-
Publication No.: US09626520B2
Publication Date: 2017-04-18
Application No.: US14815391
Application Date: 2015-07-31
Applicant: Apple Inc.
Inventor: Christopher B. Sharp , Yousuf H. Vaid , Li Li , Jerrold Von Hauck , Arun G. Mathias , Xiangying Yang , Kevin P. McLaughlin
CPC classification number: G06F21/604 , H04L63/102 , H04L63/105 , H04L63/20 , H04W12/08
Abstract: A policy-based framework is described. This policy-based framework may be used to specify the privileges for logical entities to perform operations associated with an access-control element (such as an electronic Subscriber Identity Module) located within a secure element in an electronic device. Note that different logical entities may have different privileges for different operations associated with the same or different access-control elements. Moreover, the policy-based framework may specify types of credentials that are used by the logical entities during authentication, so that different types of credentials may be used for different operations and/or by different logical entities. Furthermore, the policy-based framework may specify the security protocols and security levels that are used by the logical entities during authentication, so that different security protocols and security levels may be used for different operations and/or by different logical entities.
-
Publication No.: US09619799B2
Publication Date: 2017-04-11
Application No.: US14174791
Application Date: 2014-02-06
Applicant: Apple Inc.
Inventor: David T. Haggerty , Ahmer A. Khan , Christopher B. Sharp , Jerrold Von Hauck , Joakim Linde , Kevin P. McLaughlin , Mehdi Ziat , Yousuf H. Vaid
CPC classification number: G06Q20/36 , G06Q20/1235 , G06Q20/3227 , G06Q20/3552 , G06Q20/382
Abstract: Methods and apparatus for the deployment of financial instruments and other assets are disclosed. In one embodiment, a security software protocol is disclosed that guarantees that the asset is always securely encrypted, that one and only one copy of an asset exists, and the asset is delivered to an authenticated and/or authorized customer. Additionally, exemplary embodiments of provisioning systems are disclosed that are capable of, among other things, handling large bursts of traffic (such as can occur on a so-called “launch day” of a device).
-
Publication No.: US09332012B2
Publication Date: 2016-05-03
Application No.: US14684273
Application Date: 2015-04-10
Applicant: Apple Inc.
Inventor: Jerrold Von Hauck , David T. Haggerty , Kevin McLaughlin
CPC classification number: H04L9/32 , H04L9/08 , H04L9/12 , H04L9/30 , H04L63/06 , H04L63/0853 , H04W12/04 , H04W12/06
Abstract: Apparatus and methods for storing and controlling access control clients. In one embodiment, transmitting and receiving devices ensure that only one copy of an eSIM is active at any time. Specifically, each transferred eSIM is encrypted for the destination device; the eSIM from the source device is deleted, deactivated, or otherwise rendered unusable. Various aspects of network infrastructure are also described, including electronic Universal Integrated Circuit Card (eUICC) appliances, and mobile devices. Various scenarios for transfer of eSIMs are also disclosed.
-
Publication No.: US10856148B2
Publication Date: 2020-12-01
Application No.: US16557770
Application Date: 2019-08-30
Applicant: Apple Inc.
Inventor: Li Li , Xiangying Yang , Jerrold Von Hauck , Christopher B. Sharp , Yousuf H. Vaid , Arun G. Mathias , David T. Haggerty , Najeeb M. Abdulrahiman
Abstract: Methods and apparatus for user authentication and human intent verification of administrative operations for eSIMs of an eUICC included in a mobile device are disclosed. Certain administrative operations, such as import, modification, and/or export, of an eSIM and/or for an eUICC's firmware can require user authentication and/or human intent verification before execution of the administrative operations is performed or completed by the mobile device. A user of the mobile device provides information to link an external user account to an eSIM upon (or subsequent to) installation on the eUICC. User credentials, such as a user name and password, and/or information generated therefrom, can be used to authenticate the user with an external server. In response to successful user authentication, the administrative operations are performed. Human intent verification can also be performed in conjunction with user authentication to prevent malware from interfering with eSIM and/or eUICC functions of the mobile device.
-
Publication No.: US10425818B2
Publication Date: 2019-09-24
Application No.: US16384844
Application Date: 2019-04-15
Applicant: Apple Inc.
Inventor: Xiangying Yang , Li Li , Jerrold Von Hauck
Abstract: The embodiments set forth techniques for an embedded Universal Integrated Circuit Card (eUICC) to conditionally require, when performing management operations in association with electronic Subscriber Identity Modules (eSIMs), human-based authentication. The eUICC receives a request to perform a management operation in association with an eSIM. In response, the eUICC determines whether a policy being enforced by the eUICC indicates that a human-based authentication is required prior to performing the management operation. Next, the eUICC causes the mobile device to prompt a user of the mobile device to carry out the human-based authentication. The management operation is then performed or ignored in accordance with results of the human-based authentication.
-
Publication No.: US09930527B2
Publication Date: 2018-03-27
Application No.: US15373308
Application Date: 2016-12-08
Applicant: Apple Inc.
Inventor: Stephan V. Schell , Jerrold Von Hauck
CPC classification number: H04W12/06 , H04L63/0823 , H04W4/50 , H04W4/60 , H04W8/18 , H04W8/205 , H04W8/265
Abstract: Disclosed herein is a technique for securely provisioning access control entities (e.g., electronic Subscriber Identity Module (eSIM) components) to a user equipment (UE) device. In one embodiment, a UE device is assigned a unique key and an endorsement certificate that can be used to provide updates or new eSIMs to the UE device. The UE device can trust eSIM material delivered by an unknown third-party eSIM vendor, based on a secure certificate transmission with the unique key. In another aspect, an operating system (OS) is partitioned into various sandboxes. During operation, the UE device can activate and execute the OS in the sandbox corresponding to a current wireless network. Personalization packages received while connected to the network only apply to that sandbox. Similarly, when loading an eSIM, the OS need only load the list of software necessary for the current run-time environment. Unused software can be subsequently activated.
-
Publication No.: US09930035B2
Publication Date: 2018-03-27
Application No.: US15630710
Application Date: 2017-06-22
Applicant: Apple Inc.
Inventor: Xiangying Yang , Li Li , Jerrold Von Hauck
IPC: H04L29/06
CPC classification number: H04L63/0853 , H04L63/0428 , H04L63/062 , H04L63/065 , H04L63/068 , H04L63/105 , H04W12/04 , H04W12/06
Abstract: A method for establishing a secure communication channel between an off-card entity and an embedded Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, an off-card entity, and each eUICC in a set of eUICCs managed by the off-card entity, possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the eUICC and the off-card entity can authenticate one another in accordance with the respectively-possessed PKI information (e.g., verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward security is desired. Once the shared session-based symmetric key is established, the off-card entity and the eUICC can securely communicate information.
-
Publication No.: US09877194B2
Publication Date: 2018-01-23
Application No.: US15099444
Application Date: 2016-04-14
Applicant: Apple Inc.
Inventor: Stephan V. Schell , Arun G. Mathias , Jerrold Von Hauck , David T. Haggerty , Kevin McLaughlin , Ben-Heng Juang , Li Li
CPC classification number: H04W12/06 , G06F21/45 , G06F21/57 , H04L63/08 , H04L63/0853 , H04L63/123 , H04L63/20 , H04L67/34 , H04W4/50 , H04W4/60 , H04W8/205 , H04W12/04 , H04W12/08
Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.
-
Publication No.: US09843585B2
Publication Date: 2017-12-12
Application No.: US14995154
Application Date: 2016-01-13
Applicant: Apple Inc.
Inventor: David T. Haggerty , Jerrold Von Hauck , Ben-Heng Juang , Li Li , Arun G. Mathias , Kevin McLaughlin , Avinash Narasimhan , Christopher Sharp , Yousuf H. Vaid , Xiangying Yang
CPC classification number: H04L63/10 , H04L63/06 , H04L63/0823 , H04L63/0853 , H04L63/205 , H04W8/18 , H04W8/183 , H04W8/20 , H04W12/06
Abstract: Methods and apparatus for large scale distribution of electronic access control clients. In one aspect, a tiered security software protocol is disclosed. In one exemplary embodiment, a server electronic Universal Integrated Circuit Card (eUICC) and client eUICC software comprise a so-called “stack” of software layers. Each software layer is responsible for a set of hierarchical functions which are negotiated with its corresponding peer software layer. The tiered security software protocol is configured for large scale distribution of electronic Subscriber Identity Modules (eSIMs).
-
Publication No.: US09621356B2
Publication Date: 2017-04-11
Application No.: US14279109
Application Date: 2014-05-15
Applicant: Apple Inc.
Inventor: Yousuf H. Vaid , Christopher B. Sharp , Medhi Ziat , Li Li , Jerrold Von Hauck , Ramiro Sarmiento , Jean-Marc Padova
IPC: H04L9/32
CPC classification number: H04L9/3268
Abstract: Disclosed herein is a technique for revoking a root certificate from at least one client device. In particular, the technique involves causing a secure element—which is included in the at least one client device and is configured to store the root certificate as well as at least one backup root certificate—to permanently disregard the root certificate and prevent the at least one client device from utilizing the specific root certificate. According to one embodiment, this revocation occurs in response to receiving a revocation message that directly targets the root certificate, where the message includes at least two levels of authentication that are verified by the secure element prior to carrying out the revocation. Once the root certificate is revoked, the secure element can continue to utilize the at least one backup root certificate, while permanently disregarding the revoked root certificate.