Abstract: Methods and apparatus for the deployment of financial instruments and other assets are disclosed. In one embodiment, a security software protocol is disclosed that guarantees that the asset is always securely encrypted, that one and only one copy of an asset exists, and the asset is delivered to an authenticated and/or authorized customer. Additionally, exemplary embodiments of provisioning systems are disclosed that are capable of, among other things, handling large bursts of traffic (such as can occur on a so-called “launch day” of a device).

Abstract: Apparatus and methods for distributing electronic access client modules for use with electronic devices. In one embodiment, the access client modules are virtual subscriber identity modules (VSIMs) that can be downloaded from online services for use with cellular-equipped devices such as smartphones. The online services may include a point of sale (POS) system that sells electronic devices to users. A broker may be used to facilitate the selection of a virtual subscriber identity module. A provisioning service may also be used to provision the selected VSIM.

Abstract: Apparatus and methods for efficiently distributing and storing access control clients within a network. In one embodiment, the access clients include electronic Subscriber Identity Modules (eSIMs), and an eSIM distribution network infrastructure is described which enforces eSIM uniqueness and conservation, distributes network traffic to prevent “bottle necking” congestion, and provides reasonable disaster recovery capabilities. In one variant, eSIMs are securely stored at electronic Universal Integrated Circuit Card (eUICC) appliances which ensure eSIM uniqueness and conservation. Access to the eUICC appliances is made via multiple eSIM depots, which ensure that network load is distributed. Persistent storage is additionally described, for among other activities, archiving and backup.

Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

Abstract: Methods and apparatus for providing controlled switching of electronic access control clients without requiring network access are set forth herein. In one embodiment, a method for swapping of subscriptions and/or profiles for electronic Subscriber Identity Modules (eSIMs) without network supervision that prevents possibly malicious high frequency switching is disclosed. The disclosed embodiments offer reasonable management capabilities for network operators, without compromising the flexibility of eSIM operation.

Abstract: The present invention provides a method that protects symbol types by characterizing symbols as one of two types—DATA or NON_DATA, generating a symbol characterization bit, placing the symbol characterization bit at both ends of the symbol, and transmitting the symbol with the symbol characterization bits at both ends. Thus, a single byte error may affect a type bit in two consecutive symbols, and will affect one or the other of the type bits in a single symbol, but cannot affect both type bits in a single symbol.

Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

Abstract: Methods and apparatus for managing access control clients (e.g., electronic Subscriber Identity Modules (eSIMs)). In one embodiment, secure elements (e.g., electronic Universal Integrated Circuit Cards (eUICCs)) and management entities of secure elements are associated with credentials. Post-deployment managerial operations can be executed, by transmitting the requested operation with the appropriate credentials. For example, a device can receive secure software updates to electronic Subscriber Identity Modules (eSIMs), with properly credentialed network entities.

Abstract: Apparatus and methods for distributing access control clients. In one exemplary embodiment, a network infrastructure is disclosed that enables delivery of electronic subscriber identity modules (eSIMs) to secure elements (e.g., electronic Universal Integrated Circuit Cards (eUICCs), etc.) The network architecture includes one or more of: (i) eSIM appliances, (ii) secure eSIM storages, (iii) eSIM managers, (iv) eUICC appliances, (v) eUICC managers, (vi) service provider consoles, (vii) account managers, (viii) Mobile Network Operator (MNO) systems, (ix) eUICCs that are local to one or more devices, and (x) depots. Moreover, each depot may include: (xi) eSIM inventory managers, (xii) system directory services, (xiii) communications managers, and/or (xiv) pending eSIM storages. Functions of the disclosed infrastructure can be flexibly partitioned and/or adapted such that individual parties can host portions of the infrastructure.

Abstract: The present invention provides a method that protects symbol types by characterizing symbols as one of two types—DATA or NON_DATA, generating a symbol characterization bit, placing the symbol characterization bit at both ends of the symbol, and transmitting the symbol with the symbol characterization bits at both ends. Thus, a single byte error may affect a type bit in two consecutive symbols, and will affect one or the other of the type bits in a single symbol, but cannot affect both type bits in a single symbol.

Abstract: Apparatus and methods for controlling the distribution of electronic access clients to a device. In one embodiment, a virtualized Universal Integrated Circuit Card (UICC) can only load an access client such as an electronic Subscriber Identity Module (eSIM) according to an activation ticket. The activation ticket ensures that the virtualized UICC can only receive eSIMs from specific carriers (“carrier locking”). Unlike prior art methods which enforce carrier locking on a software application launched from a software chain of trust (which can be compromised), the present invention advantageously enforces carrier locking with the secure UICC hardware which has, for example, a secure code base.

Abstract: Apparatus and methods for efficiently distributing and storing access control clients within a network. In one embodiment, the access clients include electronic Subscriber Identity Modules (eSIMs), and an eSIM distribution network infrastructure is described which enforces eSIM uniqueness and conservation, distributes network traffic to prevent “bottle necking” congestion, and provides reasonable disaster recovery capabilities. In one variant, eSIMs are securely stored at electronic Universal Integrated Circuit Card (eUICC) appliances which ensure eSIM uniqueness and conservation. Access to the eUICC appliances is made via multiple eSIM depots, which ensure that network load is distributed. Persistent storage is additionally described, for among other activities, archiving and backup.

Abstract: Apparatus and methods for storing and controlling access control clients. In one embodiment, transmitting and receiving devices ensure that only one copy of an eSIM is active at any time. Specifically, each transferred eSIM is encrypted for the destination device; the eSIM from the source device is deleted, deactivated, or otherwise rendered unusable. Various aspects of network infrastructure are also described, including electronic Universal Integrated Circuit Card (eUICC) appliances, and mobile devices. Various scenarios for transfer of eSIMs are also disclosed.

Abstract: A simulacrum security device and methods. In one embodiment, a simulacrum or likeness of a physical security device is provided for use in conjunction with a software emulation of the security device. In one implementation, a “faux SIM card” is provided that does not contain Subscriber Identification Module (SIM) information itself, but instead enables a user to download Electronic SIM (eSIM) information (e.g., from a network or eSIM server) which is loaded into a software emulation of a Universal Integrated Circuit Card (UICC) device. The faux card is printed with an activation code, scan pattern, or other activation or access information. The subscriber purchases the faux card, and enters the activation code into a device; the entered activation code enables the device to log onto a network, and download the appropriate eSIM data.

Abstract: Methods and apparatus for secure provision of access control entities (such as electronic or virtual Subscriber Identity Module (eSIM) components) post-deployment of the host device on which the access control entity will be used. In one embodiment, wireless (e.g., cellular) user equipment is given a unique device key and endorsement certificate which can be used to provide updates or new eSIMs to the user equipment in the “field”. The user equipment can trust eSIM material delivered by an unknown third-party eSIM vendor, based on a secure certificate transmission with the device key. In another aspect, an operating system (OS) is partitioned into various portions or “sandboxes”. During operation, the user device can activate and execute the operating system in the sandbox corresponding to the current wireless network. Personalization packages received while connected to the network only apply to that sandbox.

Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

Abstract: Apparatus and methods for distributing electronic access client modules for use with electronic devices. In one embodiment, the access client modules are virtual subscriber identity modules (VSIMs) that can be downloaded from online services for use with cellular-equipped devices such as smartphones. The online services may include a point of sale (POS) system that sells electronic devices to users. A broker may be used to facilitate the selection of a virtual subscriber identity module. A provisioning service may also be used to provision the selected VSIM.

Abstract: The present invention provides a method that protects symbol types by characterizing symbols as one of two types—DATA or NON_DATA, generating a symbol characterization bit, placing the symbol characterization bit at both ends of the symbol, and transmitting the symbol with the symbol characterization bits at both ends. Thus, a single byte error may affect a type bit in two consecutive symbols, and will affect one or the other of the type bits in a single symbol, but cannot affect both type bits in a single symbol.

Abstract: The present invention provides a method that protects symbol types by characterizing symbols as one of two types—DATA or NON_DATA, generating a symbol characterization bit, placing the symbol characterization bit at both ends of the symbol, and transmitting the symbol with the symbol characterization bits at both ends. Thus, a single byte error may affect a type bit in two consecutive symbols, and will affect one or the other of the type bits in a single symbol, but cannot affect both type bits in a single symbol.

Abstract: The present invention provides a method that protects symbol types by characterizing symbols as one of two types—DATA or NON_DATA, generating a symbol characterization bit, placing the symbol characterization bit at both ends of the symbol, and transmitting the symbol with the symbol characterization bits at both ends. Thus, a single byte error may affect a type bit in two consecutive symbols, and will affect one or the other of the type bits in a single symbol, but cannot affect both type bits in a single symbol.