Apparatus and methods for storing electronic access clients

US 9,009,475 B2
Filed: 04/25/2011
Issued: 04/14/2015
Est. Priority Date: 04/05/2011
Status: Active Grant

First Claim

Patent Images

1. An apparatus configured to provide access data elements to peer devices, the apparatus comprising:

a first secure element adapted to store a plurality of access data elements; and

a processor configured to cause the apparatus to;

receive, from a peer device, a request for at least one access data element of the plurality of access data elements, wherein the request includes;

a public key that is unique to a second secure element included in the peer device, anda unique identifier that is generated by the peer device in conjunction with the request;

obtain, from the first secure element, the at least one access data element;

encrypt the at least one access data element using the public key;

generate a package that includes the encrypted at least one access data element and the unique identifier;

sign the package to produce a signed package, wherein the signed package enables the peer device to authenticate the apparatus;

transfer the signed package to the peer device; and

in response to receiving, from the peer device, an indication that the at least one access data element is stored in the second secure element;

remove the at least one access data element from the first secure element.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods for storing and controlling access control clients. In one embodiment, transmitting and receiving devices ensure that only one copy of an eSIM is active at any time. Specifically, each transferred eSIM is encrypted for the destination device; the eSIM from the source device is deleted, deactivated, or otherwise rendered unusable. Various aspects of network infrastructure are also described, including electronic Universal Integrated Circuit Card (eUICC) appliances, and mobile devices. Various scenarios for transfer of eSIMs are also disclosed.

68 Citations

View as Search Results

22 Claims

1. An apparatus configured to provide access data elements to peer devices, the apparatus comprising:
- a first secure element adapted to store a plurality of access data elements; and
  
  a processor configured to cause the apparatus to;
  
  receive, from a peer device, a request for at least one access data element of the plurality of access data elements, wherein the request includes;
  
  a public key that is unique to a second secure element included in the peer device, anda unique identifier that is generated by the peer device in conjunction with the request;
  
  obtain, from the first secure element, the at least one access data element;
  
  encrypt the at least one access data element using the public key;
  
  generate a package that includes the encrypted at least one access data element and the unique identifier;
  
  sign the package to produce a signed package, wherein the signed package enables the peer device to authenticate the apparatus;
  
  transfer the signed package to the peer device; and
  
  in response to receiving, from the peer device, an indication that the at least one access data element is stored in the second secure element;
  
  remove the at least one access data element from the first secure element.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus of claim 1, wherein each access data element of the plurality of access data elements is associated with a mobile network operator (MNO).
  - 3. The apparatus of claim 1, wherein each access data element of the plurality of access data elements is associated with a user.
  - 4. The apparatus of claim 1, wherein each access data element of the plurality of access data elements is associated with a different use case for a same user.
  - 5. The apparatus of claim 1, wherein the processor is further configured to cause the apparatus to negotiate a transfer protocol with the peer device prior to receiving the request from the peer device.
  - 6. The apparatus of claim 5, wherein the processor is further configured to cause the apparatus to encrypt the signed package based on the negotiated transfer protocol.
  - 7. The apparatus of claim 6, wherein negotiating the transfer protocol comprises identifying that the transfer protocol is supported by the apparatus and the peer device.
  - 8. The apparatus of claim 1, wherein the processor is further configured to cause the apparatus to identify a number of times the at least one access data element has been transferred between different devices.
  - 9. The apparatus of claim 8, wherein the processor is further configured to cause the apparatus to transfer the signed package to the peer device subsequent to verifying that the number of times satisfies a predetermined threshold.
  - 10. The apparatus of claim 1, wherein each access data element of the plurality of access data elements is an electronic Subscriber Identity Module (eSIM).
  - 11. The apparatus of claim 1, wherein the apparatus is a Hardware Security Module (HSM).

12. A method for transferring access data elements to peer devices, the method comprising:
- at an apparatus including a first secure element that stores a plurality of access data elements;
  
  receiving, from a peer device, a request for at least one access data element of the plurality of access data elements, wherein the request includes;
  
  a public key that is unique to a second secure element included in the peer device, anda unique identifier that is generated by the peer device in conjunction with the request;
  
  obtaining, from the first secure element, the at least one access data element;
  
  encrypting the at least one access data element using the public key;
  
  generating a package that includes the encrypted at least one access data element and the unique identifier;
  
  signing the package to produce a signed package, wherein the signed package enables the peer device to authenticate the apparatus;
  
  transferring the signed package to the peer device; and
  
  in response to receiving, from the peer device, an indication that the at least one access data element is stored in the second secure element;
  
  removing the at least one access data element from the first secure element.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12, wherein each access data element of the plurality of access data elements is associated with a mobile network operator (MNO).
  - 14. The method of claim 12, further comprising negotiating a transfer protocol with the peer device prior to receiving the request from the peer device.
  - 15. The method of claim 12, further comprising identifying a number of times the at least one access data element has been transferred between different devices.
  - 16. The method of claim 15, wherein the signed package is transferred upon verifying that the number of times satisfies a predetermined threshold.
  - 17. The method of claim 12, further comprising identifying device restrictions associated with the peer device.
  - 18. The method of claim 17, wherein the signed package is transferred to the peer device subsequent to verifying that the device restrictions do not prohibit the transfer of the signed package.
  - 19. The method of claim 12, wherein each access data element of the plurality of access data elements is an electronic Subscriber Identity Module (eSIM).

20. A mobile device, comprising:
- a secure element; and
  
  a processor configured to cause the mobile device to;
  
  issue, to an apparatus configured to store a plurality of access data elements, a request for at least one access data element of the plurality of access data elements, wherein the request includes;
  
  a public key that is unique to the secure element, anda unique identifier that is generated in conjunction with issuing the request;
  
  receive a package from the apparatus, wherein the package includes;
  
  a digital signature generated by the apparatus;
  
  the at least one access data element, wherein the at least one access data element is encrypted based on the public key, and the unique identifier;
  
  verify the package in accordance with the digital signature;
  
  decrypt the at least one access data element using a private key that corresponds to the public key; and
  
  store the at least one access data element into the secure element.
- View Dependent Claims (21, 22)
- - 21. The mobile device of claim 20, wherein the package is received from the apparatus subsequent to the apparatus verifying that the at least one access data element has been transferred a number of times that satisfies a particular threshold.
  - 22. The mobile device of claim 20, wherein each access data element of the plurality of access data elements is an electronic Subscriber Identity Module (eSIM).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Hauck, Jerrold Von, Haggerty, David T., McLaughlin, Kevin
Primary Examiner(s)
Rashid, Harunur
Assistant Examiner(s)
HOLMES, ANGELA R

Application Number

US13/093,722
Publication Number

US 20120260090A1
Time in Patent Office

1,450 Days
Field of Search

370/338, 455/558, 455/556, 726/6, 726/22, 713/168
US Class Current

713/168
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/0853   using an additional device,...

H04L 9/08   Key distribution or managem...

H04L 9/12   Transmitting and receiving ...

H04L 9/30   Public key, i.e. encryption...

H04L 9/32   including means for verifyi...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/35   Protecting application or s...

H04W 12/43   using shared identity modul...

Apparatus and methods for storing electronic access clients

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and methods for storing electronic access clients

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links