Key derivation for a module using an embedded universal integrated circuit card

US 9,742,562 B2
Filed: 04/15/2016
Issued: 08/22/2017
Est. Priority Date: 09/10/2013
Status: Active Grant

First Claim

Patent Images

1. A method for a module using an embedded integrated circuit card (eUICC) to support authentication, the method comprising the module:

reading a module identity from a protected memory and sending the module identity to an eUICC subscription manager;

reading an eUICC subscription manager public key from the protected memory;

authenticating the eUICC subscription manager using the eUICC subscription manager public key;

receiving a first profile for the eUICC, wherein the first profile includes a first network module identity and a first key K, and wherein the module sends the module identity to the eUICC subscription manager before receiving the first profile;

using the eUICC, the first network module identity, and the first key K to authenticate with a first wireless network;

receiving from an eUICC subscription manager a server public key after authenticating with the first key K;

deriving a shared secret key using (i) the received server public key, (ii) an eUICC private key, and (iii) a shared secret algorithm;

receiving a second profile for the eUICC, wherein the module decrypts the second profile using the derived shared secret key, wherein the decrypted second profile includes a second network module identity and a second key K; and

authenticating with a second wireless network using the second network module identity and the second key K.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A module with an embedded universal integrated circuit card (eUICC) can include a received eUICC profile and a set of cryptographic algorithms. The received eUICC profile can include an initial shared secret key for authentication with a wireless network. The module can receive a key K network token and send a key K module token to the wireless network. The module can use the key K network token, a derived module private key, and a key derivation function to derive a secret shared network key K that supports communication with the wireless network. The wireless network can use the received key K module token, a network private key, and the key derivation function in order to derive the same secret shared network key K derived by the module. The module and the wireless network can subsequently use the mutually derived key K to communicate using traditional wireless network standards.

189 Citations

11 Claims

1. A method for a module using an embedded integrated circuit card (eUICC) to support authentication, the method comprising the module:
- reading a module identity from a protected memory and sending the module identity to an eUICC subscription manager;
  
  reading an eUICC subscription manager public key from the protected memory;
  
  authenticating the eUICC subscription manager using the eUICC subscription manager public key;
  
  receiving a first profile for the eUICC, wherein the first profile includes a first network module identity and a first key K, and wherein the module sends the module identity to the eUICC subscription manager before receiving the first profile;
  
  using the eUICC, the first network module identity, and the first key K to authenticate with a first wireless network;
  
  receiving from an eUICC subscription manager a server public key after authenticating with the first key K;
  
  deriving a shared secret key using (i) the received server public key, (ii) an eUICC private key, and (iii) a shared secret algorithm;
  
  receiving a second profile for the eUICC, wherein the module decrypts the second profile using the derived shared secret key, wherein the decrypted second profile includes a second network module identity and a second key K; and
  
  authenticating with a second wireless network using the second network module identity and the second key K.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising authenticating with the second wireless network using the decrypted second profile, wherein the module (i) sends the second network module identity, (ii) receives a random number (RAND), (iii) uses the RAND, the second key K, and a set of cryptographic algorithms to calculate a response (RES), and (iv) sends the RES to the second wireless network.
  - 3. The method of claim 1, wherein the first profile includes a first set of cryptographic parameters and the second profile includes a second set of cryptographic parameters, and wherein the module uses (i) the first set of cryptographic parameters to authenticate with the first wireless network and (ii) the second set of cryptographic parameters to authenticate with the second wireless network.
  - 4. The method of claim 1, wherein the module uses an elliptic curve cryptography (ECC) algorithm with the server public key, and wherein the module uses a symmetric ciphering algorithm with the derived shared secret key to decrypt the second profile.
  - 5. The method of claim 1, wherein the first network module identity used with the first key K comprises a first international mobile subscriber identity (IMSI), and wherein the second network module identity used with the second key K comprises a second IMSI.
  - 6. The method of claim 1, wherein the eUICC subscription manager derives the server public key and a server private key using a key pair generation algorithm, and wherein the eUICC subscription manager uses the server private key and the eUICC public key to derive the second shared secret key.

7. A method for a module using an embedded integrated circuit card (eUICC) to support authentication, the method comprising the module:
- reading a module identity from a protected memory and sending the module identity to an eUICC subscription manager;
  
  receiving a first profile for the eUICC, wherein the first profile includes a first network module identity and a first key K;
  
  using the eUICC, the first network module identity, and the first key K to authenticate with a first wireless network;
  
  receiving from an eUICC subscription manager a server public key after authenticating with the first key K;
  
  deriving a shared secret key using (i) the received server public key, (ii) an eUICC private key, and (iii) a shared secret algorithm;
  
  receiving a second profile for the eUICC, wherein the module decrypts the second profile using the derived shared secret key, wherein the decrypted second profile includes a second network module identity and a second key K; and
  
  authenticating with a second wireless network using the second network module identity and the second key K, wherein the module (i) sends the second network module identity, (ii) receives a random number (RAND), (iii) uses the RAND, the second key K, and a set of cryptographic algorithms to calculate a response (RES), and (iv) sends the RES to the second wireless network.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7, further comprising:
    - reading an eUICC subscription manager public key from the protected memory;
      
      authenticating the eUICC subscription manager using the eUICC subscription manager public key; and
      
      sending the module identity to the eUICC subscription manager before receiving the first profile.
  - 9. The method of claim 7, wherein the first profile includes a first set of cryptographic parameters and the second profile includes a second set of cryptographic parameters, and wherein the module uses (i) the first set of cryptographic parameters to authenticate with the first wireless network and (ii) the second set of cryptographic parameters to authenticate with the second wireless network.
  - 10. The method of claim 7, wherein the module uses an elliptic curve cryptography (ECC) algorithm with the server public key, and wherein the module uses a symmetric ciphering algorithm with the derived shared secret key to decrypt the second profile.
  - 11. The method of claim 7, wherein the first network module identity used with the first key K comprises a first international mobile subscriber identity (IMSI), and wherein the second network module identity used with the second key K comprises a second IMSI.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
John A. Nix
Original Assignee
M2M and IoT Technologies LLC
Inventors
Nix, John A.
Primary Examiner(s)
CERVETTI, DAVID GARCIA

Application Number

US15/130,146
Publication Number

US 20160234020A1
Time in Patent Office

494 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/35   communicating wirelessly

G06F 21/445   by mutual authentication, e...

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2107   File encryption

G06F 2221/2115   Third party

H04J 11/00   Orthogonal multiplex system...

H04L 12/2854   Wide area networks, e.g. pu...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/72   Signcrypting, i.e. digital ...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/045   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/123   received data contents, e.g...

H04L 63/166   at the transport layer

H04L 67/04   specially adapted for termi...

H04L 9/006 : involving public key infras...

H04L 9/0816 : Key establishment, i.e. cry...

H04L 9/0841 : involving Diffie-Hellman or...

H04L 9/085 : Secret sharing or secret sp...

H04L 9/0861 : Generation of secret inform...

H04L 9/088 : Usage controlling of secret...

H04L 9/0894 : Escrow, recovery or storing...

H04L 9/14 : using a plurality of keys o...

H04L 9/30 : Public key, i.e. encryption...

H04L 9/3066 : involving algebraic varieti...

H04L 9/32 : including means for verifyi...

H04L 9/321 : involving a third party or ...

H04L 9/3239 : involving non-keyed hash fu...

H04L 9/3247 : involving digital signatures

H04L 9/3249 : using RSA or related signat...

H04L 9/3263 : involving certificates, e.g...

H04W 12/02 : Protecting privacy or anony...

H04W 12/033 : of the user plane, e.g. use...

H04W 12/04 : Key management, e.g. using ...

H04W 12/06 : Authentication

H04W 12/069 : using certificates or pre-s...

H04W 12/40 : Security arrangements using...

H04W 4/70 : Services for machine-to-mac...

H04W 40/005 : Routing actions in the pres...

H04W 52/0216 : using a pre-established act...

H04W 52/0235 : where the received signal i...

H04W 52/0277 : according to available powe...

H04W 76/27 : Transitions between radio r...

H04W 8/082 : for traffic bypassing of mo...

H04W 80/04 : Network layer protocols, e....

H04W 84/12 : WLAN [Wireless Local Area N...

H04W 88/12 : Access point controller dev...

H05K 999/99 : dummy group

Y02D 30/70 : in wireless communication n...

View All

Key derivation for a module using an embedded universal integrated circuit card

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

189 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Key derivation for a module using an embedded universal integrated circuit card

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

189 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links