公开(公告)号：WO2016032842A2

公开(公告)日：2016-03-03

申请号：PCT/US2015/046052

申请日：2015-08-20

Applicant: APPLE INC.

Inventor： YANG, Xiangying ,  LI, Li ,  HAUCK, Jerrold Von

IPC: H04W8/18 ,  H04W12/06 ,  H04W88/02

CPC classification number: H04W12/06 ,  G06F21/32 ,  H04L9/3231 ,  H04L9/3271 ,  H04L2209/80 ,  H04W4/50 ,  H04W4/60 ,  H04W12/08

Abstract: The embodiments set forth techniques for an embedded Universal Integrated Circuit Card (eUICC) to conditionally require, when performing management operations in association with electronic Subscriber Identity Modules (eSIMs), human-based authentication. The eUICC receives a request to perform a management operation in association with an eSIM. In response, the eUICC determines whether a policy being enforced by the eUICC indicates that a human-based authentication is required prior to performing the management operation. Next, the eUICC causes the mobile device to prompt a user of the mobile device to carry out the human-based authentication. The management operation is then performed or ignored in accordance with results of the human-based authentication.

Abstract translation: 这些实施例阐述了当执行与电子订户身份模块（eSIM）相关联的管理操作时，嵌入式通用集成电路卡（eUICC）有条件地要求基于人的认证的技术。 eUICC收到与eSIM关联的执行管理操作的请求。 作为响应，eUICC确定在执行管理操作之前eUICC执行的策略是否指示需要基于人的认证。 接下来，eUICC使移动设备提示移动设备的用户执行基于人的认证。 然后根据基于人的认证的结果执行或忽略管理操作。

公开(公告)号：WO2016153977A1

公开(公告)日：2016-09-29

申请号：PCT/US2016/023062

申请日：2016-03-18

Applicant: APPLE INC.

Inventor： LI, Li ,  YANG, Xiangying ,  HAUCK, Jerrold Von ,  SHARP, Christopher, B. ,  VAID, Yousuf, H. ,  MATHIAS, Arun, G. ,  HAGGERTY, David, T. ,  ABDULRAHIMAN, Najeeb, M.

IPC: H04W12/06 ,  H04L9/32 ,  G06F21/31 ,  H04W4/00

CPC classification number: H04W12/06 ,  H04L41/28 ,  H04L63/083 ,  H04L63/0838 ,  H04L63/0853

Abstract: Methods and apparatus for user authentication and human intent verification of administrative operations for eSIMs of an eUICC included in a mobile device are disclosed. Certain administrative operations, such as import, modification, and/or export, of an eSEVI and/or for an eUICCs firmware can require user authentication and/or human intent verification before execution of the administrative operations are performed or completed by the mobile device. A user of the mobile device provides information to link an external user account to an eSEVI upon (or subsequent to) installation on the eUICC. User credentials, such as a user name and password, and/or information generated therefrom, can be used to authenticate the user with an external server. In response to successful user authentication, the administrative operations are performed. Human intent verification can also be performed in conjunction with user authentication to prevent malware from interfering with eSIM and/or eUICC functions of the mobile device.

Abstract translation: 公开了用于移动设备中包括的eUICC的eSIM的管理操作的用户认证和人为意图验证的方法和装置。 eSEVI和/或eUICC固件的某些管理操作（例如导入，修改和/或导出）可能需要在由移动设备执行或完成执行管理操作之前的用户认证和/或人为意图验证。 移动设备的用户提供在eUICC上（或之后）安装时将外部用户帐户链接到eSEVI的信息。 可以使用诸如用户名和密码的用户凭证和/或从其生成的信息来用外部服务器认证用户。 响应成功的用户认证，执行管理操作。 人员意图验证还可以与用户认证一起执行，以防止恶意软件干扰移动设备的eSIM和/或eUICC功能。

公开(公告)号：WO2016004162A1

公开(公告)日：2016-01-07

申请号：PCT/US2015/038748

申请日：2015-07-01

Applicant: APPLE INC.

Inventor： YANG, Xiangying ,  LI, Li ,  HAUCK, Jerrold Von

IPC: H04L9/30 ,  H04L9/08

CPC classification number: H04L63/0853 ,  H04L63/0428 ,  H04L63/062 ,  H04L63/065 ,  H04L63/068 ,  H04L63/105 ,  H04W12/04 ,  H04W12/06

Abstract: A method for establishing a secure communication channel between an off-card entity and an electronic Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, an off-card entity, and each eUICC in a set of eUICCs managed by the off-card entity, possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the eUICC and the off-card entity can authenticate one another in accordance with the respectively-possessed PKI information (e.g., verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward security is desired. Once the shared session-based symmetric key is established, the off-card entity and the eUICC can securely communicate information.

Abstract translation: 提供了一种用于在卡外实体和电子通用集成电路卡（eUICC）之间建立安全通信信道的方法。 该方法涉及建立在范围上短暂的对称密钥。 具体来说，脱卡实体和由脱机实体管理的一组eUICC中的每个eUICC具有长期公钥基础设施（PKI）信息。 当在离线卡实体和eUICC之间建立一个安全通信信道时，eUICC和离开卡实体可以根据分别拥有的PKI信息（例如，验证公开密钥）来彼此认证。 认证后，离线卡实体和eUICC建立共享的基于会话的对称密钥，用于实现安全通信信道。 具体地，基于会话的对称密钥是根据是否需要完美的或半正向的安全来生成的。 一旦建立了共享的基于会话的对称密钥，离卡实体和eUICC就可以安全地传递信息。

公开(公告)号：WO2014124108A1

公开(公告)日：2014-08-14

申请号：PCT/US2014/015050

申请日：2014-02-06

Applicant: APPLE INC.

Inventor： HAGGERTY, David T. ,  KHAN, Ahmer A. ,  SHARP, Christopher ,  HAUCK, Jerrold Von ,  LINDE, Joakim ,  MCLAUGHLIN, Kevin P. ,  ZIAT, Mehdi ,  VAID, Yousuf H.

IPC: G06Q20/40

CPC classification number: G06Q20/36 ,  G06Q20/1235 ,  G06Q20/3227 ,  G06Q20/3552 ,  G06Q20/382

Abstract: Methods and apparatus for the deployment of financial instruments and other assets are disclosed. In one embodiment, a security software protocol is disclosed that guarantees that the asset is always securely encrypted, that one and only one copy of an asset exists, and the asset is delivered to an authenticated and/or authorized customer. Additionally, exemplary embodiments of provisioning systems are disclosed that are capable of, among other things, handling large bursts of traffic (such as can occur on a so-called "launch day" of a device).

Abstract translation: 披露部署金融工具和其他资产的方法和手段。 在一个实施例中，公开了一种安全软件协议，其保证资产始终被安全地加密，存在资产的一个且仅一个副本，并且该资产被传递给认证的和/或授权的客户。 此外，公开了供应系统的示例性实施例，其能够处理大量业务突发（例如可能发生在设备的所谓“启动日”）。

公开(公告)号：WO2014043040A1

公开(公告)日：2014-03-20

申请号：PCT/US2013/058818

申请日：2013-09-09

Applicant: APPLE INC.

Inventor： LI, Li ,  JUANG, Ben-Heng ,  MATHIAS, Arun G. ,  HAUCK, Jerrold Von

IPC: H04W12/08 ,  H04W88/02

CPC classification number: H04W12/08 ,  H04W8/183

Abstract: Apparatus and methods for managing and sharing data across multiple access control clients in devices are disclosed herein. In one embodiment, the access control clients comprise electronic Subscriber Identity Modules (eSIMs) disposed on an embedded Universal Integrated Circuit Card (eUICC). Each eSIM contains its own data. An Advanced Subscriber Identity Toolkit application maintained within the eUICC facilitates managing and sharing multiple eSIMs' data for various purposes such as sharing phonebook contacts or facilitating automatic switch-over between the multiple eSIMs (such as based on user context).

Abstract translation: 本文公开了用于在设备中的多个访问控制客户端上管理和共享数据的装置和方法。 在一个实施例中，访问控制客户端包括设置在嵌入式通用集成电路卡（eUICC）上的电子订户身份模块（eSIM）。 每个eSIM都包含自己的数据。 在eUICC内部维护的高级用户身份工具包应用程序便于管理和共享多个eSIM的数据，用于各种目的，例如共享电话簿联系人或促进多个eSIM之间的自动切换（例如基于用户上下文）。

公开(公告)号：WO2016186901A1

公开(公告)日：2016-11-24

申请号：PCT/US2016/031670

申请日：2016-05-10

Applicant: APPLE INC.

Inventor： LI, Li ,  HAUCK, Jerrold Von ,  VAID, Yousuf H. ,  SHARP, Christopher B. ,  MATHIAS, Arun G. ,  HAGGERTY, David T.

IPC: H04W8/20 ,  H04W4/00 ,  H04W88/02

CPC classification number: H04L41/0806 ,  H04B1/3816 ,  H04B1/3827 ,  H04L63/0853 ,  H04L63/20 ,  H04W8/18 ,  H04W8/205

Abstract: Representative embodiments described herein set forth techniques for optimizing large-scale deliveries of electronic Subscriber Identity Modules (eSIMs) to mobile devices. Specifically, instead of generating and assigning eSIMs when mobile devices are being activated-which can require significant processing overhead-eSIMs are pre-generated with a basic set of information, and are later-assigned to the mobile devices when they are activated. This can provide considerable benefits over conventional approaches that involve generating and assigning eSIMs during mobile device activation, especially when new mobile devices (e.g., smartphones, tablets, etc.) are being launched and a large number of eSIM assignment requests are to be fulfilled in an efficient manner.

Abstract translation: 本文描述的代表性实施例阐述了用于优化向移动设备大规模地递送电子订户身份模块（eSIM）的技术。 具体而言，代替在移动设备被激活时生成和分配eSIM，这可能需要很大的处理开销 - eSIM是用一组基本信息预先生成的，并且在激活时被分配给移动设备。 这可以提供相当于在移动设备激活期间生成和分配eSIM的传统方法的显着优点，特别是当新的移动设备（例如，智能电话，平板电脑等）正在启动并且大量的eSIM分配请求将被满足时 有效的方式。

公开(公告)号：WO2015179507A1

公开(公告)日：2015-11-26

申请号：PCT/US2015/031760

申请日：2015-05-20

Applicant: APPLE INC.

Inventor： YANG, Xiangying ,  LI, Li ,  HAUCK, Jerrold Von

IPC: H04W12/08 ,  H04W12/04 ,  H04W8/20

CPC classification number: H04W12/08 ,  G06F21/33 ,  G06F21/34 ,  G06F21/602 ,  G06F2221/2107 ,  H04L9/0822 ,  H04L9/0825 ,  H04L9/0877 ,  H04L9/3234 ,  H04L63/0853 ,  H04L2209/80 ,  H04W8/205 ,  H04W12/06

Abstract: A method for preparing an eSIM for provisioning is provided. The method can include a provisioning server encrypting the eSIM with a symmetric key. The method can further include the provisioning server, after determining a target eUICC to which the eSIM is to be provisioned, encrypting the symmetric key with a key encryption key derived based at least in part on a private key associated with the provisioning server and a public key associated with the target eUICC. The method can additionally include the provisioning server formatting an eSIM package including the encrypted eSIM, the encrypted symmetric key, and a public key corresponding to the private key associated with the provisioning server. The method can also include the provisioning server sending the eSIM package to the target eUICC.

Abstract translation: 提供了一种用于准备用于配置的eSIM的方法。 该方法可以包括用对称密钥加密eSIM的配置服务器。 所述方法还可以包括：在确定要向其提供eSIM的目标eUICC之后，所述供应服务器至少部分地基于与所述供应服务器相关联的私钥和公共的公共密钥来加密所述对称密钥 与目标eUICC相关联的密钥。 该方法还可以包括配置服务器格式化包括加密eSIM，加密对称密钥和对应于与配置服务器相关联的私有密钥的公钥的eSIM包。 该方法还可以包括配置服务器将eSIM包发送到目标eUICC。

公开(公告)号：EP3275232A1

公开(公告)日：2018-01-31

申请号：EP16769395.1

申请日：2016-03-18

Applicant: Apple Inc.

Inventor： LI, Li ,  YANG, Xiangying ,  HAUCK, Jerrold Von ,  SHARP, Christopher, B. ,  VAID, Yousuf, H. ,  MATHIAS, Arun, G. ,  HAGGERTY, David, T. ,  ABDULRAHIMAN, Najeeb, M.

IPC: H04W12/06 ,  H04L9/32 ,  G06F21/31 ,  H04W4/00

Abstract: Methods and apparatus for user authentication and human intent verification of administrative operations for eSIMs of an eUICC included in a mobile device are disclosed. Certain administrative operations, such as import, modification, and/or export, of an eSIM and/or for an eUICCs firmware can require user authentication and/or human intent verification before execution of the administrative operations are performed or completed by the mobile device. A user of the mobile device provides information to link an external user account to an eSIM upon (or subsequent to) installation on the eUICC. User credentials, such as a user name and password, and/or information generated therefrom, can be used to authenticate the user with an external server. In response to successful user authentication, the administrative operations are performed. Human intent verification can also be performed in conjunction with user authentication to prevent malware from interfering with eSIM and/or eUICC functions of the mobile device.

公开(公告)号：EP3059923A1

公开(公告)日：2016-08-24

申请号：EP16152557.1

申请日：2016-01-25

Applicant: APPLE INC.

Inventor： LI, Li ,  HAUCK, Jerrold Von ,  MATHIAS, Arun G.

IPC: H04L29/06 ,  H04L29/08 ,  H04W4/00 ,  H04W8/20 ,  H04W12/04 ,  H04W12/06 ,  H04W12/08

Abstract: Disclosed herein are different techniques for enabling a mobile device to dynamically support different authentication algorithms. A first technique involves configuring an eUICC included in the mobile device to implement various authentication algorithms that are utilized by MNOs (e.g., MNOs with which the mobile device can interact). Specifically, this technique involves the eUICC storing executable code for each of the various authentication algorithms. According to this technique, the eUICC is configured to manage at least one eSIM, where the eSIM includes (i) an identifier that corresponds to one of the various authentication algorithms implemented by the eUICC, and (ii) authentication parameters that are compatible with the authentication algorithm. A second technique involves configuring the eUICC to interface with an eSIM to extract (i) executable code for an authentication algorithm used by an MNO that corresponds to the eSIM, and (ii) authentication parameters that are compatible with the authentication algorithm.

Abstract translation: 这里公开了使移动设备能够动态地支持不同认证算法的不同技术。 第一技术涉及配置包括在移动设备中的eUICC以实现由MNO（例如，移动设备可以与之交互的MNO）利用的各种认证算法。 具体地说，这种技术涉及用于各种认证算法中的每一种的可执行代码的eUICC。 根据该技术，eUICC被配置为管理至少一个eSIM，其中eSIM包括（i）对应于由eUICC实现的各种认证算法之一的标识符，以及（ii）与 认证算法。 第二种技术涉及配置eUICC与eSIM接口，以提取（i）与eSIM相对应的MNO使用的认证算法的可执行代码，以及（ii）与认证算法兼容的认证参数。

公开(公告)号：EP3164960A1

公开(公告)日：2017-05-10

申请号：EP15814676.1

申请日：2015-07-01

Applicant: Apple Inc.

Inventor： YANG, Xiangying ,  LI, Li ,  HAUCK, Jerrold Von

IPC: H04L9/30 ,  H04L9/08

CPC classification number: H04L63/0853 ,  H04L63/0428 ,  H04L63/062 ,  H04L63/065 ,  H04L63/068 ,  H04L63/105 ,  H04W12/04 ,  H04W12/06 ,  H05K999/99

Abstract: A method for establishing a secure communication channel between an off-card entity and an embedded Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, an off-card entity, and each eUICC in a set of eUICCs managed by the off-card entity, possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the eUICC and the off-card entity can authenticate one another in accordance with the respectively-possessed PKI information (e.g., verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward security is desired. Once the shared session-based symmetric key is established, the off-card entity and the eUICC can securely communicate information.

Abstract translation: 提供了用于在离卡实体和嵌入式通用集成电路卡（eUICC）之间建立安全通信信道的方法。 该方法涉及建立范围内短暂的对称密钥。 具体来说，一个非授权实体和一套由授权实体管理的eUICC中的每个eUICC拥有长期的公钥基础设施（PKI）信息。 当在离卡实体和eUICC之间建立安全通信信道时，eUICC和离卡实体可以根据各自拥有的PKI信息（例如，验证公钥）相互认证。 认证后，离卡实体和eUICC建立共享的基于会话的对称密钥，用于实现安全通信通道。 具体而言，根据是否期望完美或半前向安全性来生成共享的基于会话的对称密钥。 一旦建立了基于共享会话的对称密钥，离卡实体和eUICC就可以安全地传递信息。