公开(公告)号：US20220086642A1

公开(公告)日：2022-03-17

申请号：US17455000

申请日：2021-11-15

Applicant: Apple Inc.

Inventor： Xiangying YANG ,  Shu GUO ,  Lijia ZHANG ,  Qian SUN ,  Huarui LIANG ,  Fangli XU ,  Yuqin CHEN ,  Haijing HU ,  Dawei ZHANG ,  Hao DUO ,  Lanpeng CHEN

IPC: H04W12/106 ,  H04W72/04 ,  H04L9/32 ,  H04W74/00 ,  H04W12/069 ,  H04W12/0433

Abstract: Techniques for identity-based message integrity protection and verification between a user equipment (UE) and a wireless network entity, include use of signatures derived from identity-based keys. To protect against attacks from rogue network entities before activation of a security context with a network entity, the UE verifies integrity of messages by checking a signature using an identity-based public key PKID derived by the UE based on (i) an identity value (ID) of the network entity and (ii) a separate public key PKPKG of a private key generator (PKG) server. The network entity generates signatures for messages using an identity-based private key SKID obtained from the PKG server, which generates the identity-based private key SKID using (i) the ID value of the network entity and (ii) a private key SKPKG that is known only by the PKG server and corresponds to the public key PKPKG.

公开(公告)号：US20210058774A1

公开(公告)日：2021-02-25

申请号：US17052163

申请日：2018-05-02

Applicant: Apple Inc.

Inventor： Xiangying YANG ,  Lijia ZHANG ,  Huarui LIANG ,  Dawei ZHANG

IPC: H04W12/00 ,  H04W12/08

Abstract: A device level lock policy, which applies to all smart secure platform (SSP) applications of a mobile device, is used to determine whether a particular SSP application can be activated. A tamper resistant hardware secure element (SE) includes a primary platform with a low level operating system (OS) and one or more SSP applications within one or more secondary platform bundles that include secondary platforms with high level OSs specific to the secondary platform bundles. The low level OS enforces the device level lock policy for all secondary platform bundles by verifying whether a lock policy for the SSP application is consistent with the device level lock policy. When verification succeeds, activation is allowed, and when verification fails, activation is disallowed. Subscription identifiers are not provided in unencrypted form to processing circuitry of the mobile device external to the tamper resistant hardware SE to provide subscriber identity privacy protection.

公开(公告)号：US20210021993A1

公开(公告)日：2021-01-21

申请号：US17042859

申请日：2018-03-27

Applicant: Apple Inc.

Inventor： Xiangying YANG ,  Lijia ZHANG ,  Dawei ZHANG ,  Huarui LIANG ,  Shu GUO ,  Rohan C. MALTHANKAR ,  Krisztian KISS

IPC: H04W12/02 ,  H04W12/00 ,  H04W12/04

Abstract: Techniques to protect subscriber identity in messages communicated between a user equipment (UE) and a cellular wireless network entity by using multiple ephemeral asymmetric keys are disclosed. The UE determines multiple ephemeral UE public and secret key pairs, while the cellular wireless network entity provides a network public key to the UE. The network public key may be updated over time. Multiple encryption keys based on the multiple ephemeral UE secret keys and the public network key are derived and used to encrypt a subscription permanent identifier (SUPI) to generate multiple subscription concealed identifiers (SUCIs). Each SUCI is used only once for messages communicated to a cellular wireless network and discarded after use. New SUCI are generated when the network public key is updated.

公开(公告)号：US20230164559A1

公开(公告)日：2023-05-25

申请号：US18150771

申请日：2023-01-05

Applicant: Apple Inc.

Inventor： Xiangying YANG ,  Huarui LIANG ,  Lijia ZHANG ,  Shu GUO ,  Haijing HU ,  Fangli XU ,  Yuqin CHEN ,  Dawei ZHANG ,  Li LI

IPC: H04W12/069 ,  H04W12/72 ,  H04W12/0433 ,  H04W12/03 ,  H04W12/122 ,  H04W12/041 ,  H04L9/08 ,  H04L9/16 ,  H04L9/32 ,  H04W12/02

CPC classification number: H04W12/069 ,  H04W12/72 ,  H04W12/0433 ,  H04W12/03 ,  H04W12/122 ,  H04W12/041 ,  H04L9/0822 ,  H04L9/0825 ,  H04L9/0844 ,  H04L9/0891 ,  H04L9/16 ,  H04L9/3228 ,  H04W12/02

Abstract: Techniques to protect a subscriber identity, by encrypting a subscription permanent identifier (SUPI) to form one-time use subscription concealed identifiers (SUCIs) using a set of one-time ephemeral asymmetric keys, generated by a user equipment (UE), and network provided keys are disclosed. Encryption of the SUPI to form the SUCIs can mitigate snooping by rogue network entities, such as fake base stations. The UE is restricted from providing the unencrypted SUPI over an unauthenticated connection to a network entity. In some instances, the UE uses a trusted symmetric fallback encryption key KFB or trusted asymmetric fallback public key PKFB to verify messages from an unauthenticated network entity and/or to encrypt the SUPI to form a fallback SUCIFB for communication of messages with the unauthenticated network entity.

公开(公告)号：US20210092603A1

公开(公告)日：2021-03-25

申请号：US17054148

申请日：2018-05-11

Applicant: Apple Inc.

Inventor： Xiangying YANG ,  Huarui LIANG ,  Lijia ZHANG ,  Shu GUO ,  Haijing HU ,  Fangli XU ,  Yuqin CHEN ,  Dawei ZHANG ,  Li LI

IPC: H04W12/06 ,  H04L9/08 ,  H04L9/16 ,  H04L9/32 ,  H04W12/02 ,  H04W12/00 ,  H04W12/04 ,  H04W12/12

Abstract: Techniques to protect a subscriber identity, by encrypting a subscription permanent identifier (SUPI) to form one-time use subscription concealed identifiers (SUCIs) using a set of one-time ephemeral asymmetric keys, generated by a user equipment (UE), and network provided keys are disclosed. Encryption of the SUPI to form the SUCIs can mitigate snooping by rogue network entities, such as fake base stations. The UE is restricted from providing the unencrypted SUPI over an unauthenticated connection to a network entity. In some instances, the UE uses a trusted symmetric fallback encryption key KFB or trusted asymmetric fallback public key PKFB to verify messages from an unauthenticated network entity and/or to encrypt the SUPI to form a fallback SUCIFB for communication of messages with the unauthenticated network entity.

公开(公告)号：US20200021993A1

公开(公告)日：2020-01-16

申请号：US16293521

申请日：2019-03-05

Applicant: Apple Inc.

Inventor： Xiangying YANG ,  Shu GUO ,  Lijia ZHANG ,  Qian SUN ,  Huarui LIANG ,  Fangli XU ,  Yuqin CHEN ,  Haijing HU ,  Dawei ZHANG ,  Hao DUO ,  Lanpeng CHEN

IPC: H04W12/10 ,  H04W72/04 ,  H04W74/00 ,  H04W12/04 ,  H04W12/06 ,  H04L9/32

Abstract: Techniques for identity-based message integrity protection and verification between a user equipment (UE) and a wireless network entity, include use of signatures derived from identity-based keys. To protect against attacks from rogue network entities before activation of a security context with a network entity, the UE verifies integrity of messages by checking a signature using an identity-based public key PKID derived by the UE based on (i) an identity value (ID) of the network entity and (ii) a separate public key PKPKG of a private key generator (PKG) server. The network entity generates signatures for messages using an identity-based private key SKID obtained from the PKG server, which generates the identity-based private key SKID using (i) the ID value of the network entity and (ii) a private key SKPKG that is known only by the PKG server and corresponds to the public key PKPKG.