Designers and producers of devices keep track of manufactured devices with SKU (stock keeping unit) numbers, identifiers or codes. A SKU represents a distinct type of item for sale. A SKU also represents attributes of a product, such as description, color, and size. When a business takes an inventory, it counts the quantity it has of each item associated with a given SKU. Within a group of devices with the same SKU, each item has a unique identifier. Examples of unique device identifiers used in the manufacture and use of wireless devices are serial numbers and international mobile equipment identifiers (IMEIs).
Aspects of remote SIM provisioning include the downloading, installing, enabling, disabling, switching and deleting of a profile on an electronic universal integrated circuit card (eUICC). An eUICC is a secure element for hosting profiles. A unique identifier of an eUICC is an EID (eUICC-ID), which can also be referred to as a secure element identifier. A profile is a combination of mobile network operator (MNO) data and applications provisioned on an eUICC in a device for the purposes of providing services by the MNO, also referred to as a cellular carrier, a telecommunications carrier, or a carrier herein. A profile can contain one or more items of secure data used to prove identity and thus verify contract rights to services. During assembly of a device, the eUICC can be inserted into the device. A manufacturer of the device will associate the device with a SKU.
A profile can be identified by a unique number called an ICCID (Integrated Circuit Card Identifier). Profile management can include a combination of local and remote management operations such as enable profile, disable profile, delete profile, and query profiles present on an eUICC. An MNO provides access capability and communication services to its subscribers through a mobile network infrastructure. In some cases, the device is user equipment used in conjunction with an eUICC to connect to a mobile network. In a machine-to-machine (M2M) environment, a device may not be associated with a user and may have no user interface. An end user is a person using a (consumer or enterprise) device. An enabled profile can include files and/or applications which are selectable over an eUICC-device interface. A device belonging to an end user thus needs a profile in order to make the device functional with a given MNO or carrier.
A function which provides profile packages is known as a subscription manager data preparation (SM-DP, or SM-DP+) or as an eSIM delivery server. An eSIM delivery server may also be referred to as a profile provider. An eSIM is an electronic SIM. An eSIM is an example of a profile. A profile package can be a personalized profile using an interoperable description format that is transmitted to an eUICC as the basis for loading and installing a profile. A bound profile package (BPP) is a profile encrypted with an encryption key based on an identity (or credentials, such as a public key-private key pair) of the eUICC into which the profile is to be installed. Profile data that are unique to a subscriber, e.g., a phone number or an International Mobile Subscriber Identity (IMSI), are examples of personalization data. The eSIM delivery server communicates over an interface with an eUICC. Certificates used for authentication and confidentiality purposes can be generated by a trusted certificate issuer. Thus, a device can cooperate with an eSIM delivery server to make the device functional for the end user with a given carrier.
A technical specification related to remote provisioning and management of eUICCs in devices is outlined in GSM Association document GSMA SGP.22: “RSP Technical Specification,” Version 1.0 Jan. 13, 2016 (hereinafter “SGP.22”).
An eUICC includes an operating system, and the operating system can include the ability to provide authentication algorithms to network access applications associated with a given operator. The operating system also can include the ability to translate profile package data into an installed profile using a specific internal format of the eUICC. An ISD-P (issuer security domain - profile) can host a unique profile within an eUICC. The ISD-P is a secure container or security domain for the hosting of the profile. The ISD-P is used for profile download and installation based on a received bound profile package. A bound profile package (BPP) is a profile package which has been encrypted for a target eUICC. An ISD-R (issuer security domain - root) is a function in an eUICC responsible for the creation of new ISD-Ps on the eUICC. An ECASD (embedded UICC controlling authority security domain) provides secure storage of credentials required to support the security domains on an eUICC. A controlling authority security domain (CASD) may also be referred to as a “key store” herein. A security domain within the eUICC contains the operator's over the air (OTA) keys and provides a secure OTA channel. OTA keys are credentials used by an operator for remote management of operator profiles on an eUICC. Thus, a BPP is a kind of data vehicle by which a profile is delivered to a device from an eSIM server. After installation of the eSIM from the BPP, the device becomes functional for the user with the carrier associated with the eSIM.
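As an added illustration (not code from this document or from SGP.22), the following Python model sketches the roles described above: a delivery server binds a package to one EID, the ISD-R role checks that binding and creates an ISD-P per ICCID, and the enable, disable, delete and query operations act on those ISD-Ps. The HMAC tag is a stand-in for the encryption that binds a BPP to its target eUICC; the class and function names, the one-enabled-profile and disable-before-delete rules, and the sample EID and key values are assumptions of the model.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def _tag(key: bytes, eid: str, iccid: str) -> bytes:
    # Stand-in for BPP encryption: a MAC only the target eUICC's key can reproduce.
    return hmac.new(key, f"{eid}|{iccid}".encode(), hashlib.sha256).digest()

def bind_profile(iccid: str, eid: str, euicc_key: bytes) -> dict:
    """Delivery-server side: produce a package bound to one target eUICC."""
    return {"iccid": iccid, "eid": eid, "tag": _tag(euicc_key, eid, iccid)}

@dataclass
class EUICC:
    eid: str
    ecasd_key: bytes                            # credential kept in the ECASD
    isd_p: dict = field(default_factory=dict)   # ICCID -> state; one ISD-P per profile

    def install(self, bpp: dict) -> None:
        """ISD-R role: check the binding, then create an ISD-P for the profile."""
        good = hmac.compare_digest(_tag(self.ecasd_key, self.eid, bpp["iccid"]), bpp["tag"])
        if bpp["eid"] != self.eid or not good:
            raise PermissionError("package is not bound to this eUICC")
        if bpp["iccid"] in self.isd_p:
            raise ValueError("ICCID already installed")
        self.isd_p[bpp["iccid"]] = "disabled"

    def enable(self, iccid: str) -> None:
        if iccid not in self.isd_p:
            raise KeyError(iccid)
        for other in self.isd_p:                # model assumption: one enabled profile
            self.isd_p[other] = "disabled"
        self.isd_p[iccid] = "enabled"

    def disable(self, iccid: str) -> None:
        if self.isd_p.get(iccid) != "enabled":
            raise ValueError("profile is not enabled")
        self.isd_p[iccid] = "disabled"

    def delete(self, iccid: str) -> None:
        if self.isd_p[iccid] == "enabled":      # model assumption: disable before delete
            raise ValueError("disable the profile before deleting it")
        del self.isd_p[iccid]

    def query(self) -> dict:
        return dict(self.isd_p)

# Constructed sample values (not real identifiers; check digits not computed).
EID_A, EID_B = "89" + "0" * 29 + "1", "89" + "0" * 29 + "2"
KEY_A, KEY_B = b"A" * 32, b"B" * 32
```

A package produced with `bind_profile(..., EID_B, KEY_B)` is refused by an `EUICC(EID_A, KEY_A)` instance, which is the property that makes a BPP usable only on its target eUICC.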
eUICCs comprise several security domains for the purposes of profile management. Identifiers are associated with security domains. Applications within a security domain have a trust relationship. Further description of profiles (eSIMs), profile provisioning, download of bound profile packages, and of security domains is available in SGP.22.