Network supporting two-factor authentication for modules with embedded universal integrated circuit cards

US 9,351,162 B2
Filed: 12/23/2013
Issued: 05/24/2016
Est. Priority Date: 11/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method for authentication, the method performed by a set of servers communicating through at least one local area network interface, the set of servers including at least one computer processor for performing the steps of the method, the method comprising:

processing a network module identity, a first key K, and a second key K;

encrypting the second key K with a symmetric key;

sending the network module identity, the first key K, and the encrypted second key K to a subscription manager;

receiving the network module identity from a module;

conducting a first authentication using the network module identity and the first key K;

conducting a second authentication of a user associated with the network module identity;

sending, after the second authentication, the symmetric key to the module; and

, conducting a third authentication with the module using the second key K.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network with a set of servers can support authentication from a module, where the module includes an embedded universal integrated circuit card (eUICC). The network can send a first network module identity, a first key K, and an encrypted second key K for an eUICC profile to an eUICC subscription manager. The second key K can be encrypted with a symmetric key. The module can receive and activate the eUICC profile, and the network can authenticate the module using the first network module identity and the first key K. The network can (i) authenticate the user of the module using a second factor, and then (ii) send the symmetric key to the module. The module can decrypt the encrypted second key K using the symmetric key. The network can authenticate the module using the second key K. The module can comprise a mobile phone.

158 Citations

26 Claims

1. A method for authentication, the method performed by a set of servers communicating through at least one local area network interface, the set of servers including at least one computer processor for performing the steps of the method, the method comprising:
- processing a network module identity, a first key K, and a second key K;
  
  encrypting the second key K with a symmetric key;
  
  sending the network module identity, the first key K, and the encrypted second key K to a subscription manager;
  
  receiving the network module identity from a module;
  
  conducting a first authentication using the network module identity and the first key K;
  
  conducting a second authentication of a user associated with the network module identity;
  
  sending, after the second authentication, the symmetric key to the module; and
  
  , conducting a third authentication with the module using the second key K.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the subscription manager comprises an embedded universal integrated circuit card (eUICC) subscription manager, wherein the eUICC subscription manager sends at least the network module identity, the first key K, and the encrypted second key K in a profile, and wherein the eUICC subscription manager encrypts at least a portion of the profile using an eUICC profile key.
  - 3. The method of claim 2, wherein the module receives the encrypted profile from the eUICC subscription manager, wherein the module decrypts the profile using the eUICC profile key, wherein the profile includes a set of network parameters, wherein the module uses the set of network parameters to connect with a mobile network operator, wherein the module receives a pseudo-random number (RAND) for the first authentication, and wherein the module processes a response for the first authentication using the RAND and the first key K from the profile.
  - 4. The method of claim 3, wherein the mobile network operator sends the network module identity to the eUICC subscription manager before the set of servers receives the network module identity from the module.
  - 5. The method of claim 1, wherein a home subscriber server processes the network module identity, the first key K, and the second key K, and wherein a mobility management entity conducts the first authentication and the third authentication.
  - 6. The method of claim 1, further comprising enabling limited access to an IP network for the module after the first authentication, wherein the user accesses a user interface on the module and the IP network to conduct the second authentication.
  - 7. The method of claim 1, wherein the user comprises an M2M service provider, wherein the set of servers receives a series of identities from the M2M service provider, and wherein the set of servers uses the received network module identity and the series of identities in order to conduct the second authentication.
  - 8. The method of claim 1, further comprising sending a signal to the subscription manager after the first authentication, wherein the subscription manager deprecates a profile comprising the network module identity, the first key K, and the second key K after receiving the signal.
  - 9. The method of claim 1, wherein after the second authentication, the module uses the symmetric key and the encrypted second key K with a symmetric ciphering algorithm in order to read the second key K, and wherein, for the third authentication, the module (i) sends the network identity associated with the second key K, (ii) receives a pseudo-random number (RAND), and (iii) processes a response using the RAND and the second key K.
  - 10. The method of claim 1, further comprising encrypting the symmetric key with an asymmetric ciphering algorithm and a public key associated with the module, wherein the set of servers sends the encrypted symmetric key to the module after the second authentication.

11. A method for authentication, the method performed by a set of servers communicating through at least one local area network interface, the set of servers including at least one computer processor for performing the steps of the method, the method comprising:
- sending a network module identity and first key K to a subscription manager;
  
  receiving the network module identity from a module;
  
  conducting a first authentication using the network module identity and the first key K;
  
  receiving (i) a public key of an embedded universal integrated circuit card (eUICC) for the module, and (ii) an eUICC identity for the module;
  
  conducting a second authentication of a user associated with the network module identity;
  
  deriving a symmetric key using a key exchange algorithm with input of at least the public key and a private key associated with a server, wherein a second key K is encrypted using the symmetric key;
  
  sending, after the second authentication, the encrypted second key K to the module; and
  
  ,conducting a third authentication with the module using the second key K.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein the subscription manager comprises an eUICC subscription manager, wherein the eUICC subscription manager includes at least the network module identity and the first key K in an eUICC profile, and wherein the eUICC subscription manager encrypts the eUICC profile with an eUICC profile key.
  - 13. The method of claim 12, wherein the module receives the encrypted eUICC profile from the eUICC subscription manager, wherein the module decrypts the encrypted eUICC profile, wherein the eUICC profile includes a set of network parameters, wherein the module uses the set of network parameters to connect with a wireless network, wherein the module receives a pseudo-random number (RAND) for the first authentication, and wherein the module for the first authentication processes a response (RES) using the RAND and the first key K from the eUICC profile.
  - 14. The method of claim 11, wherein a home subscriber server processes (i) the network module identity and the first key K, and (ii) a first authentication vector using the first key K, wherein the home subscriber server sends the first authentication vector to a mobility management entity for conducting the first authentication, wherein the mobility management entity receives a second authentication vector after the second key K is encrypted using the symmetric key, and wherein the second authentication vector is processed using the second key K.
  - 15. The method of claim 11, further comprising enabling limited access to an IP network for the module after the first authentication, wherein the user accesses (i) a user interface on the module and (ii) the IP network to conduct the second authentication.
  - 16. The method of claim 11, wherein the user comprises an M2M service provider, wherein the set of servers receives a series of identities from the M2M service provider, and wherein the set of servers uses the received network module identity and the series of identities in order to conduct the second authentication.
  - 17. The method of claim 11, further comprising sending a signal to the subscription manager after the first authentication, wherein the subscription manager deprecates a profile comprising the network module identity and the first key K.
  - 18. The method of claim 11, wherein, for the third authentication, a wireless network (i) receives the network module identity associated with the second key K, (ii) sends a pseudo-random number (RAND), and (iii) compares a received response (RES) with a recorded RES from an authentication vector for the network module identity, wherein the recorded RES is processed by the wireless network using the RAND and the second key K.

19. A system to support authentication of a module, the system comprising:
- a first server for processing a network module identity, a first key K, and a second key K, wherein the first server encrypts the second key K with a symmetric key, and for sending the network module identity, the first key K, and the encrypted second key K to a subscription manager;
  
  a second server for receiving the network module identity from the module via a wireless network, and for conducting a first authentication using the network module identity and the first key K, and, after a second authentication, for conducting a third authentication with the module using the second key K;
  
  a third server for conducting the second authentication of a user associated with the network module identity, and for enabling the wireless network to use, after the second authentication, the symmetric key with the module.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The system of claim 19, wherein the subscription manager comprises an embedded universal integrated circuit card (eUICC) subscription manager, wherein the eUICC subscription manager includes at least the network module identity, the first key K, and the encrypted second key K in an eUICC profile, and wherein the eUICC subscription manager encrypts at least a portion of the eUICC profile with a profile key.
  - 21. The system of claim 20, wherein the module receives the encrypted eUICC profile from the eUICC subscription manager, wherein the module decrypts the encrypted eUICC profile, wherein the eUICC profile includes a set of network parameters, wherein the module uses the set of network parameters to connect with the wireless network, wherein the module receives a pseudo-random number (RAND) for the first authentication, and wherein the module processes a response using the RAND and the first key K from the eUICC profile.
  - 22. The system of claim 19, wherein the first server comprises a home subscriber server (HSS), and wherein the second server comprises a mobility management entity (MME), and wherein the wireless network operates the first server and the second server.
  - 23. The system of claim 19, wherein the second server enables limited access to an IP network for the module after the first authentication, wherein the user accesses a user interface of the module and the IP network in order to conduct the second authentication with the third server.
  - 24. The system of claim 19, wherein the user comprises an M2M service provider, wherein the wireless network receives a series of identities from the M2M service provider, and wherein the wireless network uses the received network module identity and the series of identities in order to conduct the second authentication.
  - 25. The system of claim 19, wherein after the second authentication, the wireless network sends the symmetric key to the module, wherein the module inputs the symmetric key and the encrypted second key into a symmetric ciphering algorithm in order to read the second key K, and wherein, for the third authentication, the wireless network (i) receives the network module identity associated with the second key K, (ii) sends a pseudo-random number (RAND), and (iii) compares a received response (RES) with a recorded RES from an authentication vector for the network module identity, wherein the recorded RES is processed by the wireless network using the RAND and the second key K.
  - 26. The system of claim 19, wherein the first server encrypts the symmetric key with an asymmetric ciphering algorithm and a public key associated with the module, and wherein the second server uses an eUICC identity from the first authentication to receive the public key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
John A. Nix
Original Assignee
M2M and IoT Technologies LLC
Inventors
Nix, John A.
Primary Examiner(s)
Vostal, O. C.

Application Number

US14/139,419
Publication Number

US 20150180847A1
Time in Patent Office

883 Days
Field of Search

713/168
US Class Current

1/1
CPC Class Codes

H04B 1/3816   Mechanical arrangements for...

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 67/12   specially adapted for propr...

H04L 9/0819   Key transport or distributi...

H04L 9/0869   involving random numbers or...

H04L 9/3271   using challenge-response

H04W 12/03   Protecting confidentiality,...

H04W 12/06   Authentication

H04W 12/35   Protecting application or s...

H04W 12/40   Security arrangements using...

H04W 4/70   Services for machine-to-mac...

H04W 8/18   Processing of user or subsc...

Network supporting two-factor authentication for modules with embedded universal integrated circuit cards

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

158 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Network supporting two-factor authentication for modules with embedded universal integrated circuit cards

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

158 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links