СРАБАТЫВАЕМОЕ НА ОСНОВЕ АКТИВНОСТИ ОБЕСПЕЧЕНИЕ ПОРТАТИВНЫХ БЕСПРОВОДНЫХ СЕТЕЙ

Изобретение относится к автоматической конфигурации беспроводных сетей связи в ответ на активность пользователя. Техническим результатом является обеспечение беспрепятственного и безопасного осуществления доступа устройств пользователя к Интернету посредством удаленной сети. Устройство и связанные способы относятся к конфигурированию сети, удаленной от персональной сети пользователя, с помощью параметров, регулирующих персональную сеть пользователя, в ответ на активность пользователя, а также в местоположении и момент времени, которые основаны на активности пользователя. В иллюстративном примере сеть может представлять собой сеть Wi-Fi. Персональная сеть пользователя может представлять собой, например, домашний SSID пользователя для осуществления доступа к персональному устройству доступа Wi-Fi пользователя. В некоторых примерах активность пользователя может представлять собой запрос доступа к удаленной сети с использованием домашнего SSID пользователя. Запрошенный доступ может быть предоставлен ...

БЕСПРОВОДНОЕ УСТРОЙСТВО, СПОСОБ ЗАПРОСА ПОЛЬЗОВАТЕЛЬСКОГО КЛИЕНТА УПРАВЛЕНИЯ ДОСТУПОМ И СПОСОБ ВЫПОЛНЕНИЯ КЛИЕНТА УПРАВЛЕНИЯ ДОСТУПОМ

Изобретение относится к беспроводной связи, а именно к способу для безопасной передачи клиента управления доступом. Техническим результатом является повышение безопасности. Способ содержит запрос пользовательского клиента управления доступом из беспроводной сети, при этом запрос связан с первым подтверждающим сертификатом; прием пользовательского клиента управления доступом и второго подтверждающего сертификата, при этом первый и второй подтверждающий сертификаты выданы доверенной структурой; и сохранение пользовательского клиента управления доступом в безопасном элементе, если второй подтверждающий сертификат действителен; причем пользовательский клиент управления доступом сохраняют в индивидуальном сегменте из числа множества сегментов, из которых состоит безопасный элемент, и последующие модификации сохраненного пользовательского клиента управления доступом могут быть выполнены только с использованием второго подтверждающего сертификата; а доступ к беспроводной сети ограничен (i) доступом ...

СЛУЖБА IOT-ИНИЦИАЛИЗАЦИИ

Изобретение относится к технологии, направленной на инициализацию устройств в IoT-окружении. Техническим результатом является обеспечение возможности инициализации IoT-устройств в IoT-концентраторе. Система для связи для Интернета вещей (IoT) содержит службу инициализации, включающую в себя по меньшей мере один процессор, который обеспечивает прием идентификационного сообщения, при этом идентификационное сообщение включает в себя информацию, которая связана с идентификацией первого IoT-устройства, проверку достоверности первого IoT-устройства, выполнение определения IoT-концентратора из множества IoT-концентраторов, который должен быть ассоциирован с первым IoT-устройством, на основе, по меньшей мере отчасти, идентификационного сообщения, и предписание регистрации первого IoT-устройства в упомянутом определенном IoT-концентраторе. 3 н. и 17 з.п. ф-лы, 9 ил.

ИНТЕГРИРОВАННЫЙ МОБИЛЬНЫЙ ДОВЕРЕННЫЙ МЕНЕДЖЕР УСЛУГ

... 1. Способ обработки сообщения, относящегося к приложению мобильных платежей на элементе безопасности устройства мобильной связи, через концентратор услуг взаимосвязности, причем способ содержит этапы, на которых:принимают сообщение от первого субъекта по первому протоколу;определяют посредством серверного компьютера доверенный менеджер услуг, ассоциированный с элементом безопасности, из числа множества доверенных менеджеров услуг, используя таблицу маршрутизации, содержащую информацию маршрутизации, соответствующую заранее заданным взаимоотношениям управления элемента безопасности;определяют второй протокол, соответствующий доверенному менеджеру услуг, ассоциированному с элементом безопасности;преобразовывают упомянутое сообщение во второй протокол; ипосылают преобразованное сообщение доверенному менеджеру услуг, причем доверенный менеджер услуг осуществляет связь с элементом безопасности.2. Способ по п. 1, в котором первый протокол также представляет собой второй протокол.3. Способ по ...

СПОСОБ И СИСТЕМА ПРОГРАММИРОВАНИЯ ОБСЛУЖИВАНИЯ ПОСРЕДСТВОМ РАДИОСИГНАЛОВ

... 1. Способ программирования обслуживания посредством радиосигналов (ПОР) мобильной станции в гостевой коммуникационной сети радиосвязи, заключающийся в том, что формируют временный идентификатор, представляющий мобильную станцию, причем временный идентификатор формируют в центре коммутации мобильных станций гостевой коммуникационной сети радиосвязи, передают временный идентификатор из центра коммутации мобильных станций в регистр исходного местоположения через регистр местоположения абонентов-визитеров, принимают идентификатор мобильной станции из центра коммутации мобильных станций с помощью регистра исходного местоположения, устанавливают прозрачную линию передачи данных между регистром исходного местоположения и мобильной станцией и осуществляют программирование обслуживания мобильной станции из регистра исходного местоположения. 2. Способ по п.1, отличающийся тем, что программирование обслуживания мобильной станции включает в себя изменение конфигурации обслуживания мобильной станции ...

ОСНОВАННАЯ НА ОБЛАКЕ ПРИВЯЗКА ПЕРЕНОСИМЫХ КОМПОНЕНТОВ

... 1. Один или более машиночитаемых носителей, содержащих машиноисполняемые инструкции, которые, когда выполняются одним или более процессорами в мобильном вычислительном устройстве, выполняют действия, включающие в себя: ! запрос из переносимого компонента, физически подключенного к мобильному вычислительному устройству, но съемного с мобильного вычислительного устройства, криптографически защищенного идентификатора [302], привязанного к переносимому компоненту, идентифицирующего переносимый компонент, и недешифруемого мобильным вычислительным устройством, но дешифруемого удаленным вычислительным устройством, способным связываться с мобильным вычислительным устройством с помощью сети связи мобильных устройств; ! прием криптографически защищенного идентификатора из переносимого компонента [304]; !передачу криптографически защищенного идентификатора удаленному вычислительному устройству по сети связи мобильных устройств, чтобы запрашивать разрешение на использование защищенного мультимедийного ...

СПОСОБ И СИСТЕМА ПРЕДОСТАВЛЕНИЯ ДАННЫХ ДОСТУПА НА МОБИЛЬНОЕ УСТРОЙСТВО

УСТРОЙСТВО И СПОСОБ АУТЕНТИФИКАЦИИ В БЕСПРОВОДНОЙ СЕТИ

... 1. Беспроводное устройство, содержащееодну или более линий связи, реализованных с возможностью осуществления связи с поставщиком обслуживания;защищенный элемент, выполненный с возможностью сохранения клиента доступа;процессор; изапоминающее устройство, выполненное с возможностью осуществления обмена данными с процессором, причем запоминающее устройство содержит выполняемые компьютером команды, обеспечивающие при их выполнении осуществление устройством:аутентификации у поставщика обслуживания, причем указанная успешная аутентификация приводит к предоставлению поставщиком обслуживания клиента доступа;сохранения клиента доступа в защищенном элементе в ответ на прием клиента доступа.2. Устройство по п.1, отличающееся тем, что содержит систему схем беспроводной связи дальнего действия.3. Устройство по п.2, отличающееся тем, что дополнительно содержит систему схем беспроводной связи ближнего действия.4. Устройство по п.2, отличающееся тем, что дополнительно содержит систему схем ближней бесконтактной ...

СПОСОБЫ ДЛЯ ЗАЩИТЫ ЦЕЛОСНОСТИ ДАННЫХ ПОЛЬЗОВАТЕЛЬСКОЙ ПЛОСКОСТИ

СПОСОБ АВТОРИЗАЦИИ АКТУАЛИЗАЦИИ ПРОГРАММНОГО ОБЕСПЕЧЕНИЯ В ТРАНСПОРТНОМ СРЕДСТВЕ И ТРАНСПОРТНОЕ СРЕДСТВО

СПОСОБ ЗАГРУЗКИ ПОДПИСКИ В UICC, ВСТРОЕННУЮ В ТЕРМИНАЛ

... 1. Способ загрузки подписки в универсальную карту с интегральной схемой (UICC), встроенную в терминал, причем упомянутый способ включает в себя этапы, на которых:переносят ICCID в упомянутый терминал;отправляют упомянутый ICCID no IP линии связи в защищенное хранилище;выбирают в упомянутом защищенном хранилище подписку, соответствующую упомянутому ICCID;передают упомянутую подписку в упомянутый терминал по упомянутой IP линии связи;сохраняют упомянутую подписку в упомянутом терминале.2. Способ по п. 1, в котором упомянутый ICCID переносят наряду с секретным кодом активации ICCID, и в котором упомянутое защищенное хранилище проверяет сопряжение ICCID и секретного кода активации перед передачей упомянутой подписки в упомянутый терминал.3. Способ по п. 2 или 3, в котором упомянутый ICCID содержится в маркере, и при этом упомянутый ICCID переносят в упомянутый терминал через NFC.4. Способ по п. 3, в котором упомянутый маркер является меткой NFC.5. Способ загрузки подписки в универсальную карту ...

СПОСОБЫ И УСТРОЙСТВО ДЛЯ КРУПНОМАСШТАБНОГО РАСПРОСТРАНЕНИЯ ЭЛЕКТРОННЫХ КЛИЕНТОВ ДОСТУПА

... 1. Способ распространения электронных клиентов контроля доступа мобильным беспроводным устройствам, содержащий этапы, на которых, на серверном объекте, который управляет множеством электронных клиентов контроля доступа:определяют принадлежность по меньшей мере одного электронного клиента контроля доступа из множества электронных клиентов контроля доступа, причем определение принадлежности включает в себя этап, на котором:идентифицируют мобильное беспроводное устройство, которому соответствует этот по меньшей мере один электронный клиент контроля доступа;определяют, скопирован ли данный по меньшей мере один электронный клиент контроля доступа на мобильном беспроводном устройстве; ипри определении того, что данный по меньшей мере один электронный клиент контроля доступа не скопирован на мобильном беспроводном устройстве:шифруют упомянутый по меньшей мере один электронный клиент контроля доступа, чтобы создать зашифрованный электронный клиент контроля доступа для переноса на мобильное беспроводное ...

VERFAHREN ZUM VEREINFACHTEN AUSTAUSCH EINER SIM-KARTE BEI TEILNEHMERN EINES DIGITALEN MOBILKOMMUNIKATIONSNETZES

VERFAHREN UND SYSTEM ZUR DURCHFÜHRUNG VON POST-AUSGABE-KONFIGURATIONS UND DATENÄNDERUNGEN AN EINEM PERSÖNLICHEN SICHERHEITSGERÄT UNTER VERWENDUNG EINER KOMMUNIKATIONS-PIPELINE

Telefonanlage für das Fernladen von Fernsprechabonnement-Daten einer autonomen Station.

Verfahren zur Optimierung von Rekonfigurationsprozessen in Mobilfunknetzwerken mit rekonfigurierbaren Endgeräten durch Sammlung und Bereitstellung geeigneter Messdaten sowie eine entsprechende Anordnung

Die Erfindung betrifft im Wesentlichen zugriffsgeschützte Speicherbereiche auf im Netzwerk eines Betreibers lokalisierten, die Rekonfiguration von SDR-Terminals unterstützenden Netzwerkelementen in Kombination mit Verfahren zur geschützten Datenübertragung, welche vorzugsweise Verfahren zur Authentisierung und Autorisierung der Kommunikationspartner sowie für die geschützte Kommunikation, insbesondere dem Schutz der Integrität und der Vertraulichkeit, betreffen. Derartige zugriffsgeschützte Daten stammen entweder vom Terminal und werden im Rahmen von Verhandlungen an das Radio Access Network (RAN) übertragen und dort zwischengespeichert, oder sie werden im Rahmen von auf das Terminal bezogenen Vorgängen direkt im RAN generiert. Ein weiterer wichtiger Aspekt der Erfindung liegt in der Generierung und Verwaltung zugriffsgeschützter Speicherbereiche durch den Netzwerkbetreiber. DOLLAR A Dies führt zu einer massiven Entlastung der Luftschnittstelle sowie auch im Hinblick auf die Signalisierung ...

Sichere Bearbeitung von Verbindungseinstellungen eines eingebetteten Modems durch Kommunikation über Kurznachrichtenübermittlungsdienst

Ein Fahrzeug kann mindestens eine Steuerung umfassen, die konfiguriert ist, einen Kommunikationskanal über ein Netz zwischen einem Fahrzeug und einem Fahrzeug-Dienstserver durch einen Zugangspunktknoten aufrecht zu erhalten. Die mindestens eine Steuerung kann ferner konfiguriert sein, über das Netz außerhalb des Bandes vom Kommunikationskanal eine Aktualisierungsnachricht zu empfangen, welche aktualisierte Kommunikationskanal-Verbindungsinformationen umfasst, und den Kommunikationskanal bei Empfang der Nachricht gemäß den aktualisierten Verbindungsinformationen erneut verbindet. Ein sicherer Server kann konfiguriert sein, die Aktualisierungsnachricht, die mindestens eine von aktualisierten Zugangspunktknoteninformationen und aktualisierten Adressinformationen spezifiziert, zu erzeugen, die Aktualisierungsnachricht gemäß einem Chiffrierungsschlüssel, der mit einem Fahrzeugziel geteilt wird, zu verschlüsseln und die Aktualisierungsnachricht über ein Netz außerhalb des Bandes vom Kommunikationskanals ...

Netzwerkzugangsunterstützung

Zur Unterstützung des Zugangs eines Endgeräts (10) zu einem Mobilfunknetzwerk (200) werden dem Endgerät seitens eines Zugangsunterstützungs-Servers (100) eine Netzwerkteilnehmerkennung (50) und eine Mehrzahl von Authentisierungsdatensätzen (60) zu dieser Netzwerkteilnehmerkennung übertragen (S4; S10). Die Mehrzahl der Authentisierungsdatensätze (60) ist dabei zuvor von einem Server (210) des Mobilfunknetzwerks (200) erzeugt worden (S6), nachdem der Zugangsunterstützungs-Server (100) dem Server (210) die Netzwerkteilnehmerkennung übermittelt (S5) hat. Zur Prüfung (G4) einer Authentisierungsinformation des Endgeräts (10) bei der Anmeldung gegenüber dem Mobilfunknetzwerk (200) wird einem Authentifizierungs-Server (220) des Mobilfunknetzwerks (200), beispielsweise durch den Server (210), ein Authentisierungsdatensatz (62) aus der Mehrzahl der Authentisierungsdatensätze (60) übermittelt.

System und Verfahren zur Verwaltung der sicheren Registrierung für ein Mobilkommunikationsgerät

System und Verfahren zur Verwaltung der sicheren Registrierung für ein Mobilkommunikationsgerät

System and method for retail SIM marketplace

A system and method for accessing a carrier network by a client device. The method includes: receiving a selection of a first plan from a carrier marketplace that includes at least the first plan and a second plan, wherein the first plan corresponds to a first set of services provided by a first carrier network, and the second plan corresponds to a second set of services provided by a second carrier network; downloading a carrier profile from the server device to a multi-profile UICC (Universal Integrated Circuit Card) included in the client device, wherein the carrier profile is associated with the first plan; and storing the carrier profile in the multi-profile UICC.

Mobile communications

METHOD OF OPERATING RADIO TELEPHONE SYSTEM

Digital rights management

Smart Card Web Server (SCWS) administration within a plurality of security domains

The invention relates to a method for remotely managing content on a web server, the web server being hosted in a storage device within an architecture consisting of a plurality of security domains and the web server being managed though a plurality of administrative agents, each agent using one or more corresponding administrative protocols, the method including securing the administrative protocol processed by each administrative agent by a cryptographic keyset containing at least one key and preventing any given administrative agent from using the keys of any other agent. The web server may be a Smart Card Web Server (SCWS). The security domains may be implemented in accordance with Global Platform specifications and the administrative protocol may be an OMA (Open Mobile Alliance) Full Administrative Protocol or Lightweight Administrative Protocol. The managed content may include executable applications accessible at one or more URLs, and at least one of the executable applications may ...

NETWORK ACCESS CONTROL VIA MOBILE TERMINAL GATEWAY

The invention provides for telecommunications user equipment 12, such as a mobile phone or PDA, including network access control means operative responsive to control parameters and further including a subscriber module e.g. SIM or USIM accessible remote from the user equipment and arranged to store the said control parameters for use by the access control means. The subscriber module can comprise a mobile equipment offering gateway functionality such as between a public access network 16 and a local IP link 14. It is envisaged that a mobile terminal's internal or co-located external devices may connect to the internet wirelessly, through the mobile terminal, with the mobile terminal acting as a border gateway. The local IP sub-network would be hidden behind the single IP address of the mobile terminal, and this application seeks to control the network access available to the mobile device.

Provisioning apparatus and methods therefor

A secondary wireless communication unit (625) contains a UICC which requires provisioning/re-provisioning comprises a transmitter arranged to transmit a subscription request 650 to a primary subscriber wireless communication unit 620; a receiver arranged to receive a provisioning profile in response to the subscription request; and a Universal Integrated Circuit Card (UICC) 630 arranged to be provisioned with the received provisioning profile. A primary subscriber wireless communication unit (620) comprises: a signal processor; a transmitter arranged to establish a connection with a mobile network operator and inform a secondary wireless communication unit (625) of said established connection; and a receiver arranged to receive a subscription request from the secondary wireless communication unit (326) based at least partly in response to informing the secondary wireless communication unit (326) of said established connection. The connection may be a radio, wired, or NFC connection. The ...

Data transmission links

Server initiated remote device registration

Web server administration

Distributed management system for internet of things devices and methods thereof

Distributed management of Internet of Things (IoT) devices is achieved using gateway devices. A gateway device connects to a security entity, e.g. a server, to obtain a gateway digital certificate, signed by a root of trust, and permission to perform tasks on the IoT device. The gateway connects to the IoT device and uses the gateway digital certificate to obtain management control of it. The IoT device has a private /public key pair and stores its private key and a certificate from the root of trust. The IoT device is able to check the root of trust of the gateway certificate with its own. The gateway may control multiple IoT devices and may be given permission to modify firmware of the IoT devices. A distributed management system comprises multiple gateways with each gateway managing multiple IoT devices. In another claimed arrangement the gateway receives from a security entity credentials to obtain control of the IoT devices and also an assignment of tasks for the gateway to perform ...

Control of mobile communication devices

Protecting usage of key store content

Trax print document/item verification process using digital closed loop system

The use of mobile (cell) technology to validate printed documents. A secure QR code is printed into or adhered on a document that needs to be secured, and the document scanned into a database. When validation is required the QR code is scanned using a proprietary scanner application and an electronic copy of the document is sent to the mobile phone to be compared to the physical copy. The owner of the document is also alerted that a scan has been performed. If a fabricated QR code is used the document will not be found; if a code from a different document is used the wrong document will be displayed.

Profiles in deployable wireless communications systems

METHOD AND DEVICE FOR AUTHENTICATING A MOBILE STATION ON AN ALTERNATIVE COMMUNICATIONS NETWORK

METHODS, SYSTEMS AND COMPUTER READABLE MEDIA FOR ELECTRONICALLY DELIVERING A PREPAID CARD TO A MOBILE DEVICE

Cellular public telephone and cellular public telephone network

Mobile device with secure element

Methods, systems and computer readable media for electronically delivering a prepaid card to a mobile device.

SAFE PROCEDURE FOR THE NOTIFICATION OF A SERVICE COMPLETION

SYSTEM FOR THE ADMINISTRATION OF THE IDENTITY OF THE MOBILE STATIONS THE BETWEEN PORTABLE RADIO NETWORKS WANDERING

SYSTEM AND PROCEDURE FOR IMPROVED SECURITY IN SUPPLY AND UMPROGRAMMIERUNG OF HAND ATTACHMENTS

SYSTEM AND PROCEDURE FOR COMPACTING OF IN THE FIELD UPDATE-CASH SOFTWARE CODE SECTIONS OF A WIRELESS COMMUNICATIONS EQUIPMENT

PROCEDURE FOR AUTHENTIFIKATION OF APPLICATIONS

PROCEDURE FOR THE ADMINISTRATION OF A PERIPHERAL UNIT BY A SIM MAP IN WIRELESS COMMUNICATION TERMINALS AND PERIPHERAL UNIT FOR THE IMPLEMENTATION OF THE PROCEDURE

PROCEDURE FOR ADJUSTMENT THE KEY AND FOR ADJUSTMENT THE INITIAL PATENT KEY IN A MOBILE TERMINAL

PROCEDURE AND DEVICE FOR ERMÍGLICHUNG THE ADMINISTRATION OF THE MULTICAST DELIVERY AT MOBILE MECHANISMS

PROCEDURE FOR THE SUBDIVIDED SUPPLY OF AN ELECTRONIC SERVICE

PROCEDURE AND SYSTEM FOR THE ACTUALIZATION OF A SECRET KEY

ENTRANCE PROCEDURE FOR A OF A VIRTUAL OPERATOR SUGGESTING SPECIFIC SERVICE AND SMART CARD FOR AN APPROPRIATE DEVICE

TO DOWNLOAD SYSTEM AND PROCEDURE AROUND A SOFTWARE CODE SECTION OF A WIRELESS COMMUNICATIONS EQUIPMENT

SYSTEM AND PROCEDURE FOR IMPROVED SECURITY WITH THE UMPROGRAMMIERUNG OF A HAND ATTACHMENT

DEVICE AND PROCEDURES FOR BI-DIRECTIONAL COMMUNICATION AND EXECUTION COMMANDCORRODE MORE DYNAMICALLY

PROCEDURE AND SYSTEM FOR THE EXECUTION OF POST OFFICE EXPENDITURE CONFIGURATION AND DATA CHANGES AT PERSONAL SAFETY EQUIPMENT USING A COMMUNICATION PIPELINE

IDENTIFICATION MAP AND IDENTIFICATION PROCEDURE

Internet of things device burning verification method and apparatus, and identity authentication method and apparatus

Provided in the present application are an Internet of Things device burning verification method and apparatus, and an identity authentication method and apparatus, the burning verification method comprising: a burning verification apparatus receives a burning request sent by a burning production line, the burning request being used for requesting the burning apparatus to allocate an identity ID and device keys to an Internet of Things device to be burned; the device keys comprise a device private key and a device public key; the burning verification apparatus verifies whether the burning request is legitimate, and if so, then allocates an identity ID and device keys to the Internet of Things device to be burned; and the burning verification apparatus sends the identity ID and the device keys to the burning production line, such that the burning production line burns the identity ID and the device keys to the corresponding Internet of Things device. Using the embodiments of the present ...

Automatic device fulfillment configuration

A system (100) and method (300) for fulfilling a customer order including a desired quantity of portable communication devices. The method (300) includes receiving the customer order, receiving at least one unique identifier for each of the portable communication devices of the desired quantity, and transmitting each of the at least one unique identifier to a provisioning server (104), from the order processing management computer (402). The method (300) further includes associating the at least one unique identifier with a subscription to a service network of a mobile virtual network operator (404), transmitting the at least one unique identifier to the mobile virtual network operator (404) to activate an integrated circuit card for each of the portable communication device (105), receiving updated subscription information for each of the portable communication devices, and transmitting, the updated subscription information for each of the portable communication devices to the device management ...

Improvements in and relating to network communications

A method for authenticating a client device in a communications network, including obtaining network access credentials (32) for the client device from an authentication server apparatus for a communications network, and displaying on the client device a user interface arranged for receiving a user input command to connect the client device to the communications network. The method includes receiving the user input command (33) at the client device and in response thereto disassociating the client device from the network. The method includes transmitting the network access credentials (38, 39) for the client device to the authentication server apparatus which is responsive thereto to transmit to the client device an access accept message (39, 40).

Authentication key management system and method

Mobile WLAN gateway

Management of mobile unit configuration in wlans

Platform validation and management of wireless devices

Methods, components and apparatus for implementing platform validation and management (PVM) are disclosed. PVM provides the functionality and operations of a platform validation entity with remote management of devices by device management components and systems such as a home node-B management system or component. Example PVM operations bring devices into a secure target state before allowing connectivity and access to a core network.

Setup of new subscriber radiotelephone service using the internet

APPLET DOWNLOAD IN A COMMUNICATION SYSTEM

MOBILE INTERNET SOLUTION USING JAVA APPLICATION COMBINED WITH LOCAL WIRELESS INTERFACE

Safe application distribution and execution in a wireless environment

System and method for updating persistent data in a wireless communications device

Enhanced data interface for contactless communications

Embodiments of the invention are directed at an enhanced data interface (EDI) for contactless communications between a mobile application operating on a mobile device and an access device (e.g., contactless reader) that allows for enhanced verification between the mobile device and access device. One embodiment of the invention is directed to a method. The method comprises a mobile device receiving a request for available applets from an access device and providing a list of available applets including trusted applet identifiers and untrusted applet identifiers to the access device. The method further comprises receiving a selection of an untrusted applet identifier from the list and an entity identifier associated with the access device, validating that the access device is authorized to access credentials associated with the selected untrusted applet identifier using the entity identifier, and providing the credentials associated with the selected untrusted applet identifier to the access ...

CREDENTIAL MANAGEMENT SYSTEM

A server may communicate with a mobile device and/or a reader device via an Internet connection. The server may be configured to generate a credential and transmit the credential to the mobile device. The mobile device may use the credential in an access control system, a payment system, a transit system, a vending system, or the like.

Method and device for embedded SIM provisioning

A method and an electronic device are provided for embedded SIM (eSIM) provisioning. The electronic device includes a first interface configured to transmit a request message for requesting a profile from a profile generation server, and to receive a plurality of packets associated with installation of the profile, in response to the request message; a processor configured to generate an image file from the plurality of packets; an authentication module configured to perform authentication with the profile generation server and authenticate an electronic device including an embedded SIM (eSIM); and a second interface configured to connect the server device to the electronic device, and to transmit the image file to the electronic device, if the electronic device is authenticated.

Method and terminal for data service transmission

The present invention relates to a method and device for data service transmission. The method comprises that: when arriving at a roaming location, the terminal receives a first message sent by a network operator in the roaming location, and the first message carries identification information of a virtual Subscriber Identity Module (SIM) card of the network operator in the roaming location; after passing the network authentication of the network operator in the roaming location, the terminal downloads virtual SIM card information according to the identification information of the virtual SIM card in the first message; and the terminal performs service transmission through the virtual SIM card by using a service provided by the network operator in the roaming location. With the present invention, the problem of using a data service by a user of a roaming terminal is solved, and usage expense of a roaming data service is reduced.

Method and device for authenticating a mobile station on an alternative communications network

A method of authenticating a mobile station on an alternate communications network is disclosed, the mobile station being associated with a default communications network. The mobile station comprises a baseband processor to manage the antenna-related functions and a SIM card to accommodate a default SIM associated with the default communications network for receiving network credentials from the baseband processor. The method comprises providing a SIM card device to intercept communications between the baseband processor and the SIM card, monitoring the network credentials in respect of the network that the mobile station is actively in communication with, determining whether the mobile station needs to switch to an alternate network, and identifying or receiving from a user the alternate network, consulting a SIM bank, comprising at least one alternate SIM, and selecting an alternate SIM having a mobile station identification variable compatible with the alternate network, receiving a ...

Enhanced short message and method for synchronising and ensuring security of enhanced short messages exchanged in cellular radio communication system

ENHANCED DEVICE UPDATING

Systems, methods, and related technologies for device software monitoring and device software updating are described. In certain aspects, a device is selected based on being a smart device and a software version of associated with the software of the device is determined. The device software may then be automatically updated if newer software is available.

SYSTEMS AND METHODS FOR INITIALIZATION AND ACTIVATION OF SECURE ELEMENTS

Disclosed herein are secure transaction systems having secure elements that are initialized and activated independent from each other. The secure element is first initialized to make the secure element turn to a state in which the secure element can be packaged, sold within retail stores, and then injected with encryption keys. The initialization process of the secure element formulates the secure element to ensure trust between the secure elements and secure element activation servers. The process of independently initializing and activating the secure elements while still addressing the security protocols allows the secure element to be packaged and sold within retail stores after initialization, and then activating the secure element at a later date and time when the secure element is ready to be used by a merchant.

TECHNIQUES FOR MANAGING SECURITY IN NEXT GENERATION COMMUNICATION NETWORKS

Disclosed techniques provide enhanced security for a communications network. Access terminal devices (figure 1, 5) intended for operation via the network are expected to have security agent functionality, e.g. in the form security agent software loaded into or otherwise enabled on each of the access terminal devices. Registration procedures include verification that such an agent is present/enabled on an access terminal and that the agent currently implemented on the terminal device provides adequate security for the communications network against malicious traffic from that device.

SYSTEM AND METHOD FOR MANAGING SECURE REGISTRATION OF A MOBILE COMMUNICATIONS DEVICE

In one embodiment, a scheme is provided for managing secure registration of a mobile communications device (116). Upon being provided with an upgraded registration process that requires encryption, the mobile communications device (116) has the option of continuing to register with a network node (216) using a downgraded registration process within a specified time window which involves unencrypted registration. requests and responses. Thereafter, the mobile communications device (116) is operable to select between the upgraded and downgraded registration processes.

WRITING APPLICATION DATA TO A SECURE ELEMENT

... ²² Systems, methods, computer programs, and devices are disclosed herein for ²partitioning the namespace of a secure element in contactless smart card ²devices and for ²writing application data in the secure element using requests from a software ²application ²outside the secure element. The secure element is a component of a contactless ²smart card ²incorporated into a contactless smart card device. A control software ²application resident in ²the same or a different secure element provides access types and access bits, ²for each access ²memory block of the secure element namespace, thereby portioning the namespace ²into ²different access types. Further, a software application outside the secure ²element manages ²the control software application by passing commands using a secure channel to ²the secure ²element, thereby enabling an end-user of the contactless smart card device or ²a remote ²computer to control the partitioning and use of software applications within ²the secure ²element ...

METHOD AND SYSTEM FOR SECURE PROVISIONING OF A WIRELESS DEVICE

A method and system for enabling one or more communication services on a wireless device are provided. The method comprises: sending a request for provisioning information from a carrier provisioning system to a device developer provisioning system; receiving, from the device developer provisioning system, secure provisioning information corresponding to the request; and sending the secure provisioning information corresponding to the request from the carrier provisioning system to the wireless device.

SYSTEM AND METHOD FOR REMOTE PROVISIONING OF EMBEDDED UNIVERSAL INTEGRATED CIRCUIT CARDS

Methods and devices are described for provisioning embedded universal integrated circuit cards (EUICCs). A certification server may store records for each EUICC containing provisioned profile data. A regulatory domain server may govern a regulatory domain containing a plurality of mobile network operators (MNOs) and may assist with provisioning wireless devices containing EUICCs. The EUICC may store a hierarchy of profiles, including a device profile, a regulatory domain profile, and/or an MNO profile. The EUICC may include a fully-qualified domain name for the certification server, the device installation server, and/or the regulatory domain server so as to trigger provisioning or re-provisioning over an IP connection.

WRITING APPLICATION DATA TO A SECURE ELEMENT

Systems, methods, computer programs, and devices are disclosed herein for partitioning the namespace of a secure element in contactless smart card devices and for writing application data in the secure element using requests from a software application outside the secure element. The secure element is a component of a contactless smart card incorporated into a contactless smart card device. A control software application resident in the same or a different secure element provides access types and access bits, for each access memory block of the secure element namespace, thereby portioning the namespace into different access types. Further, a software application outside the secure element manages the control software application by passing commands using a secure channel to the secure element, thereby enabling an end-user of the contactless smart card device or a remote computer to control the partitioning and use of software applications within the secure element.

METHOD FOR DOWNLOADING A SUBSCRIPTION IN AN UICC EMBEDDED IN A TERMINAL

The invention proposes a method for downloading a subscription in an UlCC embedded in a terminal, this method consisting in: transferring an ICCID to the terminal; sending the ICCID over an IP link to a secure vault; selecting in the secure vault a subscription corresponding to the ICCID; transmitting the subscription to the terminal over the IP link; storing the subscription in the terminal.

PERSONALIZING A SIM BY MEANS OF A UNIQUE PERSONALIZED MASTER SIM

Method for starting up and personalising a further second non-personalised identification module (VSIM), in particular for operation of a mobile radio terminal, wherein a first identification module MasterSIM (MSIM) containing a personalised user data set is present, characterised in that an authentication and/or checking of the second identification module (VSIM) is carried out and the user data set for storage on the second identification module (VSIM) for personalising the second identification module (VSIM) is read from the MasterSIM (MSIM), transmitted to the second identification module (VSIM) and stored therein, in particular containing one or more unique definitive user identification (IMSI).

CREDENTIAL MANAGEMENT SYSTEM

A server may communicate with a mobile device and/or a reader device via an Internet connection. The server may be configured to generate a credential and transmit the credential to the mobile device. The mobile device may use the credential in an access control system, a payment system, a transit system, a vending system, or the like.

CREDENTIAL MANAGEMENT SYSTEM

A server may communicate with a mobile device and/or a reader device via an Internet connection. The server may be configured to generate a credential and transmit the credential to the mobile device. The mobile device may use the credential in an access control system, a payment system, a transit system, a vending system, or the like.

METHODS AND APPARATUS FOR PREPROVISIONING AUTHENTICATION TOKENS TO MOBILE APPLICATIONS

In some embodiments, a non-transitory processor-readable medium includes code to cause a processor (e.g., on an enterprise server) to receive, from a communication device, a request for a client application, and in response to the request provision the installation file data associated with the client application to include an application token associated with the client application. The code is to cause the processor to send the installation file that includes the application token to the communication device such that the communication device uses the installation file to install the client application that authenticates to an application module using the application token extracted from the installation file.

Method for Personalisation of an Active Card

SYSTEM AND METHOD FOR AUTOMATIC REGISTRATION NOTIFICATION FOR OVER-THE-AIR ACTIVATION

A method and system automatically activates a mobile station in a wireless communications network. The system includes an over the air activation funct ion (OTAF) processor in the network that initiates an activation process in resp onse to receiving a registration message from a mobile switching center serving the mobile station requesting the activation. Each mobile station has a unit of informa tion stored into it at the time of its manufacture to enable it to request over the air activation. That unit of information is either the network routing address of the OTAF proces sor, or alternately, it is a value that is translatable into that address, either an OTAF ID number that is the same value for every mobile station or it is a sequential ly serialized dummy value for the mobile identification number (a dummy MIN). When the mob ile station is turned on for the first time in the network, it requests activati on over the air by transmitting to the local mobile switching center a registration ...

SYSTEM AND METHOD FOR USER-PROGRAMMABLE SERVICE PROGRAMMING OF CELLULAR TELEPHONES

A system for user-programming of system parameters of a cellular telephone (100). Data values for the system parameters are stored in a nonvolatile memory (112) within the cellular telephone. A password storage area (116) stores one or more predetermined passwords. After purchasing the telephone (100), the end-user calls a predetermined telephone number and receives one of the predetermined passwords. The user enables a programming mode and enters the predetermined password using the cellular telephone keypad (20). If the user-entered password matches the stored predetermined password, the cellular telephone (100) allows user access to at least a portion of the system parameters in the nonvolatile memory (112). A counter (120) tracks the number of user-programming attempts and terminates the programming after either a predetermined number of failures or successful programming of all the desired system parameter values.

METHOD FOR ROUTING AREA (RA) UPDATE

The present invention relates to a method for routing area (RA) update request messages which in accordance with a time period broadcasted from the network are periodically sent from an MS (Mobile Station) to an SGSN (Serving GPRS Support Node) through a BSS (Base Station System), which SGSN supports GPRS (General Packet Radio Service), and which as a result of a routing area update procedure will return an appropriate accept message, and for the purpose of taking into account the differentiation in nature of normal routing area update procedure and periodic updates, it is according to the present invention suggested that for the purpose of simplifying said routing area update procedure, there is broadcasted a new indicator from the network together with the time period for the periodic routing updates, said indicator being adapted to determine whether the periodic routing update procedure is performed ciphered instead of unciphered.

Method for managing media for wireless communication.

Gemäss einem Aspekt der Erfindung wird ein Verfahren zum Durchführen eines Schreib- und/oder -leseprozesses, unter Verwendung eines ersten, aktiv betriebenen Mediums (301), auf bzw. von einem passiv betriebenen zweiten Medium (302) zur Verfügung gestellt, wobei das erste Medium eine gesicherte Umgebung (311) aufweist, und das Verfahren folgende Schritte beinhaltet: Zur-Verfügung-Stellen eines Schreib- und/oder Leseapplets (312) in der gesicherten Umgebung (311), Zur-Verfügung-Stellen einer Applikation (351) ausserhalb der gesicherten Umgebung, Übermitteln eines Schreib- und/oder Lesebefehls durch die Applikation an das Applet, Umsetzen des Schreib- und/oder Lesebefehls in ein Schreib- und/oder Lesesignal durch das Applet, und Übermitteln des Schreib- und/oder Lesesignals an das passiv betriebene zweite Medium (302).

provisionamento de credenciais em comunicações sem fio

Method and apparatus for access credential provisioning

A method and apparatus are provided for access credential provisioning. A method may include receiving, at a first mobile apparatus, information about a second mobile apparatus. The first mobile apparatus may be provisioned with network access credential information to be transferred from the first mobile apparatus to the second mobile apparatus. The method may further include causing the information about the second mobile apparatus to be provided to a provisioning apparatus for the network. The method may additionally include receiving authorization form the provisioning apparatus to transfer the network access credential information from the first mobile apparatus to the second mobile apparatus. The method may also include, in response to receipt of the authorization, causing the network access credential information to be provided to the second mobile apparatus. A corresponding apparatus is also provided.

Methods and apparatus for delivering electronic identification components over a wireless network

Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

Method and apparatus for H(e)NB integrity verification and validation

An apparatus and method for providing home evolved node-B (H(e)NB) integrity verification and validation using autonomous validation and semi-autonomous validation is disclosed herein.

Management systems for multiple access control entities

Credential provisioning

Disclosed is a method in a provisioning apparatus. The method comprises obtaining a family key, a family key defining a family; submitting the family key to a security element in a secure manner (2-2); using the family key for securing credential data; submitting said secured credential data to the security element (2-4); using the family key for binding an application to the family; and submitting said binding to the security element (2-5). Also a method in a related security element and related apparatuses, systems and computer programs are disclosed.

Efficient key generator for distribution of sensitive material from multiple application service providers to a secure element such as a universal integrated circuit card (UICC)

A method provides end-to-end security for transport of a profile to a target device (e.g., a mobile computing device) over at least one communications network that includes a plurality of nodes. In accordance with the method, the profile is encrypted for transport between the target device and an initial node of the network through which the profile is transported. The encryption is an end-to-end inner layer encryption performed prior to hop-to-hop encryption. The encrypting uses a public key of a public, private key pair. The private key is derivable from a seed securely provisioned in the target device using a public key algorithm. The encrypted profile is transmitted over the communications network to the target device.

METHOD AND SYSTEM FOR ESTABLISHING A SERVICE RELATIONSHIP BETWEEN A MOBILE COMMUNICATION DEVICE AND A MOBILE DATA SERVER FOR CONNECTING TO A WIRELESS NETWORK

A method and system for establishing a service relationship between a mobile communication device and a mobile data server for connecting to a wireless network are disclosed. In accordance with one embodiment, an Internet browser receives a request to establish a service relationship between a mobile communication device and a mobile data server. A device identifier and device capability data is received from the mobile communication device. Service data for the mobile communication device is received from a mobile data administration server in accordance with the device identifier and device capability data, which is then stored in a memory of the mobile communication device.

Setup and Configuration of Relay Nodes

Systems and methods for the configuration of network nodes without a secured connection in a telecommunications system are described herein. These network nodes can be wireless network nodes which are part of the network infrastructure, such as, wireless relays, wireless repeaters and self-back-hauled eNodeBs.

System and method for network provisioning of mobile entities for peer-to-peer service

Techniques are provided for peer-to-peer (P2P) service provisioning. For example, there is provided a method, operable by a network entity, that may involve determining a set of region-specific parameters for use in the P2P service in a coverage area. The method may involve providing the set of the region-specific parameters to at least one user equipment (UE) for configuration of the at least one UE for the P2P service, in response to the at least one UE entering the coverage area. In related aspects, the set of the region-specific parameters may include RF parameters, service discovery parameters, connection establishment parameters, and/or security parameters

Systems and Methods for Encrypting Mobile Device Communications

Embodiments of the invention can provide systems and methods for encrypting mobile device communications. According to one example embodiment of the invention, a method for encrypting mobile device communications is provided. The method can include generating, by a first application stored on a first memory of a mobile device, a message to be communicated to an intended recipient; providing, by the first application to an authentication application stored on a second memory of the mobile device, the message; encrypting, by the authentication application, the message; providing, by the authentication application to the first application, the encrypted message; and directing, by the first application, communication of the message to the intended recipient.

Systems and Methods for Authenticating Mobile Devices

Embodiments of the invention provide systems and methods for authenticating mobile devices. A registration request and identifying information for a mobile device or a secure element associated with the mobile device may be received. Based upon the received identifying information and a base level key, a rotated key for the mobile device may be determined. The determined rotated key may then be provided to the mobile device, and the rotated key may be utilized for subsequent authentication of the mobile device.

Real-time mobile application management

Some embodiments relate to mobile application management. An example embodiment includes a method of mobile device management. The method includes installing a client-side engine of an enforcement engine on a mobile device. The enforcement engine further includes a runtime engine. The method also includes routing communications between the mobile device and a network/cloud or an enterprise network through the enforcement engine. In addition, the method includes generating a policy regarding the mobile applications from a signature database (“SigDB”). The SigDB includes signatures pertaining to mobile applications. Compliance of the mobile device with the policy is enforced in real time.

Method for the authentication of applications

Authentication method of at least one application using resources stored in a security module associated to an equipment connected to a control server via a network. The control server receives via the network, analyses and verifies identification data comprising at least an identifier of the equipment and an identifier of the security module, generates a cryptogram comprising a digest of the application, the identification data and instructions intended for the security module and transmits the cryptogram, via the network and the equipment, to the security module. The latter verifies the application by comparing the digest extracted from the cryptogram with a calculated digest, wherein, during at least one of initialization and activation of the application, the security module executes the instructions extracted from the cryptogram and either releases or blocks access to certain resources of said security module according to a result of the verification of the application.

Mobile communications

A mobile data communications system that includes a mobile device having a reconfigurable user identification module that stores a mobile identity and provides mobile data communication via a mobile network, subject to the mobile identity being registered with the mobile network, and an account control server that includes memory to store identification and payment details for a user of the mobile device and a mobile identity provider to provide a mobile identity to the mobile device and to an authorization server of a mobile network. In response to a request by a user of the mobile device to obtain data access by a particular mobile network, the account control server provides a mobile identity to the mobile device for storage by the user identification module, provides the same mobile identity to the authorization server of that mobile network, and provides user identification and payment details to that mobile network.

Enabling users to select between secure service providers using a key escrow service

Systems and methods are described herein for enabling users to select from available secure service providers (each having a Trusted Service Manager (“TSM”)) for provisioning applications and services on a secure element installed on a device of the user. The device includes a service provider selector (“SPS”) module that provides a user interface for selecting the secure service provider. In one embodiment, the SPS communicates with a key escrow service that maintains cryptographic keys for the secure element and distributes the keys to the user selected secure service provider. The key escrow service also revokes the keys from deselected secure service providers. In another embodiment, the SPS communicates with a central TSM that provisions applications and service on behalf of the user selected secure service provider. The central TSM serves as a proxy between the secure service providers and the secure element.

Systems and Methods for Multi-Device Wireless SIM Management

Devices, systems and methods are disclosed for automated multi-device, multi-persona wireless SIM management. A virtual SIM database associated with a user is maintained on the mobile service provider's network. Such a virtual SIM database contains multiple personas for that user. For each of the user devices they wish to use on the mobile service network, the user is furnished with one “stub” SIM to be installed on the user device, onto which may be loaded any one of the personas maintained by the virtual SIM database. Upon an event, a selected user device downloads a selected persona from the network and loads it onto its stub SIM, so that the selected device is now registered on the network with that persona.

Mediation Server, Control Method Therefor, Communication Device, Control Method Therefor, Communication System, and Computer Program

A mediation server which is able to communicate with a plurality of account managing servers ( 104 ) and mediates requests for issuing subscription information transmitted from a plurality of communication devices between each communication device and any one of the plurality of account managing servers ( 104 ), the mediation server comprising, a selection unit configured to select the account managing server to which the request is to be transmitted based on information regarding a current operational status of each account managing server stored in a database, when the request is received from the communication device, and a transmission unit configured to transmit the request for issuing the subscription information to the selected account managing server.

Network operator-neutral provisioning of mobile devices

Techniques are disclosed for provisioning mobile devices in a network operator-neutral manner in communication networks. For example, a method comprises a mobile device that is operator neutral attaching to a first operator network, and the operator neutral mobile device establishing a provisioning bearer in the first operator network.

Method and apparatus for registering a computing device with a service provider

A method and apparatus for providing authentication of a computing device with a communications service. A subscriber identity module image is transmitted to the device and stored in a general memory of the device and soft SIM data. A secure module on the device permits access to the soft SIM data. The Soft SIM data is registered with the service provider in association with a unique identification of the device. The soft SIM data has a one to one relationship with the device. A device can have many instances of soft SIM data.

Financial transfers from mobile devices

Computer-implemented systems, methods, and computer-readable media for financial transfers from a mobile device, comprising: receiving a mobile device identifier, a unique user identifier, a merchant identifier, and an amount from a mobile device; determining whether the transaction is authorized based on the mobile device identifier and the unique user identifier; transmitting an authorization failure message to at least one of the mobile device and a merchant device associated with the merchant identifier if it is determined that the transaction is not authorized; and transmitting to a payment gateway an account identifier associated with the unique user identifier and mobile device identifier, the merchant identifier, and the amount if it is determined that the transaction is authorized.

Methods and apparatus for securing a software application on a mobile device

A method of securing a software application on a mobile device is described. The method includes configuring the mobile device with a management server to allow the mobile device to communicate wirelessly over a wireless network. A listing of applications is transmitted to the management server over the wireless network. The management server generates user credentials data to associate at least one user with an authorization to access at least one application residing on the mobile device. The management server transmits the user credentials data to the mobile device over the wireless network. The mobile device accesses the user credentials data when a user attempts to access the software application on the mobile device. The user is permitted to execute the software application when the user credentials data indicates that the user is authorized to access the software application.

Multiple System Images for Over-The-Air Updates

In one embodiment, a mobile device performs an over-the-air firmware update by writing the updated firmware to a inactive system image partition, and rebooting the device. The security of the OTA update is maintained through checking a plurality of security signatures in an OTA manifest, and the integrity of the data is maintained by checking a hash value of the downloaded system image.

Methods and apparatuses for access credential provisioning

Methods and apparatuses are provided for access credential provisioning. A method may include causing a trusted device identity for a mobile apparatus to be provided to an intermediary apparatus. The intermediary apparatus may serve as an intermediary between the mobile apparatus and a provisioning apparatus for a network. The method may further include receiving, from the intermediary apparatus, network access credential information for the network. The network access credential information may be provisioned to the mobile apparatus by the provisioning apparatus based at least in part on the trusted device identity. Corresponding apparatuses are also provided.

Processing messages received at a vehicle

A system and method for processing messages received at a vehicle. The method carried by the system involves wirelessly receiving at a vehicle a first communication message having secure credentials and a message signature for a second communication message. Then, the vehicle authenticates the first communication message via its secure credentials. Later, the vehicle wirelessly receives the second communication message and validates this second message using the message signature from the first message. In response to the validation, the second message is processed at the vehicle.

Configuration of an end device for an access to a wireless communication network

A method is provided to configure an end device ( 3 ) for an access to a first wireless communication network ( 9 ) formed by a network facility ( 4 ) with the participation of a configuration facility ( 5 ). The end device ( 3 ) is connectable with the configuration facility ( 5 ) via a second communication network ( 1 ) and the network facility ( 4 ) is connectable with the configuration facility ( 5 ) via a third communication network ( 2 ). Furthermore a configuration facility ( 5 ) and a network facility ( 4 ), is provided to at least partially perform one of the methods defined by the present invention.

Method for managing content on a secure element connected to an equipment

The invention concerns a method for managing content on a secure element connected to an equipment, this content being managed on the secure element from a distant administrative platform. According to the invention, the method consists in: establishing, at the level of the administrative platform a secure channel between the equipment and the administrative platform, thanks to session keys generated by the secure element and transmitted to the equipment; transmitting to the administrative platform a request to manage content of the secure element; and verifying at the level of the administrative platform that this request originates from the same secure element that has generated the session keys and, if positive, authorizing the management and, if negative, forbid this management.

Apparatus and methods for selecting services of mobile network operators

A system that incorporates teachings of the subject disclosure may include, for example, a method for detecting, by a first device including a least one processor and a first Universal Integrated Circuit Card (UICC), a second device having a second UICC, detecting, by the first device, that the second UICC is unprovisioned, selecting, by the first device, one of a plurality of selectable options, where the selection identifies a first network operator selected from a plurality of network operators, receiving, by the first device, first credential information of the first network operator, and transmitting, by the first device, to the second device the first credential information for enabling the second device to facilitate establishment of communication services with network equipment of the first network operator according to the first credential information. Other embodiments are disclosed.

Method for personalizing a secure element comprised in a terminal

The invention proposes a method for personalizing a first secure element comprised in a first terminal, said method consisting in: Providing the user of the first terminal with a second secure element; Linking the first and second secure elements in or through the first terminal; Personalizing securely the first secure element with data comprised in the second secure element, security being based on certificate verification and asymmetric encryption between the secure elements.

Key derivation

To facilitate a change in network authentication key (Ki) for use by a smart card (SIM) during authentication on a cellular telecommunications network, there is provided a smart card management scheme that combines key derivation with over the air (OTA) provisioning. This scheme ensures both that the Ki is never transmitted OTA and that the Ki is stored in two locations only: on the SIM and at an authentication centre (AuC).

Methods and apparatus for delivering electronic identification components over a wireless network

Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

WEARABLE DEVICE HAVING HIGH SECURITY AND STABLE BLOOD PRESSURE DETECTION

A wearable device including a skin sensor and a processor is provided. The processor is configured to receive an authentication data for authenticating a user when a wearing state of the wearable device is adjacent to a skin surface of the user, execute a predetermined function in response to a request when the authentication data matches a pre-stored data and the skin sensor determines that the wearable device does not leave the skin surface after the authentication data is received, and reject or ignore the request when the skin sensor determines that the wearable device leaves the skin surface before the predetermined function is executed. The processor further calculates blood pressures according to PPG signals detected by a PPG sensor of the skin sensor. 1. A wearable device , comprising:a photoplethysmography (PPG) sensor configured to generate a PPG signal; and receive an authentication data for authenticating the user when the wearable device is determined to be in contact with a skin surface of the user according to the PPG signal,', 'execute a predetermined function for the user in response to a request when the authentication data matches a pre-stored data and the wearable device is determined to be still in contact with the skin surface according to the PPG signal, and', 'reject or ignore the request when the wearable device is determined to be no longer in contact with the skin surface according to the PPG signal after the authentication data is received and before the predetermined function is executed,, 'a processor, configured to'} calculate at least one blood pressure corresponding to each pulse duration according to at least one blood pressure estimation model and a time difference between two feature points within one pulse duration of the PPG signal, and', 'average calculated blood pressures within a predetermined time interval to generate an average blood pressure., 'wherein the processor is further configured to'}2. The wearable device of claim ...

Security hierarchy on a digital transaction processing unit (dtpu)

A Digital Transaction Processing Unit (DTPU) operable to host one or more transaction applications for digitally transacting with a Digital Transaction Device (DTD), the DTPU including a security hierarchy for hosting the one or more transaction applications, wherein the security hierarchy is configured to host at least one transaction application for transacting in contact digital transactions.

APPLICATION LOCKING AND UNLOCKING ON A DIGITAL TRANSACTION PROCESSING UNIT (DTPU)

A Digital Transaction Processing Unit (DTPU) operable to host one or more transaction applications, the DTPU further operable to reversibly unlock at least one of the one or more transaction applications, wherein each unlocked transaction application is operable for a digital transaction with a Digital Transaction Device (DTD). 1. A Digital Transaction Processing Unit (DTPU) operable to host one or more transaction applications , the DTPU further operable to reversibly unlock at least one of the one or more transaction applications , wherein each unlocked transaction application is operable for a digital transaction with a Digital Transaction Device (DTD).2. A DTPU in accordance with claim 1 , wherein the DTPU is further operable to reversibly lock each any other of the one or more transaction applications claim 1 , such that each locked transaction application is inoperable for a digital transaction with a DTD.3. A DTPU in accordance with claim 1 , wherein the DTPU is included on a Digital Payment Device (DPD).4. A DTPU in accordance with claim 3 , wherein the at least one of the one or more transaction applications to be unlocked is selected claim 3 , the DPD being operable by a user to select the selected at least one of the one or more transaction applications.5. A DTPU in accordance with claim 3 , wherein each of the one or more transaction applications is associated with a primary identifier claim 3 , the DPD being operable for a user to select the at least one selected transaction application based on the primary identifier of each of the one or more transaction applications.6. A DTPU in accordance with claim 5 , wherein the primary identifier is a Personal Account Number (PAN).7. A DTPU in accordance with claim 3 , wherein each of the one or more transaction applications is associated with a tokenized primary identifier claim 3 , the DPD being operable for a user to select the at least one selected transaction application based on the tokenized primary ...

Goal-Driven Provisioning in IoT Systems

Techniques are disclosed for provisioning Internet of Things (IoT) devices in accordance with a state machine model. More particularly, collections of IoT devices may be organized into enclaves, groups or “shoals” that operate as autonomous or semi-autonomous groups of devices functioning as a collective having a common objective or mission. IoT devices participating in a shoal may be provisioned with shoal-specific context information as part of their device-specific provisioning activity. By way of example, a shoal context object can include a current state variable and a target next state variable. The shoal's target next state variable establishes a goal (e.g., for provisioning activity) without dictating how the individual shoal members (IoT device) are to achieve that goal. This mechanism may be used to drive a shoal's separate devices through their individual provisioning state machines until the shoal itself is made operational.

Service activation using algorithmically defined key

Systems and methods for service activation using algorithmically defined keys are disclosed. A consumer who has a relationship with a first party may wish to enroll in a service provided by a third party. The first party can maintain control of such enrollments through the use of algorithmically defined keys. The algorithmically defined keys also allow the third party service provider to verify data provided by the consumer as matching data stored by the first party. The verification provides for data synchronization without requiring the third party to have access to the first parties data systems.

Systems and Methods for Activating Functionality

Broadly speaking, embodiments of the present techniques provide methods for activating functionality on a client device when the client device is determined by a sensor to be in a particular environment. Advantageously, the client device and sensor(s) do not communicate directly so there is no requirement for a trust relationship to be established therebetween, which may consume power, take time and may require user involvement. The functionality on the client device may instead be activated by a trusted server, and the trust relationship may be established when a user of the client device registers to use the system.

Method and device for authenticating a mobile station on an alternative communications network

A method of authenticating a mobile station on an alternate communications network is disclosed, the mobile station being associated with a default communications network. The mobile station comprises a baseband processor to manage the antenna-related functions and a SIM card to accommodate a default SIM associated with the default communications network for receiving network credentials from the baseband processor. The method comprises providing a SIM card device to intercept communications between the baseband processor and the SIM card, monitoring the network credentials in respect of the network that the mobile station is actively in communication with, determining whether the mobile station needs to switch to an alternate network, and identifying or receiving from a user the alternate network, consulting a SIM bank, comprising at least one alternate SIM, and selecting an alternate SIM having a mobile station identification variable compatible with the alternate network, receiving a network authentication request on the mobile station from the alternate network, and allocating the selected mobile station identification variable to the mobile station so as to identify the user of the mobile station on the alternate network.

Secure provisioning of devices for manufacturing and maintenance

Described herein are methods, apparatuses, and systems for secure provisioning of devices for manufacturing and maintenance. A method includes provisioning a sensor device by storing identification data for the sensor device and information used to authenticate the identification data in the sensor device. A method includes storing subassembly data for the sensor device and information used to authenticate the subassembly data in the sensor device in response to the sensor device being received and installed in a subassembly unit. The sensor device is installed in response to validating authenticity of the identification data. A method includes connecting the sensor device to a wireless sensor network in response to validating authenticity of one or more of the identification data and the subassembly data. The sensor device is integrated into a larger unit comprising the wireless sensor network.

SYSTEM AND METHOD FOR PROVIDING NETWORK SUPPORT SERVICES AND PREMISES GATEWAY SUPPORT INFRASTRUCTURE

A service management system communicates via wide area network with gateway devices located at respective user premises. The service management system remotely manages delivery of application services, which can be voice controlled, by a gateway, e.g. by selectively activating/deactivating service logic modules in the gateway. The service management system also may selectively provide secure communications and exchange of information among gateway devices and among associated endpoint devices. An exemplary service management system includes a router connected to the network and one or more computer platforms, for implementing management functions. Examples of the functions include a connection manager for controlling system communications with the gateway devices, an authentication manager for authenticating each gateway device and controlling the connection manager and a subscription manager for managing applications services and/or features offered by the gateway devices. A service manager, controlled by the subscription manager, distributes service specific configuration data to authenticated gateway devices. 122-. (canceled)23. A management device for operation at a user premises to provide local application services for a plurality of endpoint devices at the user premises , the management device comprising:at least one processor;one or more interfaces operably coupled to the at least one processors and configured to enable (1) local, bi-directional communication with the plurality of endpoint devices that is located at the user premises and (2) communication with a service provider remote from the user premises; and receive user command data from a control device at the user premises, wherein the control device is separate from the plurality of endpoint devices;', 'operate the one or more interfaces to deliver at least a portion of content based on the user-command data, via the at least one local application, to at least one endpoint device of the plurality of ...

Method and system for securely authenticating an electronic user device to a vehicle

A vehicle processing device authenticates that an authorized user has requested an action by the vehicle, and generates an authentication acknowledgement message. At least two security devices being present within the cabin of, or close to, the vehicle during a predetermined period following an authentication trigger event that occurs while the user performs a predetermined sequence of authentication activities (i.e., button presses, operating the vehicle or a part of it, etc.) provides a basis for the authentication acknowledgement message. Typically, information unique to each security device has been associated with the vehicle at a service provider's server. The authentication acknowledgement may include an activation code that results from processing the information, unique to each security device, received from the security devices and other random information, such as date. A service provider's server, or a user device, provides services to, or can access, respectively, the vehicle upon receiving the authentication acknowledgement.

METHOD AND DEVICE FOR MANAGING EUICC PROFILE INSTALLATION RIGHTS

Provided is a terminal for managing a profile by using an embedded universal integrated circuit card (eUICC) in a wireless communication system. The terminal includes: a transceiver; and at least one processor configured to: receive, from a first server, a command code including event download information for downloading an event related to a profile; perform verification for processing the command code; when the verification is successful, generate a message requesting downloading of the event, by using the event download information, and transmit the same to a second server; and receive, from the second server, the event in response to the message requesting the downloading of the event. 1. A method performed by a terminal in a wireless communication system , the method comprising:transmitting, to a local profile assistant (LPA) installed in the terminal, a remote subscriber identity module provisioning (RSP) procedure start request message including information about whether an unsigned command code is to be used;transmitting, to a server of a second operator, a command code generation request message including command code generation information, based on the RSP procedure start request message;receiving, from the server of the second operator, a command code in response to the command code generation request message;verifying the command code;transmitting, to a profile server of a first operator, an RSP request message including information about the command code, based on a result of the verifying; andreceiving, from the profile server of the first operator, data about a profile, in response to the RSP request message.2. The method of claim 1 , wherein the command code generation information comprises at least one of information about the terminal or information about an embedded universal integrated circuit card (eUICC) of the terminal.3. The method of claim 1 , wherein the command code is generated claim 1 , by the server of the second operator claim 1 , ...

Low friction device enrollment

A constrained device includes an exterior surface affixed with a public key associated with the constrained device. Alternatively, or in addition, the public key may be included in a container that stores the constrained device. The constrained device also includes memory, which stores a private key, wherein the private key corresponds to the public key that is affixed on the exterior surface of the constrained device. By displaying the public key on the constrained device, a system administrator may document the public key and related information about the device and its intended role in the network without requiring any human interface or any establishment of power or network at the installation site.

Mesh network commissioning

In embodiments of mesh network commissioning, a commissioning device establishes a secure commissioning communication session between the commissioning device and a border router of a mesh network to securely establish network communication sessions for joining one or more joining devices to the mesh network. The commissioning device can activate joining for the mesh network, and receive a request from a joining device to join the mesh network. The commissioning device can establish a secure joiner communication session between the commissioning device and the joining device, authenticate the joining device using an encrypted device identifier, and join the joining device to the mesh network.

Methods and systems for securing and utilizing a personal date store on a mobile device

Methods and apparatus for securing access to an encrypted personal data store on a mobile device. In some embodiments, a universal integrated circuit card (UICC) processor receives, from a mobile device processor of a mobile device having an encrypted Personal Data Store (PDS), a PDS access request associated with a mobile application, then determines that access control rules are stored in at least one access control rules database and transmits to the mobile device processor, the access control rules governing access to the data in the encrypted PDS. The process also includes the UICC processor receiving a request for a symmetric shared secret and transmitting the symmetric shared secret to the mobile device processor for use in accessing the PID of the user stored in the encrypted PDS in accordance with the access control rules.

Authentication system and method for server-based payments

A method of performing a payment transaction employing a two-factor authentication mechanism. The method includes engaging in cryptographic processing with a cryptographic function having a secret key encoded therein. The cryptographic function is stored in a computing device. The secret key serves as a first authentication factor. The method further includes utilizing a second authentication factor in performing the payment transaction.

METHOD AND SYSTEM FOR UPDATING A MEDICAL DEVICE

The present disclosure includes methods, devices and systems for establishing a connection between a medical device and a remote computing device, receiving an upgrade command at the medical device, storing a current version of persistent data and a current version of executable code in a first storage area of the medical device, transmitting at least the current version of the persistent data to the remote computing device, receiving a second format of the current version of the persistent data and an upgraded version of executable code at the medical device, storing the second format of the current version of the persistent data and the upgraded version of the executable code in a second storage area of the medical device, and executing the upgraded version of the executable code with the second format of the current version of the persistent data. 139-. (canceled)40. A system comprising: a transcutaneous glucose sensor, wherein a portion of the transcutaneous glucose sensor is configured to be positioned in the body of the user and sense an in vivo glucose level of the user; and', 'a transmitter unit coupled with the transcutaneous glucose sensor, wherein the transmitter unit is configured to wirelessly transmit data to a first receiver device according to a Bluetooth communication protocol; and, '(1) an on body device configured to be positioned on a body of a user, the on body device comprising communication circuitry configured to establish communication with a plurality of receiver devices including the first receiver device and a secondary receiver device, wherein the communication circuitry is further configured to receive from the first receiver device a first sensor data based on the in vivo glucose level of the user sensed by the transcutaneous glucose sensor of the on body device, and', transmit to the secondary receiver device a second sensor data, wherein the second sensor data is also based on the in vivo glucose level of the user sensed by the ...

Proof of presence via tag interactions

A system and method for determining presence information for mobile devices ( 104 ) are disclosed. Specifically, the presence information for a mobile device ( 104 ) can be determined based on whether or not the mobile device ( 104 ) is having a unique interaction with a smart tag ( 108 ). If a unique interaction is detected, then the mobile device ( 104 ) can be said to be within the presence of the smart tag ( 108 ) and the location or presence information for the mobile device ( 104 ) can be correlated to location information known for the smart tag ( 108 ).

Method and device for selective communication service in communication system

The present disclosure relates to a sensor network, Machine Type Communication (MTC), Machine-to-Machine (M2M) communication, and technology for Internet of Things (IoT). The present disclosure may be applied to intelligent services based on the above technologies, such as smart home, smart building, smart city, smart car, connected car, health care, digital education, smart retail, security and safety services. A user equipment in a communication system, according to various embodiments of the present disclosure, includes: a controller that determines at least one communication service to deactivate among communication services that are able to be provided and a transmitter that transmits, to a server, a message for identifying the at least one communication service to deactivate.

SCALABLE CERTIFICATE MANAGEMENT SYSTEM ARCHITECTURES

An example system may include one or more application platforms (e.g., VMs) that run a registration authority and are communicatively connected to one or more compute engines that perform cryptographic computations required by the registration authority. The system may also include one or more application platforms that run an enrollment certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the enrollment certificate authority. It may further include one or more application platforms that run a pseudonym certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the pseudonym certificate authority. It may also include one or more load balancers communicatively connected to the one or more compute engines, the one or more load balancers to perform operations comprising distributing at least one request to the one or more compute engines. 1. A scalable certificate management system for securely providing certificates to a provisioning controller , the scalable certificate management system comprising:one or more application platforms that run a registration authority application and that are communicatively connected to one or more compute engines that perform cryptographic computations requested by the registration authority application;one or more application platforms that run a pseudonym certificate authority application and that are communicatively connected to one or more compute engines that perform cryptographic computations requested by the pseudonym certificate authority application, wherein the pseudonym certificate authority application is operable to generate and conditionally transmit digital assets to the registration authority application; andone or more load balancers communicatively connected to the one or more compute engines, the one or more load balancers being configured to ...

SYSTEMS, METHODS, AND DEVICES FOR MULTI-STAGE PROVISIONING AND MULTI-TENANT OPERATION FOR A SECURITY CREDENTIAL MANAGEMENT SYSTEM

A system for securely provisioning a plurality of computerized devices of a tenant, is provided. The system includes a processor, and a computer storage medium including instructions that when executed by the processor cause the processor to perform operations. The operations include receiving provisioning requests from r the plurality of computerized devices needing certificates, each provisioning request indicating a tenant identifier identifying the tenant, and transmitting the provisioning requests to a set of security credential management system backend components based on the tenant identifier. The set of SCMS backend components includes enrollment certificate authorities operable to generate enrollment certificates, each provisioning request being transmitted to one of the one or more enrollment certificate authorities based on the tenant identifier of each provisioning request, and a pseudonym certificate authority operable to generate digital assets in response to receiving a provisioning request. 1. A system for securely provisioning a plurality of computerized devices of a tenant , the system comprising:a processor; and receiving provisioning requests from respective ones of the plurality of computerized devices needing certificates, each provisioning request indicating a tenant identifier (ID) identifying the tenant; and', 'transmitting the provisioning requests to a set of security credential management system (SCMS) backend components based on the tenant identifier,, 'a non-transitory computer storage medium comprising instructions that when executed by the processor cause the processor to perform operations comprising one or more enrollment certificate authorities operable to generate enrollment certificates in response to receiving provisioning requests for the enrollment certificates from computerized devices, each provisioning request being transmitted to one of the one or more enrollment certificate authorities based on the tenant identifier of ...

SUBSCRIPTION ACTIVATION FOR MOBILE WIRELESS DEVICES

This Application sets forth techniques for provisioning and activating electronic subscriber identity modules (eSIMs) for mobile wireless devices. An eSIM is reserved during a sales order process and later activated during device activation after receipt by a user. An option for eSIM installation in place of (or in addition to) physical SIM installation is provided when purchasing the mobile wireless device. The reserved eSIM can replace a previous SIM/eSIM or be a new eSIM. During device activation, installation and activation of the eSIM occurs. Activation of the eSIM can occur before or after deactivation of a transferred SIM/eSIM. The mobile wireless device accounts for propagation delay of eSIM activation through MNO servers by disabling and re-enabling the eSIM until initial attachment to an MNO cellular wireless network succeeds or a maximum number of retry attempts is reached. 1. A method for installing and activating an electronic Subscriber Identity Module (eSIM) for access to services of a mobile network operator (MNO) by a mobile wireless device , the method comprising:by the mobile wireless device:sending, to a network-based server, a request activation message to initiate eSIM installation and activation;receiving, from the network-based server, responsive to the request activation message, an initiate activation message including a credential challenge to authenticate a user of the mobile wireless device;sending, to the network-based server, a credential response for authentication;receiving, from the network-based server, responsive to successful authentication of the user of the mobile wireless device, an activation ticket indicating the eSIM reserved for the mobile wireless device;establishing a secure connection to an MNO provisioning server associated with the eSIM;obtaining, via the secure connection, the eSIM from the MNO provisioning server;installing the eSIM on an embedded universal integrated circuit card (eUICC) of the mobile wireless ...

Methods And Systems For Managing Network Hotspots

Disclosed are various systems and methods for monitoring and maintaining networks, such as networks associated with a wireless access point. In an aspect, a user device that was connected the wireless access point and loses connectivity to the access point can receive network parameters for implementing a new wireless network, where the network parameters are associated with the network as implemented by the wireless access point that is no longer available. The user device can activate a new wireless hotspot mode using the received network parameters. The resulting new wireless hotspot can implement various aspects of the wireless access point and associated network. The new wireless hotspot enabled by the user device can allow other devices, previously connected to the access point, to automatically connect to the new wireless hotspot. 1. A method , comprising:determining, by a user device, that a geographic distance between the user device and a network device satisfies a threshold;enabling, by the user device, based on determining that the geographic distance between the user device and the network device satisfies the threshold, a wireless hotspot mode of the user device; andestablishing, by the user device and based on the wireless hotspot mode, a network connection with a second user device previously connected to the network device.2. The method of claim 1 , wherein the wireless hotspot mode implements claim 1 , as at least one network parameter of the wireless hotspot mode claim 1 , at least one network parameter of a wireless network associated with the network device.3. The method of claim 2 , further comprising:determining that the geographic distance between the user device and the network device no longer satisfies the threshold; andmodifying, based on determining that the geographic distance between the user device and the network device no longer satisfies the threshold, at least a portion of at least one network parameter of the wireless hotspot ...

Digital letter of approval (dloa) for device compliance

A digital letter of approval (DLOA) is used by a subscription manager (SM) server to determine whether a device is compliant with requirements for an application to be provisioned. If the device is compliant, the application is provisioned to the device or to an embedded universal integrated circuit card (eUICC) included in the device. To increase the security of the device DLOA, the device DLOA is linked to the eUICC, in some embodiments. The linkage may be based on one or more platform label fields in the device DLOA. A database is consulted, in some embodiments, to confirm a relationship between the device and the eUICC identified in the device DLOA. In some embodiments, the eUICC signs the device DLOA and the device DLOA with eUICC signature is sent to the SM server. In some embodiments, the device provides a device signature on the DLOA independent of the eUICC.

Method for an euicc embedded into a machine type communication device to trigger the download of a subscription profile

The invention related to a method for an eUICC embedded into a machine type communication device to trigger the download of a subscription profile from a first network operator, the eUICC being provisioned with an eUICC identifier and a pre-loaded data set memorizing a range of International Mobile Subscription Identifiers-associated to a second network operator, the method comprising the steps of: selecting randomly by the eUICC an IMSI number in the range memorized in the pre-loaded data set; sending an attachment request comprising the randomly selected IMSI; receiving in an authentication request message the request for getting the eUICC identifier; as a response, sending to the discovery server a authentication failure message; receiving in an authentication request message a temporary IMSI from the discovery server so that the machine type communication device is able to attach to the first network operator and download the pending subscription profile.

Allocation of profiles to a plurality of installed sim card terminals

A method implemented by a control server for configuring a security module connected to a telecommunication terminal. In particular, the control server allocates a unique activation code corresponding to a subscription including a plurality of N profiles to allocate to a fleet of N respective terminals. Thus the control server: a) after activation of the code with a first terminal, allocates a profile to the first terminal and records the profile allocation to the first terminal, and b) for a new profile allocation request corresponding to the activation code, repeats step a) if the N profiles have not already been allocated.

Systems and methods for initialization and activation of secure elements

Disclosed herein are secure transaction systems having secure elements that are initialized and activated independent from each other. The secure element is first initialized to make the secure element turn to a state in which the secure element can be packaged, sold within retail stores, and then injected with encryption keys. The initialization process of the secure element formulates the secure element to ensure trust between the secure elements and secure element activation servers. The process of independently initializing and activating the secure elements while still addressing the security protocols allows the secure element to be packaged and sold within retail stores after initialization, and then activating the secure element at a later date and time when the secure element is ready to be used by a merchant.

Method and device for downloading profile of operator

Embodiments of the present invention provide a method and device for downloading a profile of an operator, where one method includes: sending, by a terminal to the SM-DP by using an SM-SR, a request for downloading a profile of an operator, where the download request carries the download certificate, an ID of an eUICC of the terminal, and addressing information of the SM-DP; and receiving, by the terminal, the profile of the operator that is sent by the SM-DP by using the SM-SR and is corresponding to the download request, and transmitting the profile of the operator to the eUICC, where the profile of the operator is obtained by the SM-DP according to an identity of the profile of the operator after the SM-DP verifies that the certificate that is for downloading the profile of the operator and is carried in the download request is valid.

Mesh network commissioning

In embodiments of mesh network commissioning, a commissioning device of a mesh network can determine steering data for the mesh network, where the steering data is an indication of a device identifier associated with a device that is allowed to join the mesh network. The commissioning device can then propagate the steering data from the commissioning device for the mesh network to one or more routers in the mesh network, and the steering data indicates that a commissioner is active on the mesh network. The commissioning device propagating the steering data enables the one or more routers to transmit the steering data in a beacon message, and the steering data is effective to enable the device associated with the device identifier to identify that the device is allowed to join the mesh network.

METHOD FOR REMOTE SUBSCRIPTION MANAGEMENT OF AN eUICC, CORRESPONDING TERMINAL

Remote subscription management of an eUICC comprising a private key and a public certificate, the public certificate comprising information allowing a subscription manager server to decide if it can agree to manage the eUICC. The method includes: establishing a secure channel between the terminal and the subscription manager server by using the public certificate and dedicated cryptographic services of the eUICC; sendingto the subscription manager server a subscription management request; verifying, based on the information in the public certificate in the subscription manager server, whether the eUICC is entitled to be managed by the subscription manager server and, if yes: performing a key establishment procedure between the subscription manager server and the eUICC by using the eUICC public certificate; establishing between the subscription manager server and the eUICC a secure channel with the established keys; and, executing by the subscription manager server the subscription management request on the eUICC.

Method and apparatus for requesting usage permission, and method and apparatus for acquiring usage permission

The present disclosure discloses a method performed at a computer acting as a third-party system for requesting for a usage permission. The third-party system receives download information sent by means of a page of a first application, the download information at least including a download identifier, and the download identifier being used for indicating a first device identifier of a first device running the first application, a first account logging into the first application, and a second application identifier of a downloaded second application. After authenticating the download information, the third-party system requests a server of the first application to configure the usage permission for the first account in response to an authentication result and return such configuration to the first application running at the first device.

Identifying a slice name information error in a dispersed storage network

A method begins by a processing module sending list digest requests to a set of dispersed storage (DS) units. The method continues with the processing module receiving list digest responses from at least some of the set of DS units and determining whether an inconsistency exists between first and second list digest responses of the list digest responses. The method continues with the processing module requesting at least a portion of each of the slice name information lists from first and second DS units of the set of DS units and identifying a slice name information error associated with the inconsistency based on the at least a portion of each of the slices name information lists of the first and second DS units when the inconsistency exists between first and second list digest responses of the list digest responses.

Wireless firmware updates

Disclosed are methods and devices for securely updating firmware of locking devices. One method includes receiving a lock identifier from a locking device; determining that the lock identifier is associated with a user profile by comparing the lock identifier to a set of lock identifiers; receiving a firmware update packet from a server, wherein the firmware packet is encrypted by a lock key; transmitting the firmware update packet to the lock; decrypting the firmware update using the lock key; validating the encrypted firmware update; and installing the firmware update.

Mobile wlan gateway

A technique for operating a mobile station as wireless local-area network [“WLAN”] gateway. The mobile station is provided with a gateway application to control the following operations: activating ( 3 - 0 ) the WLAN means as a WLAN base station capable of communicating with at least one WLAN terminal over a WLAN network; creating a network identifier ( 3 - 2, 3 - 4 ) for the WLAN base station; assigning ( 3 - 8, 3 - 10 ) an internet protocol address for the at least one WLAN terminal; resolving domain name service [“DNS”] queries ( 3 - 12 . . . 3 - 18 ) in cooperation with an external DNS service system; assigning at least one port number for each protocol supported by the gateway application; and tunneling internet traffic ( 3 - 30 . . . 3 - 36 ) between the at least one WLAN terminal and an internet host over the broadband connection.

Method of personalizing a security element cooperating with an apparatus

The invention relates to a method of personalizing a security element cooperating with an apparatus. This personalization includes downloading data, which is related to a subscription to a network of a mobile radiotelephony operator, in the security element. The method further includes: (i) connecting the apparatus to a card reader; (ii) reading from the card operator data corresponding to at least one subscription to a network of a mobile radiotelephony operator; (iii) transmitting the operator data from the reader to an operator network; (iv) transmitting from the operator network to a subscription manager a request for transferring data related to the subscription to the mobile radiotelephony operator network; and (v) transmitting, from the manager to the security element, the data related to the subscription to the mobile radiotelephony operator network.

APPARATUS AND METHOD FOR MANAGING CONCURRENT ACTIVATION OF BUNDLE INSTALLED IN SMART SECURITY PLATFORM

The disclosure provides a method of managing a bundle installed in an SSP, the method including obtaining SSP setting information and determining a concurrent enabling limit value for each bundle family identifier based on the obtained SSP setting information. 1. A method of managing a bundle installed in a smart secure platform (SSP) , the method comprising:obtaining SSP setting information; anddetermining a concurrent enabling limit value for each bundle family identifier based on the obtained SSP setting information,wherein the concurrent enabling limit value is determined based on performance information of a user equipment.2. The method of claim 1 , wherein the bundle family identifier comprises a telecom bundle identifier.3. The method of claim 1 , wherein the performance information of the user equipment comprises at least one of antenna performance of a communication modem of the user equipment or performance of a cellular baseband.4. The method of claim 1 , further comprising:receiving a user input to request enabling of a target bundle; anddetermining a possibility of enabling of the target bundle based on the concurrent enabling limit value.5. The method of claim 4 , further comprising claim 4 , when a number of currently enabled bundles is less than the concurrent enabling limit value claim 4 , enabling the target bundle.6. The method of claim 4 , further comprising:when a number of currently enabled bundles is greater than or equal to the concurrent enabling limit value, disabling at least one of the currently enabled bundles; andenabling the target bundle.7. The method of claim 6 , wherein the disabling of at least one of the currently enabled bundles comprises receiving a user input to select at least one of the currently enabled bundles and disabling the at least one bundle selected based on the user input.8. The method of claim 1 , further comprising:obtaining bundle information in the SSP; anddisplaying at least one of a number of currently enabled ...

SYSTEM AND METHOD FOR SUPPORTING MOVABLE OBJECT APPLICATION DEVELOPMENT

Systems and methods can support application development in a movable object environment. A movable object manager can establish a connection with a movable object, and receives one or more data packets from the movable object. Then, the movable object manager can provide information in said one or more data packets to an application on a user terminal. 130.-. (canceled)31. A system for authenticating applications requesting control of a movable object , comprising:one or more processors; and assign an application key to an application;', 'transmit the application key to a user terminal on which the application is deployed;', 'receive, from the application deployed on the user terminal, an activation request including a request for at least one privilege to control the movable object by the user terminal and the application key associated with the application; and', 'determine, based on the application key, whether the at least one privilege should be granted to the application., 'an application development environment, running on the one or more processors, wherein the application development environment operates to32. The system of claim 31 , wherein the application development environment further operates to:generate, responsive to determining the requested control of the movable object should be granted, a response including a grant of the at least one privilege to the application; andsend, to the application deployed on the user terminal, the response including the grant of the at least one privilege.33. The system of claim 31 , wherein the application development environment further operates to:generate, responsive to determining the requested control of the movable object should not be granted, a response including a denial of the at least one privilege to the application; andsend, to the application deployed on the user terminal, the response including the denial of the at least one privilege.34. The system of claim 31 , wherein the movable object is an ...

ENTERPRISE EMBEDDED SUBSCRIBER IDENTIFICATION MODULE SOLUTIONS

Methods, apparatus, and systems for providing an embedded subscriber identity module (eSIM) solution are disclosed. In one example, a method for providing an eSIM solution to enterprises includes receiving, by a network server operated by a network operator, a request from an enterprise device management system requesting an eSIM profile for a communication device. The method also includes transmitting, by the network server, information to a discovery server associated with the communication device to register the communication device with the discovery sever. 120-. (canceled)21. A method for obtaining an embedded subscriber identity module (eSIM) profile in an enterprise environment , comprising:{'claim-text': 'wherein the profile token corresponds to an eSIM profile of the communication device, and wherein the eSIM profile is prepared by a profile preparation server operated by a service provider;', '#text': 'receiving, by a communication device associated with an enterprise, a profile token from an enterprise management system,'}{'claim-text': 'wherein the communication device is registered with the discovery server based on a unique identifier of the communication device; and', '#text': 'retrieving, by the communication device, an address of the profile preparation server from a discovery server operated by an Original Equipment Manufacturer (OEM) of the communication device,'}acquiring, by the communication device, the eSIM profile from the service provider using the address of the profile preparation server.22. The method of claim 21 , wherein the profile preparation server comprises a Subscription Manager-Data Preparation+ (SM-DP+) server that is compliant with a Global System for Mobile Communications standard.23. The method of claim 21 , wherein the unique identifier of the communication device comprises an Embedded Universal Integrated Circuit Card Identification.24. The method of claim 21 , comprising:providing, by the communication device, the unique ...

FACILITATION OF SECURITY FOR ELECTRONIC SUBSCRIBER IDENTITY MODULE FOR 5G OR OTHER NEXT GENERATION NETWORK

Electronic subscriber identity modules (eSIM) can be more susceptible to hackers and more vulnerable than physical subscriber identity modules. The current disclosure discusses systems and methods to facilitate eSIM security by utilizing a management software application (MSA) hosted on a mobile device. This MSA can cross-reference eSIM registration data with mobile device signature data to determine if the correct user identity is associated with mobile device prior to an eSIM being issued to the mobile device. Additionally, various degrees of data flagging can be utilized to allow an end user to properly address an indication of mobile device vulnerability. 1. A method , comprising:assessing, by a user equipment comprising a processor, identification data representative of a user identity associated with the user equipment, wherein assessing the identification data comprises comparing a first text message associated with a birth date corresponding to the user identity to a second text message associated with the birth date corresponding to the user identity, resulting in verification data; andin response to a condition associated with correlating the identification data to service provider registration data relating to a registration with a service provider being determined to have been satisfied, prompting, by the user equipment, performance of an action to facilitate provisioning the user equipment via network equipment associated with the service provider, wherein the action comprises requesting additional verification data that is not comprised in the verification data.2. The method of claim 1 , wherein prompting the performance comprises prompting claim 1 , using the user identity claim 1 , for additional identification data associated with the user identity that is not comprised in the identification data.3. The method of claim 2 , further comprising:in response to prompting for the additional identification data, receiving, by the user equipment, the ...

Validating authorization for use of a set of features of a device

A device obtains proof of its authority to use a first set of selectively activated features (first proof). An authorization server signs the first proof with its private key. The device sends a request to use a network service to a network node. The device sends the first proof to the network node. The network node validates the first proof using a public key of the authorization server. The network node grants the request to use the network service. The device sends a request for proof of authority for the network node to provide the network service (second proof). The device obtains the second proof, signed by another authorization server, and validates the second proof before using the network service. The first proof and the second proof each include a list of selectively activated features, where the selectively activated features are needed to use or provide the network service.

System, method and apparatus for using a virtual bucket to transfer electronic data

A system that enables a mobile communication device to transfer data to or from a computer system using communication data read from an NFC tag. The first device transfers the data and is temporarily held until the second device removes the data. Once the data is removed, the location where the data was temporarily held is emptied.

System and method for supporting movable object application devlopment

Systems and methods can support application development in a movable object environment. A movable object manager can establish a connection with a movable object, and receives one or more data packets from the movable object. Then, the movable object manager can provide information in said one or more data packets to an application on a user terminal.

Method for adding authentication algorithm program, and relevant device and system

Embodiments of the present invention disclose a method for adding an authentication algorithm program, and a relevant device and system, where the method includes: receiving, by an SM-DP+ server, an authentication algorithm program sent by an MNO, where the authentication algorithm program corresponds to target information, and the target information is at least one of: firmware version information of an eUICC, an EID issuer identifier of the eUICC, platform/operating system version information of the eUICC, or capability information of the eUICC; and generating, by the SM-DP+ server, a bound profile package that includes the authentication algorithm program, and sending the bound profile package to the eUICC by using an LPA. As can be learned, the eUICC can add the authentication algorithm program into the eUICC in time by implementing the authentication algorithm program described in a first aspect.

Method and apparatus for limiting a number of simultaneous users of software

A user's device will periodically send short PTT bursts to an application talkgroup and wait for an acknowledgement (ACK). The acknowledgement will allow the software application to execute the application as part of the site license. If the site license is used up (i.e., a maximum number of simultaneous users has been reached), then a negative acknowledgment (NACK) will be sent to the device, and the software will deny the user access to the software.

INFORMATION-PROCESSING DEVICE AND COMMUNICATION SYSTEM

An in-vehicle mobile station is presented. When a user purchases vehicle including in-vehicle mobile station, s/he operates his/her communication device and in-vehicle mobile station to write a profile in a SIM of in-vehicle mobile station and to activate the SIM. Specifically, the user initially operates communication device to register a profile to be written in the SIM of in-vehicle mobile station, in contract information management device. Subsequently, the user operates in-vehicle mobile station to write the profile registered in contract information management device, in in-vehicle mobile station, and to activate the mobile station. 18.-. (canceled)9. An information-processing device comprising:a first acquisition unit configured to acquire subscriber identify module card (SIM) identification information of a SIM of an in-vehicle mobile station, and telecommunications carrier identification information for identifying a telecommunications carrier that provides a communication service to the in-vehicle mobile station;a storage unit configured to store the SIM identification information and the telecommunications carrier identification information that are acquired by the first acquisition unit, in association with authentication information for authenticating a user of the in-vehicle mobile station;a notification unit configured, upon detecting that a communication service contract is signed between the user and a telecommunications carrier identified by the telecommunications carrier identification information acquired by the first acquisition unit, to notify a communication device of the user of the authentication information;a second acquisition unit configured to acquire, from the in-vehicle mobile station, authentication information input in the in-vehicle mobile station and the SIM identification information of the in-vehicle mobile station;an authentication unit configured to perform user authentication by checking the authentication information and the ...

METHOD AND APPARATUS FOR MANAGING EVENT IN COMMUNICATION SYSTEM

Disclosed is a terminal including a transceiver; and at least one processor, wherein the at least one processor transmits a first message which makes a request for an event to a subscription relay server, receives event-related information from the subscription relay server in response to the first message, transmits a second message which makes a request for an event to a profile provision server, based on the event-related information, and controls the transceiver to receive information related to event processing from the profile provision server in response to the second message.

System and method for initially establishing and periodically confirming trust in a software application

Systems and methods for providing trust provisioning are disclosed. A utilization request requesting to utilize data stored by a secure element associated with the device may be processed by a software application. In response to processing the utilization request, a registration request message for registering the software application may be communicated to a management server. A validation code may be received from the management server in reply to the registration request message. The received validation code may be verified to match a second validation code. Subsequent to successful verification, a passcode and an identifier of the secure element may be communicated to the management server. In response to communicating the passcode and the secure element identifier, an acknowledgement may be received from the management server specifying whether registration of the software application was successful.

Enhanced data interface for contactless communications

An enhanced data interface (EDI) for communications between an application operating on a communication device and an access device can provide enhanced verification between the communication device and access device. The communication process may include the access device sending a request for available applets to a communication device, and receiving a list of available applets from the communication device. The access device may select an untrusted applet identifier, and provide the selected untrusted applet identifier and an entity identifier associated with the access device to the communication device. The communication device can validate the access device as being authorized to access credentials associated with the selected untrusted applet identifier by comparing the entity identifier to a list of trusted entity identifiers, and provide credentials associated with the selected untrusted applet identifier to the access device.

Accessing a Primary Device Using a Wearable Device and a Wireless Link

A method of operation includes detecting that a wearable device is being worn, receiving a certificate from a primary device over a secure wireless link where the wearable device is paired to the primary device using the secure wireless link, storing the certificate in memory of the wearable device, and sending the certificate, over the secure wireless link, to the primary device to unlock the primary device. The method may further include detecting that the wearable device is no longer being worn, and eradicating the certificate from memory of the wearable device in response to detecting that the wearable device is no longer being worn. In some embodiments, the method may also include detecting that the secure wireless link is disconnected, and eradicating the certificate from memory of the wearable device in response to detecting that the secure wireless link is disconnected. The present disclosure also provides a wearable device.

System and method for managing application data of contactless card applications

For managing application data of different contactless card applications for a plurality of mobile communication devices ( 2 ), a card emulation module and application data for contactless card applications are transferred (S 2 , S 3 ) by a computer system ( 1 ) to one of the mobile communication devices ( 2 ). The card emulation module is configured to control the mobile communication device ( 2 ) to emulate a contactless card module and to execute data transactions (S 6 , S 7 ) via a close range wireless communication interface of the mobile communication device ( 2 ) using the application data. The computer system ( 1 ) maintains (S 20 , S 30 , S 40 , S 50 , S 60 ) for the mobile communication devices ( 2 ) a card database with representations of the card emulation modules and their application data. The computer system ( 1 ) makes it possible to manage centrally and flexibly the application data of different contactless card applications and different application providers for a plurality of mobile communication devices ( 2 ).

LINKING PAYMENT TO SECURE DOWNLOADING OF APPLICATION DATA

A communication node for delivering secure content in respect of a requested service to a target entity. The communication node has respective interfaces towards: at least one network for communicating with mobile terminals; a service-provider node providing the requested service; and an authorization node for effecting payments. After having completed a set-up phase and in response to a payment, the communication node enables forwarding of secure content, relating to at least one service requested by a user of a first mobile terminal to a target entity associated with the first mobile terminal. The set-up phase involves: identifying the at least one requested service from the first mobile terminal; linking in the service-provider node the at least one requested service to the first mobile terminal; and assigning a reference in the service-provider node to a payment to be made in respect of the at least one requested service. 1. A non-transitory computer readable medium storing a program , the program for causing a first processor to establish a communication node on a first computer for delivering secure content of a requested service to a target entity , the communication node configured by the first processor to:establish a first communication link directly between the communication node of the first computer and at least one network for direct communication with a plurality of mobile terminals connected to the at least one network;establish a second communication link directly between the communication node of the first computer and a service-provider node, the service-provider node established by a second processor on a second computer connected to the at least one network, the service-provider node configured by the second processor to provide the secured content of the requested service by directly interacting with the communication node in a delivery phase; andestablish a third communication link directly between the communication node of the first computer ...

METHOD AND APPARATUS FOR DISCUSSING DIGITAL CERTIFICATE BY ESIM TERMINAL AND SERVER

The present disclosure relates to a communication technique for convergence of IoT technology and a 5G communication system for supporting a higher data transfer rate beyond a 4G system, and a system therefor. The present disclosure can be applied to intelligent services (e.g., smart homes, smart buildings, smart cities, smart or connected cars, health care, digital education, retail business, and services associated with security and safety) on the basis of 5G communication technology and IoT-related technology. Disclosed are a method and an apparatus for securely providing a profile to a terminal in a communication system 1. A method performed by a terminal including a universal integrated circuit card (UICC) in a wireless communication system , the method comprising:obtaining a certificate issuer (CI) public key identifier;obtaining, from the UICC, UICC information including a list of public key identifiers supported by the UICC;in case that a public key identifier for an authentication is restricted to the CI public key identifier, modifying the list by removing at least one public key identifier not matched with the CI public key identifier from the list of the public key identifiers supported by the UICC; andtransmitting, to a server, a message for initiating the authentication, the message including the modified list.2. The method of claim 1 , wherein modifying the list further comprises:comparing the CI public key identifier with the list included in the UICC information.3. The method of claim 1 , wherein the CI public key identifier is obtained by any one of: receiving a user input with respect to the terminal claim 1 , retrieving information stored in the UICC claim 1 , receiving an activation code claim 1 , or receiving a command code.4. The method of claim 1 , further comprising receiving claim 1 , from the server claim 1 , another message in response to the message claim 1 ,wherein the other message includes a CI public key identifier to be used by the ...

CONTROLLING EQUIPMENT ACCESS TO SLICES IN A 5G NETWORK

5G introduces the concept of network slices. Although the 5G standard contemplates some form of slice access control, it is premised on subscriber identity-based checks. Because subscriber identities are associated with/maintained via subscriber identity module (SIM) cards, and because SIM cards can be swapped from one device (user equipment) to another, slice access control based on subscriber identities can fail to prevent unauthorized device access. Systems and methods are provided for enhanced slice access control vis-à-vis an enhanced access and mobility management (AMF), and equipment identity register (EIR) functions. In some embodiments, a localized EIR function can reduce latency/messaging overhead. 1. A system , comprising:a processor; and{'claim-text': ['determine available network slices in a communications network;', 'receive from a user equipment (UE), information regarding at least one requested network slice of the communications network to which the UE seeks access;', 'determine, in conjunction with a locally implemented network slice control function, whether the UE is subscribed to any network slice in the communications network based on at least UE identifier information specific to the UE;', 'determine if a common subset of one or more network slices exists between the available network slices, the at least one requested network slice, and any network slice to which the UE is subscribed; and', 'in response to a determination that a common subset of one or more network slices exists, return to the UE, an indication of the common subset of the one or more network slices facilitating access by the UE to the one or more network slices.'], '#text': 'a memory unit operatively connected to the processor and including computer code that when executed, causes the processor to:'}2. The system of claim 1 , wherein the system comprises an enhanced 5G access management function instantiated in a tenant-defined region of the communications network claim 1 , ...

Subscriber identity systems, servers, methods for controlling a subscriber identity system, and methods for controlling a server

A subscriber identity system may be provided. The subscriber identity system may include: at least one Virtual SIM Host; a memory configured to store an authorization certificate; a transmitter configured to transmit to a server a request for Virtual SIM Essence, the request including data based on the authorization certificate; a receiver configured to receive from the server the Virtual SIM Essence.

Visp authentication service for third party applications

An authentication device receives, from an application executing at a mobile device, a request for an authentication token, the request including an application identifier and an encrypted session identifier (SID). The application identifier identifies the application and the SID uniquely identifies a session between the application and a destination network device. The authentication device decrypts, using a first private key of a first public/private key pair, the encrypted SID to produce a decrypted SID; and determines a first hash value of certain data that includes the application identifier and session information associated with the session. The authentication device further encrypts, using a second public key of a second public/private key pair, the determined first hash value and the decrypted SID to produce an authentication token comprising the encrypted first hash value and the SID; and sends the authentication token to the application at the mobile device.

Systems, methods, and devices for multi-stage provisioning and multi-tenant operation for a security credential management system

A system for provisioning computerized devices of a plurality of tenants is provided. The system includes a security credential management system (SCMS) host connected to the devices and that is operable to receive provisioning requests from respective ones of the devices needing certificates, each provisioning request indicating a tenant identifier uniquely identifying a tenant, at least one registration authority that is communicatively connected to the SCMS host and transmits the provisioning requests to SCMS backend components based on the tenant identifier of each provisioning request. The SCMS backend components includes a plurality of enrollment certificate authorities operable to generate the enrollment certificates in response to the provisioning requests, each provisioning request being transmitted to one of the plurality of enrollment certificate authorities based on the tenant identifier of each provisioning request, and a pseudonym certificate authority operable to generate pseudonym certificates in response to provisioning requests for pseudonym certificates.

DATA FEEDS FOR MANAGEMENT OF CONSUMER ESIMS BY AN ESIM PROFILE MANAGEMENT PLATFORM

One or more service data feeds that indicate a plurality of consumer eSIM profiles received are loaded into one or more profile data stores of at least one subscription management service are received at an Embedded Subscriber Identity Module (eSIM) profile management platform of a wireless communication carrier. A request from an entity to perform an action with respect to a particular consumer eSIM profile having a specific Integrated Circuit Card identifier (ICCID) may be received at the eSIM profile management platform. A request for performing the action with respect to the particular consumer eSIM profile is forwarded by the eSIM profile management platform to a subscription management service at least in response to determining that the specific ICCID matches an ICCID of a consumer eSIM profile that is indicated by the service data feed as being loaded into the profile data store of the subscription management service. 1. A computer-implemented method , comprising:receiving, at an Embedded Subscriber Identity Module (eSIM) profile management platform of a wireless communication carrier, one or more service data feeds that indicate a plurality of consumer eSIM profiles received from at least one eSIM profile vendor are loaded into one or more profile data stores of at least one subscription management service from the at least one subscription management service;receiving, at the eSIM profile management platform, a request from an entity to perform an action with respect to a particular consumer eSIM profile having a specific Integrated Circuit Card identifier (ICCID);determining that the specific ICCID matches an ICCID of a consumer eSIM profile that is indicated by a service data feed as being loaded into a profile data store of the subscription management service; andforwarding, by the eSIM profile management platform, the request for performing the action with respect to the particular consumer eSIM profile to a subscription management service at least in ...

Device agnostic remote esim provisioning

Systems and methods for device agnostic remote eSIM provisioning. One example method includes detecting, with an electronic processor, a provisioning trigger event. The method includes, responsive to detecting the provisioning trigger event, transmitting, via a transceiver, a provisioning request to a mobile device management server, the provisioning request including a device identifier and an identifier for an integrated circuit card of the wireless communication device. The method includes receiving, from the mobile device management server, an activation code. The method includes transmitting, to the integrated circuit card, a provisioning command based on the activation code.

TRANSFER FUNCTIONALITY BETWEEN SECURE ELEMENTS SERVERS

It is provided a method for transferring and managing data packages between a first portable secure element, SE, server implemented in a portable device () and a second portable SE server implemented in an embedded UICC, eUICC (), comprised in a user's device () which is local to the portable device (), the first and second portable SE severs comprising Subscription Manager, SM, functionalities, the method comprises the first and the second portable SE servers establishing off-line communication using local data transport protocols in a secured mode, the first or the second portable SE server implementing first transfer functionalities () for performing secure transfer of the data packages and the first or the second portable SE server implementing second transfer functionalities () for performing end-to-end securing of the data packages after the secure transfer of the data packages. 1100200120240110230100200. Method for transferring and managing data packages between a first portable secure element , SE , server implemented in a portable device ( , ) and a second portable SE server implemented in an embedded UICC , eUICC ( , ) , comprised in a user's device ( , ) which is local to the portable device ( , ) , the first and second portable SE severs comprising Subscription Manager , SM , functionalities , the method comprising:the first and the second portable SE servers establishing off-line communication using local data transport protocols in a secured mode;{'b': ['140', '260'], '#text': 'the first or the second portable SE server implementing first transfer functionalities (, ) for performing secure transfer of the data packages; and'}{'b': ['140', '260'], '#text': 'the first or the second portable SE server implementing second transfer functionalities (, ) for performing end-to-end securing of the data packages after the secure transfer of the data packages.'}2140260. The method for transferring and managing data packages according to claim 1 , wherein the ...

PARTIAL LIMITATION OF A MOBILE NETWORK DEVICE

In some embodiments, a local user is prevented from accessing certain content and/or capabilities of a mobile network device while allowing him control over other functions of the device. For example, an administrator may prevent certain undesired activities. Optionally, by means of an MDM server and/or a remote server, the local user controls other aspects of his device as he wills More specifically but not exclusively the method works on IOS devices. An aspect of some embodiments of the current invention relates to a method of selecting a level of filtering for individual members of a network and/or packets. Optionally, a device pertinent to aggressive filtering may signal to the server and/or other devices will be less aggressively filtered. Alternatively or additionally, a server may determine from certain behaviors and/or packet characteristics that a device and/or packet should be filtered aggressively or not. 1. A method of limiting access of a local user to a mobile network device comprising:installing mobile device management MDM onto the device to allow a remote server to remove an application from the device;preventing a local user from using a local user interface for removing the application;installing an application interface on the device to request that the remote server to disable the application upon request from the local user.2. The method of claim 1 , wherein said preventing includes preventing a local user from using a local user interface for removing any application from said device.3. The method of claim 2 , further comprising: configuring said remote server forremoving by said remote server of a first application from said device in response to a request from said local user using said application interface andrefusing a request from said local user for removing a second application from said to device.4. The method of claim 1 , further comprising:installing a filtering application onto said device that inhibits access by said local user to ...

Cloud enrollment initiation via separate device

Systems and methods for initiating enrollment of a local device in a cloud environment using a separate device are presented. In an example embodiment, a device identifier for the local device is received from the local device by a separate device that is trusted by a cloud computing system. The separate device causes the displaying of an indicator for the local device. In response to receiving an activation of the indicator for the local device, the separate device issues a request to the cloud computing system to receive credential information enabling the local device to enroll with the cloud computing system. The separate device receives the credential information from the cloud computing system and transmits the credential information to the local device.

Iot provisioning service

The disclosed technology is generally directed to device provisioning in an IoT environment. For example, such technology is usable in provisioning IoT devices to an IoT Hub. In one example of the technology, an identification message that includes information associated with identification of a first IoT device is received. The validity of the first IoT device is then verified. After the first IoT device is verified, based at least in part on the identification message, an IoT hub is selected from a plurality of IoT hubs. The first IoT device is then caused to be registered with the selected IoT hub.

Instantiating a slice of a 5g or other next generation service network in an underserved area

Techniques for creating a service slice of a network in an underserved area are presented. A vehicle can be associated with a slice component that can generate service slices of a service network for various services. The vehicle can travel to an underserved area that does not have adequate wireless coverage or advance capabilities. For a communication device associated with an entity located in an underserved area, slice component can generate a service slice to connect the communication device to the communication network (and service network), establish a session with the communication device, provide applications, including VNF applications, to the communication device, and communicate information between the communication device and communication network (and service network). If no radio access to the network is available, slice component can continue the session with an internal slice and store information in its service database, which is synced when reconnected to the network.

Method and Apparatus For Enabling Machine To Machine Communication

A method and apparatus for performing secure Machine-to-Machine (M2M) provisioning and communication is disclosed. In particular a temporary private identifier, or provisional connectivity identification (PCID), for uniquely identifying machine-to-machine equipment (M2ME) is also disclosed. Additionally, methods and apparatus for use in validating, authenticating and provisioning a M2ME is also disclosed. The validation procedures disclosed include an autonomous, semi-autonomous, and remote validation are disclosed. The provisioning procedures include methods for re-provisioning the M2ME. Procedures for updating software, and detecting tampering with the M2ME are also disclosed.

Method and apparatus for supporting transfer of profile between devices in wireless communication system

The present disclosure relates to a communication scheme and system for the convergence of a 5G communication system for supporting a higher data transfer rate after the 4G system and the IoT technology. The present disclosure may be applied to intelligent services (e.g., a smart home, a smart building, a smart city, a smart car or connected car, healthcare, digital education, retain business, security and safety-related service) based on the 5G communication technology and IoT-related technology. The present disclosure provides methods and apparatus for supporting a profile transfer between terminals and methods and apparatus for supporting easy use of a communication product.

Method and System for Updating Certificate Issuer Public Key, and Related Device

A method includes: receiving, by an embedded universal integrated circuit card eUICC, first information sent by a local profile assistant LPA, where the first information includes a first certificate issuer CI public key identifier, and the first CI public key identifier is a CI public key identifier that the eUICC does not have; sending, by the eUICC, second information to an OPS by using the LPA, where the second information includes the first CI public key identifier; receiving, by the eUICC, a patch package sent by the OPS by using the LPA, where the patch package includes at least a first CI public key corresponding to the first CI public key identifier; and updating, by the eUICC, a CI public key of the eUICC by using the first CI public key. 1. A method for updating a certificate issuer public key , wherein the method comprises:sending, by a local profile assistant, LPA, an embedded universal integrated circuit card, eUICC, information to a subscription manager-data preparation, SM-DP+, server, wherein the eUICC information comprises a verification certificate issuer, CI, public key identifier list of an eUICC;receiving, by the LPA, first information from the SM-DP+ server, and sending, by the LPA, the first information to the eUICC;receiving, by the eUICC, the first information sent by the LPA, wherein the first information comprises a first CI public key identifier, wherein the first CI public key identifier is a CI public key identifier that is stored on the SM-DP+ server and that does not match any CI public key identifier in the verification CI public key identifier list, the first CI public key identifier is used for bidirectional authentication between the SM-DP+ server and the eUICC;sending, by the eUICC, second information to an operating system patch server, OPS, by using the LPA, wherein the second information comprises the first CI public key identifier;receiving, by the eUICC, a patch package sent by the OPS by using the LPA, wherein the patch ...

Providing web service for new user account after installation of application on mobile device

Mobile devices often communicate with network services that require an account. Because it may be undesirable to require user interaction when creating an account, it may be desirable to automatically create an account associating a mobile device to a network service after a new application is installed on the mobile device. In an embodiment, a new application is remotely installed on a mobile device. After the installation, the device monitors itself for an occurrence of an event. In response to detecting the occurrence, the device launches the new application. After the launch, the new application automatically obtains data from the mobile device, and then sends the data to a server that automatically creates an account for the user. The server also provides a service associated with the account.

Meta rsp interface platform for esim profile distribution

A user device may receive a list of remote SIM provisioning (RSP) platforms that are designated by a mobile network operator (MNO) to distribute eSIM profiles of a partner MNO of the MNO, in which the partner MNO provides telecommunication services in a geographical area. The user device may obtain one or more service features of individual RSP platforms in the list of RSP platforms from a meta RSP interface (MRI) platform when the user device is in the geographical area. Subsequently, the user device may determine a number of service parameters that are met by the one or more service features of the individual RSP platforms. In response to identifying a single RSP platform as meeting a highest number of service parameters, the user device may request a download of an eSIM profile from the single RSP platform to access the telecommunication services of the partner MNO.

Ehn venue-specific application provisioning

In order to leverage an enterprise-hosted network (EHN) associated with an entity, a communication technique may dynamically customize an application on a portable electronic device. In particular, the portable electronic device may discover and then may connect to the EHN using a quarantine zone that restricts access to the EHN. After providing valid credentials to establish a level of trust with the EHN, the portable electronic device may receive a request for authentication and authorization information. In response to the request, the portable electronic device may provide a credential to the EHN. Next, the portable electronic device may receive provisioning information that customizes the application on the portable electronic device to a venue associated with the entity. The provisioning information may include a connection setting associated with the application on the portable electronic device, which allows the portable electronic device to connect to the EHN outside of the quarantine zone.

SYSTEM AND METHOD FOR PROVIDING NETWORK SUPPORT SERVICES AND PREMISES GATEWAY SUPPORT INFRASTRUCTURE

A service management system communicates via wide area network with gateway devices located at respective user premises. The service management system remotely manages delivery of application services, which can be voice controlled, by a gateway, e.g. by selectively activating/deactivating service logic modules in the gateway. The service management system also may selectively provide secure communications and exchange of information among gateway devices and among associated endpoint devices. An exemplary service management system includes a router connected to the network and one or more computer platforms, for implementing management functions. Examples of the functions include a connection manager for controlling system communications with the gateway devices, an authentication manager for authenticating each gateway device and controlling the connection manager and a subscription manager for managing applications services and/or features offered by the gateway devices. A service manager, controlled by the subscription manager, distributes service specific configuration data to authenticated gateway devices. 119-. (canceled)20. A computing system for performing operations for managing voice-controlled services at a user premises , the computing system comprising:at least one processor;{'claim-text': ['receiving, via gateway device connected to a wide area network, configuration data for at least a portion of the voice-controlled services;', 'storing the configuration data;', 'sending, via the wide area network, a request for a streaming service to stream media, at the user premises, wherein the request corresponds to the at least a portion of the voice-controlled services;', 'communicating with one or more endpoint devices over a communication interface for implementing a user interface for the streaming service; and', 'after a verification that the request conforms with policy and/or usage rules associated with the streaming service based on subscription ...

Embedded Universal Integrated Circuit Card Supporting Two-Factor Authentication

A module with an embedded universal integrated circuit card (eUICC) can include a profile for the eUICC. The profile can include a first and second shared secret key K for authenticating with a wireless network. The first shared secret key K can be encrypted with a first key, and the second shared secret key K can be encrypted with a second key. The module can (i) receive the first key, (ii) decrypt the first shared secret key K with the first key, and (iii) subsequently authenticate with the wireless network using the plaintext first shared secret key K. The wireless network can authenticate the user of the module using a second factor. The module can then (i) receive the second key, (ii) decrypt the second shared secret key K, and (iii) authenticate with the wireless network using the second shared secret key K. The module can comprise a mobile phone. 1. A mobile device for communicating with a wireless network , the mobile device comprising:a memory configured to store an embedded universal integrated circuit card (eUICC) identity;a random number generator configured to generate a random number for an eUICC private key corresponding to an eUICC public key; a. transmit, to a subscription manager, the eUICC identity and the eUICC public key; and', 'b. receive, from the subscription manager, i) an eUICC profile comprising network parameters, a key K, and a subscriber identity and ii) a symmetric key; and, 'a radio configured to a. derive a profile key using an elliptic curve Diffie Hellman (ECDH) key exchange with the eUICC private key and a subscription manager public key;', 'b. decrypt a first portion of the eUICC profile using the profile key;', 'c. receive the symmetric key from a network application operating in the mobile device;', 'd. decrypt a second portion of the eUICC profile using the symmetric key, the second portion comprising the key K and the subscriber identity, wherein the first portion and the second portion are distinct; and', 'e. generate a ...

Method for detecting that a secure element has been temporarily disconnected from a device, and corresponding device

A method for detecting that a removable secure element has been temporarily disconnected from a first device includes: Providing by the secure element to the first device a first Temporal Global Identity; Entering the first device in the sleeping mode; If the secure element is inserted and used by a second device during the sleeping mode of the first device, replacing in the secure element the first Temporal Global Identity by a second Temporal Global Identity and providing the second Temporal Global Identity to the second device; When getting out from the sleeping mode by the first device, reading by the first device the Temporal Global Identity stored in the secure element; If the Temporal Global Identity read is not the same than the stored Temporal Global Identity, sending to an MNO server a message to indicate that the secure element has been used by another device. 1. A method for detecting at the level of a first device and at the level of a MNO server that a removable secure element has been temporarily disconnected from said first device with which said removable element is cooperating , said first device entering during a lap of time in a sleeping mode , said method comprising:A—Providing by said secure element to said first device a Temporal Global Identity, called first Temporal Global Identity, on demand by said first device, before said first device enters in said sleeping mode and storing said first Temporal Global Identity in a memory of said first device;B—Entering said first device in said sleeping mode;C—If said secure element is inserted and used by a second device during the sleeping mode of said first device, said use consisting in an action different from a reading of said first Temporal Global Identity, replacing in said secure element said first Temporal Global Identity by a second Temporal Global Identity different from said first Temporal Global Identity, providing said second Temporal Global Identity to said second device and storing said ...

Local Applications and Local Application Distribution

Concepts and technologies are disclosed herein for local applications and local application distribution. According to one aspect of the concepts and technologies disclosed herein, an application authority system can receive a local application for distribution to a local router. The application authority system can perform an application approval process to approve the local application for distribution to the local router. The application authority system can cause the local application to be distributed to the local router. The local router can receive the local application and can distribute the local application to one or more devices via a local network.

Configuring a computing device to automatically obtain data in response to a predetermined event

An operating system of a computing device is configured to monitor for occurrence of an event. In response to determining that the event has occurred, data associated with the event is obtained from the computing device. An address associated with an account of the computing device is determined, and the data associated with the event is sent to the address.

Apparatus and methods for electronic subscriber identity module (esim) installation and interoperability

Methods and apparatus for managing processing of electronic Subscriber Identity Modules (eSIM) data at a mobile device are disclosed. An eSIM management entity of an embedded Universal Integrated Circuit Card (eUICC) in the mobile device obtains an encrypted eSIM package, decrypts the eSIM package to obtain eSIM contents formatted generically and not specifically tailored to requirements of the eUICC. In some embodiments, the eSIM contents are formatted based on an abstract syntax notation (ASN) distinguished encoding rules (DER) format. The eSIM management entity parses the formatted eSIM contents to retrieve individual eSIM components and installs each eSIM component for the eSIM in an eSIM security domain on the eUICC. In some embodiments, the eSIM management entity acts as a local, personalization server to provide local Trusted Service Manager (TSM) server functionality for eSIM installation that transforms “generically formatted” eSIM contents into eSIM components that match specific requirements of the eUICC.

Device validation, distress indication, and remediation

A wireless communications device may be configured to perform integrity checking and interrogation with a network entity to isolate a portion of a failed component on the wireless network device for remediation. Once an integrity failure is determined on a component of the device, the device may identify a functionality associated with the component and indicate the failed functionality to the network entity. Both the wireless network device and the network entity may identify the failed functionality and/or failed component using a component-to-functionality map. After receiving an indication of an integrity failure at the device, the network entity may determine that one or more additional iterations of integrity checking may be performed at the device to narrow the scope of the integrity failure on the failed component. Once the integrity failure is isolated, the network entity may remediate a portion of the failed component on the wireless communications device.

Methods, Procedures and Framework to Provision an eSIM and Make It Multi-SIM Capable Using Primary Account Information

Some embodiments relate to methods for provisioning a secondary wireless device with an eSIM for wireless communication and activating multi-SIM functionality between the secondary wireless device and a primary wireless device having a subscribed SIM. The primary wireless device may act as a proxy in obtaining the eSIM for the secondary wireless device. The primary wireless device may then provide, to the cellular network, identifiers of the SIMs of the primary and secondary wireless devices. The primary wireless device may then request initiation of multi-SIM functionality for the two SIMs, and receive an indication that the multi-SIM functionality has been initiated. As an example, the multi-SIM functionality may be implemented by mapping the SIM of the primary wireless device and the SIM of the secondary wireless device (e.g., the provisioned eSIM) to the same Mobile Directory Number (MDN).

SYSTEM AND METHOD FOR CONNECTING A Wi-Fi PRODUCT TO A Wi-Fi NETWORK

Disclosed is a method and system for connecting a Wi-Fi product to an available Wi-Fi network using a Bluetooth connection. The method includes connecting, the Wi-Fi product to an electronic device through the Bluetooth connection, inputting, an authentication credentials related to the available Wi-Fi network over the electronic device by a user, where the input of the authentication credentials is facilitated by an application residing on a memory medium of the electronic device, sending, by the electronic device, the authentication credentials to Bluetooth module of the Wi-Fi product, sending, by the Bluetooth module, the authentication credentials to a Wi-Fi module configured in the at least one Wi-Fi product and communicatively linked with the Bluetooth module, and registering, the authentication credentials with the available Wi-Fi network for connecting the Wi-Fi module to the available Wi-Fi network.