ENHANCED SECURITY FOR ACCESS STRATUM TRANSMISSION

    Publication number: WO2019241999A1

    Publication date: 2019-12-26

    Application number: PCT/CN2018/092396

    Application date: 2018-06-22

    Abstract: This disclosure relates to techniques, base stations, and user equipment devices (UEs) for performing base station authentication through access stratum signaling transmissions. The UE may operate in idle mode and may receive an authentication message from a base station over the wireless interface while in idle mode. The UE determines whether the signature contained in the authentication message is valid and continues the connection procedure with the base station only if it is. If the signature is invalid, the UE designates the base station as a barred base station and performs cell re-selection. The authentication message may be a radio resource control (RRC) connection setup message, a special RRC message, a media access control (MAC) message, or a random access channel (RACH) message comprising a random access response (RAR).
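    The idle-mode check described in the abstract, as an added Go example; this is not code from the patent or from any UE implementation. It assumes an Ed25519 signature by the network over the cell identity plus a timestamp, a bar timer and a freshness window; the patent fixes none of these, and the message layout is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// AuthMessage stands in for the authentication message carried in an RRC
// connection setup, special RRC, MAC or RAR message. The field layout and the
// timestamp are assumptions for this example, not the patent's encoding.
type AuthMessage struct {
	CellID    uint32
	Timestamp int64 // Unix seconds; bounds how long a captured message stays valid
	Signature []byte
}

// signedBytes is the byte string the signature covers: cell identity plus timestamp.
func (m AuthMessage) signedBytes() []byte {
	buf := make([]byte, 12)
	binary.BigEndian.PutUint32(buf[0:4], m.CellID)
	binary.BigEndian.PutUint64(buf[4:12], uint64(m.Timestamp))
	return buf
}

// SignAuthMessage is the base-station side: sign with the network's long-term key.
func SignAuthMessage(priv ed25519.PrivateKey, m AuthMessage) AuthMessage {
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

var (
	ErrBadSignature = errors.New("invalid signature: cell barred")
	ErrStale        = errors.New("timestamp outside freshness window: cell barred")
	ErrBarred       = errors.New("cell is barred")
)

// UE holds the network verification key and the list of barred cells.
type UE struct {
	NetworkPub ed25519.PublicKey
	barred     map[uint32]time.Time // cell ID -> time the bar expires
	BarFor     time.Duration
	MaxSkew    time.Duration
}

func NewUE(pub ed25519.PublicKey) *UE {
	return &UE{NetworkPub: pub, barred: map[uint32]time.Time{}, BarFor: 5 * time.Minute, MaxSkew: 30 * time.Second}
}

// IsBarred reports whether the cell is currently on the bar list.
func (u *UE) IsBarred(cell uint32, now time.Time) bool {
	until, ok := u.barred[cell]
	return ok && now.Before(until)
}

// Verify is the idle-mode check: an invalid or stale signature bars the cell.
func (u *UE) Verify(m AuthMessage, now time.Time) error {
	if u.IsBarred(m.CellID, now) {
		return ErrBarred
	}
	if !ed25519.Verify(u.NetworkPub, m.signedBytes(), m.Signature) {
		u.barred[m.CellID] = now.Add(u.BarFor)
		return ErrBadSignature
	}
	// A valid signature alone does not stop a rogue cell replaying a captured
	// genuine message, so the timestamp is checked against a freshness window.
	skew := now.Sub(time.Unix(m.Timestamp, 0))
	if skew < -u.MaxSkew || skew > u.MaxSkew {
		u.barred[m.CellID] = now.Add(u.BarFor)
		return ErrStale
	}
	return nil
}

// Reselect returns the first candidate (assumed ordered by signal quality) that is not barred.
func (u *UE) Reselect(candidates []uint32, now time.Time) (uint32, bool) {
	for _, c := range candidates {
		if !u.IsBarred(c, now) {
			return c, true
		}
	}
	return 0, false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ue := NewUE(pub)
	now := time.Now()
	genuine := SignAuthMessage(priv, AuthMessage{CellID: 7, Timestamp: now.Unix()})
	fmt.Println("genuine cell 7:", ue.Verify(genuine, now))
	forged := genuine
	forged.CellID = 9 // a rogue cell reusing a genuine signature under its own identity
	fmt.Println("rogue cell 9:", ue.Verify(forged, now))
	next, _ := ue.Reselect([]uint32{9, 7}, now)
	fmt.Println("reselected cell:", next)
}
```

    The bar is time-limited on purpose: a permanent bar would let an attacker who can produce one bad message deny a genuine cell to the UE for good, while no bar at all would let the UE keep retrying the rogue cell.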

    FLEXIBLE ELECTRONIC SUBSCRIBER IDENTITY MODULE DEPLOYMENT

    Publication number: WO2021108606A1

    Publication date: 2021-06-03

    Application number: PCT/US2020/062296

    Application date: 2020-11-25

    Applicant: APPLE INC.

    Abstract: Techniques for flexible electronic subscriber identity module (eSIM) deployment to a wireless device by a network server, including generation of multiple eSIMs that share an identical eSIM identifier value, such as an identical integrated circuit card identifier (ICCID) value, and subsequent selection of one eSIM based on the capabilities of the wireless device. Multiple eSIMs corresponding to different sets of wireless device capabilities are generated without knowledge of the wireless communication standards that the wireless device supports. The multiple eSIMs include a first eSIM that includes fifth generation (5G) wireless communication protocol information and a second eSIM that excludes it. The network server selects an eSIM from the multiple eSIMs based on whether the wireless device is 5G capable. After selection and binding of a profile package that includes the chosen eSIM, the remaining eSIMs that use the identical ICCID value are deleted, so that no two deployable profiles share an ICCID, as a safeguard against cloning.

    MOBILE DEVICE AUTHENTICATION WITHOUT ELECTRONIC SUBSCRIBER IDENTITY MODULE (ESIM) CREDENTIALS

    Publication number: WO2021031051A1

    Publication date: 2021-02-25

    Application number: PCT/CN2019/101239

    Application date: 2019-08-18

    Abstract: This application sets forth techniques for authenticating a mobile device with a cellular wireless network without electronic Subscriber Identity Module (eSIM) credentials, using an Extensible Authentication Protocol Transport Layer Security (EAP-TLS) procedure. The mobile device authenticates to an Authentication Server Function (AUSF) of the cellular wireless network using an embedded Universal Integrated Circuit Card (eUICC) certificate. Processing circuitry of the mobile device external to the eUICC runs the EAP-TLS procedure and verifies the AUSF. In some embodiments, the eUICC generates and stores the session key for communication between the mobile device and the cellular wireless network. In some embodiments, a third-party managed Unified Data Management (UDM) broker authenticates the mobile device based on its knowledge of the eUICC certificate and, upon successful authentication, provides a session key to the cellular wireless network for subsequent communication with the mobile device.
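    Certificate-based mutual authentication of the kind the abstract describes, as an added Go example; it is not the patent's or Apple's code. It reduces the EAP-TLS exchange to its security core, a chain check against a trusted root plus a signed fresh challenge (proof of possession) in each direction, with an in-memory P-256 key standing in for the eUICC key; the CA names, serials and lifetimes are example values, and the TLS record layer and session-key derivation are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Party is one side of the exchange: its certificate and the matching private
// key. On a real eUICC the key never leaves the secure element; here it is an
// in-memory ECDSA key purely for the example.
type Party struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// IssueCert certifies subjectKey's public key, signed by issuer (self-signed
// when issuer is nil). Names, serials and lifetimes are example values.
func IssueCert(cn string, serial int64, isCA bool, subjectKey *ecdsa.PrivateKey, issuer *Party, now time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.AddDate(5, 0, 0),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signer := tmpl, subjectKey
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewParty generates a fresh P-256 key and has issuer certify it.
func NewParty(cn string, serial int64, isCA bool, issuer *Party, now time.Time) (*Party, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	cert, err := IssueCert(cn, serial, isCA, key, issuer, now)
	if err != nil {
		return nil, err
	}
	return &Party{Cert: cert, Key: key}, nil
}

var ErrProof = errors.New("proof of possession failed")

// Challenge is the verifier's fresh 32-byte nonce; freshness is what stops a
// recorded response from being replayed.
func Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Respond is the prover's side: sign the challenge with the certified key.
func (p *Party) Respond(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, p.Key, h[:])
}

// Authenticate is the verifier's side (the AUSF checking the eUICC certificate,
// or the device checking the AUSF): chain the peer certificate to a trusted
// root, then check that the signature proves possession of the certified key.
func Authenticate(roots *x509.CertPool, peer *x509.Certificate, nonce, sig []byte, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	pub, ok := peer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported certificate key type")
	}
	h := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return ErrProof
	}
	return nil
}

// MutualAuth runs both directions: each side challenges the other and checks
// the reply against the roots it trusts.
func MutualAuth(euicc, ausf *Party, euiccTrusts, ausfTrusts *x509.CertPool, now time.Time) error {
	n1, err := Challenge() // network authenticates the device
	if err != nil {
		return err
	}
	sig, err := euicc.Respond(n1)
	if err != nil {
		return err
	}
	if err := Authenticate(ausfTrusts, euicc.Cert, n1, sig, now); err != nil {
		return fmt.Errorf("AUSF rejects device: %w", err)
	}
	n2, err := Challenge() // device (circuitry outside the eUICC) authenticates the AUSF
	if err != nil {
		return err
	}
	if sig, err = ausf.Respond(n2); err != nil {
		return err
	}
	if err := Authenticate(euiccTrusts, ausf.Cert, n2, sig, now); err != nil {
		return fmt.Errorf("device rejects AUSF: %w", err)
	}
	return nil
}

func main() {
	now := time.Now()
	eum, _ := NewParty("EUM Root CA", 1, true, nil, now) // eUICC manufacturer CA (example name)
	opCA, _ := NewParty("Operator Root CA", 2, true, nil, now)
	euicc, _ := NewParty("eUICC 89012345678901234563", 3, false, eum, now)
	ausf, _ := NewParty("ausf.example.net", 4, false, opCA, now)
	euiccTrusts, ausfTrusts := x509.NewCertPool(), x509.NewCertPool()
	euiccTrusts.AddCert(opCA.Cert)
	ausfTrusts.AddCert(eum.Cert)
	fmt.Println("mutual auth:", MutualAuth(euicc, ausf, euiccTrusts, ausfTrusts, now))
	rogue, _ := NewParty("ausf.example.net", 5, false, nil, now) // self-signed impostor with the right name
	fmt.Println("rogue AUSF:", MutualAuth(euicc, rogue, euiccTrusts, ausfTrusts, now))
}
```

    The two trust stores are deliberately separate: the network only needs the eUICC manufacturer's root to accept devices, and the device only needs the operator's root to accept an AUSF, so neither side is a root of trust for the other.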

POLICY-BASED TECHNIQUES FOR MANAGING ACCESS CONTROL
    4. Invention application; status: pending, published

    Publication number: WO2014081890A1

    Publication date: 2014-05-30

    Application number: PCT/US2013/071099

    Application date: 2013-11-20

    Applicant: APPLE INC.

    CPC classification number: G06F21/604 H04L63/102 H04L63/105 H04L63/20 H04W12/08

    Abstract: A policy-based framework is described. This policy-based framework may be used to specify the privileges for logical entities to perform operations associated with an access-control element (such as an electronic Subscriber Identity Module) located within a secure element in an electronic device. Note that different logical entities may have different privileges for different operations associated with the same or different access-control elements. Moreover, the policy-based framework may specify types of credentials that are used by the logical entities during authentication, so that different types of credentials may be used for different operations and/or by different logical entities. Furthermore, the policy-based framework may specify the security protocols and security levels that are used by the logical entities during authentication, so that different security protocols and security levels may be used for different operations and/or by different logical entities.

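    A policy of the shape the abstract describes, evaluated inside the secure element, as an added Go example; it is not the patent's or Apple's framework. The entity names, operations, credential types and the numeric security-level scale are assumptions made for the example; what it shows is the three dimensions the abstract names (who may do which operation on which element, with which credential type, at which security level) checked deny-by-default.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Operation on an access-control element (here: an eSIM) inside the secure element.
type Operation string

const (
	OpInstall Operation = "install"
	OpEnable  Operation = "enable"
	OpDisable Operation = "disable"
	OpExport  Operation = "export"
	OpDelete  Operation = "delete"
)

// CredentialType is what the logical entity authenticated with.
type CredentialType string

const (
	CredPassword     CredentialType = "password"      // user-held secret
	CredSharedSecret CredentialType = "shared-secret" // symmetric key held by entity and secure element
	CredCertificate  CredentialType = "certificate"   // PKI credential
)

// SecurityLevel abstracts the strength of the protocol the authentication ran
// over (0 = unauthenticated channel; the scale is an example choice).
type SecurityLevel int

// Rule grants one entity one operation on matching elements, provided the
// entity authenticated with the named credential type at or above MinLevel.
type Rule struct {
	Entity     string
	Op         Operation
	Element    string // exact ID, "prefix*" for a family of eSIMs, or "*" for any
	Credential CredentialType
	MinLevel   SecurityLevel
}

// Request is an operation as presented to the secure element after authentication.
type Request struct {
	Entity     string
	Op         Operation
	Element    string
	Credential CredentialType
	Level      SecurityLevel
}

type Policy struct{ Rules []Rule }

var ErrDenied = errors.New("policy: denied")

func matchElement(pattern, element string) bool {
	if pattern == "*" {
		return true
	}
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(element, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == element
}

// Authorize is deny-by-default: the first rule matching entity, operation and
// element decides, and the request must also carry the credential type and
// security level that rule demands. Rules are ordered specific-first, since a
// broad "*" rule listed earlier would shadow a narrower one.
func (p Policy) Authorize(r Request) error {
	for _, rule := range p.Rules {
		if rule.Entity != r.Entity || rule.Op != r.Op || !matchElement(rule.Element, r.Element) {
			continue
		}
		if rule.Credential != r.Credential {
			return fmt.Errorf("%w: %s by %s on %s requires %s credential, got %s",
				ErrDenied, r.Op, r.Entity, r.Element, rule.Credential, r.Credential)
		}
		if r.Level < rule.MinLevel {
			return fmt.Errorf("%w: %s by %s on %s requires security level %d, got %d",
				ErrDenied, r.Op, r.Entity, r.Element, rule.MinLevel, r.Level)
		}
		return nil
	}
	return fmt.Errorf("%w: no rule grants %s to %s on %s", ErrDenied, r.Op, r.Entity, r.Element)
}

// ExamplePolicy: a carrier manages only its own eSIM family with a certificate
// over a strong channel; the device owner may only switch profiles, with a
// password; the OEM alone may export or delete any eSIM, at the highest level.
func ExamplePolicy() Policy {
	return Policy{Rules: []Rule{
		{"carrier-A", OpInstall, "eSIM-A*", CredCertificate, 2},
		{"carrier-A", OpEnable, "eSIM-A*", CredCertificate, 2},
		{"carrier-A", OpDisable, "eSIM-A*", CredCertificate, 2},
		{"device-owner", OpEnable, "*", CredPassword, 1},
		{"device-owner", OpDisable, "*", CredPassword, 1},
		{"oem", OpExport, "*", CredCertificate, 3},
		{"oem", OpDelete, "*", CredCertificate, 3},
	}}
}

func main() {
	p := ExamplePolicy()
	for _, r := range []Request{
		{"carrier-A", OpEnable, "eSIM-A1", CredCertificate, 2},
		{"carrier-A", OpEnable, "eSIM-B1", CredCertificate, 2},
		{"carrier-A", OpExport, "eSIM-A1", CredCertificate, 3},
		{"device-owner", OpEnable, "eSIM-B1", CredPassword, 0},
	} {
		fmt.Printf("%-12s %-7s %-8s -> %v\n", r.Entity, r.Op, r.Element, p.Authorize(r))
	}
}
```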

APPARATUS AND METHODS FOR ELECTRONIC SUBSCRIBER IDENTITY MODULE (ESIM) INSTALLATION AND INTEROPERABILITY
    5. Invention application; status: pending, published

    Publication number: WO2016164632A1

    Publication date: 2016-10-13

    Application number: PCT/US2016/026513

    Application date: 2016-04-07

    Applicant: APPLE INC.

    CPC classification number: H04W12/02 H04W4/50

    Abstract: Methods and apparatus for managing the processing of electronic Subscriber Identity Module (eSIM) data at a mobile device are disclosed. An eSIM management entity of an embedded Universal Integrated Circuit Card (eUICC) in the mobile device obtains an encrypted eSIM package and decrypts it to obtain eSIM contents that are formatted generically rather than tailored to the requirements of that particular eUICC. In some embodiments, the eSIM contents are formatted using Abstract Syntax Notation One (ASN.1) Distinguished Encoding Rules (DER). The eSIM management entity parses the formatted eSIM contents to retrieve the individual eSIM components and installs each component in an eSIM security domain on the eUICC. In some embodiments, the eSIM management entity acts as a local personalization server, providing local Trusted Service Manager (TSM) functionality for eSIM installation by transforming the generically formatted eSIM contents into eSIM components that match the specific requirements of the eUICC.

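    The decrypt, parse and install step as an added Go example; it is not the patent's or any eUICC's code. The ASN.1 layout of the package, the AES-256-GCM wrapping and the package key are assumptions for the example. What it shows is the order of checks an installer should keep: authenticate before parsing, parse the DER strictly (exactly one SEQUENCE, no trailing bytes), validate the ICCID (19 or 20 digits ending in a Luhn check digit, per ITU-T E.118), and refuse unnamed or duplicate components before anything is written to the security domain.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/asn1"
	"errors"
	"fmt"
)

// ESIMComponent is one generically formatted component of the profile: a file
// or application the eUICC installs into the eSIM's security domain.
type ESIMComponent struct {
	Name    string
	Content []byte
}

// ESIMPackage is the DER-encoded payload inside the encrypted package. This
// ASN.1 layout is an assumption for the example, not the patent's or GSMA's.
type ESIMPackage struct {
	ICCID      string
	Components []ESIMComponent
}

// packageAAD binds the ciphertext to its purpose, so an encrypted blob of some
// other kind made under the same key cannot be passed off as a package.
var packageAAD = []byte("eSIM-package-v1")

var ErrMalformed = errors.New("eSIM package: malformed")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPackage is the off-card side: DER-encode, then AES-256-GCM encrypt under
// the package key. Output is nonce || ciphertext || tag.
func SealPackage(key []byte, pkg ESIMPackage) ([]byte, error) {
	der, err := asn1.Marshal(pkg)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, der, packageAAD), nil
}

// SecurityDomain is the installed eSIM: its ICCID and the installed components.
type SecurityDomain struct {
	ICCID string
	Files map[string][]byte
}

// InstallPackage is the eUICC-side eSIM management entity: authenticate and
// decrypt, parse the DER strictly, validate, then install each component.
func InstallPackage(key, blob []byte) (*SecurityDomain, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrMalformed
	}
	der, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], packageAAD)
	if err != nil {
		return nil, fmt.Errorf("eSIM package: authentication failed: %w", err)
	}
	var pkg ESIMPackage
	rest, err := asn1.Unmarshal(der, &pkg)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrMalformed, err)
	}
	if len(rest) != 0 { // DER must be exactly one SEQUENCE; trailing data is a parser smell
		return nil, fmt.Errorf("%w: %d trailing bytes", ErrMalformed, len(rest))
	}
	if !validICCID(pkg.ICCID) {
		return nil, fmt.Errorf("%w: bad ICCID %q", ErrMalformed, pkg.ICCID)
	}
	sd := &SecurityDomain{ICCID: pkg.ICCID, Files: make(map[string][]byte, len(pkg.Components))}
	for _, c := range pkg.Components {
		if c.Name == "" {
			return nil, fmt.Errorf("%w: unnamed component", ErrMalformed)
		}
		if _, dup := sd.Files[c.Name]; dup {
			return nil, fmt.Errorf("%w: duplicate component %q", ErrMalformed, c.Name)
		}
		sd.Files[c.Name] = append([]byte(nil), c.Content...) // copy out of the decrypted buffer
	}
	return sd, nil
}

// validICCID: 19 or 20 decimal digits whose last digit is a Luhn check digit (ITU-T E.118).
func validICCID(s string) bool {
	if len(s) < 19 || len(s) > 20 {
		return false
	}
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i]) - '0'
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func main() {
	key := make([]byte, 32) // package key shared with the provisioning server (constructed for the example)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	pkg := ESIMPackage{ICCID: "89012345678901234563", Components: []ESIMComponent{
		{Name: "EF.IMSI", Content: []byte{0x08, 0x29, 0x10, 0x01}},
		{Name: "NAA", Content: []byte("applet bytes")},
	}}
	blob, err := SealPackage(key, pkg)
	if err != nil {
		panic(err)
	}
	if sd, err := InstallPackage(key, blob); err == nil {
		fmt.Println("installed", sd.ICCID, "with", len(sd.Files), "components")
	}
	blob[len(blob)-1] ^= 0x01 // flip a tag bit: authentication fails and nothing is parsed
	_, err = InstallPackage(key, blob)
	fmt.Println("tampered package:", err)
}
```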

METHODS AND APPARATUS FOR USER AUTHENTICATION AND HUMAN INTENT VERIFICATION IN MOBILE DEVICES
    6. Invention application; status: pending, published

    Publication number: WO2016153977A1

    Publication date: 2016-09-29

    Application number: PCT/US2016/023062

    Application date: 2016-03-18

    Applicant: APPLE INC.

    Abstract: Methods and apparatus for user authentication and human intent verification of administrative operations for eSIMs of an eUICC included in a mobile device are disclosed. Certain administrative operations, such as import, modification and/or export of an eSIM and/or of the eUICC's firmware, can require user authentication and/or human intent verification before the mobile device performs or completes them. A user of the mobile device provides information that links an external user account to an eSIM upon (or subsequent to) its installation on the eUICC. User credentials, such as a user name and password, and/or information generated from them, can be used to authenticate the user with an external server. In response to successful user authentication, the administrative operations are performed. Human intent verification can also be performed in conjunction with user authentication, to prevent malware from interfering with eSIM and/or eUICC functions of the mobile device.


METHODS AND APPARATUS FOR ESTABLISHING A SECURE COMMUNICATION CHANNEL
    7. Invention application; status: pending, published

    Publication number: WO2016004162A1

    Publication date: 2016-01-07

    Application number: PCT/US2015/038748

    Application date: 2015-07-01

    Applicant: APPLE INC.

    Abstract: A method for establishing a secure communication channel between an off-card entity and an embedded Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, the off-card entity and each eUICC in the set of eUICCs it manages possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the two authenticate one another using the PKI information each holds (e.g., by verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward secrecy (forward security) is desired, that is, whether both sides or only one side contribute ephemeral key material. Once the shared session-based symmetric key is established, the off-card entity and the eUICC can communicate securely.


METHODS AND APPARATUS FOR CORRECTING ERROR EVENTS ASSOCIATED WITH IDENTITY PROVISIONING
    8. Invention application; status: pending, published

    Publication number: WO2013119993A2

    Publication date: 2013-08-15

    Application number: PCT/US2013/025397

    Application date: 2013-02-08

    Applicant: APPLE INC.

    Abstract: Methods and apparatus for correcting error events associated with identity provisioning are disclosed. In one embodiment, repeated requests for access control clients are answered by executing a provisioning feedback mechanism intended to prevent the unintentional (or even intentional) over-consumption or waste of network resources through the delivery of an excessive number of access control clients. These provisioning feedback mechanisms include rate-limiting algorithms and/or methodologies that place a cost on the user. Apparatus for implementing the provisioning feedback mechanisms are also disclosed and include specialized user equipment and/or network-side equipment such as a subscriber identity module provisioning server (SPS).

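    A rate-limiting provisioning feedback mechanism of the kind the abstract describes, as an added Go example on the SPS side; it is not the patent's code. The free quota, the doubling cost and the window length are example values the patent does not specify; what it shows is the "cost on the user" idea: after a small free allowance, every further delivery of an access control client imposes a waiting period that grows with each excess request, so a device stuck in a retry loop stops consuming eSIMs within minutes while a device that asks once is never delayed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Limiter is a provisioning feedback mechanism as a SIM provisioning server
// (SPS) might run it: each device gets a free quota of access control client
// deliveries per window; beyond that every extra delivery imposes a waiting
// period that doubles each time. Quota and wait values are example choices.
type Limiter struct {
	Window   time.Duration
	FreeReqs int
	BaseWait time.Duration
	MaxWait  time.Duration
	devices  map[string]*deviceState
}

type deviceState struct {
	windowStart time.Time
	delivered   int
	notBefore   time.Time
}

var ErrRateLimited = errors.New("provisioning: rate limited")

func NewLimiter(window time.Duration, freeReqs int, baseWait, maxWait time.Duration) *Limiter {
	return &Limiter{Window: window, FreeReqs: freeReqs, BaseWait: baseWait, MaxWait: maxWait, devices: map[string]*deviceState{}}
}

// Request records an access control client request from device id at time now.
// It returns nil when the SPS may deliver, or ErrRateLimited together with how
// long the device must wait before asking again.
func (l *Limiter) Request(id string, now time.Time) (time.Duration, error) {
	d, ok := l.devices[id]
	if !ok || now.Sub(d.windowStart) >= l.Window {
		d = &deviceState{windowStart: now} // new window: quota and cost reset
		l.devices[id] = d
	}
	if now.Before(d.notBefore) {
		return d.notBefore.Sub(now), ErrRateLimited
	}
	d.delivered++
	if excess := d.delivered - l.FreeReqs; excess > 0 {
		d.notBefore = now.Add(l.cost(excess))
	}
	return 0, nil
}

// cost is BaseWait * 2^(excess-1), capped at MaxWait; the shift is bounded so
// it cannot overflow time.Duration.
func (l *Limiter) cost(excess int) time.Duration {
	if excess > 16 {
		return l.MaxWait
	}
	w := l.BaseWait << uint(excess-1)
	if w > l.MaxWait {
		return l.MaxWait
	}
	return w
}

// Delivered reports how many clients the device has received in the current window.
func (l *Limiter) Delivered(id string) int {
	if d, ok := l.devices[id]; ok {
		return d.delivered
	}
	return 0
}

func main() {
	l := NewLimiter(time.Hour, 2, time.Minute, 30*time.Minute)
	t0 := time.Now()
	// a device stuck in a retry loop asks for a fresh eSIM every 10 seconds (constructed scenario)
	for i := 0; i < 8; i++ {
		now := t0.Add(time.Duration(i) * 10 * time.Second)
		wait, err := l.Request("eid-01", now)
		fmt.Printf("t+%3ds: err=%v wait=%v delivered=%d\n", i*10, err, wait, l.Delivered("eid-01"))
	}
}
```

    The state is keyed by device identity, so the cost lands on the device that is looping and not on every subscriber; in a real SPS the identity used for the key must be one the device cannot change freely, or the limiter is trivially evaded.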

PRE-PERSONALIZATION OF eSIMs TO SUPPORT LARGE-SCALE eSIM DELIVERY
    9. Invention application; status: pending, published

    Publication number: WO2016186901A1

    Publication date: 2016-11-24

    Application number: PCT/US2016/031670

    Application date: 2016-05-10

    Applicant: APPLE INC.

    Abstract: Representative embodiments described herein set forth techniques for optimizing large-scale deliveries of electronic Subscriber Identity Modules (eSIMs) to mobile devices. Specifically, instead of generating and assigning eSIMs when mobile devices are being activated (which can require significant processing overhead), eSIMs are pre-generated with a basic set of information and later assigned to the mobile devices when they are activated. This can provide considerable benefits over conventional approaches that generate and assign eSIMs during mobile device activation, especially when new mobile devices (e.g., smartphones, tablets, etc.) are being launched and a large number of eSIM assignment requests must be fulfilled efficiently.


ELECTRONIC SUBSCRIBER IDENTITY MODULE SELECTION
    10. Invention application; status: pending, published

    Publication number: WO2015183582A1

    Publication date: 2015-12-03

    Application number: PCT/US2015/030876

    Application date: 2015-05-14

    Applicant: APPLE INC.

    CPC classification number: H04W8/183 H04W8/20

    Abstract: Embodiments are described for identifying and accessing an electronic subscriber identity module (eSIM) and associated content of the eSIM in a multiple eSIM configuration. An embedded Universal Integrated Circuit Card (eUICC) can include multiple eSIMs, where each eSIM can include its own file structures and applications. Some embodiments include a processor of a mobile device transmitting a special command to the eUICC, including an identification that uniquely identifies an eSIM in the eUICC. After selecting the eSIM, the processor can access file structures and applications of the selected eSIM. The processor can then use existing commands to access content in the selected eSIM. The special command can direct the eUICC to activate or deactivate content associated with the selected eSIM. Other embodiments include an eUICC platform operating system interacting with eSIMs associated with logical channels to facilitate identification and access to file structures and applications of the eSIMs.

