BERARD XAVIER (FR)
GACHON DENIS (FR)
MERRIEN LIONEL (CA)
BERARD XAVIER (FR)
GACHON DENIS (FR)
| WO2004021296A1 | 2004-03-11 |
| EP2076071A1 | 2009-07-01 | |||
| US20080261561A1 | 2008-10-23 | |||
| SE2008050380W | 2008-04-02 | |||
| US20050266883A1 | 2005-12-01 |
| Claims 1. Method for transmitting a Sim application of a first terminal to a second terminal, said Sim application being stored in a secure element included in the first terminal, the access to said Sim application being locked by a Pin code, wherein it consists in: i - exporting said Sim application from said first terminal to a distant site, by including said Pin code as well as a remote loading code; ii - ask to the user of said second terminal to enter said remote loading code in said second terminal; iii- in the event the remote loading code entered by said user matches the remote loading code that has been exported, authorizing the installation of said Sim application in a secure element of said second terminal, and otherwise, do not install said Sim application in said secure element of said second terminal. 2. Method according to claim 1 , wherein the match of said remote loading codes is checked at the level of said distant site and said match launches the downloading of said Sim application to the secure element of said second terminal and said installation. 3. Method according to claim 1 , wherein the match of said remote loading codes is checked at the level of said second terminal, after said Sim application has been downloaded to said secure element of said second terminal, said match launching the installation of said Sim application in the secure element of said second terminal. 4. Method according to any of the claims 1 to 3, wherein said remote loading code is ciphered. 5. Method according to any of the claims 1 to 4, wherein said remote loading code is a pass phrase. 6. Method according to any of the claims 1 to 5, wherein said terminal is a machine. |
The present invention concerns a method for transmitting a Sim application of a first terminal to a second terminal.
A Sim application is typically installed in a secure element like a UlCC. The secure element is installed, fixedly or not, in a terminal, like for example a mobile phone. In some cases, the terminals are constituted by machines that communicate with other machines for M2M (Machine to Machine) applications.
A UlCC (Universal Integrated Circuit Card) can be in the format of a smart card, or may be in any other format such as for example but not limited to a packaged chip as described in PCT/SE2008/050380, or any other format. It can be used in mobile terminals in GSM and UMTS networks for instance. The UlCC ensures network authentication, integrity and security of all kinds of personal data.
In a GSM network, the UlCC contains mainly a SIM application and in a UMTS network it is the USIM application. A UlCC may contain several other applications, making it possible for the same smart card to give access to both GSM and UMTS networks, and also provide storage of a phone book and other applications. It is also possible to access a GSM network using an USIM application and it is possible to access UMTS networks using a SIM application with mobile terminals prepared for this. With the UMTS release 5 and later stage network like LTE, a new application, the IP multimedia Services Identity Module (ISIM) is required for services in the IMS (IP Multimedia Subsystem). The telephone book is a separate application and not part of either subscription information module.
In a CDMA network, the UlCC contains a CSIM application, in addition to 3GPP USIM and SIM applications. A card with all three features is called a removable user identity card, or R-UIM. Thus, the R-UIM card can be inserted into CDMA, GSM, or UMTS handsets, and will work in all three cases.
In 2G networks, the SIM card and SIM application were bound together, so that "SIM card" could mean the physical card, or any physical card with the SIM application.
The UlCC smart card consists of a CPU, ROM, RAM, EEPROM and I/O circuits. Early versions consisted of the whole full-size (85 * 54 mm, ISO/IEC 7810 ID-1 ) smart card. Soon the race for smaller telephones called for a smaller version of the card.
Since the card slot is standardized, a subscriber can easily move their wireless account and phone number from one handset to another. This will also transfer their phone book and text messages. Similarly, usually a subscriber can change carriers by inserting a new carrier's UlCC card into their existing handset. However, it is not always possible because some carriers (e.g. in U.S.) SIM-LOCK the phones that they sell, thus preventing competitor carriers' cards being used.
The integration of the ETSI framework and the Application management framework of Global Platform is standardized in the UlCC configuration.
UICCs are standardized by 3GPP and ETSI.
A UlCC can normally be removed from a mobile terminal, for example when the user wants to change his mobile terminal. After having inserted his UlCC in his new terminal, the user will still have access to his applications, contacts and credentials (network operator).
It is also known to solder or weld the UlCC in a terminal, in order to get it dependent of this terminal. This is done in M2M (Machine to Machine) applications. The same objective is reached when a chip (a secure element) containing the SIM or USIM applications and files is contained in the terminal. The chip is for example soldered to the mother-board of the terminal or machine and constitutes an UlCC.
Some of the further disclosed improvements apply to such soldered UICCs or to such chips containing the same applications than the chips comprised in UICCs. A parallel can be done for UICCs that are not totally linked to devices but that are removable with difficulty because they are not intended to be removed, located in terminals that are distant or deeply integrated in machines. A special form factor of the UlCC (very small for example and therefore not easy to handle) can also be a reason to consider it as in fact integrated in a terminal. The same applies when a UlCC is integrated in a machine that is not intended to be opened.
In the next description, welded UICCs or chips containing or designed to contain the same applications than UICCs will generally be called embedded UICCs or embedded secure elements (in contrast to removable UICCs or removable secure elements). This will also apply to UICCs or secure elements that are removable with difficulty.
The present invention concerns the authentication of the end user of a terminal during SIM application transfer, in a given context, an entire Sim application (meaning personal data, file system, Java applications like bank applications for example, and secrets) is stored in an embedded UlCC comprised in a first terminal (for example soldered in a first mobile phone) and a user wishes to transfer this entire Sim application in another embedded UlCC comprised in a second terminal (for example constituted by a second mobile terminal). This can happen when a user changes his mobile phone but does not want to lose the applications, contacts and personal data such as photographs, videos or songs stored in the UlCC of his first mobile phone. Such a problem does not occur when the Sim application is stored in a Sim card that can be removed from a mobile phone and inserted in another one since when a secure element like a UICC is soldered onto the mobile phone, it is not possible to physically change the secure element, containing the SIM application, from a mobile phone to another one.
The general process to achieve this operation of transfer of the Sim application could normally be the following:
- The secure element packages the installed SIM in a way it can be reinstalled on another secure element. This packaging must be secured, meaning, ciphered in order than only the targeted secure element is able to read it, and signed in order to ensure that the package comes from the initial secure element;
- The packaged SIM is uploaded to a secure vault on the cloud (Internet). This operation may be required in the case the targeted secure element is not known at the packaging time;
- The packaged SIM is downloaded to the targeted new secure element;
- The targeted secure element performs security checking and then can install the downloaded packaged SIM.
The result is that the initial complete Sim has been transferred in another secure element, with the whole user environment.
A similar method is disclosed in US2005/0266883 from Nokia Corporation.
When initiating the initial transfer from initial secure element up to the secure vault, we can imagine that the end user is entering a PIN code to authenticate himself and confirm the operation. But a problem occurs when it is desired to transfer the packaged SIM again from secure vault to the targeted secure element: How to be sure that the request is coming from the same end user? There is no possibility to enter again the PIN code as it is part of the SIM application and it is necessary to be sure of the identity of the end user before installing the SIM in the targeted new secure element. This problem could lead to the fact that the subscription carried with the SIM could be installed and reused by another user.
In order to avoid this problem, it could be possible to first install the SIM in the targeted secure element and then to request for PIN authentication. However, the drawback is that installation of the Sim has been made and the authentication is not strong since, for a PIN code on 4 digits, after maximum 10.000 trials, a dishonest person could find the correct PIN code and use the Sim application of another user (and consequently his subscription).
The present invention has the purpose to solve this problem. In this respect, the present invention proposes a method for transmitting a Sim application of a first terminal to a second terminal, the Sim application being stored in a secure element included in the first terminal, the access to the Sim application being locked by a Pin code. According to this invention, the method consists in:
i - exporting the Sim application from the first terminal to a distant site, by including the Pin code as well as a remote loading code;
ii - ask to the user of the second terminal to enter the remote loading code in the second terminal;
iii- in the event the remote loading code entered by the user matches the remote loading code that has been exported, authorizing the installation of the Sim application in a secure element of the second terminal, and otherwise, do not install the Sim application in the secure element of the second terminal.
Advantageously, the match of the remote loading codes is checked at the level of the distant site and the match launches the downloading of the Sim application to the secure element of the second terminal and the installation.
Alternatively, the match of the remote loading codes is checked at the level of the second terminal, after the Sim application has been downloaded to the secure element of the second terminal, the match launching the installation of the Sim application in the secure element of the second terminal.
The remote loading code is preferably ciphered.
In a preferred embodiment, the remote loading code is a pass phrase.
Other features of the improvement will emerge from a reading of the following description of a preferred embodiment given by way of non-limiting illustrative example.
The present invention proposes to request the end-user to enter a remote loading code in addition to the PIN code to confirm the export of the SIM application to a distant site (the secure vault). The remote loading code can for example be a pass phrase.
This pass phrase is ciphered and included in the secure packaged SIM that is uploaded to the secure vault on the cloud. Thus, the secure vault stores the packaged Sim (the subscription comprised in the secure element, the PIN code, the environment, the authentication secrets, the applicative keys (Security Domain), the different keys of the different applications, the PKI keys, the different applications (NFC, bank,...), the ISD (Issuer Security Domain), the file system,...) and the remote loading code in a unique package that can be later downloaded to a new secure element. Before installing this package to the new secure element, the user of the second terminal comprising the secure element is asked to enter the remote loading code in the second terminal.
If the remote loading code entered by said user matches the remote loading code that has been exported, the installation of the Sim application in the secure element of the second terminal is authorized. Otherwise, the installation is not done.
Two different ways of operating can be used: the first one consists in checking the match of the remote loading codes at the level of the secure vault. If the codes match, the Sim application is downloaded to the secure element and then executed.
The second one consists in checking the match of the remote loading codes at the level of the second terminal, after having downloaded the Sim application in the secure element of the second terminal. If the codes match, the Sim application is installed in the secure element of the second terminal.
After having been installed, the Sim application can be launched by the user by entering his PIN code.
In a preferred embodiment, the remote loading code is enciphered. In the first embodiment, the secure vault un-ciphers the pass phrase contained in the packaged SIM. In the second embodiment, the secure element does this un-ciphering.
The invention permits to enhance the overall security of transfer of the Sim application since it ensures that the SIM application is exported and imported by the same end-user.
The end-user is typically the owner of a terminal, like for example a mobile phone. In M2M applications, the end-user is the installer, for example the electrical installer of an electrical machine.