KR20140051018A - Method and apparatus for managing an embedded subscriber identity module in a communication system - Google Patents

Publication number
KR20140051018A
Authority
KR
South Korea
Prior art keywords
profile
sim
mno
built
communication
Prior art date
Application number
KR1020120117565A
Other languages
Korean (ko)
Inventor
서경주
Original Assignee
삼성전자주식회사
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 삼성전자주식회사 filed Critical 삼성전자주식회사
Priority to KR1020120117565A priority Critical patent/KR20140051018A/en
Publication of KR20140051018A publication Critical patent/KR20140051018A/en

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04: Key management, e.g. using generic bootstrapping architecture [GBA]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W8/00: Network data management
    • H04W8/18: Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/183: Processing at user equipment or user record carrier

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephone Function (AREA)

Abstract

A method of managing an embedded SIM in a communication system according to an embodiment of the present invention includes the steps of: requesting, by a device that includes a built-in SIM using a first profile of a first MNO, a profile change to a second profile of a second MNO from the communication system; and receiving the second profile of the second MNO verified by the communication system. According to another embodiment of the present invention, a method for managing a built-in SIM in a communication system includes the steps of: being allocated a built-in SIM identifier from a built-in SIM provider; performing a subscription request for communication with an MNO using the allocated built-in SIM identifier; receiving a profile for the MNO from the SM system; and communicating with the MNO via that profile.

Figure P1020120117565

Description

METHOD AND APPARATUS FOR MANAGING AN INTEGRATED SUBSCRIBER ID MODULE IN A COMMUNICATION SYSTEM

The present invention relates to a method and apparatus for managing a subscriber identity module (SIM) in a communication system, and more particularly, to a method and apparatus for managing a built-in subscriber identity module (SIM).

In general, a SIM is used for user identification in a device capable of communicating. The device may be a variety of devices such as a mobile communication terminal, a terminal for performing machine type communication, various Consumer Devices having a communication function, and a vending machine.

Meanwhile, the embedded SIM (eSIM) is under discussion; unlike a general SIM, it allows the initial information of the SIM to be set and the provider to be changed. However, because of weaknesses arising from the security exposure of information related to the service provider, and other difficulties in operating under the existing communication system structure centred on the operator, security is difficult to ensure when the built-in SIM is used.

The present invention provides a method and apparatus for efficiently managing a built-in SIM in a communication system.

The present invention also provides a method and apparatus for facilitating carrier change of a device in a communication system using a built-in SIM.

The present invention also provides a method and apparatus for easily setting initial information of a built-in SIM in a communication system using a built-in SIM.

The present invention also provides an efficient security management method and apparatus in a communication system using a built-in SIM.

A method of managing an embedded SIM in a communication system according to an embodiment of the present invention includes the steps of: requesting, by a device that includes a built-in SIM using a first profile of a first MNO, a profile change to a second profile of a second MNO from the communication system; and receiving the second profile of the second MNO that is verified by the communication system.

A method of managing a built-in SIM in a communication system according to another embodiment of the present invention includes the steps of: being allocated a built-in SIM identifier from a built-in SIM provider; making a subscription request for communication with an MNO using the allocated built-in SIM identifier; receiving a profile for the MNO from the SM system; and communicating with the MNO via the received profile.

FIG. 1 is a diagram illustrating an example of a communication system using a built-in SIM according to an embodiment of the present invention;
FIGS. 2A and 2B are flowcharts showing specific procedures of a method of managing a built-in SIM in a communication system according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating an example of a communication system using a built-in SIM according to another embodiment of the present invention;
FIGS. 4A and 4B are flowcharts illustrating specific procedures of a method for managing a built-in SIM in a communication system according to another embodiment of the present invention.

The operation principle of the preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

The present invention proposes an effective built-in SIM management method for changing the communication service provider, changing related information according to the communication carrier, or changing security information for a device using the built-in SIM.

Embodiments of the present invention can be applied to the EUTRAN (Evolved Universal Terrestrial Radio Access Network), UTRAN (Universal Terrestrial Radio Access Network) and GERAN (GSM/EDGE Radio Access Network) systems proposed by the 3rd Generation Partnership Project (3GPP), and to the 3GPP Evolved Packet System (EPS), also called the Long Term Evolution (LTE) system, as well as to various wired and wireless communication systems using a built-in SIM. The embodiments described later can be applied to the communication of information related to a service provider and/or security-related information, including a change of service provider, between a device using a built-in SIM and a service provider.

FIG. 1 is a diagram illustrating an example of a communication system using a built-in SIM according to an embodiment of the present invention. The system of FIG. 1 is described taking an EUTRAN based on a 3GPP EPS system as an example, and this method can be used in other similar communication systems.

Referring to FIG. 1, the device 100 using the built-in SIM 110 at the time of performing communication may be various devices having a communication function as described in the background art as well as a mobile communication terminal.

In FIG. 1, the embedded SIM 110 includes a profile manager 111, profile installers 113a and 113b, and profiles 115a and 115b. For convenience of explanation, two profile installers and two profiles are shown. In the present invention, the number of profile installers and profiles is not limited to two; it corresponds to the number of carriers. However, depending on how the embedded SIM is operated, the number of profile installers may correspond to the number of profiles, that is, the number of carriers supported, or there may be one, or more than one. That is, an embodiment in which a plurality of profiles are created using one profile installer is also possible. The profile manager 111 performs routing and management functions for the profiles 115a and 115b in the embedded SIM 110. The profile installers 113a and 113b decrypt the encrypted profiles 115a and 115b in the built-in SIM 110 and install them.

The profiles 115a and 115b include a network identifier, a security key, and the like necessary for performing a communication function with a communication service provider. Here, the network identifier may be at least one of the International Mobile Subscriber Identity (IMSI) and the Mobile Station International Subscriber Directory Number (MSISDN), both well known in communication systems, and the security key may include a security key K corresponding to a master key stored in an authentication center (AUC), a built-in SIM, or the like. The profile includes an operator profile and a provisioning profile.

In order to set the profiles 115a and 115b required for the built-in SIM 110, a communication service provider or the like must receive subscription request information (or customer information) from the customer 10. The subscription request information may be input through a subscription application portal site or the like, or may be input directly through a user interface of the device 100 having a communication function. The device 100 includes a control unit (or a processor) for controlling the operation of the device 100 and a communication interface (not shown) for transmitting and receiving information necessary for management of the built-in SIM 110 in the communication system of FIG. 1. This subscription request may, for example, be triggered at the device 100 by a machine-to-machine (M2M) service provider so that the device 100 begins the process of provisioning information to the embedded SIM 110. That is, in this case, the built-in SIM 110 may have a provisioning profile or the like so that it can access a specific SM through the network of a specific communication provider and receive a profile.

In FIG. 1, a subscription manager (SM) 200 provides the embedded SIM 110 with the data necessary for the device 100 to subscribe to the network of a communication provider in the communication system, and manages that data. The subscription manager 200 includes a subscription manager-secure routing part (SM-SR) 210 and a subscription manager-data preparation part (SM-DP) 230. The SM-SR 210 handles the routing of the profile, and the SM-DP 230 handles the encryption of the profile. Also, when the device 100 requests a profile change, the SM-DP 230 can verify whether the new profile is a profile corresponding to the new MNO. Depending on the operational scenario, the SM-SR 210 and the SM-DP 230 may be implemented in one SM entity 200 as shown in FIG. 1, or may each be implemented as functionally separate entities. When the SM-SR 210 and the SM-DP 230 are configured as separate entities, the SM-DP 230 is connected to the communication carrier network, and the SM-SR 210 is a built-in SIM provider, an authority, or a coalition of telecommunications carriers. In particular, when the SM-DP 230 is in the communication provider network, information such as a profile (e.g., IMSI, security key, etc.) corresponding to its own network can be kept in a separate database, so that a secure profile procedure can be built. Even if the SM-SR 210 and the SM-DP 230 are configured as a single entity, they can operate on a common database. In another embodiment, the SM-SR 210 and the SM-DP 230 use different databases: the database accessed by the SM-SR 210 stores only the minimal information needed for routing, such as profile identifiers, and the database queried by the SM-DP 230 stores information such as the profile identifier and profile detail information such as IMSI, MSISDN, and the like.

On the other hand, according to another embodiment, the database stored by the SM-DP 230 can be stored and managed for each communication service provider, so that the SM-DP 230 can have the same effect as that of the communication service provider. In addition, when the SM-DP 230 and the SM-SR 210 are configured as separate entities, the SM-SR 210 transmits a DP-access-credential to communicate with the SM-DP 230, and a secure channel is set up between the SM-SR 210 and the SM-DP 230 to enable secure communication.

In yet another embodiment, the SM-DP 230 may be implemented to be separate from the SM-SR 210 and included in the MNO.

Through the subscription management of the SM 200, the relevant data and values for accessing the carriers' mobile network operators (MNO A, MNO B) 300a and 300b are set in the profiles 115a and 115b of the built-in SIM 110, so that the device 100 can connect to the MNOs (i.e., MNO A, MNO B) 300a and 300b. The MNOs 300a and 300b include MNO network units 310a and 310b, which are responsible for registering and terminating the device 100; MNO OTA units 330a and 330b, which manage MNO information through the communication network (for example, OTA (over the air)); and MNO OMA units 350a and 350b, which are responsible for device management (e.g., OMA DM). In the embodiment of FIG. 1, the MNOs (MNO A, MNO B) 300a and 300b mean communication service providers. In the embodiment of the present invention, the number of communication service providers is assumed to be two. The SM 200 can be implemented as a server that performs communication in a network, and the MNOs (MNO A and MNO B) 300a and 300b are each shown as a block representing a system that includes the network of a different carrier.

In the system of FIG. 1, network entities such as the device 100, the SM 200, and the MNOs 300a and 300b communicate with each other, with respect to the built-in SIM 110, based on protocols used in mobile communication and Internet communication. For example, when the device 100, while communicating through one communication service provider, tries to change provider in order to communicate through another, the security-related information can be changed, set, and operated. A specific embodiment of the present invention will be described with reference to FIGS. 2A and 2B.

FIGS. 2A and 2B are flowcharts illustrating a method of managing a built-in SIM in a communication system according to an embodiment of the present invention. In the embodiment of FIG. 2, it is assumed that there are two communication carriers (MNO A and MNO B) as in the example of FIG. 1.

Referring to FIG. 2A, it is assumed that in step 201 the device 100 communicates through the carrier MNO A 300a using the profile information stored in the embedded SIM 110. The profile includes a network identifier, a security key K, and the like necessary for performing a communication function through the MNO 300a or 300b of the corresponding communication provider, and the identifiers and security keys illustrated in the description of FIG. 1 can be used.

The profile includes an operator profile and a provisioning profile. The provider profile includes a remote file or performs an application management process. In addition, the profile content manager 111 in the embedded SIM 110 manages the content of the profile, and the profile content manager 111 is responsible for the OTA-related processing of the MNO. Therefore, the OTA security key, MSISDN, do.

The provisioning profile includes a network access application associated with network access credentials, such as at least one IMSI and security key K, and provides the transport capability to the SM-SR 210 of the SM 200 for profile management and for management of the embedded SIM 110. Therefore, using the IMSI and the security key K of the provisioning profile, the built-in SIM can access the SM through the provisioned provider network even in an initial state in which a specific provider has not been determined. The profile may include a profile ID, a security key, PIN information used for identification in OTA services and the like, a certificate used for verifying the other party (that is, a certificate to be used in verification of the profile), parameters related to security and/or communication algorithms, applications, and information regarding the algorithm capability of the communication carrier (i.e., the security and/or communication algorithms supported by the communication carrier). In addition, the profile may include profile type information indicating whether the profile is an operator profile or a provisioning profile.

Although not shown in FIG. 2A, MNO A 300a and MNO B 300b can each communicate with the SM 200 in advance in order to process the MNO profile of the new carrier when the carrier of the device 100 is changed. It is assumed that a secure connection is established in advance between the SM 200 and the MNO A 300a and between the SM 200 and the MNO B 300b. The way the SM 200 manages profiles in relation to profile transmission between the MNOs 300a and 300b and the SM 200 can be implemented in various ways, as described below.

When the customer 10 wants to change the communication company from MNO A 300a to MNO B 300b, in step 203 (that is, process 203-1 or 203-2) subscription request information (or customer information) including the identifier (eSIM ID) of the built-in SIM 110 of the device 100 is transmitted to MNO B 300b. For example, the subscription request information for MNO B 300b may be transmitted from the device 100 through the MNO's network or through the Internet over wireless LAN, Bluetooth, etc. (Case 1), or the customer 10 may access the portal site (not shown) of MNO B 300b using a web browser of the device 100 or a general-purpose computer (not shown) (Case 2).

In step 205, in response to the join request for communication from the device 100, MNO B 300b transmits a response message including a profile ID of MNO B 300b, the built-in SIM identifier (ID) of the device 100 that transmitted the request, and the SM identifier (SM ID) or the SM address, for example, the IP address of the SM. In FIG. 2A, step 205-1 is the case of transmitting the response message to the device 100 that transmitted the join request in step 203-1 (Case 1), and step 205-2 is the case of transmitting the response message through the portal site where the customer 10 made the subscription request (Case 2). In FIG. 2A, it is assumed for convenience that in step 205-2 the corresponding portal site is accessed through the device 100. This subscription request may be triggered at the device by the M2M service provider so that the device 100 begins the process of provisioning information to the embedded SIM 110.

In step 207, the embedded SIM 110 of the device 100 and the SM 200 perform a mutual authentication process for security. The mutual authentication may be performed by a method using a secret key in the embedded SIM 110 and a public key of the SM 200, or by a method in which the embedded SIM 110 and the SM 200 authenticate each other via the Internet.

After performing the mutual authentication in step 207, in step 209 the embedded SIM 110 transmits to the SM 200 a profile change request message including at least one of the corresponding built-in SIM identifier (ID), the profile ID of the MNO B 300b with which it is to communicate, a profile change indication indicating the change (or request for change) of the profile, and a capability of the embedded SIM 110. Upon receiving the profile change request message, in step 211 the SM 200 transmits the built-in SIM identifier (ID), the profile identifier (ID), and the profile change indication to the SM-SR 210.

In another embodiment, steps 209 and 211 may be performed as a single process, depending on how profile data related to the MNO is managed in the SM 200. In step 213, the SM-SR 210 receives the information included in the profile change request message and transmits the built-in SIM ID, the profile ID, and the profile change indication to the SM-DP 230.

The SM-DP 230 then verifies the received profile. The verification of the profile may be performed in two ways, as shown in FIG. 2A. In the first method, as in step 215-1, the SM-DP 230 verifies whether the profile ID belongs to the corresponding MNO (Case 1). In the second method, the SM-DP 230 transmits the profile ID and the built-in SIM ID, which are necessary for profile verification, to the corresponding MNO (MNO B 300b in the embodiment of FIG. 2), the MNO B 300b verifies whether the profile ID is a profile ID belonging to the MNO (step b), and transmits a response message indicating the verification result to the SM-DP 230 (Case 2). In Case 2, the MNO can verify that the corresponding profile ID is allocated to the corresponding embedded SIM. It is also possible that either the SM-SR 210 or the SM-DP 230 receives the response message indicating the verification result from the MNO B 300b.

Whether the information necessary for verification is transmitted from the SM-DP 230, the SM-SR 210, or the SM 200 in the profile verification process can differ depending on how it is managed.

In step 217, the SM-DP 230 encrypts the corresponding profile so that it can be created securely in the corresponding embedded SIM 110, and transmits the encrypted profile to the SM-SR 210.

Referring to FIG. 2B, in operation 221, the SM-SR 210 transmits the encrypted profile to the profile manager 111 of the embedded SIM 110. In step 223, the encrypted profile is transferred from the profile manager 111 to the profile installer B 113b that processes the profile of the MNO B 300b. In step 225, the profile installer B 113b transfers the encrypted profile to the MNO B 300b, and decrypts the corresponding profile of the user.

In the above, the profile installer credential is assigned to the profile installer by the provider of the built-in SIM. The profile installer credential may include information such as a private key of the built-in SIM, and enables the encryption and decryption of the profile information. This secret key is used for decrypting the profile information. In this case, the SM can encrypt and decrypt the profile information with the public key, and the encrypted profile information can be decrypted in the built-in SIM. In another embodiment, the profile installer credential may be configured such that the embedded SIM holds the public key of a CA; using this CA public key, the embedded SIM derives the public key of the sender, that is, the SM-DP, from the implicit certificate sent by the profile sender (the SM-DP), and, when it receives a digital signature and digital-signature-related algorithm information, verifies that they came from the legitimate sender. In yet another embodiment, the profile installer credential is a secret credential shared between the embedded SIM and the SM-DP: the embedded SIM authenticates the SM-DP as a legitimate sender through an implicit certificate or the like as in the above embodiment, the credentials that the SM-DP and the built-in SIM need in order to share the secret information are generated and transmitted, and the encrypted profile information is then sent.

In the case where the profile installer is implemented differently according to profiles or groups of profiles corresponding to MNOs, the profile installers 113a and 113b each store the profile installer credentials corresponding to the SM-DP 230, and the profile installer credential must be updated by a trusted certificate authority.

Alternatively, when a profile installer is distinguished for each MNO, the profile installer credentials may be pre-configured from the beginning, and the SM-DP 230 and the profile installers 113a and 113b of the embedded SIM 110 may check an index or the like and use the corresponding credential in mutual authentication between the SM and the built-in SIM. Although not shown, in yet another embodiment the profile installer is unique to the embedded SIM 110 and its profile installer credential is unique, so that the SM-DP and the profile installer can communicate with each other using the unique profile installer credential.

In step 227, the profile installer B 113b installs the decrypted profile B 115b. Although not shown, the embedded SIM 110 then performs a communication process such as registration request, connection, and location update with the MNO and the MNO network, or communicates with the OTA entity of the MNO for over-the-air (wireless transmission technology) remote transmission of system program modules, firmware, and the like, or with OMA-related entities to perform functions related to Open Mobile Alliance (OMA) Device Management (DM).

In step 229, the profile installer B 113b notifies the profile manager 111 that the installation of the profile B 115b is successful. In step 231, the profile manager 111 informs the communication service provider (for example MNO B in this embodiment) to which the profile is to be subscribed via the SM 200 that the profile installation is successful. In step 233, the SM 200 instructs the profile manager 111 to change the profile to the profile B 115b corresponding to the MNO B 300b. Meanwhile, in another embodiment, the steps 231 to 233 for notifying that the installation is successful and receiving the profile change command may not be performed.

Then, in step 235, the profile manager 111 can instruct the profile installer B 113b to activate the profile B 115b of the communication carrier to be newly subscribed. Then, in step 237, the profile installer B 113b activates the profile B 115b. In step 239, when the activation of the profile of the communication carrier to be subscribed succeeds, the profile installer B 113b informs the profile manager 111 of the successful activation. Step 239 can be performed selectively.

In step 241, the profile manager 111 instructs the previous profile installer A 113a to disable (inactivate) the profile A 115a of the communication carrier (MNO A, for example) with which the device was previously communicating. In step 243, the profile installer A 113a instructs the previous profile A 115a to perform the process of unregistering with the communication service provider (i.e., MNO B). In step 245, the previous profile A 115a performs deregistration with the communication carrier that previously performed communication, and sets the cause value to profile inactive.

Such a profile deactivation cause value can be set for reasons such as a change of communication carrier. If the deregistration procedure is performed successfully, the previous profile A 115a notifies the profile installer A 113a that the deactivation has succeeded, as in step 247. In step 249, the profile installer A 113a informs the profile manager 111 that the deactivation of the previous profile was successful. In step 251, the profile manager 111 transmits profile change success information to the SM-SR 210 so that the communication service provider that performed the previous communication (i.e., MNO A) is instructed to deactivate the profile. In step 253, the SM-SR 210 informs the communication service provider that performed the previous communication (i.e., MNO A) to deactivate the profile. In step 255, the device 100 communicates with the new communication service provider (i.e., MNO B) using the newly installed profile B 115b.
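The checks and ordering of steps 209 to 249 can be modelled as follows. This is an added example, not code from the patent: the identifiers, the sample database and the shared installer credential are constructed, and HMAC-SHA256 authentication stands in for the SM-DP's profile encryption, so confidentiality is not modelled.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: for each MNO, the profile IDs it owns and the
# eSIM ID each one is allocated to (the checks of steps 215-1 and 215-2).
MNO_PROFILE_DB = {
    "MNO-A": {"profile-A-001": "esim-0001"},
    "MNO-B": {"profile-B-001": "esim-0001", "profile-B-002": "esim-0002"},
}


class ProfileChangeError(Exception):
    """Raised when any verification step of the profile change fails."""


def smdp_verify(mno: str, profile_id: str, esim_id: str) -> None:
    """SM-DP check: the profile ID belongs to the MNO and to this eSIM."""
    owned = MNO_PROFILE_DB.get(mno, {})
    if profile_id not in owned:
        raise ProfileChangeError("profile ID does not belong to " + mno)
    if owned[profile_id] != esim_id:
        raise ProfileChangeError("profile ID is not allocated to this eSIM")


def smdp_wrap(profile: dict, credential: bytes):
    """Step 217 stand-in: serialize the profile and authenticate it with HMAC."""
    blob = json.dumps(profile, sort_keys=True).encode()
    return blob, hmac.new(credential, blob, hashlib.sha256).digest()


@dataclass
class EmbeddedSim:
    esim_id: str
    credential: bytes  # hypothetical shared profile installer credential
    profiles: dict = field(default_factory=dict)
    active: Optional[str] = None

    def install(self, blob: bytes, tag: bytes) -> str:
        """Profile installer (steps 223-227): authenticate, then install."""
        expected = hmac.new(self.credential, blob, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ProfileChangeError("profile failed authentication")
        profile = json.loads(blob)
        if profile["esim_id"] != self.esim_id:
            raise ProfileChangeError("profile was prepared for another eSIM")
        self.profiles[profile["profile_id"]] = profile
        return profile["profile_id"]

    def switch(self, new_id: str) -> Optional[str]:
        """Steps 235-249: activate the new profile, then deactivate the old."""
        if new_id not in self.profiles:
            raise ProfileChangeError("profile is not installed")
        previous, self.active = self.active, new_id
        return previous


def change_profile(esim, smdp_credential, mno, profile_id):
    """Run the verified change; the eSIM is untouched if any check fails."""
    smdp_verify(mno, profile_id, esim.esim_id)
    profile = {"profile_id": profile_id, "mno": mno, "esim_id": esim.esim_id}
    blob, tag = smdp_wrap(profile, smdp_credential)
    installed = esim.install(blob, tag)
    previous = esim.switch(installed)
    return {"active": esim.active, "deactivated": previous,
            "cause": "profile inactive"}


def demo():
    key = b"constructed-installer-credential"
    sim = EmbeddedSim("esim-0001", key, {"profile-A-001": {"mno": "MNO-A"}},
                      "profile-A-001")
    return change_profile(sim, key, "MNO-B", "profile-B-001")


if __name__ == "__main__":
    print(demo())
```

A request naming a profile ID that MNO B does not own, or one allocated to a different eSIM, is rejected before anything is installed, so profile A stays active.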

According to the embodiment of the present invention, a device that communicates with a communication provider can have set in its built-in SIM an identifier, security information, and the like for performing communication in the communication service provider's network. Also, the communication service provider of the built-in SIM can be changed by changing and setting the corresponding information from each related network entity. Therefore, communication can be performed securely, and the related security problem in changing the information of the communication carrier can be solved.

In addition, according to the embodiment of the present invention described above, it is possible to identify a user like a conventional SIM in a built-in SIM and to change a communication carrier during a product life cycle without being restricted to one communication carrier, SIM reuse is possible.

Further, according to the embodiment of the present invention, information and security information related to communication are securely changed and set in the built-in SIM in various communication systems that can use the built-in SIM, thereby enhancing the efficiency and security of communication.

Hereinafter, another embodiment of the present invention will be described in which a procedure and management method related to initial information setting and information setting of the built-in SIM in a device using the built-in SIM, and a security method are provided. Other embodiments of the present invention can also be applied to various wired / wireless communication systems that can use the built-in SIM as well as the EPS system, UTRAN, GERAN based on 3GPP.

FIG. 3 is a diagram illustrating an example of a communication system using a built-in SIM according to another embodiment of the present invention. The embodiment of FIG. 3 illustrates a communication environment for initialization related to communication and/or security of an embedded SIM (eSIM), for example, in a 3GPP-based EPS system.

In the present embodiment as well, the device 500 using the built-in SIM 510 at the time of performing communication may be a mobile communication terminal or any of the various devices having a communication function described in the background art. In the embodiment of FIG. 3, the embedded SIM 510 includes a profile manager 511, a profile installer 513, and a profile 515. The profile installer 513 performs a function of installing the profile 515 in the built-in SIM 110. The profile manager 511 performs the routing and management functions of the profile 515.

The profile 515 includes a network identifier, a security key, and the like necessary for performing a communication function with a communication service provider. The network identifier, the security key, and the like described in the embodiment of FIG. 1 can be equally used in the embodiment of FIG. Since the basic structure of the profile 515 is the same as that described with reference to FIG. 2A, a detailed description thereof will be omitted.

In the embodiment of FIG. 3, only one profile installer and the number of profiles are shown, but a profile installer and a profile may be provided corresponding to the number of available carriers as in the embodiment of FIG. And the subscription request information (or customer information) for setting the profile 515 necessary for the built-in SIM 510 may be provided in the same manner as the embodiment of FIG.

In FIG. 3, the embedded SIM 510 is produced and distributed through an embedded SIM (eSIM) supplier 400, and is also distributed by a device vendor 40 in the form of a device containing the embedded SIM 510. The embedded SIM (eSIM) supplier 400 can deliver the security-related keys and related data required for the embedded SIM 510, and also provides the necessary security-related keys and associated data to the subscription manager (SM).

In FIG. 3, the SM 500 includes a subscription manager-secure routing part (SM-SR) 510, a subscription manager-data provisioner part (SM-DP: subscription manager-data preparation part) 530. Since the basic functions are the same, a detailed description will be omitted.

The MNO 700 is connected to the MNO network 710, the MNO OTA 730, and the MNO OMA 750 via the connection-related data and the secret key. The basic operation of each element of the MNO 700 is the same as in the embodiment of FIG. 1, so a detailed description thereof is omitted.

In the system of FIG. 3, the device 500 performing communication can initially set, in the embedded SIM 510, a network identifier, security information, etc. (hereinafter, "initial information") for performing communication. This embodiment of the present invention proposes a concrete procedure for solving the security problems that arise in the process of setting the initial information in the embedded SIM 510.

FIGS. 4A and 4B are flowcharts illustrating a specific procedure of a method of managing a built-in SIM in a communication system according to another embodiment of the present invention, showing the communication and security procedures for initial information setting of the embedded SIM 510.

Referring to FIG. 4A, in step 401, the embedded SIM provider 400 assigns the embedded SIM identifier to the embedded SIM 510. Such an embedded SIM identifier is an identifier that can be uniquely identified, and can be uniquely identified using a conventional ICC-ID (Integrated Circuit Card ID). The ICC-ID is an identifier that can uniquely identify the SIM internationally. In step 403, the allocated SIM ID is transmitted to the SM 600.

In step 405, the embedded SIM provider 400 assigns a profile installer credential to the profile installer 513. The profile installer credential may include information such as the secret (private) key of the embedded SIM 510, which is used to decrypt the encrypted profile information. This process is similar to step 225, whose description applies here. In step 409, the embedded SIM provider 400 also assigns to the profile manager 511 the profile management credential or the IP address of the SM-SR 610 to which it will initially connect. The profile management credential is the credential that the profile manager 511 needs in order to communicate with the SM-SR 610.

In step 407, the built-in SIM provider 400 transmits SM-DP security information to the SM-DP 630. The SM-DP security information may include information such as a public key of the embedded SIM 510, and the public key is used for encrypting the profile information. In yet another embodiment, the SM-DP 630 may send an implicit certificate including its own public key and a digital signature. In step 411, the embedded SIM provider 400 also delivers the SM-SR security information to the SM-SR 610.

In FIG. 4A, operations 403, 407, and 411 may be performed in parallel, or operations 401, 405, and 409 may be performed first, or operations 403, 407, and 411 may be performed first. That is, the order of the operations may be modified in various ways.

In step 413, the MNO 700 may transmit the profiles to the SM 600. A secure connection must therefore be established between the SM 600 and the MNO 700 in advance. Although not shown, the MNO 700 may send the profiles to the SM-SR 610 or the SM-DP 630 of the SM 600, and this can be implemented in different ways depending on how the profiles are managed in the SM 600.

For example, the following two methods are proposed for managing profiles in the SM 600. The first method is to provide the SM 600 with a profile-related database (not shown) and manage that database. In this case, the SM-DP 630 or the SM-SR 610 queries the database when profile-related data is needed. For example, the SM-DP 630 may query the database, encrypt the relevant profile data, and transmit the encrypted profile data to the SM-SR 610.

In the second method of managing profiles in the SM 600, the profile-related data is stored separately in the SM-DP 630 and the SM-SR 610, and each queries its own data when necessary. With the second method, the data required in each database can be queried and used according to the required functions, and the method can be used when the SM-DP 630 and the SM-SR 610 are operated separately. That is, the operation of the SM-SR 610, the SM-DP 630, and the SM 600 may differ depending on which of the two methods is used.

Meanwhile, the subscription request and response for communication with the MNO in steps 415-1 through 419 of FIG. 4A, and the mutual authentication operation, are the same as those in steps 203-1 and 203-2 through 207 in FIG. 2A.

Such a subscription request may be triggered by the M2M service provider as a device to initiate the process of provisioning the device to the embedded SIM. In this case, the built-in SIM has a provisioning profile and the like, and it is possible to perform a process of receiving a profile by connecting to a specific SM through a network of a specific carrier.

In steps 417-1 and 417-2, which are responses to the subscription request, the MNO 700 transmits a profile identifier (profile ID), an identifier or address of the SM 600 (for example, an IP address of the SM), an embedded SIM identifier, and so on.

In the present embodiment, the profile identifier is configured, for example, as follows. The profile identifier includes a telecom identifier, a country code, a network code, a production date and month, a switch configuration code, a SIM number, and a check digit (19 digits). Because the profile operates like a new SIM, built-in SIM category information is added so that the profile identifier can be distinguished from the built-in SIM information.

In other words, the built-in SIM information used to identify the built-in SIM, for example the ICCID, contains information such as a communication company, a country code, and a network code. One method is to fill these information fields with the carrier, country code, and network code information that is actually assigned. That is, the built-in SIM information (for example, the ICCID) may be combined with the built-in SIM category information (for example, carrier, country code, and network code information).

As another example, in addition to the built-in SIM information, category information, that is, a category field or category indicator showing that the SIM is a built-in SIM, may be concatenated with the carrier, country code, and network code information, so that the identifier can be recognized as a profile rather than a built-in SIM.

In another embodiment, instead of leaving the communication company, the country code, and the network code empty when the built-in SIM identifier is assigned, a unique value is assigned as the built-in SIM category information so that the built-in SIM can be uniquely distinguished, and the carrier, country, and network information are provided after the profile is allocated. In this way the built-in SIM identifier merely identifies the built-in SIM, while the profile identifier provides the actual communication carrier, country, and network code information.

In another embodiment, the profile identifier can be configured by concatenating, to the built-in SIM identifier, an identifier uniquely assigned for each communication provider. In another embodiment, when the profile is managed using the MSISDN, the MSISDN can be used as the profile identifier. As in the above embodiments, the profile identifier or the built-in SIM identifier in the present invention may be configured in various forms.

After the mutual authentication operation is performed in step 419, the device 500 transmits the built-in SIM identifier (ID), the profile identifier (profile ID), and capability-related information of the embedded SIM to the SM 600 in step 421. Here, the capability-related information of the built-in SIM includes the algorithms that the built-in SIM can support, a card application toolkit (CAT) for supporting the management of the embedded SIM, OTA capability, capacity, memory usage, and the like.

In step 423, the SM 423 transfers the built-in SIM identifier and the profile ID to the SM-SR 610. In step 425, the SM-SR 610 transmits the built-in SIM identifier and the profile identifier to the SM- . In another embodiment, steps 423 and 425 may be performed in a single process according to how profile-related data is managed in the SM 600 in the SM 200.

Referring to FIG. 4B, in step 427-1 or 427-2, it is verified whether the profile ID belongs to the corresponding MNO. The verification operation is the same as the description of steps 215-1 and 215-2 in the embodiment of FIG. 2B, and a detailed description thereof will be omitted.
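The checks an SM can make on the request of steps 421 to 427, using what it learned in steps 403 and 413, can be modelled as follows. This is an added example, not code from the patent: the class and method names, the 19-digit Luhn check on the ICC-ID, the binding of a profile ID to one eSIM identifier, and all sample identifiers are assumptions.

```python
from dataclasses import dataclass, field

def _luhn_sum(digits: str) -> int:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total

def with_check_digit(body: str) -> str:
    """Append the Luhn check digit used by ICC-IDs to an 18-digit body."""
    return body + str((10 - _luhn_sum(body + "0") % 10) % 10)

def iccid_ok(iccid: str) -> bool:
    # Assumption: the eSIM identifier is a 19-digit ICC-ID with a Luhn check digit.
    return (iccid.isascii() and iccid.isdigit() and len(iccid) == 19
            and _luhn_sum(iccid) % 10 == 0)

@dataclass
class SubscriptionManager:
    esims: set = field(default_factory=set)    # step 403: IDs sent by the eSIM supplier
    owner: dict = field(default_factory=dict)  # step 413: profile ID -> MNO that sent it
    issued: dict = field(default_factory=dict) # assumed: profile ID -> eSIM ID it is meant for

    def register_esim(self, iccid: str) -> None:
        if not iccid_ok(iccid):
            raise ValueError("malformed ICC-ID")
        self.esims.add(iccid)

    def deposit_profile(self, mno: str, profile_id: str, iccid: str) -> None:
        self.owner[profile_id] = mno
        self.issued[profile_id] = iccid

    def verify(self, iccid: str, profile_id: str, mno: str):
        """Steps 421 to 427: may this profile be prepared for this eSIM?"""
        if not iccid_ok(iccid) or iccid not in self.esims:
            return False, "unknown or malformed eSIM identifier"
        if self.owner.get(profile_id) != mno:
            return False, "profile ID does not belong to this MNO"
        if self.issued.get(profile_id) != iccid:
            return False, "profile was not issued for this eSIM"
        return True, "ok"

def demo() -> dict:
    a = with_check_digit("898201234567890123")  # constructed sample ICC-IDs
    b = with_check_digit("898201234567890124")
    sm = SubscriptionManager()
    sm.register_esim(a)
    sm.register_esim(b)
    sm.deposit_profile("MNO-A", "profile-001", a)  # constructed names
    return {
        "legit": sm.verify(a, "profile-001", "MNO-A"),
        "wrong_mno": sm.verify(a, "profile-001", "MNO-B"),
        "wrong_esim": sm.verify(b, "profile-001", "MNO-A"),
        "unregistered": sm.verify(with_check_digit("898201234567890125"), "profile-001", "MNO-A"),
        "bad_check_digit": sm.verify(a[:-1] + "0", "profile-001", "MNO-A"),
    }
```

Only the first request in `demo()` is accepted; each of the others fails a different check before any profile data would be encrypted and sent.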

Thereafter, in the embodiment of FIG. 4B, the operations up to step 439, in which the SM-DP encrypts the profile, the encrypted profile is transmitted to the device 500, and the device 500 decrypts the encrypted profile and installs it, are the same as steps 217 to 227 in the embodiment of FIG. 2B, and therefore a detailed description thereof is omitted.

When the profile for the MNO is set in the built-in SIM according to the above procedure, the built-in SIM informs the SM-SR 610 that the profile installation is successful, and the SM-SR 610 informs the SMO- The SM-SR 610 informs the SM-DP 610 that the profile has been successfully installed in the embedded SIM, or if the SM-DP 630 is implemented as a separate network entity, 630 informs the built-in SIM that the profile has been successfully installed and the IMSI 700 notifies the HLR (Home Location Register) / HSS (Home Subscriber Server) (not shown) or an MSISDN (Mobile Station International Subscriber Directory Number), and also stores information such as an ICCID, a profile identifier, an IMSI, and a security key K, which are internal SIM identifiers, in an AUC (authentication center) of the corresponding provider.

The device 500 then performs communication with the MNO 700 using the built-in SIM 510 according to steps 441 to 445.

Therefore, according to another embodiment of the present invention, a device performing communication can set up and be provided with the identifier, security information, and the like needed to communicate using a built-in SIM at initial setting, and the security problems that arise when setting the initial information of the built-in SIM can be solved.

According to another embodiment of the present invention, since the initial information of the built-in SIM can be easily set, the device is not limited to a single communication service provider; the service provider can be changed during the lifecycle of the device, so that it can be reused.

While the present invention has been described in connection with what is presently considered to be the most practical and preferred embodiment, it is to be understood that the invention is not limited to the disclosed embodiments, but is capable of various modifications within the scope of the invention. Therefore, the scope of the present invention should not be limited to the described embodiments, but should be determined by the scope of the appended claims, and equivalents thereof.

Claims (4)

1. A method for managing an embedded SIM in a communication system, comprising:
sending a request to a communication system for a device including a built-in SIM using a first profile of a first MNO to change a profile to a second profile of a second MNO; and
receiving a second profile of the second MNO that is verified from the communication system.

2. The method according to claim 1,
wherein the second profile of the second MNO is encrypted and transmitted in the communication system.

3. A method for managing an embedded SIM in a communication system, comprising:
receiving a built-in SIM identifier from an embedded SIM provider; and
performing a subscription request for communication with the MNO using the assigned internal SIM identifier and receiving a verified profile for the MNO from the communication system.

4. The method of claim 3, further comprising:
receiving a profile installer credential including a secret key from the built-in SIM provider; and
decrypting the received profile using the assigned profile installer credential.

KR1020120117565A 2012-10-22 2012-10-22 Method and apparatus for managing an embedded subscriber identity module in a communication system KR20140051018A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020120117565A KR20140051018A (en) 2012-10-22 2012-10-22 Method and apparatus for managing an embedded subscriber identity module in a communication system

Publications (1)

Publication Number Publication Date
KR20140051018A true KR20140051018A (en) 2014-04-30

Family

ID=50655917

Country Status (1)

Country Link
KR (1) KR20140051018A (en)

Legal Events

Date Code Title Description
WITN Withdrawal due to no request for examination