The invention relates to the field of supplying a profile to a secure entity incorporated in a mobile telecommunications terminal.
As a preliminary point, it should be recalled that a “profile” in the context of the invention is a set of files, data, and applications installed on a secure entity or for installation thereon, and enabling the terminal that incorporates the secure entity to access the services of a mobile telecommunications network as defined by the profile, once the profile has been activated.
FIG. 1 shows a method of managing profiles in compliance with the present state of the art. FIG. 1 shows a profile management server 300, a network router 200, and a secure entity 100 incorporated in a mobile terminal 80. The secure entity 100 is an entity of the embedded universal integrated circuit card (eUICC) type as defined by the GSM Association (GSMA). It should be recalled that unlike removable subscriber identity module (SIM) cards, an eUICC entity is an entity that is generally soldered in (and in any event that is not designed to be removed or replaced), and that enables profiles to be changed in secure manner.
It is assumed that the profile management server 300 receives a request 301 during a step S10 to activate a profile on a secure entity. This request may be of the following type:                request (enable-profile (EID, ICCID))in which:        EID is the unique identifier of the eUICC secure element; and        ICCID is a unique identifier for identifying a profile in a secure entity.        
It should be recalled that activating a profile in a secure element consists in deactivating the current active profile and in activating the new profile specified in the request.
Returning to FIG. 1, the profile management server 300 maintains a profile management table 300T1 for each secure element EID, as shown in Appendix A.
This table comprises for each profile:                the identifier ICCID of the profile in the secure entity EID;        the type of the profile. In the example of Appendix A, the table has one provisioning profile and two operational profiles P1 and P2;        the state of the profile: deactivated or active; and        the MSISDN telephone number associated with the profile.        
In this example, it should be observed that the profile management server 300 knows that the current active profile of the secure element 100 is the operational profile P1.
On receiving the request 301, the profile management server 300 acts during a step S15 to identify the profile P2 in the table 300T1 from the identifier ICCID contained in the request, and it then generates an application protocol data unit (APDU) request in compliance with the standard ISO7816:                ENABLE_PROFILE(P2)        
During a step S20, the profile management server 300 encrypts the APDU command and attaches a security header thereto, e.g. an SCP80 security header in compliance with the Global Platform standard:                Scp80-header // ENABLE_PROFILE(P2)        
During a step S25, the profile management server 300 uses a transport service to send the frame constructed in step S20 to the MSISDN telephone number associated with the active profile P1 in the table 300T1. The profile management server defines a time-to-live for this message, e.g. equal to 24 hours.
By way of example, the transport service used for conveying this message and for managing the above-mentioned time-to-live may be the short message service (SMS), the GGSN service, or the Internet. It is assumed below that the SMS service is used.                SMS(Scp80-header // ENABLE_PROFILE(P2), MSISDN(P1), time-to-live)        
This SMS message given reference 302 in FIG. 1 is conveyed to a profile status manager 120 of the secure entity 100 via the transport network, and in particular via the router 200. The profile status manager 120 receives the SMS message 302 during a step G10.
The profile status manager 120 of the secure entity 100 maintains a profile management table 100T1, as shown in Appendix B. This table is similar to the table 300T1 maintained by the profile management server 300 for this secure entity, except that it does not have the fourth column: MSISDN.
In this entity, it should be observed that the active profile of the secure example EID is the profile P1 and that the knowledge of the profile management server 300 is thus correct.
During a step G15, the profile status manager 120 removes the SCP80 security header and decrypts the content of the SMS message 302:
decrypt-scp80(302)
During a step G20, the profile status manager 120 executes the command for activating the profile P2, which amounts to deactivating the current active profile P1 and activating the new profile P2.
During a step G30, the profile status manager 120 places a REFRESH SIM Toolkit command in the buffer for the mobile terminal 80. The effect of processing this REFRESH command is to reinitialize the secure entity 100 and to execute a procedure for restarting the mobile terminal 80. During this restart procedure, the mobile terminal reads the table 100T1 and starts the authentication procedure associated with the new profile P2.
This authentication procedure is defined by the ETSI standard TS 131 102 V11.6.0 (2013-10).
During a test G35, the profile status manager 120 verifies whether the authentication procedure has taken place successfully.
If so, the profile status manager 120 updates its table 100T1 during a step G36 and acts during a step G40 to send an MSM message 306 to the profile management server 300 to inform it that the profile P2 is indeed active:                send-SMS (P2-enabled-OK, MSISDN(300))        
By way of example, the profile status manager 120 may find the MSISDN number of the server 300 from the message 302 or it may obtain this number from a memory of the secure entity. The message 304 is normally received by the profile management server 300 during a step S30.
This message 306 is normally received by the profile management server 300 during a step S35. Under such circumstances, the profile management server 300 stores in its table 300T1 that the profile P2 is active, such that the tables 300T1 and 100T1 are synchronized (step S36).
In the event of the authentication procedure failing, the profile status manager 120 starts an emergency or “fallback” procedure consisting in activating the provisioning profile (step G50), in updating the table 100T1 (step G51), and in sending (step G55) an SMS message 310 to the profile management server 300 to inform it that the provisioning profile has been activated:                send-SMS (provisioning-enabled-OK, MSISDN(300))        
This message 310 is normally received by the profile management server 300 during a step S45. Under such circumstances, the profile management server 300 stores in its table 300T1 that the profile P2 is active such that the tables 300T1 and 100T1 are synchronized (step S46).
Consequently, and in summary, there are four messages that might be sent by the profile status manager 120 of the secure entity 100 to the profile management server 300:                the message 304 acknowledging reception of the message 302 for activating the profile P2;        the message 306 indicating that the profile P2 has been successfully activated;        the message 308 indicating that activation of the profile P2 has failed; and        the message 310 indicating that the provisioning profile has been activated successfully.        
Failure of the profile management server 300 to receive the messages 306 or 310 indicating successful activation of the profile P2 or of the provisioning profile leads to the profile management tables 300T1 and 100T1 becoming desynchronized, since in either of these situations the profile management server considers that the profile P1 is still the current active profile. This situation is harmful, since if the server 300 seeks subsequently to contact the secure entity 100, e.g. in order to send it an updating script, it will consult the table 300T1 and thus make use of the MSISDN telephone number of the profile P1 instead of the number of the profile that is indeed active.
The present invention proposes a profile management method that does not present the above-specified drawbacks.