Embedded Universal Integrated Circuit Card Supporting Two-Factor Authentication
First Claim
1. A method for authentication, the method performed by an embedded Universal Integrated Circuit Card (eUICC), the method comprising:
- recording, by the eUICC, a profile key and an eUICC identity, and sending the eUICC identity;
- receiving, by the eUICC, a profile, wherein the eUICC uses the profile key to decrypt at least a portion of the profile, wherein the portion includes a first key K1 and a network module identity;
- sending, by the eUICC, the network module identity, receiving a first pseudo-random number (RAND), processing a first response value (RES) using the first key K1, and sending the first RES;
- receiving, by the eUICC, a key exchange token, wherein the eUICC uses a key derivation algorithm, a private key, and the received key exchange token to derive a second key K2; and
- sending, by the eUICC, the network module identity, receiving a second RAND, processing a second RES using the second key K2, and sending the second RES.
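The message flow of claim 1, as an added example that is not part of the patent text: the eUICC decrypts K1 from the profile, answers a first RAND, derives K2 from a key exchange token, and answers a second RAND. Assumptions: a toy Diffie-Hellman group, an XOR keystream cipher and truncated HMAC-SHA256 stand in for the key exchange, profile cipher and RES algorithm, which the claim does not name; the network is assumed to know the eUICC's public value; all identities and keys are constructed.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group standing in for the unspecified key exchange
# (assumption; 2**521 - 1 is a Mersenne prime). Not for production use.
P, G = 2**521 - 1, 3

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in profile cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def compute_res(k: bytes, rand: bytes) -> bytes:
    """Stand-in for the RES algorithm: truncated HMAC-SHA256 over RAND."""
    return hmac.new(k, rand, hashlib.sha256).digest()[:8]

def derive_k2(private: int, token: int) -> bytes:
    """Key derivation: hash the DH shared secret down to a 128-bit K2."""
    shared = pow(token, private, P).to_bytes(66, "big")
    return hashlib.sha256(b"K2" + shared).digest()[:16]

class EUICC:
    def __init__(self, profile_key: bytes, eid: str):
        self.profile_key, self.eid = profile_key, eid   # recorded by the eUICC
        self.private = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.private, P)

    def load_profile(self, encrypted: bytes) -> None:
        plain = xor_cipher(self.profile_key, encrypted)
        self.k1, self.module_id = plain[:16], plain[16:].decode()

    def receive_token(self, token: int) -> None:
        self.k2 = derive_k2(self.private, token)

def run_exchange() -> tuple:
    # Constructed sample values; the network side is simulated inline.
    profile_key, k1 = secrets.token_bytes(16), secrets.token_bytes(16)
    card = EUICC(profile_key, "eid-constructed-01")
    card.load_profile(xor_cipher(profile_key, k1 + b"module-constructed-01"))
    rand1 = secrets.token_bytes(16)                      # first challenge
    first_ok = hmac.compare_digest(compute_res(card.k1, rand1), compute_res(k1, rand1))
    net_private = secrets.randbelow(P - 2) + 1           # network's ephemeral secret
    card.receive_token(pow(G, net_private, P))           # key exchange token
    net_k2 = derive_k2(net_private, card.public)
    rand2 = secrets.token_bytes(16)                      # second challenge
    second_ok = hmac.compare_digest(compute_res(card.k2, rand2), compute_res(net_k2, rand2))
    stale_ok = compute_res(card.k1, rand2) == compute_res(net_k2, rand2)  # K1 must fail
    return first_ok, second_ok, stale_ok
```

The third return value shows why the second authentication is a distinct factor: a RES computed with K1 does not satisfy a challenge verified under K2.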
Abstract
A module with an embedded universal integrated circuit card (eUICC) can include a profile for the eUICC. The profile can include a first and second shared secret key K for authenticating with a wireless network. The first shared secret key K can be encrypted with a first key, and the second shared secret key K can be encrypted with a second key. The module can (i) receive the first key, (ii) decrypt the first shared secret key K with the first key, and (iii) subsequently authenticate with the wireless network using the plaintext first shared secret key K. The wireless network can authenticate the user of the module using a second factor. The module can then (i) receive the second key, (ii) decrypt the second shared secret key K, and (iii) authenticate with the wireless network using the second shared secret key K. The module can comprise a mobile phone.
23 Claims
1. A method for authentication, the method performed by an embedded Universal Integrated Circuit Card (eUICC), the method comprising:
- recording, by the eUICC, a profile key and an eUICC identity, and sending the eUICC identity;
- receiving, by the eUICC, a profile, wherein the eUICC uses the profile key to decrypt at least a portion of the profile, wherein the portion includes a first key K1 and a network module identity;
- sending, by the eUICC, the network module identity, receiving a first pseudo-random number (RAND), processing a first response value (RES) using the first key K1, and sending the first RES;
- receiving, by the eUICC, a key exchange token, wherein the eUICC uses a key derivation algorithm, a private key, and the received key exchange token to derive a second key K2; and
- sending, by the eUICC, the network module identity, receiving a second RAND, processing a second RES using the second key K2, and sending the second RES.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A system for supporting authentication, the system comprising:
- a nonvolatile memory for recording an embedded Universal Integrated Circuit Card (eUICC) identity, an eUICC private key, and an address, wherein the eUICC private key is associated with an eUICC public key;
- a first server for encrypting (i) a profile using a profile key, and (ii) the profile key using the eUICC public key, wherein the first server is associated with an eUICC subscription manager;
- a network interface for sending the eUICC identity to the address, for receiving an encrypted profile and an encrypted profile key after sending the eUICC identity, wherein the encrypted profile key is decrypted with an asymmetric ciphering algorithm and the eUICC private key, wherein a first portion of the encrypted profile is decrypted with the decrypted profile key, and wherein the decrypted first portion includes a first key K1;
- a second server for deriving a symmetric key, wherein the second server is associated with a mobile network operator, wherein the mobile network operator is configured to send the first portion of the profile and a second portion of the profile to the eUICC subscription manager before the eUICC identity is sent from the network interface to the address;
- a network application for authenticating with a wireless network using the first key K1, and for receiving a key exchange token;
- a processor for deriving the symmetric key using the key exchange token and a key derivation function, for decrypting the second portion of the profile with the symmetric key, wherein the decrypted second portion includes a second key K2; and
- an eUICC for receiving a pseudo-random number (RAND), for calculating a response value (RES) using the RAND and the second key K2, and for sending the RES.

Dependent claims: 11, 12, 13, 14, 15
16. A system for supporting authentication, the system comprising:
- a nonvolatile memory for recording an embedded Universal Integrated Circuit Card (eUICC) identity, an eUICC private key, and an address, wherein the eUICC private key is associated with an eUICC public key;
- a network interface for sending the eUICC identity to the address, for receiving an encrypted profile and an encrypted profile key after sending the eUICC identity, wherein the encrypted profile key is decrypted with an asymmetric ciphering algorithm and the eUICC private key, wherein the encrypted profile is decrypted with the decrypted profile key, and wherein the decrypted profile includes a first key K1;
- a network application for authenticating with a wireless network using the first key K1, and for receiving a key exchange token;
- a processor for deriving a second key K2 using the key exchange token and a key derivation algorithm; and
- an eUICC for receiving a pseudo-random number (RAND), for calculating a response value (RES) using the RAND and the second key K2, and for sending the RES.

Dependent claims: 17, 18, 19, 20, 21, 22, 23
Specification