KR-20260064574-A - METHOD AND APPARATUS FOR PERSONALIZING A SECURE ELEMENT IN AN OEM FACTORY
Abstract
The present invention relates to a method for personalizing a secure element (SE) in an OEM factory. The SE receives a generic, unbound SE operating system (OS) from a first server and installs it. The OS starts in a factory state in which mobile network access is blocked. The SE sends a factory profile request to a second server, including a token generated from a binding identifier. The second server returns a mobile network operator (MNO) profile bound to that identifier. If the MNO profile is installed successfully, the SE sends a factory installation notification. The second server then issues a command to switch the OS to a live state, in which it is fully operational but may no longer send factory profile requests. Finally, the SE switches the OS to the live state.
Inventors
- 우글리에티, 지안니
- 마쿠다, 제킷
Assignees
- 아이데미아 프랑스
Dates
- Publication Date
- 20260507
- Application Date
- 20251027
- Priority Date
- 20241031
Claims (12)
- A method for personalizing a secure element (SE) (113) at an original equipment manufacturer (OEM) factory, the method being performed by the SE (113) and comprising: receiving (S202) a generic, unbound version of the SE operating system (OS) from a first server (114) operating at the OEM factory; installing (S203) the SE OS on the SE; running the SE OS in a factory state in which the SE OS cannot connect to a mobile network; transmitting (S204) a factory profile request to a second server (112) operating at the OEM factory, the factory profile request including a token generated by the SE OS based on a binding identifier; receiving from the second server (112) a mobile network operator (MNO) profile bound to the binding identifier; sending (S208) a factory installation notification to the second server (112) indicating that the MNO profile was successfully installed on the SE (113); receiving (S210) from the second server (112) a command to switch the SE OS to a live state in which the SE OS operates normally but can no longer transmit factory profile requests; and switching (S211) the SE OS to the live state.
- The method of claim 1, wherein the binding identifier is a ChipID identifying a chip that includes the SE.
- The method of claim 1, wherein the binding identifier is an eID identifying the SE.
- The method of claim 1, further comprising, when the SE first connects to a mobile network, transmitting (S212) a binding notification to a third server (101) outside the OEM factory, the binding notification including a ChipID identifying the chip containing the SE, an eID identifying the SE, and an ICCID identifying the profile.
- The method of any one of claims 1 to 4, wherein the token is encrypted with a one-time symmetric key generated by the SE OS.
- The method of claim 5, wherein the token includes the binding identifier signed and encrypted with the one-time symmetric key.
- A method for personalizing a secure element (SE) at an original equipment manufacturer (OEM) factory, the method being performed by a first server (112) operating at the OEM factory and comprising: receiving (S201) an unbound, protected mobile network operator (MNO) profile from a second server (101) outside the OEM factory; receiving (S204) a factory profile request from the SE, the factory profile request including a token generated by the SE based on a binding identifier; binding (S205) the MNO profile to the SE based on the binding identifier and reserving the binding identifier so that no further profile can be bound using the same binding identifier; transmitting (S206) the bound MNO profile to the SE; receiving (S208) a factory installation notification indicating that the MNO profile was successfully installed on the SE; burning (S209) the binding identifier so as to permanently prevent any further profile from being bound using the same binding identifier; and transmitting (S210) to the SE a command to switch to the live state.
- The method of claim 7, further comprising verifying the token.
- A secure element (SE) (113) in an original equipment manufacturer (OEM) factory, comprising at least one processor and at least one memory in communication with the at least one processor, the at least one memory containing computer-readable instructions which, when executed by the at least one processor, cause the SE to perform: receiving (S202) a generic, unbound version of the SE operating system (OS) from a first server (114) operating at the OEM factory; installing (S203) the SE OS on the SE; running the SE OS in a factory state in which the SE OS cannot connect to a mobile network; transmitting (S204) a factory profile request to a second server (112) operating at the OEM factory, the factory profile request including a token generated by the SE OS based on a binding identifier; receiving from the second server (112) a mobile network operator (MNO) profile bound to the binding identifier; sending (S208) a factory installation notification to the second server (112) indicating that the MNO profile was successfully installed on the SE (113); receiving (S210) from the second server (112) a command to switch the SE OS to a live state in which the SE OS operates normally but can no longer transmit factory profile requests; and switching (S211) the SE OS to the live state.
- A server (112) operating in an original equipment manufacturer (OEM) factory for personalizing a secure element (SE) (113), comprising at least one processor and at least one memory in communication with the at least one processor, the at least one memory containing computer-readable instructions which, when executed by the at least one processor, cause the server (112) to perform: receiving (S201) an unbound, protected mobile network operator (MNO) profile from a second server (101) outside the OEM factory; receiving (S204) a factory profile request from the SE, the factory profile request including a token generated by the SE OS based on a binding identifier; transmitting (S206) to the SE a mobile network operator (MNO) profile bound to the binding identifier; receiving (S208) from the SE a factory installation notification indicating that the MNO profile was successfully installed on the SE; and transmitting (S210) to the SE a command to switch the SE OS to a live state in which the SE OS operates normally but can no longer transmit factory profile requests.
- A computer program product for a programmable device, the computer program product comprising a sequence of instructions which, when loaded into and executed by the programmable device, implement a method according to any one of claims 1 to 8.
- A computer-readable storage medium storing computer program instructions for implementing a method according to any one of claims 1 to 8.
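The two method claims above (claim 1 for the SE side, claim 7 for the factory server side) together describe one exchange. The following is an added example that is not part of the patent or of IDEMIA's code; it models both sides so the three enforcement points a reviewer would look for can be checked: network access is blocked in the factory state, a binding identifier moves free → reserved (S205) → burned (S209) and is refused on any reuse, and once live (S211) the SE OS refuses further factory profile requests. The claims do not specify the token construction or transport, so the token here is assumed to be an HMAC-SHA256 tag over the binding identifier under a key shared by the OS image and the factory server, and MNO profiles are assumed to be plain dicts; both are labelled assumptions and the ICCIDs are constructed sample values.

```python
"""Factory personalization exchange modelled on claims 1 and 7 (added example).

Assumptions not in the claims: token = HMAC-SHA256(binding_id) under a key shared
by the SE OS image and the factory server; profiles are plain dicts.
"""
import hashlib
import hmac
from enum import Enum


class SEState(Enum):
    FACTORY = "factory"  # OS installed; mobile network access blocked
    LIVE = "live"        # fully operational; factory profile requests disabled


class IdState(Enum):
    FREE = "free"
    RESERVED = "reserved"  # S205: profile bound, installation pending
    BURNED = "burned"      # S209: installation confirmed, never reusable


FACTORY_KEY = b"constructed-shared-factory-key"  # assumption: constructed sample key


def make_token(binding_id: str) -> bytes:
    """Assumed token: keyed MAC over the binding identifier (claim 5/6 not modelled)."""
    return hmac.new(FACTORY_KEY, binding_id.encode(), hashlib.sha256).digest()


class FactoryServer:
    """Second server (112): binds unbound MNO profiles to a binding identifier."""

    def __init__(self, unbound_profiles):
        self.pool = list(unbound_profiles)  # S201: unbound profiles from outside server
        self.ids = {}                       # binding_id -> IdState
        self.log = []

    def factory_profile_request(self, binding_id, token):
        # Claim 8: verify the token before binding anything.
        if not hmac.compare_digest(token, make_token(binding_id)):
            self.log.append(("reject", binding_id, "bad token"))
            return None
        # Reserved or burned identifiers are never bound a second time.
        if self.ids.get(binding_id, IdState.FREE) is not IdState.FREE:
            self.log.append(("reject", binding_id, self.ids[binding_id].value))
            return None
        if not self.pool:
            return None
        profile = dict(self.pool.pop(0), bound_to=binding_id)  # S205: bind
        self.ids[binding_id] = IdState.RESERVED                 # S205: reserve
        self.log.append(("bound", binding_id, profile["iccid"]))
        return profile                                          # S206

    def factory_installation_notification(self, binding_id):
        # S208 received -> S209 burn the identifier -> S210 order switch to live.
        if self.ids.get(binding_id) is not IdState.RESERVED:
            return None
        self.ids[binding_id] = IdState.BURNED
        return "SWITCH_TO_LIVE"


class SecureElement:
    """SE (113) running the generic OS image; ChipID used as binding identifier."""

    def __init__(self, chip_id):
        self.chip_id = chip_id
        self.state = None
        self.profiles = []

    def install_os(self):
        self.state = SEState.FACTORY  # S202/S203: generic OS starts in factory state

    def connect_mobile_network(self):
        if self.state is not SEState.LIVE:
            raise PermissionError("factory state: mobile network access blocked")
        return True

    def personalize(self, server):
        if self.state is not SEState.FACTORY:
            raise PermissionError("live state: factory profile requests disabled")
        profile = server.factory_profile_request(self.chip_id, make_token(self.chip_id))  # S204
        if profile is None or profile["bound_to"] != self.chip_id:
            return False  # refuse a profile bound to a different identifier
        self.profiles.append(profile)
        if server.factory_installation_notification(self.chip_id) == "SWITCH_TO_LIVE":  # S208/S210
            self.state = SEState.LIVE  # S211
            return True
        return False


def run_factory_line():
    """Personalize two SEs, then replay CHIP-A's identifier, then retry from live state."""
    server = FactoryServer([{"iccid": "ICCID-SAMPLE-0001"}, {"iccid": "ICCID-SAMPLE-0002"}])  # constructed
    se_a, se_b = SecureElement("CHIP-A"), SecureElement("CHIP-B")
    results = {}
    for se in (se_a, se_b):
        se.install_os()
        try:
            se.connect_mobile_network()
        except PermissionError:
            results[se.chip_id + "_net_blocked"] = True
        results[se.chip_id] = se.personalize(server)
    rogue = SecureElement("CHIP-A")  # presents an already burned identifier with a valid token
    rogue.install_os()
    results["replay_refused"] = not rogue.personalize(server)
    results["live_net"] = se_a.connect_mobile_network()
    try:
        se_a.personalize(server)
        results["live_request_refused"] = False
    except PermissionError:
        results["live_request_refused"] = True
    results["id_states"] = {k: v.value for k, v in server.ids.items()}
    return results
```

The replay case is the one worth noting: the rogue chip holds a valid token because every SE shares the same generic OS image, so the MAC alone proves nothing about uniqueness; it is the server-side reserve-then-burn lifecycle of the binding identifier (S205, S209) that stops a second profile from being issued against CHIP-A.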
Description
Method and apparatus for personalizing a security element in an OEM factory
The present disclosure relates to a method and a device for personalizing a secure element. In particular, it relates to a method of providing an OS and personalization data to a secure element. The secure element may be discrete or integrated, such as an eUICC (embedded Universal Integrated Circuit Card, also called eSIM when it embeds a Subscriber Identity Module), an eSE (embedded Secure Element), an ieUICC (integrated eUICC), or an iUICC (integrated UICC). Wireless user terminals, smartphones, connected objects, or any computing device equipped to communicate over a communication network (e.g., a mobile (phone) network, wireless network, or radiocommunication network) are typically provided with removable, embedded, detachable, or integrated secure elements (SEs). These secure elements include Universal Integrated Circuit Cards (UICCs), such as Subscriber Identity Module (SIM) cards, their embedded versions known as eUICCs or eSIMs (embedded SIMs), and their integrated versions known as iUICCs (integrated UICCs) or iSIMs (integrated eSIMs). An eUICC module is typically a small hardware secure element that can be embedded in or integrated into communication devices, such as smartphones or TCUs (Telematics Control Units used in connected vehicles), to provide the same functionality as a conventional SIM card. eUICCs are also integrated into many communication devices in the context of the so-called Internet of Things (IoT). SEs are typically manufactured by SE manufacturers (SEMs) and supplied to Original Equipment Manufacturers (OEMs), who integrate them into the devices they produce. To connect to and communicate over a mobile network, a subscription with a Mobile Network Operator (MNO) is required. All parameters associated with the subscription are stored in the SE as an MNO profile.
An SE may contain multiple MNO profiles corresponding to different subscriptions with one or more MNOs. The SE includes a processor capable of executing a computer program, memory for storing programs and data, and communication means for communicating with the end device that integrates it and, through that device, with a communication network. The SE is provided by the SEM together with an operating system (OS) that implements the functions of the SE. These functions include, for example, handling the application protocol data units (APDUs) used to communicate with the SE, implementing the commands specified in standard ISO/IEC 7816 Part 4, and computing the cryptographic responses or vectors used to authenticate and obtain access to mobile network resources. The operating system of the SE should not be confused with the operating system running on the end device that integrates the SE. The form factors of the SE have followed a process of increasing integration into the end device. Initially, the SE took the form of a smart card, the well-known SIM card, and the end device was provided with a card reader into which the SIM card could be inserted. Subsequently, a new physical format called eSIM, short for Embedded SIM, was introduced: a dedicated chip hosting the SE, designed to be soldered onto the motherboard of the end device. A further physical format called Integrated eSIM, or simply iSIM, has now emerged, constituting a new stage in this integration process. In this format, the secure element is integrated into a chip, typically a System-on-Chip (SoC), as one of the chip's hardware components. The SoC is a central component that manages many peripheral components or resources of the device (memory, processor, screen, interfaces, computing resources, secure elements, communications, etc.).
The SE must go through a personalization process involving several steps before it can be used to connect the end device to a cellular network. First, an operating system (OS) must be loaded into the SE. The loaded OS is typically a generic version of the OS. Once loaded into the SE, the OS is bound to a specific chip, either a chip dedicated to the SE or a chip that incorporates the SE as one of its hardware components. This binding step is based on a unique chip identifier, referred to as the ChipId in this document, which is assigned by the chip manufacturer to the chip constituting the SE. Binding prevents the OS from running on a different chip with a different ChipId. Alternatively, an eID identifying the SE may be used instead of the ChipId. For the SE to operate and allow the end device to connect to a cellular network, a particular subscription with a mobile network operator (MNO) must be used. All information associated with a particular subscription is provided as a profile containing the identification of the MNO and the identification of the subscriber, together with the credentials needed to connect to the MNO network. To allow the connection, at least one of these pr