Embedded universal integrated circuit card supporting two-factor authentication

US 10,382,422 B2
Filed: 08/23/2018
Issued: 08/13/2019
Est. Priority Date: 12/06/2013
Status: Active Grant

First Claim

Patent Images

1. A module comprising:

1) one or more first processors; and

2) a first non-transitory computer-readable memory operatively connected to the one or more processors, the non-transitory computer-readable memory having stored thereon;

(i) a network application; and

(ii) machine-readable instructions that, when executed by the one or more processors cause the one or more processors to perform, using the network application, a method for providing information to and obtaining information from a subscription manager system and providing information to and receiving information from an embedded universal integrated circuit card in the module;

wherein the embedded universal integrated circuit card is operatively connected to the one or more first processors and comprises;

(I) one or more second processors; and

(II) a second non-transitory computer-readable memory operatively connected to the one or more second processors, the non-transitory computer-readable memory having stored thereon machine readable instructions that, when executed by the one or more second processors cause the one or more second processors to perform steps of;

(a) generating, by the embedded universal integrated circuit card, a first message comprising;

(1) an identity of the embedded universal integrated circuit card;

(2) a nonce; and

(3) a first digital signature, generated using a first eUICC private key, wherein the first eUICC private key corresponds to a first eUICC public key;

(b) providing, by the by the embedded universal integrated circuit card to the network application, the first message to be sent to the subscription manager system;

(c) deriving, by the embedded universal integrated circuit card, a second eUICC private key and a corresponding second eUICC public key using a first random number generator and a set of cryptographic algorithms;

(d) recording, by the embedded universal integrated circuit card, a subscription manager public key which corresponds to a subscription manager private key;

(e) deriving, by the embedded universal integrated circuit card, a profile key using a key exchange algorithm based on at least;

(i) the second eUICC private key, and(ii) the recorded subscription manager public key,wherein the profile key can also be derived at the subscription manager system based at least on;

(iii) the second eUICC public key, and(iv) the subscription manager private key;

(f) receiving, by the embedded universal integrated circuit card via the network application from the subscription manager, an encrypted profile comprising a ciphertext including a key K encrypted with a symmetric key;

(g) receiving, by the embedded universal integrated circuit card, the symmetric key;

(h) decrypting, by the embedded universal integrated circuit card, the ciphertext using the symmetric key;

(i) decrypting, by the embedded universal integrated circuit card, the encrypted profile using the profile key; and

(j) storing, by the embedded universal integrated circuit card, the decrypted profile in the embedded universal integrated circuit card for use in future communications.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A module with an embedded universal integrated circuit card (eUICC) can include a profile for the eUICC. The profile can include a first and second shared secret key K for authenticating with a wireless network. The first shared secret key K can be encrypted with a first key, and the second shared secret key K can be encrypted with a second key. The module can (i) receive the first key, (ii) decrypt the first shared secret key K with the first key, and (iii) subsequently authenticate with the wireless network using the plaintext first shared secret key K. The wireless network can authenticate the user of the module using a second factor. The module can then (i) receive the second key, (ii) decrypt the second shared secret key K, and (iii) authenticate with the wireless network using the second shared secret key K. The module can comprise a mobile phone.

236 Citations

18 Claims

1. A module comprising:
- 1) one or more first processors; and
  
  2) a first non-transitory computer-readable memory operatively connected to the one or more processors, the non-transitory computer-readable memory having stored thereon;
  
  (i) a network application; and
  
  (ii) machine-readable instructions that, when executed by the one or more processors cause the one or more processors to perform, using the network application, a method for providing information to and obtaining information from a subscription manager system and providing information to and receiving information from an embedded universal integrated circuit card in the module;
  
  wherein the embedded universal integrated circuit card is operatively connected to the one or more first processors and comprises;
  
  (I) one or more second processors; and
  
  (II) a second non-transitory computer-readable memory operatively connected to the one or more second processors, the non-transitory computer-readable memory having stored thereon machine readable instructions that, when executed by the one or more second processors cause the one or more second processors to perform steps of;
  
  (a) generating, by the embedded universal integrated circuit card, a first message comprising;
  
  (1) an identity of the embedded universal integrated circuit card;
  
  (2) a nonce; and
  
  (3) a first digital signature, generated using a first eUICC private key, wherein the first eUICC private key corresponds to a first eUICC public key;
  
  (b) providing, by the by the embedded universal integrated circuit card to the network application, the first message to be sent to the subscription manager system;
  
  (c) deriving, by the embedded universal integrated circuit card, a second eUICC private key and a corresponding second eUICC public key using a first random number generator and a set of cryptographic algorithms;
  
  (d) recording, by the embedded universal integrated circuit card, a subscription manager public key which corresponds to a subscription manager private key;
  
  (e) deriving, by the embedded universal integrated circuit card, a profile key using a key exchange algorithm based on at least;
  
  (i) the second eUICC private key, and(ii) the recorded subscription manager public key,wherein the profile key can also be derived at the subscription manager system based at least on;
  
  (iii) the second eUICC public key, and(iv) the subscription manager private key;
  
  (f) receiving, by the embedded universal integrated circuit card via the network application from the subscription manager, an encrypted profile comprising a ciphertext including a key K encrypted with a symmetric key;
  
  (g) receiving, by the embedded universal integrated circuit card, the symmetric key;
  
  (h) decrypting, by the embedded universal integrated circuit card, the ciphertext using the symmetric key;
  
  (i) decrypting, by the embedded universal integrated circuit card, the encrypted profile using the profile key; and
  
  (j) storing, by the embedded universal integrated circuit card, the decrypted profile in the embedded universal integrated circuit card for use in future communications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The module of claim 1, wherein the subscription manager public key is downloaded.
  - 3. The module of claim 1, wherein the subscription manager public key was recorded at the time of manufacture of the module.
  - 4. The module of claim 1, wherein the key exchange algorithm is a Diffie-Hellman key exchange.
  - 5. The module of claim 1, wherein the key exchange algorithm is an Elliptic Curve Diffie-Hellman key exchange.
  - 6. The module of claim 1, wherein the encrypted profile is encrypted in a manner so that intermediate nodes on an IP network would not be able to read data within the profile in an unencrypted form.
  - 7. The module of claim 1, wherein the encrypted profile is encrypted with an eUICC profile key.
  - 8. The module of claim 1, wherein after the step 1(b), the module is authenticated by the subscription manager system using at least the identity of the embedded universal integrated circuit card included in the first message.
  - 9. The module of claim 1, wherein after the step 1(b), the module is authenticated by the subscription manager system using at least the digital signature included in the first message.
  - 10. The module of claim 1, wherein the decrypted profile is stored in nonvolatile memory of the embedded universal integrated circuit card.
  - 11. The module of claim 1, wherein the module is a machine-to-machine module.
  - 12. The module of claim 11, wherein the module comprises a module of a type selected from the group consisting of:
    - vending machine, automobile, alarm system, tracking device, monitoring device, security system and remote control device.
  - 13. The module of claim 1, wherein the module is a wireless module.
  - 14. The module of claim 13, wherein the module is configured to communicate using one or more wireless technologies of types selected from the group consisting of:
    - WiFi, WiMax, General Packet Radio Services, Enhanced Data rates for GSM Evolution and 3^rdGeneration Partnership Project technology.
  - 15. The module of claim 13, wherein the module comprises a module of a type selected from the group consisting of the following:
    - wireless handset, cellular phone, smartphone, laptop computer, tracking device, computer with a radio, circuit board with a radio, hand-held device, netbook, portable computer, multiprocessor system, microprocessor based consumer electronic, programmable consumer electronic, network personal computer, minicomputer, mainframe computer and smartcard.
  - 16. The module of claim 1, wherein the module is a wired module.
  - 17. The module of claim 16, wherein the module is configured to communicate using one or more wired connections of types selected from the groups consisting of:
    - Ethernet, fiber optic connection and Universal Serial Bus connection.
  - 18. The module of claim 16, wherein the module comprises a module of a type selected from the group consisting of:
    - computer, security camera, security monitoring device and networked controller.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
John A. Nix
Original Assignee
Network-1 Technologies, Inc.
Inventors
Nix, John A.
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Teng, Louis C

Application Number

US16/110,804
Publication Number

US 20180367522A1
Time in Patent Office

355 Days
Field of Search
US Class Current
CPC Class Codes

H04B 1/3816   Mechanical arrangements for...

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 67/12   specially adapted for propr...

H04L 9/0819   Key transport or distributi...

H04L 9/0869   involving random numbers or...

H04L 9/3271   using challenge-response

H04W 12/03   Protecting confidentiality,...

H04W 12/06   Authentication

H04W 12/35   Protecting application or s...

H04W 12/40   Security arrangements using...

H04W 4/70   Services for machine-to-mac...

H04W 8/18   Processing of user or subsc...

Embedded universal integrated circuit card supporting two-factor authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

236 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Embedded universal integrated circuit card supporting two-factor authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

236 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others