Network supporting two-factor authentication for modules with embedded universal integrated circuit cards
First Claim
1. A method for authentication, the method performed by a set of servers communicating through at least one local area network interface, the set of servers including at least one computer processor for performing the steps of the method, the method comprising:
processing a network module identity, a first key K, and a second key K;
encrypting the second key K with a symmetric key;
sending the network module identity, the first key K, and the encrypted second key K to a subscription manager;
receiving the network module identity from a module;
conducting a first authentication using the network module identity and the first key K;
conducting a second authentication of a user associated with the network module identity;
sending, after the second authentication, the symmetric key to the module; and
conducting a third authentication with the module using the second key K.
Abstract
A network with a set of servers can support authentication from a module, where the module includes an embedded universal integrated circuit card (eUICC). The network can send a first network module identity, a first key K, and an encrypted second key K for an eUICC profile to an eUICC subscription manager. The second key K can be encrypted with a symmetric key. The module can receive and activate the eUICC profile, and the network can authenticate the module using the first network module identity and the first key K. The network can (i) authenticate the user of the module using a second factor, and then (ii) send the symmetric key to the module. The module can decrypt the encrypted second key K using the symmetric key. The network can authenticate the module using the second key K. The module can comprise a mobile phone.
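The three-stage flow in the abstract, as an added simulation that is not part of the patent text: the network prepares an eUICC profile carrying the first key K and the second key K wrapped under a symmetric key, the module proves possession of the first key, and only after the user's second factor is verified does the network release the symmetric key so the module can unwrap the second key and pass the third authentication. The HMAC-based challenge-response and the HMAC counter-mode key wrap are constructed for illustration; the patent does not specify these primitives.

```python
import hashlib, hmac, os

def _keystream(key, label, n):
    # HMAC-SHA256 counter-mode keystream; a constructed stand-in for a real key-wrap algorithm
    blocks = (hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def wrap_key(sym_key, k2):
    """XOR the second key K with a keystream derived from the symmetric key (wrap == unwrap)."""
    return bytes(a ^ b for a, b in zip(_keystream(sym_key, b"eUICC-K2", len(k2)), k2))

def challenge_response(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Module:
    """Device holding the eUICC profile; the second key K is unusable until unwrapped."""
    def __init__(self, profile):
        self.identity, self.k1, self.enc_k2 = profile["id"], profile["k1"], profile["enc_k2"]
        self.k2 = None
    def answer(self, challenge, which):
        key = self.k1 if which == "first" else self.k2
        if key is None:
            raise RuntimeError("second key K not yet unlocked")  # third auth cannot succeed early
        return challenge_response(key, challenge)
    def receive_symmetric_key(self, sym_key):
        self.k2 = wrap_key(sym_key, self.enc_k2)

class Network:
    """Servers that provision the profile and run the first, second and third authentications."""
    def __init__(self, identity):
        self.identity, self.k1, self.k2 = identity, os.urandom(32), os.urandom(32)
        self.sym_key = os.urandom(32)
        self.second_factor_ok = False
    def profile_for_subscription_manager(self):
        return {"id": self.identity, "k1": self.k1, "enc_k2": wrap_key(self.sym_key, self.k2)}
    def authenticate(self, module, which):
        key = self.k1 if which == "first" else self.k2
        challenge = os.urandom(16)
        return hmac.compare_digest(module.answer(challenge, which), challenge_response(key, challenge))
    def verify_user_second_factor(self, code, expected):
        self.second_factor_ok = hmac.compare_digest(code, expected)
        return self.second_factor_ok
    def release_symmetric_key(self, module):
        if not self.second_factor_ok:
            raise PermissionError("symmetric key withheld: second factor not verified")
        module.receive_symmetric_key(self.sym_key)

def run_flow(user_code, expected_code):
    """Return (first_auth_ok, second_factor_ok, third_auth_ok) for one module session."""
    net = Network("module-0001")  # constructed network module identity
    mod = Module(net.profile_for_subscription_manager())
    first = net.authenticate(mod, "first")
    if not net.verify_user_second_factor(user_code, expected_code):
        return first, False, False
    net.release_symmetric_key(mod)
    return first, True, net.authenticate(mod, "third")
```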
26 Claims
1. A method for authentication, the method performed by a set of servers communicating through at least one local area network interface, the set of servers including at least one computer processor for performing the steps of the method, the method comprising:
processing a network module identity, a first key K, and a second key K;
encrypting the second key K with a symmetric key;
sending the network module identity, the first key K, and the encrypted second key K to a subscription manager;
receiving the network module identity from a module;
conducting a first authentication using the network module identity and the first key K;
conducting a second authentication of a user associated with the network module identity;
sending, after the second authentication, the symmetric key to the module; and
conducting a third authentication with the module using the second key K.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A method for authentication, the method performed by a set of servers communicating through at least one local area network interface, the set of servers including at least one computer processor for performing the steps of the method, the method comprising:
sending a network module identity and first key K to a subscription manager;
receiving the network module identity from a module;
conducting a first authentication using the network module identity and the first key K;
receiving (i) a public key of an embedded universal integrated circuit card (eUICC) for the module, and (ii) an eUICC identity for the module;
conducting a second authentication of a user associated with the network module identity;
deriving a symmetric key using a key exchange algorithm with input of at least the public key and a private key associated with a server, wherein a second key K is encrypted using the symmetric key;
sending, after the second authentication, the encrypted second key K to the module; and
conducting a third authentication with the module using the second key K.
Dependent claims: 12, 13, 14, 15, 16, 17, 18.

19. A system to support authentication of a module, the system comprising:
a first server for processing a network module identity, a first key K, and a second key K, wherein the first server encrypts the second key K with a symmetric key, and for sending the network module identity, the first key K, and the encrypted second key K to a subscription manager;
a second server for receiving the network module identity from the module via a wireless network, and for conducting a first authentication using the network module identity and the first key K, and, after a second authentication, for conducting a third authentication with the module using the second key K;
a third server for conducting the second authentication of a user associated with the network module identity, and for enabling the wireless network to use, after the second authentication, the symmetric key with the module.
Dependent claims: 20, 21, 22, 23, 24, 25, 26.
Specification