Methods for loading a communication profile into a secure element, and secure element, profile management unit, and associated communication device
The method of suspending profile loading in secure elements using session keys and tokens ensures efficient, secure, and timely installation of communication profiles in communication devices, addressing time-consuming factory inefficiencies.
Patent Information
- Authority / Receiving Office
- FR · FR
- Patent Type
- Patents
- Current Assignee / Owner
- IDEMIA FRANCE SAS
- Filing Date
- 2023-11-27
- Publication Date
- 2026-06-26
Smart Images

Figure 00000026_0000 
Figure 00000027_0000 
Figure 00000028_0000
Abstract
Description
Title of the invention: Methods for loading a communication profile into a secure element, and secure element, profile management unit, and associated communication device. Technical field
[0001] The present invention relates to the field of eUICC (embedded Universal Integrated Circuit Card) type secure elements in which communication profiles are stored. In particular, the present invention relates to methods for loading a communication profile into a secure element, as well as to a secure element, a profile management unit, and an associated communication device. The present invention finds a particularly advantageous, though not limiting, application for loading and installing communication profiles into eUICC type secure elements integrated into communication devices using mobile telephone networks, such as telephones, connected objects, vehicles, etc. Previous technique
[0002] The invention relates in particular to the specific context of installing communication profiles in eUICC-type secure elements integrated into communication devices, for example, telecommunications terminals such as smartphones, smart electricity or water meters, and vehicles. eUICC-type secure elements are described in the GSMA SGP.02 standard entitled "Remote Provisioning Architecture for Embedded UICC," for example, in version 4.2.1 published in November 2021.
[0003] Secure elements of the eUICC type are permanently integrated into communication devices to replace removable physical SIM cards, traditionally used to authenticate a user with a mobile network operator. Secure elements of the eUICC type are configured to store one or more communication profiles and are reprogrammable. These secure elements allow, for example, a user to change operators without having to physically replace a SIM card.
[0004] As is known, a communication profile is a set of data that allows authentication with a communication network operator and communication on that network. Typically, a communication profile includes subscription data such as an IMSI (International Mobile Subscriber Identity), encryption keys, and authentication algorithm parameters specific to the associated operator. It may also including a file system, applications, and / or predetermined execution rules. Such communication profiles are notably defined in the aforementioned GSMA SGP.02 standard and the Trusted Connectivity Alliance standard entitled "eUICC Profile Package: Interoperable Format Test Specification", for example in its version 3.2.1 published in December 2022.
[0005] In the current state of the art, communication profiles are loaded and installed in secure elements by communication device manufacturers ("In-Factory Profile Loading"). The installation of a profile in an eUICC-type secure element is specifically defined by the aforementioned GSMA SGP.02 standard or by the GSMA SGP.22 standard entitled "RSP Technical Specification," for example, version 3.0 published in October 2022. A communication device manufacturer can, for example, have communication profiles pre-supplied by a profile delivery server (i.e., the SM-DP+ server in the aforementioned GSMA SGP.22 standard) and install these profiles at the factory in the secure elements integrated into the communication devices. The advantage of such an installation is that once the device leaves the factory, it is able to communicate on the network and access the operator's services.
[0006] However, installing a communication profile in a secure element equipping a communication device requires a particularly long time. In fact, according to the GSMA standard, a profile is sent to a secure element in the form of a plurality of profile elements defined according to the standard called ASN.1 and / or according to the aforementioned Trusted Connectivity Alliance standard, these profile elements being encrypted. The reception, decryption, and installation of the profile elements by the secure element are time-consuming operations. On the scale of thousands or millions of communication devices, the time required to install the communication profiles in the secure elements at the factory is such that it does not allow for efficient use of the manufacturer's resources and leads to a significant loss of productivity.
[0007] In conclusion, existing solutions for loading and installing communication profiles in factory settings within secure elements integrated into communication devices are not entirely satisfactory because they require excessive time. Description of the invention
[0008] The present invention aims to remedy all or part of the drawbacks of the prior art, in particular those previously described.
[0009] To this end, a method implemented by a secure element equipping a communication device is proposed, the method comprising, for a profile of communication, an initial phase of loading the profile into the secure element, including: - a reception, from a profile management unit of the communication device, of a public key from a profile provisioning server associated (uniquely) with the profile; - generation of session keys from the public key of the profile provisioning server associated with the profile; - Following receipt of a load suspension order from the profile management unit, a load suspension of the profile including: • a record, in a memory of the secure element, of the generated session keys; and • a sending, to the profile management unit, of a token signed from an encryption key of the secure element.
[0010] The proposed method implemented by the secure element is a method for loading at least one communication profile into the secure element.
[0011] Correspondingly, a method implemented by a profile management unit of a communication device is proposed, the method comprising, for a communication profile, a first phase of loading the profile into a secure element equipping the communication device comprising: - a recording, in a memory of the communication device, of encrypted elements of the profile provided by a profile provisioning server; - sending, to the secure element, a public key of the profile provisioning server associated (uniquely) with the profile; - a command to suspend loading, sent to the secure element; and - a record, in the memory of the communication device, of a token received from the secure element and signed by the secure element using an encryption key of the secure element.
[0012] The proposed method implemented by the profile management unit is a method for loading at least one communication profile into the secure element.
[0013] The present invention proposes loading an encrypted profile provided by a profile provisioning server (e.g., the SM-DP+ server) into the memory of the communication device and initiating the loading of the profile into the secure element. Then, the profile loading is suspended (i.e., paused) so that: on the one hand, the communication device includes in memory the encrypted elements of the profile as well as the token signed by the secure element; and on the other hand, the element secure includes in memory the session keys associated with the profile and allowing decryption of that profile.
[0014] In this way, the proposed solution not only allows an encrypted profile to be loaded into the memory of the communication device, but also cryptographically links the profile stored in the communication device to the secure element intended to receive that profile. In particular, the secure element generates the session keys using the public key of the profile provisioning server associated with that profile, and then stores these keys. This ensures that the secure element is involved in loading that profile. Furthermore, the communication device stores both the encrypted elements of the profile and the token signed by the secure element, the signature of the token proving the secure element's involvement in loading that profile.
[0015] Following the suspension of profile loading, the communication device has all the information necessary to complete the profile installation in the secure element. In other words, the communication device does not require any additional information, particularly from the network, to complete the profile installation. The present invention thus makes it possible, similarly to the prior art solutions described above, to provide factory-installed communication devices capable of accessing an operator's services.
[0016] In contrast to these solutions, the present invention significantly reduces the time required to load a communication profile into a secure element of a communication device at the factory, thereby increasing the productivity of a communication device manufacturer's production line. In fact, the proposed solution allows the loading and installation of the profile into the secure element to be deferred to a later stage, for example, once the communication device has been deployed. This allows these time-consuming operations for a manufacturer to be moved out of the factory while maintaining the same level of security.
[0017] Thus, the present invention makes it possible to provide in minimal time communication devices capable of accessing the services of an operator, while ensuring that each communication profile is effectively linked to the secure element intended to install this profile.
[0018] According to a particular implementation method, the suspension of the profile loading is triggered following the generation, by the secure element, of the session keys and before a reception, by the secure element, of encrypted elements of the profile.
[0019] According to this implementation, the loading of the profile into the secure element is suspended following the generation of session keys by the secure element using the public key of the profile provisioning server associated with that profile. This allows Ensure that the secure element has been cryptographically involved in loading the profile. Furthermore, the loading process is suspended before the encrypted profile elements are loaded and installed in the secure element—that is, before the time-consuming operations for a manufacturer.
[0020] This method of implementation is particularly advantageous in that it minimizes the loading time of the profile produced at the factory by a manufacturer of communication devices, while ensuring that the profile recorded in the communication device is cryptographically linked to the secure element intended to install this profile.
[0021] According to a particular implementation method, the token signed by the secure element is sent to the profile provisioning server or a third-party server.
[0022] Sending the token allows a third party, for example the network operator associated with the communication profile, to be notified that the profile has been loaded into a communication device. The signature of the token by the secure element further proves to the third party that the profile has been loaded into the communication device containing the secure element specifically intended to receive that profile.
[0023] According to a particular embodiment, the process implemented by the secure element includes a second profile loading phase comprising, following receipt of a reload command from the profile management unit: - a receipt, from the profile management unit, of the token and encrypted elements of the profile; and - decrypting the encrypted elements of the profile from the recorded session keys and installing the decrypted elements of the profile into the memory of the secure element.
[0024] Correspondingly, according to a particular embodiment, the process implemented by the profile management unit includes a second profile loading phase comprising: - sending a reloading command to the secure element; and - sending the token and encrypted elements of the profile to the secure element.
[0025] It is proposed here to perform a second loading phase to complete the installation of the profile in the secure element and activate it. Following this second loading phase, the communication device can then access the services of the network operator associated with the profile.
[0026] It should be noted that the exchange of the token between the communication device and the secure element helps to ensure the security of the proposed solution for loading a profile into the secure element. Indeed, the secure element can verify the signature of the token and therefore its prior involvement during the first phase of profile loading. This also allows verification that the encrypted profile elements, provided by the management unit and intended for installation, are indeed associated with the registered session keys.
[0027] Furthermore, no limitation is attached to the time interval between the first and second charging phases, nor to the operations performed by the device between them. In particular, the second charging phase can be carried out following the deployment of the communication device, i.e., outside the manufacturer's factory.
[0028] As indicated above, once profile loading is suspended, the communication device has all the information necessary to complete the profile installation. The communication device could, for example, complete the profile loading while offline (i.e., not connected to the network).
[0029] According to a particular embodiment, the second loading phase (i.e., sending the load resumption command) is triggered by: a power-up (i.e., a start-up or "power-up") of the communication device; a network access request from the communication device; an activation command obtained via a user interface; an activation command issued by a third-party server; or a change in an operating mode of the communication device (e.g., exiting a factory mode).
[0030] This implementation method allows precise control of the resumption of the loading of the communication profile in the secure element and therefore the activation of the profile.
[0031] According to a particular embodiment, the method comprises, following the first charging phase and before the second charging phase, a power-down (i.e., a shutdown or "power-down") and a power-up (i.e., a start or "power-up") of the communication device. Furthermore, the second charging phase (i.e., sending the resumption charging command) can be triggered by: the power-up of the communication device; or by a network access request following the power-up.
[0032] This method of implementation makes it possible in particular to defer the installation of the communication profile and its activation to a later stage, for example when the communication device is deployed in the field, i.e. outside the manufacturer's factory.
[0033] According to a particular implementation method, another token signed by the secure element is sent to the profile provisioning server following the installation of the decrypted profile elements or to a third-party server.
[0034] This implementation method allows the profile provisioning server (i.e. the SM-DP+ server), and in particular the network operator associated with the communication profile, to be notified that the installation of the communication profile in the secure element has been completed and that this profile is activated.
[0035] According to a particular embodiment, the process implemented by the secure element includes, for another communication profile (distinct from the profile mentioned above), a said first loading phase of the other profile, and may further include a said second loading phase of the other profile.
[0036] Accordingly, according to one implementation method, the process implemented by the management unit includes a said first phase of loading the other profile, and may further include a said second phase of loading the other profile.
[0037] Thus, the process implemented by the secure element and the process implemented by the profile management unit can respectively include, for each profile of a plurality of profiles, a said first phase and a said second phase of profile loading.
[0038] This method of implementation is particularly advantageous in that it allows a plurality of communication profiles to be loaded into the communication device.
[0039] According to a particular implementation mode, the load suspension command and the public key of the profile provisioning server are included in the same message.
[0040] According to this implementation, the management unit signals to the secure element at the beginning of the profile loading process that the profile loading will be suspended. This minimizes the number of messages exchanged between the management unit and the secure element. Consequently, this implementation minimizes the duration of the initial loading phase.
[0041] Alternatively, the load suspension command can be contained in a dedicated message sent by the management unit to the secure element, thus allowing precise control over the profile load suspension. For example, the load suspension command can be issued by the profile management unit in response to a message from the secure element indicating that the session keys have been generated.
[0042] According to one aspect of the invention, a method implemented by the communication device for loading at least one communication profile into a secure element equipping the communication device is also proposed, this method comprising: the steps of the method implemented by the secure element according to the invention; and the steps of the method implemented by the profile management unit according to the invention.
[0043] According to one aspect of the invention, a secure element is proposed comprising: - a receiving module, from a profile management unit of a communication device, of a public key from a profile provisioning server associated (uniquely) with the profile; - a module for generating session keys from the public key of the profile provisioning server associated with the profile; - a module for suspending a load from the profile following receipt of a load suspension command from the profile management unit, the suspension module comprising: • a recording module, in a memory of the secure element of the generated session keys; and • a module for sending, to the profile management unit, a token signed from an encryption key of the secure element.
[0044] The safety element can be configured to implement each of the implementation modes of the process according to the invention. In particular, for each step of a process according to the invention, the proposed safety element can include a corresponding module configured to implement said step.
[0045] Correspondingly, a communication profile management unit for a communication device is proposed, comprising: - a recording module, in a memory of the communication device, of encrypted elements of the profile provided by a profile provision server; - a sending module, to a secure element equipping the communication device, of a public key of the profile provisioning server associated (uniquely) with the profile; - a module for sending a load suspension command to the secure element; and - a recording module, in the memory of the communication device, for a token received from the secure element and signed by the secure element using an encryption key of the secure element.
[0046] The profile management unit can be configured to implement each of the implementation modes of the method according to the invention. In particular, for each step of a method according to the invention, the proposed profile management unit can include a corresponding module configured to implement said step.
[0047] According to one aspect of the invention, a communication device is proposed comprising a secure element according to the invention and / or a profile management unit according to the invention.
[0048] According to one aspect of the invention, a computer program is proposed comprising instructions for executing the steps of a process according to the invention, when said program is executed by at least one processor.
[0049] More specifically, a first computer program is proposed comprising instructions for executing the steps of a process implemented by an element secure, when said program is executed by at least one processor. A second computer program is also proposed, comprising instructions for executing the steps of a process implemented by a profile management unit according to the invention, when said program is executed by at least one processor. Furthermore, a set of computer programs comprising the first and second computer programs is proposed.
[0050] In the context of the invention, a computer program may consist of one or more sub-parts stored in the same memory or in separate memories. The program may use any programming language and may be in the form of source code, object code, or code intermediate between source code and object code, such as in a partially compiled form, or in any other desirable form.
[0051] According to one aspect of the invention, a data carrier readable by a processor or a computer is proposed and on which is recorded a computer program according to the invention or a set of computer programs according to the invention.
[0052] The information carrier can be any entity or device capable of storing the program. For example, the carrier can include a storage means, such as non-volatile memory or ROM, for example, a CD-ROM or a microelectronic circuit ROM. Alternatively, the information carrier can be a transmissible medium such as an electrical or optical signal, which can be transmitted via an electrical or optical cable, by radio, by a telecommunications network, by a computer network, or by other means. The program according to the invention can, in particular, be uploaded to a computer network. Alternatively, the information carrier can be an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the process in question.
[0053] The proposed secure element, profile management unit, communication device, computer program, and information carrier have the advantages described above in connection with the processes implemented by the secure element and the profile management unit. Brief description of the drawings
[0054] Other features and advantages of the present invention will become apparent from the description provided below, illustrating embodiments of the invention given by way of example and without limitation, with reference to the accompanying drawings:
[0055] Fig. 1 (Fig. 1) represents an example of the hardware architecture of a communication device equipped with a secure element according to one embodiment of the invention;
[0056] Figures 2A, 2B, and 2C represent a communication device equipped with a secure element during different stages of a process implemented by the secure element and a process implemented by a profile management unit of the communication device according to an embodiment of the invention; and
[0057] Fig. 3A and Fig. 3B represent, in flowchart form, steps of a process implemented by a secure element equipping a communication device and of a process implemented by a profile management unit of the communication device according to an implementation method of the invention. Description of the implementation methods
[0058] The present invention applies, in particular, to the installation of a communication profile in a secure eUICC-type element integrated into a communication device. The following description of the invention will refer to this particular context, which is given only by way of illustration and is not intended to limit the invention.
[0059] We introduce below, with reference to [Fig. 1], the architecture of the communication device equipped with a secure element, as an example. We then describe, with reference to Figures 2A-2C and 3A-3B, an implementation method of a process carried out by the secure element of the communication device, and of a process carried out by a profile management unit of a communication device. These two processes also constitute a method for loading at least one communication profile into a secure element equipping a communication device.
[0060] The secure element can be configured for the implementation of the aforementioned method. A profile management unit will also be described, configured for the implementation of the other method.
[0061] Fig. 1 represents an example of the hardware architecture of a communication device equipped with a secure element according to an embodiment of the invention.
[0062] The APP communication device comprises, according to the embodiment illustrated in [Fig. 1]: a secure element SE; a non-volatile memory MEM_APP; and a processing unit or processor PROC_APP. The APP device can, for example be a mobile phone, a tablet, a personal computer, a sensor equipped with a communication module, or any other communication device.
[0063] More specifically, the APP device has the hardware architecture of a computer. The MEM_APP memory constitutes an information storage medium according to the invention, readable by the PROC_APP processor, on which a computer program PROG_APP is stored according to one aspect of the invention. The PROG_APP program includes instructions for carrying out steps of a process implemented by an LPA profile management unit (shown in Figures 2A-2C) of the APP device, when the PROG_APP program is executed by the PROC_APP processor. Furthermore, the PROG_APP program specifically defines an LPA profile management unit and the associated functional modules, which rely on or control the hardware elements of the APP device.
[0064] It should be emphasized that, for each of the steps or operations described below and implemented by the LPA profile management unit, the latter may include a corresponding module configured to implement said step or operation.
[0065] As illustrated in [Fig. 1], the APP device has a COM_APP communication module configured to communicate with the secure element SE. The COM_APP communication module is further configured to communicate, via a communication network R (e.g., a mobile phone network), with other communication devices (not shown in [Fig. 1]), such as servers. There are no limitations on the nature of the communication interfaces between the APP device and the communication network R.
[0066] The secure element SE comprises, according to the embodiment illustrated by [Fig.1]: a non-volatile memory MEM_SE; and a processing unit or processor PROC_SE.
[0067] The secure element SE is fitted to the APP communication device. It can be permanently integrated into this device, for example by soldering. Hereinafter, we consider the secure element SE to be an eUICC type element according to the aforementioned GSMA SGP.02 or GSMA SGP.22 standard. It should nevertheless be noted that the invention applies to any type of secure element, including secure elements other than eUICC elements that also allow for the secure storage of profiles.
[0068] In the context of the invention, a secure element is an electronic device (e.g., a circuit) configured to process and store data securely, that is, in accordance with the security rules and requirements established by the trusted authorities. More specifically, a secure element implements an operating system, protected against unauthorized access, and configured to execute a set of computer programs and to store confidential data.
[0069] As illustrated in [Fig. 1], the MEM_SE memory of the secure element SE is intended to store at least one communication profile P. The MEM_SE memory includes in particular one or more secure domains (commonly denoted ISD-P, not shown) respectively intended to contain a communication profile P. We detail below the loading of the communication profile P into the MEM_SE memory of the secure element SE with reference to Figures 2A-2C and 3A-3B.
[0070] More specifically, the secure element SE has the hardware architecture of a computer. The MEM_SE memory associated with the secure element SE constitutes an information storage medium conforming to one aspect of the invention, readable by the PROC_SE processor, on which a computer program PROG_SE conforming to the invention is stored. The PROG_SE program includes instructions for carrying out steps of a process implemented by the secure element SE equipping the APP device, when the PROG_SE program is executed by the PROC_SE processor. Furthermore, the PROG_SE program defines the functional modules of the secure element SE, which rely on or control the hardware elements of the latter.
[0071] Note that, for each of the steps or operations described below and implemented by the secure element SE, the latter may include a corresponding module configured to implement said step or operation.
[0072] As illustrated in [Fig. 1], the secure element SE has a COM_SE communication module configured to communicate with the APP communication device. Communications between the secure element SE and the APP device can, for example, comply with ISO 7816, and more specifically with ISO 7816-3 (published in November 2006) and ISO 7816-4 (published in May 2020).
[0073] Having presented the architectures of the communication device APP and the secure element SE, we now describe the proposed method for loading a communication profile P into the MEM_SE memory of the secure element SE.
[0074] Fig. 2A, Fig. 2B, and Fig. 2C represent a communication device equipped with a secure element during different stages of a process implemented by the secure element and a process implemented by a profile management unit of the communication device according to an implementation mode of the invention.
[0075] As previously stated, the present invention allows a communication profile P to be loaded into the secure element SE of the APP device introduced with reference to [Fig. 1],
[0076] The present invention aims in particular to reduce the time required for a manufacturer to load a profile in a secure element of a communication device at the factory (“In-Factory Profile Loading” in English).
[0077] To do this, the present invention proposes to load the BPP installation package (i.e. an installation package, or "Bound Profile Package" in English) of the profile P into the APP device at the factory and to initiate the loading of the profile P. Then, the loading of the profile P is suspended (i.e. paused) so that the profile stored in the APP device is cryptographically linked to the secure element SE intended to receive this profile.
[0078] Following the suspension of profile loading, the APP device has all the information necessary to complete the installation of profile P in the secure element SE. The proposed solution makes it possible to move the loading and installation of profile P in the secure element SE off-site, thus eliminating time-consuming operations for the manufacturer, while maintaining the same level of security.
[0079] Therefore, the proposed method includes: a first loading phase illustrated by [Fig.3A] (for example, carried out in the factory); and a second loading phase illustrated by [Fig.3B] (for example, carried out once the APP device has been deployed in the field).
[0080] We describe below the proposed method with reference to Figures 3A and 3B. In addition, we also describe Figures 2A, 2B, and 2C, which respectively represent the APP communication device: before the first loading phase S100; between the first loading phase S100 and the second loading phase S200; and following the second loading phase S200.
[0081] It is important to note that the proposed method for loading the profile P into the secure element SE is implemented by the APP device and includes: the steps of a process implemented by the secure element SE equipping the APP device; and the steps of a process implemented by a profile management unit LPA of the APP device.
[0082] The proposed method can implement all or part of the steps of the sub-procedure for installing a profile conforming to the GSMA SGP.22 standard. The following description of the invention will refer to this installation sub-procedure by way of illustrative and non-limiting example, the invention obviously applying to other procedures for installing a profile in a secure element.
[0083] Furthermore, we describe below an example of an implementation of the invention in which the Local Profile Assistant (i.e., the "Local Profile Assistant" in the GSMA SGP.22 standard) is implemented by the LPA profile management unit of the APP communication device. However, the invention is not limited to this example, and it also applies to embodiments in which the Local Profile Assistant module is implemented by the SE secure element.
[0084] Figures [Fig. 3A] and [Fig. 3B] represent, in flowchart form, steps in a process implemented by a safety element equipping a device communication and a method implemented by a profile management unit of the communication device according to an implementation method of the invention.
[0085] We describe below steps involving data exchange between different entities, including the FCT_SRV server, the LPA profile management unit, and the SE secure element. Each of these data exchange steps is implemented by the two communicating entities. For the sake of brevity, we describe these data exchange steps from the perspective of only one entity (e.g., the sender); however, the other entity (e.g., the receiver) also implements a corresponding step. For example, a data sending step by the LPA profile management unit will correspond to a data receiving step by the SE secure element.Similarly, we use below a single reference sign to designate such a data exchange step implemented by the two entities communicating with each other (for example, a single reference sign can be used to designate both the sending by the LPA profile management unit, and the receiving by the SE secure element).
[0086] Figure 3A illustrates the first phase S100 of loading the communication profile P into the secure element SE. As illustrated by this figure, the first loading phase S100 includes all or part of the steps SI 10 to S190 described below.
[0087] As illustrated in [Fig. 2A], prior to implementation of the proposed method, a factory FCT_SRV server includes a BPP installation package for the P profile provided by an SM-DP+ profile delivery server. The BPP installation package includes, in particular, a PK.DP public key from the SM-DP+ server and xPE encrypted elements associated with the P profile.
[0088] At step SI 10, the factory server FCT_SRV sends the BPP installation package to the APP device, which then saves it to its non-volatile memory MEM_APP. In other words, the FCT_SRV server loads the BPP installation package into the APP device.
[0089] Note that, during the first S100 loading phase, the FCT_SRV factory server is not necessarily connected to the SM-DP+ server (i.e., connection-free mode). The BPP installation package for profile P can be pre-generated by the SM-DP+ server and provided to the FCT_SRV factory server.
[0090] Alternatively, an embodiment could be envisaged in which the APP device receives the BPP installation package directly from the SM-DP+ server.
[0091] At step S120, the profile management unit LPA sends a CMD_LBPP initialization command for loading profile P to the secure element SE. The CMD_LBPP command includes initialization data, notably the key The public PK.DP key of the SM-DP+ profile provisioning server. In particular, the public PK.DP key of the SM-DP+ server is a one-time use key associated with the P profile.
[0092] During this step, the LPA profile management unit performs, for example, step [1] of the profile installation sub-procedure as specified in the GSMA SGP.22 standard.
[0093] At step S130, the secure element SE initiates the loading of profile P. The secure element thus generates S-ENC and S-MAC session keys associated with profile P from the PK.DP public key of the SM-DP+ server. This step, and in particular the generation of session keys, ensures that the secure element SE is involved in loading profile P.
[0094] The S-ENC, S-MAC session keys are generated, for example, as follows. An elliptic curve key negotiation algorithm is used to establish a shared secret between the secure element SE and the SM-DP+ server. The S-ENC, S-MAC session keys are then derived from the shared secret using the X9.63 key derivation function with the SHA-256 hash function.
[0095] In addition, the secure element SE can verify the received initialization data and thus the authenticity and integrity of the communication profile P intended to be installed. This step also verifies that the communication interface between the profile management unit LPA and the secure element SE is operational (i.e., functional).
[0096] During this step, the secure element SE performs, for example, step [2] of the profile installation sub-procedure as specified in the GSMA SGP.22 standard.
[0097] At step S140, the profile management unit LPA sends, to the secure element SE, a load suspension command CMD_SSP signaling the secure element SE to suspend the loading of profile P.
[0098] Figure 3A illustrates an embodiment in which the CMD_SSP command is included in a dedicated message sent by the LPA management unit to the SE secure element. In particular, the CMD_SSP command can be issued by the LPA profile management unit in response to a message from the SE secure element indicating that the S-ENC, S-MAC session keys have been generated (message not shown in Figure 3A).
[0099] Alternatively, the CMD_SSP load suspension command could be included in the CMD_LBPP load initialization command sent at step S120. Although, in this alternative, the CMD_SSP command is received as soon as the P profile load initialization, it should be emphasized that the CMD_SSP command instructs the secure element SE to suspend the load after the generation of the S-ENC, S-MAC session keys.
[0100] Figures 3A-3B illustrate, by way of example, an embodiment in which the loading of the P profile is suspended following the generation of the S-ENC and S-MAC session keys and before the installation of PE profile elements by the secure SE element. This embodiment is described in particular because it minimizes the loading time of the P profile performed at the factory by the manufacturer, while ensuring that the P profile stored in the APP communication device is linked to the secure SE element intended to install the P profile.
[0101] However, within the framework of the invention, embodiments could also be envisaged in which the suspension of loading would take place during a later stage of loading the profile P. For example, the loading of the profile P could be suspended following the installation of part of the profile elements PE in the secure element SE.
[0102] At step S150, following receipt of the suspension command CMD_SSP, the secure element SE stores the context data associated with the loading of profile P in its non-volatile memory MEM_SE. Storing this context data allows the loading of profile P to continue later. In particular, the secure element SE stores the session keys S-ENC and S-MAC.
[0103] At step S160, the secure element SE sends, to the profile management unit LPA, a first signed PTK token and suspends the loading of the profile P.
[0104] The secure element SE can, in particular, obtain the first PTK token by generating a nonce (i.e., a random number) and signing it using an encryption key. To sign the nonce, the secure element SE can, for example, use a private key associated with the secure element SE, or an encryption key derived from its unique identifier (i.e., the EID for "eUICC Identifier"), and any hash function (e.g., SHA-256).
[0105] The first PTK token signals to the LPA profile management unit that the secure element SE suspends the loading of profile P. Furthermore, the signature of the first PTK token by the secure element SE proves the involvement of the secure element SE in the loading of profile P.
[0106] At step S170, the LPA profile management unit records, in the non-volatile memory MEM_APP of the APP device, the first PTK token received from the secure element SE.
[0107] At step S180, the LPA profile management unit sends the first PTK token signed by the SE secure element to the factory server FCT_SRV.
[0108] The factory server FCT_SRV can, at step S181, send the first token to the SM-DP+ server, thereby signaling to the network operator that the P profile has been partially loaded into the secure element SE. The signing of the first PTK token by the secure element SE further proves that the P profile has been loaded into the APP device equipped with the secure element SE actually intended to receive this profile P (i.e. the target secure element of this profile).
[0109] Alternatively, the LPA profile management unit could send the first PTK token directly to the SM-DP+ server, or to a network operator server.
[0110] At step S190, the APP communication device is switched off, which also switches off the SE safety element. As detailed below, switching off the APP device is optional and described as a non-limiting example.
[0111] As illustrated by the embodiment in [Fig. 2B], at the end of the first loading phase S100, the APP communication device includes in memory: the BPP installation package including the xPE encrypted elements of profile P; and the first PTK token signed by the secure element SE. The secure element SE itself includes in memory the context data associated with the loading of profile P, including the S-ENC and S-MAC session keys associated with profile P and enabling the decryption of the xPE encrypted elements.
[0112] Thus, the APP device has, at the end of the first loading phase S100, all the information to complete the installation of the profile P in the secure element SE.
[0113] Figure 3B illustrates the second S200 loading phase of the communication profile P into the secure element SE. As illustrated by this figure, the second S200 loading phase includes all or part of the steps S210 to S280 described below.
[0114] At step S210, the APP communication device is powered on (i.e. started), which causes the SE safety element to be powered on.
[0115] Figures 3A-3B represent, by way of non-limiting example, an embodiment in which the APP device is stopped and then restarted between the first phase S100 and the second phase S200 of loading the P profile. This embodiment is described in particular to illustrate a deployment of the APP communication device in the field, i.e. that the APP device has left the manufacturer's factory and is for example supplied to a user.
[0116] However, within the scope of the invention, embodiments could also be envisaged in which the APP communication device is kept powered (i.e. remains on) between the first S100 and the second charging phase S200.
[0117] In general, there are no limitations on the operations performed by the APP device between the first phase S100 and the second phase S200 of loading the profile P. Similarly, there are no limitations on the duration between the first S100 and the second loading phase S200. By way of example, the device APP communication could perform, in a manner similar to the process described above, a first phase of loading another communication profile into the secure element SE.
[0118] At step S220, the LPA profile management unit sends a CMD_RSM load resume command to the SE secure element, signaling the SE secure element to resume loading the communication profile P. This CMD_RSM command triggers the completion of the installation of profile P in the SE secure element and therefore the sending of the remaining packets of the BPP installation package.
[0119] Fig. 3B illustrates an embodiment in which the sending of the CMD_RSM load resumption command is triggered by the power-up of the APP device.
[0120] Alternatively, the reloading command CMD_RSM could be triggered by a network access request from the APP device. Also, reloading the P profile could be triggered by an activation command obtained via a user interface, or an activation command issued by a third-party server (e.g., following pre-activation of the profile over the Internet). A change in the operating mode of the communication device (e.g., exiting "In-Factory Profile Provisioning" mode) could further trigger reloading the P profile.
[0121] At step S230, the secure element SE obtains (i.e., reads from memory) the context data associated with the loading of profile P, and recorded in the non-volatile memory MEM_SE during the suspension of the loading of profile P. In particular, the secure element SE obtains the recorded session keys S-ENC, S-MAC.
[0122] At step S240, the LPA profile management unit sends the first PTK token to the SE secure element.
[0123] The secure element SE then checks the signature of the first PTK token, and therefore its prior involvement in the first phase S100 of loading the profile P. If (and only if) the result of this check is positive (i.e. valid signature), the process continues to the step S260 and the loading of the profile P continues; otherwise (i.e. invalid signature), the process ends.
[0124] At step S25 0, the LPA profile management unit sends the remaining packets of the BPP installation package of profile P to the secure element SE. In particular, the LPA profile management unit sends the encrypted xPE elements of profile P to the secure element SE.
[0125] It should be noted that the transmissions of the CMD_RSM command, the first PTK token, and the xPE encrypted elements can be carried out simultaneously or in separate messages.
[0126] At step S26 0, the secure element SE decrypts the received xPE encrypted elements using the S-ENC, S-MAC session keys.
[0127] At step S27 0, the secure element SE installs the decrypted PE elements of profile P into the MEM_SE memory of the secure element SE. The PE elements of profile P are thus stored in a secure ISD-P domain of the secure element SE.
[0128] During steps S250-S270, the LPA profile management unit and the SE secure element perform, for example, steps [3] to [6] of the profile installation sub-procedure as specified in GSMA standard SGP.22.
[0129] At step S28 0, the secure element SE sends a second PIR token signed by the secure element SE to the profile management unit LPA, for example using a private key associated with the secure element SE. The second PIR token indicates that the installation of the P profile in the secure element SE is complete.
[0130] The LPA profile management unit can send, at step S281, the second PIR token to the SM-DP+ server, which allows the network operator to be notified that the installation of the communication profile P in the secure element SE has been completed.
[0131] As illustrated in [Fig. 2C], at the end of the second loading phase S200, the communication profile P, consisting of the (decrypted) PE elements of the profile, is installed in the secure element SE. Following this second phase S200, the APP device can then access the services of the network operator associated with the profile P. The APP communication device includes in its memory the second PIR token signed by the secure element SE.
[0132] It should be noted that the order in which the steps of a process implemented by a secure element equipping a communication device or the steps of a process implemented by a profile management unit of the communication device are linked, in particular with reference to the attached drawings, constitutes only one example of an embodiment without any limiting character, variants being possible.
[0133] A person skilled in the art will understand that the embodiments and variants described above are merely non-limiting examples of implementation of the invention. In particular, a person skilled in the art may consider any adaptation or combination of the embodiments and variants described above to meet a specific need.
[0134] The term module can refer to a software component, a hardware component, or a set of hardware and software components. A software component itself corresponds to one or more computer programs or subprograms, or more generally to any element of a program capable of implementing a function or set of functions as described for the modules concerned. Similarly, a hardware component corresponds to any element of a hardware assembly capable of implementing a function or set of functions for the module in question.
Claims
1. Demands A method implemented by a secure element (SE) equipping a communication device (APP), the method comprising, for a communication profile (P), a first phase (S 100) of loading the profile (P) into the secure element (SE) comprising: - a reception (S 120), from a profile management unit (LPA) of the communication device (APP), of a public key (PK.DP) from a profile delivery server (SM-DP+) associated with the profile (P); - a generation (S 130) of session keys (S-ENC, S-MAC) from the public key (PK.DP) of the profile provisioning server (SM-DP+) associated with the profile (P); - following the receipt (S 140) of a load suspension command (CMD_SSP) from the profile management unit (LPA), a suspension (S150-S160) of the profile (P) load including: • a record (S150), in a memory (MEM_SE) of the secure element (SE), of the generated session keys (S-ENC, S-MAC); and • a transmission (S 160), to the Profile Management Unit (LPA), of a token (PTK) signed using an encryption key from the secure element (SE); and a second phase (S200) of loading the profile (P) outside the factory, including, following the receipt (S220) of a reloading order (CMD_RSM) from the profile management unit (LPA): - a reception (S240, S250), from the profile management unit (LPA), of the token (PTK) and encrypted profile elements (xPE); and - a decryption (S260) of the encrypted elements (xPE) of the profile (P) from the recorded session keys (S-ENC, S-MAC) and an installation (S270) of the decrypted elements of the profile (P) in the memory (MEM_SE) of the secure element (SE).
2. A method according to claim 1, wherein the token (PTK) signed by the secure element (SE) is sent (S 180) to the profile delivery server (SM-DP+) or a third-party server (FCT_SRV).
3. A method according to any one of claims 1 and 2, wherein the second loading phase (S200) is triggered by: a power-up (S210) of the communication device (APP); a network access request of the communication device (APP); an activation command obtained via a user interface; an activation command issued by a third-party server; or a change in an operating mode of the communication device (APP).
4. A method according to any one of claims 1 to 3, comprising, following the first loading phase (S 100) and before the second loading phase (S200), a power-off (S 190) and a power-up (S210) of the communication device (APP), the second loading phase is triggered by: the power-up (S210) of the communication device (APP); or by a network access request following the power-up (S210).
5. A method according to any one of claims 1 to 4, comprising, for another communication profile, a said first phase (S 100) of loading the other profile.
6. A method according to any one of claims 1 to 5, wherein the load suspension command (CMD_SSP) and the public key (PK.DP) of the profile provisioning server (SM-DP+) are included in the same message (CMD_LBPP).
7. Method implemented by a profile management unit (LPA) of a communication device (APP), the method comprising, for a communication profile (P), a first phase (S 100) of loading the profile (P) into a secure element (SE) equipping the communication device (APP) comprising: - a recording (SI 10), in a memory of the communication device (MEM_APP), of encrypted elements of the profile (P) provided by a profile provisioning server (SM-DP+);
8. - a transmission (S 120), to the secure element (SE), of a key public (PK.DP) of the profile delivery server (SM-DP+) associated with the profile (P); - a dispatch (S 140), to the secure element (SE), of a load suspend command (CMD_SSP); and - a recording (S 170), in the device's memory communication (APP), a token (PTK) received from the secure element (SE) and signed by the secure element (SE) using an encryption key of the secure element (SE); and a second phase (S200) of loading the profile (P) outside the factory comprising: - a transmission (S220), to the secure element (SE), of a load resumption command (CMD_RSM); and - a transmission (S240, S250), to the secure element (SE), of the token (PTK) and encrypted elements (xPE) of the profile (P). Elément sécurisé (SE) comprenant : - a receiving module (S 120), from a profile management unit (LPA) of a communication device (APP), of a public key (PK.DP) of a profile delivery server (SM-DP+) associated with the profile (P); - a module for generating session keys (S-ENC, S-MAC) from the public key (PK.DP) of the profile provisioning server (SM-DP+) associated with the profile (P); - a suspension module (S150-S160) for a profile load (P) following the receipt (S140) of a load suspension command (CMD_SSP) from the profile management unit (LPA), the suspension module comprising: • a recording module (S150), in a memory (MEM_SE) of the secure element (SE), of the generated session keys (S-ENC, S-MAC); and
9. • a sending module (S 160), to the profile management unit (LPA), of a token (PTK) signed from an encryption key of the secure element (SE); - a resume module (S200) for loading the profile (P), following the receipt (S220) of a resume loading command (CMD_RSM) from the profile management unit (LPA), the resume module comprising: • a receiving module (S240, S250), from the profile management unit (LPA), the token (PTK), and encrypted profile elements (xPE); and • a decryption module (S260) for the encrypted elements (xPE) of the profile (P) from the recorded session keys (S-ENC, S-MAC) and; • an installation module (S270) of the decrypted elements of the profile (P) in the memory (MEM_SE) of the secure element (SE). Communication Profile Management Unit (LPA) of a communication device (APP) and comprising: - a recording module (SI 10), in a memory of the communication device (MEM_APP), of encrypted elements of the profile (P) provided by a profile provision server (SM-DP+); - a sending module (S 120), to a secure element (SE) equipping the communication device (APP), of a public key (PK.DP) of the profile provisioning server (SM-DP+) associated with the profile (P); - a sending module (S 140), to the secure element (SE), of a load suspension command (CMD_SSP); - a recording module (S 170), in the memory of the communication device (APP), of a token (PTK) received from the secure element (SE) and signed by the secure element (SE) from an encryption key of the secure element (SE), following the receipt, by the secure element (SE) of the load suspension command (CMD_SSP); - a sending module (S220), to the secure element (SE), of a load resumption command (CMD_RSM); and - a sending module (S240, S250), to the secure element (SE), of the token (PTK) and encrypted elements (xPE) of the profile (P).
10. Communication device (APP) comprising a secure element (SE) according to claim 8 and / or a profile management unit (LPA) according to claim 9.
11. Computer program (PROG_SE, PROG_APP) comprising instructions for carrying out the steps of a process according to any one of claims 1 to 6 when the program is executed by at least one processor (PROC_SE), or for carrying out the steps of a process according to claim 7 when said program is executed by at least one processor (PROC_APP).
12. Information carrier (MEM_SE, MEM_APP) readable by a processor (PROC_SE, PROC_APP) on which a computer program (PROG_SE, PROG_APP) according to claim 11 is stored.