JP2020150473A - Euicc and provisioning method for euicc - Google Patents

Abstract

To make an application for a profile before a change available for a profile after the change in the Embedded UICC (eUICC).SOLUTION: In an architecture 1 for remote provisioning, eUICC 2 sets a common area where mobile communication carrier MNOs can use in common to a non-volatile memory NVM and comprises of: an operating system having a common area API to access the common area; and a route security domain having a function to manage a profile security domain in which a profile 220 including the MNO security domain is stored. The route security domain has a function for generating the profile security domain in the NVM area that is not set as a common area. The MNO security domain has a function to install the MNO-related applications to the common area by using the common area API.SELECTED DRAWING: Figure 1

Description

The present invention relates to a technique for provisioning an eUICC (abbreviation for Embedded Universal Integrated Circuit Card) embedded inside a mobile device having a mobile communication function.

The UICC (Universal Integrated Circuit Card) installed inside a mobile device that has a mobile communication function is owned by a mobile communication operator (hereinafter referred to as MNO. MNO is an abbreviation for Mobile Network Operator). The information required to use the mobile communication system is provided. The conventional UICC is a card-type medium, and information related to a specific MNO is provisioned at the time of manufacturing. Therefore, in order to change the MNO, the card-type UICC installed inside the mobile device is changed. It is necessary to replace the information related to the MNO to another card-type UICC in which the information is provisioned.

When it is necessary to replace the card-type UICC installed inside the mobile device in order to change the MNO, the consumer obtains the card-type UICC in which the information related to the MNO to be changed is provisioned. There is a problem that consumers cannot easily change the MNO. In addition, from the standpoint of the MNO, there are disadvantages such as the cost of inventory management of the card-type UICC in which the company's information is provisioned.

In order to solve this problem, specifications related to eUICC (abbreviation of embedded UICC), which is an embedded UICC that supports remote provisioning by OTA (abbreviation of Over The Air), have been standardized (for example, non-patent documents). 1).

FIG. 10 is a diagram for explaining the architecture of eUICC6, and the architecture of eUICC6 illustrated in FIG. 10 is based on Non-Patent Document 1. Here, only the architecture of eUICC6 will be briefly described, and for details of the architecture of eUICC6, refer to documents such as Non-Patent Document 1.

As illustrated in FIG. 10, the eUICC 6 is an ISD-R60 (abbreviation of Issuer Security Domain Root) and ECASD62 (eUICC) as a security domain (SD: Security Domain) having a function of supporting secure communication using an encryption key. Controlling Authority Security Domain (abbreviation) and at least one ISD-P61 (Issuer Security Domain Profile) are stored in memory.

ISD-R60 and ECSAD62 are SDs issued to eUICC 6 during the manufacture of mobile devices. The ISD-R60 is the SD of the issuer that becomes the root of the SD stored in the eUICC 6, and has a function of generating the ISD-P61 and the like. The ECSAD 62 has a function of securely generating an encryption key used by the ISD-P61 generated by the ISD-R60. Further, the ISD-P61 is an SD of the issuer that stores the profile 610, which is data that aggregates information for using the mobile communication system operated by the MNO.

The profile 610 stored in the ISD-P61 includes at least the MNO SDs MNO-SD611, NAA614 (abbreviation of Network Access Application), POL1_612 (abbreviation of Policy 1) and file system 613, and in FIG. 11, SSD615 (Supplementary). Includes Security Domain) and application 616.

The profile MNO-SD611 has a function of constructing a secure channel with a provisioning system corresponding to MNO-SD611, a function of generating an SSD 615, and a function of deleting the SSD 615. POL1_612 includes a policy rule indicating permission to invalidate the profile, permission to delete the profile, and the like. The NAA 614 will be an application for using mobile communication systems, such as the USIM application standardized by ETSI TS 131 102. The file system 613 is the content disclosed in documents such as ETSI TS 102 221.

The eUICC 6 can store applications other than NAA614. This application can include an application 616 related to a service (for example, call control) provided by the MNO to the consumer, and is further provided to the consumer by a service provider (SP: Service Provider) having a business tie-up with the MNO. An application 616 related to a service (for example, M commerce) to be provided can be included. The application 616 related to the SP is stored in the profile in a state associated with the SSD 615 that becomes the SD of the SP that has a business alliance with the MNO.

In eUICC6, storage of a plurality of profiles 610 is permitted, but the number of profiles 610 that can be effectively set is limited to one, and the MNO corresponding to the profile 610 that is effectively set uses eUICC6. Become an available MNO. In FIG. 10, the profile 610a is shown by a solid line and the profile 610n is shown by a broken line, which indicates that the profile 610a is valid and the profile 610n is not. The profile 610 enabled by eUICC6 is changed by the consumer operation in the case of a mobile device for consumers (for example, smart device), and in the case of a mobile device related to IoT (for example, heavy equipment), the instruction of MNO. Is done by.

In this way, in the eUICC 6 that supports remote provisioning, the consumer and the like can change the profile 610, but if the profile 610 is changed, the application 616 included in the profile 610 before the change is also invalidated. Therefore, in the profile 610 before the change. Application 616 cannot be carried over to the modified profile 610. In particular, in the case of the application 616 related to the SP, the MNO installs the application 616 and the SP issues the application 616 to generate an instance. Therefore, the profile of the application 616 in the profile 610 before the change is changed to the profile after the change. Not being able to take over to 610 is a factor that does not easily change the MNO from the consumer side.

Patent Document 1 is an invention in which the application 616 in the profile 610 before the change can be taken over by the profile 610 after the change, and the data related to the application 616 can be transferred from the profile 610 before the change to the profile 610 after the change. It is disclosed in.

Special Table 2018-503313

Remote Provisioning Architecture for Embedded UICC Technical Specification Version 3.2 27 June 2017

According to Patent Document 1, the SD that performs the process of migrating the data related to the application from the profile before the change to the profile after the change is ISD-R, but the SD that installs the application is MNO-SD, so it is issued. The ISD-R may perform processing that exceeds the authority given to the person.

Therefore, an object of the present invention is to make it possible to use the application in the profile before the change in the profile after the change without migrating the data related to the application from the profile before the change to the profile after the change.

The first invention for solving the above-mentioned problems is an operating system in which a common area that can be commonly used by mobile communication operators is set in NVM and has a common area API for accessing the common area, and a mobile communication business. It is provided with a root security domain having a function of managing a profile security domain that stores a profile including a person security domain, and the root security domain has a function of generating the profile security domain in an NVM area that is not set in the common area. The mobile communication operator security domain is characterized in that it has a function of installing an application related to the mobile communication operator in the common area by using the common area API. It is an eUICC. According to the first invention described above, the common area is not included in the area in which the root security domain manages the profile security domain. Therefore, even if the root security domain invalidates or deletes the profile security domain, the application installed in the common area is not invalidated or deleted, and the application in the profile before the change can be used in the profile after the change.

Further, in the second invention, in the eUICC described in the first invention, the profile includes a security domain of a service provider having a business tie-up with a mobile communication operator, and the security domain of the service provider is the common area. It is characterized in that it has a function of writing the issue data of the application related to the service provider to the common area by using the API. According to the second invention described above, even if the root security domain invalidates or deletes the profile security domain, the instance of the application installed in the common area is not invalidated or deleted, and the application in the profile before the change is not invalidated or deleted. Instances can be used in the modified profile.

Further, the third invention sets a common area that can be commonly used by mobile communication operators in NVM, and provides an operating system having a common area API for accessing the common area and a mobile communication operator security domain. It is a method of provisioning an eUICC having a root security domain having a function of managing a profile security domain that stores a profile including the profile, and the profile security is provided in an NVM area where the root security domain is not set in the common area. The feature is that the step a for generating the domain and the step b for installing the application related to the mobile network operator in the common area by using the common area API are included. This is the eUICC provisioning method. The effect according to the third invention is the same as that of the first invention.

Further, in the fourth invention, in the eUICC provisioning method described in the third invention, the profile includes the security domain of the service provider having a business tie-up with the mobile communication operator, and the security domain of the service provider is the same. It is characterized by including step c of writing the issue data of the application related to the service provider to the common area by using the common area API. The effect according to the fourth invention is the same as that of the second invention.

As described above, according to the present invention described above, the application in the profile before the change can be used in the profile after the change without migrating the data related to the application from the profile before the change to the profile after the change.

The figure which briefly explains the architecture related to remote provisioning. Schematic diagram of eUICC. The figure explaining the structure of a profile. The figure explaining the memory map of NVM which eUICC has. The figure explaining the procedure of installing a profile. The figure explaining the memory map of NVM before installing a profile. The figure explaining the memory map of NVM after installing a profile. The figure explaining the publishing procedure of an application. The figure explaining the memory map of NVM after changing a profile. The figure explaining the architecture of eUICC.

From here, an embodiment according to the present invention will be described. The present embodiment is for facilitating the understanding of the present invention, and the present invention is not limited to the present embodiment. Unless otherwise specified, the drawings are schematic drawings drawn to facilitate understanding of the present invention.

FIG. 1 is a diagram for simply explaining the architecture 1 related to remote provisioning. The architecture 1 related to remote provisioning illustrated in FIG. 1 is an eUICC 2 incorporated in a mobile device 5, a provisioning system 3 for remote provisioning, and SP-TSM4, which is a server operated by SP (abbreviation of Service Provider). (Abbreviation for Trusted Service Manager) is included.

The mobile device 5 in which the eUICC2 is incorporated is a device that performs mobile communication, for example, a health device 5a compatible with wireless healthcare that performs mobile communication of health data such as body temperature, blood pressure, and heart rate to a predetermined server. , Not only smart devices 5b such as smartphones and smart watches, but also heavy devices 5c that perform mobile communication of work videos and the like to a predetermined server.

The provisioning system 3 provides profile 23, which is data that aggregates information for using a mobile communication system operated by a mobile communication operator (hereinafter referred to as MNO. MNO is an abbreviation for Mobile Network Operator). It is a system that executes provisioning to write to eUICC2 remotely. The provisioning system 3 illustrated in FIG. 1 includes an MNO-TSM30 which is an MNO server and an SM (abbreviation of Subscription Manager) corresponding to the MNO, and the SM corresponding to the MNO stores the profile 23 of the MNO. It includes SM-SR31 (abbreviation of Secure Routing) that constructs a secure channel between SM-DP32 (abbreviation of Data Preparation) and eUICC2 that is the target of remote provisioning.

FIG. 2 is a schematic configuration diagram of eUICC2. In eUICC2, the operating system 20 of eUICC2 (hereinafter referred to as OS; OS is an abbreviation of Operating System) that operates directly on the hardware 25, and the security domain that operates based on OS20 (hereinafter referred to as SD). SD includes ISD-R21, ECASD24 (abbreviation of eUICC Controlling Authority Security Domain) and at least one ISD-P22 as (abbreviation of Security Domain). ISD-R21 is an SD that functions as a root security domain according to the present invention, and is an abbreviation for Issuer Security Domain Root. Further, ISD-P22 is an SD that functions as a profile security domain according to the present invention, and is an abbreviation for Issuer Security Domain Profile.

In the hardware configuration shown in FIG. 2, the CPU 250 (abbreviation of Central Processing Unit), RAM 252 (abbreviation of Random Access Memory), ROM 251 (abbreviation of Read Only Memory), and NVM26 (abbreviation of Non-volatile memory) are connected to the CPU 250 (abbreviation of Central Processing Unit) via the bus. (Omitted), UART 255 (abbreviation for Universal Asynchronous Receiver / Transmitter), timer 254 and accelerator 253 are connected. The RAM 252 is a volatile memory that serves as the main memory of the eUICC 2, and the ROM 251 is an electrically non-rewritable non-volatile memory. The NVM 26 is an electrically rewritable non-volatile memory. The UART 255 is a circuit that controls communication with the mobile device 5 in which the eUICC 2 is incorporated, the timer 254 is a circuit that measures time, and the accelerator 253 is a circuit that increases the processing speed of cryptographic operations.

OS20 of eUICC2 is software that provides a runtime environment necessary for a computer program written in a specific programming language (for example, JAVA (registered trademark)) to execute.

The OS 20 provides an API (Application Program Interface) for using the hardware 25 for software that operates on the basis of the OS 20. The API provided by the OS 20 includes an API related to cryptographic operations using the accelerator 253, but FIG. 1 illustrates only the common area API 200, which is an API for accessing the common area 260 provided in the NVM 26. ing. The common area 260 is an area that can be used in common by the MNO, and the OS 20 allocates a part of the NVM 26 area to the common area 260.

An SD that operates on the basis of OS20 will be described. Since the ECASD24 illustrated in FIG. 1 is an SD that is not used in the description of the present invention, a detailed description of the ECASD24 is omitted here.

ISD-R21 is the SD of the issuer and is generated at the time of manufacturing eUICC2. The number of ISD-R21s that can be generated in eUICC2 is limited to one. The ISD-R21 has a function of constructing a secure channel with the provisioning system 3 and a function of managing the ISD-P22. The function of managing the ISD-P22 includes a function of generating or deleting the ISD-P22, a function of invalidating or enabling the state of the ISD-P22, and the like.

FIG. 3 is a diagram illustrating the structure of the profile 23. The ISD-P22 is an SD that stores the profile 23 of the MNO corresponding to the ISD-P22. As illustrated in FIG. 3, the profiles 23 stored in the ISD-P22 are MNO-SD230, NAA235 (abbreviation of Network Access Application), POL1233 (abbreviation of Network Access Application), file system 234 and SSD231 (Supplementary Security Domain). ) Is included, and in FIG. 3, application 232 is included.

The application 232 can include the application 232a related to the service provided by the MNO to the consumer, and further, a service provider having a business tie-up with the MNO (hereinafter referred to as SP. SP is an abbreviation for Service Provider). The application 232b related to the service provided to the consumer can be included. The application 232b related to the SP is stored in the profile 23 in a state associated with the SSD 231 that becomes the SD of the SP that has a business alliance with the MNO.

The application 232b of the SP is an application 232 corresponding to the service provided by the SP to the consumer. The service provided by the SP to the consumer generally changes depending on the mobile device 5 on which the eUICC 2 is mounted. When the mobile device 5 on which the eUICC 2 is mounted is a smart device 5b, this service is, for example, a ticket for M commerce or transportation.

To create an instance of application 232, it is necessary to install application 232 and issue application 232. In the present embodiment, the SD for installing the application 232 is the MNO-SD230, and the MNO-SD230 has a function of installing the application 232 included in the profile 23 in the common area 260 by using the common area API 200. .. Further, the SD that issues the application 232 is the SSD 231. The SSD 231 has a function of writing the issue data (for example, personal data) of the application 232 to the common area 260 by using the common area API 200.

FIG. 4 is a diagram illustrating a memory map of NVM26 included in eUICC2. The NVM 26 of the eUICC2 is divided into an OS used area 26a, which is an area used by the OS20, and an SD used area 26b, which is an area used by the SD, by the OS20, and the above-mentioned common area 260 is divided into the SD used area 26b. include.

A part of the program code of the OS 20 and the data of the OS 20 are stored in the OS used area 26a. Most of the program code of the OS 20 is stored in the ROM 251. ISD-R21, ECASD24 and ISD-P22 are stored in the SD used area 26b.

When the ISD-R21 generates the ISD-P22, the ISD-R21 generates a profile area 26c, which is an area for arranging the profile 23, in the SD used area 26b that is not set in the common area 260, and sets the profile 23 to this profile area. Install on 26c. The ISD-R21 is not authorized to use the common area 260 of the NVM 26, and the area to be deleted / invalidated by the ISD-P22 is limited to the profile area 26c. In FIG. 4, a profile area 26c corresponding to one ISD-P22 is generated in the NVM 26, and a profile 23 stored in the ISD-P22 is arranged in the profile area 26c.

As illustrated in FIG. 3, the profile 23 stored by the ISD-P22 includes the MNO-SD230, NAA235, POL1233, file system 234, SSD231 and application 232. The MNO-SD230 is an SD that functions as a mobile communication operator security domain according to the present invention.

The area for storing the MNO-SD230, NAA235, POL1233, the file system 234 and the SSD231 is always the profile area 26c, but in the present embodiment, the area for arranging the application 232 is not limited to the profile area 26c, and the application 232 is It can be arranged in the common area 260 by using the common area API 200 of the OS 20. Since the target area when ISD-R21 invalidates or deletes ISD-P22 is the profile area 26c, by arranging the application 232 in the common area 260, ISD-R21 invalidates or deletes ISD-P22. However, application 232 is not disabled or deleted.

In this way, if the common area 260 is provided in the NVM of the eUICC 2 so that the application 232 can be installed in the common area 260 by using the common area API 200 provided by the OS 20, the MNO is changed and the profile 23 is changed. Even if the application 232 is changed, the application 232 in the common area 260 in the state before the profile 23 is changed can be used in the changed profile 23 without reinstalling the application 232.

When the application 232 is installed in the common area 260, if the installation information of the application 232 is stored in the common area 260, the application 232 in the common area 260 can be accessed even if the profile 23 is changed.

From here, a method of provisioning eUICC2 will be described. FIG. 5 is a diagram illustrating an installation procedure of profile 23 in the provisioning method of eUICC2.

The steps included in the installation procedure of the profile 23 will be briefly described with reference to FIG. When the provisioning system 3 (becomes SM-SR31) receives a trigger related to the installation of profile 23 from an external device or the like (S1), it first constructs a secure channel with ISD-R21 of eUICC2 and installs it. The generation request of ISD-P22 storing the profile 23 to be the target of is transmitted to ISD-R21 (S2). The ISD-R21 of the eUICC2 that has received the generation request of the ISD-P22 generates the ISD-P22 in the NVM26 (S3). By generating the ISD-P22 in the NVM 26, the profile area 26c in which the profile 23 to be installed is arranged is secured in the NVM 26.

Next, the provisioning system 3 (which becomes SM-DP32) constructs a secure channel with the ISD-P22 generated in the eUICC 2 and transmits an installation request for the profile 23 to be stored in the ISD-P22 to the ISD-P22. (S4), the ISD-P22 installs the profile 23 in the profile area 26c by writing the profile 23 included in the installation request in the profile area 26c (S5).

Since the profile 23 is disabled at the time of installation, the provisioning system 3 (becomes SM-SR31) sends an activation request for the installed profile 23 to the ISD-R21 of the eUICC2 (S6). The ISD-R21 of the eUICC2 effectively sets the state of the ISD-P22 storing the installed profile 23 (S7), and the procedure of FIG. 5 ends.

FIG. 6 is a diagram for explaining the memory map of the NVM 26 before the profile 23 is installed, and FIG. 7 is a diagram for explaining the memory map of the NVM 26 after the profile 23 is installed. As illustrated in FIG. 6, before the profile 23 is installed, the ISD-P22 for storing the profile 23 is not generated in the NVM 26, and when the procedure of FIG. 5 is executed and the profile 23 is installed, the profile 23 is installed. ISD-P22 is generated in NVM26. Since the MNO-SD230 has the authority to install the application 232, the application 232 is not included in the profile 23 when the profile 23 is installed.

Next, the steps included in the issuing procedure of the application 232 will be briefly described. FIG. 8 is a diagram illustrating a procedure for issuing application 232 in the provisioning method of eUICC2.

When the profile 23 is installed in the eUICC 2, the mobile device 5 incorporating the eUICC 2 confirms the application 232 included in the installed profile 23 (S10). The mobile device 5 incorporating the eUICC 2 branches the processing of the application 232 according to the confirmation result (S11). If the application 232 used in the mobile device 5 is not included in this profile 23, a trigger related to the installation of the SP application 232 is transmitted to the SP-TSM4 corresponding to the application 232 (S12), and the profile 23 is sent. If this application 232 is included, this procedure ends (S11a). When the mobile device 5 incorporating the eUICC 2 is a smart device, the UI (UI: UI:) implemented in the smart device is used to confirm the application 232 included in the profile 23 and to send a trigger related to the installation of the application 232. User Interface) is used.

Upon receiving the trigger related to the installation of the application 232, the SP-TSM4 instructs the provisioning system 3 (here, the MNO-TSM30) to install the application 232 (S13). The provisioning system 3 (here, MNO-TSM30) establishes a secure channel with the MNO-SD230 included in the profile 23 (which becomes the installed profile 23) that is set to the valid state at this time. , The installation request of the application 232 is transmitted to the MNO-SD230 (S14), and the MNO-SD230 writes the application 232 received from the provisioning system 3 (here, the MNO-TSM30) to the NVM26 and installs the application 232 to the eUICC2. (S15). In this embodiment, the area in which the application 232 is arranged can be specified in the installation request of the application 232. When the area for arranging the application 232 is specified in the common area 260 in the installation request of the application 232, the MNO-SD230 installs the application 232 in the common area 260 by using the common area API 200 provided by the OS 20. .. By executing the steps so far, the application 232 is installed in the common area 260 as shown in FIG.

When the installation of the application 232 is completed, the MNO-SD230 notifies the provisioning system 3 (here, MNO-TSM30) of the completion of the installation of the application 232 (S16), and the provisioning system 3 (here, MNO-TSM30) is notified. Transfer the installation completion of application 232 to SP-TSM4 (S17). The SP-TSM4 constructs a secure channel with the SSD 231 included in the profile 23 set to the valid state at this time, and transmits a request for issuing the application 232 to the SSD 231 (S18). The SSD 231 issues the application 232 by writing the issuance data included in the issuance request of the application 232 received from the SP-TSM4 to the NVM 26 (S19), and the procedure of FIG. 8 ends. When the application 232 is installed in the common area 260, the SSD 231 writes the issue data included in the issue request of the application 232 to the common area 260, and an instance of the application 232 is generated in the common area 260.

FIG. 9 is a diagram illustrating a memory map of the NVM 26 after changing the profile 23. In FIG. 9, the profile 23a and the profile 23b are installed, and the profile 23b installed after the profile 23a is valid. Since the application 232 is installed in the common area 260 when the profile 23a is installed, the application 232 included in the profile 23a remains as it is even in the changed profile 23b without reinstalling the application 232. It can be used in the state of.

1 Architecture for remote provisioning 2 eUICC
20 operating system 20
21 ISD-R
22 ISD-P
23 Profile 230 MNO-SD
231 SSD
232 Application 26 NVM
260 Common Area 3 Provisioning System 30 MNO-TSM
31 SM-SR
32 SM-DP
4 SP-TSM
5 Mobile devices

Claims (4)

A common area that can be commonly used by mobile network operators is set in NVM, and an operating system that has a common area API for accessing the common area and profile security that stores a profile including the mobile network operator security domain. It has a root security domain that has the function of managing the domain.
The root security domain has a function of generating the profile security domain in an NVM area that is not set in the common area.
The mobile network operator security domain has a function of installing an application related to the mobile network operator in the common area by using the common area API.
The eUICC is characterized by that. The profile includes a security domain of a service provider that has a business tie-up with a mobile communication operator, and the security domain of the service provider uses the common area API to issue data of the application related to the service provider. The eUICC according to claim 1, wherein the eUICC has a function of writing the above-mentioned common area. A common area that can be commonly used by mobile network operators is set in NVM, and an operating system that has a common area API for accessing the common area and profile security that stores a profile including the mobile network operator security domain. A method of provisioning an eUICC with a root security domain that has the ability to manage domains.
Step a, in which the root security domain generates the profile security domain in an NVM area that is not set in the common area,
Step b in which the mobile network operator security domain installs an application related to the mobile network operator in the common area using the common area API.
An eUICC provisioning method comprising. The profile includes a security domain of a service provider that has a business tie-up with a mobile communication operator, and the security domain of the service provider uses the common area API to issue data of the application related to the service provider. The eUICC provisioning method according to claim 3, further comprising step c of writing the above in the common area.