KR20130027097A - Subscription changing method for embedded uicc using trusted subscription manager and embedded uicc architecture therefor - Google Patents


Info

Publication number
KR20130027097A
Authority
KR
South Korea
Prior art keywords
sm
mno
key
profile
euicc
Application number
KR1020110090431A
Other languages
Korean (ko)
Other versions
KR101891326B1 (en)
Inventor
이진형
윤여민
김성철
Original Assignee
주식회사 케이티
Application filed by 주식회사 케이티
Priority to KR1020110090431A
Publication of KR20130027097A
Application granted
Publication of KR101891326B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/0853 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication using a plurality of keys or algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data

Abstract

PURPOSE: A subscription change method using a reliable SM(Subscription Manager) in e-UICC(embedded Universal Integrated Circuit Card) environment and an e-UICC device thereof are provided to allow an e-UICC to store SM-SR access information and MNO identification information for real opening in a first subscription profile. CONSTITUTION: An e-UICC device includes a protection profile. The protection profile decodes an MNO profile, an SM-SR key, and an MNO key. The e-UICC device stores SM-SR authentication information and MNO authentication information. The SM-SR authentication information authenticates the change of the MNO profile. The MNO authentication information authenticates additional service management of an MNO after opening. [Reference numerals] (AA) Key for decoding an MNO3 Profile; (BB) Key for decoding MNO3, SM-SR2; (CC) Key of SM-SR2; (DD) Key of MNO3; (EE) Access information of SM-SR2(OTAkey); (FF) Identification Key of MNO3

Description

Subscription Changing Method for Embedded UICC using Trusted Subscription Manager and Embedded UICC Architecture therefor

The present invention relates to a method for changing a subscription (MNO change) using a reliable SM in an embedded UICC environment and an embedded UICC device or architecture.

A UICC (Universal Integrated Circuit Card) is a smart card inserted in a terminal and can be used as a module for user authentication. The UICC may store the user's personal information and the carrier information of the mobile communication carrier to which the user subscribes. For example, the UICC may include an International Mobile Subscriber Identity (IMSI) for identifying a user. The UICC is also called a Subscriber Identity Module (SIM) card in the case of the Global System for Mobile communications (GSM) scheme, and a Universal Subscriber Identity Module (USIM) card in the case of the Wideband Code Division Multiple Access (WCDMA) scheme.

When the user mounts the UICC on the user's terminal, the user is automatically authenticated using the information stored in the UICC so that the user can conveniently use the terminal. In addition, when the user replaces the terminal, the user can easily replace the terminal by mounting the UICC removed from the existing terminal to a new terminal.

When a terminal requiring miniaturization, for example a terminal for machine-to-machine (M2M) communication, is manufactured with a structure in which the UICC can be attached and removed, miniaturization of the terminal becomes difficult. Thus, a built-in UICC (Embedded UICC) structure, which is a non-removable UICC, has been proposed. The embedded UICC must record, in the form of an IMSI, the information of the user who uses that UICC.

The existing UICC can be attached to and detached from the terminal, and the user can open the terminal without being concerned with the type of terminal or the mobile communication provider. However, the IMSI in the built-in UICC can be allocated at manufacturing time only on the premise that the terminal is used only with a specific mobile communication provider. Both the mobile operators ordering terminals and the terminal manufacturers have no choice but to pay attention to product inventory, which leads to the problem that product prices rise. Users are inconvenienced because they cannot change the mobile communication provider for the terminal. Therefore, even in the case of the built-in UICC, a method by which the user can open the terminal without being bound to a mobile communication service provider is required.

Meanwhile, with the recent introduction of the built-in UICC, there is a need to update the subscriber information of various mobile communication providers in the UICC from a remote place, and accordingly a subscription management device (Subscription Manager, 'SM', or Profile Manager, hereinafter referred to as 'PM') is under discussion.

These SMs are mainly discussed as being responsible for information management on the embedded UICC, information management on various telecommunication carriers, authentication on remote carriers, and remote information changes, but this has not been determined yet.

The present invention provides a subscription change method and a built-in UICC device using a reliable SM in the built-in UICC environment.

Another object of the present invention is to provide a method for managing an embedded UICC in an environment in which an SM is separately implemented by SM-SR (Secure Routing) and SM-DP (Data Preparation).

Another object of the present invention is to provide, in an environment where the SM is implemented separately as SM-SR (Secure Routing) and SM-DP (Data Preparation), a method of using a protection profile inside the eUICC that can decrypt the MNO profile for one or more MNOs and can decrypt the SM-SR key and the MNO key.

It is still another object of the present invention to provide, in an environment in which the SM is implemented as SM-SR (Secure Routing) and SM-DP (Data Preparation), a method of storing / managing, as a first subscription profile, SM-SR connection information for requesting the actual opening and MNO identification information (MNO identification key) having a relationship with the corresponding SM-SR.

Another object of the present invention is to provide, as an internal architecture of the eUICC, a method of storing / managing the SM-SR authentication information (SM-SR key) for authenticating the change of the MNO profile, etc., and the MNO authentication information (MNO key) for authenticating additional service management of a specific MNO after opening.

Another object of the present invention is to provide, as an internal architecture of the eUICC, a method of storing / managing the SM-SR authentication information (SM-SR key) for authenticating the change of the MNO profile, etc., and the MNO authentication information (MNO key) for authenticating additional service management of a specific MNO after opening, and of using them to safely change the MNO and use additional services.

One embodiment of the present invention provides, in an environment in which the SM is implemented separately as SM-SR (Secure Routing) and SM-DP (Data Preparation), a method of using a protection profile in the eUICC that can decrypt the MNO profile for one or more MNOs and can decrypt the SM-SR key and the MNO key.

Another embodiment of the present invention provides a method in which the eUICC stores / manages, as a first subscription profile, SM-SR connection information for requesting an actual opening and MNO identification information (MNO identification key) having a relationship with the SM-SR.

Another embodiment of the present invention provides, as an internal architecture of the eUICC, a method of storing / managing the SM-SR authentication information (SM-SR key) for authenticating the change of the MNO profile, etc., and the MNO authentication information (MNO key) for authenticating the additional service management of a specific MNO after opening.

Another embodiment of the present invention provides, as an internal architecture of the eUICC, a method of storing / managing the SM-SR authentication information (SM-SR key) for authenticating the change of the MNO profile, etc., and the MNO authentication information (MNO key) for authenticating the additional service management of a specific MNO after opening, and of using them to safely change the MNO and use additional services.

FIG. 1 illustrates an overall service architecture including an eSIM (eUICC) to which the present invention is applied.
FIG. 2 illustrates one embodiment of a provisioning process of a first subscription in the overall system to which the present invention is applied.
FIG. 3 illustrates one embodiment of a subscription change or MNO change process in the overall system to which the present invention is applied.
FIGS. 4 to 7 respectively show the eUICC internal structure and signal flow for a pre-opening request (FIG. 4), the injection of pre-opening connection information (FIG. 5), the process of receiving the key information after the actual opening request (FIG. 6), and the provisioning process (FIG. 7) when the MNO changes (subscription changes) through the same SM-SR (SM-SR 1) according to one embodiment of the present invention.
FIGS. 8 to 11 respectively show the eUICC internal structure and signal flow for a pre-opening request (FIG. 8), the injection of pre-opening connection information (FIG. 9), the process of receiving key information after an actual opening request (FIG. 10), and the provisioning process (FIG. 11) when the MNO changes (subscription changes) through another SM-SR (SM-SR 2) according to one embodiment of the present invention.

Hereinafter, some embodiments of the present invention will be described in detail with reference to exemplary drawings. In adding reference numerals to the components of each drawing, it should be noted that the same reference numerals are assigned to the same components as much as possible even though they are shown in different drawings. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear.

Since the M2M (Machine-to-Machine) terminal actively discussed in GSMA should be small in size, if a UICC is used, a module for mounting the UICC must be separately inserted in the M2M terminal. Therefore, the miniaturization of the M2M terminal becomes difficult.

Therefore, an embedded UICC structure in which the UICC is not detachable is being discussed. In this case, information on the mobile network operator (hereinafter referred to as 'MNO') that uses the corresponding UICC must be stored, in the form of an International Mobile Subscriber Identity (IMSI), in the embedded UICC mounted on the M2M terminal.

However, an IMSI can be assigned in the built-in UICC at the time the M2M terminal is manufactured only on the premise that the terminal is used only with a specific MNO. As a result, both the MNO ordering the M2M terminal or the UICC and the M2M manufacturer manufacturing the M2M terminal have to devote a great deal of attention to product inventory, and product prices rise, which is a serious obstacle to the expansion of M2M terminals.

Unlike the conventional removable SIM, the eSIM or eUICC, which is an embedded SIM (Embedded SIM) integrally mounted on the terminal, raises many issues regarding opening authority, additional service business initiative, and subscriber information security due to the difference in physical structure. In particular, since the UICC is soldered to the board, Remote Provisioning Management in software is required to handle the existing subscription opening and authorization subscription change. For this purpose, the role of the subscription manager (SM) is expected to be required, and this SM is expected to maintain a trust relationship with existing MNOs or to be operated by the MNOs themselves. Accordingly, the present invention proposes a subscription procedure according to the role of the SM and an eUICC structure therefor.

In the existing USIM opening procedure, information such as the IMSI, authentication key, and subscriber change for provisioning is generally exchanged as input / output files through a contract or trust relationship between the USIM vendor and the MNO. This was possible because the SIM card could be attached / removed, so the Subscription Manager (TSM) for remote management, as in the eUICC environment, was not needed. However, in the eUICC environment the terminal is expected to be released with the USIM card embedded in the board, and it is expected that the provisioning information will be updated remotely or that a new entity such as the SM (Subscription Manager) will be added. In addition, depending on the trust level of the SM, the roles may vary, and accordingly, the eUICC architecture may be diversified. In particular, when a subscriber changes MNOs, the form of maintaining multiple MNO profiles in the eUICC also occurs.

Depending on how SMs and their trust relationships are owned and operated by MNOs, the procedures for opening and subscribing to the eUICC, as well as the MNO and eUICC architecture, can be diversified.

First, if SM's trust is designed low when handling subscriber's MNO change request, the existing USIM structure can be changed because MNO credentials are directly managed by MNO operation server.

Second, it can affect the MNO change process of existing subscribers. (MNOs legacy servers need to be changed.)

Third, when changing MNO in eUICC environment, it should be possible to take a structure that does not affect the additional service area of new MNOs that want to change.

Fourth, if there is no need to maintain multiple MNO profiles in eUICC.

Fifth, the use of USIM memory should be minimized when the subscription MNO is changed many times.

Sixth, the network service and the supplementary service of the previous MNO should be available even during the subscription MNO change process.

Seventh, when the MNO is changed, when the MNO profile is updated, it may be updated from the provisioned state of the previous MNO to the provisioned state of the MNO to be changed.

In order to solve the issues and problems of the prior art, the eUICC subscription procedure and the eUICC architecture and functions are suggested by minimizing the change of the existing eUICC architecture using the structure of the MNOs and the strongly trusted SM.

In the following, an example of an overall system structure to which the present invention can be applied and an MNO change process using the same will be described below with reference to FIGS.

As such, unlike the conventional removable SIM, the built-in SIM (hereinafter referred to as eSIM or eUICC) that is integrally mounted on the terminal raises many issues regarding the authority to open, additional service business initiative, and subscriber information security due to the difference in physical structure. To this end, the GSMA and ETSI international standardization organizations have been carrying out standardization activities on relevant elements such as operators, manufacturers, SIM vendors and other necessary elements, including the top-level structure. As eSIM is discussed through standardization organizations, the center of the issue is the SM, called Subscription Manager, which refers to the entity or function / role that issues operator information (Operator Credential, MNO Credential, Profile, eUICC Profile, Profile Package, etc.) to the eSIM, handles the process of changing subscriptions, and plays an overall management role for the eSIM. Recently, the GSMA has proposed dividing the role of the SM into SM-DP (Data Preparation), which plays the role of generating operator information, and SM-SR (Secure Routing), which carries the operator information directly to the eSIM, but it does not mention the technical method of actual issuance. Accordingly, the present invention proposes a method of managing the eSIM by utilizing dynamic cryptographic key (public key, etc.) generation in the SM role separation environment of the GSMA.

In this specification, eSIM and eUICC are used as an equivalent concept.

The eSIM is a new concept of SIM technology in which the IC chip is attached to the terminal circuit board at the terminal manufacturing stage and the SIM data (activation information, supplementary service information, etc.) is then issued in the form of software via OTA (Over the Air) or offline (a technology-based connection such as USB to a PC). IC chips used in eSIM generally support a hardware-based CCP (Crypto Co-Processor) to provide hardware-based public key generation, and APIs through which applications (e.g., applets) can use it are provided by the platform (e.g., Java Card Platform, etc.). The Java Card Platform is one of the platforms that can provide multiple applications and services on smart cards and similar devices.

Because of the SIM's limited memory space and for security reasons, it should not be possible for just anyone to mount an application in the SIM. Therefore, besides the platform for mounting an application, a SIM service management platform is required for loading and managing SIM applications. The SIM service management platform issues data to the SIM memory area through authentication and security based on the management key. GlobalPlatform and the Remote File Management (RFM) and Remote Application Management of ETSI TS 102.226 are SIM service management platforms of this kind.

The SM, which is one of the important elements in the eSIM environment, remotely issues communication and supplementary service data to the eSIM through management keys (UICC OTA Key, GP ISD Key, etc.).

In GSMA, the roles of the SM are classified as SM-DP and SM-SR. The SM-DP securely builds operator information (IMSI, K, OPc, additional service application, additional service data, etc.) and makes it into a credential package. The SM-SR securely downloads the credential package created by the SM-DP to the eSIM via SIM remote management technologies such as over-the-air (OTA) or GP Secure Communication Protocol (GP SCP). In addition, the GSMA has suggested the concept of a structure called “Circle of Trust”, which establishes an end-to-end trust relationship between the MNO and the eSIM by overlapping trust relationships between similar entities. In other words, the MNO forms a trust relationship with SM1, SM1 with SM4, and SM4 with the eSIM, through which the MNO and the eSIM form a trust relationship.

Before describing the present invention, the terms used in this specification will be described first.

MNO (Mobile Network Operator) means a mobile communication service provider and means an entity that provides a communication service to a customer through a mobile network.

A subscription manager (SM) is a subscription management device and performs a management function of a built-in UICC.

eUICC Supplier means a person who supplies embedded UICC module and embedded software (firmware and operating system, etc.).

Device Vendor means the supplier of a device, in particular a device that includes a wireless modem function via the mobile network driven by the MNO and that consequently requires some form of UICC (or eUICC).

Provisioning refers to the process of loading a profile into the built-in UICC, and the provisioning profile refers to the profile used by the device to connect to the communication network for the purpose of provisioning other provisioning profiles and operation profiles.

Subscription means a commercial relationship for providing a service between a subscriber and a wireless communication service provider.

FIG. 1 illustrates an overall service architecture including an eSIM (eUICC) to which the present invention is applied.

The whole system will be described as follows.

If a scenario is required where subscription information is stored and communicated, it should be done under the approval of the MNO and under the control of the MNO. There must be only one active profile on a single eUICC at a given time, which means that the active profile is added to a single HLR at a specific time.

The MNO and eUICC must be able to decode the MNO Credentials information. The only exception to this could be a third party, such as a SIM vendor, commissioned from a particular MNO. However, this is not a general function of a third party to do so.

The subscription can not be switched within the eUICC outside the operator policy control. The user must be aware of any changes in the MNO content and its activation subscription, be able to avoid security risks, and have a level of security sufficient to counter the current UICC model.

The MNO credential may mean a subscription credential including K, algorithm, algorithm parameters, supplementary service application, supplementary service data, and the like.

The delivery of the MNO credentials must be done in a secure manner from end to end. Transmissions can be made in successive stages without breaking the security chain, and all steps in the transport chain must be done with the recognition and approval of the MNO. No entity in the transport chain should be able to clearly see the MNO credential, but the only exception could be a third entity, such as a SIM vendor, delegated from a particular MNO. However, this is not a general function of a third party to do so.

Operators must have full control over their credentials, and the operator must have strong supervisory and control over SM operations.

The SM function must be provided by the MNO or by a third party; if it is provided by a third party, there is a commercial relationship between the SM and the MNO.

SM does not have any direct relationship with MNO subscribers for subscription management. The MNO has to have a relationship with the subscriber and should be an entry point for joining the customer, but this is not intended to be a match for the contractual relationship that the M2M service provider (the M2M service provider is the MNO subscriber) can have with his or her customer.

While the MNO is being swapped, the donor and receiver operators may or may not have a prior agreement with each other. There must be a mechanism to approve the pre-contract. The policy control function of the donor operator can define the removal condition of its own credential, and the policy control function (PCF) can implement this function.

The architecture introduces a function defined as SM, and the main role of SM is to prepare a package containing MNO credentials and deliver it to the eUICC. The SM function may be provided directly by the MNO, or the MNO may contract with a third party to obtain the SM service.

The role of the SM can be divided into two sub functions such as SM-SR and SM-DP.

In practice, these SM-SR, SM-DP functions may be provided by other entities or by the same entity. Therefore, it is necessary to clearly demarcate the functions of SM-DP and SM-SR, and to define an interface between these entities.

SM-DP is responsible for the safe preparation of the package to be delivered to the eUICC, and works with SM-SR for the actual transmission. The key functions of the SM-DP may include 1) managing the functional characteristics and certification levels of the eUICC, 2) managing one or more of the MNO credentials (e.g., IMSI, K, supplementary service applications, supplementary service data; some of them potentially managed by the MNO), and 3) computing the OTA package for download by the SM-SR.

If the SM-DP function is provided by a third party, the security and trust relationship becomes very important. In addition to real-time provisioning, SM-DP can have a significant amount of background processing, and the requirements for performance, scalability and reliability are expected to be important.

SM-SR is responsible for securely routing and delivering the credential package to the corresponding eUICC. The core functions of SM-SR are: 1) managing OTA communication with the eUICC over a ciphered VPN; 2) managing the end-to-end path up to the eUICC together with other SM-SRs; 3) managing the eUICC data used for the SM-SR OTA communication provided by the eUICC supplier; and 4) protecting the communication with the eUICC by filtering so that only allowed entities pass (firewall function).

The SM-SR database is provided by eUICC vendors and device vendors (such as M2M terminals) and potentially MNOs, and can be used by the MNO through the SM-SR mesh network.

The circle of trust enables end-to-end security links during provisioning profile delivery, while the SM-SR shares trust circles for secured routing of the provisioning profile and eUICC discovery. The MNO may be linked with the SM-SR and SM-DP entities in the trust circle and may provide this functionality on its own. In order to avoid illegal use of the eUICC (cloning, criminal use, denial of service, illegal MNO context change, etc.) without compromising the contractual and legal obligations of the MNO in connection with the customer, a secure end-to-end link between the eUICC and the MNO credential is required.

FIG. 2 is an overall flowchart of a provisioning process of a first subscription to which the present invention is applied.

In the provisioning process, the eUICC sends an activation request including device identification information (IMEI, etc.) and eUICC identification information (eICCid, etc.) to the MNO (step 1). Then, the eUICC status request and the technical capability control request are performed between the MNO and the eUICC (step 2).

In step 3, the MNO verifies the eUICC identity between the SM-SR and the device (eUICC).

In step 4, the MNO creates a new eUICC profile for the MNO through the SM-DP, encrypts the profile with a specific encryption key, and forwards it to the MNO (primary encryption, step 4).

Next, when the MNO sends the first encrypted eUICC profile to the SM-SR and requests the second encryption, the SM-SR secondly encrypts the eUICC profile using the stored eUICC management key and delivers it to the MNO (step 5).

The MNO then sends a Double Ciphered eUICC profile to the eUICC (step 6).

In step 7, the SM-SR database is updated according to the status request and the response between the eUICC and the SM-SR that have finished provisioning.

Each of these steps will be described again.

In step 1, eUICC identification information (eICCid, etc.) is public data and must be integrated and protected inside the eUICC.

In step 2-3, the status request and technical feasibility control provide proof of the eUICC identity (trusted eUICC) and verify the eligibility of the eUICC characteristics for the MNO service.

In step 4 ~ 6, double encryption mechanism is used for eUICC profile creation and transmission. That is, the generation profile linked to the eUICC by the SM-DP is encrypted by an encryption mechanism that can only be read by the target eUICC, and the SM-SR encrypts the creation profile with an eUICC management key to authenticate and protect the eUICC during delivery.

In step 7, the SM-SR database may be updated at the end of the subscription installation.
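The double encryption of steps 4 to 6, as an added example that is not part of the patent text: the SM-DP seals the profile under a key only the target eUICC holds, the SM-SR wraps the result under the eUICC management key, and the eUICC removes both layers. The pre-shared symmetric keys, the names `profile_key`, `sm_dp_prepare`, `sm_sr_wrap` and `Euicc`, the sample profile, and the HMAC-SHA256 stand-in cipher are assumptions chosen so the code runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

# Stand-in encrypt-then-MAC built from HMAC-SHA256. It replaces the ciphers
# the patent leaves unspecified and is not meant for production use.

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one shared key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag for `plaintext` under `key`."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError on mismatch."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))

def can_open(key: bytes, blob: bytes) -> bool:
    """True if `key` authenticates and decrypts `blob`."""
    try:
        open_sealed(key, blob)
        return True
    except ValueError:
        return False

def sm_dp_prepare(profile_key: bytes, profile: bytes) -> bytes:
    """Step 4: primary encryption, readable only by the target eUICC."""
    return seal(profile_key, profile)

def sm_sr_wrap(management_key: bytes, inner: bytes) -> bytes:
    """Step 5: secondary encryption under the eUICC management key."""
    return seal(management_key, inner)

class Euicc:
    """Step 6 receiver: holds both keys and peels the layers in order."""

    def __init__(self, profile_key: bytes, management_key: bytes):
        self.profile_key = profile_key
        self.management_key = management_key

    def install(self, double_ciphered: bytes):
        """Return the profile, or None if either layer fails to verify."""
        try:
            inner = open_sealed(self.management_key, double_ciphered)
            return open_sealed(self.profile_key, inner)
        except ValueError:
            return None

# Constructed sample profile (test PLMN 001/01, made-up K value).
SAMPLE_PROFILE = b"IMSI=001010123456789;K=00112233445566778899aabbccddeeff"

if __name__ == "__main__":
    profile_key, management_key = os.urandom(32), os.urandom(32)
    inner = sm_dp_prepare(profile_key, SAMPLE_PROFILE)
    outer = sm_sr_wrap(management_key, inner)
    card = Euicc(profile_key, management_key)
    print("installed:", card.install(outer) == SAMPLE_PROFILE)
    print("SM-SR can read inner layer:", can_open(management_key, inner))
```

The outer layer lets the eUICC reject anything that did not pass through the SM-SR holding its management key, while the inner layer keeps the profile opaque to that SM-SR.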

FIG. 3 is an overall flowchart of a subscription change or MNO change process to which the present invention is applied.

In general, the change process of FIG. 3 is similar to the provisioning process of FIG. 2 (that is, after the change, the new MNO corresponds to the MNO of FIG. 2), except that the new MNO negotiates and transfers rights with the donor MNO before and after profile generation for the new MNO (step 4-1).

That is, the difference between the MNO change process of FIG. 3 and the provisioning process of FIG. 2 is that, using a provisioning or operation active profile, an activation request is sent over the donor MNO OTA bearer, and the new MNO requests from the SM-SR a path to download the new profile via either OTA or OTI.

The negotiation and rights transfer phase (step 4-1) is a process in which a new MNO asks a previous MNO (donor MNO) whether the corresponding eUICC is justified, and transfers rights (information) due to the MNO change.

That is, in step 4-1, a new MNO (Receiving MNO) requests authentication of the donor MNO for subscription switching, and this authentication may be provided by a policy control function.

The SM role separation environment proposed by the GSMA secures business leadership along with appropriate flexibility (the SM-SR solves the part where all MNOs would have to interwork with each MNO) in an eSIM environment where all business initiative could otherwise be lost to the SM. The SM-DP role is generally expected to be performed by the MNO, which has the advantage that it can be accompanied by building the operator information of communication and supplementary services through the SM-DP. However, since there is no detailed eSIM management plan based on this structure, there are difficulties in securing the security of each provider's information and in defining the issuance flow when introducing the eSIM system.

Accordingly, the present invention proposes a method for securely managing an eSIM by using dynamic public key generation in the SM role separation environment proposed by the GSMA. In detail, the basic opening structure, the third party movement structure and the process plan are presented.

The basic superstructure of the present invention is based on the eSIM structure of FIG. In this specification, the SMs shown in the figure may be a single SM entity or SM entities of “Circle of Trust”.

FIGS. 4 to 7 illustrate a case of changing MNO (from MNO 1 to MNO 2) using the same SM-SR1 according to one embodiment of the present invention.

The entire system to which the present invention is applied is shown in the right figure of FIGS.

That is, each sector is formed in a strong trust relationship by the MNO (s), and a dotted line in FIG. 4 indicates a strong trust relationship.

SM-SR (Subscription Manager-Secure Routing) is operated either directly by the MNOs or, in the form of a TSM, within the MNOs' network in a strong trust relationship with the MNOs. There is also a trust relationship between SM-SRs, and an SM-SR can have relationships with multiple MNOs. The SM-SR is the entity that handles the actual subscription request and loads the MNO profile into the eUICC via OTA.

SM-DP (Subscription Manager-Data Preparation) is operated either directly by the MNOs or, in the form of a TSM, within the MNOs' network in a strong trust relationship with the MNOs (operation by the MNOs is preferably recommended). It creates, stores, and manages MNO profiles.

The MNO only needs to add the additional interface part linked with the SM-SR and SM-DP to the existing MNO server.

In the embodiment of the present invention, a protection profile is newly defined and is not necessarily limited to these terms, and may be expressed in other terms as long as the following functions are performed.

The protection profile is a profile implemented inside the eUICC and is used by MNOs to perform the functions of the SM. The protection profile can be used by MNOs in common (preferably under a common agreement, which prevents fragmentation into MNO-specific functions and allows official certification of its functions), or, without such an agreement, its functions can be defined separately for each MNO.

Integrity, confidentiality, and authenticity must be applied to the protection profile of the present invention, which decrypts and authenticates the encrypted MNO profile. To guarantee integrity and authenticity, it also decrypts and authenticates the encrypted key values (SM-SR key, MNO key). For this, a public key, secret key, or password method can be used to guarantee authenticity, and a MAC (Message Authentication Code), MDC (Manipulation Detection Code), or similar can be used to guarantee integrity.

One item of data defined in an embodiment of the present invention is the SM-SR key. The SM-SR key is the key used for authentication when a profile is loaded, changed, or deleted over the actual OTA channel. It is not necessarily limited to this term; a key serving as this authentication information may be expressed in other terms.

Another item of data defined in an embodiment of the present invention is the MNO key. The MNO key is the authentication key each MNO uses for its MNO services. It is not necessarily limited to this term; a key used as authentication information when the MNO uses an existing service, such as an additional service of the MNO, may be expressed in other terms.

The MNO identification key means a key as MNO identification information managed by the SM-SR through the MNO relationship (identification role for a certain MNO).

In addition, the First Subscription Profile manages the SM-SR access information for requesting the actual opening and the identification key of the MNO having a relationship with the SM-SR.

With reference to FIGS. 4 to 11, the following describes, for an SM environment having a strong trust relationship with the MNOs, how a subscriber changes MNO within the same SM-SR (FIGS. 4 to 7), how a subscription is changed between MNOs in different SM-SRs (FIGS. 8 to 11), and the corresponding eUICC architecture.

As in step 1 of FIG. 4, the terminal, which is receiving the network service of MNO1, makes a "pre-opening request" with the eUICC basic information to MNO2 through a network / offline / online (dedicated line) channel in order to change to MNO2 (MNO1 -> MNO2 change).

In step 2 of FIG. 5, MNO2 provides the following to the eUICC through a network / offline / online (dedicated line) channel.

MNO2 provides the access information of the trusted SM-SR1 (or a directly or jointly operated SM-SR1) to the First Subscription Profile (if the SM-SR1 information is the same as before, it need not be updated) and provides the “MNO2 identification key” to the First Subscription Profile. The Protection Profile then performs the following steps:

1) Generate a key for decrypting the encrypted MNO2 profile that will later be provided over OTA at the “actual subscription request”, and deliver the corresponding encryption key to MNO2.

2) Generate a key for decrypting the key of SM-SR1, and transfer the corresponding encryption key to SM-SR1.

3) Generate a key for decrypting MNO2's key, and pass the corresponding encryption key to MNO1.

In step 3 of FIG. 5, MNO2 informs SM-SR1 of eUICC basic information and MNO2 identification key received at the “pre-subscription request”, and SM-SR1 maps the information.

In addition, in step 3 of FIG. 5, MNO2 additionally stores an encryption key for use in generating an MNO2 profile in SM-DP2.

In step 4 of FIG. 6, the "actual opening request" is attempted by the SM-SR1 using the following information.

1) Basic information when requesting pre-registration, 2) Identification key of MNO2, 3) Connection information of SM-SR1

Then, in step 5 of FIG. 6, SM-SR1 checks that the mapping (basic information at the time of the pre-subscription request, identification key of MNO1) matches, and then provides the “encrypted key of MNO2” and the “encrypted key of SM-SR1”, previously distributed from MNO1, to the eUICC. At this time, the Protection Profile decrypts the “encrypted key of MNO2” and the “encrypted key of SM-SR1”. (In step 2 of FIG. 5, the protection profile of the eUICC generates and manages a decryption key capable of decrypting the SM-SR key and the MNO key.)

At this time, the “key of MNO2” is only added as a key set version and is not yet used (it can be used to manage additional services of MNO2 in the future). The “key of SM-SR1” is not updated if the same key already exists. It can also be used for MNO profile management (subscription, subscription change, etc.).

Next, in step 6 of FIG. 6, SM-SR1 notifies MNO2 that the “encrypted key of MNO2” has been provided.

FIG. 7 shows the provisioning process. In step 7 of FIG. 7, when MNO2 requests SM-DP2 to create an MNO2 profile, SM-DP2 encrypts the MNO2 profile with the security key received during the “pre-opening procedure” and delivers it to MNO2.

In step 8 of FIG. 7, the SM-SR1 receives an “encrypted MNO2 profile” from the MNO2.

In step 9, the SM-SR1 delivers it to the eUICC through the OTA, and the SM-SR1 and the eUICC perform the following operations.

9-1) SM-SR1 informs MNO1 that the subscriber has changed subscription to MNO2, and MNO1 deletes the MNO1 profile for the corresponding eUICC of SM-DP1.

9-2) eUICC deletes MNO1 profile by using “key of SM-SR1”.

9-3) “MNO1 key” of eUICC is updated to “MNO2 key”.

9-4) eUICC decrypts the “encrypted MNO2 profile” through the Protection Profile and loads and installs the MNO2 profile.

FIGS. 8 to 11 illustrate the eUICC internal structure and signal flow when changing MNO (from MNO1 to MNO3) through another SM-SR (SM-SR 2) according to one embodiment of the present invention: the pre-opening request (FIG. 8), the injection of pre-opening access information (FIG. 9), the process of receiving key information after the actual opening request (FIG. 10), and the provisioning process (FIG. 11).

First, in step 1 of FIG. 8, the terminal receiving the network service of the MNO1 makes a "pre-opening request" with the eUICC basic information to the MNO3 to change to the MNO3 through a network / offline / online (dedicated line). (MNO1-> MNO3 change)

Then, in step 2 of FIG. 9, MNO3 provides the access information of the trusted SM-SR2 to the First Subscription Profile of the eUICC (updating the previous information) and provides the “MNO3 identification key” to the First Subscription Profile.

The protection profile of the eUICC then performs the following actions:

1) Generate a key for decrypting the encrypted MNO3 profile that will later be provided over OTA at the “actual subscription request”, and deliver the corresponding encryption key to MNO3.

2) Generate a key for decrypting the key of SM-SR2, and transfer the corresponding encryption key to SM-SR2.

3) Generate a key for decrypting MNO3's key, and pass the corresponding encryption key to MNO3.

Next, in step 3 of FIG. 9, MNO3 informs SM-SR2 of the eUICC basic information and MNO3 identification key received at the “pre-subscription request” and SM-SR2 maps the following information.

Next, MNO3 stores the encryption key in SM-DP3 for use in creating MNO3 profile.

Next, in step 4 of FIG. 10, the terminal attempts the "actual opening request" to SM-SR2 using 1) the basic information from the "pre-registration request", 2) the identification key of MNO3, and 3) the access information of SM-SR2.

Then, as shown in step 5 of FIG. 10, SM-SR2 checks the mapping (basic information at the time of the "pre-registration request", identification key of MNO3) and then provides the “encrypted key of MNO3” and the “encrypted key of SM-SR2”, distributed from MNO3 in advance, to the eUICC. At this time, the “key of MNO3” is only added as a key set version and is not yet used (it can be used to manage additional services of MNO3 in the future). In addition, the “key of SM-SR2” is added as a key set version (used after the last update of the “key of SM-SR1”) and is used only for MNO profile management (subscription, subscription change, etc.).

Next, in step 6 of FIG. 10, SM-SR2 notifies MNO3 that the “encrypted key of MNO3” has been provided.

In step 7 of the provisioning process of FIG. 11, MNO3 requests SM-DP3 to create an MNO3 profile. SM-DP3 encrypts the MNO3 profile with the security key received during the “pre-opening procedure” and delivers it to MNO3. In step 8, SM-SR2 receives the “encrypted MNO3 profile” from MNO3.

Next, in step 9, the SM-SR2 delivers information required for the eUICC through the OTA, and the eUICC and the SM-SR2 process the following operations.

1) SM-SR2 informs SM-SR1 that the subscriber has changed subscription to MNO3, and MNO1 deletes the MNO1 profile for the corresponding eUICC of SM-DP1.

2) eUICC updates “Key of SM-SR1” to “Key of SM-SR2”.

3) eUICC deletes MNO1 profile using “key of SM-SR2”.

4) The “key of MNO1” of eUICC is updated to “key of MNO3”.

5) eUICC loads and installs MNO4 profile after decrypting “encrypted MNO3 profile” through Protection Profile.
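The MNO1 -> MNO3 change through SM-SR2 (steps 2, 5 and 9 above) as an added Python sketch, not code from the patent: the protection profile generates a fresh key pair per purpose, only the encryption keys leave the card, and every encrypted key or profile is MAC-checked before it is decrypted. The toy Diffie-Hellman group, the HMAC command tag under the SM-SR key, the `REPLACE:` command string, all class and function names, the sample bytes, and the decrypt-before-overwrite ordering are assumptions of this example.

```python
import contextlib, hashlib, hmac, secrets

# Toy DH group, illustration only (2**521 - 1 is a Mersenne prime). A real card
# would use a vetted asymmetric scheme from its certified crypto library.
P, G, NBYTES = 2**521 - 1, 3, 66

def _kdf(shared: int):
    raw = shared.to_bytes(NBYTES, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

def _xor_stream(key: bytes, data: bytes) -> bytes:
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(encryption_key: int, plaintext: bytes):
    """Sender side (MNO, SM-DP or SM-SR): encrypt-then-MAC to the card's key."""
    eph = secrets.randbelow(P - 3) + 2
    k_enc, k_mac = _kdf(pow(encryption_key, eph, P))
    ct = _xor_stream(k_enc, plaintext)
    return pow(G, eph, P), ct, hmac.new(k_mac, ct, hashlib.sha256).digest()

class ProtectionProfile:
    """Generates one key pair per purpose; decryption keys never leave the eUICC."""
    def __init__(self):
        self._dec = {}
    def new_encryption_key(self, purpose: str) -> int:
        self._dec[purpose] = secrets.randbelow(P - 3) + 2
        return pow(G, self._dec[purpose], P)
    def open(self, purpose: str, blob) -> bytes:
        eph_pub, ct, tag = blob
        k_enc, k_mac = _kdf(pow(eph_pub, self._dec[purpose], P))
        if not hmac.compare_digest(tag, hmac.new(k_mac, ct, hashlib.sha256).digest()):
            raise ValueError(f"{purpose}: integrity/authenticity check failed")
        return _xor_stream(k_enc, ct)

def command_tag(sm_sr_key: bytes, command: bytes) -> bytes:
    """Assumed OTA command authentication: HMAC under the SM-SR key."""
    return hmac.new(sm_sr_key, command, hashlib.sha256).digest()

class EUICC:
    def __init__(self, mno, profile, sm_sr_key, mno_key):
        self.pp = ProtectionProfile()
        self.mno, self.profile = mno, profile
        self.sm_sr_key, self.mno_key = sm_sr_key, mno_key
        self._pending = None
    def pre_opening(self):                                 # step 2: fresh keys per change
        return {p: self.pp.new_encryption_key(p) for p in ("profile", "sm_sr_key", "mno_key")}
    def receive_keys(self, enc_sm_sr_key, enc_mno_key):    # step 5: add, do not use yet
        self._pending = (self.pp.open("sm_sr_key", enc_sm_sr_key),
                         self.pp.open("mno_key", enc_mno_key))
    def provision(self, new_mno, enc_profile, tag):        # step 9
        new_sm_sr_key, new_mno_key = self._pending
        if not hmac.compare_digest(tag, command_tag(new_sm_sr_key, b"REPLACE:" + new_mno.encode())):
            raise PermissionError("SM-SR authentication failed")
        # Example's ordering choice: decrypt first so a bad blob leaves MNO1 intact.
        new_profile = self.pp.open("profile", enc_profile)
        self.sm_sr_key, self.mno_key = new_sm_sr_key, new_mno_key
        self.mno, self.profile = new_mno, new_profile      # overwrite: one profile kept

def run_change(tamper: bool = False):
    """MNO1 -> MNO3 through SM-SR2 with constructed keys and profile bytes."""
    card = EUICC("MNO1", b"profile-of-MNO1", b"k-sm-sr1", b"k-mno1")
    enc = card.pre_opening()
    sm_sr2_key, mno3_key = secrets.token_bytes(16), secrets.token_bytes(16)
    card.receive_keys(seal(enc["sm_sr_key"], sm_sr2_key), seal(enc["mno_key"], mno3_key))
    eph_pub, ct, tag = seal(enc["profile"], b"profile-of-MNO3")   # done by SM-DP3
    if tamper:                                                    # one bit flipped in transit
        ct = bytes([ct[0] ^ 1]) + ct[1:]
    with contextlib.suppress(ValueError):
        card.provision("MNO3", (eph_pub, ct, tag), command_tag(sm_sr2_key, b"REPLACE:MNO3"))
    return card.mno, card.profile, card.mno_key == mno3_key
```

`run_change(tamper=True)` shows the failure path: the modified profile blob fails the MAC check and the card stays on the MNO1 profile and keys.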

As described above, the protection profile is defined in the eUICC, the SM-SR key is defined as the information used for authentication when changing the MNO profile and the like, and the MNO key used as an authentication means for MNO supplementary services is defined separately. When the MNO is changed, the eUICC authenticates with the SM-SR key and then overwrites the MNO profile. After the MNO profile is changed, the MNO key is updated so that the additional services of the MNO can be accessed.

Thus, by solving the above-mentioned problems, it is not necessary to maintain multiple MNO profiles in the eUICC, minimizing the use of USIM memory when changing the subscription MNO several times, and network and supplementary services of the previous MNO during the subscription MNO change process. When the MNO is changed, when the MNO profile is updated, the MNO can be updated to the provisioned state of the MNO to be changed from the provisioned state of the previous MNO.

The foregoing description is merely illustrative of the technical idea of the present invention, and various changes and modifications may be made by those skilled in the art without departing from the essential characteristics of the present invention. Therefore, the embodiments disclosed in the present invention are intended to illustrate rather than limit the scope of the present invention, and the scope of the technical idea of the present invention is not limited by these embodiments. The protection scope of the present invention should be interpreted by the following claims, and all technical ideas within the equivalent scope should be interpreted as being included in the scope of the present invention.

Claims (1)

  1. An embedded UICC (eUICC) device used in a communication system in which a subscription manager (SM) is divided into secure routing (SM-SR) and data preparation (SM-DP).
    The eUICC device includes a protection profile capable of decrypting an MNO profile for one or more telecommunication service providers (MNO) and a SM-SR key and an MNO key.
    And the eUICC device stores SM-SR authentication information for authenticating the change of the MNO profile and MNO authentication information for authenticating additional service management of a specific MNO after opening.
KR1020110090431A 2011-09-06 2011-09-06 Subscription Changing Method for Embedded UICC using Trusted Subscription Manager and Embedded UICC Architecture therefor KR101891326B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020110090431A KR101891326B1 (en) 2011-09-06 2011-09-06 Subscription Changing Method for Embedded UICC using Trusted Subscription Manager and Embedded UICC Architecture therefor

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020110090431A KR101891326B1 (en) 2011-09-06 2011-09-06 Subscription Changing Method for Embedded UICC using Trusted Subscription Manager and Embedded UICC Architecture therefor

Publications (2)

Publication Number Publication Date
KR20130027097A true KR20130027097A (en) 2013-03-15
KR101891326B1 KR101891326B1 (en) 2018-08-23

Family

ID=48178123

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020110090431A KR101891326B1 (en) 2011-09-06 2011-09-06 Subscription Changing Method for Embedded UICC using Trusted Subscription Manager and Embedded UICC Architecture therefor

Country Status (1)

Country Link
KR (1) KR101891326B1 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8898769B2 (en) 2012-11-16 2014-11-25 At&T Intellectual Property I, Lp Methods for provisioning universal integrated circuit cards
US8959331B2 (en) 2012-11-19 2015-02-17 At&T Intellectual Property I, Lp Systems for provisioning universal integrated circuit cards
US9036820B2 (en) 2013-09-11 2015-05-19 At&T Intellectual Property I, Lp System and methods for UICC-based secure communication
US9124573B2 (en) 2013-10-04 2015-09-01 At&T Intellectual Property I, Lp Apparatus and method for managing use of secure tokens
US9240989B2 (en) 2013-11-01 2016-01-19 At&T Intellectual Property I, Lp Apparatus and method for secure over the air programming of a communication device
US20170223524A1 (en) * 2016-01-29 2017-08-03 Safran Identity & Security Surveillance method for a mobile telecommunications terminal
US9729526B2 (en) 2013-11-27 2017-08-08 At&T Intellectual Property I, L.P. Apparatus and method for secure delivery of data from a communication device
US9813428B2 (en) 2013-10-28 2017-11-07 At&T Intellectual Property I, L.P. Apparatus and method for securely managing the accessibility to content and applications
US9882902B2 (en) 2013-11-01 2018-01-30 At&T Intellectual Property I, L.P. Apparatus and method for secure provisioning of a communication device
US9967247B2 (en) 2014-05-01 2018-05-08 At&T Intellectual Property I, L.P. Apparatus and method for managing security domains for a universal integrated circuit card
US10104062B2 (en) 2013-10-23 2018-10-16 At&T Intellectual Property I, L.P. Apparatus and method for secure authentication of a communication device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002314525A (en) * 2001-04-17 2002-10-25 Hitachi Ltd Contents distribution method and contents distributor
KR20080056055A (en) * 2006-12-15 2008-06-20 주식회사 케이티 Communication inter-provider roaming authentication method and key establishment method, and recording medium storing program including the same
US20090191857A1 (en) * 2008-01-30 2009-07-30 Nokia Siemens Networks Oy Universal subscriber identity module provisioning for machine-to-machine communications
KR20090126839A (en) * 2008-06-05 2009-12-09 에스케이 텔레콤주식회사 Apparatus and method for storing of transmission/receipt data in a mobile communication system
KR20100056566A (en) * 2007-09-19 2010-05-27 인터디지탈 테크날러지 코포레이션 Virtual subscriber identity module

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002314525A (en) * 2001-04-17 2002-10-25 Hitachi Ltd Contents distribution method and contents distributor
KR20080056055A (en) * 2006-12-15 2008-06-20 주식회사 케이티 Communication inter-provider roaming authentication method and key establishment method, and recording medium storing program including the same
KR20100056566A (en) * 2007-09-19 2010-05-27 인터디지탈 테크날러지 코포레이션 Virtual subscriber identity module
US20090191857A1 (en) * 2008-01-30 2009-07-30 Nokia Siemens Networks Oy Universal subscriber identity module provisioning for machine-to-machine communications
KR20090126839A (en) * 2008-06-05 2009-12-09 에스케이 텔레콤주식회사 Apparatus and method for storing of transmission/receipt data in a mobile communication system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Shirazi, Hamidreza et al., "A Cooperative Cellular and Broadcast Conditional Access System for Pay-TV Systems." IEEE Transactions on Broadcasting 56.1 (2010): 44-57.* *

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10015665B2 (en) 2012-11-16 2018-07-03 At&T Intellectual Property I, L.P. Methods for provisioning universal integrated circuit cards
US8898769B2 (en) 2012-11-16 2014-11-25 At&T Intellectual Property I, Lp Methods for provisioning universal integrated circuit cards
US9886690B2 (en) 2012-11-19 2018-02-06 At&T Mobility Ii Llc Systems for provisioning universal integrated circuit cards
US8959331B2 (en) 2012-11-19 2015-02-17 At&T Intellectual Property I, Lp Systems for provisioning universal integrated circuit cards
US9185085B2 (en) 2012-11-19 2015-11-10 At&T Intellectual Property I, Lp Systems for provisioning universal integrated circuit cards
US9036820B2 (en) 2013-09-11 2015-05-19 At&T Intellectual Property I, Lp System and methods for UICC-based secure communication
US10091655B2 (en) 2013-09-11 2018-10-02 At&T Intellectual Property I, L.P. System and methods for UICC-based secure communication
US9124573B2 (en) 2013-10-04 2015-09-01 At&T Intellectual Property I, Lp Apparatus and method for managing use of secure tokens
US10122534B2 (en) 2013-10-04 2018-11-06 At&T Intellectual Property I, L.P. Apparatus and method for managing use of secure tokens
US10104062B2 (en) 2013-10-23 2018-10-16 At&T Intellectual Property I, L.P. Apparatus and method for secure authentication of a communication device
US10104093B2 (en) 2013-10-28 2018-10-16 At&T Intellectual Property I, L.P. Apparatus and method for securely managing the accessibility to content and applications
US9813428B2 (en) 2013-10-28 2017-11-07 At&T Intellectual Property I, L.P. Apparatus and method for securely managing the accessibility to content and applications
US10375085B2 (en) 2013-10-28 2019-08-06 At&T Intellectual Property I, L.P. Apparatus and method for securely managing the accessibility to content and applications
US9942227B2 (en) 2013-11-01 2018-04-10 At&T Intellectual Property I, L.P. Apparatus and method for secure over the air programming of a communication device
US10200367B2 (en) 2013-11-01 2019-02-05 At&T Intellectual Property I, L.P. Apparatus and method for secure provisioning of a communication device
US9882902B2 (en) 2013-11-01 2018-01-30 At&T Intellectual Property I, L.P. Apparatus and method for secure provisioning of a communication device
US9628587B2 (en) 2013-11-01 2017-04-18 At&T Intellectual Property I, L.P. Apparatus and method for secure over the air programming of a communication device
US9240989B2 (en) 2013-11-01 2016-01-19 At&T Intellectual Property I, Lp Apparatus and method for secure over the air programming of a communication device
US9729526B2 (en) 2013-11-27 2017-08-08 At&T Intellectual Property I, L.P. Apparatus and method for secure delivery of data from a communication device
US9967247B2 (en) 2014-05-01 2018-05-08 At&T Intellectual Property I, L.P. Apparatus and method for managing security domains for a universal integrated circuit card
US20170223524A1 (en) * 2016-01-29 2017-08-03 Safran Identity & Security Surveillance method for a mobile telecommunications terminal
US9860739B2 (en) * 2016-01-29 2018-01-02 Safran Identity & Security Surveillance method for a mobile telecommunications terminal

Also Published As

Publication number Publication date
KR101891326B1 (en) 2018-08-23

Similar Documents

Publication Publication Date Title
CN101940016B (en) Method and system for mobile device credentialing
KR101500803B1 (en) Apparatus and methods for storing electronic access clients
EP1757148B1 (en) Security in a mobile communications system
RU2518924C2 (en) Wireless device, user access control client request method and access control client method
US9826335B2 (en) Method and apparatus for enabling machine to machine communication
EP2248322B1 (en) Methods and apparatus for wireless device registration
EP2255507B1 (en) A system and method for securely issuing subscription credentials to communication devices
US10305862B2 (en) Secure communication with a mobile device
CA2700317C (en) Virtual subscriber identity module
US9100810B2 (en) Management systems for multiple access control entities
EP2140717B1 (en) Method and system for mobile device credentialing
US9282095B2 (en) Security and privacy enhancements for security devices
CN103329501B (en) The method of the content on the safety element that management is connected to equipment
EP1687953B1 (en) Method for the authentication of applications
CN102572805B (en) Methods and apparatus for delivering electronic identification components over a wireless network
CN101946536B (en) Application specific master key selection in evolved networks
US20090253409A1 (en) Method of Authenticating Home Operator for Over-the-Air Provisioning of a Wireless Device
US9775024B2 (en) Method for changing MNO in embedded SIM on basis of dynamic key generation and embedded SIM and recording medium therefor
US9419970B2 (en) Electronic access client distribution apparatus and methods
KR20130012243A (en) Method for changing mno of embedded sim based on privilege, embedded sim and recording medium for the same
KR101716743B1 (en) Mobile apparatus supporting a plurality of access control clients, and corresponding methods
JP2013529019A (en) Wireless network authentication device and method
US9661666B2 (en) Apparatus and methods of identity management in a multi-network system
TWI451735B (en) Method and apparatus for binding subscriber authentication and device authentication in communication systems
US9253188B2 (en) Mobile terminal authorisation arrangements

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right