公开(公告)号：US09722975B2

公开(公告)日：2017-08-01

申请号：US14789905

申请日：2015-07-01

Applicant: Apple Inc.

Inventor： Xiangying Yang ,  Li Li ,  Jerrold Von Hauck

IPC: H04L29/06

CPC classification number: H04L63/0853 ,  H04L63/0428 ,  H04L63/062 ,  H04L63/065 ,  H04L63/068 ,  H04L63/105 ,  H04W12/04 ,  H04W12/06

Abstract: A method for establishing a secure communication channel between an off-card entity and an embedded Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, an off-card entity, and each eUICC in a set of eUICCs managed by the off-card entity, possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the eUICC and the off-card entity can authenticate one another in accordance with the respectively-possessed PKI information (e.g., verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward security is desired. Once the shared session-based symmetric key is established, the off-card entity and the eUICC can securely communicate information.

公开(公告)号：US09626114B2

公开(公告)日：2017-04-18

申请号：US14682037

申请日：2015-04-08

Applicant: Apple Inc.

Inventor： Li Li ,  Ben-Heng Juang ,  Arun G. Mathias

IPC: G06F12/00 ,  G06F3/06 ,  G06F12/02 ,  G06F11/34 ,  H04W8/24

CPC classification number: G06F3/0617 ,  G06F3/0622 ,  G06F3/0637 ,  G06F3/0653 ,  G06F3/0679 ,  G06F11/3466 ,  G06F12/0246 ,  H04W8/245

Abstract: The invention provides a technique for managing write operations issued to a non-volatile memory included in a wireless device. A monitor software application executes on the wireless device and is configured to determine that a number of write operations issued to the non-volatile memory is greater than or equal to a write operation threshold associated with the non-volatile memory. In response, at least one application is isolated as the application responsible for issuing excessive write operations. The isolation can be carried out locally on the wireless device, or the isolation can be carried out remotely at a server by sending information about the write operations to the server. The monitor then limits additional write operations from being issued to the non-volatile memory so as to protect the non-volatile memory from becoming corrupted or inoperable.

公开(公告)号：US09473943B2

公开(公告)日：2016-10-18

申请号：US14639861

申请日：2015-03-05

Applicant: Apple Inc.

Inventor： Li Li ,  Ben-Heng Juang ,  Arun G. Mathias

IPC: H04M1/66 ,  H04L29/06 ,  G06F13/00 ,  H04W12/08 ,  H04W8/22 ,  H04W4/00 ,  H04W8/18 ,  H04W12/06

CPC classification number: H04W12/08 ,  H04L63/083 ,  H04W4/50 ,  H04W8/183 ,  H04W8/22 ,  H04W12/06

Abstract: Apparatus and methods for managing and sharing data across multiple access control clients in devices. In one embodiment, the access control clients comprise electronic Subscriber Identity Modules (eSIMs) disposed on an embedded Universal Integrated Circuit Card (eUICC). Each eSIM contains its own data. An Advanced Subscriber Identity Toolkit application maintained within the eUICC facilitates managing and sharing multiple eSIMs' data for various purposes such as sharing phonebook contacts or facilitating automatic switch-over between the multiple eSIMs (such as based on user context).

Abstract translation: 用于在设备中的多个访问控制客户端上管理和共享数据的装置和方法。 在一个实施例中，访问控制客户端包括设置在嵌入式通用集成电路卡（eUICC）上的电子订户身份模块（eSIM）。 每个eSIM都包含自己的数据。 在eUICC内部维护的高级用户身份工具包应用程序便于管理和共享多个eSIM的数据，用于各种目的，例如共享电话簿联系人或促进多个eSIM之间的自动切换（例如基于用户上下文）。

公开(公告)号：US09439062B2

公开(公告)日：2016-09-06

申请号：US14503048

申请日：2014-09-30

Applicant: Apple Inc.

Inventor： Li Li ,  Xiangying Yang

IPC: H04W8/18 ,  H04W88/06 ,  H04W8/20

CPC classification number: H04W8/183 ,  H04W8/205 ,  H04W88/06

Abstract: Embodiments are described for identifying and accessing an electronic subscriber identity module (eSIM) and associated content of the eSIM in a multiple eSIM configuration. An embedded Universal Integrated Circuit Card (eUICC) can include multiple eSIMs, where each eSIM can include its own file structures and applications. Some embodiments include a processor of a mobile device transmitting a special command to the eUICC, including an identification that uniquely identifies an eSIM in the eUICC. After selecting the eSIM, the processor can access file structures and applications of the selected eSIM. The processor can then use existing commands to access content in the selected eSIM. The special command can direct the eUICC to activate or deactivate content associated with the selected eSIM. Other embodiments include an eUICC platform operating system interacting with eSIMs associated with logical channels to facilitate identification and access to file structures and applications of the eSIMs.

Abstract translation: 描述了用于在多个eSIM配置中识别和访问电子订户身份模块（eSIM）和eSIM的相关内容的实施例。 嵌入式通用集成电路卡（eUICC）可以包括多个eSIM，每个eSIM可以包括其自己的文件结构和应用程序。 一些实施例包括向eUICC发送特殊命令的移动设备的处理器，包括在eUICC中唯一地标识eSIM的标识。 选择eSIM后，处理器可以访问所选eSIM的文件结构和应用程序。 然后，处理器可以使用现有命令访问所选eSIM中的内容。 特殊命令可以指示eUICC激活或停用与所选eSIM相关联的内容。 其他实施例包括与与逻辑信道相关联的eSIM交互的eUICC平台操作系统，以便于识别和访问eSIM的文件结构和应用。

公开(公告)号：US20150341791A1

公开(公告)日：2015-11-26

申请号：US14715761

申请日：2015-05-19

Applicant: Apple Inc.

Inventor： Xiangying Yang ,  Li Li ,  Jerrold Von Hauck

IPC: H04W12/08 ,  H04L29/06 ,  H04L9/32 ,  H04L9/08

CPC classification number: H04W12/08 ,  G06F21/33 ,  G06F21/34 ,  G06F21/602 ,  G06F2221/2107 ,  H04L9/0822 ,  H04L9/0825 ,  H04L9/0877 ,  H04L9/3234 ,  H04L63/0853 ,  H04L2209/80 ,  H04W8/205 ,  H04W12/06

Abstract: A method for preparing an eSIM for provisioning is provided. The method can include a provisioning server encrypting the eSIM with a symmetric key. The method can further include the provisioning server, after determining a target eUICC to which the eSIM is to be provisioned, encrypting the symmetric key with a key encryption key derived based at least in part on a private key associated with the provisioning server and a public key associated with the target eUICC. The method can additionally include the provisioning server formatting an eSIM package including the encrypted eSIM, the encrypted symmetric key, and a public key corresponding to the private key associated with the provisioning server. The method can also include the provisioning server sending the eSIM package to the target eUICC.

Abstract translation: 提供了一种用于准备用于配置的eSIM的方法。 该方法可以包括用对称密钥加密eSIM的供应服务器。 所述方法还可以包括所述供应服务器，在确定要向其提供所述eSIM的目标eUICC之后，至少部分地基于与所述供应服务器相关联的私钥和公共的公共密钥来加密所述对称密钥，所述密钥加密密钥 与目标eUICC相关联的关键。 该方法还可以包括配置服务器格式化包括加密eSIM，加密对称密钥和对应于与配置服务器相关联的私有密钥的公钥的eSIM包。 该方法还可以包括配置服务器将eSIM包发送到目标eUICC。

公开(公告)号：US09148841B2

公开(公告)日：2015-09-29

申请号：US13762897

申请日：2013-02-08

Applicant: Apple Inc.

Inventor： Li Li ,  Stephan V. Schell

IPC: H04M1/66 ,  H04W48/06 ,  H04W28/02 ,  H04W52/02 ,  H04W8/20 ,  H04W12/12 ,  H04L29/14 ,  H04W8/26 ,  H04W28/06 ,  H04W74/00

CPC classification number: H04W12/12 ,  H04L69/40 ,  H04W8/20 ,  H04W8/265 ,  H04W28/0289 ,  H04W28/06 ,  H04W48/06 ,  H04W52/0212 ,  H04W74/004 ,  Y02D70/1224 ,  Y02D70/1242 ,  Y02D70/1262 ,  Y02D70/142 ,  Y02D70/144 ,  Y02D70/146 ,  Y02D70/166

Abstract: Methods and apparatus for correcting error events associated with identity provisioning. In one embodiment, repeated requests for access control clients are responded to with the execution of a provisioning feedback mechanism which is intended to prevent the unintentional (or even intentional) over-consumption or waste of network resources via the delivery of an excessive amount of access control clients. These provisioning feedback mechanisms include rate-limiting algorithms and/or methodologies which place a cost on the user. Apparatus for implementing the aforementioned provisioning feedback mechanisms are also disclosed and include specialized user equipment and/or network side equipment such as a subscriber identity module provisioning server (SPS).

Abstract translation: 用于纠正与身份提供相关的错误事件的方法和装置。 在一个实施例中，对访问控制客户机的重复请求响应于供应反馈机制的执行，其旨在通过传递过多的访问来防止无意（甚至故意的）过度消费或浪费网络资源 控制客户端。 这些供应反馈机制包括对用户造成成本的速率限制算法和/或方法。 还公开了用于实现上述提供反馈机制的装置，并且包括专用用户设备和/或诸如订户身份模块提供服务器（SPS）的网络侧设备。

公开(公告)号：US20140143826A1

公开(公告)日：2014-05-22

申请号：US14085951

申请日：2013-11-21

Applicant: Apple Inc.

Inventor： Christopher B. Sharp ,  Yousuf H. Vaid ,  Li Li ,  Jerrold V. Hauck ,  Arun G. Mathias ,  Xiangying Yang ,  Kevin P. McLaughlin

IPC: G06F21/60

CPC classification number: G06F21/604 ,  H04L63/102 ,  H04L63/105 ,  H04L63/20 ,  H04W12/08

Abstract: A policy-based framework is described. This policy-based framework may be used to specify the privileges for logical entities to perform operations associated with an access-control element (such as an electronic Subscriber Identity Module) located within a secure element in an electronic device. Note that different logical entities may have different privileges for different operations associated with the same or different access-control elements. Moreover, the policy-based framework may specify types of credentials that are used by the logical entities during authentication, so that different types of credentials may be used for different operations and/or by different logical entities. Furthermore, the policy-based framework may specify the security protocols and security levels that are used by the logical entities during authentication, so that different security protocols and security levels may be used for different operations and/or by different logical entities.

Abstract translation: 描述了基于策略的框架。 该基于策略的框架可以用于指定逻辑实体执行与位于电子设备中的安全元件内的访问控制元素（例如电子订户身份模块）相关联的操作的权限。 注意，对于与相同或不同的访问控制元素相关联的不同操作，不同的逻辑实体可以具有不同的权限。 此外，基于策略的框架可以指定在认证期间由逻辑实体使用的凭证的类型，使得不同类型的凭证可以用于不同的操作和/或由不同的逻辑实体使用。 此外，基于策略的框架可以指定在认证期间由逻辑实体使用的安全协议和安全级别，使得不同的安全协议和安全级别可以用于不同的操作和/或不同的逻辑实体。