Method and system for mobile device credentialing

US 8,064,597 B2
Filed: 11/30/2007
Issued: 11/22/2011
Est. Priority Date: 04/20/2007
Status: Active Grant

First Claim

Patent Images

1. A method of facilitating over-the-air mobile communication device activation comprising, at a centralized device directory server:

storing a device record that comprises preliminary subscription credential information for a mobile device;

sending at least part of the preliminary subscription credential information securely to an initial provisioning party, for use in initially provisioning the mobile device;

receiving a device identifier for the mobile device from a credential server of a given network operator associated with an intended end-user of the mobile device, and correspondingly linking network address information of the credential server to the device record;

receiving a validation request from an authentication server, responsive to the mobile device attempting to access a wireless communication network using the preliminary subscription credential information;

sending an authentication vector to the authentication server that is based on a secret key included in the preliminary subscription credential information, if the preliminary subscription credential information for the mobile device is valid;

receiving a credential server address request from the mobile device, subsequent to the mobile device gaining temporary access to the wireless communication network via the authentication vector; and

sending network address information for the credential server to the mobile device, as linked in the device record stored for the mobile device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems taught herein allow mobile device manufacturers to preconfigure mobile devices for subscription with any network operator having access to a centralized device directory server. The directory server stores device records, each including a preliminary subscription identity. Manufacturers individually provision new mobile devices with these preliminary subscription identities, and network operators preliminarily register subscribers by submitting requests to the directory server that cause it to link individual device records with the appropriate credential server addresses. Mobile devices gain temporary network access by submitting their preliminary subscription identities, which get passed along to the directory server for verification. In turn, the directory server generates authentication vectors giving the mobile devices temporary network access, and returns the appropriate credential server addresses. The mobile devices use the address information to submit secure requests for permanent subscription credentials, and the involved credential servers securely return permanent subscription credentials responsive to valid requests.

48 Citations

View as Search Results

18 Claims

1. A method of facilitating over-the-air mobile communication device activation comprising, at a centralized device directory server:
- storing a device record that comprises preliminary subscription credential information for a mobile device;
  
  sending at least part of the preliminary subscription credential information securely to an initial provisioning party, for use in initially provisioning the mobile device;
  
  receiving a device identifier for the mobile device from a credential server of a given network operator associated with an intended end-user of the mobile device, and correspondingly linking network address information of the credential server to the device record;
  
  receiving a validation request from an authentication server, responsive to the mobile device attempting to access a wireless communication network using the preliminary subscription credential information;
  
  sending an authentication vector to the authentication server that is based on a secret key included in the preliminary subscription credential information, if the preliminary subscription credential information for the mobile device is valid;
  
  receiving a credential server address request from the mobile device, subsequent to the mobile device gaining temporary access to the wireless communication network via the authentication vector; and
  
  sending network address information for the credential server to the mobile device, as linked in the device record stored for the mobile device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein storing the device record comprises storing a Preliminary International Mobile Subscriber Identity, PIMSI, and the secret key for the mobile device.
  - 3. The method of claim 2, wherein receiving the device identifier for the mobile device from the credential server of the given network operator associated with the intended end-user of the mobile device comprises receiving a Public Device Identifier, PDI, that is derived from the Preliminary International Mobile Subscriber Identity, PIMSI, of the mobile device, and further comprising identifying the device record for the mobile device from the Public Device Identifier, PDI, and linking the device record to the network address information of the credential server.
  - 4. The method of claim 2, further comprising initially provisioning a trusted module of the mobile device with the Preliminary International Mobile Subscriber Identity, PIMSI, the secret key, and a public/private key pair, and further provisioning the mobile device with network address information for the centralized device directory server and a listing of network operators that support temporary wireless communication network access via use of the Preliminary International Mobile Subscriber Identity, PIMSI.
  - 5. The method of claim 4, further comprising gaining the temporary access to the wireless communication network by the mobile device based on the mobile device providing the Preliminary International Mobile Subscriber Identity, PIMSI, to the wireless communication network, and the wireless communication network forwarding the Preliminary International Mobile Subscriber Identity, PIMSI, to the authentication server for transfer to the centralized device directory server.
  - 6. The method of claim 5, further comprising gaining access to the credential server of the given network operator by the mobile device, based on the mobile device receiving the network address information for the credential server from the centralized device directory server, and sending a credential request from the mobile device to the credential server, said credential request including the public key of the public/private key pair stored in the mobile device, and said credentialing request protected by a temporary key derived from the secret key stored in the mobile device.
  - 7. The method of claim 6, further comprising, at the credential server, verifying the credentialing request from the mobile device, and generating a Soft Subscriber Identity Module, SSIM, and sending the SSIM to the mobile device in encrypted form using the public key of the mobile device, for use by the mobile device in installing permanent subscription credentials for the given network operator.
  - 8. The method of claim 2, further comprising, at the centralized device directory server, deriving a second secret key from the secret key, and sending the second secret key for storage at the credential server in association with end-user subscriber data, for later use in protecting Soft Subscriber Identity Module, SSIM, information generated by the credential server and sent over-the-air to the mobile device.

9. A system for facilitating over-the-air mobile communication device activation including a centralized device directory server that comprises one or more processing circuits configured to:
- store a device record that comprises preliminary subscription credential information for a mobile device;
  
  send at least part of the preliminary subscription credential information securely to an initial provisioning party, for use in initially provisioning the mobile device;
  
  receive a device identifier for the mobile device from a credential server of a given network operator associated with an intended end-user of the mobile device, and correspondingly link network address information of the credential server to the device record;
  
  receive a validation request from an authentication server, responsive to the mobile device attempting to access a wireless communication network using the preliminary subscription credential information;
  
  send an authentication vector to the authentication server that is based on a secret key included in the preliminary subscription credential information, if the preliminary subscription credential information for the mobile device is valid; and
  
  receive a credential server address request from the mobile device, subsequent to the mobile device gaining temporary access to the wireless communication network via the authentication vector, and to correspondingly send network address information for the credential server to the mobile device, as linked in the device record stored for the mobile device.
- View Dependent Claims (10, 11, 12, 13, 18)
- - 10. The system of claim 9, wherein the centralized device directory server is configured to store, as the device record, a Preliminary International Mobile Subscriber Identity, PIMSI, and the secret key for the mobile device.
  - 11. The system of claim 10, wherein the centralized device directory server includes a communication interface configured to communicate directly or indirectly with the credential server, and to receive, as the device identifier for the mobile device, a Public Device Identifier, PDI, that is derived from the Preliminary International Mobile Subscriber Identity, PIMSI, of the mobile device, and wherein the centralized device directory server is configured to identify the device record for the mobile device from the Public Device Identifier, PDI, and link the device record to the network address information of the credential server.
  - 12. The system of claim 10, further comprising an initial provisioning server configured to provision a trusted module of the mobile device with the Preliminary International Mobile Subscriber Identity, PIMSI, and the secret key, and to further provision the mobile device with network address information for the centralized device directory server, and a listing of network operators that support temporary wireless communication network access via use of the Preliminary International Mobile Subscriber Identity, PIMSI.
  - 13. The system of claim 12, wherein the initial provisioning server is further configured to provision the trusted module of the mobile device with a public/private key pair for later use in over-the-air activation of the mobile device.
  - 18. The system of claim 9, wherein the centralized device directory server is configured to derive a second secret key from the secret key, and send the second secret key for storage at the credential server in association with end-user subscriber data, for later use in protecting Soft Subscriber Identity Module, SSIM, information generated by the credential server and sent over-the-air to the mobile device.

14. The system of 12, wherein the authentication server is communicatively coupled to the wireless communication network and is configured to receive the Preliminary International Mobile Subscriber Identity, PIMSI, and to correspondingly receive an authentication vector for the mobile station in response to transferring the Preliminary International Mobile Subscriber Identity, PIMSI, to the centralized device directory server for verification, and to return the authentication vector to the wireless communication network for granting temporary access to the mobile device.
- View Dependent Claims (15, 16, 17)
- - 15. The system of claim 14, wherein the centralized device directory server is configured to receive a credential server address request from the mobile device after the mobile device is granted temporary access based on the authentication vector, and to return the network address information of the credential server, as linked to the device record of the mobile device.
  - 16. The system of claim 15, wherein the mobile device is configured to receive the network address information for the credential server from the centralized device directory, and correspondingly to send a credential request for permanent subscription credentials to the credential server, said credential request including the public key of the public/private key pair stored in the mobile device, and said credentialing request protected by a temporary key derived from the secret key of the mobile device.
  - 17. The system of claim 16, wherein the credential server is configured to verify the credentialing request from the mobile device and correspondingly to generate a Soft Subscriber Identity Module, SSIM, and is further configured to send the SSIM to the mobile device in encrypted form as protected by the public key of the mobile device, for use by the mobile device in installing permanent subscription credentials for the given network operator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Gehrmann, Christian M
Primary Examiner(s)
Srivastava; Vivek
Assistant Examiner(s)
TRUONG, THONG P

Application Number

US11/948,352
Publication Number

US 20080260149A1
Time in Patent Office

1,453 Days
Field of Search

380/247, 455/419, 705/1
US Class Current

380/247
CPC Class Codes

G06Q 20/3821   Electronic credentials

H04W 12/06   Authentication

H04W 8/18   Processing of user or subsc...

H04W 8/265   for initial activation of n...

Method and system for mobile device credentialing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for mobile device credentialing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links