WO2014030893A1 - Procédé de gestion de profil par module d'authentification d'abonné intégré dans un dispositif terminal, et dispositif d'authentification d'abonné l'utilisant - Google Patents

Procédé de gestion de profil par module d'authentification d'abonné intégré dans un dispositif terminal, et dispositif d'authentification d'abonné l'utilisant Download PDF

Info

Publication number
WO2014030893A1
WO2014030893A1 PCT/KR2013/007433 KR2013007433W WO2014030893A1 WO 2014030893 A1 WO2014030893 A1 WO 2014030893A1 KR 2013007433 W KR2013007433 W KR 2013007433W WO 2014030893 A1 WO2014030893 A1 WO 2014030893A1
Authority
WO
WIPO (PCT)
Prior art keywords
profile
profiles
managing
manager
data
Prior art date
Application number
PCT/KR2013/007433
Other languages
English (en)
Korean (ko)
Inventor
서명희
이진형
Original Assignee
주식회사 케이티
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from KR1020130057732A external-priority patent/KR102116269B1/ko
Application filed by 주식회사 케이티 filed Critical 주식회사 케이티
Publication of WO2014030893A1 publication Critical patent/WO2014030893A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W8/00Network data management
    • H04W8/18Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30Security of mobile devices; Security of mobile applications
    • H04W12/35Protecting application or service provisioning, e.g. securing SIM application provisioning
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30Security of mobile devices; Security of mobile applications
    • H04W12/37Managing security policies for mobile devices or for controlling mobile applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/40Security arrangements using identity modules

Definitions

  • the present invention relates to profile management in a subscriber authentication module, and more particularly, to a profile management method of a subscriber authentication module installed in a terminal device and a subscriber authentication device using the same.
  • a UICC Universal Integrated Circuit Card
  • the UICC may include NAA (Network Access Applications), which is an application for accessing various networks of operators such as a universal subscriber identity module (USIM) for WCDMA / LTE network access and a subscriber identity module (SIM) for GSM network access.
  • NAA Network Access Applications
  • USIM universal subscriber identity module
  • SIM subscriber identity module
  • eSIM embedded SIM
  • eUICC embedded SIM
  • eUICC provides network access authentication function similar to existing detachable UICC, but due to its physical structure, eUICC should be able to handle network access of multiple operators with one UICC, and there are many issues such as eUICC opening / distribution / subscriber information security. And it is necessary to prepare a plan for this.
  • international standardization bodies such as GSMA and ETSI are conducting standardization activities on relevant elements such as carriers, manufacturers and SIM vendors, as well as necessary elements including top-level structures.
  • WG working group
  • the external object must manage profile information and policy rules for all eUICCs and perform policy rules.
  • the rules we need to define the interworking interface between eUICC and external objects.
  • the information is managed by an external object such as a server, the actual eUICC The service may not be performed because synchronization with the state of the network is not performed.
  • the profile management and policy execution function may be provided by using the existing UICC platform.
  • modification of the platform specification is required to add the corresponding function to the platform.
  • platform-related specifications such as Global Platform (GP), ETSI, 3GPP, etc. This is a task that consumes more time and resources than specifying the function of eUICC.
  • An object of the present invention for overcoming the above-mentioned problems is to provide a profile management method of a subscriber authentication module that is installed in a terminal device.
  • Another object of the present invention to provide a subscriber authentication device using the profile management method.
  • a method for managing a profile in a subscriber authentication module installed in a terminal device includes installing one or more profiles and managing one or more installed profiles.
  • the one or more profiles are distinguished by unique identifiers.
  • Managing the installed one or more profiles may include registering the installed profile.
  • Managing the installed one or more profiles may include changing the state of the requested profile to an active or disabled state.
  • Managing the installed one or more profiles may include deleting the profile requested to be deleted.
  • one or more active profile of the one or more profiles may be present at any time.
  • the managing of the one or more installed profiles may include changing a policy rule according to whether a profile policy change request conforms to an existing rule.
  • Managing the one or more installed profiles may include providing information about profile related data requested for inquiry.
  • Managing the installed one or more profiles may also include changing the profile manager key requested to change.
  • Managing the installed one or more profiles may also include changing the profile to an initialized state.
  • a subscriber authentication device embedded in a terminal device includes a profile manager that manages one or more profiles and information on one or more profiles.
  • Subscriber authentication device is an eUICC.
  • the profile manager includes a profile information storage unit for storing one or more profile related information and a policy enforcement function unit for applying and managing the profile related policy.
  • the subscriber authentication device may further include an interface unit for communicating with an external object.
  • the external object may be a subscriber manager module or a terminal device.
  • the interface unit receives one or more profile related requests from the external object and returns a success or error message for the request to the external object.
  • the profile manager may change and manage one or more states of a corresponding profile and corresponding profile related information changed according to the profile related request.
  • the profile related request may include at least one of a profile registration request, a profile state change request, a profile deletion request, a profile policy change request, a profile related data inquiry request, and a profile manager key change request, and a profile one initialization request.
  • the one or more profile related information may include one or more of a profile list, a profile related network access application list, a profile state, and a profile type.
  • the one or more profiles are distinguished by a unique identifier, and the unique identifier of the profile may be set based on one or more information of a mobile country code and a mobile network code.
  • the present invention provides a secure profile management method that allows the external interworking device and the internal module to query profile information on the eUICC and the profile related policy of the eUICC and change the policy rule.
  • the present invention can clearly define the implementation on the eUICC of the PEF (Policy Enforcement Functions) defined in the existing ETSI requirements standard, through which the design and development of eUICC itself and external interworking devices can be standardized.
  • PEF Policy Enforcement Functions
  • FIG. 1 is a diagram illustrating a connection relationship between an eUICC and a peripheral external device according to an embodiment of the present invention.
  • FIG. 2 is a block diagram of an eUICC module according to an embodiment of the present invention.
  • FIG. 3 is a flowchart illustrating an operation of a profile management method for installing and registering a profile according to the present invention.
  • FIG. 4 is an operation flowchart according to an embodiment of a profile management method for changing a profile state to active according to the present invention.
  • FIG. 5 is a flowchart illustrating an operation of a profile management method for changing a profile state to disabled according to the present invention.
  • FIG. 6 is a flowchart illustrating an operation of deleting and managing a profile according to an embodiment of the present invention.
  • FIG. 7 is a flowchart illustrating a method of deleting and managing a profile according to an exemplary embodiment of the present invention.
  • FIG. 8 is a flowchart illustrating an operation of a profile management method for changing a profile policy according to the present invention.
  • FIG. 9 is an operation flowchart according to an embodiment of a method for querying profile related information according to the present invention.
  • FIG. 10 is an operation flowchart according to another embodiment of a method for querying profile related information according to the present invention.
  • FIG. 11 is a flowchart illustrating an operation of changing a key of a profile manager according to an exemplary embodiment of the present invention.
  • FIG. 12 is a flowchart illustrating a profile management method according to an embodiment of the present invention.
  • FIG. 13 illustrates an embodiment of a DELETE command configuration and related parameters.
  • FIG. 14 illustrates one embodiment of a GET STATUS command and associated parameter configuration.
  • 15 illustrates an embodiment of a SET STATUS command and associated parameter configuration.
  • eUICC embedded UICC
  • eSIM embedded SIM
  • the term 'terminal' refers to a mobile station (MS), a user equipment (UE), a user terminal (UT), a wireless terminal, an access terminal (AT), a terminal, a subscriber unit (Subscriber Unit). May be referred to as a subscriber station (SS), a wireless device, a wireless communication device, a wireless transmit / receive unit (WTRU), a mobile node, mobile or other terms.
  • SS subscriber station
  • WTRU wireless transmit / receive unit
  • Various embodiments of the terminal may be photographed such as a cellular telephone, a smart phone having a wireless communication function, a personal digital assistant (PDA) having a wireless communication function, a wireless modem, a portable computer having a wireless communication function, or a digital camera having a wireless communication function.
  • PDA personal digital assistant
  • the terminal may include a machine to machine (M2M) terminal, a machine type communication (MTC) terminal / device, but is not limited thereto.
  • M2M machine to machine
  • MTC machine type communication
  • each block or step described herein may represent a portion of a module, segment, or code that includes one or more executable instructions for executing a particular logical function (s).
  • a particular logical function s.
  • the functions noted in the blocks or steps may occur out of order. For example, it is also possible that two blocks or steps shown in succession are performed simultaneously, or that the blocks or steps are sometimes performed in the reverse order, depending on the function in question.
  • the profile management and profile related policy execution are performed by the eUICC itself, not an external object.
  • the present invention provides a block / module called a profile manager that manages profile information and profile related policy execution on the eUICC. Define.
  • the present invention also defines the functions and roles of the profile manager, and defines and applies specific data managed by the profile manager, an interworking interface with external modules, commands provided by the profile manager, and security matters of the profile manager. Through this, we propose embodiments for changing and applying the policy on the actual eUICC.
  • a profile according to the invention is a module comprising one or more network connection applications (including parameter data, file structures, etc. for network connection) and network connection credentials.
  • the profile can be accessed with a unique value (ID) on the eUICC, and the types of profile include a provisioning profile and an operator profile.
  • ID unique value
  • Provisioning profile when installed on eUICC to provide transport capability for eUICC and profile management between eUICC and Subscription Manager-Secure Routing (SM-SR).
  • SM-SR Subscription Manager-Secure Routing
  • An operator profile is a profile that includes one or more network connection applications and associated connection credentials.
  • a profile management and control method basic information about a profile, such as a profile list installed on an eUICC, a network access application (NAA) list matching a profile, a profile state, and a profile type, is managed.
  • NAA network access application
  • SM Subscriber Manager
  • the profile management and control method according to the present invention, even if several mobile network operator (MNO) profiles exist on the eUICC, only one profile is enabled at any given time (the corresponding profile is Control to be selectable).
  • MNO mobile network operator
  • eUICC can inherently load and install several profiles at the same time, but at any moment, the serving network operator's profile must be activated so that the network service of the provider operates normally. This is because performance and security issues should not occur.
  • the second reason is that when several carrier profiles are loaded in the eUICC, the device may want to provide one or several activated profiles according to the characteristics of the terminal and the requirements of the carrier / service provider. Because you have to be in control.
  • the capability of the eUICC and the corresponding profile or profile owner (MNO) Control this according to whether or not.
  • the present invention manages the information of the profiles installed to provide the same network access function as the existing removable USIM on the eUICC, an object (for example, to apply and control the profile-related policy (policy rules)) It defines the definition, function, related data, security matters, and interworking interface of the profile manager that provides an interface for interworking with the Subscribe Manager, and proposes how to change and apply the policy of the eUICC.
  • an object for example, to apply and control the profile-related policy (policy rules)
  • Policy rules policy
  • Profile manager according to the present invention, the profile list installed in the eUICC and the NAA list of the profile, the profile status, policy policy management and execution (policy enforcement), providing an external interface for profile management, security protocol support Module on eUICC.
  • the profile manager also includes a data object for managing all profiles installed on the eUICC in the profile information storage module, and manages various kinds of data defined below.
  • PLMNs Public Land Mobile Networks
  • the profile information of the profile manager may be managed in the form of a data object, and an embodiment of the data object definition may be confirmed through Table 1 below.
  • Table 1 shows an embodiment of profile information and policy data according to the present invention.
  • data and policy rules related to each profile can be managed in the profile itself.
  • it may be managed by a subscription manager (SM), a mobile network operator (MNO) system, etc.).
  • SM subscription manager
  • MNO mobile network operator
  • the method of obtaining / modifying data and policy rules related to each profile in the profile manager is a method of obtaining profile management data and information through the eUICC internal interworking interface between the profile manager and the profile and the external interlocked object through the external interface of the profile manager. Importing from can be used.
  • the method of obtaining / modifying data and policy rules related to the entire profile is obtained from the external interlocking object through the external interface of the profile manager according to the type of data and policy (maximum number of profiles that can be activated and public land mobile of the profiles that can be activated). Network) or a list of profile IDs), or a method obtained by the profile management unit itself at the time of profile installation / deletion / status change (number of currently active profiles, number of installed profiles, allowable memory size for all profiles on eUICC, etc.) This can be.
  • FIG. 1 is a diagram illustrating a connection relationship between an eUICC and a peripheral external device according to an embodiment of the present invention.
  • the eUICC 100 includes a mobile network operator-over the air (MNO-OTA) 200, an MNO core network 300, one or more subscription manger-secure routing (SM-SR) 410, one or more. It is connected with a subscription manger-data preparation (SM-DP) 420.
  • MNO-OTA mobile network operator-over the air
  • SM-SR subscription manger-secure routing
  • SM-DP subscription manger-data preparation
  • the MNO-OTA 200 and the MNO core network 300 are operated by an entity that provides a communication service to customers through a mobile network, that is, a mobile network operator, and communicate with a terminal. As shown in FIG. 1, the MNO-OTA 200 provides a profile content access credentials to the eUICC 100.
  • the SM-SR 410 plays a role of safely performing a function of directly managing a provider profile and a provisioning profile on the eUICC.
  • the SM-SR 410 is connected to the profile manager 130 in the eUICC for this purpose.
  • the profile manager 130 will be described in detail with reference to FIG. 2 below.
  • the SM-DP 420 also prepares the operator profile and the provisioning profiles to be securely provisioned on the eUICC, for example, encrypts the profile.
  • the SM-DP 420 is connected to the profile installation unit 140 in the eUICC for this purpose.
  • the profile installation unit 140 will be described in detail with reference to FIG. 2 below.
  • FIG. 2 is a block diagram of an eUICC module according to an embodiment of the present invention.
  • the components to be described below with reference to FIG. 2 may be defined by functions that each performs as components defined by functional divisions, not physical divisions.
  • Each of the components may be implemented in hardware and / or program code and a processing unit for performing each function, and the functions of two or more components may be included in one component and implemented.
  • the eUICC 100 includes a standard platform and API 120 such as a card operating system 110 and Java Cards.
  • the eUICC 100 may include a profile manager 130 and a profile installer 140 for profile installation and management.
  • the profile installation unit 140 has a key for installing a profile instance as a module for verifying, decrypting, and installing profile data.
  • a profile instance as a module for verifying, decrypting, and installing profile data.
  • the profile manager 130 may include a profile block management module 131, a profile information registry 132, and a profile related policy enforcement function 133. Can be.
  • the profile block management module 131 manages an encrypted data block when installing a profile, and has a key for performing profile installation, profile deletion, profile activation, profile deactivation, and the like.
  • the profile information storage module 132 manages the profile list installed in association with the profile installation unit 140, the NAA list of the corresponding profile, the profile state, and the profile type information.
  • the policy execution module 133 manages profile related policies and applies them.
  • the profile manager 130 confidentiality of the Application Protocol Data Unit (APDU) exchanged between the eUICC 100 and the external companion device through a secure channel. And integrity.
  • APDU Application Protocol Data Unit
  • the profile manager 130 also ensures the confidentiality and integrity of the command after generating a session key through external authentication before processing a command requiring security such as updating profile management data, changing a profile state, and deleting a profile.
  • the profile manager 130 supports remote management of profile management data change, profile state change, profile deletion, and the like through over-the-air (OTA).
  • OTA over-the-air
  • the key for the secure channel and the OTA function of the profile manager 130 is safely managed separately, and this key can be changed to a new key by the owner of the corresponding key, for example, through a PUT KEY command.
  • a feature of the present invention is the role of the profile information storage module 132 and the profile related policy execution module 133 among the detailed modules of the profile manager 130 in the eUICC structure, and the profile information storage module 132 and the profile related policy. It is deeply related to the security characteristics of the data managed by the execution module 133, an interworking interface with an external device, the profile information storage module 132, and the profile related policy execution module 133.
  • Specific operations for managing profile information and applying policies according to the present invention include operations such as profile installation and registration of profile information installed, profile state change, profile deletion, profile policy rule change, and profile related data inquiry.
  • each profile may be identified by a unique ID, and the profile ID may be regarded as including a Mobile Country Codes (MCC), a Mobile Network Codes (MCC) code, or a value that can be mapped to an MCC or an MNC. .
  • MCC Mobile Country Codes
  • MNC Mobile Network Codes
  • the operation for managing such profile information and applying a policy according to the present invention may be performed through an interworking interface between a terminal, a profile manager on an eUICC, and a profile on an eUICC.
  • FIG. 3 is a flowchart illustrating an operation of a profile management method for installing and registering a profile according to the present invention.
  • the profile installation is initiated by an INSTALL command input from the external companion device 500, and at the end of the installation, the profile 150 displays itself as a profile manager. 130) to register (REGISTER).
  • the registration message that the profile 150 transmits to the profile manager 130 to register the profile itself to the profile manager 130 after the installation is completed includes a profile ID, a profile type, and a NAA list. (NAAs list), profile initial status may be included as its parameters.
  • Detailed blocks such as the profile block management module 131 and the profile installation unit 140 of the profile manager 130 may be related to profile installation.
  • profile manager 130 If profile registration is successful, the profile manager 130 returns the success result to the profile. If registration fails, that is, if an error occurs, profile the corresponding result according to the reason for failure (for example, registration success but status setting error or registration failure). (150).
  • the profile 150 receiving the registration result value returns a failure message (Success) indicating a successful installation and registration or a failure message (status word) including a failure result code (status word) to the external companion device 400.
  • the external companion device 500 may be a terminal or a subscriber manager (SM) which is a subscription module.
  • the profile manager 130 performs the profile state change procedure described below.
  • the profile manager 130 registers only the installed profile information and does not perform a profile state change procedure separately.
  • FIG. 4 is an operation flowchart according to an embodiment of a profile management method for changing a profile state to active according to the present invention.
  • FIG. 4 illustrates an interworking protocol between an external companion device (eg, a terminal) 500, a profile manager 130 on the eUICC 100, and a profile 150 on the eUICC, in order to change the profile state to active.
  • an external companion device eg, a terminal
  • profile manager 130 on the eUICC 100 e.g., a profile manager 130 on the eUICC 100
  • a profile 150 on the eUICC e.g., a profile 150 on the eUICC
  • the external companion device 500 when the state of the profile 150 changes from inactive to active, supports a SET STATUS command supported by the profile manager 130 to change the state. Can be used.
  • the profile manager 130 may include a profile ID included in the SET STATUS command received from the external companion device 500 and state to be changed (for example, “enable” in the embodiment illustrated in FIG. 4). Acquire.
  • the PLMN (or profile ID) of the profile owner is “PLMN (or profile ID) list of the profiles that can be enabled from the data managed by the profile manager 130. Check whether it is included in the ”, or return an error if not included.
  • the profile manager 130 also checks the "maximum number of profiles that can be activated" among the managed data objects, and when the number of profiles currently active is smaller than the maximum number of profiles that can be activated, the SET STATUS internal interworking API (Application Programming Interface) Through change the state of the profile 150 to the active.
  • the SET STATUS internal interworking API Application Programming Interface
  • the profile 150 receiving the SET STATUS command from the profile manager 130 through the internal interworking API is activated through the ACTIVATE ADF (DF) which is one of the USIM file management commands. Change to the state.
  • DF ACTIVATE ADF
  • the NAA state change is performed in the profile, but the embodiment in which the NAA state change is performed by the profile manager according to the shape of the profile is also possible.
  • the profile manager 130 increases the number of profiles of the currently active state among the managed data objects by one.
  • FIG. 5 is a flowchart illustrating an operation of a profile management method for changing a profile state to disabled according to the present invention.
  • the external companion device 500 may use the SET STATUS command supported by the profile manager 130 to change the state.
  • the SET STATUS command includes a profile ID and status information to be changed as parameters.
  • the profile manager 130 receiving the SET STATUS command changes the state of the profile 150 to inactive through the SET STATUS internal interworking API.
  • Profile 150 changes the NAA state it manages to inactive, for example using DEACTIVATE ADF (DF), one of the USIM file management commands.
  • DF DEACTIVATE ADF
  • the NAA state change may be performed by the profile manager 130 according to the shape of the profile.
  • a result code (for example, “already disabled” or “general failure”) is sent to the external companion device 500. Returns an error containing).
  • the profile manager 130 checks the “profile state change notification tag” of the corresponding profile among the managed data objects to perform a method such as OTA (Over The Air) when notification is required.
  • the status change can be transmitted to the mobile communication network operator (MNO) of the profile.
  • MNO mobile communication network operator
  • the profile manager 130 may output a result code.
  • the eUICC may inform that there is data to be transmitted.
  • the profile manager 130 decreases the number of profiles of the currently active state among the managed data objects by one.
  • FIG. 6 is a flowchart illustrating an operation of deleting and managing a profile according to an embodiment of the present invention.
  • two cases of deregistration by the profile manager after the profile itself is deleted and deletion by the profile manager may be considered.
  • FIG. 6 illustrates a case where the registration of the profile manager 130 is canceled after the profile 150 itself is deleted.
  • the external companion device 500 may use the DELETE command to delete the profile itself.
  • the profile 150 requests the profile manager 130 to deregister the profile using the DEREGISTER API.
  • the profile manager 130 deletes the profile deregistration requested profile and the NAA from the management profile list.
  • the profile manager 130 returns a success result after correcting the relevant data and normal processing, and returns an error including a result code when an error occurs while deleting the profile information.
  • FIG. 7 is a flowchart illustrating a method of deleting and managing a profile according to an exemplary embodiment of the present invention.
  • the external companion device 500 requests the profile deletion, it may be considered that there are two cases in which the profile itself is deleted after the profile itself is deleted and the case where the profile is deleted through the profile manager.
  • FIG. 6 illustrates the case where the profile manager 130 performs the deregistration after deleting the requested profile from the profile itself
  • FIG. 7 illustrates the process of deleting the profile through the profile manager 130.
  • An embodiment of the interworking protocol is shown.
  • the DELETE command may be used among the interworking interfaces of the profile manager 130.
  • the external companion device 500 may transmit the profile ID to be deleted when the DELETE command is called to the profile manager 130 as a parameter.
  • the DELETE command should be possible only through authorized objects, and therefore requires mutual authentication between the eUICC 100 and the external interworking device 500 and, for example, secure messaging with encryption or signature attached to the session key. ) Can be executed by the DELETE command.
  • the profile manager 130 When the deletion of the profile information is normally processed, the profile manager 130 returns a success result to the external companion device 500. For example, if the profile has already been deleted (for example, profile not found), If an error occurs, return an error with the result code.
  • FIG. 8 is a flowchart illustrating an operation of a profile management method for changing a profile policy according to the present invention.
  • the external companion device 500 may use the STORE DATA command supported by the profile manager 130. At this time, the external companion device 500 includes a data object (DO) of the policy rule to be changed as a parameter in the STORE DATA command and transmits it to the profile manager 130.
  • DO data object
  • the profile manager 130 checks whether the change policy rule does not violate the existing rule (for example, if the maximum number of active profiles is smaller than the number of currently active profiles, the profile manager 130 is currently active to prevent violation of the change policy rules). Checks whether one or more of the profiles in the state need to be changed, etc.) and returns an error result if it is violated, and returns a success result if it is changed normally.
  • Profile-related data can be thought of as divided into data and policy rules managed by the profile information storage module 132 of the profile manager 130 and data and policy rules managed by the profile itself 150.
  • FIG. 9 is an operation flowchart according to an embodiment of a method for querying profile related information according to the present invention.
  • FIG. 9 illustrates an embodiment of an interworking protocol when the profile manager 130 inquires about profile and policy information managed by the profile manager 130.
  • the external companion device 500 may use a GET DATA command supported by the profile manager 130.
  • the GET DATA input to the profile manager 130 may include a tag of data to be queried by the external companion device 500.
  • the GET DATA command may not include additional parameters in the entire data search.
  • the profile manager 130 receiving the GET DATA command checks the validity of the parameter and returns the corresponding data information or the entire data object to the external companion device 500.
  • FIG. 10 is a flowchart illustrating a method of inquiring profile related information in accordance with another embodiment of the present invention.
  • FIG. 10 illustrates an embodiment of an interworking protocol when inquiring profile management data and policy information (eg, meta information such as profile type and state change policy) managed by the profile itself 150.
  • profile management data and policy information eg, meta information such as profile type and state change policy
  • the external companion device 500 may use a GET DATA command supported by the profile manager 130.
  • the GET DATA command may include a tag and a profile ID of data to be queried by the external companion device 500 as its parameters.
  • the profile manager 130 obtains current management data or policy information of the profile 150 using the GET DATA internal interworking API using the identifier of the corresponding data tag as a parameter.
  • the profile manager 130 may store management data or policy information received from the profile 150, if necessary, in the profile information storage module 132 described with reference to FIG. 2.
  • the profile manager 130 returns management data or policy information received from the profile 150 to the external companion device 500.
  • the management data and policy information of the profile can be obtained through the interworking protocol.
  • FIG. 11 is a flowchart illustrating an operation of changing a key of a profile manager according to an exemplary embodiment of the present invention.
  • FIG. 11 illustrates an embodiment of an interworking protocol when a key of the profile manager is changed.
  • the external companion device 500 may use a PUT KEY command to change a key managed by the profile manager 130.
  • the key managed by the profile manager 130 is a key used for secure messaging.
  • the external companion device 500 transmits new key data to be changed as a parameter of the PUT KEY command.
  • the external companion device 500 performs a process of mutual authentication through the key before changing with the profile manager 130 before calling the PUT KEY command for changing the key. If the authentication through the key before the change is normally performed and the parameter is valid, the profile manager 130 changes the key and returns the result to the external companion device 500.
  • FIG. 12 is a flowchart illustrating a profile management method according to an embodiment of the present invention.
  • the profile management method according to the present invention illustrated in FIG. 12 may be mainly performed by a subscriber authentication module installed in a terminal device, for example, an eUICC.
  • the profile management method according to the present invention may largely include installing one or more profiles (S1200) and managing installed one or more profiles (S1300).
  • one or more profiles may be distinguished by a unique identifier.
  • Managing the installed one or more profiles may include several detailed steps. Specifically, managing the one or more installed profiles includes registering a file to be installed (S1310), changing a profile state to active or inactive (S1321), deleting a requested profile (S1331), Changing the policy of the requested profile (S1341), changing the key of the requested profile manager (S1351), and providing information about the requested data (S1361).
  • Changing the profile state to active or inactive is performed when there is a profile state change request (S1320) previously, and deleting the requested profile (S1331) and previously deleting a profile (S1330) If it is present.
  • the policy rule is changed according to whether the profile policy change request is in accordance with the existing rule.
  • the step of changing the key of the profile manager (S1351) is performed only when a key change for the profile manager is requested (S1350).
  • Providing information on the requested data (S1361) is also performed only when there is a data inquiry request (S1360) for the data.
  • the profile management unit 130 looks at the interworking interface, that is, the command provided to exchange with the external companion device 150 for profile management.
  • Commands used for profile management according to the present invention can be summarized as follows.
  • General coding rules of the profile management command according to the present invention are in accordance with ISO / IEC 7816-4 and ETSI TS 102 221, Global Platform Specification, and in the present invention, the function and request parameters / data and response data of each command. Define for.
  • the SELECT command which is the first embodiment of the profile management command according to the present invention, is a command for the external companion device 100 to select the profile manager 130 and the profile 150.
  • File control information may be included as response data of the SELECT command, and the file control information may include an ID of the profile manager (or a profile), life cycle data, and the like.
  • the configuration of the request command and response command related to the SELECT command conforms to the global platform and the ETSI TS 102 221 standard.
  • the STORE DATA command which is a second embodiment of the profile management command according to the present invention, is a command for an external type device to issue or update management data and policy rules of the profile manager. If the length of data to be transmitted is large, it can be used by dividing into several STORE DATA commands.
  • TLV Tag Length Value
  • the configuration of the request and response commands related to the STORE DATA command follows the configuration of the STORE DATA command of the global platform.
  • the PUT KEY which is a third embodiment of the profile management command according to the present invention, is a command for issuing / adding / updating a key managed by the profile manager.
  • the PUT KEY command provides the ability to update an existing key or keys or add a new key or keys.
  • the configuration of the PUT KEY-related request command and response command may follow the configuration of the PUT KEY command of the global platform standard.
  • the GET DATA command which is a fourth embodiment of the profile management command according to the present invention, is used to import one data object or several data objects.
  • the GET DATA command supports the import of TLV data objects of the profile management data and policy data specified above.
  • the configuration of the request and response commands related to the GET DATA command may follow the configuration of the GET DATA command of the global platform.
  • the DELETE command which is a fifth embodiment of the profile management command according to the present invention, is used to delete an object such as a profile, a NAA of the profile, and a profile manager key.
  • the delete profile and profile related data (eg NAAs) command supports the TLV data object of the profile ID as the data field of the request command.
  • key-related data eg key version, key ID, etc.
  • object is supported as the value of the data field of the request command.
  • FIG. 13 illustrates an embodiment of a DELETE command configuration and related parameters.
  • the parameter configuration, data field, and response command configuration of the request command related to the DELETE command may follow the configuration of the DELETE command of the global platform standard.
  • the GET STATUS command which is a sixth embodiment of the profile management command according to the present invention, is used to obtain the life cycle status information of the profile manager and the profiles.
  • the GET STATUS command may set the type of the object (profile manager / profiles) to obtain status information with a reference control parameter (P1).
  • FIG. 14 illustrates one embodiment of a GET STATUS command and associated parameter configuration.
  • Search criteria can be set in the request command data field related to GET STATUS, and this value can support the application ID (tag '4F').
  • Command parameters, response data structures, etc. related to the GET STATUS command follow the configuration of the GET STATUS command of the global platform.
  • the SET STATUS command which is a seventh embodiment of the profile management command according to the present invention, is used to change the life cycle state of a profile.
  • the SET STATUS command can set Profile only / Profile and related application options as status type parameter P1, and the life cycle status of the profile, e.g. active, with status control parameter P2. You can set inactivity. You should be able to set the ID of the profile whose status you want to change with the data field of the request command.
  • 15 illustrates an embodiment of a SET STATUS command and associated parameter configuration.
  • the request command data fields and response data structures related to the SET STATUS command follow the configuration of the SET STATUS command of the global platform standard.
  • the INITIALIZE UPDATE command which is an eighth embodiment of the profile management command according to the present invention, is a command for transmitting session data between an eUICC and an external companion device during a secure channel initialization procedure.
  • INITIALIZE UPDATE Commands The configuration of request and response commands related to the INITIALIZE UPDATE command follows the configuration of the INITIALIZE UPDATE command of the Global Platform Specification.
  • the EXTERNAL AUTHENTICATE command which is a ninth embodiment of the profile management command according to the present invention, is a command used to authenticate an external interworking device during a secure channel initialization procedure and to determine a security level required for executing the next command. This command can be executed after the INITIALIZE UPDATE command is executed normally.
  • EXTERNAL AUTHENTICATE Command The configuration of request and response commands related to the command follows the configuration of the EXTERNAL AUTHENTICATE command of the global platform standard.
  • the profile management method according to the present invention including the above-described steps, operation sequences, and instructions may be implemented as computer-readable program code on a computer-readable recording medium.
  • Computer-readable recording media include all types of recording devices that store data that can be read by a computer system. For example, there are ROM, RAM, CD-ROM, DVD-ROM, Blu-ray, magnetic tape, floppy disk, optical data storage, and the like, and also include those implemented in the form of a carrier wave (eg, transmission over the Internet). .
  • the computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.
  • the functional program code for carrying out the technical idea of the present invention can be easily inferred by programmers in the technical field to which the present invention belongs.
  • the present invention provides a secure profile management method that allows the external interworking device and the internal module to query profile information on the eUICC and the profile related policy of the eUICC and change the policy rule.

Abstract

L'invention porte sur un procédé de gestion d'un profil par un module d'authentification d'abonné intégré dans un dispositif terminal et sur un dispositif d'authentification d'abonné l'utilisant. Le procédé de gestion d'un profil par un module d'authentification d'abonné intégré dans un dispositif terminal consiste à installer un ou plusieurs profils et à gérer le ou les profils installés. Selon la présente invention, étant donné qu'il est possible de concevoir et de développer un module de gestion de profil sans changement dans une plateforme UICC typique, il est possible de développer et de commercialiser des eUICC par un fabricant de cartes eUICC, un fabricant de terminaux et une compagnie d'écosystème.
PCT/KR2013/007433 2012-08-20 2013-08-19 Procédé de gestion de profil par module d'authentification d'abonné intégré dans un dispositif terminal, et dispositif d'authentification d'abonné l'utilisant WO2014030893A1 (fr)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
KR20120090949 2012-08-20
KR10-2012-0090949 2012-08-20
KR10-2012-0099435 2012-09-07
KR20120099435 2012-09-07
KR1020130057732A KR102116269B1 (ko) 2012-08-20 2013-05-22 단말 장치에 내장되어 설치되는 가입자 인증 모듈의 프로파일 관리 방법 및 이를 이용하는 가입자 인증 장치
KR10-2013-0057732 2013-05-22

Publications (1)

Publication Number Publication Date
WO2014030893A1 true WO2014030893A1 (fr) 2014-02-27

Family

ID=50150146

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2013/007433 WO2014030893A1 (fr) 2012-08-20 2013-08-19 Procédé de gestion de profil par module d'authentification d'abonné intégré dans un dispositif terminal, et dispositif d'authentification d'abonné l'utilisant

Country Status (1)

Country Link
WO (1) WO2014030893A1 (fr)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015127889A1 (fr) * 2014-02-28 2015-09-03 华为终端有限公司 Procédé et dispositif de gestion d'association de profils
WO2017079177A1 (fr) * 2015-11-02 2017-05-11 Apple Inc. Appareil et procédés de notification d'installation d'un module électronique d'identification d'abonné (esim)
CN108476399A (zh) * 2015-12-28 2018-08-31 三星电子株式会社 用于在通信系统中发送和接收简档的方法和装置
EP3422751A4 (fr) * 2016-03-21 2019-01-02 Samsung Electronics Co., Ltd. Dispositif électronique et procédé de commande pour dispositif électronique
EP3429243A4 (fr) * 2016-04-12 2019-02-20 Huawei Technologies Co., Ltd. Procédé et dispositif de gestion à distance
RU2701871C2 (ru) * 2014-11-14 2019-10-02 Обертюр Текноложи Карта euicc для хранения коротких номеров абонентским профилем для уведомления абонентского сервера управления
US11140200B1 (en) 2017-12-29 2021-10-05 Juniper Networks, Inc. Distributing a network policy using connectivity fault management

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060063360A (ko) * 2004-12-07 2006-06-12 에스케이 텔레콤주식회사 이동 단말기의 유심 카드 변경에 따른 단말 정보 업데이트방법 및 그 시스템
KR20100019235A (ko) * 2008-08-08 2010-02-18 에스케이 텔레콤주식회사 단말기와 스마트 카드 간 인터페이스 시스템 및 그 방법, 그리고 이에 적용되는 스마트 카드
US20110130117A1 (en) * 2009-12-01 2011-06-02 James Fan Service Models for Roaming Mobile Device
KR20120029466A (ko) * 2009-06-08 2012-03-26 퀄컴 인코포레이티드 사용자 프로파일에 기초하여 가상 sim 서비스 계약들을 스위칭하기 위한 방법 및 장치
WO2012076425A1 (fr) * 2010-12-06 2012-06-14 Gemalto Sa Procédé pour acheminer à distance un profil d'abonnement complet à un uicc sur ip

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060063360A (ko) * 2004-12-07 2006-06-12 에스케이 텔레콤주식회사 이동 단말기의 유심 카드 변경에 따른 단말 정보 업데이트방법 및 그 시스템
KR20100019235A (ko) * 2008-08-08 2010-02-18 에스케이 텔레콤주식회사 단말기와 스마트 카드 간 인터페이스 시스템 및 그 방법, 그리고 이에 적용되는 스마트 카드
KR20120029466A (ko) * 2009-06-08 2012-03-26 퀄컴 인코포레이티드 사용자 프로파일에 기초하여 가상 sim 서비스 계약들을 스위칭하기 위한 방법 및 장치
US20110130117A1 (en) * 2009-12-01 2011-06-02 James Fan Service Models for Roaming Mobile Device
WO2012076425A1 (fr) * 2010-12-06 2012-06-14 Gemalto Sa Procédé pour acheminer à distance un profil d'abonnement complet à un uicc sur ip

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015127889A1 (fr) * 2014-02-28 2015-09-03 华为终端有限公司 Procédé et dispositif de gestion d'association de profils
RU2701871C2 (ru) * 2014-11-14 2019-10-02 Обертюр Текноложи Карта euicc для хранения коротких номеров абонентским профилем для уведомления абонентского сервера управления
WO2017079177A1 (fr) * 2015-11-02 2017-05-11 Apple Inc. Appareil et procédés de notification d'installation d'un module électronique d'identification d'abonné (esim)
US10057760B2 (en) 2015-11-02 2018-08-21 Apple Inc. Apparatus and methods for Electronic Subscriber Identity Module (ESIM) installation notification
CN108476399A (zh) * 2015-12-28 2018-08-31 三星电子株式会社 用于在通信系统中发送和接收简档的方法和装置
US10893408B2 (en) 2015-12-28 2021-01-12 Samsung Electronics Co., Ltd. Method and apparatus for transmitting and receiving profile in communication system
CN108476399B (zh) * 2015-12-28 2022-04-26 三星电子株式会社 用于在通信系统中发送和接收简档的方法和装置
EP3422751A4 (fr) * 2016-03-21 2019-01-02 Samsung Electronics Co., Ltd. Dispositif électronique et procédé de commande pour dispositif électronique
US11134372B2 (en) 2016-03-21 2021-09-28 Samsung Electronics Co., Ltd. Downloading profiles corresponding to subscriber identification modules in electronic device
EP3429243A4 (fr) * 2016-04-12 2019-02-20 Huawei Technologies Co., Ltd. Procédé et dispositif de gestion à distance
EP3800909A1 (fr) * 2016-04-12 2021-04-07 Huawei Technologies Co., Ltd. Procédé et dispositif de gestion à distance
US11076295B2 (en) 2016-04-12 2021-07-27 Huawei Technologies Co., Ltd. Remote management method, and device
EP4304222A1 (fr) * 2016-04-12 2024-01-10 Huawei Technologies Co., Ltd. Procédé et dispositif de gestion à distance
US11140200B1 (en) 2017-12-29 2021-10-05 Juniper Networks, Inc. Distributing a network policy using connectivity fault management

Similar Documents

Publication Publication Date Title
WO2014030893A1 (fr) Procédé de gestion de profil par module d'authentification d'abonné intégré dans un dispositif terminal, et dispositif d'authentification d'abonné l'utilisant
WO2016024695A1 (fr) Procédé et appareil de téléchargement de profil de dispositifs de groupe
WO2016003200A1 (fr) Procédé et appareil pour l'installation de profil pour carte de circuit integre universelle incorporee
WO2016167536A1 (fr) Procédé et appareil de gestion d'un profil d'un terminal dans un système de communication sans fil
WO2016163796A1 (fr) Procédé et appareil de téléchargement d'un profil dans un système de communication sans fil
WO2016153303A1 (fr) Procédé et appareil permettant l'installation d'un profil de terminal dans un système de communication sans fil
WO2016043534A2 (fr) Procédé de fourniture de service réseau, et dispositif électronique
WO2016153281A1 (fr) Procédé et appareil de téléchargement de profil dans un système de communication sans fil
WO2014077544A1 (fr) Procédé de configuration d'un profil de module d'authentification de souscripteur intégré et installé dans un dispositif de terminal, et appareil l'utilisant
WO2016080595A1 (fr) Procédé pour fournir un service à numéros multiples
EP3284274A1 (fr) Procédé et appareil de gestion d'un profil d'un terminal dans un système de communication sans fil
WO2016153323A1 (fr) Procédé et dispositif permettant d'utiliser un service de communication mobile grâce à un changement de terminal dans un système de communication mobile
WO2020032445A1 (fr) Dispositif électronique, dispositif électronique externe et procédé de gestion de modules d'identité de souscripteur intégré de dispositif électronique externe
WO2015016627A1 (fr) Procédé et dispositif permettant de connecter un seul dispositif ap parmi de multiples dispositifs ap dans le même réseau sur un terminal
WO2021066569A1 (fr) Procédé et appareil permettant la réinstallation d'un profil de sim dans un système de communication sans fil
WO2016195199A1 (fr) Procédé de traitement de requête par un canal d'interrogation dans un système de communication sans fil et appareil associé
WO2020226466A1 (fr) Procédé et appareil pour gérer et vérifier un certificat
WO2020032353A1 (fr) Dispositif électronique, dispositif électronique externe et procédé de gestion d'une esim de dispositif électronique externe
WO2022108357A1 (fr) Procédé et appareil de gestion de profils par prise en compte d'une euicc amovible prenant en charge de multiples profils activés
WO2019139247A1 (fr) Dispositif électronique de gestion de module d'identification d'abonné intégré et procédé associé
WO2022031148A1 (fr) Procédé et appareil pour installer et gérer de multiples profils esim
WO2014171711A1 (fr) Procédé pour favoriser la politique de restriction des changements de prestataires de services pour l'abonné dans les communications mobiles et appareil associé
WO2021162386A1 (fr) Dispositif électronique, et procédé de traitement de règle de politique de profil (ppr) de module d'identification d'abonné intégré au moyen d'un dispositif électronique
WO2020171475A1 (fr) Procédé de changement de dispositif et appareil de système de communication sans fil
WO2016133369A1 (fr) Procédé et appareil pour recevoir un profil par un terminal dans un système de communication mobile

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13830451

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 16/07/2015)

122 Ep: pct application non-entry in european phase

Ref document number: 13830451

Country of ref document: EP

Kind code of ref document: A1