
WO2025196241A1 - Use of two or more esim profiles for storing and executing algorithms, cryptographic keys, and data - Google Patents


Info

Publication number
WO2025196241A1
Authority
WO
WIPO (PCT)
Prior art keywords
esim
esim profile
profile
profiles
algorithm
Prior art date
Legal status
Pending
Application number
PCT/EP2025/057732
Other languages
French (fr)
Inventor
Robert Kratz
Current Assignee
De Plasse Chun Hie
Shld X LLC
Original Assignee
De Plasse Chun Hie
Shld X LLC

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H04W12/047 Key management, e.g. using generic bootstrapping architecture [GBA], without using a trusted network node as an anchor
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04W12/10 Integrity
    • H04W12/108 Source integrity
    • H04W12/40 Security arrangements using identity modules
    • H04W12/43 Security arrangements using identity modules using shared identity modules, e.g. SIM sharing

Definitions

  • the present invention relates to a device for storing information, program code and applets on an eUICC, specifically for storing computer programs and cryptographic keys in a separate eSIM profile, comprising executing a password generator, and/or storing data or information in said eSIM profile.
  • a Secure Element is a high-security microprocessor chip designed to store and process sensitive data securely. These chips are found in a variety of devices and applications, from smartphones and payment cards to identity documents and IoT devices. When an SE is embedded within a chip, it is often referred to as an embedded Secure Element (eSE).
  • eSE embedded Secure Element
  • The primary function of a Secure Element is to protect digital keys and other confidential information. It is dedicated hardware, designed to resist various types of attacks, including physical tampering and software-based attacks. Unlike software-based security solutions, which run on the main processor of a device and can be vulnerable to malware and hacking, a Secure Element offers an isolated environment that physically and logically separates sensitive data and operations from other parts of the system.
  • One of the key features of a Secure Element is its ability to securely manage cryptographic keys. It can generate, store, and manage cryptographic keys used for various security functions, such as encryption, digital signatures, and authentication. These keys are protected within the SE’s secure environment and are inaccessible to external processes or users.
  • a Secure Element provides several benefits. First, it significantly enhances the security of stored data and executed operations, as it is more resistant to both physical and software-based attacks. Second, it enables secure authentication and transaction processing, which is especially important for applications in finance, mobile payments, and digital identity verification. Third, it aids in complying with data privacy and security regulations, providing a robust solution for data security.
  • the Secure Element provides an essential security component for connected devices. As IoT devices increasingly collect and transmit sensitive data, it is crucial to protect that data.
  • a Secure Element can serve as a trusted anchor to ensure the integrity and confidentiality of transmitted information.
  • a Secure Element as referenced in this invention, can be viewed as a standalone microcomputer, equipped with its own processor and memory. It offers an isolated, secure environment, physically and logically separated from other components of the host device (such as a smartphone or payment card).
  • eSIM embedded SIM
  • the eSIM is soldered into the device and provides the same functionality as a traditional SIM card. This integration allows devices to be smaller and more resistant to environmental factors, as there is no need for additional slots or holders for SIM cards.
  • eSIM profiles are configurable profiles stored on an eSIM. Each profile contains the necessary information for authentication and service provisioning of a mobile network operator, similar to a traditional SIM card.
  • the main advantage of eSIM profiles is that they can be remotely activated, deactivated, or exchanged over the internet and/or mobile network, eliminating the need to physically swap SIM cards. This allows users to switch easily between mobile operators or activate additional data plans without replacing the physical SIM card.
  • the eSIM resides on a chip, fundamentally functioning as a Secure Element and referred to as an embedded Universal Integrated Circuit Card (eUICC).
  • eUICC embedded Universal Integrated Circuit Card
  • the eUICC inherently provides the same level of security as a Secure Element, ensuring that eSIM data retains its integrity and that communication with the mobile network is secure. This is critical for functions such as authentication within the mobile network.
  • SE, eSE, and eUICC are used interchangeably to refer to the core function of securely storing data and algorithms in either a general (SE, eSE) or specialized (eUICC) form.
  • a key issue is that an eSE is typically controlled by the manufacturer. Although an eSE is generally capable of storing all necessary programs and information, the manufacturer predefines which functions are available.
  • the objective of the present invention is to enable the user to locally store and encrypt data in a hardware-encrypted manner.
  • a device comprising: a. a processor module configured to execute operating system software and application software; b. a memory module coupled to the processor module, configured to store data and software applications; c. an embedded Universal Integrated Circuit Card (eUICC) configured to store a plurality of embedded Subscriber Identity Module (eSIM) profiles; d. a communication interface coupled to the processor module, configured to support wireless and/or wired data transmission via multiple communication protocols; and e. a power supply mechanism configured to provide electrical power to the device; wherein
  • eSIM embedded Subscriber Identity Module
  • a first eSIM profile is configured to store authentication credentials associated with a Mobile Network Operator (MNO);
  • at least one additional eSIM profile is configured to integrate program code that includes an algorithm for signing data using a private key; and/or
  • OTP one-time passwords
  • includes an algorithm for generating and processing rolling codes
  • At least one additional eSIM profile is configured to provide a Supplementary Secure Domain (SSD), wherein program code is executed at least partially within one or more applets stored in the SSD wherein
  • SSD Supplementary Secure Domain
  • the one or more applets executed within the SSD comprise at least one of:
  • the processor module is responsible for executing both the operating system and application software. This allows the device to handle system operations and application tasks, providing a flexible platform for running various functionalities. It is advantageous as it ensures the device can support a range of use cases without requiring external computing resources.
  • an eSIM profile may have additional functionality that is completely separate from storing telephone credentials for connecting to a mobile network.
  • An eSIM profile may be used either directly or by providing an SSD for executing program code and storing secure information such as personal credentials, private keys, etc.
  • the memory module stores data and software applications. By coupling the memory to the processor, it ensures quick access to data and efficient processing. This feature is crucial for optimizing the performance of the device, allowing for smooth operation and real-time data handling.
  • the eUICC stores multiple eSIM profiles, providing flexibility in managing multiple network profiles on a single device. This is particularly advantageous for users who may need to switch between different mobile network operators (MNOs) or for managing different secure functions in distinct profiles.
  • the communication interface supports both wired and wireless data transmission across multiple protocols. This versatility ensures that the device can connect to various types of networks and devices, making it highly adaptable in different environments. The advantage is that it allows seamless communication regardless of the connection type.
  • the power supply mechanism ensures that the device receives sufficient electrical power to operate. It is essential for maintaining consistent performance, particularly for devices that may require prolonged operation without external power sources, ensuring reliability.
  • the eUICC stores at least two eSIM profiles, with flexibility to store more. This setup enables the device to switch between different MNOs or network services and the functionalities provided by the eSIM profiles according to the present invention.
  • the first eSIM profile stores authentication credentials for a Mobile Network Operator (MNO), ensuring secure access to mobile services. This is essential for maintaining privacy and security when connecting to a mobile network and the additional eSIM profile integrates program code for secure functions such as data signing, OTP generation, and rolling codes.
  • MNO Mobile Network Operator
  • This additional eSIM profile can also store secure data, offering enhanced security for sensitive information. It allows the device to perform advanced cryptographic operations without relying on external systems, providing an additional layer of security.
  • a Supplementary Secure Domain (SSD) in the additional eSIM profile may be activated and made accessible.
  • the SSD within the eSIM profile allows secure execution of applets. This enables the device to run sensitive operations, such as cryptographic algorithms and secure data storage, directly within the SSD of the eSIM profile. It is beneficial as it reduces the risk of data breaches by keeping sensitive operations within a trusted secure domain.
  • the applets executed within the SSD can include algorithms for signing data, generating OTPs, processing rolling codes, or managing secure data storage. This feature is advantageous as it provides a high level of security by ensuring these operations are carried out within a secure and isolated environment, preventing unauthorized access.
  • the integrated program code and/or an applet comprises an algorithm to generate public-/private keypairs, in particular algorithms comprising deriving a public-/private keypair performing the steps of hierarchical deterministic key derivation to generate a subordinate private key based on a master keypair.
  • Hierarchical deterministic key derivation allows for the generation of a set of related private and public keys from a single master keypair, which is the root key. This is done by applying a specific key derivation process where each new key is derived from the master keypair in a structured, predictable way.
  • This embodiment may specifically refer to BIP 32 (Bitcoin Improvement Proposal 32), which defines the concept of hierarchical deterministic wallets, but is not limited to it.
  • In BIP 32, a root seed phrase is used to generate a master private key, from which child private keys are derived in a hierarchical structure. These child keys can be used for various purposes, such as signing transactions or encrypting data, and the entire structure is deterministic, meaning the same seed phrase always produces the same set of keys.
  • BIP 39 is relevant here as it defines the seed phrase used to derive the master keypair, and BIP 44 standardizes the derivation path to allow for different cryptocurrencies or applications to be supported in a single wallet.
  • the root key or master keypair is derived from a “seed phrase,” a human-readable series of words (often 12 or 24 words) generated using a secure random process.
  • This seed phrase serves as a backup, allowing the restoration of the entire key hierarchy. This mechanism is widely adopted in cryptocurrency wallets for generating and recovering a wallet’s keys.
  • the general advantage of using hierarchical deterministic key derivation is that it simplifies key management. Instead of having to store or back up each key individually, the entire key hierarchy can be reconstructed from the single seed phrase. This enhances security and user convenience, especially for applications requiring secure, multiple keys or profiles, such as cryptocurrency wallets or secure multi-factor authentication systems.
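The hierarchical deterministic derivation described above, as an added example that is not part of the patent or any product of the applicant: it implements the BIP 32 master-key step (HMAC-SHA512 keyed with "Bitcoin seed") and hardened child derivation, which needs only HMAC and modular arithmetic and so is the part a small applet could carry without an elliptic-curve library. Non-hardened derivation, which additionally requires secp256k1 point arithmetic, is deliberately left out; the path syntax and function names are this example's own assumptions.

```python
import hashlib
import hmac
from typing import Tuple

# Order of the secp256k1 group; derived scalars are reduced modulo this value (BIP 32).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED_OFFSET = 0x80000000


def master_key_from_seed(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP 32 master key: I = HMAC-SHA512(key=b"Bitcoin seed", data=seed).

    The left half is the master private key, the right half the master chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    key_int = int.from_bytes(key, "big")
    if key_int == 0 or key_int >= SECP256K1_N:
        raise ValueError("seed yields an invalid master key; BIP 32 says use another seed")
    return key, chain_code


def derive_hardened_child(k_par: bytes, c_par: bytes, index: int) -> Tuple[bytes, bytes]:
    """Hardened child: I = HMAC-SHA512(c_par, 0x00 || k_par || ser32(index + 2^31)).

    Hardened derivation keys the HMAC with the parent *private* key, so a leaked
    child key plus chain code cannot be used to walk back up to the parent."""
    if not 0 <= index < HARDENED_OFFSET:
        raise ValueError("index must be in [0, 2^31)")
    data = b"\x00" + k_par + (index + HARDENED_OFFSET).to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il_int = int.from_bytes(digest[:32], "big")
    if il_int >= SECP256K1_N:
        raise ValueError("invalid child; BIP 32 says skip to the next index")
    k_child_int = (il_int + int.from_bytes(k_par, "big")) % SECP256K1_N
    if k_child_int == 0:
        raise ValueError("invalid child; BIP 32 says skip to the next index")
    return k_child_int.to_bytes(32, "big"), digest[32:]


def derive_path(seed: bytes, path: str) -> Tuple[bytes, bytes]:
    """Derive along a hardened-only path such as "m/44'/0'/0'" (also accepts h/H suffixes)."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    key, chain_code = master_key_from_seed(seed)
    for part in parts[1:]:
        if not part.endswith(("'", "h", "H")):
            raise ValueError("only hardened components are supported in this example")
        key, chain_code = derive_hardened_child(key, chain_code, int(part[:-1]))
    return key, chain_code


if __name__ == "__main__":
    # BIP 32 test vector 1 seed (public test data, not a real secret).
    demo_seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    k, c = derive_path(demo_seed, "m/44'/0'/0'")
    print("child key:", k.hex())
    print("chain code:", c.hex())
```

The seed itself is the only thing that must be backed up; every key the applet ever derives is a pure function of it and the path, which is the key-management simplification the passage describes.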
  • At least two eSIM profiles are enabled at the same time, wherein the first eSIM profile is activated and is preferably configured and adapted to establish a connection to a Mobile Network Operator (MNO), and the second eSIM profile is activated and comprises program code and/or provides a Supplementary Secure Domain (SSD) comprising applets, wherein an application of the mobile phone can communicate and interact with the program code and/or applets of the second eSIM profile.
  • the device is configured to allow the simultaneous activation of at least two eSIM profiles.
  • the first eSIM profile is responsible for establishing a connection to a Mobile Network Operator (MNO).
  • This profile contains the standard telephony credentials and communication settings necessary for connecting to the network, enabling typical cellular services such as voice calls, text messages, and mobile data.
  • the second eSIM profile serves a different purpose. While it is activated concurrently with the first eSIM profile, its primary function is not to connect to the mobile network. Instead, it is configured to store program code or provide a Supplementary Secure Domain (SSD) that contains one or more applets. These applets may perform a variety of functions, such as cryptographic operations, secure data storage, or authentication services. Applications running on the mobile device can interact with the second eSIM profile’s program code or applets, thereby leveraging its functionality for tasks such as signing transactions, generating one-time passwords (OTPs), or storing sensitive information securely.
  • the second eSIM profile preferably provides a Supplementary Secure Domain (SSD), which is a dedicated, isolated environment for executing sensitive operations such as cryptographic algorithms or secure data storage.
  • By separating these secure operations from the primary mobile network functionalities, the device ensures that sensitive data, such as private keys, OTPs, or blockchain signing credentials, is securely isolated from potential network-related threats.
  • Enabling at least two eSIM profiles simultaneously offers a high degree of flexibility and multi-functionality.
  • the first eSIM profile allows the device to maintain its connection to the mobile network (MNO), ensuring uninterrupted cellular service.
  • the second eSIM profile can execute specific, high-security functions without compromising the mobile network connection.
  • This dual-function capability is particularly beneficial for devices that require both connectivity and secure, cryptographic operations, such as for mobile banking, secure authentication, or digital wallets. The device can perform these tasks simultaneously without the need to switch profiles or connections, thus providing a seamless user experience.
  • the second eSIM profile does not comprise telephone credentials.
  • the integrated program code in the second eSIM profile or another eSIM profile and/or an applet stored in an SSD provided by an eSIM profile or another eSIM profile comprises an algorithm configured and adapted as a signing algorithm for a blockchain transaction.
  • the device is configured and adapted such that a program stored outside the eUICC on the memory module sends a blockchain transaction to be signed to the second eSIM profile via an interface, and the transaction is signed using the private key stored on the eUICC in the eSIM profile, after which the signed transaction is sent back to the external program.
  • a blockchain transaction typically involves seven steps:
  • the user initiates a transaction in the wallet by entering the recipient’s address, the amount to be transferred, and, if applicable, the transaction fee.
  • After the transaction details are entered, the wallet generates a digital signature. This is done using the user’s private key. The signature guarantees that the transaction was authorized by the legitimate owner of the wallet and that the transaction details have not been tampered with.
  • the signed transaction is then sent from the wallet to the blockchain network, typically through a network node or blockchain service provider.
  • the transaction is received and validated by nodes in the blockchain network. This verification involves confirming the validity of the digital signature and ensuring that the sender has sufficient funds to complete the transaction.
  • Block formation: after verification, the transaction is added to a block along with other transactions. Miners or validators, depending on the consensus mechanism of the blockchain, work to validate the block and add it to the blockchain.
  • the solution according to the present invention is capable of replacing “cold wallets” with a solution within the eSIM profile having the same security level, in particular in the case where no telephone credentials are included in the second eSIM profile and there is no remote access possibility.
  • the integrated program code in the second eSIM profile or another eSIM profile and/or an applet stored in an SSD provided by an eSIM profile or another eSIM profile comprises an algorithm configured and adapted as a One-Time Password (OTP) generator algorithm in the form of an applet stored on the SSD and/or integrated in the additional eSIM profile(s), wherein the OTP operates on a time-based (TOTP) or event-based (HOTP) basis.
  • the present invention provides an eSIM profile or another eSIM profile with an integrated Supplementary Secure Domain (SSD), wherein the SSD comprises an algorithm configured as a One-Time Password (OTP) generator.
  • the OTP generator is implemented in the form of an applet stored on the SSD and/or integrated into one or more additional eSIM profiles.
  • the OTP is generated either on a time-based (TOTP) or event-based (HOTP) basis, in accordance with the established standards for OTP generation, such as those outlined in the RFC 6238 (for TOTP) and RFC 4226 (for HOTP).
  • TOTP time-based
  • HOTP event-based
  • the second eSIM profile or another eSIM profile is configured and adapted to store a representation of a digital ID.
  • Storing a digital ID or a representation of a digital ID within the eSIM profile offers several key advantages that can enhance security, facilitate access control, and support the seamless integration of blockchain and other advanced authentication mechanisms.
  • the digital ID can be stored in a protected and tamper-resistant manner, offering a higher level of security compared to traditional storage methods.
  • the eSIM provides a secure element that is resistant to tampering and unauthorized access. Storing the digital ID on the eSIM ensures that it is protected by hardware-based security features, such as secure storage, encryption, and access controls. This makes it significantly harder for attackers to extract or modify the digital ID, ensuring the integrity and confidentiality of user data.
  • the digital ID stored on the eSIM can be used for strong, two-factor authentication (2FA) or multi-factor authentication (MFA). This can include access to mobile apps, banking services, and other secure platforms, providing a frictionless user experience while maintaining a high level of security.
  • 2FA two-factor authentication
  • MFA multi-factor authentication
  • the digital ID stored on the eSIM can facilitate secure, privacy-preserving authentication within blockchain-based ecosystems.
  • the eSIM can act as a trusted hardware wallet for the digital ID, allowing for secure signing of blockchain transactions.
  • the digital ID can also be used for issuing, verifying, and managing credentials in a decentralized manner, ensuring that the user has control over their own identity while reducing the risk of identity theft or misuse.
  • the digital ID can be used to sign smart contracts or transactions securely.
  • the eSIM can store cryptographic keys or certificates that are used for signing transactions, thus ensuring that only the legitimate user can authorize critical actions.
  • the ability to store private keys securely on the eSIM enables trusted execution of blockchain-based contracts, reducing the risk of unauthorized or malicious actions on decentralized networks.
  • a program executed by the processor module communicates with the second eSIM profile and/or an additional eSIM profile(s) via an interface to send data to and/or receive data from the eSIM profile(s).
  • a list of eSIM profiles stored in the eUICC is maintained by a program stored on the memory module, in particular including the interfaces of the program code and/or applets of said eSIM profiles, so that applications stored on the memory module can be routed to the correct eSIM profile for communication and data exchange.
  • the present invention provides a system for managing and interacting with multiple eSIM profiles stored on a device, such as an eUICC, enabling seamless and efficient communication with various network and service providers.
  • the system includes a program executed by a processor module that communicates with one or more eSIM profiles via an interface to send and receive data, ensuring that the appropriate profile is selected based on the task or service being requested.
  • This dynamic management of eSIM profiles allows the device to optimize its functionality by automatically choosing the most suitable profile for a given operation, such as network connectivity, authentication, secure transaction signing or other functions provided by one or more of the eSIM profiles.
  • Requests are not automatically directed to the right eSIM profile with the expected interface. Without such an algorithm, such requests are simply not answered, or are answered at random.
  • the device according to the present invention is designed to sequentially address multiple eSIM profiles until a response is obtained from one of the profiles, ensuring robust and uninterrupted service. If one profile is unavailable or unresponsive, the system automatically proceeds to the next profile.
  • the system maintains a list of the eSIM profiles stored in the eUICC and their respective interfaces, which is managed by a program stored on the memory module.
  • This list includes the interfaces, program codes, and applets of the eSIM profiles, enabling applications stored on the device to automatically route to the correct profile for communication and data exchange.
  • the system enhances security and efficiency, particularly in cases requiring secure operations such as OTP generation or cryptographic transactions. Furthermore, this automated routing eliminates the need for manual selection of profiles by the user, making the device more user-friendly and optimizing resource usage.
  • the device described in this invention enables the dynamic, efficient, and secure management of multiple eSIM profiles, improving device performance and user experience.
  • the invention enhances connectivity, security, and service continuity. This solution provides a significant advancement over conventional methods, offering greater flexibility and optimized operation for devices utilizing eSIM technology.
  • each eSIM profile is assigned an eSIM profile key or certificate issued from a master key or master certificate.
  • each program is assigned a program key or certificate issued from said master key or master certificate in order to be allowed to interact with the program code of said eSIM profile or with applets saved in the SSD of said eSIM profile.
  • The requirement that each eSIM profile is assigned a unique eSIM profile key or certificate, and that each program is assigned a program key or certificate issued from a master key or master certificate, is crucial for ensuring secure and controlled access to the eSIM profiles and their associated program code or applets, particularly those stored in the Secure Storage Domain (SSD) of the eSIM profile.
  • SSD Secure Storage Domain
  • the SSD of an eSIM profile may store sensitive data, such as cryptographic keys, user authentication credentials, or even application logic that directly interacts with mobile network operations. Ensuring that only specific, authorized programs can access this sensitive data protects it from being exposed to malicious apps or unauthorized parties. For example, in the context of secure transactions (e.g., OTP generation or digital signatures), improper access to the SSD could lead to vulnerabilities or unauthorized actions, such as transaction tampering or key theft.
  • the proposed system ensures that only programs with the proper credentials are granted access to such sensitive functionality, mitigating these risks.
  • the invention allows for fine-grained control over which programs can interact with which eSIM profiles and their associated applets. This flexibility is particularly useful in multi-tenant environments or scenarios where different apps, services, or network providers need specific access to certain eSIM profiles or applets. For instance, a banking app might need to interact with a secure eSIM profile for generating OTPs, while a messaging app may need to interact with a different eSIM profile for establishing network connectivity. By controlling access through unique keys or certificates, the system ensures that each app is only allowed to access the parts of the eSIM profile that it is authorized to interact with.
  • the key-based access control approach is compatible with existing public key infrastructure (PKI) and certificate-based security protocols, making it easy to integrate with widely adopted security standards and solutions.
  • PKI public key infrastructure
  • the use of certificates and keys ensures that the system is interoperable with other security frameworks, making it a flexible and future-proof solution.
  • By assigning specific keys or certificates to each eSIM profile and program, the system provides efficient authorization of access requests, ensuring that only authorized programs can interact with specific eSIM profiles and their SSDs. This also makes it easier to implement auditing and logging mechanisms to track access and identify potential security threats.
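The profile list, sequential addressing and key-based authorization described in the preceding passages (the routing program on the memory module, and the per-program keys issued from a master key), as one added example that is not part of the patent or any product of the applicant. Certificates are stood in for by HMAC keys derived from a constructed master secret and bound to the program's allowed interfaces, so a tampered scope fails verification; the profile names, interface names, handler signatures and the signing stub are this example's own assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed master secret; stands in for the master key/certificate of the page.
MASTER_KEY = b"constructed-master-key-for-this-example"


def issue_program_key(master_key: bytes, program_id: str, allowed_interfaces: List[str]) -> bytes:
    """Per-program key derived from the master key and bound to the program's allowed interfaces.

    A simplification of a certificate issued from a master certificate: the scope is
    part of the keyed data, so widening the scope invalidates the key."""
    scope = program_id + "|" + ",".join(sorted(allowed_interfaces))
    return hmac.new(master_key, scope.encode(), hashlib.sha256).digest()


@dataclass
class ProgramCredential:
    program_id: str
    allowed_interfaces: List[str]
    key: bytes


def authorize(master_key: bytes, cred: ProgramCredential, interface: str) -> bool:
    """Recompute the key for the presented scope; a wrong key or tampered scope fails closed."""
    expected = issue_program_key(master_key, cred.program_id, cred.allowed_interfaces)
    return hmac.compare_digest(expected, cred.key) and interface in cred.allowed_interfaces


@dataclass
class EsimProfile:
    name: str
    has_telephony_credentials: bool
    handlers: Dict[str, Callable[[bytes], bytes]] = field(default_factory=dict)


class ProfileRegistry:
    """List of eSIM profiles and their interfaces, kept by a program on the memory module."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.profiles: List[EsimProfile] = []
        self.audit_log: List[str] = []

    def register(self, profile: EsimProfile) -> None:
        self.profiles.append(profile)

    def dispatch(self, cred: ProgramCredential, interface: str, payload: bytes) -> Tuple[str, bytes]:
        if not authorize(self.master_key, cred, interface):
            self.audit_log.append(f"DENY {cred.program_id} -> {interface}")
            raise PermissionError(f"{cred.program_id} is not authorized for {interface}")
        # Sequential addressing: try each profile exposing the interface until one answers.
        for profile in self.profiles:
            handler = profile.handlers.get(interface)
            if handler is None:
                continue
            try:
                response = handler(payload)
            except RuntimeError as exc:              # profile unavailable or unresponsive
                self.audit_log.append(f"SKIP {profile.name}: {exc}")
                continue
            self.audit_log.append(f"ALLOW {cred.program_id} -> {profile.name}.{interface}")
            return profile.name, response
        self.audit_log.append(f"NOANSWER {cred.program_id} -> {interface}")
        raise LookupError(f"no eSIM profile answered {interface}")


def build_demo_registry() -> ProfileRegistry:
    """Constructed set-up: an MNO profile, a disabled vault profile, and a vault profile without telephony."""
    def unavailable(_payload: bytes) -> bytes:
        raise RuntimeError("profile disabled")

    def sign_stub(payload: bytes) -> bytes:
        # Stand-in for the signing applet in the SSD; a real applet would sign with the stored private key.
        return hashlib.sha256(b"vault-signature|" + payload).digest()

    registry = ProfileRegistry(MASTER_KEY)
    registry.register(EsimProfile("mno", True, {"network.attach": lambda p: b"attached:" + p}))
    registry.register(EsimProfile("disabled-vault", False, {"sign": unavailable}))
    registry.register(EsimProfile("vault", False, {"sign": sign_stub,
                                                   "otp.generate": lambda p: b"otp-for:" + p}))
    return registry


def issue_credential(program_id: str, allowed_interfaces: List[str]) -> ProgramCredential:
    """Enrolment step: the master-key holder issues a scoped credential to a program."""
    return ProgramCredential(program_id, allowed_interfaces,
                             issue_program_key(MASTER_KEY, program_id, allowed_interfaces))
```

Each dispatch writes one audit line (ALLOW, DENY, SKIP or NOANSWER), which is the logging hook the passage mentions; a banking program enrolled for `sign` is routed past the disabled profile to the vault, while a program enrolled only for `network.attach` is refused before any profile is addressed.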
  • the present invention provides a surprising insight in that an eSIM profile can be used, preferably without telephone credentials, as a secure vault, or alternatively, a further eSIM profile containing telephone credentials can be used as a secure vault.
  • This configuration effectively decouples functionalities from the specific Mobile Network Operator (MNO) provider associated with the user, enabling both Business-to-Business (B2B) and personal use cases that are independent of a specific MNO contract.
  • the invention discloses particularly useful scenarios and provides technical solutions for managing and utilizing multiple active eSIM profiles simultaneously. Until now, skilled persons have not considered this possibility, and there has been no prior art showing such use cases or methods for operating multiple active eSIM profiles concurrently.
  • the device may be, for example, a smartphone, a smartwatch, a tablet, a sensor, or another IoT device equipped with an eUICC capable of storing eSIM profiles.
  • the invention provides a method for operating a device, in particular a device according to one of the preceding claims, comprising:
  • the method comprises the steps of: storing at least two eSIM profiles on the eUICC, storing authentication credentials associated with a Mobile Network Operator (MNO) in a first eSIM profile, integrating program code in at least one additional eSIM profile (7) to enable the execution of algorithms and/or providing a Supplementary Secure Domain (SSD) by at least one additional eSIM profile (7), wherein program code is executed at least partially within one or more applets stored in the SSD; the program code and/or the applets comprising:
  • OTP one-time passwords
  • At least two eSIM profiles are enabled simultaneously, wherein the first eSIM profile is configured to establish a connection with an MNO, and the second eSIM profile has integrated program code and/or is configured to provide a Supplementary Secure Domain (SSD) and enable communication between an external application and the program code or applets in the SSD.
  • SSD Supplementary Secure Domain
  • the second eSIM profile does not include telephone credentials, but is configured solely for program code execution and/or providing an SSD.
  • It can be preferred to address the second eSIM profile and/or additional eSIM profiles via a program executed by the processor module to send and receive data through an interface.
  • the present invention will be explained in more detail below with reference to an exemplary embodiment. It may be provided that the eSIM profile is designed and configured to store a signing algorithm for a blockchain transaction and/or the eSIM profile is designed and configured to generate a private key for a blockchain.
  • an aspect of the invention includes the generation of a private/public key pair, wherein a skilled person, within the meaning of the present invention, reads the public key whenever necessary.
  • the generated private keys are displayed to the user during or immediately after generation via an output device of the apparatus, such as a display of the device, using a wallet application, but are not stored outside of the eSIM profile or the eUICC.
  • the private key is entered by the user via an input device and sent directly to the eSIM profile by the wallet application without being stored, where it is then saved.
  • a seed phrase, also known as a “recovery phrase” or “mnemonic phrase,” is a series of words that serve as a master key to restore access to a cryptocurrency wallet. This seed phrase is typically generated during the initial setup of a wallet and is crucial for the security and recovery of the wallet.
  • the seed phrase consists of 12, 18, or 24 randomly generated words, which provide a user-friendly representation of a complex secret key.
  • the private key is derived.
  • the process of generating multiple private keys for different blockchains from a single seed phrase is known as a hierarchical deterministic (HD) wallet.
  • HD hierarchical deterministic
  • a tree structure of keys is derived from the original seed phrase. This process follows a standard known as BIP32 (Bitcoin Improvement Proposal 32).
  • BIP32 Bitcoin Improvement Proposal 32
  • Each derived key can be used for a different blockchain or for a different account purpose, with each key being unique and having its own address on the respective blockchain.
  • This method allows users to generate a variety of addresses and private keys for different cryptocurrencies from a single seed phrase. This significantly simplifies the management of various cryptocurrency wallets, as users only need to secure one seed phrase instead of memorizing multiple private keys.
  • seed phrase is broadly understood to mean that multiple private keys can be generated in the context of an HD wallet.
  • the seed phrase upon generation, must be displayable on an output device, such as the display of the apparatus, and/or transferable to another data processing device.
  • the private key and/or seed phrase is only stored in temporary storage, such as the device’s RAM, so that it remains permanently retrievable only in the secure element. By displaying it on an output device, such as the device’s display, the user can secure the individual words of the seed phrase or the numbers of the private key elsewhere, such as by writing them down manually.
  • a representation of a digital ID is stored on the eSIM, so that the private key can be uniquely linked to the digital ID.
  • a distribution plan is created, which stores fragments of the private key on various external storage modules, and the fragments can be combined by the user using a password, allowing the private key to be displayed.
  • Fig. 1 a structural overview of an eUICC
  • Fig. 2 a structural overview of a mobile device and its connections to networks
  • Fig. 3 a more detailed overview of a mobile device according to one example of the present invention.
  • Fig. 4 a flow diagram of a method according to the present invention.
  • FIG. 1 illustrates an eUICC 1 that contains a set of general management functions 3, which handle tasks such as access rights and profile management.
  • Two distinct eSIM profiles 5, 7 are stored within the eUICC.
  • the first profile 5 contains network credentials 11 required to establish a connection to a mobile network.
  • This non-telco profile 7 provides a supplementary security domain (SSD) 13, within which applets 17 are stored.
  • SSD supplementary security domain
  • the first eSIM profile 5 may also offer a supplementary security domain (SSD) 15, although in the illustrated example, this functionality is not activated.
  • Figure 2 demonstrates the data flow as per the invention.
  • Data originating from a server 20, a personal computer 22, or another device 24 is processed by an application.
  • Critical data and program code are stored securely within the eUICC 1, as detailed in Figure 1, rather than relying solely on the secure element managed by the OEM manufacturer of the device.
  • third-party access to hardware-based security is enabled for the first time on devices equipped with an eUICC, by utilizing eSIM profiles. This opens up significant possibilities for accessing secure hardware in a device without needing control or permission from the OEM, allowing third-party applications or services to benefit from hardware-level security without requiring separate secure elements.
  • FIG. 3 shows an example of a device 30 according to the invention having a processor module 32 configured to execute operating system software and application software, a memory module 34 coupled to the processor module, configured to store data and software applications, an embedded Universal Integrated Circuit Card (eUICC) 36 configured to store a plurality of embedded Subscriber Identity Module (eSIM) profiles, a communication interface 40 coupled to the processor module, configured to support wireless and/or wired data transmission via multiple communication protocols; and a power supply mechanism 42 configured to provide electrical power to the device.
  • the device itself may communicate with a mobile network 50.
  • Figure 4 shows a flow diagram of a method according to the present invention comprising providing a first eSIM profile 5 and a second eSIM profile 7 on an eUICC in a step 100.
  • a step 110 providing authentication credentials in the first eSIM profile 5 for establishing a connection with an MNO and in a step 120 integrating program code in the second eSIM profile 7 for executing algorithms and managing secure data.
  • a step 130 executing program code within applets stored in the SSD of the second eSIM profile 7, followed by communicating with the second eSIM profile 7 via an external application or program, e.g. app 26 from figure 2.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a device and a method for operating a device with an embedded Universal Integrated Circuit Card (eUICC) storing multiple eSIM profiles. These profiles include a first eSIM for Mobile Network Operator (MNO) authentication and additional profiles that execute secure program code for tasks such as data signing, OTP generation, and blockchain transactions. The method enables communication between external programs and the eSIM profiles, supports hierarchical key derivation, and assigns keys or certificates to ensure secure interactions with program code or applets stored in a Supplementary Secure Domain (SSD). The profiles are sequentially addressed until the correct response is received.

Description

Kratz / de Plasse / SHLD-X May 20, 2025 KDP200023WO
Use of Two or More eSIM Profiles for Storing and Executing Algorithms, Cryptographic Keys, and Data
[0001] The present invention relates to a device for storing information, program code and applets on an eUICC, specifically for storing computer programs and cryptographic keys in a separate eSIM profile, comprising executing a password generator, and/or storing data or information in said eSIM profile.
[0002] A Secure Element (SE) is a high-security microprocessor chip designed to store and process sensitive data securely. These chips are found in a variety of devices and applications, from smartphones and payment cards to identity documents and IoT devices. When an SE is embedded within a chip, it is often referred to as an embedded Secure Element (eSE).
[0003] The primary function of a Secure Element is to protect digital keys and other confidential information. It is dedicated hardware, designed to resist various types of attacks, including physical tampering and software-based attacks. Unlike software-based security solutions, which run on the main processor of a device and can be vulnerable to malware and hacking, a Secure Element offers an isolated environment that physically and logically separates sensitive data and operations from other parts of the system.
[0004] One of the key features of a Secure Element is its ability to securely manage cryptographic keys. It can generate, store, and manage cryptographic keys used for various security functions, such as encryption, digital signatures, and authentication. These keys are protected within the SE’s secure environment and are inaccessible to external processes or users.
[0005] Communication between the Secure Element and the rest of the system is conducted through carefully defined and secure interfaces. The SE ensures that only authorized applications and processes can access its services and stored data, typically enforced through strict authentication protocols and access control mechanisms.
[0006] Another advantage of the Secure Element is its resilience to physical attacks. These chips are often designed to detect and respond to tampering attempts, such as erasing stored keys or disabling the chip to protect the data.
[0007] The use of a Secure Element provides several benefits. First, it significantly enhances the security of stored data and executed operations, as it is more resistant to both physical and software-based attacks. Second, it enables secure authentication and transaction processing, which is especially important for applications in finance, mobile payments, and digital identity verification. Third, it aids in complying with data privacy and security regulations, providing a robust solution for data security.
[0008] In the context of the Internet of Things (IoT), the Secure Element provides an essential security component for connected devices. As IoT devices increasingly collect and transmit sensitive data, it is crucial to protect that data. A Secure Element can serve as a trusted anchor to ensure the integrity and confidentiality of transmitted information.
[0009] A Secure Element, as referenced in this invention, can be viewed as a standalone microcomputer, equipped with its own processor and memory. It offers an isolated, secure environment, physically and logically separated from other components of the host device (such as a smartphone or payment card).
[0010] An eSIM (embedded SIM) is a SIM card embedded into a device. Unlike a physical SIM card, which must be manually inserted into a device and replaced as needed, the eSIM is soldered into the device and provides the same functionality as a traditional SIM card. This integration allows devices to be smaller and more resistant to environmental factors, as there is no need for additional slots or holders for SIM cards.
[0011] eSIM profiles are configurable profiles stored on an eSIM. Each profile contains the necessary information for authentication and service provisioning of a mobile network operator, similar to a traditional SIM card. The main advantage of eSIM profiles is that they can be remotely activated, deactivated, or exchanged over the internet and/or mobile network, eliminating the need to physically swap SIM cards. This allows users to switch easily between mobile operators or activate additional data plans without replacing the physical SIM card.
[0012] The eSIM resides on a chip, fundamentally functioning as a Secure Element and referred to as an embedded Universal Integrated Circuit Card (eUICC).
[0013] The use of the eUICC inherently provides the same level of security as a Secure Element, ensuring that eSIM data retains its integrity and that communication with the mobile network is secure. This is critical for functions such as authentication within the mobile network.
[0014] For the purposes of the present invention — and as generally understood — the terms SE, eSE, and eUICC are used interchangeably to refer to the core function of securely storing data and algorithms in either a general (SE, eSE) or specialized (eUICC) form.
[0015] A key issue is that an eSE is typically controlled by the manufacturer. Although an eSE is generally capable of storing all necessary programs and information, the manufacturer predefines which functions are available.
[0016] The objective of the present invention is to enable the user to locally store and encrypt data in a hardware-encrypted manner.
[0017] This problem is solved by a device, comprising: a. a processor module configured to execute operating system software and application software; b. a memory module coupled to the processor module, configured to store data and software applications; c. an embedded Universal Integrated Circuit Card (eUICC) configured to store a plurality of embedded Subscriber Identity Module (eSIM) profiles; d. a communication interface coupled to the processor module, configured to support wireless and/or wired data transmission via multiple communication protocols; and e. a power supply mechanism configured to provide electrical power to the device; wherein
- the eUICC is configured to store at least two, and optionally n (where n = 2, 3, 4, 5, 6, 7, 8, 9, or more) eSIM profiles;
- a first eSIM profile is configured to store authentication credentials associated with a Mobile Network Operator (MNO); and
- at least one additional eSIM profile is configured to integrate program code that:
- includes an algorithm for signing data using a private key; and/or
- includes an algorithm for generating one-time passwords (OTP); and/or
- includes an algorithm for generating and processing rolling codes; and/or
- provides a secure storage area for data and respective communication interfaces; and/or
- at least one additional eSIM profile is configured to provide a Supplementary Secure Domain (SSD), wherein program code is executed at least partially within one or more applets stored in the SSD wherein
- the one or more applets executed within the SSD comprise at least one of:
- an algorithm for signing data using a private key;
- an algorithm for generating one-time passwords (OTP);
- an algorithm for generating and processing rolling codes; and/or
- an algorithm for secure data storage and management, as well as corresponding communication interfaces.
[0018] The processor module is responsible for executing both the operating system and application software. This allows the device to handle system operations and application tasks, providing a flexible platform for running various functionalities. It is advantageous as it ensures the device can support a range of use cases without requiring external computing resources.
[0019] The surprising finding of the present invention is that eSIM profiles have an additional functionality completely separate from storing telephone credentials for connecting to a mobile network. An eSIM profile may be used either directly or by providing an SSD for executing program code and storing secure information such as personal credentials, private keys, etc.
[0020] According to one embodiment of the present invention, the memory module stores data and software applications. By coupling the memory to the processor, it ensures quick access to data and efficient processing. This feature is crucial for optimizing the performance of the device, allowing for smooth operation and real-time data handling.
[0021] According to one example of the present invention, the eUICC stores multiple eSIM profiles, providing flexibility in managing multiple network profiles on a single device. This is particularly advantageous for users who may need to switch between different mobile network operators (MNOs) or for managing different secure functions in distinct profiles.
[0022] Furthermore, according to one embodiment of the present invention, the communication interface supports both wired and wireless data transmission across multiple protocols. This versatility ensures that the device can connect to various types of networks and devices, making it highly adaptable in different environments. The advantage is that it allows seamless communication regardless of the connection type.
[0023] Furthermore, it may be advantageous that the power supply mechanism ensures that the device receives sufficient electrical power to operate. It is essential for maintaining consistent performance, particularly for devices that may require prolonged operation without external power sources, ensuring reliability.
[0024] According to one embodiment of the present invention, the eUICC stores at least two eSIM profiles, with flexibility to store more. This setup enables the device to switch between different MNOs or network services and functionalities provided by the eSIM profiles according to the present invention.
[0025] Thereby, it may be of advantage that the first eSIM profile stores authentication credentials for a Mobile Network Operator (MNO), ensuring secure access to mobile services. This is essential for maintaining privacy and security when connecting to a mobile network and the additional eSIM profile integrates program code for secure functions such as data signing, OTP generation, and rolling codes.
[0026] This additional eSIM profile can also store secure data, offering enhanced security for sensitive information. It allows the device to perform advanced cryptographic operations without relying on external systems, providing an additional layer of security.
[0027] To be able to store algorithms, data and private/public keys according to the invention, a Supplementary Secure Domain (SSD) in the additional eSIM profile may be activated and made accessible. The SSD within the eSIM profile allows secure execution of applets. This enables the device to run sensitive operations, such as cryptographic algorithms and secure data storage, directly within the SSD of the eSIM profile. It is beneficial as it reduces the risk of data breaches by keeping sensitive operations within a trusted secure domain.
[0028] The applets executed within the SSD can include algorithms for signing data, generating OTPs, processing rolling codes, or managing secure data storage. This feature is advantageous as it provides a high level of security by ensuring these operations are carried out within a secure and isolated environment, preventing unauthorized access.
[0029] According to one embodiment of the present disclosure, the integrated program code and/or an applet comprises an algorithm to generate public/private keypairs, in particular algorithms comprising deriving a public/private keypair by performing the steps of hierarchical deterministic key derivation to generate a subordinate private key based on a master keypair.
[0030] Public-/private keypairs are widely used. This specific embodiment of the present invention uses an algorithm which specifically uses hierarchical deterministic (HD) key derivation, which is a method widely used in modern cryptographic systems, particularly in blockchain applications and secure key management.
[0031] Hierarchical deterministic key derivation allows for the generation of a set of related private and public keys from a single master keypair, which is the root key. This is done by applying a specific key derivation process where each new key is derived from the master keypair in a structured, predictable way.
[0032] This embodiment may specifically refer to BIP 32 (Bitcoin Improvement Proposal 32), which defines the concept of hierarchical deterministic wallets, but is not limited to it.
[0033] In BIP 32, a root seed phrase is used to generate a master private key, from which child private keys are derived in a hierarchical structure. These child keys can be used for various purposes, such as signing transactions or encrypting data, and the entire structure is deterministic, meaning the same seed phrase always produces the same set of keys.
[0034] Additionally, BIP 39 is relevant here as it defines the seed phrase used to derive the master keypair, and BIP 44 standardizes the derivation path to allow for different cryptocurrencies or applications to be supported in a single wallet.
[0035] Typically, the root key or master keypair is derived from a “seed phrase,” a human-readable series of words (often 12 or 24 words) generated using a secure random process. This seed phrase serves as a backup, allowing the restoration of the entire key hierarchy. This mechanism is widely adopted in cryptocurrency wallets for generating and recovering a wallet’s keys.
[0036] The general advantage of using hierarchical deterministic key derivation is that it simplifies key management. Instead of having to store or back up each key individually, the entire key hierarchy can be reconstructed from the single seed phrase. This enhances security and user convenience, especially for applications requiring secure, multiple keys or profiles, such as cryptocurrency wallets or secure multi-factor authentication systems.
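The hardened branch of the BIP32/BIP39 derivation described in [0029] to [0036] (and in the seed-phrase items of the concept list above), as an added Python example; this is not code from the patent. In the patent's setting these functions and the seed would live inside the applet, with only derived keys or signatures leaving the eSIM profile; the mnemonic, seed and path strings used here are constructed demo inputs, and the helpers handle only hardened indices because those need no elliptic-curve arithmetic.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; BIP32 reduces child keys modulo this value.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000  # indices >= 2^31 are hardened (written i' in BIP32 paths)


def seed_from_mnemonic(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: 64-byte seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds)."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def master_key_from_seed(seed: bytes):
    """BIP32 master node: I = HMAC-SHA512(key=b"Bitcoin seed", data=seed); k = I_L, c = I_R."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    if il == 0 or il >= SECP256K1_N:
        raise ValueError("seed yields an invalid master key; BIP32 says choose another seed")
    return i[:32], i[32:]


def derive_hardened_child(parent_key: bytes, parent_chain: bytes, index: int):
    """CKDpriv for a hardened index: I = HMAC-SHA512(c_par, 0x00 || k_par || ser32(i)),
    child key = (I_L + k_par) mod n, child chain code = I_R. Only the parent private key
    enters the HMAC, so the parent public key is never needed for hardened children."""
    if index < HARDENED:
        raise ValueError("this helper implements hardened derivation only")
    data = b"\x00" + parent_key + index.to_bytes(4, "big")
    i = hmac.new(parent_chain, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    child = (il + int.from_bytes(parent_key, "big")) % SECP256K1_N
    if il >= SECP256K1_N or child == 0:
        raise ValueError("invalid child at index %d; BIP32 says skip to the next index" % index)
    return child.to_bytes(32, "big"), i[32:]


def derive_path(seed: bytes, path: str):
    """Walk a BIP44-style path made of hardened segments, e.g. m/44'/0'/0' (coin type 0 = Bitcoin)."""
    segments = path.split("/")
    if segments[0] != "m":
        raise ValueError("path must start with m")
    key, chain = master_key_from_seed(seed)
    for seg in segments[1:]:
        if not seg.endswith("'"):
            raise ValueError("segment %r is not hardened" % seg)
        key, chain = derive_hardened_child(key, chain, int(seg[:-1]) + HARDENED)
    return key, chain


if __name__ == "__main__":
    # Constructed demo input: the well-known all-"abandon" BIP39 test mnemonic, empty passphrase.
    demo_mnemonic = "abandon " * 11 + "about"
    demo_seed = seed_from_mnemonic(demo_mnemonic)
    for demo_path in ("m/44'/0'/0'", "m/44'/60'/0'"):
        k, _ = derive_path(demo_seed, demo_path)
        print(demo_path, k.hex())  # distinct account keys from one seed
```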
[0037] It may as well be preferred according to the present invention that at least two eSIM profiles are enabled at the same time, wherein the first eSIM profile is activated and is preferably configured and adapted to establish a connection to a Mobile Network Operator (MNO), and the second eSIM profile is activated and comprises program code and/or provides a Supplementary Secure Domain (SSD) comprising applets, wherein an application of the mobile phone can communicate and interact with the program code and/or applets of the second eSIM profile.
[0038] In accordance with this preferred embodiment, the device is configured to allow the simultaneous activation of at least two eSIM profiles. The first eSIM profile is responsible for establishing a connection to a Mobile Network Operator (MNO). This profile contains the standard telephony credentials and communication settings necessary for connecting to the network, enabling typical cellular services such as voice calls, text messages, and mobile data.
[0039] The second eSIM profile, on the other hand, serves a different purpose. While it is activated concurrently with the first eSIM profile, its primary function is not to connect to the mobile network. Instead, it is configured to store program code or provide a Supplementary Secure Domain (SSD) that contains one or more applets. These applets may perform a variety of functions, such as cryptographic operations, secure data storage, or authentication services. Applications running on the mobile device can interact with the second eSIM profile’s program code or applets, thereby leveraging its functionality for tasks such as signing transactions, generating one-time passwords (OTPs), or storing sensitive information securely.
[0040] The second eSIM profile provides preferably a Supplementary Secure Domain (SSD), which is a dedicated, isolated environment for executing sensitive operations such as cryptographic algorithms or secure data storage. By separating these secure operations from the primary mobile network functionalities, the device ensures that sensitive data — such as private keys, OTPs, or blockchain signing credentials — is securely isolated from potential network-related threats. This design significantly improves the security of mobile devices by protecting critical data and operations from unauthorized access, reducing the attack surface for cyber threats.
[0041] Enabling at least two eSIM profiles simultaneously offers a high degree of flexibility and multi-functionality. The first eSIM profile allows the device to maintain its connection to the mobile network (MNO), ensuring uninterrupted cellular service. Meanwhile, the second eSIM profile can execute specific, high-security functions without compromising the mobile network connection. This dual-function capability is particularly beneficial for devices that require both connectivity and secure, cryptographic operations, such as for mobile banking, secure authentication, or digital wallets. The device can perform these tasks simultaneously without the need to switch profiles or connections, thus providing a seamless user experience.
[0042] Thereby it may be preferred that the second eSIM profile does not comprise telephone credentials.
[0043] It may as well be of advantage that the integrated program code in the second eSIM profile or another eSIM profile and/or an applet stored in a SSD provided by an eSIM profile or another eSIM profile comprises an algorithm configured and adapted as a signing algorithm for a blockchain transaction.
[0044] According to one embodiment, the device is configured and adapted such that a program stored outside the eUICC on the memory module sends a blockchain transaction to be signed to the second eSIM profile via an interface, and the transaction is signed using the private key stored on the eUICC in the eSIM profile, after which the signed transaction is sent back to the external program.
[0045] In a conventional cold wallet solution, the actual wallet is located on an online device, which requests and prepares the transaction. A blockchain transaction typically involves seven steps:
- Transaction Creation: The user initiates a transaction in the wallet by entering the recipient’s address, the amount to be transferred, and, if applicable, the transaction fee.
- Transaction Signing: After the transaction details are entered, the wallet generates a digital signature. This is done by using the user’s private key. The signature guarantees that the transaction was authorized by the legitimate owner of the wallet and that the transaction details have not been tampered with.
- Submission to the Network: The signed transaction is then sent from the wallet to the blockchain network, typically through a network node or blockchain service provider.
- Transaction Verification: The transaction is received and validated by nodes in the blockchain network. This verification involves confirming the validity of the digital signature and ensuring that the sender has sufficient funds to complete the transaction.
- Block Formation: After verification, the transaction is added to a block along with other transactions. Miners or validators, depending on the consensus mechanism of the blockchain, work to validate the block and add it to the blockchain.
- Block Validation and Addition to the Blockchain: Once a block is validated (e.g., by solving a cryptographic puzzle in a Proof-of-Work system), it is added to the blockchain. This confirms the transaction and makes it immutable in the blockchain ledger.
- Confirmation and Update: After the transaction is added to the blockchain, the wallet receives a confirmation that the transaction is complete. The wallet then updates the user’s balance accordingly.
[0046] It is important to note that this process may vary depending on the type of blockchain and the wallet, particularly in terms of the specific mechanisms of transaction signing and verification, as well as the consensus process.
[0047] Only the “Transaction Signing” step is performed within the cold wallet. Precisely this step is now performed in the eSIM profile according to the present invention, while the remaining steps are partially or entirely executed by software located on the memory module of the device and/or even on a remote server.
[0048] As a result, the solution according to the present invention is capable of replacing “cold wallets” with a solution within the eSIM profile having the same security level, in particular in cases where no telephone credentials are included in the second eSIM profile and there is no remote access possibility.
[0049] According to another embodiment of the present invention, the integrated program code in the second eSIM profile or another eSIM profile and/or an applet stored in an SSD provided by an eSIM profile or another eSIM profile comprises an algorithm configured and adapted as a One-Time Password (OTP) generator algorithm in the form of an applet stored on the SSD and/or integrated in the additional eSIM profile(s), wherein the OTP operates on a time-based (TOTP) or event-based (HOTP) basis.
[0050] In one embodiment, the present invention provides an eSIM profile or another eSIM profile with an integrated Supplementary Secure Domain (SSD), wherein the SSD comprises an algorithm configured as a One-Time Password (OTP) generator. The OTP generator is implemented in the form of an applet stored on the SSD and/or integrated into one or more additional eSIM profiles. The OTP is generated either on a time-based (TOTP) or event-based (HOTP) basis, in accordance with the established standards for OTP generation, such as those outlined in RFC 6238 (for TOTP) and RFC 4226 (for HOTP). These standards specify the cryptographic principles for OTP algorithms, ensuring secure, unpredictable, and one-time use passwords for authentication or transaction verification. The use of time- or event-based OTP generation provides enhanced security for mobile devices by ensuring that each generated password is unique and short-lived, mitigating the risks of replay attacks and unauthorized access.
[0051] According to a further embodiment of the present invention, the second eSIM profile or another eSIM profile is configured and adapted to store a representation of a digital ID.
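The HOTP/TOTP generator of [0049] and [0050] (RFC 4226 and RFC 6238) as an added Python example, not code from the patent. The generator side is what the applet in the SSD would compute; the two verify functions show the matching server-side checks with a counter look-ahead window and a clock-drift window, which are my addition, and the shared secret is the 20-byte RFC test-vector value used here as a constructed input.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         t0: int = 0, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by floor((T - T0) / X)."""
    return hotp(secret, (unix_time - t0) // step, digits, digestmod)


def verify_hotp(secret: bytes, expected_counter: int, candidate: str,
                look_ahead: int = 10, digits: int = 6):
    """Server-side HOTP check with a resynchronisation window (RFC 4226 section 7.4).
    Returns the next counter value to persist, or None if nothing in the window matched;
    persisting the returned value is what prevents a captured code from being replayed."""
    for c in range(expected_counter, expected_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


def verify_totp(secret: bytes, unix_time: int, candidate: str, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Server-side TOTP check accepting +/- `window` time steps of clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * step, step, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo: the 20-byte shared secret from the RFC 4226 / RFC 6238 test vectors.
    secret = b"12345678901234567890"
    print(hotp(secret, 0))              # RFC 4226 vector for counter 0: 755224
    print(totp(secret, 59, digits=8))   # RFC 6238 vector for T = 59: 94287082
```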
[0052] Storing a digital ID or a representation of a digital ID within the eSIM profile offers several key advantages that can enhance security, facilitate access control, and support the seamless integration of blockchain and other advanced authentication mechanisms. By leveraging the eSIM’s secure environment, the digital ID can be stored in a protected and tamper-resistant manner, offering a higher level of security compared to traditional storage methods.
[0053] The eSIM provides a secure element that is resistant to tampering and unauthorized access. Storing the digital ID on the eSIM ensures that it is protected by hardware-based security features, such as secure storage, encryption, and access controls. This makes it significantly harder for attackers to extract or modify the digital ID, ensuring the integrity and confidentiality of user data.
[0054] The digital ID stored on the eSIM can be used for strong, two-factor authentication (2FA) or multi-factor authentication (MFA). This can include access to mobile apps, banking services, and other secure platforms, providing a frictionless user experience while maintaining a high level of security. The ability to authenticate directly from the eSIM, which is securely bound to the device, eliminates the risks associated with storing sensitive information in less secure locations.
[0055] With the rise of decentralized identity (DID) frameworks, the digital ID stored on the eSIM can facilitate secure, privacy-preserving authentication within blockchain-based ecosystems. The eSIM can act as a trusted hardware wallet for the digital ID, allowing for secure signing of blockchain transactions. The digital ID can also be used for issuing, verifying, and managing credentials in a decentralized manner, ensuring that the user has control over their own identity while reducing the risk of identity theft or misuse.
[0056] In blockchain applications, the digital ID can be used to sign smart contracts or transactions securely. The eSIM can store cryptographic keys or certificates that are used for signing transactions, thus ensuring that only the legitimate user can authorize critical actions. The ability to store private keys securely on the eSIM enables trusted execution of blockchain-based contracts, reducing the risk of unauthorized or malicious actions on decentralized networks.
[0057] According to one embodiment, a program executed by the processor module communicates with the second eSIM profile and/or additional eSIM profile(s) via an interface to send data to and/or receive data from the eSIM profile(s).
[0058] It may be preferred that, at least initially and in particular periodically, all eSIM profiles are addressed sequentially until one of the n eSIM profiles provides the expected response.
[0059] According to a further embodiment, a list of eSIM profiles stored in the eUICC is maintained by a program stored on the memory module, in particular including the interfaces of program codes and/or applets of said eSIM profiles, so that applications stored on the memory module can be routed to the correct eSIM profile for communication and data exchange.
The present invention provides a system for managing and interacting with multiple eSIM profiles stored on a device, such as an eUICC, enabling seamless and efficient communication with various network and service providers. In particular, the system includes a program executed by a processor module that communicates with one or more eSIM profiles via an interface to send and receive data, ensuring that the appropriate profile is selected based on the task or service being requested. This dynamic management of eSIM profiles allows the device to optimize its functionality by automatically choosing the most suitable profile for a given operation, such as network connectivity, authentication, secure transaction signing or other functions provided by one or more of the eSIM profiles.
[0060] If more than one eSIM profile is activated, requests are not automatically directed to the eSIM profile with the expected interface. Without such an algorithm, such requests simply go unanswered or are answered by an arbitrary profile.
[0061] The device according to the present invention is designed to sequentially address multiple eSIM profiles until a response is obtained from one of the profiles, ensuring robust and uninterrupted service. If one profile is unavailable or unresponsive, the system automatically proceeds to the next profile.
[0062] Additionally, according to one embodiment, the system maintains a list of the eSIM profiles stored in the eUICC and their respective interfaces, which is managed by a program stored on the memory module. This list includes the interfaces, program codes, and applets of the eSIM profiles, enabling applications stored on the device to automatically route to the correct profile for communication and data exchange.
[0063] By ensuring that each application interacts with the correct profile for its specific task, the system enhances security and efficiency, particularly in cases requiring secure operations such as OTP generation or cryptographic transactions. Furthermore, this automated routing eliminates the need for manual selection of profiles by the user, making the device more user-friendly and optimizing resource usage.
[0064] In summary, the device described in this invention enables the dynamic, efficient, and secure management of multiple eSIM profiles, improving device performance and user experience. By allowing automatic switching between profiles, maintaining a list of profiles, and routing applications to the appropriate profile, the invention enhances connectivity, security, and service continuity. This solution provides a significant advancement over conventional methods, offering greater flexibility and optimized operation for devices utilizing eSIM technology.
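As an added example of the sequential addressing described in [0058] and [0061] and of the profile list of [0059] and [0062] (illustrative Python written for this page, not the applicant's code; the class names, the `interfaces` attribute and the byte-string response format are constructed stand-ins for the real eSIM profile interfaces), the router below probes all n profiles in order the first time an interface is requested, caches which profile answered, and falls back to probing again if that profile later stops responding:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class EsimProfile:
    """Stand-in for one eSIM profile on the eUICC (constructed for this example).
    `interfaces` names the applet/program interfaces the profile exposes, e.g. "otp"."""
    name: str
    interfaces: List[str]
    enabled: bool = True

    def handle(self, interface: str, payload: bytes) -> Optional[bytes]:
        # A profile that is disabled or does not expose the requested interface gives
        # no usable answer; that is the unanswered-request case the text describes.
        if not self.enabled or interface not in self.interfaces:
            return None
        return b"%s:%s:%s" % (self.name.encode(), interface.encode(), payload)


class ProfileRouter:
    """Device-side program that (a) addresses all profiles sequentially until one
    provides the expected response and (b) keeps a list mapping each interface to
    the profile serving it, so later requests go straight to the right profile."""

    def __init__(self, profiles: List[EsimProfile]):
        self.profiles = profiles
        self.routes: Dict[str, str] = {}   # interface -> profile name
        self.probe_log: List[str] = []     # profiles tried, kept for auditing

    def refresh_list(self) -> Dict[str, str]:
        """Rebuild the interface list from what each enabled profile advertises;
        the first profile advertising an interface wins, matching sequential order."""
        self.routes = {}
        for p in self.profiles:
            if p.enabled:
                for iface in p.interfaces:
                    self.routes.setdefault(iface, p.name)
        return dict(self.routes)

    def _sequential(self, interface: str, payload: bytes) -> Optional[bytes]:
        for p in self.profiles:
            self.probe_log.append(p.name)
            resp = p.handle(interface, payload)
            if resp is not None:
                self.routes[interface] = p.name   # remember who answered
                return resp
        return None

    def send(self, interface: str, payload: bytes) -> Optional[bytes]:
        target = self.routes.get(interface)
        if target is not None:
            prof = next(p for p in self.profiles if p.name == target)
            resp = prof.handle(interface, payload)
            if resp is not None:
                return resp
            # The cached profile no longer answers: drop the stale route and probe again.
            del self.routes[interface]
        return self._sequential(interface, payload)
```

The `probe_log` makes the cost of the two strategies visible: the first request for an interface touches every profile up to the one that answers, while subsequent requests touch only the cached one. Periodically calling `refresh_list()` corresponds to the "in particular periodically" re-addressing of [0058].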
[0065] Furthermore, according to one embodiment of the present invention, at least one, in particular each, eSIM profile is assigned an issued eSIM profile key or issued certificate derived from a master key or master certificate, and each program is assigned a program key or certificate issued from said master key or master certificate in order to be allowed to interact with the program code of said eSIM profile or the applets saved in the SSD of said eSIM profile.
[0066] The implementation of a rights management system according to this embodiment of the present invention, wherein each eSIM profile is assigned a unique eSIM profile key or certificate, and each program is assigned a program key or certificate issued from a master key or master certificate, is crucial for ensuring secure and controlled access to the eSIM profiles and their associated program codes or applets, particularly those stored in the Supplementary Secure Domain (SSD) of the eSIM profile.
[0067] Limiting access to eSIM profiles and the sensitive data stored within them, such as program codes, applets, and cryptographic keys, is essential for maintaining the integrity and confidentiality of the mobile device. By assigning specific keys or certificates to both eSIM profiles and programs, the system ensures that only authorized programs are permitted to interact with the program code or applets stored within the eSIM profile. This prevents unauthorized applications from gaining access to critical mobile network functionality or executing potentially harmful operations that could compromise the device’s security.
[0068] The SSD of an eSIM profile may store sensitive data, such as cryptographic keys, user authentication credentials, or even application logic that directly interacts with mobile network operations. Ensuring that only specific, authorized programs can access this sensitive data protects it from being exposed to malicious apps or unauthorized parties. For example, in the context of secure transactions (e.g., OTP generation or digital signatures), improper access to the SSD could lead to vulnerabilities or unauthorized actions, such as transaction tampering or key theft. The proposed system ensures that only programs with the proper credentials are granted access to such sensitive functionality, mitigating these risks.
[0069] By implementing a key-based rights management system, the invention allows for fine-grained control over which programs can interact with which eSIM profiles and their associated applets. This flexibility is particularly useful in multi-tenant environments or scenarios where different apps, services, or network providers need specific access to certain eSIM profiles or applets. For instance, a banking app might need to interact with a secure eSIM profile for generating OTPs, while a messaging app may need to interact with a different eSIM profile for establishing network connectivity. By controlling access through unique keys or certificates, the system ensures that each app is only allowed to access the parts of the eSIM profile that it is authorized to interact with.
[0070] The use of a master key or certificate as the root of trust for issuing keys to both eSIM profiles and programs centralizes the management of access control and simplifies the system’s scalability. Each eSIM profile and program is tied to the master key, enabling streamlined updates and management of the keys. This hierarchical system makes it easier to maintain and update security protocols, such as issuing new keys or certificates when needed.
[0071] The key-based access control approach is compatible with existing public key infrastructure (PKI) and certificate-based security protocols, making it easy to integrate with widely adopted security standards and solutions. The use of certificates and keys ensures that the system is interoperable with other security frameworks, making it a flexible and future-proof solution.
[0072] By assigning specific keys or certificates to each eSIM profile and program, the system provides efficient authorization of access requests, ensuring that only authorized programs can interact with specific eSIM profiles and their SSDs. This also makes it easier to implement auditing and logging mechanisms to track access and identify potential security threats.
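An added illustration of the rights-management hierarchy of [0065] to [0072] (example code written for this page, not the applicant's implementation). The page describes keys or certificates issued from a master key or certificate; this example uses a symmetric HMAC-based key hierarchy as a stand-in for a certificate chain so that it runs with the Python standard library alone. The names `MasterIssuer` and `ProfileAccessGuard`, the credential layout and the applet names ("otp", "sign", "network") are constructed for the example. It shows the three properties the text asks for: a profile verifies a program's credential without holding the master key, a program is confined to the applets it was issued rights for (the banking-app versus messaging-app case of [0069]), and every decision is recorded for auditing ([0072]).

```python
import hashlib
import hmac
from typing import Dict, FrozenSet, List, Tuple


def derive_key(parent: bytes, label: bytes) -> bytes:
    """One-way child-key derivation (HMAC-SHA256 used as a KDF): the child cannot
    be inverted to recover the parent, so a profile key never exposes the master."""
    return hmac.new(parent, label, hashlib.sha256).digest()


def credential_message(program_id: str, rights: str) -> bytes:
    return b"program:" + program_id.encode() + b"|rights:" + rights.encode()


class MasterIssuer:
    """Root of trust: holds the master key and issues per-profile keys and
    per-program credentials. Constructed here as a symmetric stand-in for a CA."""

    def __init__(self, master_key: bytes):
        self._master = master_key

    def profile_key(self, profile_id: str) -> bytes:
        return derive_key(self._master, b"profile:" + profile_id.encode())

    def program_credential(self, program_id: str, profile_id: str,
                           rights: FrozenSet[str]) -> Dict[str, object]:
        """Binds (program, profile, allowed applets) under that profile's key, so the
        profile can check it locally without ever seeing the master key."""
        rights_str = ",".join(sorted(rights))
        tag = hmac.new(self.profile_key(profile_id),
                       credential_message(program_id, rights_str), hashlib.sha256).digest()
        return {"program": program_id, "profile": profile_id, "rights": rights_str, "tag": tag}


class ProfileAccessGuard:
    """Lives in the eSIM profile: checks a program's credential before a request
    reaches an applet in the SSD, and logs every decision for auditing."""

    def __init__(self, profile_id: str, profile_key: bytes):
        self.profile_id = profile_id
        self._key = profile_key
        self.audit: List[Tuple[str, str, str]] = []

    def authorize(self, cred: Dict[str, object], applet: str) -> bool:
        allowed = False
        # A credential issued for another profile is rejected before any MAC check.
        if cred.get("profile") == self.profile_id:
            expected = hmac.new(self._key,
                                credential_message(str(cred["program"]), str(cred["rights"])),
                                hashlib.sha256).digest()
            genuine = hmac.compare_digest(expected, bytes(cred["tag"]))
            # Rights travel inside the MAC'd message, so editing them breaks the tag.
            allowed = genuine and applet in str(cred["rights"]).split(",")
        self.audit.append((str(cred.get("program")), applet, "allow" if allowed else "deny"))
        return allowed
```

With real certificates the `tag` would be a signature over the same fields verified against the master certificate that the profile carries; the access decision and the audit record are the same.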
[0073] The present invention provides a surprising insight in that an eSIM profile can be used, preferably without telephone credentials, as a secure vault, or alternatively, a further eSIM profile containing telephone credentials can be used as a secure vault. This configuration effectively decouples functionalities from the specific Mobile Network Operator (MNO) provider associated with the user, enabling both Business-to-Business (B2B) and personal use cases that are independent of a specific MNO contract.
[0074] The invention discloses particularly useful scenarios and provides technical solutions for managing and utilizing multiple active eSIM profiles simultaneously. Until now, skilled persons have not considered this possibility, and there has been no prior art showing such use cases or methods for operating multiple active eSIM profiles concurrently.
[0075] According to the present invention, the device may be, for example, a smartphone, a smartwatch, a tablet, a sensor, or another IoT device equipped with an eUICC capable of storing eSIM profiles.
[0076] The invention also provides a method for operating a device, in particular a device according to one of the preceding claims, comprising:
- a processor module configured to execute operating system software and application software,
- a memory module coupled to the processor module,
- an embedded Universal Integrated Circuit Card (eUICC) configured to store a plurality of embedded Subscriber Identity Module (eSIM) profiles,
- a communication interface coupled to the processor module,
- a power supply mechanism, wherein the method comprises the steps of: storing at least two eSIM profiles on the eUICC, storing authentication credentials associated with a Mobile Network Operator (MNO) in a first eSIM profile, integrating program code in at least one additional eSIM profile (7) to enable the execution of algorithms and/or providing a Supplementary Secure Domain (SSD) by at least one additional eSIM profile (7), wherein program code is executed at least partially within one or more applets stored in the SSD; the program code and/or the applets comprising:
- an algorithm for signing data using a private key;
- an algorithm for generating one-time passwords (OTP);
- an algorithm for generating and processing rolling codes; and/or
- an algorithm for secure data storage and management, as well as corresponding communication interfaces; and communicating with the second eSIM profile via an external program stored outside the eUlCC.
[0077] According to one embodiment, it may be advantageous to generate a public/private keypair using hierarchical deterministic key derivation, wherein the public/private keypair is derived from a master keypair stored in the second eSIM profile.
[0078] According to a further embodiment, at least two eSIM profiles are enabled simultaneously, wherein the first eSIM profile is configured to establish a connection with an MNO, and the second eSIM profile has integrated program code and/or is configured to provide a Supplementary Secure Domain (SSD) and enable communication between an external application and the program code or applets in the SSD.
[0079] It may also be preferred to ensure that the second eSIM profile does not include telephone credentials but is configured solely for program code execution and/or providing an SSD.
[0080] According to one embodiment, it is preferred to sign a blockchain transaction using a signing algorithm stored in the second eSIM profile, wherein the transaction is received from an external program via the communication interface, signed in the eSIM profile, and the signed transaction is sent back to the external program.
[0081] It may also be advantageous to generate one-time passwords (OTP) using an algorithm stored in the second eSIM profile, wherein the OTP is time-based (TOTP) or event-based (HOTP).
[0082] In addition, it could be preferred to store a representation of a digital ID in the second eSIM profile or an additional eSIM profile.
[0083] Moreover, it can be preferred to address the second eSIM profile and/or additional eSIM profiles via a program executed by the processor module to send and receive data through an interface.
[0084] It could also be advantageous that all eSIM profiles are addressed sequentially until one of the n eSIM profiles provides the expected response.
[0085] It could also be preferred to maintain a list of the eSIM profiles stored on the eUICC by means of a program stored on the memory module, wherein the list includes the interfaces of the program code and applets of the eSIM profiles, enabling applications to route communications to the correct eSIM profile for data exchange.
[0086] Finally, it could be advantageous for the method to comprise the following steps:
- assigning each eSIM profile an issued eSIM profile key or issued certificate derived from a master key or master certificate,
- assigning each program interacting with the eSIM profile(s) a program key or certificate, derived from the same master key or master certificate, to enable secure interaction with the program code or applets in the SSD of the eSIM profile.
[0087] The present invention will be explained in more detail below with reference to an exemplary embodiment. It may be provided that the eSIM profile is designed and configured to store a signing algorithm for a blockchain transaction and/or the eSIM profile is designed and configured to generate a private key for a blockchain.
[0088] In addition to signing blockchain transactions, an aspect of the invention includes the generation of a private/public key pair, wherein a skilled person, within the meaning of the present invention, reads the public key whenever necessary.
[0089] According to one embodiment of the present invention, it may be provided that the generated private keys are displayed to the user during or immediately after generation via an output device of the apparatus, such as a display of the device, using a wallet application, but are not stored outside of the eSIM profile or the eUICC.
[0090] Furthermore, it may alternatively or additionally be provided that the private key is entered by the user via an input device and sent directly to the eSIM profile by the wallet application without being stored, where it is then saved.
[0091] A seed phrase, also known as a “recovery phrase” or “mnemonic phrase,” is a series of words that serve as a master key to restore access to a cryptocurrency wallet. This seed phrase is typically generated during the initial setup of a wallet and is crucial for the security and recovery of the wallet. The seed phrase consists of 12, 18, or 24 randomly generated words, which provide a user-friendly representation of a complex secret key.
[0092] From this seed phrase, the private key is derived. The process of generating multiple private keys for different blockchains from a single seed phrase is known as a hierarchical deterministic (HD) wallet. In an HD wallet, a tree structure of keys is derived from the original seed phrase. This process follows a standard known as BIP32 (Bitcoin Improvement Proposal 32). Each derived key can be used for a different blockchain or for a different account purpose, with each key being unique and having its own address on the respective blockchain.
[0093] This method allows users to generate a variety of addresses and private keys for different cryptocurrencies from a single seed phrase. This significantly simplifies the management of various cryptocurrency wallets, as users only need to secure one seed phrase instead of memorizing multiple private keys.
[0094] In the present invention, the term “seed phrase” is broadly understood to mean that multiple private keys can be generated in the context of an HD wallet.
[0095] For security reasons, it is undesirable for private keys to be read out from the eSIM profile or the eUICC. Once transferred into or generated within the eSIM profile, they should not be extractable.
[0096] However, since the user or a software application must have access for backup purposes at least once, the seed phrase, upon generation, must be displayable on an output device, such as the display of the apparatus, and/or transferable to another data processing device.
[0097] To prevent misuse, the private key and/or seed phrase is only held in temporary storage, such as the device’s RAM, so that it remains permanently retrievable only in the secure element. By displaying it on an output device, such as the device’s display, the user can secure the individual words of the seed phrase or the digits of the private key elsewhere, such as by writing them down manually.
[0098] Furthermore, according to the invention, it is provided that a representation of a digital ID is stored on the eSIM, so that the private key can be uniquely linked to the digital ID.
[0099] It is currently regulated that anonymous wallets will not be permitted in the future. This particularly includes the requirement that every wallet must be uniquely assigned to a specific person.
[00100] The subject matter of the present invention, therefore, regardless of whether algorithms are stored in a hot wallet, cold wallet, secure element, or the inventive eSIM, is that the parallel storage of a digital ID ensures the assignment to a person.
[00101] Digital IDs as such are known to those skilled in the art and do not require detailed explanation.
[00102] Furthermore, it may be provided that, when a private key is generated or entered by the wallet application, a distribution plan is created, which stores fragments of the private key on various external storage modules, and the fragments can be combined by the user using a password, allowing the private key to be displayed.
[00103] An embodiment is further explained with the help of the following figures:
Fig. 1: a structural overview of an eUICC;
Fig. 2: a structural overview of a mobile device and its connections to networks;
Fig. 3: a more detailed overview of a mobile device according to one example of the present invention; and
Fig. 4: a flow diagram of a method according to the present invention.
[00104] Figure 1 illustrates an eUICC 1 that contains a set of general management functions 3, which handle tasks such as access rights and profile management. Two distinct eSIM profiles 5, 7 are stored within the eUICC. The first profile 5 contains network credentials 11 required to establish a connection to a mobile network. The second eSIM profile 7, however, lacks telephone credentials and is referred to as a “non-telco” profile. This non-telco profile 7 provides a supplementary security domain (SSD) 13, within which applets 17 are stored. It is noteworthy that the first eSIM profile 5 may also offer a supplementary security domain (SSD) 15, although in the illustrated example, this functionality is not activated.
[00105] Figure 2 demonstrates the data flow as per the invention. Data originating from a server 20, a personal computer 22, or another device 24 is processed by an application. Critical data and program code are stored securely within the eUICC 1, as detailed in Figure 1, rather than relying solely on the secure element managed by the OEM manufacturer of the device. With this invention, third-party access to hardware-based security is enabled for the first time on devices equipped with an eUICC, by utilizing eSIM profiles. This opens up significant possibilities for accessing secure hardware in a device without needing control or permission from the OEM, allowing third-party applications or services to benefit from hardware-level security without requiring separate secure elements.
[00106] Figure 3 shows an example of a device 30 according to the invention having a processor module 32 configured to execute operating system software and application software, a memory module 34 coupled to the processor module, configured to store data and software applications, an embedded Universal Integrated Circuit Card (eUICC) 36 configured to store a plurality of embedded Subscriber Identity Module (eSIM) profiles, a communication interface 40 coupled to the processor module, configured to support wireless and/or wired data transmission via multiple communication protocols; and a power supply mechanism 42 configured to provide electrical power to the device. The device itself may communicate with a mobile network 50.
[00107] Figure 4 shows a flow diagram of a method according to the present invention comprising providing a first eSIM profile 5 and a second eSIM profile 7 on an eUICC in a step 100. In a step 110, authentication credentials are provided in the first eSIM profile 5 for establishing a connection with an MNO, and in a step 120 program code is integrated in the second eSIM profile 7 for executing algorithms and managing secure data.
[00108] Subsequently, in a step 130, program code is executed within applets stored in the SSD of the second eSIM profile 7, followed by communicating with the second eSIM profile 7 via an external application or program, e.g. app 26 from Figure 2.
[00109] The features of the invention disclosed in the foregoing description, the claims, and the drawings may be essential for implementing the invention in its various embodiments, both individually and in any desired combination.

Claims

1. Device (30), comprising: a. a processor module (32) configured to execute operating system software and application software; b. a memory module (34) coupled to the processor module, configured to store data and software applications; c. an embedded Universal Integrated Circuit Card (eUICC) (36) configured to store a plurality of embedded Subscriber Identity Module (eSIM) profiles; d. a communication interface (40) coupled to the processor module, configured to support wireless and/or wired data transmission via multiple communication protocols; and e. a power supply mechanism (42) configured to provide electrical power to the device; wherein
- the eUICC (36) is configured to store at least two, and optionally n (where n = 2, 3, 4, 5, 6, 7, 8, 9, or more) eSIM profiles (5, 7);
- a first eSIM (5) profile is configured to store authentication credentials associated with a Mobile Network Operator (MNO); and
- at least one additional eSIM (7) profile is configured to integrate program code that:
- includes an algorithm for signing data using a private key; and/or
- includes an algorithm for generating one-time passwords (OTP); and/or
- includes an algorithm for generating and processing rolling codes; and/or
- provides a secure storage area for data and respective communication interfaces; and/or
- at least one additional eSIM (7) profile is configured to provide a Supplementary Secure Domain (SSD) (13), wherein program code is executed at least partially within one or more applets stored in the SSD (13) wherein
- the one or more applets executed within the SSD (13) comprise at least one of:
- an algorithm for signing data using a private key;
- an algorithm for generating one-time passwords (OTP);
- an algorithm for generating and processing rolling codes; and/or - an algorithm for secure data storage and management, as well as corresponding communication interfaces.
2. Device (30) according to claim 1, wherein the integrated program code and/or an applet comprises an algorithm to generate public/private keypairs, in particular algorithms comprising deriving a public/private keypair by performing the steps of hierarchical deterministic key derivation to generate a subordinate private key based on a master keypair.
3. Device (30) according to claim 1 or claim 2, wherein at least two eSIM profiles are enabled at the same time, wherein the first eSIM profile (5) is activated and is preferably configured and adapted to establish a connection to a Mobile Network Operator (MNO) (50), and the second eSIM profile (7) is activated and comprises program code and/or provides a Supplementary Secure Domain (SSD) comprising applets, wherein an application of the mobile phone can communicate and interact with the program code and/or applets of the second eSIM profile (7).
4. Device according to one or more of the preceding claims, wherein the second eSIM profile (7) does not comprise telephone credentials.
5. Device according to one or more of the preceding claims, wherein the integrated program code in the second eSIM profile (7) or another eSIM profile and/or an applet stored in a SSD (13) provided by an eSIM profile (7) or another eSIM profile comprises an algorithm configured and adapted as a signing algorithm for a blockchain transaction.
6. Device according to claim 5, wherein the device is configured and adapted such that a program stored outside the eUlCC (36) on the memory module (34) sends a blockchain transaction to be signed to the second eSIM profile (7) via an interface, and the transaction is signed using the private key stored on the eUlCC in the eSIM profile (7), after which the signed transaction is sent back to the external program.
7. Device according to one or more of the preceding claims, wherein the integrated program code in the second eSIM profile (7) or another eSIM profile and/or an applet stored in a SSD provided by an eSIM profile (7) or another eSIM profile comprises an algorithm configured and adapted as a One-Time Password (OTP) generator algorithm in the form of an applet stored on the SSD and/or integrated in the additional eSIM profile(s), wherein the OTP operates on a time-based (TOTP) or event-based (HOTP) basis.
8. Device according to one or more of the preceding claims, wherein the second eSIM profile (7) or another eSIM profile is configured and adapted to store a representation of a digital ID.
9. Device (30) according to one or more of the preceding claims, wherein a program executed by the processor module (32) communicates with the second eSIM profile (7) and/or an additional eSIM profile(s) via an interface to send data to and/or receive data from the eSIM profile(s).
10. Device (30) according to claim 9, wherein at least initially, in particular periodically, all eSIM profiles are addressed sequentially by the program until one of the n eSIM profiles provides the expected response.
11. Device (30) according to claim 9 or 10, wherein a list of eSIM profiles (5,7) stored in the eUICC (36) is maintained by a program stored on the memory module (34), in particular including the interfaces of program codes and/or applets of said eSIM profiles (5,7), so that applications stored on the memory module (34) can be routed to the correct eSIM profile for communication and data exchange.
12. Device (30) according to one or more of the preceding claims, wherein at least one, in particular each, eSIM profile (5,7) is assigned an issued eSIM profile key (50) or issued certificate (52) issued from a master key (54) or certificate (56), and each program is assigned a program key (50') or certificate (52') issued from said master key (54) or master certificate (56) to be allowed to interact with program code of said eSIM profile (5,7) or applets saved in the SSD of said eSIM profile (5,7).
13. A method for operating a device (30), in particular a device according to one of the preceding claims, comprising:
- a processor module (32) configured to execute operating system software and application software,
- a memory module (34) coupled to the processor module,
- an embedded Universal Integrated Circuit Card (eUICC) (36) configured to store a plurality of embedded Subscriber Identity Module (eSIM) profiles,
- a communication interface (40) coupled to the processor module,
- a power supply mechanism (42), wherein the method comprises the steps of: storing at least two eSIM profiles (5, 7) on the eUICC (36), storing authentication credentials associated with a Mobile Network Operator (MNO) in a first eSIM profile (5), integrating program code in at least one additional eSIM profile (7) to enable the execution of algorithms and/or providing a Supplementary Secure Domain (SSD) by at least one additional eSIM profile (7), wherein program code is executed at least partially within one or more applets stored in the SSD; the program code and/or the applets comprising:
- an algorithm for signing data using a private key;
- an algorithm for generating one-time passwords (OTP);
- an algorithm for generating and processing rolling codes; and/or
- an algorithm for secure data storage and management, as well as corresponding communication interfaces; and communicating with the second eSIM profile (7) via an external program stored outside the eUICC (36).
14. The method according to claim 17, further comprising: generating a public/private keypair using hierarchical deterministic key derivation, wherein the public/private keypair is derived from a master keypair stored in the second eSIM profile (7).
15. The method according to claim 13 or 14, wherein:
- at least two eSIM profiles (5, 7) are enabled simultaneously,
- the first eSIM profile (5) is configured to establish a connection with an MNO (50), and
- the second eSIM profile (7) has integrated program code and/or is configured to provide a Supplementary Secure Domain (SSD) and enable communication between an external application and the program code or applets in the SSD.
16. The method according to any of the claims 13 to 15, wherein: ensuring that the second eSIM profile (7) does not include telephone credentials, but is configured solely for program code execution and/or providing a SSD.
17. The method according to any of the claims 13 to 16, wherein: signing a blockchain transaction using a signing algorithm stored in the second eSIM profile (7), wherein the transaction is received from an external program via the communication interface (40), signed in the eSIM profile (7), and the signed transaction is sent back to the external program.
18. The method according to any of the claims 13 to 17, wherein: generating one-time passwords (OTP) using an algorithm stored in the second eSIM profile (7), wherein the OTP is time-based (TOTP) or event-based (HOTP).
19. The method according to any of the claims 13 to 18, wherein: storing a representation of a digital ID in the second eSIM profile (7) or an additional eSIM profile.
20. The method according to any of the claims 13 to 19, wherein: addressing the second eSIM profile (7) and/or additional eSIM profiles via a program executed by the processor module (32) to send and receive data through an interface.
21. The method according to any of the claims 13 to 20, wherein: all eSIM profiles are addressed sequentially until one of the n eSIM profiles provides the expected response.
22. The method according to any of the claims 13 to 21, wherein: maintaining a list of eSIM profiles (5, 7) stored on the eUICC (36) by a program stored on the memory module (34), wherein the list includes the interfaces of program code and applets of the eSIM profiles (5, 7), enabling applications to route communications to the correct eSIM profile for data exchange.
23. The method according to any of the claims 13 to 21, wherein:
- assigning each eSIM profile (5, 7) an issued eSIM profile key (50) or issued certificate (52) derived from a master key (54) or master certificate (56),
- assigning each program interacting with the eSIM profile(s) a program key (50’) or certificate (52’), derived from the same master key (54) or master certificate (56), to enable secure interaction with the program code or applets in the SSD of the eSIM profile (5, 7).
PCT/EP2025/057732 2024-03-20 2025-03-20 Use of two or more esim profiles for storing and executing algorithms, cryptographic keys, and data Pending WO2025196241A1 (en)

Applications Claiming Priority (8)

Application Number Priority Date Filing Date Title
DE102024107912 2024-03-20
DE102024107912.6 2024-03-20
DE102024107908.8 2024-03-20
DE102024107908 2024-03-20
DE102024130309 2024-10-18
DE102024130309.3 2024-10-18
DE102024132610 2024-11-08
DE102024132610.7 2024-11-08

Publications (1)

Publication Number Publication Date
WO2025196241A1 true WO2025196241A1 (en) 2025-09-25

Family

ID=95154256

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2025/057732 Pending WO2025196241A1 (en) 2024-03-20 2025-03-20 Use of two or more esim profiles for storing and executing algorithms, cryptographic keys, and data

Country Status (1)

Country Link
WO (1) WO2025196241A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022214806A1 (en) * 2021-04-09 2022-10-13 Vodafone Group Services Limited Blockchain micro transactions
US20220394443A1 (en) * 2021-06-06 2022-12-08 Apple Inc. SIM TOOLKIT SCHEDULING FOR MULTIPLE ENABLED eSIM PROFILES

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022214806A1 (en) * 2021-04-09 2022-10-13 Vodafone Group Services Limited Blockchain micro transactions
US20220394443A1 (en) * 2021-06-06 2022-12-08 Apple Inc. SIM TOOLKIT SCHEDULING FOR MULTIPLE ENABLED eSIM PROFILES

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
GSMA: "Common Implementation Guide to Using the SIM as a 'Root of Trust' to Secure IoT Applications", 3 December 2019 (2019-12-03), XP055693329, Retrieved from the Internet <URL:https://www.gsma.com/iot/wp-content/uploads/2019/12/IoT.04-v1-Common-Implementation-Guide.pdf> [retrieved on 20200508] *
KRISHNAN PRABHAKAR ET AL: "eSIM and blockchain integrated secure zero-touch provisioning for autonomous cellular-IoTs in 5G networks", COMPUTER COMMUNICATIONS, ELSEVIER SCIENCE PUBLISHERS BV, AMSTERDAM, NL, vol. 216, 6 January 2024 (2024-01-06), pages 324 - 345, XP087467609, ISSN: 0140-3664, [retrieved on 20240106], DOI: 10.1016/J.COMCOM.2023.12.023 *
RAO SIDDHARTH PRAKASH ET AL: "Authenticating Mobile Users to Public Internet Commodity Services Using SIM Technology", PROCEEDINGS OF THE 1964 19TH ACM NATIONAL CONFERENCE, ACMPUB27, NEW YORK, NY, USA, 29 May 2023 (2023-05-29), pages 151 - 162, XP059096374, ISBN: 978-1-4503-7306-7, DOI: 10.1145/3558482.3590181 *
SECURITY &STANDARDS ASSOCIATES: "Drafts for ISO 23220 Mobile eID systems (Wallets)", vol. TC ESI Electronic Signatures and Infrastructures, 13 September 2022 (2022-09-13), pages 1 - 52, XP014443757, Retrieved from the Internet <URL:ftp://docbox.etsi.org/ESI/ESI/05-CONTRIBUTIONS/2022/ESI(22)078035_Drafts_for_ISO_23220_Mobile_eID_systems__Wallets_.zip DIS 23220-1 clean v4. Generic system architectures.pdf> [retrieved on 20220913] *

Similar Documents

Publication Publication Date Title
EP2999189B1 (en) Network authentication method for secure electronic transactions
US9325708B2 (en) Secure access to data in a device
US20190281028A1 (en) System and method for decentralized authentication using a distributed transaction-based state machine
RU2515809C2 (en) Methods for facilitating secure self-initialisation of subscriber devices in communication system
CN101828357B (en) Credential provisioning method and device
EP2893484B1 (en) Method and system for verifying an access request
US8769289B1 (en) Authentication of a user accessing a protected resource using multi-channel protocol
EP2063378B1 (en) Telecommunications device security
RU2445689C2 (en) Method to increase limitation of access to software
CA2969493C (en) System and method for enabling secure authentication
CN113474774A (en) System and method for approving a new validator
CN103119975B (en) User account recovers
KR20110110254A (en) Apparatus and method for providing authorized device access
GB2527189A (en) Method, apparatus, and system for generating transaction-signing one-time password
US10320774B2 (en) Method and system for issuing and using derived credentials
Theuermann et al. Mobile-only solution for server-based qualified electronic signatures
AU2024313338A1 (en) User authentication for operational technology (ot) assets
WO2025196241A1 (en) Use of two or more esim profiles for storing and executing algorithms, cryptographic keys, and data
Suoranta et al. Strong authentication with mobile phone
Oniga et al. Iot infrastructure secured by tls level authentication and pki identity system
CN111079109A (en) Local security authorization login method and system compatible with multiple browsers
Nosouhi et al. Towards Availability of Strong Authentication in Remote and Disruption-Prone Operational Technology Environments
Horsch et al. TrustID: Trustworthy identities for untrusted mobile devices
HK40060764A (en) System and method for endorsing a new authenticator
EP3698510A1 (en) Secure communication system and method for transmission of messages

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 25714485

Country of ref document: EP

Kind code of ref document: A1