generating a shared symmetric key using eSK_serverand ePK_eUICC; and
  
  establishing the secure connection using the shared symmetric key.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - transmitting, over the secure connection, an electronic Subscriber Identity Module (eSIM) to the eUICC.
  - 3. The method of claim 1, further comprising:
    - providing, over the secure connection, an update to an eSIM managed by the eUICC.
  - 4. The method of claim 1, further comprising:
    - causing, over the secure connection, the eUICC to remove an eSIM managed by the eUICC.
  - 5. The method of claim 1, further comprising:
    - caching, within a security domain associated with the eUICC, the shared symmetric key for establishing a different secure connection at a later time with the mobile device.

6. A method for establishing a secure connection between a server and an embedded Universal Integrated Circuit Card (eUICC) included in a mobile device that is associated with a long-term public key (PK_eUICC) and a long-term private key (SK_eUICC), the method comprising:
- at the server, which is associated with a long-term public key (PK_server) and a long-term private key (SK_server);
  
  receiving, from the mobile device, a request to establish the secure connection with the mobile device, wherein the request includes PK_eUICC; and
  
  upon authenticating the mobile device using PK_eUICC;
  
  generating an ephemeral public key (ePK_server) and an ephemeral private key (eSK_server);
  
  signing ePK_serverusing SK_serverto produce a signed ePK_server;
  
  providing the signed ePK_serverto the mobile device;
  
  generating a shared symmetric key using eSK_serverand PK_eUICC; and
  
  establishing the secure connection using the shared symmetric key.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, further comprising:
    - transmitting, over the secure connection, an electronic Subscriber Identity Module (eSIM) to the eUICC.
  - 8. The method of claim 6, further comprising:
    - providing, over the secure connection, an update to an eSIM managed by the eUICC.
  - 9. The method of claim 6, further comprising:
    - causing, over the secure connection, the eUICC to remove an eSIM managed by the eUICC.
  - 10. The method of claim 6, further comprising:
    - caching, within a security domain associated with the eUICC, the shared symmetric key for establishing a different secure connection at a later time with the mobile device.

11. A method for establishing a secure connection between an embedded Universal Integrated Circuit Card (eUICC) and a server that is associated with a long-term public key (PK_server) and a long-term private key (SK_server), the method comprising:
- at the eUICC, which is associated with a long-term public key (PK_eUICC) and a long-term private key (SK_eUICC);
  
  transmitting, to the server, a request to establish the secure connection with the server, wherein the request includes PK_eUICC;
  
  receiving, from the server, PK_server; and
  
  upon authenticating the server using PK_server;
  
  generating an ephemeral public key (ePK_eUICC) and an ephemeral private key (eSK_eUICC);
  
  signing ePK_eUICCusing SK_eUICCto produce a signed ePK_eUICC;
  
  providing the signed ePK_eUICCto the server;
  
  receiving, from the server, an ephemeral key (ePK_server) that is signed using SK_server;
  
  generating a shared symmetric key using SK_eUICCand ePK_server; and
  
  establishing the secure connection using the shared symmetric key.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, further comprising:
    - receiving, from the server over the secure connection, an electronic Subscriber Identity Module (eSIM).
  - 13. The method of claim 11, further comprising:
    - receiving, from the server over the secure connection, an update to an eSIM managed by the eUICC; and
      
      processing the update to the eSIM.
  - 14. The method of claim 11, further comprising:
    - receiving, from the server over the secure connection, a command to remove an eSIM managed by the eUICC; and
      
      removing the eSIM from the eUICC.
  - 15. The method of claim 11, further comprising:
    - caching, within a security domain of the eUICC, the shared symmetric key for establishing a different secure connection at a later time with the server.

16. A method for establishing a secure connection between an embedded Universal Integrated Circuit Card (eUICC) and a server that is associated with a long-term public key (PK_server) and a long-term private key (SK_server), the method comprising:
- at the eUICC, which is associated with a long-term public key (PK_eUICC) and a long-term private key (SK_eUICC);
  
  transmitting, to the server, a request to establish the secure connection with the server, wherein the request includes PK_eUICC;
  
  receiving, from the server, PK_server; and
  
  upon authenticating the server using PK_server;
  
  providing PK_eUICCto the server;
  
  receiving, from the server, an ephemeral key (ePK_server) that is signed using SK_server;
  
  generating a shared symmetric key using SK_eUICCand ePK_server; and
  
  establishing the secure connection using the shared symmetric key.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising:
    - receiving, from the server over the secure connection, an electronic Subscriber Identity Module (eSIM).
  - 18. The method of claim 16, further comprising:
    - receiving, from the server over the secure connection, an update to an eSIM managed by the eUICC; and
      
      processing the update to the eSIM.
  - 19. The method of claim 16, further comprising:
    - receiving, from the server over the secure connection, a command to remove an eSIM managed by the eUICC; and
      
      removing the eSIM from the eUICC.
  - 20. The method of claim 16, further comprising:
    - caching, within a security domain associated with the eUICC, the shared symmetric key for establishing a different secure connection at a later time with the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
YANG, Xiangying, LI, Li, HAUCK, Jerrold Von

Granted Patent

US 9,722,975 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/068   using time-dependent keys, ...

H04L 63/0853   using an additional device,...

H04L 63/105   Multiple levels of security

H04W 12/041   Key generation or derivation

H04W 12/0433   Key management protocols

H04W 12/069   using certificates or pre-s...

H05K 999/99   dummy group

METHODS AND APPARATUS FOR ESTABLISHING A SECURE COMMUNICATION CHANNEL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

49 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND APPARATUS FOR ESTABLISHING A SECURE COMMUNICATION CHANNEL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links