Key derivation for a module using an embedded universal integrated circuit card

US 10,187,206 B2
Filed: 08/18/2017
Issued: 01/22/2019
Est. Priority Date: 09/10/2013
Status: Active Grant

First Claim

Patent Images

1. A method for securely distributing a profile from a subscription manager system to a module comprising the steps of:

(a) recording, in memory operatively connected to the subscription manager system, a digital signature algorithm comprising an elliptic curve digital signature algorithm;

(b) recording, by the memory operatively connected to the subscription manager system, a server private key and a corresponding server public key, wherein the server public key and the server private key use elliptic curve cryptography;

(c) recording, by the memory operatively connected to the subscription manager system, a symmetric ciphering algorithm, wherein the symmetric ciphering algorithm comprises an Advanced Encryption Standard with a 128 bit key length;

(d) receiving, by the subscription manager system, a certificate associated with the module from a module provider system associated with a module provider, wherein the certificate includes a module public key;

(e) receiving, by the subscription manager system, a challenge from the module;

(f) generating, by the subscription manager system, a network private key and a corresponding network public key, using a key pair generation algorithm;

(g) sending the generated network public key to the module; and

(h) sending a digital signature and the challenge to the module, wherein the digital signature is generated using the server private key and the digital signature algorithm;

(i) generating, by the subscription manager system, a mutually derived shared key using Elliptic Curve Diffie-Hellman based on at least;

(1) the module public key, and(2) the network private key;

wherein the mutually derived shared key is derived by the module based on at least;

(i) a module private key associated with the module public key, and(ii) the network public key;

(j) encrypting, by the subscription manager system, the profile using;

(1) the symmetric ciphering algorithm, and(2) the mutually derived shared key;

(k) sending, from the subscription manager system to the module, the encrypted profile, wherein the profile includes network access credentials for a wireless network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A module with an embedded universal integrated circuit card (eUICC) can include a received eUICC profile and a set of cryptographic algorithms. The received eUICC profile can include an initial shared secret key for authentication with a wireless network. The module can receive a key K network token and send a key K module token to the wireless network. The module can use the key K network token, a derived module private key, and a key derivation function to derive a secret shared network key K that supports communication with the wireless network. The wireless network can use the received key K module token, a network private key, and the key derivation function in order to derive the same secret shared network key K derived by the module. The module and the wireless network can subsequently use the mutually derived key K to communicate using traditional wireless network standards.

204 Citations

13 Claims

1. A method for securely distributing a profile from a subscription manager system to a module comprising the steps of:
- (a) recording, in memory operatively connected to the subscription manager system, a digital signature algorithm comprising an elliptic curve digital signature algorithm;
  
  (b) recording, by the memory operatively connected to the subscription manager system, a server private key and a corresponding server public key, wherein the server public key and the server private key use elliptic curve cryptography;
  
  (c) recording, by the memory operatively connected to the subscription manager system, a symmetric ciphering algorithm, wherein the symmetric ciphering algorithm comprises an Advanced Encryption Standard with a 128 bit key length;
  
  (d) receiving, by the subscription manager system, a certificate associated with the module from a module provider system associated with a module provider, wherein the certificate includes a module public key;
  
  (e) receiving, by the subscription manager system, a challenge from the module;
  
  (f) generating, by the subscription manager system, a network private key and a corresponding network public key, using a key pair generation algorithm;
  
  (g) sending the generated network public key to the module; and
  
  (h) sending a digital signature and the challenge to the module, wherein the digital signature is generated using the server private key and the digital signature algorithm;
  
  (i) generating, by the subscription manager system, a mutually derived shared key using Elliptic Curve Diffie-Hellman based on at least;
  
  (1) the module public key, and(2) the network private key;
  
  wherein the mutually derived shared key is derived by the module based on at least;
  
  (i) a module private key associated with the module public key, and(ii) the network public key;
  
  (j) encrypting, by the subscription manager system, the profile using;
  
  (1) the symmetric ciphering algorithm, and(2) the mutually derived shared key;
  
  (k) sending, from the subscription manager system to the module, the encrypted profile, wherein the profile includes network access credentials for a wireless network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - (1) sending, from the subscription manager system to the module, the generated network public key after the module authenticates with a network associated with the subscription manager system.
  - 3. The method of claim 1, further comprising:
    - (1) generating the network public key using an elliptic curve algorithm based on a first elliptic curve, wherein the module public key is generated using the elliptic curve algorithm using the first elliptic curve.
  - 4. The method of claim 3, wherein the certificate associated with the module further comprises the first elliptic curve.
  - 5. The method of claim 1, further comprising sending the generated network public key to the module without a certificate for the network public key.
  - 6. The method of claim 1, wherein the network access credentials include an international mobile subscriber identity and a key K.
  - 7. The method of claim 1, wherein the module receives the server public key using a domain name and downloading the server public key.
  - 8. The method of claim 1, wherein the module provider further services the module and loads an initial profile into the module, and wherein the encrypted profile is received by the module using the initial profile to connect with an initial wireless network.
  - 9. The method of claim 1, wherein prior to step (e), a server associated with the subscription manager system has recorded a pre-shared secret key, and the module has recorded the pre-shared secret key.
  - 10. The method of claim 1, wherein the module includes an embedded universal integrated circuit card, and wherein the embedded universal integrated circuit card records in second memory within the embedded universal integrated circuit card the module private key and the profile.
  - 11. The method of claim 1, further comprising:
    - (1) generating, by the subscription manager system, the mutually derived shared key using American National Standards Institute standard X-9.63.
  - 12. The method of claim 1, wherein the sending step (h) occurs before the generating step (i).
  - 13. The method of claim 1, wherein the sending step (h) occurs after the generating step (i).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
John A. Nix
Original Assignee
Network-1 Technologies, Inc.
Inventors
Nix, John A.
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US15/680,758
Publication Number

US 20170373845A1
Time in Patent Office

522 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/35   communicating wirelessly

G06F 21/445   by mutual authentication, e...

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2107   File encryption

G06F 2221/2115   Third party

H04J 11/00   Orthogonal multiplex system...

H04L 12/2854   Wide area networks, e.g. pu...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/72   Signcrypting, i.e. digital ...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/045   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/123   received data contents, e.g...

H04L 63/166   at the transport layer

H04L 67/04   specially adapted for termi...

H04L 9/006 : involving public key infras...

H04L 9/0816 : Key establishment, i.e. cry...

H04L 9/0841 : involving Diffie-Hellman or...

H04L 9/085 : Secret sharing or secret sp...

H04L 9/0861 : Generation of secret inform...

H04L 9/088 : Usage controlling of secret...

H04L 9/0894 : Escrow, recovery or storing...

H04L 9/14 : using a plurality of keys o...

H04L 9/30 : Public key, i.e. encryption...

H04L 9/3066 : involving algebraic varieti...

H04L 9/32 : including means for verifyi...

H04L 9/321 : involving a third party or ...

H04L 9/3239 : involving non-keyed hash fu...

H04L 9/3247 : involving digital signatures

H04L 9/3249 : using RSA or related signat...

H04L 9/3263 : involving certificates, e.g...

H04W 12/02 : Protecting privacy or anony...

H04W 12/033 : of the user plane, e.g. use...

H04W 12/04 : Key management, e.g. using ...

H04W 12/06 : Authentication

H04W 12/069 : using certificates or pre-s...

H04W 12/40 : Security arrangements using...

H04W 4/70 : Services for machine-to-mac...

H04W 40/005 : Routing actions in the pres...

H04W 52/0216 : using a pre-established act...

H04W 52/0235 : where the received signal i...

H04W 52/0277 : according to available powe...

H04W 76/27 : Transitions between radio r...

H04W 8/082 : for traffic bypassing of mo...

H04W 80/04 : Network layer protocols, e....

H04W 84/12 : WLAN [Wireless Local Area N...

H04W 88/12 : Access point controller dev...

H05K 999/99 : dummy group

Y02D 30/70 : in wireless communication n...

View All

Key derivation for a module using an embedded universal integrated circuit card

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

204 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Key derivation for a module using an embedded universal integrated circuit card

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

204 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others