The present improvements concern different topics related to the management of secure elements, such as UICCs embedding SIM applications. These secure elements are installed, fixedly or not, in terminals such as mobile phones. In some cases, the terminals are machines that communicate with other machines for M2M (Machine to Machine) applications.
A UICC (Universal Integrated Circuit Card) can take the form of a smart card or any other format, for example (but not limited to) a packaged chip as described in PCT/SE2008/050380. It can be used in mobile terminals in GSM and UMTS networks, for instance. The UICC ensures network authentication, integrity and security of all kinds of personal data.
In a GSM network, the UICC contains mainly a SIM application and in a UMTS network it is the USIM application. A UICC may contain several other applications, making it possible for the same smart card to give access to both GSM and UMTS networks, and also provide storage of a phone book and other applications. It is also possible to access a GSM network using a USIM application, and it is possible to access UMTS networks using a SIM application with mobile terminals prepared for this. With UMTS release 5 and later-stage networks such as LTE, a new application, the IP multimedia Services Identity Module (ISIM), is required for services in the IMS (IP Multimedia Subsystem). The telephone book is a separate application and not part of either subscription information module.
In a CDMA network, the UICC contains a CSIM application, in addition to 3GPP USIM and SIM applications. A card with all three features is called a removable user identity card, or R-UIM. Thus, the R-UIM card can be inserted into CDMA, GSM, or UMTS handsets, and will work in all three cases.
In 2G networks, the SIM card and SIM application were bound together, so that “SIM card” could mean the physical card, or any physical card with the SIM application.
The UICC smart card consists of a CPU, ROM, RAM, EEPROM and I/O circuits. Early versions consisted of the whole full-size (85×54 mm, ISO/IEC 7810 ID-1) smart card. Soon the race for smaller telephones called for a smaller version of the card.
Since the card slot is standardized, a subscriber can easily move their wireless account and phone number from one handset to another. This will also transfer their phone book and text messages. Similarly, a subscriber can usually change carriers by inserting a new carrier's UICC card into their existing handset. However, this is not always possible because some carriers (e.g. in the U.S.) SIM-lock the phones that they sell, thus preventing competitor carriers' cards from being used.
The integration of the ETSI framework and the Application management framework of Global Platform is standardized in the UICC configuration.
UICCs are standardized by 3GPP and ETSI.
A UICC can normally be removed from a mobile terminal, for example when the user wants to change his mobile terminal. After having inserted his UICC in his new terminal, the user will still have access to his applications, contacts and credentials (network operator).
It is also known to solder or weld the UICC in a terminal, in order to make it dependent on this terminal. This is done in M2M (Machine to Machine) applications. The same objective is reached when a chip (a secure element) containing the SIM or USIM applications and files is contained in the terminal. The chip is for example soldered to the motherboard of the terminal or machine and constitutes a UICC.
Some of the further disclosed improvements apply to such soldered UICCs or to such chips containing the same applications as the chips comprised in UICCs. A parallel can be drawn for UICCs that are not totally linked to devices but that are removable with difficulty because they are not intended to be removed, being located in terminals that are distant or deeply integrated in machines. A special form factor of the UICC (very small, for example, and therefore not easy to handle) can also be a reason to consider it as in fact integrated in a terminal. The same applies when a UICC is integrated in a machine that is not intended to be opened.
In the following description, welded UICCs or chips containing or designed to contain the same applications as UICCs will generally be called embedded UICCs or embedded secure elements (in contrast to removable UICCs or removable secure elements). This will also apply to UICCs or secure elements that are removable with difficulty.
The first improvement concerns the authentication of the end user of a terminal during SIM application transfer. In a given context, an entire SIM application (meaning personal data, file system, Java applications such as bank applications, and secrets) is stored in an embedded UICC comprised in a first terminal (for example soldered in a first mobile phone), and a user wishes to transfer this entire SIM application to another embedded UICC comprised in a second terminal (for example constituted by a second mobile terminal). This can happen when a user changes his mobile phone but does not want to lose the applications, contacts and personal data such as photographs, videos or songs stored in the UICC of his first mobile phone.
Such a problem does not occur when the SIM application is stored in a SIM card that can be removed from one mobile phone and inserted in another. When a secure element like a UICC is soldered onto the mobile phone, however, it is not possible to physically move the secure element containing the SIM application from one mobile phone to another.
The general process to achieve this transfer of the SIM application could normally be the following:
- The secure element packages the installed SIM in a way that it can be reinstalled on another secure element. This packaging must be secured, meaning ciphered so that only the targeted secure element is able to read it, and signed in order to ensure that the package comes from the initial secure element;
- The packaged SIM is uploaded to a secure vault on the cloud (Internet). This operation may be required in case the targeted secure element is not known at packaging time;
- The packaged SIM is downloaded to the targeted new secure element;
- The targeted secure element performs security checking and then can install the downloaded packaged SIM.
The result is that the initial complete SIM has been transferred to another secure element, with the whole user environment.
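The four steps above can be sketched as follows. This is an added example, not code from the original document: the function names, the vault modelled as a dictionary, the key values and the SIM image are all assumptions, and the cipher and signature are standard-library stand-ins named in the comments.

```python
import hashlib, hmac, os

# Stand-ins (assumptions) so the flow runs with the standard library only:
# a SHA-256 counter keystream plays the cipher and HMAC plays the signature.
# A real design would use an AEAD cipher and an asymmetric signature.

def _xor_stream(key, nonce, data):
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _sign(key, nonce, ct):
    return hmac.new(key, nonce + ct, hashlib.sha256).digest()

def package_sim(sim, target_key, source_key):
    """Step 1: cipher for the targeted element, then sign as the initial one."""
    nonce = os.urandom(16)
    ct = _xor_stream(target_key, nonce, sim)
    return {"nonce": nonce, "ct": ct, "sig": _sign(source_key, nonce, ct)}

def install_sim(pkg, target_key, source_key):
    """Step 4: check the signature first, only then decipher and install."""
    expected = _sign(source_key, pkg["nonce"], pkg["ct"])
    if not hmac.compare_digest(expected, pkg["sig"]):
        raise ValueError("package not signed by the initial secure element")
    return _xor_stream(target_key, pkg["nonce"], pkg["ct"])

def transfer(sim, target_key, source_key, vault, slot="pkg-1"):
    """Steps 2 and 3: upload to the vault, later download to the new element."""
    vault[slot] = package_sim(sim, target_key, source_key)    # upload
    return install_sim(vault[slot], target_key, source_key)   # download, install

# Constructed sample values, not real keys or subscriber data.
TARGET_KEY, SOURCE_KEY = b"T" * 32, b"S" * 32
SIM_IMAGE = b"constructed SIM image: files, applets, PIN, secrets"
```

The vault only ever holds the ciphered package, so the PIN inside it is not available to the vault for checking who requests the download.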
A similar method is disclosed in US2005/0266883 from Nokia Corporation.
When initiating the initial transfer from the initial secure element to the secure vault, we can imagine that the end user enters a PIN code to authenticate himself and confirm the operation. But a problem occurs when it is desired to transfer the packaged SIM again from the secure vault to the targeted secure element: how can one be sure that the request is coming from the same end user? There is no possibility to enter the PIN code again, as it is part of the SIM application, and it is necessary to be sure of the identity of the end user before installing the SIM in the targeted new secure element. This problem could lead to the subscription carried with the SIM being installed and reused by another user.
In order to avoid this problem, it could be possible to first install the SIM in the targeted secure element and then to request PIN authentication. However, the drawback is that the installation of the SIM has already been made and the authentication is not strong since, for a 4-digit PIN code, after at most 10,000 trials, a dishonest person could find the correct PIN code and use the SIM application of another user (and consequently his subscription).
The purpose of this improvement is to solve this problem.