Methods and apparatus for establishing a secure communication channel

US 9,930,035 B2
Filed: 06/22/2017
Issued: 03/27/2018
Est. Priority Date: 07/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method by an embedded Universal Integrated Circuit Card (eUICC), the method comprising:

at the eUICC, which is associated with a long-term public key (PK_eUICC) and a long-term private key (SK_eUICC);

transmitting, to a server via a wireless device, a request to establish a first secure connection with the server, wherein the eUICC is present in the wireless device, and wherein the server is associated with a long-term public key (PKserver) and a long-term private key (SKserver);

producing a signature by using SK_eUICC;

sending the signature to the server via the wireless device;

authenticating the server using PK_server;

generating an ephemeral public key (ePK_eUICC) and an ephemeral private key (eSK_eUICC);

signing ePK_eUICCusing SK_eUICCto produce a signed ePK_eUICC;

providing the signed ePK_eUICCto the server via the wireless device;

receiving, from the server via the wireless device, an ephemeral key (ePK_sewer) that is signed using SK_server;

generating a shared symmetric key using SK_eUICCand ePK_server;

storing, within a security domain of the eUICC, the shared symmetric key;

establishing, at a first time, the first secure connection using the shared symmetric key; and

using, at a second time subsequent to the first time, the shared symmetric key to communicate with the server over a second secure connection.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for establishing a secure communication channel between an off-card entity and an embedded Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, an off-card entity, and each eUICC in a set of eUICCs managed by the off-card entity, possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the eUICC and the off-card entity can authenticate one another in accordance with the respectively-possessed PKI information (e.g., verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward security is desired. Once the shared session-based symmetric key is established, the off-card entity and the eUICC can securely communicate information.

23 Citations

View as Search Results

20 Claims

1. A method by an embedded Universal Integrated Circuit Card (eUICC), the method comprising:
- at the eUICC, which is associated with a long-term public key (PK_eUICC) and a long-term private key (SK_eUICC);
  
  transmitting, to a server via a wireless device, a request to establish a first secure connection with the server, wherein the eUICC is present in the wireless device, and wherein the server is associated with a long-term public key (PKserver) and a long-term private key (SKserver);
  
  producing a signature by using SK_eUICC;
  
  sending the signature to the server via the wireless device;
  
  authenticating the server using PK_server;
  
  generating an ephemeral public key (ePK_eUICC) and an ephemeral private key (eSK_eUICC);
  
  signing ePK_eUICCusing SK_eUICCto produce a signed ePK_eUICC;
  
  providing the signed ePK_eUICCto the server via the wireless device;
  
  receiving, from the server via the wireless device, an ephemeral key (ePK_sewer) that is signed using SK_server;
  
  generating a shared symmetric key using SK_eUICCand ePK_server;
  
  storing, within a security domain of the eUICC, the shared symmetric key;
  
  establishing, at a first time, the first secure connection using the shared symmetric key; and
  
  using, at a second time subsequent to the first time, the shared symmetric key to communicate with the server over a second secure connection.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - receiving, from the server over the first secure connection, an electronic subscriber identity module (eSIM).
  - 3. The method of claim 1, further comprising:
    - receiving, from the server over the first secure connection, an update to an electronic subscriber identity module (eSIM) managed by the eUICC; and
      
      processing the update to the eSIM.
  - 4. The method of claim 1, further comprising:
    - receiving, from the server over the first secure connection, a command to remove an electronic subscriber identity module (eSIM) managed by the eUICC; and
      
      removing the eSIM from the eUICC.
  - 5. The method of claim 1, further comprising:
    - prior to authenticating the server;
      
      receiving, from the server via the wireless device, PK_server.
  - 6. The method of claim 1, wherein the using the shared symmetric key at the second time reduces overhead.

7. An embedded Universal Integrated Circuit Card (eUICC) comprising:
- a memory; and
  
  one or more processors, wherein the eUICC is present in a wireless device, and wherein the memory includes instructions that when executed by a processor of the one or more processors, cause the eUICC to perform operations comprising;
  
  transmitting, to a server via the wireless device, a request to establish a first secure connection with the server, wherein the server is associated with a long-term public key (PK_server) and a long-term private key (SK_server),producing a signature by using an eUICC long-term private key (SK_eUICC),sending the signature to the server via the wireless device,authenticating the server using PK_server,generating an ephemeral public key (ePK_eUICC) and an ephemeral private key (eSK_eUICC),signing ePK_eUICCusing SK_eUICCto produce a signed ePK_eUICC,providing the signed ePK_eUICCto the server via the wireless device,receiving, from the server via the wireless device, an ephemeral key (ePK_server) that is signed using SK_server,generating a shared symmetric key using SK_eUICCand ePK_server,storing, within a security domain of the eUICC, the shared symmetric key,establishing, at a first time, the first secure connection using the shared symmetric key, andusing, at a second time subsequent to the first time, the shared symmetric key to communicate with the server over a second secure connection.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The eUICC of claim 7, wherein the operations further comprise:
    - receiving, from the server over the first secure connection via the wireless device, an electronic subscriber identity module (eSIM).
  - 9. The eUICC of claim 7, wherein the operations further comprise:
    - receiving, from the server over the first secure connection via the wireless device, an update to an electronic subscriber identity module (eSIM) managed by the eUICC; and
      
      processing the update to the eSIM.
  - 10. The eUICC of claim 7, wherein the operations further comprise:
    - receiving, from the server over the first secure connection, a command to remove an electronic subscriber identity module (eSIM) managed by the eUICC; and
      
      removing the eSIM from the eUICC.
  - 11. The eUICC of claim 7, wherein the operations further comprise:
    - prior to authenticating the server;
      
      receiving, from the server via the wireless device, PK_server.
  - 12. The eUICC of claim 7, wherein the using the shared symmetric key at the second time reduces overhead.

13. An apparatus comprising:
- an embedded universal integrated circuit card, wherein the eUICC includes a memory; and
  
  one or more processors, wherein the memory includes instructions that when executed by a processor of the one or more processors, cause the eUICC to perform operations comprising;
  
  transmitting, to a server via the apparatus, a request to establish a first secure connection with a server, wherein the request includes PK_eUICC, wherein the server is associated with a long-term public key (PK_server) and a long-term private key (SK_server),producing a signature by using an eUICC a long-term private key (SK_eUICC),sending the signature to the server via the apparatus,authenticating the server using PK_server,providing PK_eUICCto the server,receiving, from the server via the apparatus, an ephemeral key (ePK_sewer) that is signed using SK_server,generating a shared symmetric key using SK_eUICCand ePK_sewer,storing, within a security domain of the eUICC, the shared symmetric key,establishing, at a first time, the first secure connection using the shared symmetric key, andusing, at a second time subsequent to the first time, the shared symmetric key to communicate with the server over a second secure connection.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The apparatus of claim 13, further comprising:
    - receiving, from the server over the first secure connection, an electronic subscriber identity module (eSIM).
  - 15. The apparatus of claim 13, further comprising:
    - receiving, from the server over the first secure connection, an update to an electronic subscriber identity module (eSIM) managed by the eUICC; and
      
      processing the update to the eSIM.
  - 16. The apparatus of claim 13, further comprising:
    - receiving, from the server over the first secure connection, a command to remove an electronic subscriber identity module (eSIM) managed by the eUICC; and
      
      removing the eSIM from the eUICC.
  - 17. The apparatus of claim 13, further comprising:
    - prior to authenticating the server;
      
      receiving, from the server via the apparatus, PKI information.
  - 18. The apparatus of claim 17, wherein the PKI information comprises PK_server.
  - 19. The apparatus of claim 17, further comprising:
    - parsing from the PKI information a certificate authority (CA) signature, wherein the authenticating the server comprises verifying the CA signature.
  - 20. The apparatus of claim 13, wherein the using the shared symmetric key at the second time reduces overhead.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Yang, Xiangying, Li, Li, Hauck, Jerrold Von
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
STEINLE, ANDREW J

Application Number

US15/630,710
Publication Number

US 20170289142A1
Time in Patent Office

278 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/065   for group communications cr...

H04L 63/068   using time-dependent keys, ...

H04L 63/0853   using an additional device,...

H04L 63/105   Multiple levels of security

H04W 12/041   Key generation or derivation

H04W 12/0433   Key management protocols

H04W 12/069   using certificates or pre-s...

H05K 999/99   dummy group

Methods and apparatus for establishing a secure communication channel

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for establishing a secure communication channel

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links