Abstract:
A secure element (SE) in a device processes profile policy rule (PPR) update information received in a message. The SE uses a rule authorization table (RAT), when processing the message, to control whether a PPR ON/OFF state will be adjusted. The PPR information identifies a profile. For example, a mobile network operator (MNO) in control of the profile may specify a policy indicating that the profile is to be deleted when the profile is disabled. The SE consults the RAT to determine verification rules for the identified policy. In some embodiments, public key infrastructure techniques authenticating a signature are used to verify that the MNO has signed the message. If the signature fails the verification, no change is made to the PPR ON/OFF state.
Abstract:
Representative embodiments set forth techniques for enabling a mobile device to be a member of various trust circles. According to some embodiments, an embedded Universal Integrated Circuit Card (eUICC) included in the mobile device can be configured to store, for each trust circle of which the eUICC is a member, at least one digital certificate associated with a Certificate Authority (CA) that serves as a root of the trust circle. In this manner, the at least one digital certificate for each trust circle enables the eUICC to participate as a member of the trust circle. According to some embodiments, the eUICC can be pre-configured to include digital certificates that establish membership in trust circles that the mobile device may encounter during operation. Moreover, the eUICC can also be updated to modify the different trust circles, which can further enable the functionality of the mobile device to evolve throughout its operation.
Abstract:
The embodiments set forth techniques for enabling mobile devices to trigger an electronic Subscriber Identity Module (eSIM) provisioning process. In some embodiments, a main operating system (OS) of the mobile device communicates a provisioning command to an embedded Universal Integrated Circuit Card (eUICC) included in the mobile device. In turn, the provisioning command causes the eUICC to establish a secure channel with a provisioning server. The provisioning command can include, for example, a network address (e.g., a uniform resource locator (URL), Internet Protocol (IP) address, etc.) associated with the provisioning server, an indication of a security protocol to be used for the secure channel, and/or other information. Using this information, the eUICC establishes the secure channel with the provisioning server, whereupon the provisioning server can provision the eSIM to the eUICC over the secure channel.
Abstract:
A method for establishing a secure communication channel between an off-card entity and an embedded Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, an off-card entity, and each eUICC in a set of eUICCs managed by the off-card entity, possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the eUICC and the off-card entity can authenticate one another in accordance with the respectively-possessed PKI information (e.g., verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward security is desired. Once the shared session-based symmetric key is established, the off-card entity and the eUICC can securely communicate information.
Abstract:
An apparatus is configured to engage in an embedded subscriber identity module (eSIM) profile transfer process in which a target device, executing a first operating system (OS) that implements a first protocol stack related to eSIM profile transfers, receives an eSIM profile from a source device executing a second OS that implements a second protocol stack related to eSIM profile transfers, wherein the first protocol stack and the second protocol stack are different. The apparatus processes, based on signals received from the source device, a token for transferring the eSIM profile; generates, for transmission to an enablement server, a request for the eSIM profile, wherein the request comprises the token; and processes, based on signals received from the enablement server, the eSIM profile.
Abstract:
This application sets forth techniques for authenticating a mobile device with a cellular wireless network without electronic Subscriber Identity Module (eSIM) credentials by using an Extensible Authentication Protocol Transport Layer Security (EAP-TLS) procedure. The mobile device authenticates with an Authentication Server Function (AUSF) of the cellular wireless network using an embedded Universal Integrated Circuit Card (eUICC) certificate. Processing circuitry of the mobile wireless device external to the eUICC implements the EAP-TLS procedure and authenticates validity of the AUSF. In some embodiments, the eUICC provides key generation and storage for a session key for communication between the mobile device and the cellular wireless network. In some embodiments, a third-party managed Unified Data Management (UDM) broker authenticates the mobile device based on knowledge of the eUICC certificate and provides a session key to the cellular wireless network for subsequent communication with the mobile device, upon successful authentication of the mobile device.
Abstract:
A user equipment (UE) may attempt to access an edge data network. The UE generates a first credential based on a second credential, the second credential having been generated for a procedure between the UE and a cellular network, generates an identifier corresponding to the first credential, and generates a multi-access edge computing (MEC) authorization parameter. The UE then transmits an application registration request message to a server associated with an edge data network, the application registration request message including an indication of the first credential, the identifier corresponding to the first credential, and the MEC authorization parameter. The UE then receives an authentication accept message or an authentication reject message from the server associated with the edge data network.
Abstract:
Embodiments described herein relate to credential wrapping for secure transfer of electronic SIMs (eSIMs) between wireless devices. Transfer of an eSIM from a source device to a target device includes re-encryption of sensitive eSIM data, e.g., eSIM encryption keys, financial transaction credentials, transit authority credentials, and the like, using new encryption keys that include ephemeral elements applicable to a single, particular transfer session between the source device and the target device. The sensitive eSIM data encrypted with a symmetric key (Ks) is re-wrapped with a new header that includes a version of Ks encrypted with a new key encryption key (KEK) and information to derive KEK by the target device. The re-encrypted sensitive SIM data is formatted with additional eSIM data into a new bound profile package (BPP) to transfer the eSIM from the source device to the target device.
Abstract:
Techniques to protect subscriber identity in messages communicated between a user equipment (UE) and a cellular wireless network entity by using multiple ephemeral asymmetric keys are disclosed. The UE determines multiple ephemeral UE public and secret key pairs, while the cellular wireless network entity provides a network public key to the UE. The network public key may be updated over time. Multiple encryption keys based on the multiple ephemeral UE secret keys and the network public key are derived and used to encrypt a subscription permanent identifier (SUPI) to generate multiple subscription concealed identifiers (SUCIs). Each SUCI is used only once for messages communicated to a cellular wireless network and is discarded after use. New SUCIs are generated when the network public key is updated.
Abstract:
A device for wireless terminal authentication may include at least one processor configured to receive, from a wireless terminal device, a request for user information, the request comprising a certificate corresponding to the wireless terminal device. The at least one processor may be further configured to verify the certificate based at least in part on a public key stored on the device. The at least one processor may be further configured to, when the certificate is verified, determine whether the certificate indicates that the wireless terminal device is authorized to receive the requested user information. The at least one processor may be further configured to transmit, to the wireless terminal device, the requested user information when the certificate indicates that the wireless terminal device is authorized to receive the requested user information.