Search

KR-20260066635-A - PROVIDING AN EUICC WITH PROFILE DATA OF AT LEAST ONE PROFILE

KR20260066635AKR 20260066635 AKR20260066635 AKR 20260066635AKR-20260066635-A

Abstract

A method for establishing at least one profile within an euicc comprises: a) generating at least a portion of profile data within the euicc, referred to as onboard generated profile data (op); and the method further comprises: c) transmitting all or part of the onboard generated profile data (op) from the euicc to a verification entity (ver); d) generating a verification result in the verification entity (ver) indicating successful or unsuccessful verification of the onboard generated profile data (op) based on the transmitted onboard generated profile data (op), verification criteria, and verification information, and transmitting the verification result from the verification entity (ver) to a state manager entity; and e) providing an operative state of the profile within the euicc only under conditions where the verification result indicates successful verification of the onboard generated profile data (op), and preventing the operative state of the profile within the euicc under conditions where the verification result indicates unsuccessful verification of the onboard generated profile data (op).

Inventors

  • 디체 클라우스
  • 야거 바르바라
  • 윌리암스 디브야 미리암

Assignees

  • 기제케+데프린트 모바일 서큐리티 저머니 게엠베하

Dates

Publication Date
20260512
Application Date
20251031
Priority Date
20241104

Claims (15)

  1. A method for setting at least one profile within an eUICC, comprising profile data including at least a subscriber identification number (IMSI; SUPI; NAI) and a network authentication key K, a) generating at least a portion of the profile data referred to as onboard generated profile data (OP) within the eUICC; b) Setting a profile containing the above-mentioned onboard generated profile data (OP) within the eUICC Includes, The above method is, c) a step of transmitting all or part of the above-mentioned onboard generated profile data (OP) to a verification entity (VER); d) In the verification entity (VER), generating a verification result indicating successful or unsuccessful verification of the onboard generated profile data (OP) based on the transmitted onboard generated profile data (OP), verification criteria, and verification information, and transmitting the verification result from the verification entity (VER) to the state manager entity; e) A step in which the state manager entity provides the operating state of the profile within the eUICC only under conditions where the verification result indicates successful verification of the onboard generated profile data (OP), and prevents the operating state of the profile within the eUICC under conditions where the verification result indicates unsuccessful verification of the onboard generated profile data (OP). A method characterized by
  2. In paragraph 1, The above verification entity (VER) is the following entity: - SM-DP+ or SM-DPf server; - IFPP production machine; - EUM; - Verification server; - A verification server connected to an SM-DP+ or SM-DPf server or an IFPP production machine; - eIM; - The above eUICC; It is one of them or included in/or, The above state manager entity is the following entity: - SM-DP+ or SM-DPf server; - eIM; - The above eUICC One of the methods included therein.
  3. In paragraph 1 or 2, The above-mentioned onboard generated profile data (OP) includes at least one unique data item associated with the profile, wherein, Step c) includes transmitting the at least one unique identifier associated with the profile; Step d) includes verifying the uniqueness of at least one transmitted unique identifier associated with the profile; In step e), the successful verification includes confirming the uniqueness of at least one unique identifier generated onboard associated with the profile.
  4. In paragraph 3, The onboard generated profile data (OP), which is a unique data item associated with the above profile, is - International Mobile Subscriber Identity (IMSI); - Subscriber Permanent Identifier (SUPI); - Network Access Identifier (NAI); - eUICC identifier(eUICC identifier, EID); - Profile number, Integrated Circuit Card Identifier (ICCID); - Network Authentication Key K; - OTA Key Set; - Secure Channel Key Set A method comprising one or more of the following.
  5. In any one of paragraphs 1 through 4, Step c) of transmitting the above-mentioned onboard generated profile data (OP) is, - Directly transmit from the above eUICC to the above verification entity (VER); - This is performed by either indirectly transmitting from the above eUICC to the verification entity (VER) through one or more other external entities, and The aforementioned other external entities are, - If the above verification entity (VER) is not an SM-DP+ server, an SM-DP+ server; - If the above verification entity (VER) is not an IFPP production machine, an IFPP production machine hosting the above target eUICC; - If the above verification entity (VER) is not an SM-Df server, an SM-DPf server located outside the IFPP production environment; - If the above verification entity (VER) is not EUM, the operator server or EUM; - If the above verification entity is not eIM, eIM A method comprising one or more of the following.
  6. In any one of paragraphs 1 through 5, A method in which, before step a) is executed, the eUICC includes installed profile data of the profile, preferably excluding the onboard generated profile data (OP); or after step a) is executed, the eUICC is provided with installed profile data of the profile, preferably excluding the onboard generated profile data (OP).
  7. In any one of paragraphs 1 through 6, A method further comprising: step a) receiving, before or after, a profile package (BBP) containing profile data of the profile, preferably excluding the onboard generated profile data (OP), from the eUICC; and step 0-2) installing the profile data of the received profile package into the eUICC.
  8. In any one of paragraphs 1 through 7, A method in which step c) of transmitting the onboard generated profile data (OP) is performed by transmitting the onboard generated profile data (OP) within or together with the installation result notification (PIR).
  9. In Paragraph 7, Step c) of transmitting the above-mentioned onboard generated profile data (OP) is performed by transmitting the above-mentioned onboard generated profile data (OP) within or together with the installation result notification (PIR), and - The above installation result notification (PIR) is related to the installation of the profile data of the above received profile package (BBP); - The above Installation Result Notification (PIR) is transmitted after step a) of generating the above Onboard Generated Profile Data (OP) within the eUICC; - The above installation result notification (PIR) is a method that includes or accompanies the above onboard generated profile data (OP).
  10. In any one of paragraphs 1 through 9, Step b) of setting the profile including the above-mentioned onboard generated profile data (OP) within the eUICC includes (0-2) the step of installing the profile, and step e) of providing the operating state of the profile within the eUICC is combined with steps b) and e), (i) (0-2) Install and/or activate the profile only under conditions of successful verification of the onboard generated profile data (OP) in the verification entity (VER), and at least not activate the profile under conditions of unsuccessful verification of the onboard generated profile data (OP) in the verification entity (VER); or (ii) (0-2) Install and/or activate the profile only under conditions of successful verification of the onboard generated profile data (OP) in the verification entity (VER), maintain the state of the activated profile, and deactivate the profile under conditions of unsuccessful verification of the onboard generated profile data (OP) in the verification entity (VER). A method comprising any one of the following.
  11. In any one of paragraphs 1 through 10, A method further comprising the step of deleting the profile under a non-successful verification condition of the onboard generated profile data (OP) in the verification entity (VER).
  12. In any one of paragraphs 1 through 11, Step d) is the following characteristics of the onboard generated profile data (OP) in the verification entity (VER): - Errors, especially format errors, especially incorrect length and/or incorrect format; - Source of the above onboard generated profile data (OP) from the approved eUICC; - Authenticity of the above-mentioned onboard generated profile data (OP); - Integrity of the above-mentioned onboard generated profile data (OP) A method comprising an additional step of verifying one or more of the following.
  13. In any one of paragraphs 1 through 12, A method in which the transmitted onboard generated profile data (OP) is transmitted in a form encrypted with an encryption key and decrypted with a corresponding decryption key at the verification entity (VER).
  14. An eUICC configured to perform a method of setting at least one profile within the eUICC, the profile data including at least a subscriber identification number (IMSI; SUPI; NAI) and a network authentication key K, wherein the method comprises: a) generating at least a portion of the profile data referred to as onboard generated profile data (OP) within the eUICC; b) Setting a profile containing the above-mentioned onboard generated profile data (OP) within the eUICC Includes, c) a step of transmitting all or part of the above-mentioned onboard generated profile data (OP) to a verification entity (VER); d) Initiating the verification entity (VER) to generate a verification result indicating successful or unsuccessful verification of the onboard generated profile data (OP) based on the transmitted onboard generated profile data (OP) and verification criteria through the above transmission, and transmitting the verification result from the verification entity (VER) to the state manager entity; e) receiving instructions from the state manager entity to provide the operating state of the profile within the eUICC only under conditions where the verification result indicates successful verification of the onboard generated profile data (OP), and to prevent the operating state of the profile within the eUICC under conditions where the verification result indicates unsuccessful verification of the onboard generated profile data (OP). eUICC featuring
  15. A verification entity (VER) configured to perform a method of setting at least one profile within the eUICC, the profile data including at least a subscriber identification number (IMSI; SUPI; NAI) and a network authentication key K, wherein the method comprises: a) a step of generating at least a portion of profile data referred to as onboard generated profile data (OP) within the eUICC; and b) a step of setting a profile including the onboard generated profile data (OP) within the eUICC, after performing these steps in the eUICC, c) receiving all or part of the onboard generated profile data (OP) from the eUICC in the verification entity (VER); d) In the verification entity (VER), generating a verification result indicating successful or unsuccessful verification of the onboard generated profile data (OP) based on the transmitted onboard generated profile data (OP), verification criteria, and verification information, and transmitting the verification result from the verification entity (VER) to the state manager entity; e) Initiating the state manager to provide the operating state of the profile within the eUICC only under conditions where the verification result indicates successful verification of the onboard generated profile data (OP), and to prevent the operating state of the profile within the eUICC under conditions where the verification result indicates unsuccessful verification of the onboard generated profile data (OP). A validation entity (VER) comprising a step of performing a step characterized by

Description

Providing profile data from at least one profile to the EUICC The present invention relates to providing profile data of at least one profile to an eUICC designed to be hosted (can be plugged in or integrated) within a wireless network communication device (or briefly a mobile device). The world is connected through wireless communication networks, also referred to as mobile communication networks, and devices hosting eUICC communicate with each other and with wireless network background servers in a secure manner. An eUICC hosted within a device includes at least one or more subscription profiles (or simply profiles) comprising profile data such as an International Mobile Subscriber Identification Number, which can be implemented as an IMSI, or in 5G as a SUPI or NAI, an authentication key K, a profile number ICCID, an OTA key, and additional profile data, enabling communication in a wireless communication network. In the case of eUICC, various form factors are known, including plug-in SIM cards or pSIMs, embedded and soldered eUICCs or eSIMs in the strict sense, and integrated iUICCs or iSIMs integrated into the chipset of the device hosting the eUICC. In the context of the present invention, eUICC should be understood to include all form factors, including any of the enumerated form factors. Depending on the form factor of the eUICC, hosting the eUICC within a mobile device may be implemented in a form where the eUICC is plugged into, embedded in, or integrated into the mobile device. The device is known as an M2M wireless network communication device, including, for example, consumer wireless network communication devices such as smartphones and network-connectable tablet PCs, as well as automotive wireless network communication devices and industrial wireless network communication devices. Hereinafter, the device refers to a wireless network communication device that hosts an eUICC comprising one or more profiles and is configured to communicate with another device or network server via a mobile communication network, and includes an eUICC for authentication and other security-related tasks. Reference [1] [SGP.22] GSMA SGP.22 RSP Technical Specification Version 3.0 (October 19, 2022) and earlier versions 2.x describe the procedures and architecture for provisioning profiles to eUICCs hosted on consumer devices already in use in the field. In SGP.22 scenarios, the profile server to which profiles are downloaded to the eUICC is also referred to as SM-DP+. References [2] [SGP.41] GSMA SGP.41 eSIM IFPP Architecture and Requirements Version 1.0 Draft 17 and [3] [SGP.42] GSMA SGP.42 eSIM IFPP Technical Specification (not disclosed at the time of filing) relate to in-factory personalization or provisioning, which is a setup in which profiles are provisioned locally to the eUICC in a factory environment, in contrast to the standard remote provisioning procedure of [1] [SGP.22] in which profiles are downloaded from a remote profile provisioning server to the eUICC. In the in-factory procedure, the profile server from which profiles are downloaded to the eUICC is also referred to as SM-DPf. According to reference [1] [SGP.22], Section 2.5 "Profile Protection and Delivery," an operator's profile is protected within a profile package before being downloaded to the eUICC. As described in more detail in sub-section 2.5.1, "Profile Package Types Overview," profile packages can take various forms from creation to download, including the following: ● Unprotected Profile Package (UPP): Raw eUICC profile package TLV sequence. ● Protected Profile Package (PPP): BSP payload segmented and protected within the TLV. ● Bound Profile Package (BPP): Session key agreement info, key replacement package, and ISD-P generation and configuration information are prepended to the beginning. ● Segmented Bound Profile Package (SBPP): A BPP segmented into STORE DATA APDU scripts for loading into the eUICC. This step is performed by the LPD when the LPD is present in the device. Reference [1] [SGP.22] assumes that the profile package complies with the provisions set forth in Reference [6]. Reference [6] [TCP IPP] Trusted Connectivity Alliance, eUICC Profile Package: Interoperable Format Technical Specification, Version 3.3 (March 2023) describes details of the profile elements (profile data) provided in the profile, and a standard format of the profile package as a set of profile elements (profile data), which is used to load and install the interoperable profile package on any compatible eUICC. Reference [4] EP23020510.6 describes a method for setting profile data of at least one profile within a target eUICC, wherein the profile data includes at least a subscriber identification number such as IMSI, SUPI, or NAI and a network authentication key K, and the network authentication key K is generated within the target eUICC. Other profile data may be downloaded to the eUICC as a profile package and may be combined with the profile data genera