公开(公告)号：US20160063260A1

公开(公告)日：2016-03-03

申请号：US14815391

申请日：2015-07-31

Applicant: Apple Inc.

Inventor： Christopher B. SHARP ,  Yousuf H. VAID ,  Li LI ,  Jerrold Von HAUCK ,  Arun G. MATHIAS ,  Xiangying YANG ,  Kevin P. McLAUGHLIN

IPC: G06F21/60 ,  H04W12/08 ,  H04L29/06

CPC classification number: G06F21/604 ,  H04L63/102 ,  H04L63/105 ,  H04L63/20 ,  H04W12/08

Abstract: A policy-based framework is described. This policy-based framework may be used to specify the privileges for logical entities to perform operations associated with an access-control element (such as an electronic Subscriber Identity Module) located within a secure element in an electronic device. Note that different logical entities may have different privileges for different operations associated with the same or different access-control elements. Moreover, the policy-based framework may specify types of credentials that are used by the logical entities during authentication, so that different types of credentials may be used for different operations and/or by different logical entities. Furthermore, the policy-based framework may specify the security protocols and security levels that are used by the logical entities during authentication, so that different security protocols and security levels may be used for different operations and/or by different logical entities.

Abstract translation: 描述了基于策略的框架。 该基于策略的框架可以用于指定逻辑实体执行与位于电子设备中的安全元件内的访问控制元素（例如电子订户身份模块）相关联的操作的权限。 注意，对于与相同或不同的访问控制元素相关联的不同操作，不同的逻辑实体可以具有不同的权限。 此外，基于策略的框架可以指定在认证期间由逻辑实体使用的凭证的类型，使得不同类型的凭证可以用于不同的操作和/或由不同的逻辑实体使用。 此外，基于策略的框架可以指定在认证期间由逻辑实体使用的安全协议和安全级别，使得不同的安全协议和安全级别可以用于不同的操作和/或不同的逻辑实体。

公开(公告)号：US20150326568A1

公开(公告)日：2015-11-12

申请号：US14684273

申请日：2015-04-10

Applicant: Apple Inc.

Inventor： Jerrold Von HAUCK ,  David T. HAGGERTY ,  Kevin McLAUGHLIN

IPC: H04L29/06 ,  H04W12/06 ,  H04W12/04

CPC classification number: H04L9/32 ,  H04L9/08 ,  H04L9/12 ,  H04L9/30 ,  H04L63/06 ,  H04L63/0853 ,  H04W12/04 ,  H04W12/06

Abstract: Apparatus and methods for storing and controlling access control clients. In one embodiment, transmitting and receiving devices ensure that only one copy of an eSIM is active at any time. Specifically, each transferred eSIM is encrypted for the destination device; the eSIM from the source device is deleted, deactivated, or otherwise rendered unusable. Various aspects of network infrastructure are also described, including electronic Universal Integrated Circuit Card (eUICC) appliances, and mobile devices. Various scenarios for transfer of eSIMs are also disclosed.

Abstract translation: 用于存储和控制访问控制客户端的装置和方法。 在一个实施例中，发送和接收设备确保在任何时间只有一个eSIM的副本被激活。 具体来说，每个转移的eSIM对目的设备进行加密; 来自源设备的eSIM被删除，停用或以其他方式呈现不可用。 还描述了网络基础设施的各个方面，包括电子通用集成电路卡（eUICC）电器和移动设备。 还披露了用于传送eSIM的各种场景。

公开(公告)号：US20150074780A1

公开(公告)日：2015-03-12

申请号：US14543773

申请日：2014-11-17

Applicant: Apple Inc.

Inventor： Stephan V. SCHELL ,  Jerrold Von HAUCK

IPC: H04W12/06 ,  H04L29/06

CPC classification number: H04W12/06 ,  H04L63/0823 ,  H04W4/50 ,  H04W4/60 ,  H04W8/18 ,  H04W8/205 ,  H04W8/265

Abstract: Disclosed herein is a technique for securely provisioning access control entities (e.g., electronic Subscriber Identity Module (eSIM) components) to a user equipment (UE) device. In one embodiment, a UE device is assigned a unique key and an endorsement certificate that can be used to provide updates or new eSIMs to the UE device. The UE device can trust eSIM material delivered by an unknown third-party eSIM vendor, based on a secure certificate transmission with the unique key. In another aspect, an operating system (OS) is partitioned into various sandboxes. During operation, the UE device can activate and execute the OS in the sandbox corresponding to a current wireless network. Personalization packages received while connected to the network only apply to that sandbox. Similarly, when loading an eSIM, the OS need only load the list of software necessary for the current run-time environment. Unused software can be subsequently activated.

Abstract translation: 本文公开了一种用于将访问控制实体（例如，电子订户身份模块（eSIM）组件）安全地提供给用户设备（UE）设备的技术。 在一个实施例中，向UE设备分配唯一密钥和可用于向UE设备提供更新或新eSIM的签注证书。 基于使用唯一密钥的安全证书传输，UE设备可以信任由未知的第三方eSIM供应商提供的eSIM资料。 在另一方面，操作系统（OS）被划分成各种沙盒。 在操作期间，UE设备可以在对应于当前无线网络的沙箱中激活并执行OS。 连接到网络时收到的个性化包仅适用于该沙盒。 同样，当加载eSIM时，操作系统只需加载当前运行时环境所需的软件列表。 未使用的软件可以随后激活。

公开(公告)号：US20140349705A1

公开(公告)日：2014-11-27

申请号：US14288212

申请日：2014-05-27

Applicant: Apple Inc.

Inventor： David T. HAGGERTY ,  Jerrold Von HAUCK ,  Stephan V. SCHELL ,  Arun G. MATHIAS

IPC: H04W88/06

CPC classification number: H04W88/06 ,  G06Q30/06 ,  H04L67/34 ,  H04W4/50 ,  H04W8/183

Abstract: Apparatus and methods for distributing electronic access client modules for use with electronic devices. In one embodiment, the access client modules are virtual subscriber identity modules (VSIMs) that can be downloaded from online services for use with cellular-equipped devices such as smartphones. The online services may include a point of sale (POS) system that sells electronic devices to users. A broker may be used to facilitate the selection of a virtual subscriber identity module. A provisioning service may also be used to provision the selected VSIM.

Abstract translation: 用于分发用于电子设备的电子访问客户端模块的装置和方法。 在一个实施例中，接入客户端模块是虚拟订户身份模块（VSIM），其可以从在线服务下载，以便与配备蜂窝的设备如智能电话一起使用。 在线服务可以包括向用户销售电子设备的销售点（POS）系统。 可以使用代理来促进对虚拟订户身份模块的选择。 还可以使用供应服务来配置所选择的VSIM。

公开(公告)号：US20170280328A1

公开(公告)日：2017-09-28

申请号：US15619167

申请日：2017-06-09

Applicant: Apple Inc.

Inventor： Xiangying YANG ,  Li LI ,  Jerrold Von HAUCK

IPC: H04W12/08 ,  G06F21/33 ,  G06F21/34 ,  G06F21/60 ,  H04L29/06 ,  H04L9/08 ,  H04L9/32 ,  H04W12/06 ,  H04W8/20

CPC classification number: H04W12/08 ,  G06F21/33 ,  G06F21/34 ,  G06F21/602 ,  G06F2221/2107 ,  H04L9/0822 ,  H04L9/0825 ,  H04L9/0877 ,  H04L9/3234 ,  H04L63/0853 ,  H04L2209/80 ,  H04W8/205 ,  H04W12/06

Abstract: A method for preparing an eSIM for provisioning is provided. The method can include a provisioning server encrypting the eSIM with a symmetric key. The method can further include the provisioning server, after determining a target eUICC to which the eSIM is to be provisioned, encrypting the symmetric key with a key encryption key derived based at least in part on a private key associated with the provisioning server and a public key associated with the target eUICC. The method can additionally include the provisioning server formatting an eSIM package including the encrypted eSIM, the encrypted symmetric key, and a public key corresponding to the private key associated with the provisioning server. The method can also include the provisioning server sending the eSIM package to the target eUICC.

公开(公告)号：US20160218874A1

公开(公告)日：2016-07-28

申请号：US15091424

申请日：2016-04-05

Applicant: Apple Inc.

Inventor： Jerrold Von HAUCK ,  David T. HAGGERTY ,  Kevin McLAUGHLIN

IPC: H04L9/32 ,  H04L9/30 ,  H04L29/06 ,  H04W12/04

CPC classification number: H04L9/32 ,  H04L9/08 ,  H04L9/12 ,  H04L9/30 ,  H04L63/06 ,  H04L63/0853 ,  H04W12/04 ,  H04W12/06

Abstract: Apparatus and methods for storing and controlling access control clients. In one embodiment, transmitting and receiving devices ensure that only one copy of an eSIM is active at any time. Specifically, each transferred eSIM is encrypted for the destination device; the eSIM from the source device is deleted, deactivated, or otherwise rendered unusable. Various aspects of network infrastructure are also described, including electronic Universal Integrated Circuit Card (eUICC) appliances, and mobile devices. Various scenarios for transfer of eSIMs are also disclosed.

公开(公告)号：US20160044493A1

公开(公告)日：2016-02-11

申请号：US14814484

申请日：2015-07-30

Applicant: Apple Inc.

Inventor： Stephan V. SCHELL ,  Jerrold Von HAUCK

IPC: H04W8/18 ,  H04W12/06 ,  H04W4/00 ,  H04W8/20

CPC classification number: H04W8/183 ,  G06F21/34 ,  H04L63/0853 ,  H04L67/34 ,  H04W4/50 ,  H04W4/80 ,  H04W8/205 ,  H04W8/265 ,  H04W12/06

Abstract: Described herein is a simulacrum security device and methods. In one embodiment, a simulacrum or likeness of a physical security device is provided for use in conjunction with a software emulation of the security device. In one implementation, a “faux SIM card” is provided that does not contain Subscriber Identification Module (SIM) information itself, but instead enables a user to download Electronic SIM (eSIM) information (e.g., from a network or eSIM server) which is loaded into a software emulation of a Universal Integrated Circuit Card (UICC) device. The faux card is printed with an activation code, scan pattern, or other activation or access information. The subscriber purchases the faux card, and enters the activation code into a device; the entered activation code enables the device to log onto a network, and download the appropriate eSIM data. Delivery of eSIM information as enabled by the faux card addresses deficiencies in existing SIM distribution schemes, provides users with an enhanced perception of security, and further addresses various legal requirements.

Abstract translation: 这里描述的是模拟安全装置和方法。 在一个实施例中，提供物理安全设备的模拟或相似性以与安全设备的软件仿真结合使用。 在一个实现中，提供了不包含用户识别模块（SIM）信息本身的“人造SIM卡”，而是使用户能够下载电子SIM（eSIM）信息（例如，从网络或eSIM服务器） 加载到通用集成电路卡（UICC）设备的软件仿真中。 虚拟卡被打印有激活码，扫描模式或其他激活或访问信息。 用户购买人造卡，并将激活码输入设备; 输入的激活码使设备登录到网络上，并下载相应的eSIM数据。 通过人造卡实现的eSIM信息交付解决了现有SIM分配方案中的缺陷，为用户提供了增强的安全认知，并进一步解决了各种法律要求。

公开(公告)号：US20150312698A1

公开(公告)日：2015-10-29

申请号：US14629386

申请日：2015-02-23

Applicant: Apple Inc.

Inventor： Stephan V. SCHELL ,  Arun G. MATHIAS ,  Jerrold Von HAUCK ,  David T. HAGGERTY ,  Kevin McLAUGHLIN ,  Ben-Heng JUANG ,  Li LI

IPC: H04W4/00 ,  H04W12/04 ,  H04W12/06 ,  H04L29/06

CPC classification number: H04W12/06 ,  G06F21/45 ,  G06F21/57 ,  H04L63/08 ,  H04L63/0853 ,  H04L63/123 ,  H04L63/20 ,  H04L67/34 ,  H04W4/50 ,  H04W4/60 ,  H04W8/205 ,  H04W12/04 ,  H04W12/08

Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

Abstract translation: 能够对无线装置的电子识别信息进行编程的方法和装置。 在一个实施例中，先前购买或部署的无线设备由蜂窝网络激活。 无线设备使用访问模块连接到蜂窝网络，以下载操作系统组件和/或访问控制客户端组件。 所描述的方法和装置能够更新，添加和替换各种组件，包括电子订户身份模块（eSIM）数据，OS组件。 本发明的一个示例性实施方式利用设备和蜂窝网络之间的可信密钥交换来维护安全性。

公开(公告)号：US20190239075A1

公开(公告)日：2019-08-01

申请号：US16384844

申请日：2019-04-15

Applicant: Apple Inc.

Inventor： Xiangying YANG ,  Li LI ,  Jerrold Von HAUCK

IPC: H04W12/06 ,  H04W4/60 ,  H04L9/32 ,  H04W12/00 ,  G06F21/32 ,  H04W4/50 ,  H04W12/08

CPC classification number: H04W12/06 ,  G06F21/32 ,  H04L9/3231 ,  H04L9/3271 ,  H04L2209/80 ,  H04W4/50 ,  H04W4/60 ,  H04W12/0023 ,  H04W12/08

Abstract: The embodiments set forth techniques for an embedded Universal Integrated Circuit Card (eUICC) to conditionally require, when performing management operations in association with electronic Subscriber Identity Modules (eSIMs), human-based authentication. The eUICC receives a request to perform a management operation in association with an eSIM. In response, the eUICC determines whether a policy being enforced by the eUICC indicates that a human-based authentication is required prior to performing the management operation. Next, the eUICC causes the mobile device to prompt a user of the mobile device to carry out the human-based authentication. The management operation is then performed or ignored in accordance with results of the human-based authentication.

公开(公告)号：US20180249333A1

公开(公告)日：2018-08-30

申请号：US15876875

申请日：2018-01-22

Applicant: Apple Inc.

Inventor： Li LI ,  Xiangying YANG ,  Jerrold Von HAUCK ,  Christopher B. SHARP ,  Yousuf H. VAID ,  Arun G. MATHIAS ,  David T. HAGGERTY ,  Najeeb M. ABDULRAHIMAN

IPC: H04W12/06 ,  H04L29/06 ,  H04L12/24

CPC classification number: H04W12/06 ,  H04L41/28 ,  H04L63/083 ,  H04L63/0838 ,  H04L63/0853 ,  H04W12/00514

Abstract: Methods and apparatus for user authentication and human intent verification of administrative operations for eSIMs of an eUICC included in a mobile device are disclosed. Certain administrative operations, such as import, modification, and/or export, of an eSIM and/or for an eUICCs firmware can require user authentication and/or human intent verification before execution of the administrative operations are performed or completed by the mobile device. A user of the mobile device provides information to link an external user account to an eSIM upon (or subsequent to) installation on the eUICC. User credentials, such as a user name and password, and/or information generated therefrom, can be used to authenticate the user with an external server. In response to successful user authentication, the administrative operations are performed. Human intent verification can also be performed in conjunction with user authentication to prevent malware from interfering with eSIM and/or eUICC functions of the mobile device.