Embedded Universal Integrated Circuit Card Supporting Two-Factor Authentication

Patent No. US11916893 (titled "Embedded Universal Integrated Circuit Card Supporting Two-Factor Authentication") was filed by Nix John A on Dec 10, 2021.

’893 is related to the field of wireless communication , specifically addressing the challenges of managing network access credentials in embedded universal integrated circuit cards (eUICCs). Traditional SIM cards are difficult to manage in machine-to-machine (M2M) applications due to remote locations and the need for hermetically sealed devices. eUICCs offer a software-based solution, but securely transferring network credentials remains a challenge, especially while maintaining compatibility with existing networks that rely on pre-shared secret keys.

The underlying idea behind ’893 is to enhance the security and flexibility of eUICCs by implementing a two-factor authentication scheme and a mechanism for mutually deriving a network key . The mobile device initially connects to the network using a first set of credentials, then authenticates the user or device using a second factor. After successful second-factor authentication, a symmetric key is provided, enabling the decryption of a second set of network credentials. This allows the mobile network operator (MNO) to retain control over the use of the second key, even if the eUICC profile is distributed outside of the MNO's direct control.

The claims of ’893 focus on a mobile device with an eUICC that is configured to communicate with a wireless network. The device includes a memory for storing the eUICC identity, a random number generator for creating an eUICC private key, and a radio for transmitting the eUICC identity and public key to a subscription manager. The eUICC itself is configured to derive a profile key using an elliptic curve Diffie-Hellman (ECDH) key exchange, decrypt portions of the eUICC profile using both the profile key and a symmetric key, and generate a response value for authenticating with the wireless network using a key K.

In practice, the invention allows a mobile device to connect to a wireless network using a first set of credentials, which might provide limited access. The user then authenticates using a second factor, such as entering credentials on a web page. Upon successful authentication, the MNO provides a symmetric key that unlocks the second set of network credentials, enabling full network access. This approach differs from prior solutions by adding a layer of security and control for the MNO, as the second set of credentials remains encrypted until the user is properly authenticated.

This approach also allows for the dynamic rotation of network keys without requiring physical intervention or the distribution of new eUICC profiles. The MNO and the mobile device can mutually derive a new key using a key derivation algorithm and a shared token. This enables the mobile device to disconnect from the network and reconnect using the newly derived key, enhancing security and reducing the costs associated with managing network access credentials.

How does this patent fit in bigger picture?

Technical landscape at the time

In the early 2010s when ’893 was filed, machine-to-machine (M2M) communication was an emerging field, at a time when wireless wide area networks were typically designed and optimized for mobile phones. Systems commonly relied on subscriber identity module (SIM) cards within 2G networks and a related universal integrated circuit card (UICC) for 3G and 4G networks, including LTE networks. The use of wireless technologies with M2M communications created new opportunities for the deployment of M2M modules in locations less suitable for fixed-wire Internet access, but hardware or software constraints made securely and electronically transferring a new set of MNO network access credentials (such as an IMSI and network key K) to a module in a secure and efficient manner non-trivial.

Novelty and Inventive Step

The examiner allowed the claims because the prior art, whether taken individually or in combination, failed to disclose or make obvious the following: receiving an eUICC profile from a subscription manager that includes network parameters, a key K, a subscriber identity, and a symmetric key; decrypting a first portion of the eUICC profile using a profile key; and decrypting a second portion of the eUICC profile using the symmetric key, where the second portion includes the key K and the subscriber identity.

Claims

This patent contains 17 claims, with claim 1 being the only independent claim. Independent claim 1 is directed to a mobile device configured for wireless network communication, focusing on the device's components and their interactions for secure profile management using an embedded universal integrated circuit card (eUICC). The dependent claims elaborate on and further define the elements and functionalities described in the independent claim, providing more specific details and alternative embodiments of the mobile device and its components.

Key Claim Terms New

Definitions of key terms used in the patent claims.

Term (Source)	Support for Specification	Interpretation
Ecdh key exchange (Claim 1)	“An ECDH key exchange in a step 303 could comprise the message received by a eUICC 107 including a common base point G. The base point G could also be sent from an eUICC 107 to eUICC subscription manager 109. The base point G for an ECDH key exchange in a step 303 could also be recorded with the eUICC in a step 301 above, and in this case the message at a step 303 received by an eUICC 107 could comprise a signal to initiate or use a key exchange for deriving the eUICC profile key 107b.”	A process where the eUICC derives a profile key using an elliptic curve Diffie Hellman key exchange with the eUICC private key and a subscription manager public key.
Embedded universal integrated circuit card (Claim 1)	“By using an eUICC, where the eUICC can support both (i) the authentication of a user by the MNO, and (ii) the secure decryption or derivation of the key K under control of the MNO, the value and usefulness of modules can be increased for a user and a mobile operator network. An eUICC can also comprise software and/or firmware components to “virtualize” the operation of a physical UICC, such that (i) the data normally recorded in a physical UICC can be recorded in a file with encryption, and (ii) the steps for using the data in the file can be processed by an eUICC.”	A virtualized UICC implemented in software and/or firmware, where data normally recorded in a physical UICC can be recorded in a file with encryption, and the steps for using the data in the file can be processed by the eUICC.
Profile key (Claim 1)	“An ECDH key exchange in a step 303 could comprise the message received by a eUICC 107 including a common base point G. The base point G could also be sent from an eUICC 107 to eUICC subscription manager 109. The base point G for an ECDH key exchange in a step 303 could also be recorded with the eUICC in a step 301 above, and in this case the message at a step 303 received by an eUICC 107 could comprise a signal to initiate or use a key exchange for deriving the eUICC profile key 107b.”	A key derived by the eUICC using an ECDH key exchange, used to decrypt a first portion of the eUICC profile.
Response value (Claim 1)	“Continuing with this first embodiment, the module can forward the RAND to the eUICC with the activated profile. The eUICC can input the first RAND and the first key K into a cryptographic algorithm in order to output a response RES value. The eUICC can return the RES value to the module, and the module could forward the RES to the wireless network. The wireless network can compare the received RES with a stored, expected RES (previously calculated using the same first RAND and first key K), and if the two RES values match then the module with the eUICC and profile can be authenticated by the network.”	A value generated by the eUICC for authentication of the mobile device with the wireless network using the key K.
Symmetric key (Claim 1)	“Continuing with this first embodiment, after successful authentication with the second factor, the mobile network operator can send a symmetric key to the module. The symmetric key can be encrypted with a key ciphering algorithm. Or, the symmetric key can be (i) plaintext at the application layer, and (ii) encrypted at the data-link layer using the encryption between the module and wireless network after the first authentication above with the first key K.”	A key received from a network application operating in the mobile device, used by the eUICC to decrypt a second portion of the eUICC profile.

Litigation Cases New

US Latest litigation cases involving this patent.

Case Number	Filing Date	Title
2:25-cv-00667	Jun 27, 2025	Network-1 Technologies, Inc. v. SAMSUNG ELECTRONICS CO., LTD. et al

Patent Family

File Wrapper

The dossier documents provide a comprehensive record of the patent's prosecution history - including filings, correspondence, and decisions made by patent offices - and are crucial for understanding the patent's legal journey and any challenges it may have faced during examination.

Get instant alerts for new documents

US11916893

NIX JOHN A

Application Number: US17547990
Filing Date: Dec 10, 2021
Status: Granted
Expiry Date: Dec 6, 2033
External Links: Slate, USPTO, Google Patents

IP Verse