Embedded Universal Integrated Circuit Card Supporting Two-Factor Authentication

US 20150296379A1
Filed: 06/25/2015
Published: 10/15/2015
Est. Priority Date: 11/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method for authentication, the method performed by an embedded Universal Integrated Circuit Card (eUICC), the method comprising:

recording, by the eUICC, a profile key and an eUICC identity, and sending the eUICC identity;

receiving, by the eUICC, a profile, wherein the eUICC uses the profile key to decrypt at least a portion of the profile, wherein the portion includes a first key K1 and a network module identity;

sending, by the eUICC, the network module identity, receiving a first pseudo-random number (RAND), processing a first response value (RES) using the first key K1, and sending the first RES;

receiving, by the eUICC, a key exchange token, wherein the eUICC uses a key derivation algorithm, a private key, and the received key exchange token to derive a second key K2; and

,sending, by the eUICC, the network module identity, receiving a second RAND, processing a second RES using the second key K2, and sending the second RES.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A module with an embedded universal integrated circuit card (eUICC) can include a profile for the eUICC. The profile can include a first and second shared secret key K for authenticating with a wireless network. The first shared secret key K can be encrypted with a first key, and the second shared secret key K can be encrypted with a second key. The module can (i) receive the first key, (ii) decrypt the first shared secret key K with the first key, and (iii) subsequently authenticate with the wireless network using the plaintext first shared secret key K. The wireless network can authenticate the user of the module using a second factor. The module can then (i) receive the second key, (ii) decrypt the second shared secret key K, and (iii) authenticate with the wireless network using the second shared secret key K. The module can comprise a mobile phone.

43 Citations

View as Search Results

23 Claims

1. A method for authentication, the method performed by an embedded Universal Integrated Circuit Card (eUICC), the method comprising:
- recording, by the eUICC, a profile key and an eUICC identity, and sending the eUICC identity;
  
  receiving, by the eUICC, a profile, wherein the eUICC uses the profile key to decrypt at least a portion of the profile, wherein the portion includes a first key K1 and a network module identity;
  
  sending, by the eUICC, the network module identity, receiving a first pseudo-random number (RAND), processing a first response value (RES) using the first key K1, and sending the first RES;
  
  receiving, by the eUICC, a key exchange token, wherein the eUICC uses a key derivation algorithm, a private key, and the received key exchange token to derive a second key K2; and
  
  ,sending, by the eUICC, the network module identity, receiving a second RAND, processing a second RES using the second key K2, and sending the second RES.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the network module identity comprises a first network module identity and a second network module identity, wherein the eUICC sends the first network module identity before receiving the first RAND, and wherein the eUICC sends the second network module identity before receiving the second RAND.
  - 3. The method of claim 1, wherein a hardware module includes the eUICC, and wherein the hardware module accesses an IP network after sending the first RES, and wherein a user accesses a user interface of the hardware module to authenticate with a mobile network operator before the eUICC receives the key exchange token.
  - 4. The method of claim 1, further comprising the eUICC using (i) a mobile network operator public key, (ii) the private key, and (iii) the key exchange token with the key derivation algorithm to derive the second key K2, wherein the private key comprises an eUICC private key.
  - 5. The method of claim 4, wherein the key derivation algorithm outputs the second key K2, and wherein the key derivation algorithm comprises one of (i) an elliptic curve Diffie-Hellman (ECDH) key exchange and the key exchange token comprises a base point G, and (ii) a Diffie-Hellman key exchange.
  - 6. The method of claim 1, wherein the profile key comprises an eUICC private key, and further comprising the eUICC:
    - receiving an encrypted symmetric key after sending the eUICC identity;
      
      decrypting the symmetric key using the eUICC private key and an asymmetric ciphering algorithm; and
      
      ,decrypting the portion using the decrypted symmetric key and a symmetric ciphering algorithm.
  - 7. The method of claim 1, wherein a hardware module includes the eUICC, wherein the hardware module sends the eUICC identity to an eUICC subscription manager, wherein the hardware module receives the profile from the eUICC subscription manager, and wherein the eUICC subscription manager receives the portion from a mobile network operator before the hardware module sends the eUICC identity.
  - 8. The method of claim 1, wherein a hardware module includes the eUICC, wherein the eUICC comprises a surface mount package soldered onto a circuit board of the hardware module, wherein the hardware module records the second key K2 in a protected nonvolatile memory after deriving the second key K2.
  - 9. The method of claim 1, wherein the first key K1 comprises a null value, wherein a hardware module includes the eUICC, wherein the hardware module accesses an IP network after sending the first RES, and wherein the hardware module uses a transport layer security for a user to authenticate with a mobile network operator before the hardware module receives the key exchange token.

10. A system for supporting authentication, the system comprising:
- a nonvolatile memory for recording an embedded Universal Integrated Circuit Card (eUICC) identity, an eUICC private key, and an address, wherein the eUICC private key is associated with an eUICC public key;
  
  a first server for encrypting (i) a profile using a profile key, and (ii) the profile key using the eUICC public key, wherein the first server is associated with an eUICC subscription manager;
  
  a network interface for sending the eUICC identity to the address, for receiving an encrypted profile and an encrypted profile key after sending the eUICC identity, wherein the encrypted profile key is decrypted with an asymmetric ciphering algorithm and the eUICC private key, wherein a first portion of the encrypted profile is decrypted with the decrypted profile key, and wherein the decrypted first portion includes a first key K1;
  
  a second server for deriving a symmetric key, wherein the second server is associated with a mobile network operator, wherein the mobile network operator is configured to send the first portion of the profile and a second portion of the profile to the eUICC subscription manager before the eUICC identity is sent from the network interface to the address;
  
  a network application for authenticating with a wireless network using the first key K1, and for receiving a key exchange token;
  
  a processor for deriving the symmetric key using the key exchange token and a key derivation function, for decrypting the second portion of the profile with the symmetric key, wherein the decrypted second portion includes a second key K2; and
  
  ,an eUICC for receiving a pseudo-random number (RAND), for calculating a response value (RES) using the RAND and the second key K2, and for sending the RES.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein a user authenticates with the mobile network operator (i) after the network application authenticates using the first key K1, and (ii) before the network application receives the key exchange token.
  - 12. The system of claim 10, wherein the processor (A) derives the symmetric key using the key exchange token, the eUICC private key, and a public key for the mobile network operator before (B) decrypting the second portion with the derived symmetric key.
  - 13. The system of claim 10, wherein the first portion of the profile is decrypted with the decrypted profile key and a symmetric ciphering algorithm, wherein the decrypted first portion of the profile includes a plaintext network module identity, and wherein the network application authenticates with the wireless network using the plaintext network module identity.
  - 14. The system of claim 10, wherein the second server derives the symmetric key using the key exchange token, the eUICC public key, and a private key for the mobile network operator, wherein the mobile network operator encrypts the second portion with a symmetric ciphering algorithm and the symmetric key, wherein the mobile network operator sends the second portion to the eUICC subscription manager as a ciphertext, and wherein the eUICC subscription manager includes the ciphertext in the profile.
  - 15. The system of claim 10, wherein a physical universal integrated circuit card (UICC) includes the eUICC, wherein the network application communicates with the UICC using an UICC driver, and wherein the network application sends the eUICC the key exchange token using the UICC driver.

16. A system for supporting authentication, the system comprising:
- a nonvolatile memory for recording an embedded Universal Integrated Circuit Card (eUICC) identity, an eUICC private key, and an address, wherein the eUICC private key is associated with an eUICC public key;
  
  a network interface for sending the eUICC identity to the address, for receiving an encrypted profile and an encrypted profile key after sending the eUICC identity, wherein the encrypted profile key is decrypted with an asymmetric ciphering algorithm and the eUICC private key, wherein the encrypted profile is decrypted with the decrypted profile key, and wherein the decrypted profile includes a first key K1;
  
  a network application for authenticating with a wireless network using the first key K1, and for receiving a key exchange token;
  
  a processor for deriving a second key K2 using the key exchange token and a key derivation algorithm; and
  
  ,an eUICC for receiving a pseudo-random number (RAND), for calculating a response value (RES) using the RAND and the second key K2, and for sending the RES.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The system of claim 16, wherein the processor derives the second key K2 using the key exchange token, the eUICC private key, and a mobile network operator public key, and wherein the mobile network operator public key is included in the profile.
  - 18. The system of claim 16, further comprising a server for encrypting (i) a profile using a profile key, and (ii) the profile key using the eUICC public key, wherein the server is associated with an eUICC subscription manager.
  - 19. The system of claim 18, wherein a mobile network operator is configured to send the profile to the eUICC subscription manager before the eUICC identity is sent from the network interface to the address.
  - 20. The system of claim 16, further comprising a mobile network operator for deriving the second key K2 using the key exchange token, the eUICC public key, a mobile network operator public key, and the key derivation algorithm, and wherein the mobile network operator sends the pseudo-random number (RAND), calculates the response value (RES) using the RAND and the derived second key K2, and receives the RES from a hardware module with the eUICC.
  - 21. The system of claim 16, wherein a hardware module includes the eUICC, and wherein the hardware module accesses an IP network after authenticating with the wireless network using the first key K1, and wherein a user accesses a user interface of the hardware module to authenticate with a mobile network operator before the network application receives the key exchange token.
  - 22. The system of claim 16, wherein the key derivation algorithm outputs the second key K2, and wherein the key derivation algorithm comprises one of (i) an elliptic curve Diffie-Hellman (ECDH) key exchange and the key exchange token comprises a base point G, and (ii) a Diffie-Hellman key exchange.
  - 23. The system of claim 16, wherein a physical universal integrated circuit card (UICC) includes the eUICC, wherein the network application communicates with the UICC using an UICC driver, and wherein the network application sends the eUICC the key exchange token using the UICC driver.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
John A. Nix
Original Assignee
M2M and IoT Technologies LLC
Inventors
Nix, John A.

Granted Patent

US 9,961,060 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04B 1/3816   Mechanical arrangements for...

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 67/12   specially adapted for propr...

H04L 9/0819   Key transport or distributi...

H04L 9/0869   involving random numbers or...

H04L 9/3271   using challenge-response

H04W 12/03   Protecting confidentiality,...

H04W 12/06   Authentication

H04W 12/35   Protecting application or s...

H04W 12/40   Security arrangements using...

H04W 4/70   Services for machine-to-mac...

H04W 8/18   Processing of user or subsc...

Embedded Universal Integrated Circuit Card Supporting Two-Factor Authentication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Embedded Universal Integrated Circuit Card Supporting Two-Factor Authentication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links