Apparatus and method for secure provisioning of a communication device

US 10,701,072 B2
Filed: 01/04/2019
Issued: 06/30/2020
Est. Priority Date: 11/01/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

decrypting, by a secure processing system including a processor of a communication system, an over-the-air programming message that includes programming data, utilizing a first keyset obtained by the secure processing system to generate a first-keyset decrypted over-the-air programming message, wherein the first keyset is obtained from a remote management server via transmission by an over-the-air programming server; and

providing, by the secure processing system, the first-keyset decrypted over-the-air programming message to a secure element, wherein the providing of the first-keyset decrypted over-the-air programming message to the secure element enables the secure element to further decrypt the first-keyset decrypted over-the-air programming message utilizing a second keyset, and wherein the secure processing system does not have access to the second keyset.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system that incorporates the subject disclosure may perform, for example, obtaining programming data via an over-the-air programming message for use by a communication device, wherein the over-the-air programming message is obtained from, and encrypted by an over-the-air programming server. The over-the-air programming message is decrypted utilizing a first keyset obtained by a secure device processor processing the first keyset obtained from a remote management server via transmission by the over-the-air programming server, to generate a first-key decrypted over-the-air programming message. The decrypted over-the-air programming message is provided to a secure element to enable the secure element to further decrypt the first-key decrypted over-the-air programming message utilizing a second keyset, wherein the secure device processor does not have access to the second keyset. Other embodiments are disclosed.

265 Citations

20 Claims

1. A method comprising:
- decrypting, by a secure processing system including a processor of a communication system, an over-the-air programming message that includes programming data, utilizing a first keyset obtained by the secure processing system to generate a first-keyset decrypted over-the-air programming message, wherein the first keyset is obtained from a remote management server via transmission by an over-the-air programming server; and
  
  providing, by the secure processing system, the first-keyset decrypted over-the-air programming message to a secure element, wherein the providing of the first-keyset decrypted over-the-air programming message to the secure element enables the secure element to further decrypt the first-keyset decrypted over-the-air programming message utilizing a second keyset, and wherein the secure processing system does not have access to the second keyset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - determining, by the secure processing system, a schedule for providing messages to the secure element of the communication system, wherein the secure processing system is separate from the secure element and in communication with the secure element.
  - 3. The method of claim 1, wherein the over-the-air programming message originates from a service provisioning system, wherein the over-the-air programming server does not have access to the second keyset, and wherein the service provisioning system has access to the second keyset.
  - 4. The method of claim 3, comprising:
    - determining, by the secure processing system, that a response has been generated by the secure element and is associated with the over-the-air programming message; and
      
      providing, by the secure processing system, the response to the over-the-air programming server for transmission to the service provisioning system, wherein the response is encrypted by the secure element utilizing the second keyset, and wherein the response is configured for decryption by the service provisioning system utilizing the second keyset.
  - 5. The method of claim 1, further comprising:
    - monitoring, by the secure processing system, for a response provided by the secure element;
      
      determining, by the secure processing system, that the response is associated with the over-the-air programming message;
      
      encrypting, by the secure processing system, the response utilizing the first keyset to generate an encrypted response; and
      
      providing, by the secure processing system, the encrypted response to the over-the-air programming server to enable the over-the-air programming server to decrypt the encrypted response for transmission to a service provisioning system.
  - 6. The method of claim 5, further comprising:
    - authenticating, by the secure processing system, with the secure element utilizing a third keyset; and
      
      obtaining, by the secure processing system, the first keyset from the secure element, wherein the first keyset is generated by the secure element from a static key that is provided by the remote management server to the secure element and to the over-the-air programming server.
  - 7. The method of claim 6, wherein the providing of the static key to the secure element by the remote management server is based on another over-the-air programming message that utilizes short message service transport protocol.
  - 8. The method of claim 1, comprising:
    - providing, by the secure processing system, a request to the secure element for the first keyset responsive to a determination that the over-the-air programming message has been encrypted; and
      
      obtaining, by the secure processing system, the first keyset from the secure element.
  - 9. The method of claim 1, comprising retransmitting, by the secure processing system, the first-keyset decrypted over-the-air programming message to the secure element.

10. A non-transitory, machine-readable storage medium, comprising executable instructions that, when executed by a processing system including a processor, facilitate performance of operations, the operations comprising:
- decrypting an encrypted over-the-air programming message that includes programming data, utilizing a first keyset at secure processing device to generate a first-keyset decrypted over-the-air programming message, wherein the first keyset is obtained from a remote management server via transmission by an over-the-air programming server; and
  
  forwarding the first-keyset decrypted over-the-air programming message to a secure element, wherein the forwarding of the first-keyset decrypted over-the-air programming message to the secure element enables the secure element to further decrypt the first-keyset decrypted over-the-air programming message utilizing a second keyset, and wherein the secure processing device does not have access to the second keyset.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The non-transitory, machine-readable storage medium of claim 10, wherein the encrypted over-the-air programming message is obtained from a service provisioning system, and wherein the encrypted over-the-air programming message is encrypted by the service provisioning system utilizing the second keyset.
  - 12. The non-transitory, machine-readable storage medium of claim 10, wherein the encrypted over-the-air programming message is provided to the secure processing device according to a hypertext transfer protocol.
  - 13. The non-transitory, machine-readable storage medium of claim 10, wherein the first-keyset decrypted over-the-air programming message is forwarded to the secure element according to a provisioning schedule.
  - 14. The non-transitory, machine-readable storage medium of claim 13, wherein the provisioning schedule is determined by the secure processing device.
  - 15. The non-transitory, machine-readable storage medium of claim 10, wherein the operations further comprise:
    - obtaining the encrypted over-the-air programming message from a service provisioning system;
      
      obtaining a request from the service provisioning system to provide the encrypted over-the-air programming message to another communication device;
      
      determining that the another communication device is not registered with the remote management server; and
      
      providing a notice to the service provisioning system indicating that a secure device processor of the another communication device is not registered with the over-the-air programming server.
  - 16. The non-transitory, machine-readable storage medium of claim 10, wherein the operations further comprise:
    - obtaining a response to the encrypted over-the-air programming message;
      
      decrypting the response utilizing the first keyset to generate a first-keyset decrypted response; and
      
      providing the first-keyset decrypted response to a service provisioning system that originated the encrypted over-the-air programming message.

17. A communication device comprising:
- a secure processing system including a processor; and
  
  a memory that stores executable instructions that, when executed by the secure processing system, facilitate performance of operations, the operations comprising;
  
  decrypting an over-the-air programming message utilizing a first key to obtain a first-key decrypted over-the-air programming message, wherein the over-the-air programming message includes programming data for provisioning the communication device, and wherein the first key is obtained from a remote device via an over-the-air transmission; and
  
  providing the first-key decrypted over-the-air programming message to a secure element, wherein the providing of the first-key decrypted over-the-air programming message to the secure element enables the secure element to further decrypt the first-key decrypted over-the-air programming message utilizing a second key, and wherein the secure processing system does not have access to the second key.
- View Dependent Claims (18, 19, 20)
- - 18. The communication device of claim 17, wherein the operations further comprise:
    - obtaining a static key via a remote management server, wherein the remote management server provides the static key to an over-the-air programming server that provides the over-the-air programming message to the secure processing system; and
      
      generating the first key from the static key.
  - 19. The communication device of claim 17, wherein the secure element comprises a universal integrated circuit card, and wherein the over-the-air programming message utilizes a hypertext transfer protocol.
  - 20. The communication device of claim 17, wherein the operations further comprise:
    - determining, by the secure processing system, a schedule for providing messages to the secure element of the communication device, wherein the secure processing system is separate from the secure element and in communication with the secure element.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Chastain, Walter Cooper, Chin, Stephen Emille
Primary Examiner(s)
Shehni, Ghazal B

Application Number

US16/240,420
Publication Number

US 20190141038A1
Time in Patent Office

543 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0876   based on the identity of th...

H04L 63/123   received data contents, e.g...

H04W 12/02   Protecting privacy or anony...

H04W 12/06   Authentication

H04W 12/35   Protecting application or s...

H04W 4/50   Service provisioning or rec...

H04W 8/20   Transfer of user or subscri...

Apparatus and method for secure provisioning of a communication device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

265 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Apparatus and method for secure provisioning of a communication device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

265 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others