Methods and apparatus for storage and execution of access control clients
Abstract
Disclosed herein is a technique for securely provisioning access control entities (e.g., electronic Subscriber Identity Module (eSIM) components) to a user equipment (UE) device. In one embodiment, a UE device is assigned a unique key and an endorsement certificate that can be used to provide updates or new eSIMs to the UE device. The UE device can trust eSIM material delivered by an unknown third-party eSIM vendor, based on a secure certificate transmission with the unique key. In another aspect, an operating system (OS) is partitioned into various sandboxes. During operation, the UE device can activate and execute the OS in the sandbox corresponding to a current wireless network. Personalization packages received while connected to the network only apply to that sandbox. Similarly, when loading an eSIM, the OS need only load the list of software necessary for the current run-time environment. Unused software can be subsequently activated.
26 Claims
1. A wireless apparatus, comprising:

at least one wireless adapter configured to communicate with at least one wireless network;

a secure element configured to store a plurality of electronic Subscriber Identity Modules (eSIMs), wherein:
the secure element is pre-associated with both a cryptographic key and a first endorsement certificate, and includes, for each eSIM in the plurality of eSIMs, a secure partition that is associated with the eSIM, and
each eSIM of the plurality of eSIMs represents a virtualization of a physical Subscriber Identity Module (SIM) card; and

a processor configured to cause the wireless apparatus to:
transmit, via the at least one wireless adapter, a request for an eSIM that is not included in the plurality of eSIMs, wherein the request includes the first endorsement certificate and is addressed to a third party entity that is different than a network operator associated with the at least one wireless network;
receive, via the at least one wireless adapter and from the third party entity, the eSIM and a second endorsement certificate associated with the third party entity; and
responsive to successful verification of the second endorsement certificate:
identify a secure partition that corresponds to the eSIM, and
store the eSIM to the secure partition.

Dependent claims: 2-10
11. A method for managing electronic subscriber identity modules (eSIMs) that enable a mobile device to access at least one wireless network, comprising:

at the mobile device:
identifying both a cryptographic key and a first endorsement certificate associated with a secure element included in the mobile device, wherein:
the secure element stores a plurality of eSIMs and includes, for each eSIM in the plurality of eSIMs, a secure partition that is associated with the eSIM, and
each eSIM of the plurality of eSIMs represents a virtualization of a physical Subscriber Identity Module (SIM) card;
issuing, to a third party trusted entity different than a network operator that provides the wireless network, a request for an eSIM that is not included in the plurality of eSIMs, wherein the request includes the first endorsement certificate;
receiving, from the third party trusted entity, the eSIM and a second endorsement certificate; and
responsive to verification of the second endorsement certificate:
identifying a secure partition that corresponds to the eSIM, and
storing the eSIM to the associated secure partition included in the secure element.

Dependent claims: 12-21
22. An apparatus configured to deliver electronic subscriber identity modules (eSIMs) to mobile devices over a wireless network, the apparatus comprising:

a processor; and
at least one network interface in data communication with the processor, wherein the processor is configured to cause the apparatus to:
receive, via the at least one network interface and from a secure element included in a mobile device, a request for an eSIM that is not stored by the secure element, wherein the secure element includes a distinct partition for each eSIM of a plurality of eSIMs stored by the secure element, and the request includes a first endorsement certificate that is associated with the secure element and specifies a selection of a network operator;
retrieve a second endorsement certificate that corresponds to the first endorsement certificate to verify the secure element;
upon verification of the secure element, obtain the eSIM; and
transmit the eSIM and a third endorsement certificate to the mobile device, wherein the third endorsement certificate enables the mobile device to verify the apparatus.

Dependent claims: 23-26
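The provisioning exchange that the abstract and claims 1, 11 and 22 describe, as an added example that is not part of the patent or of any product it covers. The device side (secure element with a pre-associated key and endorsement certificate, one partition per eSIM, request for an eSIM it does not hold) and the vendor side (verify the element's endorsement against the issuer it names, release the eSIM, return it with the vendor's own endorsement) are modelled with constructed parties. Everything named here is an assumption: the trust anchor "EndorsementCA", the party and field names, the sample ICCID and IMSI, and the use of an HMAC under an issuer secret as a stand-in for the asymmetric signature a real endorsement certificate would carry. The nonce that binds the vendor's reply to the outstanding request is an added check a practitioner would want; the claims do not mention it.

```python
"""Constructed model of endorsement-certificate gated eSIM provisioning.
Not the patent's own design: trust anchor, names, field layout and the
HMAC 'signature' are illustration-only assumptions."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed trust store: issuer name -> issuer secret. A deployment would
# hold CA public keys here and verify X.509 signatures instead of HMACs.
ISSUERS = {"EndorsementCA": b"constructed-endorsement-ca-secret"}


def _canon(obj) -> bytes:
    """Canonical encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_endorsement(issuer: str, subject: str, role: str) -> dict:
    """Endorsement certificate: `issuer` vouches that `subject` acts as `role`."""
    body = {"issuer": issuer, "subject": subject, "role": role}
    sig = hmac.new(ISSUERS[issuer], _canon(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_endorsement(cert: dict, expected_role: str) -> bool:
    """Look up the issuer the certificate names (claim 22's endorsement that
    'corresponds to the first'), recompute the signature over the body, and
    require the role the caller expects. Any failure means 'do not trust'."""
    body = cert.get("body", {})
    secret = ISSUERS.get(body.get("issuer"))
    if secret is None:
        return False  # unknown issuer: nothing to verify against
    expected = hmac.new(secret, _canon(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(cert.get("sig", ""))) and body.get("role") == expected_role


@dataclass
class SecureElement:
    """Secure element with a pre-associated key and endorsement certificate
    and one partition per stored eSIM (claim 1)."""
    key: bytes
    cert: dict
    partitions: dict = field(default_factory=dict)  # partition id -> sealed eSIM
    pending: dict = field(default_factory=dict)     # nonce -> requested eSIM id

    @staticmethod
    def partition_for(esim_id: str) -> str:
        """Partition id derived from the eSIM id, so the store step cannot be
        steered into a partition that belongs to another eSIM."""
        return hashlib.sha256(b"partition|" + esim_id.encode()).hexdigest()[:16]

    def build_request(self, esim_id: str, operator: str) -> dict:
        # The claims require the requested eSIM not to be among those stored.
        if self.partition_for(esim_id) in self.partitions:
            raise ValueError("eSIM already stored in its partition")
        nonce = secrets.token_hex(16)  # added check: binds the reply to this request
        self.pending[nonce] = esim_id
        return {"esim_id": esim_id, "operator": operator, "nonce": nonce, "endorsement": self.cert}

    def install(self, response: dict) -> str:
        """Verify the vendor's endorsement, then store into the partition that
        corresponds to the delivered eSIM. Returns the partition id."""
        if not verify_endorsement(response.get("endorsement", {}), "esim-vendor"):
            raise PermissionError("vendor endorsement certificate failed verification")
        esim = response.get("esim", {})
        esim_id = esim.get("id")
        if esim_id is None or self.pending.pop(response.get("nonce"), None) != esim_id:
            raise PermissionError("reply does not match an outstanding request")
        pid = self.partition_for(esim_id)
        # Seal the partition contents under a key derived from the element's
        # own key and the eSIM id (integrity only in this constructed model).
        seal_key = hmac.new(self.key, b"seal|" + esim_id.encode(), hashlib.sha256).digest()
        blob = _canon(esim)
        self.partitions[pid] = {"blob": blob, "tag": hmac.new(seal_key, blob, hashlib.sha256).hexdigest()}
        return pid


@dataclass
class EsimVendor:
    """Third-party eSIM vendor (claim 22): releases an eSIM only to a secure
    element whose endorsement certificate verifies."""
    cert: dict
    profiles: dict  # constructed inventory: eSIM id -> profile

    def handle(self, request: dict) -> dict:
        if not verify_endorsement(request.get("endorsement", {}), "secure-element"):
            raise PermissionError("secure element endorsement certificate failed verification")
        profile = self.profiles.get(request["esim_id"])
        if profile is None or profile["operator"] != request["operator"]:
            raise LookupError("no eSIM for that identifier and operator")
        return {"esim": profile, "nonce": request["nonce"], "endorsement": self.cert}


def run_exchange(tamper=None):
    """One provisioning round between constructed parties; `tamper` may alter
    the vendor's reply in flight to exercise the device-side rejections."""
    esim_id, operator = "89010000000000000001", "ExampleMobile"  # constructed values
    se = SecureElement(key=secrets.token_bytes(32),
                       cert=issue_endorsement("EndorsementCA", "SE-0001", "secure-element"))
    vendor = EsimVendor(cert=issue_endorsement("EndorsementCA", "VendorX", "esim-vendor"),
                        profiles={esim_id: {"id": esim_id, "operator": operator, "imsi": "001010123456789"}})
    reply = vendor.handle(se.build_request(esim_id, operator))
    if tamper:
        reply = tamper(reply)
    return se, se.install(reply)


if __name__ == "__main__":
    element, partition = run_exchange()
    print("eSIM stored in partition", partition)
```

Both gates fail closed: the vendor refuses to release a profile to a secure element whose endorsement names an issuer it does not trust or carries the wrong role, and the element refuses an eSIM whose accompanying endorsement does not verify or whose reply is not tied to a request it actually issued. Because the partition id is a function of the eSIM identifier rather than a field the vendor chooses, a verified vendor still cannot direct the store step into another eSIM's partition.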
Specification