Embedded universal integrated circuit card supporting two-factor authentication
First Claim
1. A method to support remotely changing network access credentials, the method performed by an embedded Universal Integrated Circuit Card (eUICC), the method comprising:
- recording, by the eUICC, an eUICC private key, an eUICC public key, an eUICC subscription manager public key, a symmetric key, and an eUICC identity;
sending the eUICC identity and a first digital signature using the eUICC private key, wherein the eUICC processes the first digital signature for a first pseudo-random number received by the eUICC, wherein the first pseudo-random number is received by the eUICC with a second digital signature, and wherein the eUICC verifies the second digital signature using the subscription manager public key;
receiving, by the eUICC, a first encrypted profile, wherein the eUICC uses the symmetric key to decrypt at least a portion of the first encrypted profile, wherein the portion includes a first key K and a first network module identity;
sending, by the eUICC, the first network module identity, receiving a second pseudo-random number, processing a first response value (RES) using the first key K, and sending the first RES;
receiving, by the eUICC, a server public key, wherein the eUICC uses a key exchange algorithm, the eUICC private key, and the received server public key to derive a profile key, wherein the key exchange algorithm uses at least, in part, a Diffie-Hellman key exchange, wherein the eUICC uses the profile key to decrypt a second encrypted profile, and wherein the second encrypted profile includes a second key K and a second network module identity; and
,sending, by the eUICC, the second network module identity, receiving a third pseudo-random number, processing a second RES using the second key K, and sending the second RES.
4 Assignments
0 Petitions
Accused Products
Abstract
A module with an embedded universal integrated circuit card (eUICC) can include a profile for the eUICC. The profile can include a first and second shared secret key K for authenticating with a wireless network. The first shared secret key K can be encrypted with a first key, and the second shared secret key K can be encrypted with a second key. The module can (i) receive the first key, (ii) decrypt the first shared secret key K with the first key, and (iii) subsequently authenticate with the wireless network using the plaintext first shared secret key K. The wireless network can authenticate the user of the module using a second factor. The module can then (i) receive the second key, (ii) decrypt the second shared secret key K, and (iii) authenticate with the wireless network using the second shared secret key K. The module can comprise a mobile phone.
200 Citations
23 Claims
-
1. A method to support remotely changing network access credentials, the method performed by an embedded Universal Integrated Circuit Card (eUICC), the method comprising:
-
recording, by the eUICC, an eUICC private key, an eUICC public key, an eUICC subscription manager public key, a symmetric key, and an eUICC identity; sending the eUICC identity and a first digital signature using the eUICC private key, wherein the eUICC processes the first digital signature for a first pseudo-random number received by the eUICC, wherein the first pseudo-random number is received by the eUICC with a second digital signature, and wherein the eUICC verifies the second digital signature using the subscription manager public key; receiving, by the eUICC, a first encrypted profile, wherein the eUICC uses the symmetric key to decrypt at least a portion of the first encrypted profile, wherein the portion includes a first key K and a first network module identity; sending, by the eUICC, the first network module identity, receiving a second pseudo-random number, processing a first response value (RES) using the first key K, and sending the first RES; receiving, by the eUICC, a server public key, wherein the eUICC uses a key exchange algorithm, the eUICC private key, and the received server public key to derive a profile key, wherein the key exchange algorithm uses at least, in part, a Diffie-Hellman key exchange, wherein the eUICC uses the profile key to decrypt a second encrypted profile, and wherein the second encrypted profile includes a second key K and a second network module identity; and
,sending, by the eUICC, the second network module identity, receiving a third pseudo-random number, processing a second RES using the second key K, and sending the second RES. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A system for remotely changing network access credentials, the system comprising:
-
a nonvolatile memory for recording an eUICC private key, an eUICC public key, and eUICC subscription manager public key, a symmetric key, and an eUICC identity; an embedded Universal Integrated Circuit Card for sending the eUICC identity and a first digital signature using the eUICC private key, wherein the eUICC processes the first digital signature for a first pseudo-random number received by the eUICC, wherein the first pseudo-random number is received by the eUICC with a second digital signature, and wherein the eUICC verifies the second digital signature using the subscription manager public key; a system bus connected to the eUICC for receiving a first encrypted profile, wherein the eUICC uses the symmetric key to decrypt at least a portion of the first encrypted profile, wherein the portion includes a first key K and a first network module identity; an eUICC driver, for receiving from the eUICC the first network module identity, for receiving a second pseudo-random number (RAND), and for sending a first response (RES) from the eUICC to a network application; a processor in the eUICC for receiving a server public key, for deriving a profile key using a key exchange algorithm, the eUICC private key, and the received server public key, wherein the key exchange algorithm uses at least, in part, a Diffie-Hellman key exchange, wherein the processor uses the profile key to decrypt a second encrypted profile, and wherein the second encrypted profile includes a second key K and a second network module identity; and
,the network application for sending the second network module identity, for receiving a third pseudo-random number, and for sending a second RES, wherein the second RES is processed using the second key K. - View Dependent Claims (11, 12, 13, 14, 15)
-
-
16. A system for remotely changing network access credentials, the system comprising:
-
a nonvolatile memory for recording an embedded Universal Integrated Circuit Card (eUICC) identity, an eUICC private key, a first symmetric key, and an address, wherein the eUICC private key is associated with an eUICC public key; a network interface for sending the eUICC identity to the address, for receiving an encrypted first profile and an encrypted server public key after sending the eUICC identity, wherein the encrypted server public key is decrypted with a symmetric ciphering algorithm and the first symmetric key, wherein a profile key is derived using at least, in part a Diffie-Hellman key exchange, the eUICC private key, and the decrypted server public key, wherein the encrypted first profile is decrypted with the derived profile key, and wherein the decrypted first profile includes a first key K1; a network application for authenticating with a wireless network using the first key K1, and for receiving a key exchange token; a processor for deriving a second symmetric key using the key exchange token and a key derivation algorithm; and an eUICC for receiving a second encrypted profile, wherein the second encrypted profile is decrypted using the second symmetric key, wherein the decrypted second profile includes a second key K2; and
,the network application for receiving a pseudo-random number (RAND), for calculating a response value (RES) using the RAND and the second key K2, and for sending the RES. - View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
-
Specification