Methods and apparatus for storage and execution of access control clients

US 8,924,715 B2
Filed: 04/05/2011
Issued: 12/30/2014
Est. Priority Date: 10/28/2010
Status: Active Grant

First Claim

Patent Images

1. A wireless apparatus, comprising:

at least one wireless adapter configured to communicate with at least one wireless network;

a secure element configured to store a plurality of electronic Subscriber Identity Modules (eSIMs), wherein;

the secure element is pre-associated with both a cryptographic key and a first endorsement certificate, and includes, for each eSIM in the plurality of eSIMs, a secure partition that is associated with the eSIM, andeach eSIM of the plurality of eSIMs represents a virtualization of a physical Subscriber Identity Module (SIM) card; and

a processor configured to cause the wireless apparatus to;

transmit, via the at least one wireless adapter, a request for an eSIM that is not included in the plurality of eSIMs, wherein the request includes the first endorsement certificate and is addressed to a third party entity that is different than a network operator associated with the at least one wireless network;

receive, via the at least one wireless adapter and from the third party entity, the eSIM and a second endorsement certificate associated with the third party entity; and

responsive to successful verification of the second endorsement certificate;

identify a secure partition that corresponds to the eSIM, andstore the eSIM to the secure partition.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein is a technique for securely provisioning access control entities (e.g., electronic Subscriber Identity Module (eSIM) components) to a user equipment (UE) device. In one embodiment, a UE device is assigned a unique key and an endorsement certificate that can be used to provide updates or new eSIMs to the UE device. The UE device can trust eSIM material delivered by an unknown third-party eSIM vendor, based on a secure certificate transmission with the unique key. In another aspect, an operating system (OS) is partitioned into various sandboxes. During operation, the UE device can activate and execute the OS in the sandbox corresponding to a current wireless network. Personalization packages received while connected to the network only apply to that sandbox. Similarly, when loading an eSIM, the OS need only load the list of software necessary for the current run-time environment. Unused software can be subsequently activated.

Citations

26 Claims

1. A wireless apparatus, comprising:
- at least one wireless adapter configured to communicate with at least one wireless network;
  
  a secure element configured to store a plurality of electronic Subscriber Identity Modules (eSIMs), wherein;
  
  the secure element is pre-associated with both a cryptographic key and a first endorsement certificate, and includes, for each eSIM in the plurality of eSIMs, a secure partition that is associated with the eSIM, andeach eSIM of the plurality of eSIMs represents a virtualization of a physical Subscriber Identity Module (SIM) card; and
  
  a processor configured to cause the wireless apparatus to;
  
  transmit, via the at least one wireless adapter, a request for an eSIM that is not included in the plurality of eSIMs, wherein the request includes the first endorsement certificate and is addressed to a third party entity that is different than a network operator associated with the at least one wireless network;
  
  receive, via the at least one wireless adapter and from the third party entity, the eSIM and a second endorsement certificate associated with the third party entity; and
  
  responsive to successful verification of the second endorsement certificate;
  
  identify a secure partition that corresponds to the eSIM, andstore the eSIM to the secure partition.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The wireless apparatus of claim 1, wherein the secure element is pre-associated with the cryptographic key and the first endorsement certificate when the wireless apparatus is manufactured.
  - 3. The wireless apparatus of claim 1, wherein the at least one wireless network comprises a Global Standard for Mobile Communications (GSM) network.
  - 4. The wireless apparatus of claim 1, wherein the at least one wireless network comprises a Universal Mobile Telecommunications System (UMTS) network.
  - 5. The wireless apparatus of claim 1, wherein the at least one wireless network comprises a Code Division Multiple Access 2000 (CDMA 2000) network.
  - 6. The wireless apparatus of claim 1, wherein the cryptographic key is uniquely associated with the first endorsement certificate.
  - 7. The wireless apparatus of claim 1, wherein the cryptographic key is a private key associated with an asymmetric counterpart key that can be publicly distributed.
  - 8. The wireless apparatus of claim 7, wherein the asymmetric counterpart key enables secure transmission of the eSIM between the wireless apparatus and the third party entity.
  - 9. The wireless apparatus of claim 1, wherein the eSIM is encrypted with a session key.
  - 10. The wireless apparatus of claim 1, wherein the secure element is pre-associated with the cryptographic key and the first endorsement certificate when the wireless apparatus is activated.

11. A method for managing electronic subscriber identity modules (eSIMs) that enable a mobile device to access at least one wireless network, comprising:
- at the mobile device;
  
  identifying both a cryptographic key and a first endorsement certificate associated with a secure element included in the mobile device, wherein;
  
  the secure element stores a plurality of eSIMs and includes, for each eSIM in the plurality of eSIMs, a secure partition that is associated with the eSIM, andeach eSIM of the plurality of eSIMs represents a virtualization of a physical Subscriber Identity Module (SIM) card;
  
  issuing, to a third party trusted entity different than a network operator that provides the wireless network, a request for an eSIM that is not included in the plurality of eSIMs, wherein the request includes the first endorsement certificate;
  
  receiving, from the third party trusted entity, the eSIM and a second endorsement certificate; and
  
  responsive to verification of the second endorsement certificate;
  
  identifying a secure partition that corresponds to the eSIM, andstoring the eSIM to the associated secure partition included in the secure element.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The method of claim 11, wherein the cryptographic key is a private key of an asymmetric key pair.
  - 13. The method of claim 11, wherein the eSIM is encrypted with a session key.
  - 14. The method of claim 11, wherein the secure element is pre-associated with the cryptographic key and the first endorsement certificate when the mobile device is manufactured.
  - 15. The method of claim 11, wherein the at least one wireless network comprises a Global Standard for Mobile Communications (GSM) network.
  - 16. The method of claim 11, wherein the at least one wireless network comprises a Universal Mobile Telecommunications System (UMTS) network.
  - 17. The method of claim 11, wherein the at least one wireless network comprises a Code Division Multiple Access 2000 (CDMA 2000) network.
  - 18. The method of claim 11, wherein the cryptographic key is uniquely associated with the first endorsement certificate.
  - 19. The method of claim 11, wherein the cryptographic key is a private key associated with an asymmetric counterpart key that can be publicly distributed.
  - 20. The method of claim 19, wherein the asymmetric counterpart key enables secure transmission of the eSIM between the mobile device and the third party entity.
  - 21. The method of claim 11, wherein the eSIM is encrypted with a session key.

22. An apparatus configured to deliver electronic subscriber identity modules (eSIMs) to mobile devices over a wireless network, the apparatus comprising:
- a processor; and
  
  at least one network interface in data communication with the processor, wherein the processor is configured to cause the apparatus to;
  
  receive, via the at least one network interface and from a secure element included in a mobile device, a request for an eSIM that is not stored by the secure element, wherein the secure element includes a distinct partition for each eSIM of a plurality of eSIMs stored by the secure element, and the request includes a first endorsement certificate that is associated with the secure element and specifies a selection of a network operator;
  
  retrieve a second endorsement certificate that corresponds to the first endorsement certificate to verify the secure element;
  
  upon verification of the secure element, obtain the eSIM; and
  
  transmit the eSIM and a third endorsement certificate to the mobile device, wherein the third endorsement certificate enables the mobile device to verify the apparatus.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The apparatus of claim 22, wherein the processor is further configured to cause the apparatus to retrieve the second endorsement certificate from an endorsement certificate database that stores information about the mobile device.
  - 24. The apparatus of claim 22, wherein the first, the second, and the third endorsement certificates are uniquely associated with a first cryptographic key pair, a second cryptographic key pair, and a third cryptographic key pair, respectively.
  - 25. The apparatus of claim 22, wherein the eSIM is encrypted with a session key.
  - 26. The apparatus of claim 25, wherein the session key is randomly generated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Schell, Stephan V., Hauck, Jerrold Von
Primary Examiner(s)
HENNING, MATTHEW T

Application Number

US13/080,521
Publication Number

US 20120108205A1
Time in Patent Office

1,365 Days
Field of Search

None
US Class Current

713/156
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04W 12/06   Authentication

H04W 12/086   using security domains

H04W 12/35   Protecting application or s...

H04W 4/50   Service provisioning or rec...

H04W 4/60   Subscription-based services...

H04W 8/18   Processing of user or subsc...

H04W 8/205   Transfer to or from user eq...

H04W 8/265   for initial activation of n...

Methods and apparatus for storage and execution of access control clients

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for storage and execution of access control clients

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links