Apparatus and method for secure provisioning of a communication device

US 10,200,367 B2
Filed: 01/16/2018
Issued: 02/05/2019
Est. Priority Date: 11/01/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining, by a secure processing device of a communication device, an over-the-air programming message that includes programming data, wherein the programming data is for use by the communication device, wherein the secure processing device includes a processor, and wherein the over-the-air programming message is obtained from an over-the-air programming server;

decrypting, by the secure processing device, the over-the-air programming message utilizing a first keyset obtained by the secure processing device to generate a first-keyset decrypted over-the-air programming message, wherein the first keyset is obtained from a remote management server via transmission by the over-the-air programming server; and

providing, by the secure processing device, the first-keyset decrypted over-the-air programming message to a secure element, wherein the providing of the first-keyset decrypted over-the-air programming message to the secure element enables the secure element to further decrypt the first-keyset decrypted over-the-air programming message utilizing a second keyset, and wherein the secure processing device does not have access to the second keyset.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system that incorporates the subject disclosure may perform, for example, obtaining programming data via an over-the-air programming message for use by a communication device, wherein the over-the-air programming message is obtained from, and encrypted by an over-the-air programming server. The over-the-air programming message is decrypted utilizing a first keyset obtained by a secure device processor processing the first keyset obtained from a remote management server via transmission by the over-the-air programming server, to generate a first-key decrypted over-the-air programming message. The decrypted over-the-air programming message is provided to a secure element to enable the secure element to further decrypt the first-key decrypted over-the-air programming message utilizing a second keyset, wherein the secure device processor does not have access to the second keyset. Other embodiments are disclosed.

246 Citations

20 Claims

1. A method comprising:
- obtaining, by a secure processing device of a communication device, an over-the-air programming message that includes programming data, wherein the programming data is for use by the communication device, wherein the secure processing device includes a processor, and wherein the over-the-air programming message is obtained from an over-the-air programming server;
  
  decrypting, by the secure processing device, the over-the-air programming message utilizing a first keyset obtained by the secure processing device to generate a first-keyset decrypted over-the-air programming message, wherein the first keyset is obtained from a remote management server via transmission by the over-the-air programming server; and
  
  providing, by the secure processing device, the first-keyset decrypted over-the-air programming message to a secure element, wherein the providing of the first-keyset decrypted over-the-air programming message to the secure element enables the secure element to further decrypt the first-keyset decrypted over-the-air programming message utilizing a second keyset, and wherein the secure processing device does not have access to the second keyset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - determining, by the secure processing device, a schedule for providing messages to the secure element of the communication device, wherein the secure processing device is separate from the secure element and in communication with the secure element.
  - 3. The method of claim 1, wherein the over-the-air programming message originates from a service provisioning system, wherein the over-the-air programming server does not have access to the second keyset, and wherein the service provisioning system has access to the second keyset.
  - 4. The method of claim 3, comprising:
    - determining, by the secure processing device, that a response has been generated by the secure element and is associated with the over-the-air programming message; and
      
      providing, by the secure processing device, the response to the over-the-air programming server for transmission to the service provisioning system, wherein the response is encrypted by the secure element utilizing the second keyset, and wherein the response is configured for decryption by the service provisioning system utilizing the second keyset.
  - 5. The method of claim 1, further comprising:
    - monitoring, by the secure processing device, for a response provided by the secure element;
      
      determining, by the secure processing device, that the response is associated with the over-the-air programming message;
      
      encrypting, by the secure processing device, the response utilizing the first keyset to generate an encrypted response; and
      
      providing, by the secure processing device, the encrypted response to the over-the-air programming server to enable the over-the-air programming server to decrypt the encrypted response for transmission to a service provisioning system.
  - 6. The method of claim 5, further comprising:
    - authenticating, by the secure processing device, with the secure element utilizing a third keyset; and
      
      obtaining, by the secure processing device, the first keyset from the secure element,wherein the first keyset is generated by the secure element from a static key that is provided by the remote management server to the secure element and to the over-the-air programming server.
  - 7. The method of claim 6, wherein the providing of the static key to the secure element by the remote management server is based on another over-the-air programming message that utilizes short message service transport protocol.
  - 8. The method of claim 1, comprising:
    - providing, by the secure processing device, a request to the secure element for the first keyset responsive to a determination that the over-the-air programming message has been encrypted; and
      
      obtaining, by the secure processing device, the first keyset from the secure element.
  - 9. The method of claim 1, comprising retransmitting, by the secure processing device, the first-keyset decrypted over-the-air programming message to the secure element.

10. A method comprising:
- generating, by a processing system of a server, a first keyset from a static key obtained from a remote management server via a secure element of a communication device, wherein the processing system includes a processor, and wherein the secure element generates a first keyset from the static key to enable the secure element to provide the first keyset to a secure device processor of the communication device;
  
  encrypting, by the processing system of the server, an over-the-air programming message utilizing the first keyset to generate an encrypted over-the-air programming message, wherein the over-the-air programming message includes programming data for use by the communication device; and
  
  providing, by the processing system of the server, the encrypted over-the-air programming message to the secure device processor of the communication device to enable the secure device processor to decrypt the encrypted over-the-air programming message utilizing the first keyset, wherein the providing of the encrypted over-the-air programming message further enables the secure device processor to provide the programming data to the secure element of the communication device for provisioning of the communication device, wherein the secure device processor is separate from the secure element and in communication with the secure element, wherein the providing of the programming data to the secure element enables the secure element to further decrypt the programming data utilizing a second keyset, and wherein the secure device processor does not have access to the second keyset.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, comprising obtaining, by the processing system of the server, the over-the-air programming message from a service provisioning system, wherein the over-the-air programming message is encrypted by the service provisioning system utilizing a second keyset.
  - 12. The method of claim 10, wherein the providing of the encrypted over-the-air programming message to the secure device processor utilizes a hypertext transfer protocol.
  - 13. The method of claim 10, wherein the secure device processor provide the programming data to the secure element of the communication device according to a schedule for provisioning of the communication device.
  - 14. The method of claim 13, wherein the schedule is determined by the secure device processor.
  - 15. The method of claim 10, comprising:
    - obtaining, by the processing system of the server, the over-the-air programming message from a service provisioning system;
      
      obtaining, by the processing system of the server, a request from the service provisioning system to provide the over-the-air programming message to a second communication device;
      
      determining, by the processing system of the server, that the second communication device is not registered with the server; and
      
      providing, by the processing system of the server, a notice to the service provisioning system indicating that a second secure device processor of the second communication device is not registered with the server.
  - 16. The method of claim 10, comprising:
    - obtaining, by the processing system of the server, a response to the over-the-air programming message;
      
      decrypting, by the processing system of the server, the response utilizing the first keyset to generate a first-keyset decrypted response; and
      
      providing, by the processing system of the server, the first-keyset decrypted response to a service provisioning system that originated the over-the-air programming message.

17. A communication device comprising:
- a secure element having a secure element memory with first executable instructions, wherein the secure element, responsive to executing the first executable instructions, facilitate performance of first operations, the first operations comprising;
  
  providing a first keyset to a secure device processor; and
  
  performing an additional decryption of a first-keyset decrypted over-the-air programming message obtained from the secure device processor, utilizing a second keyset, wherein the secure device processor does not have access to the second keyset; and
  
  the secure device processor having a secure device processor memory with second executable instructions, wherein the secure device processor, responsive to executing the second executable instructions, performs second operations comprising;
  
  decrypting an over-the-air programming message utilizing the first keyset to generate the first-keyset decrypted over-the-air programming message, wherein the over-the-air programming message includes programming data for provisioning the communication device,wherein the secure device processor is separate from the secure element and in communication with the secure element; and
  
  a device processor that facilitates wireless communications of the communication device, wherein the device processor is separate from the secure device processor and the secure element.
- View Dependent Claims (18, 19, 20)
- - 18. The communication device of claim 17, wherein the first operations further comprise:
    - obtaining a static key via a remote management server, wherein the remote management server provides the static key to an over-the-air programming server that provides the over-the-air programming message to the secure device processor; and
      
      generating the first keyset from the static key.
  - 19. The communication device of claim 17, wherein the secure element comprises a universal integrated circuit card, and wherein the over-the-air programming message utilizes a hypertext transfer protocol.
  - 20. The communication device of claim 17, wherein the first operations further comprise:
    - generating a secure message for transmission;
      
      encrypting the secure message utilizing the second keyset to generate an encrypted secure message; and
      
      providing the encrypted secure message to the secure device processor for transmission to a destination device via an intermediate server to enable the destination device to decrypt the encrypted secure message utilizing the second keyset, wherein the encrypted secure message is further encrypted by the secure device processor utilizing the first keyset to obtain a twice encrypted secure message, and wherein the twice encrypted secure message is further decrypted by the intermediate server utilizing the first keyset prior to delivery to the intermediate server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Chastain, Walter Cooper, Chin, Stephen Emille
Primary Examiner(s)
Shehni, Ghazal B

Application Number

US15/872,622
Publication Number

US 20180145980A1
Time in Patent Office

385 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0876   based on the identity of th...

H04L 63/123   received data contents, e.g...

H04W 12/02   Protecting privacy or anony...

H04W 12/06   Authentication

H04W 12/35   Protecting application or s...

H04W 4/50   Service provisioning or rec...

H04W 8/20   Transfer of user or subscri...

Apparatus and method for secure provisioning of a communication device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

246 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for secure provisioning of a communication device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

246 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links