Title
METHODS AND APPARATUS FOR ESTABLISHING A SECURE COMMUNICATION CHANNEL
Abstract
A method for establishing a secure communication channel between an off-card entity and an embedded Universal Integrated Circuit Card (eUICC) is provided. The method involves establishing symmetric keys that are ephemeral in scope. Specifically, an off-card entity, and each eUICC in a set of eUICCs managed by the off-card entity, possess long-term Public Key Infrastructure (PKI) information. When a secure communication channel is to be established between the off-card entity and an eUICC, the eUICC and the off-card entity can authenticate one another in accordance with the respectively-possessed PKI information (e.g., verifying public keys). After authentication, the off-card entity and the eUICC establish a shared session-based symmetric key for implementing the secure communication channel. Specifically, the shared session-based symmetric key is generated according to whether perfect or half forward security is desired. Once the shared session-based symmetric key is established, the off-card entity and the eUICC can securely communicate information.
Publication number
US2016006729(A1)
Publication date
2016.01.07
Application number
US201514789905
Filing date
2015.07.01
Applicant
Apple Inc.
Inventors
YANG Xiangying; LI Li; HAUCK Jerrold Von
Classification
H04L29/06
Main classification
H04L29/06
Agency
(none listed)
Agent
(none listed)
Main claim
1. A method for establishing a secure connection between a server and an embedded Universal Integrated Circuit Card (eUICC) included in a mobile device that is associated with a long-term public key (PKeUICC) and a long-term private key (SKeUICC), the method comprising:
at the server, which is associated with a long-term public key (PKserver) and a long-term private key (SKserver):
receiving, from the mobile device, a request to establish the secure connection with the mobile device, wherein the request includes PKeUICC; and
upon authenticating the mobile device using PKeUICC:
generating an ephemeral public key (ePKserver) and an ephemeral private key (eSKserver);
signing ePKserver using SKserver to produce a signed ePKserver;
providing the signed ePKserver to the mobile device;
receiving, from the mobile device, an ephemeral key (ePKeUICC) that is signed using SKeUICC;
generating a shared symmetric key using eSKserver and ePKeUICC; and
establishing the secure connection using the shared symmetric key.
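The exchange of claim 1 as an added example, not code from the patent or from Apple: each side signs its ephemeral public key with its long-term key, the peer verifies that signature against the long-term public key it already holds, and the session key is derived from the ephemeral Diffie-Hellman value. The group (RFC 2409 1024-bit MODP), the signature scheme (Schnorr, standing in for whatever PKI scheme the deployment uses), the SHA-256 key derivation and the `tamper` flag, which shows an on-path change to ePKeUICC being rejected at the signature check, are all assumptions of this example.

```python
import hashlib
import secrets

# Constructed parameters: RFC 2409 1024-bit MODP group (safe prime P, generator 2 of the
# order-Q subgroup), so the flow runs on the standard library alone.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2
def _b(x): return x.to_bytes(128, "big")  # fixed-width encoding for hashing

def keygen():
    """(private, public) pair; used for both the long-term and the ephemeral keys."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def sign(sk, msg):
    """Schnorr signature on the integer msg (here an ephemeral public key)."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = int.from_bytes(hashlib.sha256(_b(r) + _b(msg)).digest(), "big") % Q
    return r, (k + sk * e) % Q

def verify(pk, msg, sig):
    r, s = sig
    e = int.from_bytes(hashlib.sha256(_b(r) + _b(msg)).digest(), "big") % Q
    return pow(G, s, P) == (r * pow(pk, e, P)) % P

def session_key(own_esk, peer_epk, transcript):
    # DH over the ephemeral values, bound to both ephemeral public keys (transcript)
    return hashlib.sha256(_b(pow(peer_epk, own_esk, P)) + transcript).digest()

def run_exchange(server_lt, euicc_lt, tamper=False):
    """Drive the claimed flow; returns (server_key, euicc_key), or None if a side rejects."""
    (sk_s, pk_s), (sk_e, pk_e) = server_lt, euicc_lt
    esk_s, epk_s = keygen()             # server: ephemeral pair (eSKserver, ePKserver) ...
    sig_s = sign(sk_s, epk_s)           # ... signed with SKserver
    if not verify(pk_s, epk_s, sig_s):  # eUICC: check it against PKserver
        return None
    esk_e, epk_e = keygen()             # eUICC: ephemeral pair signed with SKeUICC
    sig_e = sign(sk_e, epk_e)
    if tamper:                          # constructed: ePKeUICC altered in transit
        epk_e = pow(epk_e, 3, P)
    if not verify(pk_e, epk_e, sig_e):  # server: check it against PKeUICC
        return None
    transcript = _b(epk_s) + _b(epk_e)
    return session_key(esk_s, epk_e, transcript), session_key(esk_e, epk_s, transcript)
```

Both ephemeral pairs are discarded after the run, which is what gives the session key the perfect forward secrecy the abstract refers to; a half-forward-secrecy variant would replace one side's ephemeral pair with its long-term pair.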
Address
Cupertino CA US