Electronic access client distribution apparatus and methods
First Claim
1. An apparatus for distributing electronic Subscriber Identity Modules (eSIMs), comprising:
- one or more eSIM appliances configured to encrypt a plurality of eSIMs, wherein the one or more eSIM appliances comprises hardware, software or a combination of hardware and software;
one or more secure eSIM storage components configured to store the plurality of eSIMs and associated eSIM metadata, wherein the one or more secure eSIM storage components is communicably coupled to the one or more eSIM appliances, and the one or more secure eSIM storage components comprises hardware or a combination of hardware and software;
one or more eSIM management entities configured to perform at least one of tracking, verification, and authorization for the plurality of eSIMs, wherein the one or more eSIM management entities comprises hardware, software or a combination of hardware and software; and
one or more secure element appliances configured to protect one or more cryptographic materials associated with the plurality of eSIMs that are transmitted to one or more device secure elements, wherein the one or more secure element appliances comprises hardware, software or a combination of hardware and software,wherein the one or more eSIM appliances is further configured to;
receive a request for at least one eSIM from among the plurality of eSIMs, andretrieve current state information associated with the at least one eSIM, wherein the current state information is used to determine whether to provide the at least one eSIM in response to the request.
1 Assignment
0 Petitions
Accused Products
Abstract
Apparatus and methods for distributing access control clients. In one exemplary embodiment, a network infrastructure is disclosed that enables delivery of electronic subscriber identity modules (eSIMs) to secure elements (e.g., electronic Universal Integrated Circuit Cards (eUICCs), etc.) The network architecture includes one or more of: (i) eSIM appliances, (ii) secure eSIM storages, (iii) eSIM managers, (iv) eUICC appliances, (v) eUICC managers, (vi) service provider consoles, (vii) account managers, (viii) Mobile Network Operator (MNO) systems, (ix) eUICCs that are local to one or more devices, and (x) depots. Moreover, each depot may include: (xi) eSIM inventory managers, (xii) system directory services, (xiii) communications managers, and/or (xiv) pending eSIM storages. Functions of the disclosed infrastructure can be flexibly partitioned and/or adapted such that individual parties can host portions of the infrastructure. Exemplary embodiments of the present invention can provide redundancy, thus ensuring maximal uptime for the overall network (or the portion thereof).
-
Citations
18 Claims
-
1. An apparatus for distributing electronic Subscriber Identity Modules (eSIMs), comprising:
-
one or more eSIM appliances configured to encrypt a plurality of eSIMs, wherein the one or more eSIM appliances comprises hardware, software or a combination of hardware and software; one or more secure eSIM storage components configured to store the plurality of eSIMs and associated eSIM metadata, wherein the one or more secure eSIM storage components is communicably coupled to the one or more eSIM appliances, and the one or more secure eSIM storage components comprises hardware or a combination of hardware and software; one or more eSIM management entities configured to perform at least one of tracking, verification, and authorization for the plurality of eSIMs, wherein the one or more eSIM management entities comprises hardware, software or a combination of hardware and software; and one or more secure element appliances configured to protect one or more cryptographic materials associated with the plurality of eSIMs that are transmitted to one or more device secure elements, wherein the one or more secure element appliances comprises hardware, software or a combination of hardware and software, wherein the one or more eSIM appliances is further configured to; receive a request for at least one eSIM from among the plurality of eSIMs, and retrieve current state information associated with the at least one eSIM, wherein the current state information is used to determine whether to provide the at least one eSIM in response to the request. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A system for distributing electronic Subscriber Identity Modules (eSIMs), comprising:
-
one or more eSIM appliances configured to encrypt a plurality of eSIMs, wherein the one or more eSIM appliances comprises hardware, software or a combination of hardware and software; one or more secure eSIM storage components configured to store the plurality of eSIMs and associated first eSIM metadata, wherein the one or more secure eSIM storage components is coupled to the one or more eSIM appliances, and the one or more secure eSIM storage components comprises hardware or a combination of hardware and software; one or more eSIM managers, wherein each of the one or more eSIM managers is configured to track, verify, and authorize the plurality of eSIMs, and the one or more eSIM managers comprises hardware, software or a combination of hardware and software; one or more electronic Universal Integrated Circuit Card (eUICC) appliances, wherein each of the one or more eUICC appliances is configured to protect one or more cryptographic materials associated with the plurality of eSIMs that are transmitted to one or more device eUICCs, and the one or more eUICC appliances comprises hardware, software or a combination of hardware and software; one or more eUICC managers, wherein each of the one or more eUICC managers is configured to track, verify, and authorize the one or more device eUICCs, and the one or more eUICC managers comprises hardware, software or a combination of hardware and software; and one or more depots, wherein each depot of the one or more depots is configured to store a portion of the plurality of eSIMs and associated second eSIM metadata, and each depot of the one or more depots comprises; an eSIM inventory manager configured to distribute the portion of the plurality of eSIMs among the one or more eSIM managers, and track the second eSIM metadata to facilitate inventory management of the portion of the plurality of eSIMs, wherein the eSIM inventory manager comprises hardware, software or a combination of hardware and software; a system directory service configured to service one or more requests for information associated with the portion of the plurality of eSIMs, wherein the system directory service comprises hardware, software or a combination of hardware and software; and a pending eSIM storage configured to store the portion of the plurality of eSIMs for delivery to the one or more device eUICCs, wherein the pending eSIM storage comprises hardware, software or a combination of hardware and software. - View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
-
-
15. A method for transmitting one or more cryptographic materials to a destination device from a source device according to a trusted relationship, the method comprising:
-
encrypting, by a processor at the source device, an electronic Subscriber Identity Module (eSIM) based on at least a unique device key and an endorsement certificate, wherein the unique device key is unique to the destination device, the endorsement certificate uniquely identifies the source device as a trusted device, and the eSIM comprises the one or more cryptographic materials; in response to a request for the eSIM from the destination device, retrieving, by the processor at the source device, current state information associated with the eSIM, wherein the current state information is used to determine whether to provide the eSIM to the destination device; communicating, by the processor at the source device, the eSIM to the destination device, wherein the endorsement certificate of the source device is verified at the destination device and the eSIM is decrypted at the destination device; and deleting, by the processor at the source device, the eSIM that is communicated to the destination device, wherein the trusted relationship between the source device and the destination device ensures that the one or more cryptographic materials cannot be modified by untrusted entities.
-
-
16. A method for ensuring secure delivery of one or more cryptographic materials to a destination device according to a standard trusted relationship, comprising:
-
encrypting, by a processor, an electronic Subscriber Identity Module (eSIM) based on a unique device key and an endorsement certificate, wherein the unique device key is unique to the destination device, and the eSIM comprises the one or more cryptographic materials; causing, by the processor, delivery of the eSIM to the destination device, wherein the destination device is associated with a subscriber, the eSIM is decrypted at the destination device, the delivery is accomplished via one or more depots, each depot of the one or more depots is configured to store a copy of the eSIM for delivery to the destination device, and when a first copy of the eSIM is delivered to the destination device from a first depot of the one or more depots, one or more remaining copies of the eSIM at other depots of the one or more depots is deleted or rendered inactive; and receiving, by the processor, a registration communication associated with the first copy of the eSIM from the destination device after the eSIM is decrypted, wherein when a subsequent registration communication associated with the one or more remaining copies of the eSIM is attempted, further utilization of the one or more cryptographic materials associated with the eSIM is precluded for any device other than the destination device. - View Dependent Claims (17)
-
-
18. A non-transitory computer readable storage medium configured to store instructions that, when executed by a processor included in a computing device, cause the computing device to carry out steps that include:
-
encrypting an electronic Subscriber Identity Module (eSIM) based on at least a unique device key and an endorsement certificate, wherein the unique device key is unique to a destination device, the endorsement certificate uniquely identifies a source device as a trusted device, and the eSIM comprises one or more cryptographic materials; in response to a request for the eSIM from the destination device, retrieving current state information associated with the eSIM, wherein the current state information is used to determine whether to provide the eSIM to the destination device; communicating the eSIM to the destination device, wherein the endorsement certificate of the source device is verified at the destination device and the eSIM is decrypted at the destination device; and deleting the eSIM that is communicated to the destination device, wherein a trusted relationship between the source device and the destination device ensures that the one or more cryptographic materials cannot be modified by untrusted entities.
-
Specification