Electronic access client distribution apparatus and methods

US 8,887,257 B2
Filed: 04/26/2012
Issued: 11/11/2014
Est. Priority Date: 04/26/2011
Status: Active Grant

First Claim

Patent Images

1. An apparatus for distributing electronic Subscriber Identity Modules (eSIMs), comprising:

one or more eSIM appliances configured to encrypt a plurality of eSIMs, wherein the one or more eSIM appliances comprises hardware, software or a combination of hardware and software;

one or more secure eSIM storage components configured to store the plurality of eSIMs and associated eSIM metadata, wherein the one or more secure eSIM storage components is communicably coupled to the one or more eSIM appliances, and the one or more secure eSIM storage components comprises hardware or a combination of hardware and software;

one or more eSIM management entities configured to perform at least one of tracking, verification, and authorization for the plurality of eSIMs, wherein the one or more eSIM management entities comprises hardware, software or a combination of hardware and software; and

one or more secure element appliances configured to protect one or more cryptographic materials associated with the plurality of eSIMs that are transmitted to one or more device secure elements, wherein the one or more secure element appliances comprises hardware, software or a combination of hardware and software,wherein the one or more eSIM appliances is further configured to;

receive a request for at least one eSIM from among the plurality of eSIMs, andretrieve current state information associated with the at least one eSIM, wherein the current state information is used to determine whether to provide the at least one eSIM in response to the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods for distributing access control clients. In one exemplary embodiment, a network infrastructure is disclosed that enables delivery of electronic subscriber identity modules (eSIMs) to secure elements (e.g., electronic Universal Integrated Circuit Cards (eUICCs), etc.) The network architecture includes one or more of: (i) eSIM appliances, (ii) secure eSIM storages, (iii) eSIM managers, (iv) eUICC appliances, (v) eUICC managers, (vi) service provider consoles, (vii) account managers, (viii) Mobile Network Operator (MNO) systems, (ix) eUICCs that are local to one or more devices, and (x) depots. Moreover, each depot may include: (xi) eSIM inventory managers, (xii) system directory services, (xiii) communications managers, and/or (xiv) pending eSIM storages. Functions of the disclosed infrastructure can be flexibly partitioned and/or adapted such that individual parties can host portions of the infrastructure. Exemplary embodiments of the present invention can provide redundancy, thus ensuring maximal uptime for the overall network (or the portion thereof).

Citations

18 Claims

1. An apparatus for distributing electronic Subscriber Identity Modules (eSIMs), comprising:
- one or more eSIM appliances configured to encrypt a plurality of eSIMs, wherein the one or more eSIM appliances comprises hardware, software or a combination of hardware and software;
  
  one or more secure eSIM storage components configured to store the plurality of eSIMs and associated eSIM metadata, wherein the one or more secure eSIM storage components is communicably coupled to the one or more eSIM appliances, and the one or more secure eSIM storage components comprises hardware or a combination of hardware and software;
  
  one or more eSIM management entities configured to perform at least one of tracking, verification, and authorization for the plurality of eSIMs, wherein the one or more eSIM management entities comprises hardware, software or a combination of hardware and software; and
  
  one or more secure element appliances configured to protect one or more cryptographic materials associated with the plurality of eSIMs that are transmitted to one or more device secure elements, wherein the one or more secure element appliances comprises hardware, software or a combination of hardware and software,wherein the one or more eSIM appliances is further configured to;
  
  receive a request for at least one eSIM from among the plurality of eSIMs, andretrieve current state information associated with the at least one eSIM, wherein the current state information is used to determine whether to provide the at least one eSIM in response to the request.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus of claim 1, wherein the one or more secure element appliances comprises an electronic Universal Integrated Circuit Card (eUICC) appliance, and the one or more device secure elements comprises a device eUICC.
  - 3. The apparatus of claim 2, wherein the eUICC appliance comprises at least one networked server operated by a trusted entity, and the device eUICC is associated with a mobile device.
  - 4. The apparatus of claim 3, wherein the device eUICC comprises a physically secure card-like form factor receivable within the mobile device.
  - 5. The apparatus of claim 1, wherein the one or more cryptographic materials are transmitted to the one or more device secure elements via a wireless link between the one or more secure element appliances and the one or more device secure elements.

6. A system for distributing electronic Subscriber Identity Modules (eSIMs), comprising:
- one or more eSIM appliances configured to encrypt a plurality of eSIMs, wherein the one or more eSIM appliances comprises hardware, software or a combination of hardware and software;
  
  one or more secure eSIM storage components configured to store the plurality of eSIMs and associated first eSIM metadata, wherein the one or more secure eSIM storage components is coupled to the one or more eSIM appliances, and the one or more secure eSIM storage components comprises hardware or a combination of hardware and software;
  
  one or more eSIM managers, wherein each of the one or more eSIM managers is configured to track, verify, and authorize the plurality of eSIMs, and the one or more eSIM managers comprises hardware, software or a combination of hardware and software;
  
  one or more electronic Universal Integrated Circuit Card (eUICC) appliances, wherein each of the one or more eUICC appliances is configured to protect one or more cryptographic materials associated with the plurality of eSIMs that are transmitted to one or more device eUICCs, and the one or more eUICC appliances comprises hardware, software or a combination of hardware and software;
  
  one or more eUICC managers, wherein each of the one or more eUICC managers is configured to track, verify, and authorize the one or more device eUICCs, and the one or more eUICC managers comprises hardware, software or a combination of hardware and software; and
  
  one or more depots, wherein each depot of the one or more depots is configured to store a portion of the plurality of eSIMs and associated second eSIM metadata, and each depot of the one or more depots comprises;
  
  an eSIM inventory manager configured to distribute the portion of the plurality of eSIMs among the one or more eSIM managers, and track the second eSIM metadata to facilitate inventory management of the portion of the plurality of eSIMs, wherein the eSIM inventory manager comprises hardware, software or a combination of hardware and software;
  
  a system directory service configured to service one or more requests for information associated with the portion of the plurality of eSIMs, wherein the system directory service comprises hardware, software or a combination of hardware and software; and
  
  a pending eSIM storage configured to store the portion of the plurality of eSIMs for delivery to the one or more device eUICCs, wherein the pending eSIM storage comprises hardware, software or a combination of hardware and software.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The system of claim 6, wherein the eSIM inventory manager is configured to distribute the portion of the plurality of eSIMs based on a projected demand, a historical demand or an actual demand.
  - 8. The system of claim 6, wherein the second eSIM metadata is periodically checked to identify a stale copy of a particular eSIM from among the portion of the plurality of eSIMs.
  - 9. The system of claim 8, wherein the second eSIM metadata is periodically checked by the one or more eUICC appliances.
  - 10. The system of claim 6, wherein the portion of the plurality of eSIMs comprises a pre-personalized eSIM that is assigned a particular device eUICC of the one or more device eUICCs, and the pre-personalized eSIM is delivered to the particular device eUICC in response to a request from the particular device eUICC.
  - 11. The system of claim 6, wherein each depot of the one or more depots stores a copy of a particular eSIM from among the portion of the plurality of eSIMs, and in response to a delivery of a first copy of the particular eSIM to the one or more device UICCs from a first depot of the one or more depots, one or more remaining copies of the particular eSIM at other depots of the one or more depots is deleted or rendered inactive.
  - 12. The system of claim 6, wherein the one or more requests for information comprises a request for a location of a particular eSIM from among the portion of the plurality of eSIMs.
  - 13. The system of claim 6, wherein the one or more requests for information comprises a request for information regarding a type of particular eSIM from among the portion of the plurality of eSIMs.
  - 14. The system of claim 6, wherein the second eSIM metadata is encrypted with a key associated with the one or more depots.

15. A method for transmitting one or more cryptographic materials to a destination device from a source device according to a trusted relationship, the method comprising:
- encrypting, by a processor at the source device, an electronic Subscriber Identity Module (eSIM) based on at least a unique device key and an endorsement certificate, wherein the unique device key is unique to the destination device, the endorsement certificate uniquely identifies the source device as a trusted device, and the eSIM comprises the one or more cryptographic materials;
  
  in response to a request for the eSIM from the destination device, retrieving, by the processor at the source device, current state information associated with the eSIM, wherein the current state information is used to determine whether to provide the eSIM to the destination device;
  
  communicating, by the processor at the source device, the eSIM to the destination device, wherein the endorsement certificate of the source device is verified at the destination device and the eSIM is decrypted at the destination device; and
  
  deleting, by the processor at the source device, the eSIM that is communicated to the destination device,wherein the trusted relationship between the source device and the destination device ensures that the one or more cryptographic materials cannot be modified by untrusted entities.

16. A method for ensuring secure delivery of one or more cryptographic materials to a destination device according to a standard trusted relationship, comprising:
- encrypting, by a processor, an electronic Subscriber Identity Module (eSIM) based on a unique device key and an endorsement certificate, wherein the unique device key is unique to the destination device, and the eSIM comprises the one or more cryptographic materials;
  
  causing, by the processor, delivery of the eSIM to the destination device, wherein the destination device is associated with a subscriber, the eSIM is decrypted at the destination device, the delivery is accomplished via one or more depots, each depot of the one or more depots is configured to store a copy of the eSIM for delivery to the destination device, and when a first copy of the eSIM is delivered to the destination device from a first depot of the one or more depots, one or more remaining copies of the eSIM at other depots of the one or more depots is deleted or rendered inactive; and
  
  receiving, by the processor, a registration communication associated with the first copy of the eSIM from the destination device after the eSIM is decrypted, wherein when a subsequent registration communication associated with the one or more remaining copies of the eSIM is attempted, further utilization of the one or more cryptographic materials associated with the eSIM is precluded for any device other than the destination device.
- View Dependent Claims (17)
- - 17. The method of claim 16, wherein the destination device comprises a mobile device, and the registration communication is communicated via a wireless interface of the mobile device.

18. A non-transitory computer readable storage medium configured to store instructions that, when executed by a processor included in a computing device, cause the computing device to carry out steps that include:
- encrypting an electronic Subscriber Identity Module (eSIM) based on at least a unique device key and an endorsement certificate, wherein the unique device key is unique to a destination device, the endorsement certificate uniquely identifies a source device as a trusted device, and the eSIM comprises one or more cryptographic materials;
  
  in response to a request for the eSIM from the destination device, retrieving current state information associated with the eSIM, wherein the current state information is used to determine whether to provide the eSIM to the destination device;
  
  communicating the eSIM to the destination device, wherein the endorsement certificate of the source device is verified at the destination device and the eSIM is decrypted at the destination device; and
  
  deleting the eSIM that is communicated to the destination device,wherein a trusted relationship between the source device and the destination device ensures that the one or more cryptographic materials cannot be modified by untrusted entities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Haggerty, David T., McLaughlin, Kevin, Von Hauck, Jerrold, Mathias, Arun
Primary Examiner(s)
HOLDER, BRADLEY W

Application Number

US13/457,333
Publication Number

US 20120331292A1
Time in Patent Office

929 Days
Field of Search

713/168, 726/9
US Class Current

726/9
CPC Class Codes

H04B 1/3816   Mechanical arrangements for...

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/12   Detection or prevention of ...

H04W 12/35   Protecting application or s...

H04W 4/029   Location-based management o...

H04W 4/60   Subscription-based services...

H04W 88/06   adapted for operation in mu...

Electronic access client distribution apparatus and methods

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic access client distribution apparatus and methods

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links