SE2251044A1 - Methods, apparatuses, and a network for providing connectivity to a wireless device - Google Patents

Info

Publication number
SE2251044A1
Authority
SE
Sweden
Prior art keywords
network
sim
wireless device
identity
subscription
Application number
SE2251044A
Inventor
Nabil Benjelloun
Original Assignee
Atlastica Ab
Application filed by Atlastica Ab
Priority to SE2251044A (SE2251044A1)
Priority to PCT/EP2023/074155 (WO2024052271A1)
Publication of SE2251044A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/20 Transfer of user or subscriber data
    • H04W8/205 Transfer to or from user equipment or user record carrier
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/06 Authentication
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • H04W12/35 Protecting application or service provisioning, e.g. securing SIM application provisioning
    • H04W12/40 Security arrangements using identity modules
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/72 Subscriber identity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments herein relate to methods, apparatuses, and a network for providing temporary connectivity to a wireless device (120) equipped with a SIM, for enabling in-field provisioning of permanent subscriptions to the device in a network. The method comprises: the device (120) autonomously selecting a subscription identity from one or more pools; the device (120) requesting attachment to a network (130, 140); the network (130, 140) providing, to the device (120), temporary connectivity to the network (130, 140); the device (120) gathering information from the SIM (110), the device (120) and the network (130, 140), and encrypting the gathered information; the device (120) sending the encrypted information to a server (160); the server (160) attempting to decrypt the received information using one or more decryption keys. If decryption is successful and the SIM is identified, the server (160) selects an application server (170) and shares the decrypted information with it, and the server (160) allows the device (120) access during a pre-determined time period or for the duration of a session.

Description

TECHNICAL FIELD
The present disclosure relates generally to the field of data communications, and more particularly to a network or a wireless communications network, methods, and apparatuses for providing temporary connectivity to a wireless device equipped with a subscriber identity module (SIM), for enabling in-field provisioning of permanent subscriptions to the wireless device in a wireless communications network.
BACKGROUND
Communications devices, also known as wireless devices or User Equipments (UEs), such as mobile phones, smart phones, or personal computers (such as laptops), allow a subscriber to attach to a network and communicate with other devices. Furthermore, a growth area is that of machine-to-machine (M2M) communication or Internet-of-Things (IoT), in which communications are sent between different devices without human intervention. Examples of the use of M2M communication include the provision of sensor networks, surveillance equipment, vehicle fleet management, vending machines, monitoring of manufacturing and so on. It is predicted that there will be billions of M2M devices.
When a wireless device wishes to attach to an existing third generation partnership project (3GPP) mobile access network, it must register with the network and be authenticated. Registration and authentication are handled using information contained in a Subscriber Identity Module (SIM) or Universal Subscriber Identity Module (USIM) at the device. Each device is uniquely identified by an International Mobile Subscriber Identity (IMSI) that is stored at the SIM/USIM.
With the introduction of M2M and IoT, the population of networks becomes much more complex. Machines' behavior may at first appear predictable, as they act as programmed, but an unforeseen bug in a software update or a sudden loss of connectivity affecting a large population can inadvertently trigger the M2M/IoT devices to generate an overwhelming amount of signalling, all aimed at the cellular operator's core infrastructure, also affecting signalling and transit infrastructure between the cellular network operators.
One such event is the so-called signalling storm, where a large number of M2M/IoT devices for some reason become synchronized and repeatedly attempt to connect to the network for access at the same time, over and over again, effectively creating a large-scale distributed denial of service attack which may severely affect the networks' functionality. SE 1900209 A1 describes a mitigation of such an event where the origin is a deliberate attack. In detail, SE 1900209 A1, Applicant's publicly available patent application, describes a method performed by a server node function (a Gatekeeper). In the method, the Gatekeeper, in coordination with a subscriber identity component in a wireless device, is used to identify and separate legitimate attempts to register to a network from fraudulent ones, with the intent of securing access to the network for the legitimate wireless device(s). The Gatekeeper registers a new attempt to register to the network using a unique subscriber identity (e.g., IMSI). The Gatekeeper then determines whether or not a potential attack using the same unique subscriber identity has occurred, and instructs the legitimate subscriber identity component to execute an algorithm generating a new set of authentication parameters. The legitimate wireless device then performs a new attempt to register to the network using the newly generated set of authentication parameters.
Another of Applicant's publicly available patent applications, SE2030172 A1, describes a method solving a problem in a scenario where a network operator is faced with significantly increased load on its authentication server(s). The method is applied to network attach requests received at the home network from external subscriptions using external networks, where the Gatekeeper is capable of effectively distributing the requests over a set of internal subscription resources contained in a set of authentication servers, in a way that allows the network to manage the traffic peak by reducing the load any single element is required to handle.
There are, however, unsolved problems that the embodiments of the present invention address or solve. For example, a problem exists when deploying subscription resources in a non-uniquely assigned, pooled manner, leading to the issue of how one can appropriately allocate authentication parameters to a randomly selected subscription identity or subscription resource from the pool. Another problem solved by the embodiments of the present invention is how to provide and/or increase security in a wireless communications network when a wireless device requests attachment to a cellular network using a subscription identity that is randomly selected by the wireless device, and also how the network allows or restricts such a request in a secure manner without jeopardizing security in the wireless network for wireless devices that are already attached to the network and/or wireless devices desiring to attach to the same network.
The embodiments of the present invention also fill a gap between traditional cellular connectivity and Over-The-Top (OTT) authentication/identification. Where OTT cares only about the user/subscriber/wireless device and cellular connectivity is just a path, the present invention focuses in some embodiments on identifying the connection, the wireless device, and the SIM that the user uses to connect, being capable of isolating it completely in case it fails to authenticate.
There is therefore a need for methods, apparatuses, and a (wireless communications) network for providing temporary connectivity to a wireless device equipped with a SIM, for enabling in-field provisioning of permanent subscriptions to the wireless device in a wireless communications network.
SUMMARY
It is an object of embodiments herein to provide a solution to the above discussed problem(s).
According to an aspect of embodiments herein, there is provided a method in a network for providing connectivity to a wireless device equipped with a SIM, the method comprising:
- the wireless device, by means of the SIM, autonomously selecting a subscription identity from one or more pools of subscription identities;
- the wireless device requesting attachment to a cellular network using the selected subscription identity;
- the cellular network providing, to the wireless device, temporary connectivity to the cellular network;
- the wireless device, by means of the SIM, gathering information from the SIM, the wireless device, and the cellular network, and encrypting the gathered information;
- the wireless device sending the encrypted information to a network server;
- the network server attempting to decrypt the received encrypted information using one or more decryption keys.
If decryption of the received encrypted information is successful and the SIM is identified, the method further comprises the network server selecting an application server and sharing the decrypted information with the application server, and the network server allowing the wireless device access to, or to communicate with, the selected application server during a pre-determined time period or for the duration of a session.
There are also provided embodiments of the method in the network according to any one of claims 2-4. There is also provided a network according to any one of claims 11-14.
According to another aspect of embodiments herein, there is also provided a method in a network server in a network for providing connectivity to a wireless device equipped with a SIM, where the method is performed as defined in method claims 5-7.
A network server is also provided comprising a processor and a memory containing instructions executable by the processor, whereby the network server is operative to perform any one of the subject-matter of method claims 5-7.
According to yet another aspect of embodiments herein, there is provided a method performed by a wireless device equipped with a SIM, according to any one of method claims 8-10.
According to yet another aspect of embodiments herein, there is provided a wireless device equipped with a SIM, the wireless device comprising a processor and a memory containing instructions executable by the processor, whereby the wireless device is operative to perform any one of the subject-matter of method claims 8-10.
An advantage of embodiments of the present invention is to allow a user or a wireless device (e.g., a corporate entity issuing massive amounts of devices using shared cellular connectivity) to be absolutely certain of the SIM or eSIM a specific user/device/UE is using. This in turn enables the same to emulate end user activity to fully automate preparation, provisioning and download of a permanent subscription profile.
Another advantage of the embodiments herein is that, following identification and authentication, the present invention allows sharing the temporary address where the identified device/UE/SIM currently can be reached with an external endpoint, so that it can initiate contact.
Yet another advantage of the present invention is to identify the wireless device used, information which can be shared with a device management platform for firmware upgrade queries. Since the cellular connectivity medium is shared and time limited, the present invention can interact with a device management platform to allocate an extended time slot in case an upgrade is required. In addition, pending identification and authentication of the SIM, the teaching of the present invention enables the user (e.g., a corporate entity issuing massive amounts of devices using shared cellular connectivity) to restrict service usability to only a few select endpoints, thereby effectively isolating the device.
Additional advantages achieved by the embodiments of the present invention will become apparent from the following detailed description when considered in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
Examples of embodiments herein are described in more detail with reference to the attached drawings, in which:
Figure 1 illustrates a simplified example of an overview of a network wherein some exemplary embodiments herein may be applied.
Figure 2 illustrates an example of an overview of the network wherein embodiments herein may be employed.
Figure 3 illustrates a flowchart of a method performed in the network according to some embodiments herein.
Figure 4 illustrates a flowchart of a method performed in a server according to some embodiments herein.
Figure 5 illustrates a flowchart of a method performed in a wireless device according to some embodiments herein.
Figure 6 illustrates a simplified block diagram of a server according to some embodiments herein.
Figure 7 illustrates a simplified block diagram of a wireless device according to some embodiments herein.
Figures 8A-8B illustrate four network diagrams similar to Figure 1, wherein OTT may be applied.
DETAILED DESCRIPTION
In the following, a detailed description of the exemplary embodiments is presented in conjunction with the drawings to enable easier understanding of the solution(s) described herein.
Referring to Figure 1, there is illustrated a simplified example of an overview of a network 100 wherein some exemplary embodiments herein may be applied. As shown, the network 100 comprises the following entities:
110: SIM
A SIM-card can be identified uniquely by its ICCID. ICCID stands for Integrated Circuit Card Identification Number. It is a unique 18-22 digit code that includes a SIM card's country, home network, and identification information. The ICCID may be printed on the back of a SIM card, but sometimes it is included in the packaging materials instead.
A subscription ID is typically identified by its International Mobile Subscriber Identity (IMSI). It is a unique number that Mobile Network Operators (MNOs) use to recognize individual subscribers, and it is a key component of a SIM profile.
IMSI numbers are usually 15 digits, and they have three distinct parts:
1. The first set of digits is the Mobile Country Code (MCC), which defines the country a subscriber primarily operates within. This is either two or three digits.
2. The second set of digits is the Mobile Network Code (MNC), which identifies the specific MNO a subscriber is associated with. This is between one and three digits.
3. The final set of digits is the Mobile Subscription Identification Number, which is unique to the subscriber. (This is typically nine or ten digits.)
It should be noted that an IMSI is not the same as an Integrated Circuit Card Identification (ICCID) number. While they are both parts of the SIM profile, an IMSI identifies the subscriber, whereas the ICCID identifies the SIM card itself. Multiple SIM cards will have the same IMSI if they're associated with the same subscriber, but they will each have a unique ICCID.
120: Device (Consumer or M2M or any suitable wireless device)
A device can be identified uniquely by its IMEI number (International Mobile Equipment Identity). The IMEI is a serial number that the manufacturer assigns to cellular devices. Just as people have their own ID (IDentity) number and every car has a vehicle number, every cellular device with a SIM card can be precisely identified by a so-called IMEI. The IMEI is usually a 15-digit number and is guaranteed to be globally unique, meaning dual SIM devices have two IMEI numbers due to their two SIM card slots.
130: Visited cellular network
A visited network usually has a visited network identity (MCC/MNC). The network identifier specifies which external network the gateway connects to, and the operator identifier indicates which MNO the gateway is associated with. The operator identifier includes two parts: the Mobile Network Code (MNC) and the Mobile Country Code (MCC). The MNC is unique to the carrier, and the MCC is based on the region a carrier operates in. Usually, the MNC and MCC are three digits. It should be noted that by visited cellular network it is not necessarily meant a network to which the wireless device roams. It could be a visited network in the same country but belonging to another operator, or the same operator having different networks within the same country, or a visited network in another country.
140: Home network HLR/HSS (Home Location Register / Home Subscriber Server)
A Home Location Register (HLR) is a database that contains subscriber information such as the International Mobile Subscriber Identity (IMSI), the phone number associated with the subscriber (the MSISDN), their account status, and their last known location. Home Location Registers are a component of 2G and 3G mobile networks. Every cellular carrier that facilitates telecommunications on one of these networks maintains its own HLR. Instead of an HLR, 4G networks have a Home Subscriber Server (HSS). In 5G networks, Unified Database Management (UDM) performs these functions.
150: Home network Packet Data Network Gateway (PGW) and/or Serving Gateway (SGW)
The SGW routes incoming and outgoing Internet Protocol (IP) packets for improved system collaboration and serves as an anchor for the UE/wireless device when it moves from one radio network node (e.g., base station, eNodeB, eNB, gNB etc.) to another. The PGW is a network node that connects e.g., an Evolved Packet Core (EPC) (in case of LTE) to external IP networks. What the PGW does is route packets to and from external IP networks.
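The three identifiers introduced above (ICCID for the card, IMSI for the subscription, IMEI for the device) each have a fixed structure, and an EPX that receives them in a decrypted package would sanity-check them before acting on them. The following is an added example, not code from the patent or from Atlastica. It assumes a 3-digit MCC with a 2- or 3-digit MNC whose length the caller knows for that MCC (in practice from an operator table), a 15-digit IMEI and an 18-22 digit ICCID, with IMEI and ICCID carrying a Luhn check digit as their last digit; the sample identifiers in the test are constructed.

```python
"""Parsing and sanity checks for SIM, subscription and device identifiers.

Added example (not the patent's code). Assumes a 3-digit MCC, a 2- or 3-digit
MNC whose length the caller supplies for that MCC, a 15-digit IMEI and an
18-22 digit ICCID, the last two carrying a Luhn check digit as the final digit.
"""
from dataclasses import dataclass


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a digit string whose last digit is the check digit."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Imsi:
    mcc: str
    mnc: str
    msin: str

    @property
    def plmn(self) -> str:
        """Home PLMN identity, i.e. MCC followed by MNC."""
        return self.mcc + self.mnc


def parse_imsi(imsi: str, mnc_len: int = 2) -> Imsi:
    """Split a 15-digit IMSI into MCC (3 digits), MNC (mnc_len digits) and MSIN."""
    if not (imsi.isdigit() and len(imsi) == 15):
        raise ValueError("IMSI must be exactly 15 digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return Imsi(imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:])


def valid_imei(imei: str) -> bool:
    """15 digits; the 15th is the Luhn check digit over the first 14."""
    return len(imei) == 15 and luhn_ok(imei)


def valid_iccid(iccid: str) -> bool:
    """18-22 digits, Major Industry Identifier 89 (telecom), Luhn check digit last."""
    return 18 <= len(iccid) <= 22 and iccid.startswith("89") and luhn_ok(iccid)


def attached_via_home_plmn(imsi: Imsi, visited_mcc: str, visited_mnc: str) -> bool:
    """True when the visited PLMN equals the subscription's home PLMN.

    False covers all three 'visited' cases the description lists: another
    operator in the same country, another network of the same operator, or
    a network abroad.
    """
    return imsi.plmn == visited_mcc + visited_mnc


def check_package_identities(iccid: str, imei: str, imsi: str, mnc_len: int = 2) -> dict:
    """Checks an EPX would apply to the identities carried in a decrypted package."""
    problems = []
    if not valid_iccid(iccid):
        problems.append("iccid")
    if not valid_imei(imei):
        problems.append("imei")
    try:
        parsed = parse_imsi(imsi, mnc_len)
    except ValueError:
        parsed = None
        problems.append("imsi")
    return {"ok": not problems, "problems": problems, "imsi": parsed}
```

A failed check digit on the ICCID or IMEI says nothing about who sent the package, only that the value is malformed; identification itself rests on the per-SIM decryption key, as described under the EPX.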
EPC is a framework for providing converged voice and data on a 4G Long-Term Evolution (LTE) network. 2G and 3G network architectures process and switch voice and data through two separate sub-domains: circuit-switched (CS) for voice and packet-switched (PS) for data. Evolved Packet Core unifies voice and data on an Internet Protocol (IP) service architecture, and voice is treated as just another IP application. This allows operators to deploy and operate one packet network for 2G, 3G, WLAN, WiMax, LTE and fixed access (Ethernet, DSL, cable and fiber). In a 5G mobile network, the EPC is known as the 5GC (5G Core). The 5GC establishes reliable, secure connectivity to the network for end users and provides access to its services. The core domain handles a wide variety of essential functions in the mobile network, such as connectivity and mobility management, authentication and authorization, subscriber data management and policy management, among others. 5G Core network functions are completely software-based and designed as cloud-native, meaning that they are agnostic to the underlying cloud infrastructure, allowing higher deployment agility and flexibility.
160: Home network EPX
An EPX (EnterWorks Process Exchange), according to embodiments of the present invention, is a server-side endpoint configured to receive an information package from SIM-cards using a service. The EPX is configured to hold decryption keys for all SIMs deployed and uses these to decrypt the contents of the information package. If decryption is successful and the SIM could be identified, the EPX is also responsible for selecting the appropriate Application server 170 (which may be one of many servers 170, as shown in Figure 1) to be used for the identified SIM, for restricting and unrestricting communication towards said Application server 170 at the right time or as a consequence of a specific event, and for rejecting any and all external communication if the SIM could not be identified.
170: Application server (for example SM-DP/SM-SR (Subscription Manager - Data Preparation / Subscription Manager - Secure Routing))
A Subscription Manager Data Preparation (SM-DP) is an entity which operators use to securely encrypt their operator credentials ready for over the air installation within the SIM.
A Subscription Manager Secure Routing (SM-SR) is an entity that is configured to securely deliver the encrypted operator credentials to the SIM and then, once the credentials are installed, remotely manages the SIM thereafter (enable, disable and delete the credentials as necessary during the product's lifetime).
According to an embodiment of the present invention, there is provided an encrypted package that can be sent by a software component (of the invention, on the SIM) to the server-side endpoint (EPX). The package may contain, for example, a SIM ID (ICCID), a Device ID (IMEI), a (the temporary bootstrap) Subscription ID (IMSI) and a Visited network (MCC/MNC). The encrypted package may also include additional information. More details on encryption and the use of one or more of the information/identities will be explained when describing some exemplary embodiments of the present invention.
According to exemplary embodiments of the present invention, when using shared cellular subscriptions with the purpose of providing temporary or intermittent connectivity, one of the key challenges is to identify the actual user, wireless device or SIM currently using a certain cellular subscription, as well as to determine its entitlements and access rights. In a traditional setup this is trivial, as the device address is linked to exactly one subscription, which is linked to exactly one SIM: the relation between device address, subscription and SIM is always 1:1:1, and the connection can be made in the control plane already. But when using shared cellular subscriptions, the Subscription ID is not permanently linked to anyone or anything. This means that the relation between the three changes to 1:any:1, which translates to it being impossible to discover the SIM ID from the Device address in the control plane without further assistance.
A problem when using shared cellular subscriptions is that, in the control plane, it is not possible to:
- Authenticate the device (as 'the wireless device')
- Identify the device
- Decide the appropriate end point for the device
- Understand if the wireless device is allowed to access certain end-points or not
- Provide the 'delivery address' of the wireless device to end-point applications (i.e., "how can end-point applications reach the wireless device")
Consider in-field provisioning of permanent subscriptions (Remote Subscription Provisioning or RSP) as an example. In a traditional setup, the SIM 110 (e.g., SIM A) would be provisioned with a subscription (Subscription B) at production. Subscription B would be permanently associated with an MSISDN (e.g., MSISDN X) in the Home network SDM (Subscriber Data Management) 140. When connecting to a visited network 130, the Application server 170 would look at the originating MSISDN and conclude that the SIM 110 is indeed SIM A, since no-one else is configured to use MSISDN X. Furthermore, it can be sure that it will reach SIM A and only SIM A when using this address once the permanent connectivity profile has been selected and is ready to be provisioned. An MSISDN is usually the phone number one uses to connect with a specific mobile user on a network. Any time one calls or texts someone, one is using the MSISDN to reach them, and they use one's MSISDN to identify one.
In the scenario the present invention envisions, where temporary cellular connectivity is provided using shared cellular subscriptions, many SIM-cards are provisioned with the same pool of subscriptions or subscription identities (in the order of hundreds of thousands of SIMs and tens of thousands of subscriptions), where any SIM 110 may pick any subscription to use for temporary cellular access. It should be noted that, without the present invention in place, the Application server 170 would not be able to identify, in a secure manner, the SIM 110 originating the request to be provisioned with a permanent subscription by only looking at the MSISDN or IP address it presents, as these addresses can be associated with any SIM in the deployment. In the prior art it could be allowed that the Application server 170 performs identification of the SIM on an application level, where it interacts with an application running on the device 120, but this fails to direct requests to the appropriate Application server 170 while restricting access to other Application servers 170 used by other SIMs in the deployment. This means that, to achieve the performance shared subscriptions can offer without the present invention in place, the whole deployment would have to have access to all Application servers 170, as it is not possible to know which will be accessed by whom since identification is only possible after the Application server 170 has been accessed.
According to some embodiments of the present invention, there is provided a method in network 100 for providing connectivity to a wireless device equipped with a SIM. This is done to ensure a positive, time- or event-limited, identification of a specific SIM 110 in a deployment where all SIMs are configured to use any subscription from one or more pools of subscriptions. The method and apparatus connect the SIM ID, the ICCID, and the Device address without referencing the subscription used to temporarily connect to the cellular network (or visited network) 130, using a multi-stage authentication method which combines the high performance and effectiveness of using shared subscriptions for temporary cellular connectivity with the positive identification possibilities of a static, linear allocation method. To the Application server 170, the outcome and advantage of using the present invention in combination with shared subscriptions for temporary connectivity is identical to that of using statically, or uniquely, allocated cellular subscriptions, resulting in a much more efficient use of resources while ensuring the same result and customer experience.
Furthermore, the present invention allows for separation and subnetting of Application servers 170 within a deployment of shared cellular subscriptions, so that only users or wireless devices with a legitimate right to access a certain Application server 170 will be able to, since the method offers an early-stage identification of the user, SIM 110 and/or wireless device 120 and is thus able to apply the identity's entitlements and access rights instantly. It should be emphasized that without the present invention in place a decision would have to be made to either allow all SIMs in the deployment to access any Application server 170 or have the volume of shared cellular subscriptions divided between the various users of the service. As in all applications of a shared medium or resource, there are great benefits of allocating a larger mass (i.e., trunking gain) to the service rather than using several smaller masses, even if the total mass is the same. Thus, the restriction of connectivity described in the present invention is important so that not all Devices 120 are able to converse with all Application servers 170, while allowing many customers to share the same pool of resources (subscription identities) by applying the customers' specific access rights and entitlements to their associated SIMs.
When a device 120 using the services has connected to a cellular network 130 (or visited network) using a shared subscription, its connection is restricted by the Home network PGW 150 so that it can only communicate with specific endpoints within network 100. An application or information package on the SIM 110 gathers information from the SIM 110, device 120 and network 130, packages this in an encrypted transmission and shares it with a server function 160 (EPX). The contents of the package may be the SIM identity (ICCID), device identity (IMEI), Visited network identity (MCC/MNC) and more.
At the EPX 160, the package's sender is verified by decryption of the information package using decryption keys specific to the SIM 110, where successful decryption means positive identification. Further, once identified, the contents of the information package are shared with a pre-determined Application server 170 where, for example, permanent connectivity profile provisioning can be prepared. With a trusted party applying the teaching of the embodiments herein according to the present invention, said Application server 170 will then have a reliable identification of the SIM 110 based on an address that is readily available to it, i.e. MSISDN or IP address.
The EPX 160 may also instruct the Home network PGW 150 to release the restrictions it has applied on the SIM's 110 connection, so that it can communicate with the specific Application server 170 or servers pre-configured for this specific SIM 110. The authentication and identification are limited in time, and based on various factors the session will be terminated, restrictions re-applied and authentication deemed no longer valid, with the purpose of allowing a new wireless device to use the shared cellular subscription for temporary connectivity. Such factors can be the expiry of a timer, a notification from the Application server 170 that the SIM 110 has completed its process, or a trigger from the Home network PGW 150 that the SIM 110 has terminated its data session.
For example, a SIM 110 may be part of a deployment where every SIM is configured to autonomously select a subscription, at random, from one or more pools of subscriptions or subscription identities. Having selected e.g. subscription A, the device 120 is allowed to connect to a visited cellular network 130. When a data session is established, the home network PGW 150 restricts the session's connectivity so that it can only reach endpoints internal to the home network, more specifically the server function (EPX) 160. The application on the SIM 110 then communicates identification parameters to the server function 160, which authenticates and identifies the distinct SIM 110 in the deployment and informs the associated application server 170 of its identity and of the addresses where it can be reached. It also instructs the home network PGW 150 to allow the SIM 110 to communicate with the specific application server 170 for the duration of the session.
Hence, the present invention solves the technical problem of positive identification and authentication of a device/UE/SIM when the wireless device uses a shared cellular connectivity solution and therefore, with a shared cellular connectivity identity, cannot be identified as it traditionally would be by its (fixed and dedicated) subscription identity (IMSI). Furthermore, once the wireless device/UE/SIM using a shared cellular connectivity solution has been identified and authenticated, the present invention can be applied to:
- put/set/configure the wireless device/UE/SIM on hold before allowing further access
- allow unrestricted access
- allow access to select endpoints
- allow access for a specific period of time
- allow access until certain event(s) occur/are registered
- deny access, permanently or temporarily
- inform an external endpoint of the address where the device/UE/SIM can be reached (IP or MSISDN)
- inform an external endpoint of the device identity (IMEI) with which the SIM/user is currently associated
- any one of these on its own, or a combination of two or more
Hence, the present invention is capable of applying one or more of the activities mentioned above to voice, Short Message Service (SMS) and data services, etc., for a solution based on cellular connectivity, at the earliest possible moment. A device restricted by the present invention is completely isolated until the apparatus(es) described herein release the restriction, for a specific period of time, until a specific set of events occurs, or permanently.
Referring now to Figure 2, there is illustrated another example of network 100 with some detailed components (entities), and wherein embodiments herein may be applied.
As shown, there is a device equipped with a SIM, a Gatekeeper Proxy, a PGW, one or more HLRs and a Back-End. Different identities and keys are shown, such as IMSI, OPc, Ki, ICCID, OTA (Over The Air) keys, etc. Arrows show examples of actions that may be performed in relation to Figure 2.
Ki and OPc are keys on the SIM card (defined in the third generation partnership project technical specification 3GPP TS 35.205). Ki is the Subscriber Authentication Key (128 bit). OP is the Operator Code, usually the same for all SIMs from a single operator. OPc is a derived operator code, unique for each SIM. Both can also be calculated/derived by the AuC. Ki is a random key (generated by the SIM vendor on behalf of the operator) and OPc ("OP calculated") is the result of running Ki and OP (OP being the operator's master key) through a 3GPP algorithm. Typically, the operator defines OP and also the K4 transport key. OP and K4 are given to the SIM vendor and the AuC vendor. The SIM vendor uses OP with the per-SIM (per-IMSI) Ki to compute OPc, and uses K4 to encrypt Ki into EKI (encrypted Ki) for transport. The AuC vendor takes the SIM output file from the SIM vendor, which contains EKI and IMSI, uses K4 to decrypt EKI back into Ki and then uses OP together with Ki to calculate OPc.

An exemplary usage of the present invention may be to provide temporary connectivity to enable in-field provisioning of permanent subscriptions to cellular devices, as previously described. For example, a node may be placed between the subscriber and an authentication server in the home network; such a node may be the Gatekeeper Proxy. Subscription resources (internal subscription resources or subscription identities) are pooled in the home network. The pooled internal subscription resources are not dedicated to any one external subscription resource. An internal subscription resource may be associated with one authentication parameter set. An internal subscription resource may exist in multiple authentication servers, and each authentication server may host a different set of authentication parameters for a specific subscription resource. Subscription resources may also be pooled in the software component on the SIM (e.g. in an applet); these are the external subscription resources.
The pool of external subscription resources may be associated with a pool of authentication parameter sets that are not pre-associated with any particular subscription resource. The pooled external subscription resources are not necessarily uniquely allocated: any SIM with the applet (or software component) in the deployment may pick/select any external subscription resource out of the pools. An algorithm/method may be used to select an external subscription resource and a set of authentication parameters to use together with that resource, and an algorithm/method may be used to decide which internal and external resources fit together. An apparatus in the network may comprise the applet and the gatekeeper in combination. The purpose of the apparatus is to ensure that only one subscriber claims a specific pooled resource pair at any given time (exclusivity). Exclusivity means uninterrupted connectivity for the subscriber using the resource, i.e. the apparatus may be capable of protecting it from interference from other subscribers seeking to use the same resource. The gatekeeper is capable of acting on behalf of the authentication server in the home network, and may communicate with the applet on the SIM the subscriber is using to access the network. The gatekeeper may control exclusivity by rejecting further requests to use an occupied subscription resource if a) a timer has not yet expired or b) (in combination with a) the subscriber using the resource has not yet terminated its data session. The gatekeeper may use standard cellular network communication control messages to reject the requests; the applet interprets these rejects as instructions to select a different external subscription resource from the pool. A secondary node, the BACKEND, interfaces with the first node and the home network. An exemplary purpose of the BACKEND is to restrict data access until the SIM has been properly identified and authenticated.
Authentication of the SIM is separate from cellular network authentication using the subscription resource. Once the SIM has been authenticated by the cellular network using the subscription resource, the applet communicates with the BACKEND and exchanges key information: IMSI, IMEI, ICCID, location and network availability. The BACKEND may then use the information shared by the applet to release locks in the core network so that the SIM can communicate with the intended endpoint.
Adaptive and synchronized dynamic allocation of authentication parameters for shared cellular subscription deployments

According to an exemplary embodiment, in order to gain access to a cellular network, be it the home network or a visited network, the cellular device asks the SIM for access credentials to use. The first piece of information is the IMSI, a unique identifier of a subscription that the network uses to request further authentication information from the home network's authentication server. These authentication parameters are then used to challenge the device in a cryptographic process: the network provides a set of numbers to the wireless device, which asks the SIM to use that set of numbers to generate a new set in a known cryptographic process with private keys. The result is sent to the network, which compares it with the result sent from the home network. If the two match, the device is considered authenticated and is allowed access.
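The key material of Figure 2 (Ki, OP, OPc, K4/EKI) and the challenge-response just described can be made concrete with the MILENAGE functions of 3GPP TS 35.206, the algorithm set the Ki/OPc description above refers to. The following Go program is an added illustration and not part of this application or of the applicant's system. Ki, OP, RAND and the expected OPc/RES/AK values are the published MILENAGE test set 1 from 3GPP TS 35.208; the single-AES-block K4 wrapping, the randomly drawn K4 and the function names are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// xor16 XORs two 16-byte blocks into a new slice.
func xor16(a, b []byte) []byte {
	out := make([]byte, 16)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// aesEncBlock is the MILENAGE kernel E_K: one AES-128 block encryption.
func aesEncBlock(key, in []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	c.Encrypt(out, in)
	return out
}

// DeriveOPc is OPc = E_Ki(OP) XOR OP (3GPP TS 35.206). The SIM vendor runs it per SIM;
// the AuC vendor repeats it after recovering Ki, so both hold the same OPc.
func DeriveOPc(ki, op []byte) []byte {
	return xor16(aesEncBlock(ki, op), op)
}

// WrapKi/UnwrapKi model the K4 transport step: the SIM output file carries EKI = E_K4(Ki),
// never Ki in clear. Assumption for this example: a single AES-128 block under K4 (Ki is
// exactly one block); real K4 schemes differ between operators and vendors.
func WrapKi(k4, ki []byte) []byte { return aesEncBlock(k4, ki) }

func UnwrapKi(k4, eki []byte) []byte {
	c, err := aes.NewCipher(k4)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	c.Decrypt(out, eki)
	return out
}

// MilenageF2F5 computes RES (f2) and AK (f5) for a challenge RAND per TS 35.206 section 4.1:
// TEMP = E_K(RAND XOR OPc); OUT2 = E_K(rot(TEMP XOR OPc, r2) XOR c2) XOR OPc with
// r2 = 0 and c2 = 0x00..01; RES = OUT2[8:16], AK = OUT2[0:6].
func MilenageF2F5(ki, opc, rnd []byte) (res, ak []byte) {
	temp := aesEncBlock(ki, xor16(rnd, opc))
	in := xor16(temp, opc)
	in[15] ^= 0x01 // c2
	out2 := xor16(aesEncBlock(ki, in), opc)
	return out2[8:16], out2[0:6]
}

// ChallengeResponse walks the flow in the text: the AuC recovers Ki from EKI and derives
// OPc, the network sends RAND, the SIM answers RES from its own Ki/OPc, and the serving
// network compares RES with the XRES it received from the home network.
func ChallengeResponse(k4, op, simKi, eki, rnd []byte) bool {
	aucKi := UnwrapKi(k4, eki) // home network side: only EKI and IMSI were delivered
	xres, _ := MilenageF2F5(aucKi, DeriveOPc(aucKi, op), rnd)
	res, _ := MilenageF2F5(simKi, DeriveOPc(simKi, op), rnd) // SIM side
	return bytes.Equal(res, xres)
}

func main() {
	// Published MILENAGE test set 1 (3GPP TS 35.208): K, OP and RAND.
	ki := mustHex("465b5ce8b199b49faa5f0a2ee238a6bc")
	op := mustHex("cdc202d5123e20f62b6d676ac72cb318")
	rnd := mustHex("23553cbe9637a89d218ae64dae47bf35")
	k4 := make([]byte, 16) // K4 is operator-defined; a random one is constructed here
	if _, err := rand.Read(k4); err != nil {
		panic(err)
	}
	eki := WrapKi(k4, ki)
	opc := DeriveOPc(ki, op)
	res, ak := MilenageF2F5(ki, opc, rnd)
	fmt.Printf("OPc %x\nRES %x\nAK  %x\n", opc, res, ak) // OPc cd63cb71..., RES a54211d5e3ba50bf
	fmt.Println("genuine SIM:", ChallengeResponse(k4, op, ki, eki, rnd))
	clone := append([]byte{}, ki...) // a SIM personalised with a guessed Ki does not match
	clone[0] ^= 0x80
	fmt.Println("wrong-Ki SIM:", ChallengeResponse(k4, op, clone, eki, rnd))
}
```

The point of the K4 step is that the AuC side never receives Ki in clear and still ends up with the same OPc as the card, which is what makes the later RES/XRES comparison meaningful; a SIM whose Ki differs by a single bit fails the comparison.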
When provisioning pools of tens of thousands of subscription resources, one does not want to provision an equal number of authentication parameter sets, since that could give an attacker a data set large enough to challenge the cryptographic integrity of the home network's authentication server as a whole. It is also not appropriate to provision only one set for every IMSI to use, since it would then be trivial to clone credentials and disrupt service.
To avoid these issues, one may provide a small set of authentication parameters combined with an algorithm that decides which subscription resource works together with which authentication parameter set. The algorithm is mirrored in the home network (compare Frequency Hopping Spread Spectrum/Adaptive Frequency Hopping, FHSS), ensuring that the components of the apparatus are always in sync. The process is envisioned for example as follows (note that the present invention is not restricted to this process). SIM side: select an IMSI, find the appropriate Ki/OPc on the SIM, try to attach; if rejected, try again with a different IMSI. Server side: the Gatekeeper picks up the IMSI and other parameters, finds the appropriate internal subscription resource, and may send a challenge accordingly.
Positive identification and authentication of SIM and device while connecting using a shared cellular subscription (multi-stage cellular authentication)

According to an exemplary embodiment, if the cellular subscriptions are not uniquely allocated, it may not be possible to identify the SIM or device using only this piece of information. Since provisioning of a permanent subscription profile is associated with ownership and chargeability, a 100% positive identification is required before proceeding with the process. In the present invention we propose to use a multi-stage cellular authentication method which combines the high performance of a non-linear bootstrap with the positive identification possibilities of a strict authentication process. In the first stage the SIM attaches to a cellular network using a randomly drawn subscription resource from a pool of resources made available to it. When given access, the application on the SIM communicates with the server-side BACKEND, sharing additional information that may not be transferred as part of the cellular authentication sequence, more specifically the IMSI, location, ICCID, EID and IMEI combined. The BACKEND is then able to identify the end user by combining the information shared by the application on the SIM with the data provisioned to it in the shape of the output files coming from the SIM manufacturing process.
When the wireless device has attached to a cellular network using the shared subscription, it may be held in a walled-off area of the core network, allowed to initiate a data session but only towards endpoints internal to the home network. This allows the applet to communicate the information required for the second authentication stage. When the BACKEND has used this information to confirm the unique identity of the SIM/device, the lock on the walled garden is released and the wireless device is free to communicate with whatever external endpoint or application server is requested.
The positive identification of the SIM/device is then shared with the provisioning server associated with that SIM, together with its dedicated IP address and other addressing parameters such as the MSISDN, so that the provisioning server can perform its business logic routine with secured information as the foundation for its decisions. It should be noted that in a cellular connectivity setup the address (MSISDN or IP) is assigned by the core network serving the device with connectivity. Since the address is permanently associated with the subscription, but the subscription is not permanently associated with the device when using shared subscriptions, one may use the functionality described in the present invention to identify the device and/or SIM and pick up the address at which it can currently be reached, i.e. which subscription it has been allowed to use for temporary connectivity. This information (i.e. the address) can then be shared with an external system in case such a system would like to initiate a connection for the exchange of data, settings or a software update. If the address information is not available to the external system, only the wireless device can initiate a connection, which makes it very difficult for the external system to involve all parties required to make decisions about what needs to be sent back down to the device before it disconnects.

In the following, exemplary embodiments of the present invention are presented as a flow showing how the present invention may be employed, as presented in the appended claims. Note that the present invention is not restricted to only the subject-matter of the claims. Instead, many features and embodiments provided earlier may be used and added to the claims to further exemplify how embodiments may be employed as previously described.
Referring to Figure 3, there is illustrated a flowchart of a method performed in network 100 according to some embodiments herein. As shown, the method, in a network 100 for providing connectivity to a wireless device 120 equipped with a SIM 110, comprises:
- (301) the wireless device 120, by means of the SIM 110, autonomously selecting a subscription identity from one or more pools of subscription identities;
- (302) the wireless device 120 requesting attachment to a cellular network 130, 140 using the selected subscription identity;
- (303) the cellular network 130, 140 providing, to the wireless device 120, temporary connectivity to the cellular network 130, 140;
- (304) the wireless device 120, by means of the SIM, gathering information from the SIM 110, the wireless device 120 and the cellular network 130, 140, and encrypting the gathered information;
- (305) the wireless device 120 sending the encrypted information to a network server 160;
- (306) the network server 160 attempting to decrypt the received encrypted information using one or more decryption keys; if decryption of the received encrypted information is successful and the SIM is identified, the network server 160 selecting an application server 170 and sharing the decrypted information with the application server 170; and
- (307) the network server 160 allowing the wireless device 120 access to, or to communicate with, the selected application server 170 during a pre-determined time period or for the duration of a session.
By a session is meant a service, e.g. surfing the internet, browsing, SMS, a data service, etc.
According to an embodiment, the method comprises the network server 160 instructing the cellular network 130, 140 to release the restriction of the temporary connectivity to the cellular network, allowing the wireless device 120 access to, or to communicate with, the selected application server 170.
According to an embodiment, the one or more pools of subscription identities are shared among a plurality of wireless devices or among a plurality of SIMs; and selecting the subscription identity is performed randomly by the SIM.
According to an embodiment, the gathered information includes a SIM identity (ICCID), a mobile device identity (IMEI), the selected subscription identity (IMSI) and a network identity (MCC/MNC).
Referring to Figure 4, there is illustrated a flowchart of a method performed by a network server 160 for providing connectivity to the wireless device 120 equipped with a SIM 110, the method comprising:
- (401) receiving, from the wireless device 120, encrypted information including information from the SIM 110, the wireless device 120 and a cellular network 130, 140, wherein the wireless device 120 has autonomously selected a subscription identity from one or more pools of subscription identities, and wherein the wireless device 120 is temporarily allowed to connect to the cellular network 130, 140;
- (402) attempting to decrypt the received encrypted information using one or more decryption keys; if decryption of the received encrypted information is successful and the SIM is identified, selecting an application server 170 and sharing the decrypted information with the application server 170; and
- (403) allowing the wireless device 120 access to, or to communicate with, the selected application server 170 during a pre-determined time period or for the duration of a session.
According to an embodiment, the method further comprises instructing the cellular network 130, 140 to release the restriction of the temporary connectivity to the cellular network, allowing the wireless device 120 access to, or to communicate with, the selected application server 170.
According to an embodiment and as previously described, decrypted information includes a SIM identity (ICCID), a mobile device identity (IMEI), the selected subscription identity (IMSI) and a network identity (MCC/MNC).
Referring to Figure 5, there is illustrated a flowchart of a method performed by the wireless device 120 equipped with a SIM 110, the method comprising:
- (501) autonomously selecting, by means of the SIM, a subscription identity from one or more pools of subscription identities;
- (502) requesting attachment to a cellular network 130, 140 using the selected subscription identity;
- (503) temporarily connecting to the cellular network 130, 140;
- (504) gathering, by means of the SIM, information from the SIM 110, the wireless device 120 and the cellular network 130, 140, and encrypting the gathered information;
- (505) sending the encrypted information to a network server 160; and, if decryption of the transmitted encrypted information by the network server 160 is successful and the SIM is identified,
- (506) acquiring permission from the network server 160 to access or to communicate with an application server 170, selected by the network server 160, during a pre-determined time period or for the duration of a session.
As previously described, the one or more pools of subscription identities are shared among a plurality of wireless devices or among a plurality of SIMs, and selecting the subscription identity is performed randomly by the SIM. Further, the gathered information includes a SIM identity (ICCID), a mobile device identity (IMEI), the selected subscription identity (IMSI) and a network identity (MCC/MNC).
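As an added illustration, not part of this application or of the applicant's system, the following Go program models the second authentication stage of Figures 1 and 3 to 5: the applet seals the gathered ICCID, IMEI, IMSI and MCC/MNC under a SIM-specific key, the EPX/BACKEND tries its per-SIM keys and treats a successful decryption as identification, and the PGW-side walled garden is opened towards the pre-configured application server for a bounded time. AES-GCM, the JSON packaging, all names and the sample identities (test PLMN 001/01, constructed ICCID and IMEI) are assumptions of the example. The caveat it encodes is that "successful decryption means identification" only holds when the encryption is authenticated (an AEAD such as GCM, or a separate MAC): with an unauthenticated cipher any ciphertext decrypts to something, and the check must additionally bind the claimed ICCID to the key that opened the package.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// InfoPackage is what the applet gathers from SIM, device and visited network (PLMN = MCC/MNC).
type InfoPackage struct{ ICCID, IMEI, IMSI, PLMN string }

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key lengths are fixed at SIM personalisation
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// Seal is the applet side: nonce || AES-GCM(JSON package) under the SIM-specific key.
func Seal(simKey []byte, p InfoPackage) []byte {
	plain, _ := json.Marshal(p) // a struct of strings always marshals
	g := gcm(simKey)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plain, nil)
}

// EPX holds one key per SIM from the vendor output file (keyed by ICCID) and the
// application server each ICCID is pre-configured to reach.
type EPX struct {
	Keys      map[string][]byte
	AppServer map[string]string
}

// Identify tries the SIM keys until one opens the package. GCM authenticates, so a genuine
// package opens under exactly one key and a forged or tampered one under none; the ICCID
// inside must also match the key that opened it, or one SIM could claim another's identity.
func (e *EPX) Identify(msg []byte) (InfoPackage, error) {
	for iccid, key := range e.Keys {
		g := gcm(key)
		if len(msg) < g.NonceSize() {
			return InfoPackage{}, errors.New("package too short")
		}
		plain, err := g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
		if err != nil {
			continue
		}
		var p InfoPackage
		if err := json.Unmarshal(plain, &p); err != nil || p.ICCID != iccid {
			return InfoPackage{}, errors.New("package opened but its ICCID does not match the key")
		}
		return p, nil
	}
	return InfoPackage{}, errors.New("no SIM key opens this package: not identified")
}

type Grant struct {
	Endpoint string
	Until    time.Time
}

// Garden is the PGW-side restriction: per IMSI, which external endpoint is reachable and
// until when. The internal EPX endpoint stays reachable so identification itself can happen.
type Garden struct {
	EPXAddr string
	Grants  map[string]Grant
}

func (w *Garden) Allowed(imsi, dst string, now time.Time) bool {
	g, ok := w.Grants[imsi]
	return dst == w.EPXAddr || (ok && g.Endpoint == dst && now.Before(g.Until))
}

// Release opens the garden towards one endpoint for a bounded time; Revoke re-applies the
// restriction on the timer, the application server's "done" notice or PGW session teardown.
func (w *Garden) Release(imsi, endpoint string, now time.Time, ttl time.Duration) {
	w.Grants[imsi] = Grant{Endpoint: endpoint, Until: now.Add(ttl)}
}

func (w *Garden) Revoke(imsi string) { delete(w.Grants, imsi) }

// Onboard is the EPX sequence: identify, find the pre-configured application server and
// release the garden towards it. The returned package is what is forwarded to that server.
func Onboard(e *EPX, w *Garden, msg []byte, now time.Time, ttl time.Duration) (InfoPackage, string, error) {
	p, err := e.Identify(msg)
	if err != nil {
		return InfoPackage{}, "", err
	}
	srv, ok := e.AppServer[p.ICCID]
	if !ok {
		return p, "", errors.New("no application server configured for this SIM")
	}
	w.Release(p.IMSI, srv, now, ttl)
	return p, srv, nil
}

func main() {
	k1 := make([]byte, 32) // constructed per-SIM key; in practice taken from the SIM output file
	rand.Read(k1)
	epx := &EPX{Keys: map[string][]byte{"8946000000000000001": k1}, AppServer: map[string]string{"8946000000000000001": "prov.home.internal"}}
	garden := &Garden{EPXAddr: "epx.home.internal", Grants: map[string]Grant{}}
	msg := Seal(k1, InfoPackage{ICCID: "8946000000000000001", IMEI: "350000000000001", IMSI: "001010000000007", PLMN: "00101"})
	p, srv, err := Onboard(epx, garden, msg, time.Now(), 15*time.Minute)
	fmt.Println(p, srv, err, garden.Allowed(p.IMSI, srv, time.Now()), garden.Allowed(p.IMSI, "other.example", time.Now()))
}
```

With tens of thousands of SIMs, trying every key is linear in the pool; a plaintext key identifier in front of the ciphertext (for example the ICCID itself) lets the EPX pick one key, and the ICCID-to-key binding check in Identify is what still stops a SIM from claiming another SIM's identity. The grant is keyed by the pooled IMSI because that is the identity the PGW sees on the data session, while the ICCID is what the application server is told.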
To perform the method or procedure steps/actions described in connection with Figure 3, there is also provided a network 100 for providing connectivity to the wireless device 120 equipped with a SIM 110. In the network 100 (according to any one of claims 11-14), the wireless device 120, by means of the SIM 110, is configured to autonomously select a subscription identity from one or more pools of subscription identities. The wireless device 120 is configured to request attachment to a cellular network 130, 140 using the selected subscription identity. The cellular network 130, 140 is configured to provide, to the wireless device 120, temporary connectivity to the cellular network 130, 140. The wireless device 120, by means of the SIM, is configured to gather information from the SIM 110, the wireless device 120 and the cellular network 130, 140, and to encrypt the gathered information. The wireless device 120 is configured to send the encrypted information to a network server 160, which is configured to attempt to decrypt the received encrypted information using one or more decryption keys. If decryption of the received encrypted information is successful and the SIM is identified, the network server 160 is configured to select an application server 170 and to share the decrypted information with the application server 170; and the network server 160 is configured to allow the wireless device 120 access to, or to communicate with, the selected application server 170 during a pre-determined time period or for the duration of a session.
To perform the method or procedure steps/actions described in connection with Figure 4 above relating to the network server 160, a network server is provided as depicted in Figure 6. The network server 160 comprises a processing circuit or a processing module or a processor or means 161, a receiver circuit or receiver module 162, a transmitter circuit or transmitter module 163, a memory module 164 and a transceiver circuit or transceiver module 165, which may include the transmitter circuit 163 and the receiver circuit 162. The network server 160 is configured to perform the subject-matter previously described in relation to the actions performed by the network server 160.
The processing module/circuit 161 includes a processor, microprocessor, an application specific integrated circuit (ASIC), field programmable gate array (FPGA), or the like, and may be referred to as the "processor 161." The processor 161 controls the operation of the network server 160 and its components. Memory (circuit or module) 164 includes a random access memory (RAM), a read only memory (ROM), and/or another type of memory to store data and instructions that may be used by processor 161. In general, it will be understood that the network server/node 160 in one or more embodiments includes fixed or programmed circuitry that is configured to carry out the operations in any of the embodiments disclosed herein. In at least one such example, the network server 160 includes a microprocessor, microcontroller, DSP, ASIC, FPGA, or other processing circuitry that is configured to execute computer program instructions from a computer program stored in a non-transitory computer-readable medium that is in, or is accessible to, the processing circuitry. Here, "non-transitory" does not necessarily mean permanent or unchanging storage, and may include storage in working or volatile memory, but the term does connote storage of at least some persistence. The execution of the program instructions specially adapts or configures the processing circuitry to carry out the network server/node 160 operations disclosed herein. Further, it will be appreciated that the network server/node 160 may comprise additional components not shown in Figure 6. The network server 160 is operative to perform any one of the subject-matter of method claims 5-7 and also the actions described in this invention. Examples of a server are also illustrated. It should be noted that the embodiments herein are applicable in any server capable of implementing and executing the subject-matter of the embodiments herein related to a network server.
There is also provided a computer program comprising instructions which, when executed on at least one processor of the network server/node 160 according to embodiments herein, cause the at least one processor to carry out the method described above. Also, a carrier containing the computer program is provided, wherein the carrier is one of a computer readable storage medium, an electronic signal, an optical signal, or a radio signal.
To perform the method or procedure steps/actions described in connection with Figure 5 above relating to the wireless device 120, a wireless device 120 is provided as depicted in Figure 7. The wireless device 120 comprises a processing circuit or a processing module or a processor or means 171, a receiver circuit or receiver module 172, a transmitter circuit or transmitter module 173, a memory module 174 and a transceiver circuit or transceiver module 175, which may include the transmitter circuit 173 and the receiver circuit 172. The wireless device 120 is configured to perform the subject-matter previously described in relation to the actions performed by the wireless device 120.
The processing module/circuit 171 includes a processor, microprocessor, an application specific integrated circuit (ASIC), field programmable gate array (FPGA), or the like, and may be referred to as the "processor 171." The processor 171 controls the operation of the wireless device 120 and its components. Memory (circuit or module) 174 includes a random access memory (RAM), a read only memory (ROM), and/or another type of memory to store data and instructions that may be used by processor 171. In general, it will be understood that the wireless device 120 in one or more embodiments includes fixed or programmed circuitry that is configured to carry out the operations in any of the embodiments disclosed herein. In at least one such example, the wireless device 120 includes a microprocessor, microcontroller, DSP, ASIC, FPGA, or other processing circuitry that is configured to execute computer program instructions from a computer program stored in a non-transitory computer-readable medium that is in, or is accessible to, the processing circuitry. Here, "non-transitory" does not necessarily mean permanent or unchanging storage, and may include storage in working or volatile memory, but the term does connote storage of at least some persistence. The execution of the program instructions specially adapts or configures the processing circuitry to carry out the operations disclosed herein. Further, it will be appreciated that the wireless device 120 may comprise additional components not shown in Figure 7. The wireless device 120 is operative to perform any one of the subject-matter of method claims 8-10. The wireless device 120 is shown as a smart phone (UE) or a laptop, but it can be any UE or wireless device that is capable of implementing the teaching of the present invention.
There is also provided a computer program comprising instructions which, when executed on at least one processor of the wireless device 120 according to embodiments herein, cause the at least one processor to carry out the method described above. Also, a carrier containing the computer program is provided, wherein the carrier is one of a computer readable storage medium, an electronic signal, an optical signal, or a radio signal.
As previously mentioned, an advantage of embodiments of the present invention is to allow a user or a wireless device (e.g. a corporate entity issuing massive amounts of devices using shared cellular connectivity) to be absolutely certain of the SIM or eSIM a specific user/device/UE is using. This in turn enables the same entity to emulate end user activity to fully automate preparation, provisioning and download of a permanent subscription profile. eSIM refers to an Embedded Subscriber Identity Module or an Embedded Universal Integrated Circuit Card (eUICC). An eUICC is the SIM platform that allows a user to change operators Over-the-Air (OTA) by downloading subscription profiles, whereas the term embedded SIM (eSIM) is also used for the physical form factor, a SIM chip soldered directly into a cellular or wireless device. Another advantage of the embodiments herein is that, following identification and authentication, the present invention allows the temporary address where the identified device/UE/SIM can currently be reached to be shared with an external endpoint so that it can initiate contact. Yet another advantage of the present invention is to identify the wireless device used, information which can be shared with a device management platform for firmware upgrade queries. Since the cellular connectivity medium is shared and time limited, the teaching of the present invention can be used to interact with a device management platform to allocate an extended time slot in case an upgrade is required. Further, pending identification and authentication of the SIM, the present invention allows the user (a corporate entity issuing massive amounts of devices using shared cellular connectivity) to restrict service usability to only a few select endpoints, effectively isolating the device.
As previously described, to gain access to a cellular network, be it the home network or a visited network, the cellular device asks the SIM for access credentials to use. The first piece of information is the IMSI, a unique identifier of a subscription that the network uses to request further authentication information from the home network's authentication server. The authentication parameters sent back from the authentication server are then used by the visited network to challenge the device in a cryptographic process in which the network provides a set of numbers to the device, which asks the SIM to use that set of numbers to generate a new set in a known cryptographic process with private keys. The result is then sent to the network, which compares it with the result sent from the home network. If the two match, the device is considered authenticated and is allowed access.
As also previously described, when bootstrapping large numbers of devices using shared cellular subscriptions there is an unsolved challenge that the current invention seeks to address: when deploying subscription resources in a non-uniquely assigned, pooled manner, how can authentication parameters be appropriately allocated to a randomly selected subscription resource from a pool?
When provisioning pools of tens of thousands of subscription resources, one does not want to provision an equal number of authentication parameter sets, since that could give an attacker a data set large enough to challenge the cryptographic integrity of the home network's authentication server as a whole. It is also not appropriate to provision only one set for every IMSI to use, since it would then be trivial to clone credentials and disrupt service.
To avoid these issues, it is suggested to provide a relatively small set of authentication parameters combined with an algorithm that decides which subscription resource works together with which authentication parameter set. The algorithm is mirrored in the home network, ensuring that the components of the apparatus are always in sync, similar to how FHSS algorithms work in wireless communications, where two communicating terminals change the frequency on which they communicate in a synchronized manner, allowing them to avoid disturbances caused by jamming. In the area relevant to the present invention this translates into certain sets of authentication parameters being exposed and rendered unavailable to legitimate users, where the present invention would be used to avoid these sets and continue service undisrupted.
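An added worked example, not taken from this application or the applicant's system, of the mirrored mapping described here and in the earlier "Adaptive and synchronized dynamic allocation" passage: a keyed function (HMAC-SHA256 under a hop secret both sides hold) maps each pooled IMSI to one of a small number of authentication parameter sets, a shared list of exposed ("burned") sets is skipped on both sides, and the gatekeeper enforces exclusivity by rejecting an IMSI whose lease timer has not expired or whose holder still has a data session up, so the applet moves on to another IMSI. The HMAC mapping, the lease rules, all names and the sample pool (test PLMN 001/01) are assumptions of the example; a real gatekeeper would signal the reject with a standard cellular control message rather than a string.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/rand"
	"time"
)

// ParamSetIndex maps an IMSI to one of nSets parameter sets with HMAC-SHA256 under a hop
// secret shared by applet and gatekeeper; burned (exposed) sets are skipped by probing
// forward, so both sides still agree as long as their burned lists agree. -1: nothing usable.
func ParamSetIndex(hopSecret []byte, imsi string, nSets int, burned map[int]bool) int {
	mac := hmac.New(sha256.New, hopSecret)
	mac.Write([]byte(imsi))
	start := int(binary.BigEndian.Uint32(mac.Sum(nil)[:4]) % uint32(nSets))
	for i := 0; i < nSets; i++ {
		if cand := (start + i) % nSets; !burned[cand] {
			return cand
		}
	}
	return -1
}

type lease struct {
	expires       time.Time
	sessionActive bool
}

// Gatekeeper sits between the subscriber and the authentication server and owns the
// pooled IMSIs: one lease per IMSI plus the mirrored mapping and burned list.
type Gatekeeper struct {
	hopSecret []byte
	nSets     int
	burned    map[int]bool
	leaseTTL  time.Duration
	leases    map[string]lease
}

func NewGatekeeper(hopSecret []byte, nSets int, burned map[int]bool, ttl time.Duration) *Gatekeeper {
	return &Gatekeeper{hopSecret, nSets, burned, ttl, map[string]lease{}}
}

// Claim is the server side of an attach: reject while the IMSI is leased and the timer has
// not expired or the holder's data session is still up; reject an attach that uses a
// parameter set other than the mirrored one (out of sync, or forged); else grant a lease.
func (g *Gatekeeper) Claim(imsi string, paramSet int, now time.Time) (bool, string) {
	if l, ok := g.leases[imsi]; ok && (now.Before(l.expires) || l.sessionActive) {
		return false, "occupied"
	}
	if paramSet != ParamSetIndex(g.hopSecret, imsi, g.nSets, g.burned) {
		return false, "wrong parameter set"
	}
	g.leases[imsi] = lease{expires: now.Add(g.leaseTTL), sessionActive: true}
	return true, "accepted"
}

// SessionEnded is the PGW trigger that the holder tore down its data session.
func (g *Gatekeeper) SessionEnded(imsi string) {
	if l, ok := g.leases[imsi]; ok {
		l.sessionActive = false
		g.leases[imsi] = l
	}
}

// Applet is the SIM side: draw IMSIs in random order, pick the parameter set the mapping
// dictates, try to attach, and on a reject move on to another IMSI.
type Applet struct {
	hopSecret []byte
	pool      []string
	nSets     int
	burned    map[int]bool
	rng       *rand.Rand
}

func NewApplet(hopSecret []byte, pool []string, nSets int, burned map[int]bool, seed int64) *Applet {
	return &Applet{hopSecret, pool, nSets, burned, rand.New(rand.NewSource(seed))}
}

func (a *Applet) Attach(g *Gatekeeper, now time.Time) (imsi string, paramSet int, ok bool) {
	for _, i := range a.rng.Perm(len(a.pool)) {
		imsi, paramSet = a.pool[i], ParamSetIndex(a.hopSecret, a.pool[i], a.nSets, a.burned)
		if paramSet < 0 {
			break
		}
		if accepted, _ := g.Claim(imsi, paramSet, now); accepted {
			return imsi, paramSet, true
		}
	}
	return "", -1, false
}

func main() {
	// Constructed deployment: 3 pooled IMSIs (test PLMN 001/01), 4 parameter sets, set 2 burned.
	secret, burned := []byte("hop-secret-shared-at-manufacture"), map[int]bool{2: true}
	pool := []string{"001010000000001", "001010000000002", "001010000000003"}
	gk := NewGatekeeper(secret, 4, burned, 10*time.Minute)
	for n := int64(0); n < 4; n++ { // four devices, three IMSIs: the fourth is rejected everywhere
		imsi, set, ok := NewApplet(secret, pool, 4, burned, n).Attach(gk, time.Now())
		fmt.Printf("device %d: imsi=%s set=%d ok=%v\n", n, imsi, set, ok)
	}
}
```

Two design points carry the security argument: the parameter set is never sent by the applet as a free choice the server trusts, the gatekeeper recomputes it and refuses anything else; and a lease is only released when both conditions in the text hold, the timer has expired and the PGW has reported the session gone, so a device whose session outlives the timer is not interrupted by a newcomer.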
Also, and as previously described, an OTT (Over The Top) authentication mechanism is provided to ensure positive identification of the SIM and device even if the subscription used to connect can be used by anyone in the swarm (community). To do this, the connected device is received in a reception area of sorts, where it is only allowed to communicate with a certain internal endpoint. Here further information is received from the application on the SIM that makes it possible to securely identify the SIM/device for provisioning purposes. OTT authentication provides the key benefit that an entity deploying a cellular service using shared subscriptions to enable in-field provisioning of permanent subscriptions can positively identify the SIM and wireless device, for secure decision making when selecting the permanent subscription to use. OTT services may be viewed as a means of providing or delivering streaming services (e.g. television and film content, video, etc.) over the internet at the request of, and to suit the requirements of, an individual consumer/user. The term itself stands for "over-the-top", which implies that a content provider is going over the top of existing internet services. OTT authentication refers to the process or action of verifying the identity of a user; through the use of various authentication methods, content providers can verify that the right viewer is trying to access their content. OTT authentication, as previously mentioned, may advantageously be used in some embodiments of the present invention to ensure positive identification of the SIM and device even if the subscription used to connect can be used by anyone in the swarm (community).
Referring to Figures 8A-8D, four examples of network diagrams (similar to Figure 1) are presented wherein OTT may be applied. Figure 8A shows OTT authentication and access management (provisioning). The gatekeeper of Figure 2 is part of the home network 140 in Figures 8A-8D. Figure 8B illustrates profile download after successful OTT authentication. Figure 8C depicts access management (de-provisioning) after a successful profile download; and Figure 8D shows OTT authentication with rejection.

Throughout this disclosure, the word "comprise" or "comprising" has been used in a non-limiting sense, i.e., meaning "consist at least of". Although specific terms may be employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation. In particular, it should be noted that although terminology from 3GPP-based networks has been used in this disclosure to exemplify the invention, this should not be seen as limiting the scope of the invention to only the aforementioned system. Other wireless systems, including 3GPP 3G, 3GPP LTE-A (or LTE-Advanced), 3GPP 5G, 3GPP 6G, UMTS, WiMax and WiFi, may also benefit from exploiting the ideas covered within this disclosure.
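The OTT authentication flow described above, as an added example that is not part of the patent: the device encrypts the gathered ICCID/IMEI/IMSI/MCC/MNC report, the network server tries each candidate decryption key, identifies the SIM only when a key's MAC verifies, selects the application server registered for that SIM and grants time-bounded access (or rejects, as in Figure 8D). The encrypt-then-MAC construction, the key ids, the ICCID directory, the session length and all identifiers are constructed assumptions.

```python
import hashlib
import hmac
import json
import os

SESSION_SECONDS = 600  # constructed: the pre-determined access window (step 307)

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; a constructed stand-in for a real AEAD
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt_report(key, report):
    """Device/SIM side (steps 304-305): encrypt-then-MAC the gathered report."""
    nonce = os.urandom(12)
    pt = json.dumps(report, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def try_decrypt(keys, blob):
    """Network server side (step 306): try each candidate key; only a key whose
    MAC verifies yields a trusted report. Returns (key_id, report) or None."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    for key_id, key in keys.items():
        if hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
            pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
            return key_id, json.loads(pt)
    return None  # no key fits: the device stays confined to the reception endpoint

REQUIRED = ("ICCID", "IMEI", "IMSI", "MCC", "MNC")

def admit(keys, directory, blob, now):
    """Gatekeeper decision (step 307): identify the SIM from the decrypted report,
    pick the application server registered for it (`directory`: ICCID -> server)
    and grant time-bounded access; anything else is rejected (Figure 8D)."""
    result = try_decrypt(keys, blob)
    if result is None:
        return None
    key_id, report = result
    if any(field not in report for field in REQUIRED):
        return None
    app_server = directory.get(report["ICCID"])
    if app_server is None:
        return None
    return {"iccid": report["ICCID"], "imei": report["IMEI"], "key_id": key_id,
            "app_server": app_server, "expires_at": now + SESSION_SECONDS}

# Constructed sample data: test-range identifiers, not real subscribers or keys
KEYS = {"k-2023": b"\x01" * 32, "k-2024": b"\x02" * 32}
DIRECTORY = {"8946000000000000001": "app-server-1"}
SAMPLE = {"ICCID": "8946000000000000001", "IMEI": "490154203237518",
          "IMSI": "001010123456789", "MCC": "001", "MNC": "01"}
```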

Claims (16)

1. A method in a network (100) for providing connectivity to a wireless device (120) equipped with a subscriber identity module, SIM, (110), the method comprising:
- (301) the wireless device (120), by means of the SIM (110), autonomously selecting a subscription identity from one or more pools of subscription identities;
- (302) the wireless device (120) requesting attachment to a cellular network (130, 140) using the selected subscription identity;
- (303) the cellular network (130, 140) providing, to the wireless device (120), temporary connectivity to the cellular network (130, 140);
- (304) the wireless device (120), by means of the SIM, gathering information from the SIM (110), the wireless device (120) and the cellular network (130, 140), and encrypting the gathered information;
- (305) the wireless device (120) sending the encrypted information to a network server (160);
- (306) the network server (160) attempting to decrypt the received encrypted information using one or more decryption keys;
- if decryption of the received encrypted information is successful and the SIM is identified, the network server (160) selecting an application server (170), and sharing the decrypted information with the application server (170); and
- (307) the network server (160) allowing the wireless device (120) to access or to communicate with the selected application server (170) during a pre-determined time period or for a duration of a session.
2. The method according to claim 1, further comprising the network server (160) instructing the cellular network (130, 140) to release the restriction of the temporary connectivity to the cellular network, allowing the wireless device (120) to access or to communicate with the selected application server (170).
3. The method according to claim 1 or claim 2, wherein the one or more pools of subscription identities are shared among a plurality of wireless devices or among a plurality of SIMs; and selecting the subscription identity is performed randomly by the SIM.
4. The method according to any one of claims 1-3, wherein the gathered information includes a SIM identity (ICCID), a mobile device identity (IMEI), the selected subscription identity (IMSI) and a network identity (MCC/MNC).
5. A method performed by a network server (160) in a network (100) for providing connectivity to a wireless device (120) equipped with a subscriber identity module, SIM, (110), the method comprising:
- (401) receiving, from the wireless device (120), encrypted information including information from the SIM (110), the wireless device (120) and a cellular network (130, 140); wherein the wireless device (120) has autonomously selected a subscription identity from one or more pools of subscription identities, and wherein the wireless device (120) is temporarily allowed to connect to the cellular network (130, 140);
- (402) attempting to decrypt the received encrypted information using one or more decryption keys;
- if decryption of the received encrypted information is successful and the SIM is identified, selecting an application server (170), and sharing the decrypted information with the application server (170); and
- (403) allowing the wireless device (120) to access or to communicate with the selected application server (170) during a pre-determined time period or for a duration of a session.
6. The method according to claim 5, further comprising instructing the cellular network (130, 140) to release the restriction of the temporary connectivity to the cellular network, allowing the wireless device (120) to access or to communicate with the selected application server (170).
7. The method according to claim 5 or claim 6, wherein the decrypted information includes a SIM identity (ICCID), a mobile device identity (IMEI), the selected subscription identity (IMSI) and a network identity (MCC/MNC).
8. A method performed by a wireless device (120) equipped with a subscriber identity module, SIM, (110), the method comprising:
- (501) autonomously selecting, by means of the SIM, a subscription identity from one or more pools of subscription identities;
- (502) requesting attachment to a cellular network (130, 140) using the selected subscription identity;
- (503) temporarily connecting to the cellular network (130, 140);
- (504) gathering, by means of the SIM, information from the SIM (110), the wireless device (120) and the cellular network (130, 140), and encrypting the gathered information;
- (505) sending the encrypted information to a network server (160); and
- if decryption of the transmitted encrypted information by the network server (160) is successful and the SIM is identified,
- (506) acquiring permission from the network server (160) to access or to communicate with an application server (170), selected by the network server (160), during a pre-determined time period or for a duration of a session.
9. The method according to claim 8, wherein the one or more pools of subscription identities are shared among a plurality of wireless devices or among a plurality of SIMs; and selecting the subscription identity is performed randomly by the SIM.
10. The method according to claim 8 or claim 9, wherein the gathered information includes a SIM identity (ICCID), a mobile device identity (IMEI), the selected subscription identity (IMSI) and a network identity (MCC/MNC).
11. A network (100) for providing connectivity to a wireless device (120) equipped with a subscriber identity module, SIM, (110), wherein in the network (100):
- the wireless device (120), by means of the SIM (110), is configured to autonomously select a subscription identity from one or more pools of subscription identities;
- the wireless device (120) is configured to request attachment to a cellular network (130, 140) using the selected subscription identity;
- the cellular network (130, 140) is configured to provide, to the wireless device (120), temporary connectivity to the cellular network (130, 140);
- the wireless device (120), by means of the SIM, is configured to gather information from the SIM (110), the wireless device (120) and the cellular network (130, 140), and is further configured to encrypt the gathered information;
- the wireless device (120) is further configured to send the encrypted information to a network server (160);
- the network server (160) is configured to attempt to decrypt the received encrypted information using one or more decryption keys;
- if decryption of the received encrypted information is successful and the SIM is identified, the network server (160) is configured to select an application server (170), and configured to share the decrypted information with the application server (170); and
- the network server (160) is configured to allow the wireless device (120) to access or to communicate with the selected application server (170) during a pre-determined time period or for a duration of a session.
12. The network (100) according to claim 11, wherein the network server (160) is configured to instruct the cellular network (130, 140) to release the restriction of the temporary connectivity to the cellular network, allowing the wireless device (120) to access or to communicate with the selected application server (170).
13. The network (100) according to claim 11 or claim 12, wherein the one or more pools of subscription identities are shared among a plurality of wireless devices or among a plurality of SIMs; and selecting the subscription identity is performed randomly by the SIM.
14. The network (100) according to any one of claims 11-13, wherein the gathered information includes a SIM identity (ICCID), a mobile device identity (IMEI), the selected subscription identity (IMSI) and a network identity (MCC/MNC).
15. A network server (160) comprising a memory (164) and a hardware processor (161) executing instructions from the memory (164), wherein the network server (160) is configured to perform any one of method claims 5-
16. A wireless device (120) comprising a memory (174) and a hardware processor (171) executing instructions from the memory (174), wherein the wireless device (120) is configured to perform any one of method claims 8-

Priority Applications (2)

Application Number Priority Date Filing Date Title
SE2251044A SE2251044A1 (en) 2022-09-08 2022-09-08 Methods, apparatuses, and a network for providing connectivity to a wireless device
PCT/EP2023/074155 WO2024052271A1 (en) 2022-09-08 2023-09-04 Methods, apparatuses, and a network for providing connectivity to a wireless device


Publications (1)

Publication Number Publication Date
SE2251044A1 true SE2251044A1 (en) 2024-03-09

Family

ID=87974173


Country Status (2)

Country Link
SE (1) SE2251044A1 (en)
WO (1) WO2024052271A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120322410A1 (en) * 2011-06-17 2012-12-20 Sony Europe Limited Mobile communications
US20160174069A1 (en) * 2014-12-16 2016-06-16 Microsoft Technology Licensing, Llc Subscriber identification module pooling
US20160192179A1 (en) * 2013-08-09 2016-06-30 Giesecke & Devrient Gmbh Methods and Devices for Performing a Mobile Network Switch
WO2020096814A1 (en) * 2018-11-09 2020-05-14 Microsoft Technology Licensing, Llc Provisional device registration
US20200169868A1 (en) * 2017-05-10 2020-05-28 Telefonaktiebolaget Lm Ericsson (Publ) Initial network connectivity for a terminal device
US20200204982A1 (en) * 2018-12-19 2020-06-25 Qualcomm Incorporated Modem-assisted network attach procedure without default sim profile
US20200236529A1 (en) * 2017-09-15 2020-07-23 Thales Dis France Sa A method for allocating temporarily a subscription to a credential container

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
EP3664486A1 (en) * 2018-12-03 2020-06-10 Thales Dis France SA Method and apparatuses for ensuring secure attachment in size constrained authentication protocols
SE1900209A1 (en) 2019-12-05 2021-06-06 Zdg Labs Ab Method, Subscriber identity component and Gatekeeper for providing mitigation and management of Denial of Service attacks on wireless communication systems'network registration process
SE2030172A1 (en) 2020-05-26 2021-11-27 Atlastica Ab Method and a network function for flow control and mitigation of critical loads in congested cellular network authentication
US20220131847A1 (en) * 2020-10-26 2022-04-28 Micron Technology, Inc. Subscription Sharing among a Group of Endpoints having Memory Devices Secured for Reliable Identity Validation


Also Published As

Publication number Publication date
WO2024052271A1 (en) 2024-03-14
