
EP-4738906-A1 - METHOD AND APPARATUS FOR PERSONALIZING A SECURE ELEMENT IN AN OEM FACTORY


Abstract

The present invention concerns a method of personalization of a secure element, SE, in an original equipment manufacturer, OEM, factory, the method comprising, by the SE, the steps of: receiving from a first server operating in the OEM factory a generic unbound version of an SE operating system, OS; installing the SE's OS in the SE; launching the SE's OS in a manufacture state where the SE's OS is prevented from connecting to a mobile network; sending to a second server operating in the OEM factory an in-factory profile request, the in-factory profile request comprising a token generated by the SE's OS based on a binding identifier; receiving from the second server a mobile network operator, MNO, profile bound to the binding identifier; sending to the second server a factory install notification indicating successful installation of the MNO profile in the SE; receiving from the second server a command for switching the SE's OS to a live state where the SE's OS is fully functional but prevented from sending a further in-factory profile request; and switching the SE's OS to the live state.

Inventors

  • UGLIETTI, Gianni
  • MACUDA, Jacek

Assignees

  • IDEMIA France

Dates

Publication Date
20260506
Application Date
20241031

Claims (12)

  1. A method of personalization of a secure element, SE, (113) in an original equipment manufacturer, OEM, factory, the method comprising, by the SE (113), the steps of:
     - receiving (S202) from a first server (114) operating in the OEM factory a generic unbound version of an SE operating system, OS;
     - installing (S203) the SE's OS in the SE;
     - launching the SE's OS in a manufacture state where the SE's OS is prevented from connecting to a mobile network;
     - sending (S204) to a second server (112) operating in the OEM factory an in-factory profile request, the in-factory profile request comprising a token generated by the SE's OS based on a binding identifier;
     - receiving from the second server (112) a mobile network operator, MNO, profile bound to the binding identifier;
     - sending (S208) to the second server (112) a factory install notification indicating successful installation of the MNO profile in the SE (113);
     - receiving (S210) from the second server (112) a command for switching the SE's OS to a live state where the SE's OS is fully functional but prevented from sending a further in-factory profile request;
     - switching (S211) the SE's OS to the live state.
  2. The method of claim 1, wherein the binding identifier is a ChipID identifying the chip comprising the SE.
  3. The method of claim 1, wherein the binding identifier is an eID identifying the SE.
  4. The method of claim 1, wherein the method further comprises:
     - sending (S212) a binding notification comprising a ChipID identifying the chip comprising the SE, an eID identifying the SE and an ICCID identifying the profile to a third server (101) outside the OEM factory at the first connection of the SE to a mobile network.
  5. The method of any of claims 1 to 4, wherein the token is encrypted with a one-time symmetric key generated by the SE's OS.
  6. The method of claim 5, wherein the token comprises the binding identifier signed and encrypted with the one-time symmetric key.
  7. A method of personalization of a secure element, SE, in an original equipment manufacturer, OEM, factory, the method comprising, by a first server (112) operating in the OEM factory, the steps of:
     - receiving (S201) from a second server (101) outside of the OEM factory an unbound protected mobile network operator, MNO, profile;
     - receiving (S204) from the SE an in-factory profile request, the in-factory profile request comprising a token generated by the SE based on a binding identifier;
     - binding (S205) the MNO profile to the SE based on the binding identifier and reserving the binding identifier for preventing further binding of profiles using the same binding identifier;
     - sending (S206) the bound MNO profile to the SE;
     - receiving (S208) a factory install notification indicating successful installation of the MNO profile in the SE;
     - burning (S209) the binding identifier for definitively preventing further binding of profiles using the same binding identifier;
     - sending (S210) a command to the SE for switching to a live state.
  8. The method of claim 7, wherein the method further comprises:
     - validating the token.
  9. A secure element, SE, (113) in an original equipment manufacturer, OEM, factory comprising at least one processor and at least one memory in communication with the at least one processor, the at least one memory including computer-readable instructions stored thereon that, when executed by the at least one processor, cause the SE to perform:
     - receiving (S202) from a first server (114) operating in the OEM factory a generic unbound version of an SE operating system, OS;
     - installing (S203) the SE's OS in the SE;
     - launching the SE's OS in a manufacture state where the SE's OS is prevented from connecting to a mobile network;
     - sending (S204) to a second server (112) operating in the OEM factory an in-factory profile request, the in-factory profile request comprising a token generated by the SE's OS based on a binding identifier;
     - receiving from the second server (112) a mobile network operator, MNO, profile bound to the binding identifier;
     - sending (S208) to the second server (112) a factory install notification indicating successful installation of the MNO profile in the SE (113);
     - receiving (S210) from the second server (112) a command for switching the SE's OS to a live state where the SE's OS is fully functional but prevented from sending a further in-factory profile request;
     - switching (S211) the SE's OS to the live state.
  10. A server (112) operating in an original equipment manufacturer, OEM, factory comprising, for personalizing a secure element, SE, (113), at least one processor and at least one memory in communication with the at least one processor, the at least one memory including computer-readable instructions stored thereon that, when executed by the at least one processor, cause the server (112) to perform:
     - receiving (S202) from a first server (114) operating in the OEM factory a generic unbound version of an SE operating system, OS;
     - installing (S203) the SE's OS in the SE;
     - launching the SE's OS in a manufacture state where the SE's OS is prevented from connecting to a mobile network;
     - sending (S204) to a second server (112) operating in the OEM factory an in-factory profile request, the in-factory profile request comprising a token generated by the SE's OS based on a binding identifier;
     - receiving from the second server (112) a mobile network operator, MNO, profile bound to the binding identifier;
     - sending (S208) to the second server (112) a factory install notification indicating successful installation of the MNO profile in the SE (113);
     - receiving (S210) from the second server (112) a command for switching the SE's OS to a live state where the SE's OS is fully functional but prevented from sending a further in-factory profile request;
     - switching (S211) the SE's OS to the live state.
  11. A computer program product for a programmable apparatus, the computer program product comprising a sequence of instructions for implementing a method according to any one of claims 1 to 8, when loaded into and executed by the programmable apparatus.
  12. A computer-readable storage medium storing instructions of a computer program for implementing a method according to any one of claims 1 to 8.
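The claims above describe a small protocol with two security properties worth seeing end to end: the SE only accepts a bound profile and only issues an in-factory profile request while in the manufacture state (and never again once live), and the factory server reserves a binding identifier when it binds a profile and burns it once the install notification arrives, so the same ChipID can never receive a second profile. The following Python model is an added example written for this page; it is not code from the patent or from IDEMIA. The message names, the token layout (an HMAC over the binding identifier and a nonce, standing in for the signed-and-encrypted token of claim 6), and the way the one-time key reaches the server (handed over explicitly, since the page does not specify the transport) are all assumptions.

```python
"""Model of the in-factory SE personalization flow (steps S201-S211 in the claims).

Added example for this page; assumptions: message names, HMAC token stand-in,
and explicit hand-over of the one-time key to the factory server.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum, auto


class SeState(Enum):
    NO_OS = auto()        # before the generic unbound OS is installed (S202/S203)
    MANUFACTURE = auto()  # OS running; mobile-network access blocked
    LIVE = auto()         # fully functional; in-factory profile requests refused


@dataclass
class ProfileToken:
    """In-factory profile request token (assumed layout: identifier, nonce, MAC)."""
    binding_id: str
    nonce: bytes
    mac: bytes


def _token_mac(key: bytes, binding_id: str, nonce: bytes) -> bytes:
    # Stand-in for "binding identifier signed and encrypted with the one-time key".
    return hmac.new(key, binding_id.encode() + nonce, hashlib.sha256).digest()


class SecureElement:
    def __init__(self, chip_id: str):
        self.chip_id = chip_id          # binding identifier (claim 2: the ChipID)
        self.state = SeState.NO_OS
        self.profile = None
        self.one_time_key = None

    def install_os(self, os_image: bytes) -> None:
        """S202/S203: accept the generic unbound OS and boot into manufacture state."""
        if self.state is not SeState.NO_OS:
            raise RuntimeError("OS already installed")
        self.os_image = os_image
        self.state = SeState.MANUFACTURE

    def network_allowed(self) -> bool:
        return self.state is SeState.LIVE   # manufacture state never reaches the MNO network

    def make_profile_request(self) -> ProfileToken:
        """S204: build the token; refused outside manufacture state (so never once live)."""
        if self.state is not SeState.MANUFACTURE:
            raise PermissionError("in-factory profile request refused outside manufacture state")
        self.one_time_key = secrets.token_bytes(32)   # claim 5: one-time symmetric key
        nonce = secrets.token_bytes(16)
        return ProfileToken(self.chip_id, nonce, _token_mac(self.one_time_key, self.chip_id, nonce))

    def install_profile(self, bound_profile: dict) -> str:
        """Install the bound MNO profile and return the S208 factory install notification."""
        if self.state is not SeState.MANUFACTURE:
            raise PermissionError("profile install refused outside manufacture state")
        if bound_profile["binding_id"] != self.chip_id:
            raise ValueError("profile is bound to a different chip")
        self.profile = bound_profile
        return "FACTORY_INSTALL_OK"

    def switch_to_live(self) -> None:
        """S211: become fully functional; the one-time key is no longer needed."""
        if self.profile is None:
            raise RuntimeError("no MNO profile installed")
        self.state = SeState.LIVE
        self.one_time_key = None


class FactoryServer:
    """The in-factory server (112): binds profiles, tracks reserved and burned identifiers."""

    def __init__(self):
        self.unbound_profiles = []   # S201: protected unbound profiles from the outside server
        self.reserved = set()        # S205: identifiers with a binding in progress
        self.burned = set()          # S209: identifiers that may never be bound again

    def load_unbound_profile(self, protected_profile: dict) -> None:
        self.unbound_profiles.append(protected_profile)

    def handle_profile_request(self, token: ProfileToken, one_time_key: bytes) -> dict:
        """S204-S206: validate the token (claim 8), reserve the identifier, bind a profile."""
        if not hmac.compare_digest(_token_mac(one_time_key, token.binding_id, token.nonce), token.mac):
            raise PermissionError("token validation failed")
        bid = token.binding_id
        if bid in self.burned or bid in self.reserved:
            raise PermissionError(f"binding identifier {bid} already used")
        if not self.unbound_profiles:
            raise RuntimeError("no unbound profile available")
        self.reserved.add(bid)                        # blocks a parallel second request
        bound = dict(self.unbound_profiles.pop(0))
        bound["binding_id"] = bid
        return bound

    def handle_install_notification(self, binding_id: str, notification: str) -> str:
        """S208-S210: burn the identifier for good and order the switch to live state."""
        if notification != "FACTORY_INSTALL_OK" or binding_id not in self.reserved:
            raise RuntimeError("unexpected install notification")
        self.reserved.discard(binding_id)
        self.burned.add(binding_id)
        return "SWITCH_TO_LIVE"


def run_factory_flow(chip_id: str, server: FactoryServer) -> SecureElement:
    """Drive one SE through S202-S211 against the given factory server."""
    se = SecureElement(chip_id)
    se.install_os(b"generic-unbound-os")   # constructed stand-in for the OS image
    token = se.make_profile_request()
    # Key hand-over is an assumption: the page does not say how the server obtains it.
    bound = server.handle_profile_request(token, se.one_time_key)
    notification = se.install_profile(bound)
    if server.handle_install_notification(chip_id, notification) == "SWITCH_TO_LIVE":
        se.switch_to_live()
    return se
```

Run `run_factory_flow("CHIP-0001", server)` twice against one server to see the burned-identifier check fire on the second call, and call `make_profile_request()` on a live SE to see the state check fire. Note that the page says nothing about releasing a reservation when an install fails between S206 and S208; the model keeps such an identifier reserved, which errs on the side of never issuing two profiles for one chip.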

Description

FIELD OF THE INVENTION

The present disclosure concerns a method and a device for personalization of a secure element. It concerns more particularly a method for providing the secure element with an OS and personalization data. The secure element may be discrete or integrated, such as an eUICC (embedded Universal Integrated Circuit Card, also called eSIM, for embedded Subscriber Identity Module), an eSE (embedded Secure Element), an ieUICC (integrated eUICC) or an iUICC (integrated UICC).

BACKGROUND OF INVENTION

A wireless user terminal, a smartphone, a connected object or any computer device with communication capabilities using a telecommunication network (e.g. a mobile (phone) network, wireless network or radiocommunication network) is traditionally provided with a secure element, SE, that may be removable, embedded, discrete or integrated. Such secure elements comprise Universal Integrated Circuit Cards, UICC, such as Subscriber Identity Module, SIM, cards, their embedded versions known as eUICC (embedded UICC) or eSIM (embedded SIM), and their integrated versions known as iUICC (integrated UICC), ieUICC (integrated eUICC) or iSIM (integrated eSIM). An eUICC module is a hardware secure element, generally of small size, which can be embedded or integrated in a communication device like a smartphone or a TCU (Telematics Control Unit, used in connected vehicles) to provide the same functionalities as a traditional SIM card. eUICCs are also integrated in many different communicating devices in the context of the so-called Internet of Things, IoT.

An SE is typically manufactured by an SE manufacturer, SEM, to be provided to an Original Equipment Manufacturer, OEM, for integration in the devices produced by the OEM. In order to connect to and communicate with a mobile network, a subscription with a Mobile Network Operator, MNO, is required. All the parameters associated with the subscription are stored as an MNO profile in the SE. An SE may comprise several MNO profiles corresponding to different subscriptions with one or several MNOs.

An SE comprises a processor that can execute computer programs, memory for storing programs and data, and communication means for communicating with the final device it is integrated in, through which it can communicate with a communication network. SEs are provided by the SEM with an operating system, OS, that implements the functionalities of the SE. These functionalities comprise for example the implementation of application protocol data unit, APDU, commands as specified in the standard ISO/IEC 7816 part 4, used for communicating with the SE, or the computation of specific cryptographic responses or vectors in order to grant authentication and access to mobile network resources. The operating system of the SE is not to be confused with the operating system that typically runs on the final device integrating the SE.

The form factor of SEs follows a process of increasing integration into the final device. Initially the SE was proposed as a smart card hosting the SE as a chip on the card, the well-known SIM card. The final device was provided with a card reader to allow the SIM card to be inserted in the final device. Then a new physical format was introduced, the eSIM, standing for embedded SIM. An eSIM is a dedicated chip hosting the SE which is intended to be soldered on the motherboard of the final device. A new physical format, the integrated eSIM or simply iSIM, is now appearing, constituting a new step in the integration process. In this physical format, the secure element may be integrated in a chip, typically a System On Chip, SOC, as one of the hardware components of the chip. The SOC is a central component which manages many peripheral components or resources (memories, processors, screen, interfaces, computing resources, secure element, communications, ...).

Before being operational to allow the final device to connect to a cellular network, the SE must follow a personalization process including several steps. First an operating system, OS, must be loaded in the SE. The loaded OS is typically a generic version of the OS. Once loaded in the SE, the OS is bound to the particular chip on which it has been loaded, the chip being either dedicated to the SE or a chip comprising the SE as one of its hardware components. This binding step is based on the unique chip identifier, called in this document ChipID, assigned to the chip comprising the SE by the chip manufacturer. This binding step ensures that the OS cannot run on any other chip with a different ChipID. Alternatively, the eID identifying the SE may be used instead of the ChipID. To make the SE operational and allow the final device to connect to a cellular network, it is required to use a particular subscription to a mobile network operator, MNO. All the information linked to a particular subscription is provided as a profile comprising the identification of the MNO, th