公开(公告)号：US20200092095A1

公开(公告)日：2020-03-19

申请号：US16566723

申请日：2019-09-10

Applicant: Apple Inc.

Inventor： Xiangying YANG ,  Li LI

IPC: H04L9/08 ,  H04W8/18 ,  H04L9/32 ,  H04L29/06

Abstract: This application describes various embodiments to manage multiple security certificates in a wireless device, including switching between different security certificates to support different functions, including supporting connectivity for multiple industry sectors that use different certificate authorities, and/or supporting different operational modes that require different security certificates for performing administrative functions. The wireless device includes a smart secure platform (SSP) or an embedded Universal Integrated Circuit Card (eUICC) that stores multiple security certificates to use for different industry sectors and/or for different operational modes.

公开(公告)号：US20190065749A1

公开(公告)日：2019-02-28

申请号：US16026912

申请日：2018-07-03

Applicant: Apple Inc.

Inventor： Xiangying YANG

IPC: G06F21/57 ,  G06F8/65 ,  H04L29/08 ,  H04W4/12

Abstract: An operating system (OS) update to a secure element (SE) may be commanded, for example, in order to fix a security bug, upgrade a version of an OS, provide mobile network operator (MNO) specific extensions such as to an application programming interface (API) or to cause OS/profile switching. Many of these OS updates will affect one or more profiles present on the SE. An MNO associated with a given profile will benefit in some instances by being provided with a notification of the OS update, since the OS update may affect SE capabilities and thus affect what a given profile can or cannot do after the OS update occurs. Embodiments provided herein create notification entries that will appropriately inform the concerned MNO. In some embodiments, a capability linking variable (“linkedcapability”) is used to determine whether an SE capability change should trigger transmission of a notification to the concerned MNO.

公开(公告)号：US20170353320A1

公开(公告)日：2017-12-07

申请号：US15686023

申请日：2017-08-24

Applicant: Apple Inc.

Inventor： Xiangying YANG

IPC: H04L9/32 ,  H04L9/08 ,  H04L29/06

CPC classification number: H04L9/3268 ,  H04L9/0825 ,  H04L9/3239 ,  H04L9/3247 ,  H04L63/0442 ,  H04L63/123 ,  H04L63/1425 ,  H04L2209/38 ,  H04L2209/56 ,  H04L2463/121 ,  H04W12/00502 ,  H04W12/0806 ,  H04W12/10 ,  H04W12/12

Abstract: A secure element (SE) with a notion of time useful for checking secure items is disclosed herein. Use of Public Key Infrastructure (PKI) with secure elements is improved by verifying secure items used by an SE. Methods of obtaining time information by the SE include push, pull, opportunistic, local interface, and multi-check methods. The SE uses the time information to evaluate arriving and stored public key certificates and to discard those which fail the evaluation. The SE, in some embodiments, uses the time information in cooperation with certificate revocation lists (CRLs) and/or online certificate status protocol (OCSP) stapling procedures. A multi-check architecture is provided herein by which more than entity is involved in checking a time value before the time value reaches the SE. The multi-check architecture uses both PKI and blockchain techniques.

公开(公告)号：US20170338954A1

公开(公告)日：2017-11-23

申请号：US15602027

申请日：2017-05-22

Applicant: Apple Inc.

Inventor： Xiangying YANG ,  Li LI

IPC: H04L9/08 ,  H04L9/32 ,  H04L29/06

CPC classification number: H04L9/0863 ,  H04L9/0838 ,  H04L9/0894 ,  H04L9/3273 ,  H04L63/0435 ,  H04L63/067 ,  H04L63/0853 ,  H04L2463/061 ,  H04W12/0023 ,  H04W12/02 ,  H04W12/04 ,  H04W12/06

Abstract: A device hosting a universal integrated circuit card (UICC or eUICC) initiates a provisioning call flow with an electronic subscriber identity module (eSIM) server. The purpose of the provisioning call flow is to perform a particular provisioning action or function. The eSIM server, the device and/or the eUICC maintain state information related to the provisioning call flow. The provisioning call flow includes generation of a one-time public key (otPK) at the eUICC. The provisioning call flow is interrupted by an error event before, for example, successful installation of a profile in the eUICC. A subsequent provisioning call flow is initiated. The eSIM server assists the eUICC to recover from the error event based on the state information of the eSIM server, the device and/or the eUICC. In some embodiments, the recovery and subsequent successful profile installation makes use of the otPK generated during the earlier provisioning call flow.

公开(公告)号：US20170280328A1

公开(公告)日：2017-09-28

申请号：US15619167

申请日：2017-06-09

Applicant: Apple Inc.

Inventor： Xiangying YANG ,  Li LI ,  Jerrold Von HAUCK

IPC: H04W12/08 ,  G06F21/33 ,  G06F21/34 ,  G06F21/60 ,  H04L29/06 ,  H04L9/08 ,  H04L9/32 ,  H04W12/06 ,  H04W8/20

CPC classification number: H04W12/08 ,  G06F21/33 ,  G06F21/34 ,  G06F21/602 ,  G06F2221/2107 ,  H04L9/0822 ,  H04L9/0825 ,  H04L9/0877 ,  H04L9/3234 ,  H04L63/0853 ,  H04L2209/80 ,  H04W8/205 ,  H04W12/06

Abstract: A method for preparing an eSIM for provisioning is provided. The method can include a provisioning server encrypting the eSIM with a symmetric key. The method can further include the provisioning server, after determining a target eUICC to which the eSIM is to be provisioned, encrypting the symmetric key with a key encryption key derived based at least in part on a private key associated with the provisioning server and a public key associated with the target eUICC. The method can additionally include the provisioning server formatting an eSIM package including the encrypted eSIM, the encrypted symmetric key, and a public key corresponding to the private key associated with the provisioning server. The method can also include the provisioning server sending the eSIM package to the target eUICC.

公开(公告)号：US20170279619A1

公开(公告)日：2017-09-28

申请号：US15469387

申请日：2017-03-24

Applicant: Apple Inc.

Inventor： Xiangying YANG

IPC: H04L9/32 ,  H04L9/00

CPC classification number: H04L9/3268 ,  H04L9/006 ,  H04L9/3234 ,  H04L9/3236 ,  H04L2209/80

Abstract: A device assists an embedded Universal Integrated Circuit Card (eUICC) resident in the device with verification of public key information or of security materials. The verification provided by the device can be configured by the user and/or by the eUICC. The verification includes checking for expiration of public key information or presence of an associated public key in a trusted list. The trusted list in some instances includes pinning hash values. The device can warn an end user and/or an infrastructure entity, of an issue if the verification fails. An extension of certificate revocation lists includes a logical indication of least one new public key in a CRL list. A CRL data field may also indicate a previous CRL, where the previous CRL is the most recent CRL containing a public key listing with at least one new entry.

公开(公告)号：US20170250826A1

公开(公告)日：2017-08-31

申请号：US15442016

申请日：2017-02-24

Applicant: Apple Inc.

Inventor： Xiangying YANG

IPC: H04L9/32 ,  H04L29/06

CPC classification number: H04L9/3268 ,  H04L9/0891 ,  H04L63/0442 ,  H04L63/061 ,  H04L63/0823

Abstract: A secure element (SE) with a notion of time useful for checking secure items is disclosed herein. Use of Public Key Infrastructure (PKI) with secure elements is improved by verifying secure items used by an SE. Methods of obtaining time information by the SE include push, pull, opportunistic, and local interface methods. The SE uses the time information to evaluate arriving and stored public key certificates and to discard those which fail the evaluation. The SE, in some embodiments, uses the time information in cooperation with certificate revocation lists (CRLs) and/or online certificate status protocol (OCSP) stapling procedures.

公开(公告)号：US20170127264A1

公开(公告)日：2017-05-04

申请号：US15340933

申请日：2016-11-01

Applicant: Apple Inc.

Inventor： Xiangying YANG ,  Li LI

IPC: H04W8/18 ,  H04L29/06 ,  H04W12/10 ,  H04W12/04

CPC classification number: H04W8/183 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/0823 ,  H04L2209/80 ,  H04W4/60 ,  H04W8/205 ,  H04W12/02 ,  H04W12/04 ,  H04W12/10

Abstract: Methods and apparatus for provisioning electronic Subscriber Identity Module (eSIM) data by a mobile device are disclosed. Processing circuitry of the mobile device transfers encrypted eSIM data to an embedded Universal Integrated Circuit Card (eUICC) of the mobile device as a series of data messages and receives corresponding response messages for each data message from the eUICC. The response messages from the eUICC are formatted with a tag field that indicates encryption and signature verification properties for the response message. Different values in the tag field indicate whether the response message is (i) encrypted and verifiably signed, (ii) verifiably signed only, or (iii) includes plain text information. Response messages without encryption are readable by the processing circuitry, and processing of the response messages, including forwarding to network elements, such as to a provisioning server are based at least in part on values in the tag field.

公开(公告)号：US20170093565A1

公开(公告)日：2017-03-30

申请号：US15279343

申请日：2016-09-28

Applicant: Apple Inc.

Inventor： Xiangying YANG ,  Li LI

IPC: H04L9/08 ,  H04W12/04

CPC classification number: H04L9/0822 ,  H04L9/0841 ,  H04L63/0428 ,  H04L2209/80 ,  H04L2463/062 ,  H04W8/205 ,  H04W12/02 ,  H04W12/04 ,  H04W12/06

Abstract: Methods for provisioning electronic Subscriber Identity Modules (eSIMs) to electronic Universal Integrated Circuit Cards (eUICCs) are provided. One method involves a provisioning server configured to encrypt the eSIM with a symmetric key (Ke). The provisioning server, upon identifying a target eUICC, encrypts the symmetric key with a key encryption key (KEK) derived based at least in part on a private key associated with the provisioning server and a public key associated with the target eUICC. The provisioning server generates an eSIM package including the encrypted eSIM, the encrypted symmetric key, a public key corresponding to the private key associated with the provisioning server, as well as additional information that enables the target eUICC to, upon receipt of the eSIM package, identify a private key that corresponds to the public key associated with the target eUICC and used to derive the KEK.

公开(公告)号：US20250080970A1

公开(公告)日：2025-03-06

申请号：US18824522

申请日：2024-09-04

Applicant: Apple Inc.

Inventor： Raj S CHAUGULE ,  Hyewon LEE ,  Jean-Marc PADOVA ,  Li LI ,  Rohan C MALTHANKAR ,  Sherman X JIN ,  Suraj GUPTA ,  Xiangying YANG ,  Zexing SHI

IPC: H04W8/20

Abstract: An apparatus configured to engage in an embedded subscriber identity module (eSIM) profile transfer process to transfer an eSIM profile from a source device executing a first operating system (OS) that implements a first protocol stack related to eSIM profile transfers to a target device executing a second OS that implements a second protocol stack related to eSIM profile transfers, wherein the first protocol stack and the second protocol stack are different, process, based on signaling received from an entitlement server, a token for transferring the eSIM profile and generate, for transmission to the target device, a message comprising the token.