公开(公告)号：US20180249332A1

公开(公告)日：2018-08-30

申请号：US15873856

申请日：2018-01-17

Applicant: Apple Inc.

Inventor： Stephan V. SCHELL ,  Arun G. MATHIAS ,  Jerrold Von HAUCK ,  David T. HAGGERTY ,  Kevin McLAUGHLIN ,  Ben-Heng JUANG ,  Li LI

IPC: H04W12/06 ,  H04W12/08 ,  H04W12/04 ,  H04W8/20 ,  H04L29/06 ,  H04W4/50 ,  G06F21/57 ,  G06F21/45 ,  H04W4/60 ,  H04L29/08

CPC classification number: H04W12/06 ,  G06F21/45 ,  G06F21/57 ,  H04L63/08 ,  H04L63/0853 ,  H04L63/123 ,  H04L63/20 ,  H04L67/34 ,  H04W4/50 ,  H04W4/60 ,  H04W8/205 ,  H04W12/04 ,  H04W12/08

Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

公开(公告)号：US20170278097A1

公开(公告)日：2017-09-28

申请号：US15482478

申请日：2017-04-07

Applicant: Apple Inc.

Inventor： David T. HAGGERTY ,  Ahmer A. KHAN ,  Christopher B. SHARP ,  Jerrold Von HAUCK ,  Joakim LINDE ,  Kevin P. MCLAUGHLIN ,  Mehdi ZIAT ,  Yousuf H. VAID

IPC: G06Q20/36 ,  G06Q20/38 ,  G06Q20/34 ,  G06Q20/12 ,  G06Q20/32

CPC classification number: G06Q20/36 ,  G06Q20/1235 ,  G06Q20/3227 ,  G06Q20/3552 ,  G06Q20/382

Abstract: Methods and apparatus for the deployment of financial instruments and other assets are disclosed. In one embodiment, a security software protocol is disclosed that guarantees that the asset is always securely encrypted, that one and only one copy of an asset exists, and the asset is delivered to an authenticated and/or authorized customer. Additionally, exemplary embodiments of provisioning systems are disclosed that are capable of, among other things, handling large bursts of traffic (such as can occur on a so-called “launch day” of a device).

公开(公告)号：US20150256345A1

公开(公告)日：2015-09-10

申请号：US14279109

申请日：2014-05-15

Applicant: Apple Inc.

Inventor： Yousuf H. VAID ,  Christopher B. SHARP ,  Medhi ZIAT ,  Li LI ,  Jerrold Von HAUCK ,  Ramiro SARMIENTO ,  Jean-Marc PADOVA

IPC: H04L9/32

CPC classification number: H04L9/3268

Abstract: Disclosed herein is a technique for revoking a root certificate from at least one client device. In particular, the technique involves causing a secure element—which is included in the at least one client device and is configured to store the root certificate as well as at least one backup root certificate—to permanently disregard the root certificate and prevent the at least one client device from utilizing the specific root certificate. According to one embodiment, this revocation occurs in response to a receiving a revocation message that directly targets the root certificate, where the message includes at least two levels of authentication that are verified by the secure element prior to carrying out the revocation. Once the root certificate is revoked, the secure element can continue to utilize the at least one backup root certificate, while permanently disregarding the revoked root certificate.

Abstract translation: 本文公开了一种用于从至少一个客户端设备撤销根证书的技术。 特别地，该技术涉及引起安全元件，其包括在至少一个客户端设备中并且被配置为存储根证书以及至少一个备份根证书，以永久地忽略根证书，并且至少防止 一个客户端设备利用特定的根证书。 根据一个实施例，该撤销响应于接收直接针对根证书的撤销消息而发生，其中该消息包括在执行撤销之前由安全元件验证的至少两个认证级别。 根证书被撤销后，安全元素可以继续使用至少一个备份根证书，同时永久忽略已撤销的根证书。

公开(公告)号：US20140298018A1

公开(公告)日：2014-10-02

申请号：US14257971

申请日：2014-04-21

Applicant: Apple Inc.

Inventor： David T. HAGGERTY ,  Jerrold Von HAUCK ,  Kevin McLAUGHLIN

IPC: H04L29/06 ,  H04L9/30

CPC classification number: H04L63/10 ,  H04L9/30 ,  H04L63/0428 ,  H04L63/062 ,  H04L63/0853 ,  H04L2209/24 ,  H04W4/02 ,  H04W4/60 ,  H04W8/265 ,  H04W12/02 ,  H04W12/06

Abstract: Apparatus and methods for efficiently distributing and storing access control clients within a network. In one embodiment, the access clients include electronic Subscriber Identity Modules (eSIMs), and an eSIM distribution network infrastructure is described which enforces eSIM uniqueness and conservation, distributes network traffic to prevent “bottle necking” congestion, and provides reasonable disaster recovery capabilities. In one variant, eSIMs are securely stored at electronic Universal Integrated Circuit Card (eUICC) appliances which ensure eSIM uniqueness and conservation. Access to the eUICC appliances is made via multiple eSIM depots, which ensure that network load is distributed. Persistent storage is additionally described, for among other activities, archiving and backup.

Abstract translation: 用于在网络内高效地分发和存储访问控制客户端的装置和方法。 在一个实施例中，访问客户端包括电子订户身份模块（eSIM），并且描述了实施eSIM​​唯一性和保存的eSIM分发网络基础设施，分发网络流量以防止“瓶颈缩小”拥塞，并提供合理的灾难恢复能力。 在一个变体中，eSIM被安全地存储在电子通用集成电路卡（eUICC）设备中，确保eSIM的独特性和保存性。 通过多个eSIM仓库访问eUICC设备，确保网络负载分布。 另外描述了持久存储，用于其他活动中的归档和备份。

公开(公告)号：US20200177450A1

公开(公告)日：2020-06-04

申请号：US16780621

申请日：2020-02-03

Applicant: Apple Inc.

Inventor： Li LI ,  Yousuf H. VAID ,  Christopher B. SHARP ,  Arun G. MATHIAS ,  David T. HAGGERTY ,  Jerrold Von HAUCK

IPC: H04L12/24 ,  H04W12/06 ,  H04W8/20 ,  H04L29/06 ,  H04W8/18 ,  H04B1/3827 ,  H04B1/3816

Abstract: Representative embodiments described herein set forth techniques for optimizing large-scale deliveries of electronic Subscriber Identity Modules (eSIMs) to mobile devices. Specifically, instead of generating and assigning eSIMs when mobile devices are being activated—which can require significant processing overhead—eSIMs are pre-generated with a basic set of information, and are later-assigned to the mobile devices when they are activated. This can provide considerable benefits over conventional approaches that involve generating and assigning eSIMs during mobile device activation, especially when new mobile devices (e.g., smartphones, tablets, etc.) are being launched and a large number of eSIM assignment requests are to be fulfilled in an efficient manner.

公开(公告)号：US20180295511A1

公开(公告)日：2018-10-11

申请号：US15944738

申请日：2018-04-03

Applicant: Apple Inc.

Inventor： Xiangying YANG ,  Li LI ,  Jerrold Von HAUCK

IPC: H04W12/06 ,  H04L9/32 ,  H04W4/60 ,  G06F21/32 ,  H04W12/08 ,  H04W4/50

CPC classification number: H04W12/06 ,  G06F21/32 ,  H04L9/3231 ,  H04L9/3271 ,  H04L2209/80 ,  H04W4/50 ,  H04W4/60 ,  H04W12/08

Abstract: The embodiments set forth techniques for an embedded Universal Integrated Circuit Card (eUICC) to conditionally require, when performing management operations in association with electronic Subscriber Identity Modules (eSIMs), human-based authentication. The eUICC receives a request to perform a management operation in association with an eSIM. In response, the eUICC determines whether a policy being enforced by the eUICC indicates that a human-based authentication is required prior to performing the management operation. Next, the eUICC causes the mobile device to prompt a user of the mobile device to carry out the human-based authentication. The management operation is then performed or ignored in accordance with results of the human-based authentication.

公开(公告)号：US20180278604A1

公开(公告)日：2018-09-27

申请号：US15936331

申请日：2018-03-26

Applicant: Apple Inc.

Inventor： Xiangying YANG ,  Li LI ,  Jerrold Von HAUCK

IPC: H04L29/06 ,  H04W12/06 ,  H04W12/04

CPC classification number: H04L63/0853 ,  H04L63/0428 ,  H04L63/062 ,  H04L63/065 ,  H04L63/068 ,  H04L63/105 ,  H04W12/04 ,  H04W12/06 ,  H05K999/99

Abstract: A method for establishing a secure communication channel between an off-card entity and an embedded Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, an off-card entity, and each eUICC in a set of eUICCs managed by the off-card entity, possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the eUICC and the off-card entity can authenticate one another in accordance with the respectively-possessed PKI information (e.g., verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward security is desired. Once the shared session-based symmetric key is established, the off-card entity and the eUICC can securely communicate information.

公开(公告)号：US20170188234A1

公开(公告)日：2017-06-29

申请号：US15373308

申请日：2016-12-08

Applicant: Apple Inc.

Inventor： Stephan V. SCHELL ,  Jerrold Von HAUCK

IPC: H04W12/06 ,  H04W8/18 ,  H04L29/06

CPC classification number: H04W12/06 ,  H04L63/0823 ,  H04W4/50 ,  H04W4/60 ,  H04W8/18 ,  H04W8/205 ,  H04W8/265

Abstract: Disclosed herein is a technique for securely provisioning access control entities (e.g., electronic Subscriber Identity Module (eSIM) components) to a user equipment (UE) device. In one embodiment, a UE device is assigned a unique key and an endorsement certificate that can be used to provide updates or new eSIMs to the UE device. The UE device can trust eSIM material delivered by an unknown third-party eSIM vendor, based on a secure certificate transmission with the unique key. In another aspect, an operating system (OS) is partitioned into various sandboxes. During operation, the UE device can activate and execute the OS in the sandbox corresponding to a current wireless network. Personalization packages received while connected to the network only apply to that sandbox. Similarly, when loading an eSIM, the OS need only load the list of software necessary for the current run-time environment. Unused software can be subsequently activated.

公开(公告)号：US20160345162A1

公开(公告)日：2016-11-24

申请号：US15157332

申请日：2016-05-17

Applicant: Apple Inc.

Inventor： Li LI ,  Yousuf H. VAID ,  Christopher B. SHARP ,  Arun G. MATHIAS ,  David T. HAGGERTY ,  Jerrold Von HAUCK

IPC: H04W8/18 ,  H04W12/06 ,  H04L12/24 ,  H04B1/3816 ,  H04B1/3827

Abstract: Representative embodiments described herein set forth techniques for optimizing large-scale deliveries of electronic Subscriber Identity Modules (eSIMs) to mobile devices. Specifically, instead of generating and assigning eSIMs when mobile devices are being activated—which can require significant processing overhead—eSIMs are pre-generated with a basic set of information, and are later-assigned to the mobile devices when they are activated. This can provide considerable benefits over conventional approaches that involve generating and assigning eSIMs during mobile device activation, especially when new mobile devices (e.g., smartphones, tablets, etc.) are being launched and a large number of eSIM assignment requests are to be fulfilled in an efficient manner.

Abstract translation: 本文描述的代表性实施例阐述了用于优化向移动设备大规模地递送电子订户身份模块（eSIM）的技术。 具体而言，代替在移动设备被激活时生成和分配eSIM，这可能需要很大的处理开销 - eSIM是用一组基本信息预先生成的，并且在激活时被分配给移动设备。 这可以提供相当于在移动设备激活期间生成和分配eSIM的传统方法的显着优点，特别是当新的移动设备（例如，智能电话，平板电脑等）正在启动并且大量的eSIM分配请求将被满足时 有效的方式。

公开(公告)号：US20160249214A1

公开(公告)日：2016-08-25

申请号：US14868257

申请日：2015-09-28

Applicant: Apple Inc.

Inventor： Li LI ,  Jerrold Von HAUCK ,  Arun G. MATHIAS

IPC: H04W12/06

Abstract: Disclosed herein are different techniques for enabling a mobile device to dynamically support different authentication algorithms. A first technique involves configuring an eUICC included in the mobile device to implement various authentication algorithms that are utilized by MNOs (e.g., MNOs with which the mobile device can interact). Specifically, this technique involves the eUICC storing executable code for each of the various authentication algorithms. According to this technique, the eUICC is configured to manage at least one eSIM, where the eSIM includes (i) an identifier that corresponds to one of the various authentication algorithms implemented by the eUICC, and (ii) authentication parameters that are compatible with the authentication algorithm. A second technique involves configuring the eUICC to interface with an eSIM to extract (i) executable code for an authentication algorithm used by an MNO that corresponds to the eSIM, and (ii) authentication parameters that are compatible with the authentication algorithm.

Abstract translation: 这里公开了使移动设备能够动态地支持不同认证算法的不同技术。 第一种技术涉及配置包括在移动设备中的eUICC来实现由MNO（例如，移动设备可以与之交互的MNO）利用的各种认证算法。 具体地说，这种技术涉及用于各种认证算法中的每一种的可执行代码的eUICC。 根据该技术，eUICC被配置为管理至少一个eSIM，其中eSIM包括（i）对应于由eUICC实现的各种认证算法之一的标识符，以及（ii）与 认证算法。 第二种技术是将eUICC配置为与eSIM进行接口，以提取（i）与eSIM对应的MNO使用的认证算法的可执行代码，以及（ii）与认证算法兼容的认证参数。