KR102007706B1 - User Equipment with Embedded UICC, Service Providing Method by MNO System and Subscription Manager linked with the User Equipment - Google Patents

User Equipment with Embedded UICC, Service Providing Method by MNO System and Subscription Manager linked with the User Equipment Download PDF

Info

Publication number
KR102007706B1
KR102007706B1 KR1020120075959A KR20120075959A KR102007706B1 KR 102007706 B1 KR102007706 B1 KR 102007706B1 KR 1020120075959 A KR1020120075959 A KR 1020120075959A KR 20120075959 A KR20120075959 A KR 20120075959A KR 102007706 B1 KR102007706 B1 KR 102007706B1
Authority
KR
South Korea
Prior art keywords
information
euicc
mno
identification information
terminal
Prior art date
Application number
KR1020120075959A
Other languages
Korean (ko)
Other versions
KR20130009659A (en
Inventor
이형진
이승열
이정형
김관래
박철현
이진형
Original Assignee
주식회사 케이티
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 케이티 filed Critical 주식회사 케이티
Publication of KR20130009659A publication Critical patent/KR20130009659A/en
Application granted granted Critical
Publication of KR102007706B1 publication Critical patent/KR102007706B1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/18Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W60/00Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present invention provides a mobile communication service provider and a UICC manufacturing business using credential information (for example, Ki (Subscriber Key) and OPc (Operator Constant), etc.) used to change information of an embedded UICC (eUICC). By encrypting with a separate transmission key value that only the user knows, the authority of the SM is partially restricted, and the order of the terminal is made by using the virtual identification information (Virtual IMSI, Virtual IMEI, etc.) distinguished from the real subscriber information. It is to provide a way to carry out procedures such as closing, closing, and reopening.

Description

A terminal having a built-in VIC, and a method of providing a service of the MNO system and the SM linked thereto {User Equipment with Embedded UICC, Service Providing Method by MNO System and Subscription Manager linked with the User Equipment}

The present invention relates to a terminal having a built-in UICC, and a service providing method of an MNO system and an SM linked thereto.

A UICC (Universal Integrated Circuit Card) is a smart card that can be inserted into a terminal and used as a module for user authentication. The UICC may store the personal information of the user and the operator information on the mobile communication provider to which the user subscribes. For example, the UICC may include an International Mobile Subscriber Identity (IMSI) for identifying a user. The UICC is also called a Subscriber Identity Module (SIM) card in the case of the Global System for Mobile communications (GSM) scheme, and a Universal Subscriber Identity Module (USIM) card in the case of the Wideband Code Division Multiple Access (WCDMA) scheme.

When the user mounts the UICC on the user's terminal, the user is automatically authenticated using the information stored in the UICC so that the user can conveniently use the terminal. In addition, when the user replaces the terminal, the user can easily replace the terminal by mounting the UICC removed from the existing terminal to a new terminal.

Terminals requiring miniaturization, for example, terminals for machine-to-machine (M2M) communication, have difficulty in miniaturization of terminals when manufactured in a structure capable of detachable UICC. Thus, an embedded UICC (Embedded UICC) structure has been proposed, which is a removable UICC. In the built-in UICC, user information using the UICC should be recorded in IMSI format.

The existing UICC can be attached to or detached from the terminal, and the user can open the terminal regardless of the type of terminal or the mobile communication provider. However, from the time of manufacturing the terminal, the manufactured terminal can be assigned an IMSI in the embedded UICC only when the premise that the terminal is used only for a specific mobile communication provider is satisfied. Both mobile operators and terminal manufacturers ordering terminals have no choice but to pay attention to product inventory, which leads to a problem that product prices rise. The user is inconvenient to change the mobile operator for the terminal. Therefore, even in the case of the built-in UICC, a method for allowing a user to open the terminal regardless of the mobile communication provider is required.

Meanwhile, recently, due to the introduction of the built-in UICC, there is a need to update subscriber information of various mobile communication providers from the remote to the UICC. Accordingly, a subscription management device (hereinafter referred to as "SM") for subscriber information management is provided. Is being discussed.

These SMs are mainly discussed as being responsible for information management on the embedded UICC, information management on various telecommunication carriers, authentication on remote carriers, and remote information changes. It has not been determined yet.

An object of the present invention is to provide an apparatus and method for a built-in UICC that can be opened, terminated, re-opening of the terminal can be universally executed without dependence on the mobile communication provider.

Another object of the present invention is to define the function of the SM in the entire communication system using the built-in UICC.

Another object of the present invention is to provide a method for encrypting and transmitting authentication key information by using a separate transmission key value known only to mobile communication providers and UICC manufacturers in the process of opening or terminating the terminal.

It is another object of the present invention to provide only credential information (for example, Ki (Subscriber Key) and OPc (Operator Constant), etc., which are used as an authentication key) for changing information of the UICC. By encrypting with a known separate transmission key value, it is to provide a technique for partially restricting the authority of the SM.

In addition, another object of the present invention is to perform a procedure such as ordering, opening, closing, reopening, etc. of the terminal using virtual identification information (Virtual IMSI, Virtual IMEI, etc.) distinguished from actual subscriber identification information (Real Subscription Information). It is to provide a way to.

An embodiment of the present invention is an MNO system for providing a communication service to a terminal in conjunction with a subscription manager (SM) and an eUICC-containing terminal, wherein a transmission key index is assigned and each transmission key index has a unique transmission key value having a predetermined length. Transmission key management unit for storing and managing the assigned transmission key table, and encrypted authentication key information (Ki (Encrypted), Opc (Encrypted)) received from the outside (SM or donor MNO) during the eUICC ordering process and MNO change process MNO including a credential information decoding unit for decoding the information into a corresponding transmission key value, and an OTA management unit for generating an OTA message instructing conversion between the virtual identification information of the eUICC and the actual identification information in a service subscription and termination procedure, and transmitting the generated OTA message to the terminal. Provide a system.

According to another embodiment of the present invention, after receiving an OTA message from an embedded Universal Integrated Circuit Card (eUICC) and an MNO system during a subscription process, the virtual identification information stored in the eUICC is converted into actual identification information, and service cancellation or Provided with a terminal including an eUICC management unit for receiving the OTA message in the eUICC initialization procedure and converts the actual identification information into virtual identification information.

Another embodiment of the present invention is a method of providing a service of a subscription manager (SM) that manages the eUICC in association with one or more MNO systems and a terminal including an eUICC, which is transmitted from an MUI system ordering an eUICC during an order and supply process of an eUICC. Receiving the first ordering information (Input File 1) including the key index (TKI-1), generating the second ordering information (Input File 2) by allocating virtual identification information for each eUICC, and then providing the eUICC supply system. Or output information including credential information encrypted by a transmission key value corresponding to the transmission key index from an eUICC supply system or a device vendor system, from a device vendor. ) Provides a service providing method of the SM comprising the step of receiving and transmitting to the corresponding MNO system.

Another embodiment of the present invention is a method of providing a service of a subscription manager (SM) that manages the eUICC in association with at least one MNO system and a terminal including an eUICC, and in a temporary opening process, receives a subscription request from a MNO system to a specific eUICC. It provides a method for providing a service of the SM comprising the step of receiving the mapping information of the virtual identification information and the actual identification information, and mapping the virtual identification information and the actual identification information for the corresponding eUICC.

Another embodiment of the present invention is a service providing method of a SM (Subscription Manager) for managing the eUICC in conjunction with one or more MNO system and eUICC terminal, in the process of location registration and opening through the virtual identification information, the virtual from the terminal Receiving a location registration request message including identification information, extracting actual identification information corresponding to the virtual identification information, and transmitting a message including the extracted actual identification information to a corresponding MNO system; Provides a method of providing a service of a containing SM.

Another embodiment of the present invention is a method of providing a service of a subscription manager (SM) that manages the eUICC in association with at least one MNO system and a terminal including an eUICC, and during the MNO change process, whether the corresponding eUICC can be opened from a new MNO system; Receiving a query message, transmitting an open response message including donor MNO information to the new MNO system, and transmitting defined between the old MNO and the new MNO from the new MNO system; The present invention provides a service providing method of an SM including receiving a credential information request message including a key index and transmitting the credential information request message to an MNO system before a change of an eUICC.

Another embodiment of the present invention is a service providing method by an MNO system that provides a communication service to a terminal in conjunction with a subscription manager (SM) and an eUICC-containing terminal, and in the opening process, virtual identification information of a specific eUICC from the SM. Receiving an OTA transmission request message containing a; and generating an OTA message for changing the virtual identification information of the eUICC to the actual identification information, and encrypting the OTA message with an authentication key, the terminal including the corresponding eUICC or It provides a service providing method of the MNO system comprising the step of transmitting to.

Another embodiment of the present invention is a service providing method by an MNO system that provides a communication service to a terminal in conjunction with a subscription manager (SM) and an eUICC, and includes actual identification information in a process of canceling or canceling a subscription. Receiving a cancellation request message, generating an OTA message for initializing by changing the actual identification information stored in the eUICC of the termination request terminal to virtual identification information, and transmitting the generated OTA message to the corresponding terminal; A service providing method of an MNO system including transmitting a cancellation information registration request message to an SM is provided.

Another embodiment of the present invention is a method of providing a service of a subscription manager (SM) that manages the eUICC in association with one or more MNO systems and an eUICC-containing terminal, wherein the SM is an eUICC provider system in an order and supply process of an eUICC. Or receiving first ordering information (Input File 1) including transmission key index (TKI-1) information from an eUICC-equipped terminal provider system, and assigning virtual identification information to each eUICC to generate second ordering information (Input File 1). 2) generating and providing the information from the eUICC provider system or the eUICC-equipped terminal provider system, and the credential information encrypted by the transmission key value corresponding to the transmission key index from the eUICC provider system or the eUICC-equipped terminal provider system. It provides a service providing method of the SM comprising the step of receiving the output information (Output File) including.

Another embodiment of the present invention is a method of providing a service of a subscription manager (SM) that manages the eUICC in association with at least one MNO system and a terminal including an eUICC, in which a service is released by the SM in a service cancellation or subscription cancellation process. Receiving an eUICC initialization request message including actual identification information of an eUICC from an MNO system, generating and transmitting an eUICC initialization OTA message for initializing the eUICC to a terminal, and a termination information registration request signal from the MNO system; After receiving the, the service providing method of the SM comprising the step of updating and managing the information of the corresponding eUICC to the terminated state.

Another embodiment of the present invention is a method of providing a service of a subscription manager (SM) that manages the eUICC in association with at least one MNO system and a terminal including an eUICC, wherein the SM changes the corresponding eUICC from a new MNO system. Receiving an openness query message of a; and Sending an openable response message containing information indicating the availability of the eUICC to a new MNO system, Defined between the new MNO and itself from the new MNO system Receiving an authentication key information request message including the transmitted transmission key index value, extracting a transmission key value corresponding to the transmission key index value, encrypting the credential information using the authentication key request response message; Providing a service providing method of the SM including the step of transmitting to the new MNO system All.

1 illustrates a UICC ordering procedure according to the prior art.
Figure 2 shows the opening and closing process according to the prior art.
3 shows an example of a mapping table of a transport key index TKI and a transport key value TKV used in the present invention.
Figure 4 shows the flow of the eUICC ordering and supply process according to an embodiment of the present invention.
5 is a flowchart illustrating a closing opening process according to an embodiment of the present invention.
6 illustrates a process of registering a location and changing actual identification information through virtual identification information according to an embodiment of the present invention.
7 is a flowchart illustrating a service termination or opening termination process of a terminal according to an embodiment of the present invention.
8 is a flowchart illustrating an MNO change process according to an embodiment of the present invention.
9 is a block diagram illustrating an internal configuration of an MNO system according to an embodiment of the present invention.
10 illustrates an eUICC ordering and supplying process according to a second embodiment of the present invention.
11 is a flowchart of a service termination or opening termination process according to the second embodiment of the present invention.
12 is a flowchart of an MNO change process according to a second embodiment of the present invention.
13 to 15 illustrate examples of mapping tables of a transport key index (TKI) and a transport key value (TKV) used in the second embodiment of the present invention, and are managed by SM, eUICC provider, and MNO, respectively. This is an example of a table.

Hereinafter, some embodiments of the present invention will be described in detail through exemplary drawings. In adding reference numerals to the components of each drawing, it should be noted that the same reference numerals are assigned to the same components as much as possible even though they are shown in different drawings. In addition, in describing the present invention, when it is determined that the detailed description of the related well-known configuration or function may obscure the gist of the present invention, the detailed description thereof will be omitted.

M2M (Machine-to-Machine) terminal, which is actively discussed in the current GSMA, should be small in size. In the case of using the existing UICC, a module for attaching the UICC to the M2M terminal must be separately inserted. If the M2M terminal is manufactured, it is difficult to miniaturize the M2M terminal.

Therefore, an embedded UICC structure that is not detachable from the UICC is being discussed.In this case, the embedded UICC mounted on the M2M terminal includes information on a mobile network operator (hereinafter referred to as 'MNO') that uses the corresponding UICC. Must be stored in the UICC in the form of an International Mobile Subscriber Identity (IMSI).

However, since the terminal manufactured from the time of manufacturing the M2M terminal can be assigned IMSI in the built-in UICC only if the premise that the terminal is used only in a specific MNO is established, both the M2M terminal or the MNO ordering the UICC or the M2M manufacturer manufacturing the M2M terminal have a lot of product inventory. There is a problem that the allocation of nerves and product prices will rise, which is a serious obstacle to the expansion of M2M terminals.

On the other hand, if there is no built-in UICC and SM, a specific MNO describes a number of procedures according to the current technology that is dedicated to the management of ordering, opening, etc. of the UICC as follows.

1 shows a UICC ordering procedure according to the prior art, which is made between a UICC manufacturing system and an MNO.

First, if the MNO needs to order UICC for the operator, it generates UICC ordering information (INPUT FILE). The MNO registers the ordering information (INPUT FILE) in the UICC ordering / delivery system, and instructs the UICC manufacturer to connect to the ordering system to check the ordering information to manufacture and deliver the UICC.

Next, the UICC manufacturer manufactures the UICC based on the UICC ordering information (INPUT FILE) received from the MNO, encrypts the unique information (ICCID / IMSI / Ki / OPC, etc.) of the manufactured UICC, and outputs the output file (OUTPUT FILE). ) And upload the corresponding output file to MNO's UICC ordering / delivery system.

On the other hand, when the output file (OUTPUT FILE) generated by the UICC manufacturer is loaded into the UICC ordering system of the MNO, and delivers the information to the MNO business computer network, and also transmits the information to the MNO's OTA server.

Here, the information included in the order information (Input File) and the output file (Output File) may be as follows.

The main parameters included in the ordering information include ordering quantity, card (UICC) profile information, card specification information, 3GOp for encryption, transport_key for encryption, ICCID start number (ex: 898230011101602413), IMSI start number ( For example, 450081020012345).

The main parameters included in the output file include the number of UICC ordering requests, the number of UICC manufactured, whether the individual information and recorded information of the manufactured UICC are encrypted, ICCID (ex: 898230011101602413), IMSI (ex: 450081020012345), encrypted USIM_Ki (32 Digit Hexa value), encrypted USIM_Opc (which may be a 32-digit Hexa value), and the like.

In the above description, IMSI means International Mobile Subscriber Identity, Ki (Subscriber Key) and OPc (Operator Constant) as Authentication Key, and ICCID is Integrated Circuit Card Identity. Means.

Figure 2 shows the opening and closing process according to the prior art.

This opening and closing is made between the customer (terminal), MNO distributor system, MNO sales network, MNO HLR (Home Location Register), MNO AuC (Authentication Center), the detailed procedure is as follows.

The customer (terminal) decides to use the service of the MNO and purchases the MNO's UICC (the purchased UICC stores the IMSI of the MNO). After determining the customer's number, the distributor sends the opening request using the ICCID, the ID of the UICC purchased by the customer, and the number determined by the customer through the MNO sales network.

The MNO business computer network provides IMSI and authentication keys that are mapped to the ICCID of the UICC purchased by the customer to related equipment such as MNO HLR / AuC. This is called provisioning.

Once provisioning is complete, the customer is placed in an open state.

After the formal opening is carried out in the following process.

When the temporary opening is completed, for the final opening, the specific information of the UICC is changed through the UICC card reader of the dealer or through the above process, the specific information of the UICC is changed in the OTA (Over The Air) method.

When the customer installs the UICC on the mobile equipment to receive the OTA and turns on the power, the authentication and location registration process is performed through MNO AuC / HLR using the IMSI stored in the UICC. In this case, the OTA transmission request of the distributor is transmitted to the OTA server via the MNO business computer network, and the OTA server generates an OTA message using the UICC information (OUTPUT FILE information) that is held and delivers it to the customer. Of course, in this case, the UICC information may not be stored in the OTA server, but may be implemented in the form of receiving information by querying the MNO business computer network.

According to various requirements of the MNO during the OTA process, when there is no specific information of the UICC, it may be informed that the terminal screen needs to be opened.

On the other hand, service cancellation or subscription can be performed by the following process.

When the customer decides to terminate the service, the dismissal request is forwarded to the MNO sales network, including the customer's ICCID and customer number. The MNO business network checks the customer's information and sends an order to the relevant equipment to delete the subscriber's information or change the status to revoked. Upon receipt of a response from all relevant equipment, the termination is complete.

On the other hand, as described above, due to the recent introduction of the built-in UICC, there is a need to update the subscriber information of various mobile communication providers from the remote to the UICC, according to the subscription management device (Subscription Manager; 'Is discussed.

Before describing the present invention, terms first used in the present specification will be described.

A mobile network operator (MNO) refers to a mobile communication operator, and refers to an entity that provides a communication service to a customer through a mobile network.

A subscription manager (SM) is a subscription management device and performs a management function of a built-in UICC.

eUICC Supplier means a person who supplies embedded UICC module and embedded software (firmware and operating system, etc.).

Ordering information 1 or input file 1 means input information or ordering information exchanged between MNO and SM, and output file 1 means output information exchanged between MNO and SM.

Ordering information 2 or Input File 2 means input information or ordering information exchanged between the eUICC provider and SM, and output file 2 means output information exchanged between the eUICC provider and SM.

TKI means transport key index, and TKV means transport key value. In particular, TKI-1 and TKV-1 mean transport key index and transport key value defined between MNO and SM. TKI-2 and TKV-2 mean a transport key index and a transport key value defined between MNOs.

The virtual identification information may include a virtual IMSI and / or a virtual MSISDN (Mobile Subscriber ISDN Number), which is a virtual IMSI generated by the SM and all MNOs and international SS7 carriers are virtual IMSI around the system. Insert / MSISDN. The virtual MSISDN means a virtual MSISDN generated by the SM.

The actual IMSI means the actual IMSI after completing the subscription procedure of the M2M terminal having the built-in UICC, and is defined according to the policy of the MNO. The actual MSISDN means the actual MSISDN after completing the subscription procedure of the M2M terminal having the built-in UICC, and is defined according to the user's selection.

Device Vendor includes a device's provider, in particular a wireless modem function via a mobile network driven by the MNO, and consequently means a supplier of a device requiring a UICC (or eUICC) form.

Provisioning refers to the process of loading a profile into the built-in UICC, and the provisioning profile refers to the profile used by the device to connect to the communication network for the purpose of provisioning other provisioning profiles and operation profiles.

Subscription means a commercial relationship for providing a service between a subscriber and a wireless communication service provider.

According to an embodiment of the present invention, the MNO and the eUICC provider manages a transmission key value (TKV) and a transmission key index (TKI) information capable of encrypting credential information such as an authentication key. It includes a configuration for transmitting only the corresponding transport key index in accordance with the request in the process of ordering / supply and opening, MNO change, and the like.

Specifically, the SM receives first ordering information (Input File 1) including the transmission key index (TKI-1) from the MNO system that ordered the embedded UICC during the ordering and supply of the embedded UICC, Generating virtual order information (Input File 2) by assigning virtual identification information for each built-in UICC and providing it to the eUICC supply system or device provider (M2M Device Vendor), and the eUICC supply system or device provider (M2M Device Vendor) And receiving an output file including the credential information encrypted by the transmission key value corresponding to the transmission key index from the system and delivering the output file to the corresponding MNO system.

As an example of the credential information encrypted by the transmission key value, it may be a subscriber key (Ki), an operator constant (OPc), or the like, which is an authentication key.

In addition, the SM may receive mapping information of virtual identification information (virtual IMSI, etc.) and actual identification information (actual IMSI, etc.) with respect to a specific eUICC from the MNO system receiving a subscription request of the terminal in the provisional opening process; The virtual identification information (virtual IMSI, etc.) and the actual identification information (actual IMSI, etc.) may be mapped and stored.

The SM may further include receiving a location registration request message including the virtual identification information from the terminal in the location registration and opening process through the virtual identification information, extracting actual identification information corresponding to the virtual identification information; And transmitting a message including the extracted actual identification information to a corresponding MNO system. In addition, the SM may include transmitting a location registration completion notification to the corresponding MNO system after location registration through the virtual identification information.

In the opening process, the MNO system receives an OTA transmission request message including the virtual identification information of a specific eUICC from the SM, and generates an OTA message for changing the virtual identification information of the eUICC into the actual identification information. And encrypting the OTA message with an authentication key and transmitting the encrypted OTA message to a corresponding eUICC or a terminal including the same.

Meanwhile, in the process of service termination or subscription termination, the MNO system receives a termination request message including actual identification information, and an OTA message for initializing the virtual identification information by changing the actual identification information stored in the eUICC of the termination request terminal. Generating and transmitting to the terminal, and transmitting a cancellation information registration request message including the information of the eUICC to the SM. The SM receiving the termination information registration request message from the MNO system manages the corresponding eUICC or the terminal in the terminated state, that is, the initialized state. In this case, the virtual identification information for the corresponding eUICC is still managed, but the actual identification information before the termination Is after deleting.

In addition, during the MNO change process, the SM receives an eUICC openness query message from the new MNO system, and transmits an openable response message including the MNO information before the change to the new MNO system; Receiving a credential information request message including a transmission key index defined between the old MNO and the new MNO from an MNO system, and transmitting the credential information request message to the MNO system before the change of the corresponding eUICC; It may include. In addition, during the MNO change process, the MNO system before the change may encrypt the credential information using the transmission key value corresponding to the transmission key index included in the credential information request message and transmit the encrypted information to the new MNO system.

3 shows an example of a mapping table of a transport key index TKI and a transport key value TKV used in the present invention.

The transport key index and transport key value mapping table is shared between the MNO and the eUICC provider. The transport key index is assigned to each MNO or eUICC provider, and each transport key index is assigned a unique transport key value of a certain length.

In particular, the mapping table managed by each MNO defines transport key indexes and transport key values for each MNO and eUICC provider other than itself, and the mapping table managed by each eUICC provider provides each MNO for all MNOs dealing with it. The transport key index and transport key value are defined for each.

The upper table of FIG. 3 shows an example of a transport key index and a transport key value mapping table managed by MNO1. A transport key index of 1 to 1000 and a unique transport key value corresponding thereto are defined for MNO2, and eUICC is defined. For the provider 1 and the eUICC provider 2, the transport key index and the corresponding transport key value are defined in the same format.

The lower table of FIG. 3 shows an example of a transport key index and transport key value mapping table managed by eUICC provider 1, and defines a transport key index from 1 to 1000 and a corresponding transport key value corresponding to MNO1 and MNO2. It is. (The mapping table managed by the eUICC provider does not need to define transport key information for other eUICC providers.)

These MKI and eUICC providers create and manage the mapping table of the transport key index (TKI) and transport key value (TKV), and correspond to the transport key index when there is a request from the SM during the eUICC ordering process and MNO change. It is used to encrypt the authentication key (Ki, Opc, etc.) with the transmission key value and transmit it to the SM or new MNO system. The detailed process is described separately below.

Figure 4 shows the flow of the eUICC ordering and supply process according to an embodiment of the present invention.

The eUICC ordering and supplying process is performed between the eUICC provider system or the M2M terminal vendor system, the MNO system and the SM.

First, after the MNO system decides to purchase an eUICC or M2M terminal, the MNO system registers the ordering information with the corresponding eUICC provider system, and uploads the first ordering information (Input File 1) to the SM. (S410) A first transmission to the SM In addition to the eUICC provider information, the order information includes transport key index information for the corresponding eUICC provider managed by the MNO.

Next, the SM generates second order information (Input File 2) including virtual identification information on the eUICC based on the first order information and transmits the second order information (Input File 2) to the eUICC provider system. (S420, 430) The purchase quantity, the MNO information of the place of purchase, and the virtual identification information allocated by the SM may be included, and the transmission key index information (transmission key index corresponding to the corresponding MNO and eUICC provider) transmitted by the MNO may be included.

After receiving the second ordering information, the eUICC provider system generates an output file and transmits it to the SM after manufacture of the eUICC. (S440, 450) The output file is encrypted with a transmission key value corresponding to the corresponding transmission key index. Credential information may be included, and as an example of the credential information, Ki (Encrypted), which is encrypted Ki, or Opc (Encrypted), which is an encrypted Opc value, may be used.

On the other hand, the SM can deliver the output file received from the eUICC provider system back to the MNO system, and the SM manages the output file.

The MNO system that has received the output file from the SM already has a known transport key value (the transport key index and transport key value mapping table for the eUICC provider is already known. After decrypting the authentication key information such as Ki, Opc, etc., the eUICC information is stored and managed in the DB.

Hereinafter, the information included in the first and second ordering information (Input File1, 2) and the output file will be described.

In addition to the transmission key index information (for example, 901, etc.), which is a feature of the present invention, the first ordering information (Input File 1) includes purchase quantity, purchaser MNO information, M2M terminal specification information, M2M device supplier information, 3GOp information, and the like. It may include, but is not limited to.

In addition, the second ordering information (Input File 2) includes IMEI start information (Start IMEI), start information of virtual IMSI, start information of virtual MSISDN as transmission key index information and virtual identification information, which are features of the present invention. (Start Virtual MSISDN) and the like. In addition, the second order information may include all the information included in the first order information as it is.

Meanwhile, the output file includes the USIM Ki value encrypted with the corresponding transmission key value, the encrypted USIM Opc value, etc. together with the virtual identification information such as IMEI information, virtual IMSI information, and virtual MSISDN information for each eUICC as shown below. This includes.

Figure 112012055732357-pat00001

5 is a flowchart illustrating a closing opening process according to an embodiment of the present invention.

The MNO system receives the M2M terminal opening request from the user, and registers the opening request information in the associated equipment by using the output file information in the DB (S510). The M2M terminal opening information may include actual identification information (actual MSISDN, etc.) and a product unique number.

After the MNO system goes through the subscriber creation request and response process (S520) via the internal home location register (HLR) and the authentication center (AuC), the mapping information of the virtual identification information (virtual IMSI) and the actual identification information (real IMSI) Create and transmit to SM (S530)

Then, the SM maps and stores the virtual identification information (virtual IMSI) and the actual identification information (real IMSI) for the corresponding eUICC or M2M terminal (S540), and transmits a response signal thereto to the MNO system (S550).

Through this, the opening and closing of the corresponding eUICC or M2M terminal is completed.

6 illustrates a process of registering a location and changing actual identification information through virtual identification information according to an embodiment of the present invention.

The process of FIG. 6 may be a provisioning process in the sense of loading a profile into an eUICC.

When the power is turned on in the terminal where the temporary opening is completed, a location registration request to the SM via an arbitrary MNO SGSN (Packet Switching Support Node) and / or STP (Signal Transfer Point) (MAP-SAI) This is transmitted (S610). The location registration request message of S610 is a message for requesting location registration by using virtual identification information, and may include virtual IMSI information.

After receiving the location registration request message, the SM converts the virtual identification information (virtual IMSI) into the actual identification information (real IMSI) using the managed information and transmits the location registration request message back to the MNO system (S620, 630). ).

The MNO system (in particular, MNO AuC) performs an authentication procedure and a location registration process for the terminal between the terminal or any MNO SGSN. (S640) Meanwhile, the MNO system (particularly, MNO AuC) is the terminal or any In the location registration process between the MNO SGSN, a MAP-UGL message, a MAP-ISD message including virtual identification information (virtual IMSI), and a response signal thereof may be used.

In addition, the authentication and location registration process in the S640 is preferably performed via the SM. More specifically, authentication and location registration (MAP-UGL request including virtual IMSI) is performed using virtual identification information between any MNO SGSN and SM, and location registration is performed using actual identification information between SM and MNO system. Can be performed (such as a MAP-UGL request with actual IMSI).

When the location registration using the virtual IMSI is completed, the SM notifies the corresponding MNO system of the location registration completion, and transmits an OTA message transmission request including the virtual IMSI information to the corresponding MNO system (S650). In addition to the identification information, actual identification information (actual IMSI), arbitrary MNO SGSN gateway information serving as an OTA transmission path, and the like may be included.

The MNO system (especially the MNO OTA server) receiving the OTA message transmission request from the SM receives the virtual identification information (virtual IMSI, virtual MSISDN, etc.) of the eUICC so that the corresponding eUICC or the terminal can receive the service from the MNO. An OTA message that can be changed to an actual IMSI, an actual MSISDN, etc.) is generated and transmitted to the corresponding terminal (via the MNO SGSN gateway) (S660). The OTA message may be encrypted by using a known authentication key (Ki, Opc, etc.) by decrypting the transmission key value.

The MAP-MT FWD SM message may be used to transmit the OTA message, and the message may include, but is not limited to, virtual IMSI, OTA TPDU information, and actual identification information (real IMSI, real MSISDN).

Receiving the OTA message, the eUICC or the terminal decrypts the OTA message by using an already known authentication key and updates the virtual identification information (virtual IMSI, virtual MSISDN) inside the eUICC with the actual identification information (real IMSI, real MSISDN). (S670)

When this process is completed, the terminal proceeds to register the location using the actual identification information (actual IMSI) after rebooting, and this process may be performed in the same manner as in the conventional method, and thus a detailed description thereof will be omitted.

In addition, when the step S670 is completed, the SM updates and manages the information of the corresponding eUICC while the virtual identification information of the corresponding terminal or the eUICC is changed to the actual identification information and the opening is completed in the corresponding MNO.

7 is a flowchart illustrating a service termination or opening termination process of a terminal according to an embodiment of the present invention.

After the MNO CCBS system (Customer Care and Billing System) receives the service cancellation request from the terminal or the user (S710), check whether the service can be released (subsidies contract completion, fee overdue, etc.) and if the service can be released MNO The eUICC initialization request message for transmitting the OTA message for initializing the eUICC is transmitted to the OTA server (S720). The eUICC initialization request message may include virtual identification information (virtual IMSI, virtual MSISDN), actual identification information (real IMSI, MSISDN), and the like.

The MNO OTA server internally performs authentication through a home location register or an authentication center, and then generates and transmits an eUICC initialization OTA message for initializing the eUICC to the terminal. (S730) Of course, the eUICC initialization OTA message is generated by the terminal and the MNO. You can encrypt with a known authentication key (Ki, Opc).

After decoding the received eUICC initialization OTA message, the terminal proceeds with the initialization by updating the actual identification information (IMSI, MSISDN) stored in the eUICC back to the virtual identification information (S740). Of course, the initialization completion response can be sent to the MNO side after the initialization.

When the termination is completed, the MNO system deletes the internal subscriber information (actual IMSI, etc.), and then generates a cancellation information registration request that the service of the corresponding terminal is terminated and the eUICC is initialized, and transmits it to the SM (S750).

After receiving the cancellation information registration request, the SM updates and manages the information of the corresponding eUICC to the canceled state (S760). At this time, the SM retains only the virtual identification information of the corresponding eUICC, and in some cases, the actual identification information may be deleted. have.

8 is a flowchart illustrating an MNO change process according to an embodiment of the present invention.

It is assumed that the communication service provider of the corresponding terminal or eUICC is changed from MNO1 to MNO2.

The new MNO2 system receives a service subscription request (which is a service subscription request according to the change from MNO1 to MNO2) from the terminal or the user. At this time, it may include eUICC or product specific information of the terminal. After confirming that the corresponding eUICC or the terminal is not in the DB, the MNO2 system generates an openable query message for inquiring whether the terminal is an openable terminal and transmits the generated query message to the SM (S810). The product unique number of the eUICC may be included.

Since the SM knows that the corresponding eUICC or the UE is terminated from the MNO1 in the service termination procedure of FIG. 7, the SM checks the DB and generates an openable response message and transmits the generated response message to the MNO2 system (S820). The openable response message includes information on the previous MNO1 together with information indicating whether the corresponding terminal can be used.

The MNO2 system extracts the transport key index of the corresponding MNO1 from the transport key index / transport key value table managed by the MNO2 according to the previous MNO information included in the response message, and then generates an authentication key information request message and transmits it to the SM. S830) The authentication key information request message may include a transmission key index value defined between MNO1-MNO2 and a product unique number of the corresponding terminal or eUICC.

SM transmits the authentication key information request message to the previous operator MNO1 system (S840). The MNO1 system, which is a donor MNO, extracts a transmission key value corresponding to the corresponding transmission key index, and uses the same as the authentication key. After encrypting the sensitive information, the authentication key request response message is transmitted to the MNO2 system, which is a new service provider. (S850) The authentication key request response message, together with the virtual identification information of the corresponding eUICC, is encrypted with the transmission key value Ki (Encrypted). ) And / or Opc (Encrypted) information.

Since the MNO2 system that has received the authentication key request response message already knows the corresponding transmission key value, it can use the same to decrypt the authentication key.

Subsequent subscription process may proceed in the same manner as the corresponding process (S520 ~ S550) of FIG. That is, the MNO2 system performs a subscriber creation request and response process through an internal home location register (HLR) and an authentication center (AuC), and then maps mapping information of virtual identification information (virtual IMSI) and actual identification information (real IMSI). Create and send to SM. Then, the SM may be performed by mapping and storing virtual identification information (virtual IMSI) and actual identification information (real IMSI) for the corresponding eUICC or M2M terminal, and transmitting a response signal to the MNO system. .

9 is a block diagram illustrating an internal configuration of an MNO system according to an embodiment of the present invention.

The MNO system 900 according to an embodiment of the present invention includes a transmission key manager 910 for storing / managing a transmission key table, a credential information decoder 920, an OTA manager 930, and the like.

The transport key manager 910 stores / manages a transport key table. The transport key table is assigned a transport key index for each MNO or eUICC provider, and a unique transport key value having a predetermined length is assigned to each transport key index. It means a table. When the transmission key manager receives the transmission key index value, the transmission key manager extracts a transmission key value corresponding to the transmission key index value from the table and transmits the transmission key index value to the credential information decoder 920.

The credential information decoding unit 920 decrypts the encrypted authentication key information (Ki (Encrypted), Opc (Encrypted)) received from the outside (SM or donor MNO) during the eUICC ordering and MNO change process to the corresponding transmission key value. Perform the function.

The OTA management unit 930 generates an OTA message for updating the eUICC's virtual identification information (virtual IMSI virtual MSISDN) with the actual identification information in the opening procedure and transmits it to the terminal, and updates the actual identification information with the virtual identification information in the service termination procedure. Generates an OTA message to transmit to the terminal (eUICC).

In addition, although not shown, the terminal according to an embodiment of the present invention may include an eUICC and an eUICC manager responsible for converting between virtual identification information and actual identification information according to an OTA message.

Hereinafter, an eUICC issuance, termination and MNO change method according to a second embodiment of the present invention will be described.

10 illustrates an eUICC ordering and supplying process according to a second embodiment of the present invention.

The eUICC ordering and supplying process according to the second embodiment of the present invention is performed between the eUICC supplier system or the eUICC loaded terminal (M2M terminal, etc.) vendor system and the SM.

First, the eUICC provider determines the supply of the eUICC or the eUICC-mounted terminal, and then uploads the first ordering information (Input File 1) to the SM (S1010). The first order information transmitted to the SM includes transmission key index information for the corresponding eUICC provider managed by the SM in addition to the eUICC provider information.

Next, the SM generates second ordering information (Input File 2) including virtual identification information for the eUICC based on the first ordering information and transmits the second ordering information (Input File 2) to the eUICC provider system (S1020). The second order information may include supply quantity and virtual identification information allocated by the SM, and may include transmission key index information (transmission key index corresponding to the SM and the eUICC provider).

After receiving the second ordering information, the eUICC provider system generates an output file after the manufacture of the eUICC and transmits it to the SM (S1030 and S1040). The output file may include credential information encrypted with a transport key value corresponding to the corresponding transport key index, and as an example of the credential information, Ki (Encrypted), which is an encrypted Ki), or Opc (Encrypted), which is an encrypted Opc value, and the like. This can be

SM already has a transport key value (the transport key index and transport key value mapping table for that eUICC provider, and since the transport key index has already been sent, the corresponding transport key value can be known). After decrypting the authentication key information such as the eUICC information is stored and managed in the DB (S1050).

Hereinafter, information included in the first and second ordering information (Input Files 1 and 2) and the output file (Output File) will be described.

The first order information (Input File 1) may include supply quantity, M2M terminal specification information, M2M device provider information, etc., in addition to the transmission key index information (for example, 901), which is a feature of the present invention. It is not.

In addition, the second ordering information (Input File 2) includes the start key IMSI (Start Virtual IMSI), start information of the virtual MSISDN (Start Virtual MSISDN) and the like as the transmission key index information and the virtual identification information that is a feature of the present invention can do. In addition, the second order information may include all the information included in the first order information as it is.

Meanwhile, the output file includes the USIM Ki value encrypted with the corresponding transmission key value and the encrypted USIM Opc value together with the virtual identification information such as IMEI information, virtual IMSI information, virtual MSISDN information, etc. for each M2M terminal as shown below. Etc. are included. The first embodiment differs from the first embodiment in that the output file includes information on the MNO holding the transmission key. In the second embodiment, the eUICC provider generates the output file regardless of the specific MNO. No information about this MNO is included.

<Example of Output File in Second Embodiment>

IMEI (Not-encrypted) = 123456789012345

Virtual IMSI (Not-encrypted) = 999011020012345

Virtual MSISDN (Not-encrypted) = 99123456789

USIM_Ki (Encrypted) = 32 Hexa (0 ~ F)

USIM_Opc (Encrypted) = 32 Hexa (0 ~ F)

M2M Device Serial Number (Not-encrypted): 123465679012345

… .

IMEI (Not-encrypted) = 123456789112345

Virtual IMSI (Not-encrypted) = 999011020112345

Virtual MSISDN Not-encrypted = 99123556789

USIM_Ki (Encrypted) = 32 Hexa (0 ~ F)

USIM_Opc (Encrypted) = 32 Hexa (0 ~ F)

M2M Device Serial Number (Not-encrypted): 123465679112345

Using the eUICC issuing process according to the second embodiment of the present invention as described above, when compared with the first embodiment, the SM encrypts the authentication key (Ki, OPc) with the TKV shared between the eUICC provider and the SM and interprets it. By managing the authentication key, an eUICC issuance and security information management can be performed independently from a specific MNO.

11 is a flowchart of a service termination or opening termination process according to the second embodiment of the present invention.

First, after the MNO CCBS system (Customer Care and Billing System) receives the service termination request from the terminal or the user (S1105), check whether the service can be released (subsidies contract completion, fee overdue, etc.) (S1110), If the service can be released, an eUICC initialization request message for transmitting an OTA message for initializing the eUICC is generated and transmitted to the SM (S1115). The eUICC initialization request message may include actual identification information (real IMSI, real MSISDN) and the like.

The SM generates an eUICC initialization OTA message for initializing the eUICC and transmits it to the terminal (S1120, S1125). Of course, the eUICC initialization OTA message may be encrypted with an authentication key (Ki, Opc) known to the terminal and the SM, the initialization OTA message may include virtual identification information (virtual IMSI, virtual MSISDN).

After decoding the received eUICC initialization OTA message, the terminal or the eUICC proceeds with the initialization by updating the actual identification information (IMSI, MSISDN) stored in the eUICC back to the virtual identification information (S1130). In this case, the updated virtual identification information may be different from the virtual identification information previously set so that the canceling MNO does not know. That is, the identification information stored when the first eUICC is issued is the first virtual identification information, and the virtual identification information updated by replacing the actual identification information in the cancellation process of FIG. 11 may be second virtual identification information different from the first virtual identification information. Is there.

Next, when the SM receives the OTA message transmission response from the terminal as a success (S1135), and the SM notifies the OTA transmission response signal to the MNO CCBS (S1140), the MNO CCBS includes the actual IMSI and the authentication key in the MNO system. A request for deletion of subscriber information related to the terminal is requested (S1145). The subscriber deletion request signal at step S1145 may include actual identification information of the corresponding eUICC.

Then, the MNO system deletes internal subscriber information (actual IMSI, etc.) and transmits a subscriber deletion request response signal to the MNO CCBS (S1150). Then, the MNO CCBS generates a cancellation information registration request signal indicating that the service of the terminal is terminated and the eUICC has been initialized and transmitted to the SM (S1155). The cancellation information registration request signal includes a product unique number and termination information of the MNO1. can do.

After receiving the cancellation information registration request, the SM updates and manages information of the corresponding eUICC to the canceled state (S1160). At this time, the SM may retain only the virtual identification information and the authentication key of the corresponding eUICC, and may delete the actual identification information of the canceled MNO (that is, MNO1 which is the donor MNO).

Using the service cancellation process according to the second embodiment of the present invention as described above, compared to the first embodiment, the subject that can be changed to the virtual identification information (virtual IMSI, virtual MSISDN) even after the service is canceled, SM, Donor MNO terminated service does not know the updated virtual identification information has an effect that can be enhanced.

12 is a flowchart of an MNO change process according to a second embodiment of the present invention.

It is assumed that the communication service provider of the corresponding terminal or eUICC is changed from MNO1 to MNO2.

The new MNO2 system receives a service subscription request (which is a service subscription request according to a change from MNO1 to MNO2) or an MNO change request from a terminal or a user (S1205). At this time, it may include eUICC or product specific information of the terminal. The MNO2 system checks that the corresponding eUICC or the terminal is a terminal that is not in its DB (S1210), and then generates an openable query message for inquiring whether the terminal is an openable terminal and transmits it to the SM (S1215). At this time, the opening possible query message may include the product unique number of the corresponding terminal or eUICC.

Since the SM knows that the corresponding eUICC or the UE is terminated from the MNO1 in the service termination procedure of FIG. 11, the SM checks the DB and generates an openable response message and transmits the generated response message to the MNO2 system (S1220). The opening response message includes information indicating whether the corresponding terminal can be used.

The MNO2 system extracts the transmission key index of the corresponding SM from the transmission key index / transmission key value table managed by the MNO2 system (S1225), and then generates an authentication key information request message and transmits it to the SM (S1230). The authentication key information request message may include a transmission key index value defined between MNO2-SM and a product unique number of the corresponding terminal or eUICC.

The SM extracts a transmission key value corresponding to the corresponding transmission key index, encrypts credential information such as an authentication key using the transmission key value (S1235), and transmits the authentication key request response message to the MNO2 system, which is a new operator (S1240). The authentication key request response message may include Ki (Encrypted) and / or Opc (Encrypted) information, which is authentication key information encrypted with a transmission key value, along with the virtual identification information of the corresponding eUICC.

Since the MNO2 system that has received the authentication key request response message already knows the corresponding transmission key value, the MNO2 system can decrypt the authentication key using it (S1245).

Subsequently, the procedure for joining to MNO2 may be performed in the same manner as the corresponding processes (S520 to S550) of FIG. 5 regarding the opening and closing, and a description thereof will be omitted to avoid duplication.

When the service cancellation process according to the second embodiment of the present invention is used as described above, the donor MNO1 is the authentication key, as compared with the first embodiment, the subject handing the authentication key to the new MNO becomes SM when the MNO is changed. It can reduce the burden of continuing to manage the management, and there is an effect that the management of the virtual identification information and authentication key can be unified into the SM.

13 to 15 illustrate examples of mapping tables of a transport key index (TKI) and a transport key value (TKV) used in the second embodiment of the present invention, and are managed by SM, eUICC provider, and MNO, respectively. This is an example of a table.

The transport key index and transport key value mapping table used in the second embodiment of the present invention are shared between the eUICC provider and the SM and between the SM and the MNO. Each eUICC provider, each MNO, or SM is assigned a transport key index. Each transport key index is assigned a unique transport key value of a certain length.

13 illustrates an example of a transport key index and transport key value mapping table managed by the SM, and a transport key index of 1 to 1000 and a unique transport key value corresponding thereto are defined for MNO1 and MNO2. For the eUICC provider 1 and the eUICC provider 2, the transport key index and the corresponding transport key value are defined in the same format.

14 illustrates an example of a transport key index and a transport key value mapping table managed by an eUICC provider system (eUICC provider 1). A transmission key index of 1 to 1000 and its unique transmission corresponding to the SM are shown. The key value is defined.

15 shows an example of a transport key index and a transport key value mapping table managed by an MNO system (MNO1 system), and a transport key index of 1 to 1000 and a unique transport key value corresponding thereto are represented for the SM. It is defined.

The mapping table of the transport key index (TKI) and transport key value (TKV) is generated by the SM and managed by the SM, each MNO, and the eUICC provider, and the transport key value corresponding to the transport key index when the eUICC is ordered and the MNO is changed. It is used to encrypt authentication keys (Ki, Opc, etc.) and send them to SM or new MNO system.

In particular, SM-managed mapping tables define transport key indexes and transport key values for each MNO and eUICC provider, and SM-managed mapping tables for each MNO and eUICC for all MNO and eUICC providers managed by SM. The transport key index and transport key value are defined for each provider.

According to the present invention, since the SM managing the eUICC does not manage the transmission key information, it is impossible to decrypt the encrypted authentication key (Ki / Opc) transmitted and received between MNOs, which may occur when the SM has the authentication key. Can overcome.

In addition, the MNO can be controlled to provide the mobility of the M2M terminal through the agreement between the reliable MNO, and the authentication keys (Ki, Opc) stored in the terminal or eUICC are shared with each other between the MNO with the opening history, The MNO with the opening history can further increase security by not knowing which MNO the terminal is in use. (I.e. only SM knows to which MNO the terminal is opened)

The above description is merely illustrative of the technical idea of the present invention, and those skilled in the art to which the present invention pertains may make various modifications and changes without departing from the essential characteristics of the present invention. Therefore, the embodiments disclosed in the present invention are not intended to limit the technical idea of the present invention but to describe the present invention, and the scope of the technical idea of the present invention is not limited by these embodiments. The protection scope of the present invention should be interpreted by the following claims, and all technical ideas within the equivalent scope should be interpreted as being included in the scope of the present invention.

Claims (21)

A mobile network operator (MNO) system that provides a communication service to a terminal in conjunction with a subscription manager (SM) and an eUICC terminal,
A transmission key manager for storing and managing a transmission key table to which a transmission key index is assigned and each transmission key index is assigned a unique transmission key value of a predetermined length;
a credential information decoder which decrypts the encrypted authentication key information received from the outside in the eUICC ordering process or the MNO changing process into a corresponding transmission key value; And
MNO system comprising an OTA management unit for generating an OTA message instructing the conversion between the virtual identification information and the actual identification information of the eUICC to the terminal in the service subscription and termination procedure. The method of claim 1,
The virtual identification information and the actual identification information MNO system, characterized in that at least one of IMSI (International Mobile Subscriber Identity) and MSISDN (Mobile Subscriber ISDN Number). The method of claim 1,
The OTA management unit generates an OTA message to update the virtual identification information of the eUICC to the actual identification information in the opening procedure, and transmits the OTA message to the terminal, and generates an OTA message to update the actual identification information to the virtual identification information in the service termination procedure. eUICC) MNO system characterized in that the transmission. A terminal receiving a communication service in connection with a subscription manager (SM) and a mobile network operator (MNO) system,
An embedded Universal Integrated Circuit Card (UICC); And
After receiving the OTA message from the MNO system in the joining process, convert the virtual identification information stored in the eUICC into actual identification information, and after receiving the OTA message in the service termination or eUICC initialization procedure, converts the actual identification information into virtual identification information. Including eUICC management unit,
Opening or terminating the terminal is performed using encryption of credential information using a transmission key value shared between the MNO system and a built-in UICC provider. The method of claim 4, wherein
The virtual identification information and the actual identification information terminal, characterized in that at least one of IMSI (International Mobile Subscriber Identity) and MSISDN (Mobile Subscriber ISDN Number). The method of claim 4, wherein
The credential information includes at least one of Ki (Subscriber Key) and OPc (Operator Constant), which is an authentication key. A service providing method of a SM (Subscription Manager) for managing the eUICC in conjunction with at least one mobile network operator (MNO) system and the terminal including the eUICC,
In ordering and supplying eUICC,
receiving first ordering information (Input File 1) including a transmission key index (TKI-1) from the MNO system that placed the eUICC;
Allocating virtual identification information for each eUICC, generating second order information (Input File 2), and providing the same to a device provider;
Receiving an output file including credential information encrypted by a transmission key value corresponding to the transmission key index from the device provider, storing and managing the credential information, or transmitting the credential information to a corresponding MNO system; Including, the service providing method of the SM. The method of claim 7, wherein
The credential information encrypted by the transmission key value is one or more of Ki (Subscriber Key) and OPc (Operator Constant), which is an authentication key. The method of claim 7, wherein
The identification information is a service providing method of the SM, characterized in that one or more of IMSI (International Mobile Subscriber Identity) and MSISDN (Mobile Subscriber ISDN Number). The method of claim 7, wherein
The first order information (Input File 1) is a service providing method of the SM, characterized in that the transmission key index information, the purchase quantity, the purchase destination MNO information, M2M terminal specification information, M2M device provider information. The method of claim 7, wherein
The second ordering information (Input File 2) includes IMEI start information (Start IMEI), start virtual IMSI information (Start Virtual IMSI), and start information (Start Virtual MSISDN) of virtual MSISDN as transmission key index information and virtual identification information. SM service providing method comprising a. The method of claim 7, wherein
The output information (Output File) is a service providing method of the SM, characterized in that including the IMEI information, the virtual IMSI information, the virtual MSISDN information, the authentication key value encrypted with the corresponding transmission key value for the eUICC. The method of claim 7, wherein
Receiving mapping information of virtual identification information and actual identification information for a specific eUICC from an MNO system receiving a subscription request of a terminal; And
And mapping and storing the virtual identification information and the actual identification information for the corresponding eUICC. The method of claim 7, wherein
Receiving a location registration request message including virtual identification information from a terminal;
Extracting actual identification information corresponding to the virtual identification information; And
And transmitting the message including the extracted actual identification information to a corresponding MNO system. The method of claim 7, wherein
During the MNO change process,
Receiving whether the eUICC can open the query message from the new MNO system;
Transmitting an opening response message including donor MNO (MNO) information to the new MNO system;
Receiving from the new MNO system a credential information request message including a transmission key index defined between the old MNO and the new MNO;
And transmitting the credential information request message to the MNO system prior to the change of the eUICC. The method of claim 7, wherein
The SM,
Receiving an eUICC initialization request message including actual identification information of the eUICC from an MNO system whose service is released;
generating and transmitting an eUICC initialization OTA message for initializing the eUICC to the terminal; And
Receiving a cancellation information registration request signal from the MNO system, and updating the information of the corresponding eUICC to the canceled state, the service providing method of the SM further. The method of claim 7, wherein
In the MNO change process, the SM,
Receiving whether the eUICC can open the query message from the new MNO system;
Transmitting an opening response message including information indicating whether the corresponding eUICC is available to the new MNO system;
Receiving an authentication key information request message including a transmission key index value defined between the new MNO and itself from the new MNO system; And
And extracting a transmission key value corresponding to the transmission key index, encrypting the credential information using the transmission key value, and transmitting the encryption key value to the new MNO system as an authentication key request response message. A service providing method by a mobile network operator (MNO) system that provides a communication service to a terminal in conjunction with a subscription manager (SM) and an eUICC,
Storing a transmission key table to which a transmission key index is assigned and each transmission key index is assigned a unique transmission key value of a predetermined length;
Decrypting the encrypted authentication key information received from the external device in the eUICC ordering process or the MNO change process to the corresponding transmission key value: And
And generating and transmitting an OTA message indicating a conversion between the virtual identification information of the eUICC and the actual identification information to the terminal during a service subscription process of the terminal or service termination of the terminal. The method of claim 18,
Receiving, from the SM, an OTA transmission request message including virtual identification information of a specific eUICC requiring opening;
Generating an OTA message for changing the virtual identification information of the eUICC into the actual identification information; And
Encrypting the OTA message with an authentication key and transmitting the encrypted OTA message to a corresponding eUICC or a terminal including the same. The method of claim 18,
In the service cancellation process of the terminal, the step of generating an OTA message indicating conversion between the virtual identification information and the actual identification information of the eUICC and transmitting to the terminal,
Receiving a cancellation request message including actual identification information of the terminal;
Generating an OTA message for initializing by changing the actual identification information stored in the eUICC of the termination request terminal to the virtual identification information and transmitting the generated OTA message to the corresponding terminal; And
And transmitting a cancellation information registration request message including information of the corresponding eUICC to the SM. The method of claim 18,
And the external device is an SM or a donor MNO.
KR1020120075959A 2011-07-14 2012-07-12 User Equipment with Embedded UICC, Service Providing Method by MNO System and Subscription Manager linked with the User Equipment KR102007706B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR20110069738 2011-07-14
KR1020110069738 2011-07-14

Publications (2)

Publication Number Publication Date
KR20130009659A KR20130009659A (en) 2013-01-23
KR102007706B1 true KR102007706B1 (en) 2019-08-06

Family

ID=47839352

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020120075959A KR102007706B1 (en) 2011-07-14 2012-07-12 User Equipment with Embedded UICC, Service Providing Method by MNO System and Subscription Manager linked with the User Equipment

Country Status (1)

Country Link
KR (1) KR102007706B1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20220115256A (en) 2021-02-10 2022-08-17 주식회사 엘지유플러스 Method of initializing subscriber identity module and user terminal initializing subscriber identity module

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9036820B2 (en) * 2013-09-11 2015-05-19 At&T Intellectual Property I, Lp System and methods for UICC-based secure communication
US9240994B2 (en) 2013-10-28 2016-01-19 At&T Intellectual Property I, Lp Apparatus and method for securely managing the accessibility to content and applications
WO2015190895A1 (en) 2014-06-13 2015-12-17 Samsung Electronics Co., Ltd. Method and device for selective communication service in communication system
WO2016133369A1 (en) * 2015-02-17 2016-08-25 삼성전자 주식회사 Method and apparatus for receiving profile by terminal in mobile communication system
KR102333395B1 (en) 2015-02-17 2021-12-03 삼성전자 주식회사 Method and apparatus for receiving profile information at a terminal in a wireless communication system
KR102014108B1 (en) * 2018-03-30 2019-08-26 에스케이 텔레콤주식회사 Method and RSP Server Apparatus for Providing SIM Profile to eUICC Device
KR102606083B1 (en) * 2021-11-26 2023-11-24 주식회사 엘지유플러스 The method and apparatus for managing imei of user equipment supporting a plurality of uicc

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100625672B1 (en) 2005-08-01 2006-09-18 에스케이 텔레콤주식회사 Method for wireless subscription transaction in mobile communication network
US20060246949A1 (en) 2005-04-29 2006-11-02 Jasper Systems Self provisioning of wireless terminals in wireless networks
US20090191857A1 (en) 2008-01-30 2009-07-30 Nokia Siemens Networks Oy Universal subscriber identity module provisioning for machine-to-machine communications

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101234194B1 (en) * 2006-08-28 2013-02-18 삼성전자주식회사 Apparatus and method for downloading of sim data in mobile communication system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060246949A1 (en) 2005-04-29 2006-11-02 Jasper Systems Self provisioning of wireless terminals in wireless networks
KR100625672B1 (en) 2005-08-01 2006-09-18 에스케이 텔레콤주식회사 Method for wireless subscription transaction in mobile communication network
US20090191857A1 (en) 2008-01-30 2009-07-30 Nokia Siemens Networks Oy Universal subscriber identity module provisioning for machine-to-machine communications

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20220115256A (en) 2021-02-10 2022-08-17 주식회사 엘지유플러스 Method of initializing subscriber identity module and user terminal initializing subscriber identity module

Also Published As

Publication number Publication date
KR20130009659A (en) 2013-01-23

Similar Documents

Publication Publication Date Title
KR102007706B1 (en) User Equipment with Embedded UICC, Service Providing Method by MNO System and Subscription Manager linked with the User Equipment
CN111052777B (en) Method and apparatus for supporting inter-device profile transfer in a wireless communication system
US10694369B2 (en) Profile management method, embedded UICC, and device provided with the embedded UICC
US10334443B2 (en) Method for configuring profile of subscriber authenticating module embedded and installed in terminal device, and apparatus using same
KR102333395B1 (en) Method and apparatus for receiving profile information at a terminal in a wireless communication system
US9831903B1 (en) Update of a trusted name list
CA2913456C (en) Communication control apparatus, authentication device, central control apparatus and communication system
JP5978273B2 (en) Service sharing system and apparatus
US10142917B2 (en) Electronic subscriber identity module (eSIM) assignment for carrier channel devices
KR20130026958A (en) Method for verification of embedded uicc using euicc certificate, method for provisioning and mno switching, euicc, mno system and recording medium for the same
CN104604275B (en) Smart card personalization is carried out using the local key that generates
KR20160003992A (en) METHOD AND APPARATUS FOR PROFILE DOWNLOAD FOR eUICC
JP6009071B2 (en) Method and device for remote smart card personalization
WO2008150145A2 (en) System and method for controlling wireless network access information in using removable external modem
US11871227B2 (en) Device changing method and apparatus of wireless communication system
KR101937487B1 (en) User Equipment with Embedded UICC, Activating Method of User Equipment, Terminating Method of User Equipment, User Equipment Managing Server, User Equipment Ordering Method of User Equipment Managing Server, and User Equipment Activating Method of User Equipment Managing Server
KR101846995B1 (en) Method for Transmitting Information using Public Key Encryption in eUICC System
CN104247479B (en) The personalization of smart card
WO2019229188A1 (en) Subscriber access to wireless networks
KR102012340B1 (en) Method and Enbedded UICC for Providing Policy Control Function
KR102271597B1 (en) Server and method for remote device management based on Network

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant