Patents by Inventor Said Gharout
Said Gharout has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240202310
Abstract: A method, computer program and apparatus for installing a given bound package on a given security module, the method comprising receiving a plurality of bound packages, BPs, corresponding to a plurality of security-module identifiers, IDs, wherein each BP corresponds to a corresponding ID, selecting, for a given security module manufactured without an associated ID, the given BP and a given ID corresponding to the given BP, and providing the given ID, a given set of credentials corresponding to the given ID, and the given BP for installation on the given security module.
Type: Application
Filed: October 26, 2023
Publication date: June 20, 2024
Inventors: Paul David BRADLEY, Said GHAROUT
-
Patent number: 11922384
Abstract: The method of the invention comprises: an identification step (E30-E50) of identifying the user of the mobile terminal; a generation step, triggered if identification is successful, of a secure element of the terminal generating (E70) at least one identification value for the terminal by using a first secret key shared between the secure element and a token service provider device; a sending step (E100) of sending a request to the token service provider device to obtain at least one security token, the request including said at least one identification value for the terminal; and a reception step (F90) of receiving from the token service provider device said at least one security token in encrypted form, each security token being associated with a random number generated by the token service provider device and being encrypted by means of an encryption key generated for that token from the random number and from a second secret key shared between the token service provider device and the secure element of th
Type: Grant
Filed: April 14, 2017
Date of Patent: March 5, 2024
Assignee: ORANGE
Inventors: Alicia Filipiak, Saïd Gharout, Jacques Traore, Véronique Cortier
-
Publication number: 20220295281
Abstract: A mobile data communications system comprises a mobile device having a reconfigurable identification module to store a set of one or more mobile identity profiles, the mobile device being configured to provide mobile data communication using a currently active mobile identity profile selected from the set of one or more mobile identity profiles; and control circuitry external to the mobile device to communicate mobile identity profile management information with the reconfigurable identification module; in which the control circuitry and the reconfigurable identification module are configured to establish a secure communication channel for the communication of at least some of the mobile identity profile management information.
Type: Application
Filed: March 8, 2022
Publication date: September 15, 2022
Inventors: Said GHAROUT, William David HUNTER
-
Patent number: 11443022
Abstract: A method for controlling access to a security module of a mobile terminal by an application of the mobile terminal is described. The method includes sending by a current application of the mobile terminal a request to access the security module, said access request comprising the current identifier of an applet comprised in the security module. The operating system of the mobile terminal reads a look-up table comprising a set of access control rules, an access control rule comprising the identifier of an applet of the security module associated with a control value for an application of the mobile terminal, said access control rule indicating that said application of the mobile terminal is authorized to communicate with the applet of the security module.
Type: Grant
Filed: June 22, 2018
Date of Patent: September 13, 2022
Assignee: ORANGE
Inventors: Alicia Filipiak, Saïd Gharout
-
Patent number: 11425117
Abstract: A method for obtaining a profile for access to a communication network by a secondary terminal via a main terminal. The main terminal includes a security element having an authentication key, the authentication key being used by the network and by the main terminal to generate at least one session master key specific to the main terminal. The secondary terminal: provides its identifier to the main terminal; receives from the main terminal a temporary key specific to the secondary terminal, a temporary identifier of the secondary terminal, and an identifier of the network for access to the network. The temporary key is based on the temporary identifier of the secondary terminal and the session master key of the main terminal. The temporary key, the temporary identifier, the identifier of the secondary terminal, and the identifier of the access network are included in a profile for access to the network.
Type: Grant
Filed: July 26, 2018
Date of Patent: August 23, 2022
Assignee: ORANGE
Inventors: Todor Gamishev, Said Gharout
-
Patent number: 11412369
Abstract: A method for obtaining a command relating to a profile for a security module of the equipment to access a network by mobile equipment. The method includes: sending, to a first server, a request including an anonymous identifier of the security module based on a physical identifier of the module and a random variable; receiving, from the first server, an address of a second server, which prepared the command and associated the command with the anonymous identifier, a request of the command having been previously received from a third server via the second server; sending, to the second server, the physical identifier of the module and of the random variable; receiving, from the second server, the command when a verification by the second server that the anonymous identifier of the security module has been computed on the basis of the received physical identifier and of the random variable is positive.
Type: Grant
Filed: April 4, 2018
Date of Patent: August 9, 2022
Assignee: ORANGE
Inventors: Said Gharout, Laurent Coureau
-
Patent number: 11349831
Abstract: A technique for downloading a profile for access to a communication network by a security module. This access profile has been prepared by a network operator and is available from a server configured to provide this access profile by downloading to the security module. The security module obtains a first verification datum prepared by the network operator. A secure downloading session is established thereafter. During establishment, session keys are jointly generated between the server and the security module and the server is authenticated by the security module using a public downloading key. The security module verifies authenticity of the public downloading key by using the first verification datum enabling verification that the server uses a secret downloading key corresponding to that provided by the network operator during preparation of the first verification datum. When the public downloading key is not authentic, the security module interrupts downloading of the access profile.
Type: Grant
Filed: June 19, 2017
Date of Patent: May 31, 2022
Assignee: ORANGE
Inventors: Said Gharout, Laurent Coureau
-
Patent number: 11290877
Abstract: A method for setting up an execution rule of an operating environment for a communication terminal in a mobile network of an operator. The environment is referred to as an operator profile. The operator profile is stored in a subscriber module embedded in the terminal. According to the method, the subscriber module: obtains a first token signed by the operator and includes information relative to the identification of the rule; obtains a second token signed by a third party other than the operator and including a first element for verifying the authenticity of the first token; verifies the authenticity of the first token by using the first verification element; verifies the authenticity of the second token by using a second verification element; and sets up the rule in the subscriber module if the authenticity of the first and second tokens is verified.
Type: Grant
Filed: May 5, 2017
Date of Patent: March 29, 2022
Assignee: ORANGE
Inventors: Laurent Coureau, Said Gharout
-
Patent number: 11218873
Abstract: A communication system which includes a terminal, a telecommunications network server able to provide a network service to the terminal; and an application server able to provide application services to the terminal via the network and the network server. The terminal and the network server share and store a same network root key kept secret from the application server and are configured to generate, on the basis of this network root key, a network session key used to sign and verify the integrity of messages exchanged on the network between the terminal and the network server. The terminal and the application server share and store a same application root key kept secret from the network server, and configured to generate, on the basis of this application root key, an application session key used to encrypt and decrypt messages exchanged between the terminal and this application server via the network.
Type: Grant
Filed: April 17, 2018
Date of Patent: January 4, 2022
Assignee: ORANGE
Inventors: Suman Bala, Said Gharout, Dominique Barthel
-
Patent number: 11210386
Abstract: A technique for managing a right of access to a service for a communicating device. A security element of the device authenticates a security element of an electrical power supply module subsequent to a detection of a start of distribution of electrical energy to the device so as to power it electrically. These security elements are then associated. The security element of the power supply module then configures the security element of the device, the latter having, once configured, a right of access to a valid service allowing it to access the service and this right of access remaining valid as long as the device is powered by this electrical power supply module.
Type: Grant
Filed: November 27, 2017
Date of Patent: December 28, 2021
Assignee: ORANGE
Inventors: Nicolas Ducrot, Julien Sicart, Said Gharout
-
Patent number: 11051162
Abstract: A method for anonymously identifying a security module by a server. The method includes: receiving, from the module, a request for the address of a server managing subscription data of an operator, the request including a current identification value of the module, which depends on an identifier of the module and a current date; searching for the current identification value in at least one set of identification values, the set being associated with an operator and including, for a given module, a plurality of identification values, which are calculated depending on the identifier of the module and a date, the date varying for the plurality of identification values of the set between a start date and an end date; and sending, to the security module, the address of the server managing subscription data associated with the operator when the current identification value appears in the set of identification values.
Type: Grant
Filed: November 9, 2016
Date of Patent: June 29, 2021
Assignee: ORANGE
Inventors: Amira Barki, Said Gharout, Jacques Traore, Laurent Coureau
-
Publication number: 20210120411
Abstract: A method for obtaining a profile for access to a telecommunications network by a mobile equipment. The method includes: sending by the mobile equipment to a network entity a request for accessing the network, the request including an initial subscriber identifier included in an initial profile; mutual authentication between the mobile equipment and the network entity by using an initial secret key associated with the initial identifier; and receiving from the network entity a new profile for access to the network, the new access profile including a new subscriber identifier and a new secret key, the new profile being configured for accessing the network.
Type: Application
Filed: December 11, 2017
Publication date: April 22, 2021
Inventors: Said Gharout, Charles Hartmann
-
Publication number: 20200389439
Abstract: A method for obtaining a command relating to a profile for a security module of the equipment to access a network by mobile equipment. The method includes: sending, to a first server, a request including an anonymous identifier of the security module based on a physical identifier of the module and a random variable; receiving, from the first server, an address of a second server, which prepared the command and associated the command with the anonymous identifier, a request of the command having been previously received from a third server via the second server; sending, to the second server, the physical identifier of the module and of the random variable; receiving, from the second server, the command when a verification by the second server that the anonymous identifier of the security module has been computed on the basis of the received physical identifier and of the random variable is positive.
Type: Application
Filed: April 4, 2018
Publication date: December 10, 2020
Inventors: Said Gharout, Laurent Coureau
-
Publication number: 20200288312
Abstract: A communication system which includes a terminal, a telecommunications network server able to provide a network service to the terminal; and an application server able to provide application services to the terminal via the network and the network server. The terminal and the network server share and store a same network root key kept secret from the application server and are configured to generate, on the basis of this network root key, a network session key used to sign and verify the integrity of messages exchanged on the network between the terminal and the network server. The terminal and the application server share and store a same application root key kept secret from the network server, and configured to generate, on the basis of this application root key, an application session key used to encrypt and decrypt messages exchanged between the terminal and this application server via the network.
Type: Application
Filed: April 17, 2018
Publication date: September 10, 2020
Inventors: Suman Bala, Said Gharout, Dominique Barthel
-
Publication number: 20200267141
Abstract: A method for obtaining a profile for access to a communication network by a secondary terminal via a main terminal. The main terminal includes a security element having an authentication key, the authentication key being used by the network and by the main terminal to generate at least one session master key specific to the main terminal. The secondary terminal: provides its identifier to the main terminal; receives from the main terminal a temporary key specific to the secondary terminal, a temporary identifier of the secondary terminal, and an identifier of the network for access to the network. The temporary key is based on the temporary identifier of the secondary terminal and the session master key of the main terminal. The temporary key, the temporary identifier, the identifier of the secondary terminal, and the identifier of the access network are included in a profile for access to the network.
Type: Application
Filed: July 26, 2018
Publication date: August 20, 2020
Inventors: Todor Gamishev, Said Gharout
-
Publication number: 20200151312
Abstract: A method for controlling access to a security module of a mobile terminal by an application of the mobile terminal is described. The method includes sending by a current application of the mobile terminal a request to access the security module, said access request comprising the current identifier of an applet comprised in the security module. The operating system of the mobile terminal reads a look-up table comprising a set of access control rules, an access control rule comprising the identifier of an applet of the security module associated with a control value for an application of the mobile terminal, said access control rule indicating that said application of the mobile terminal is authorized to communicate with the applet of the security module.
Type: Application
Filed: June 22, 2018
Publication date: May 14, 2020
Inventors: Alicia Filipiak, Saïd Gharout
-
Publication number: 20190332761
Abstract: A technique for managing a right of access to a service for a communicating device. A security element of the device authenticates a security element of an electrical power supply module subsequent to a detection of a start of distribution of electrical energy to the device so as to power it electrically. These security elements are then associated. The security element of the power supply module then configures the security element of the device, the latter having, once configured, a right of access to a valid service allowing it to access the service and this right of access remaining valid as long as the device is powered by this electrical power supply module.
Type: Application
Filed: November 27, 2017
Publication date: October 31, 2019
Inventors: Nicolas Ducrot, Julien Sicart, Said Gharout
-
Publication number: 20190230087
Abstract: A technique for downloading a profile for access to a communication network by a security module. This access profile has been prepared by a network operator and is available from a server configured to provide this access profile by downloading to the security module. The security module obtains a first verification datum prepared by the network operator. A secure downloading session is established thereafter. During establishment, session keys are jointly generated between the server and the security module and the server is authenticated by the security module using a public downloading key. The security module verifies authenticity of the public downloading key by using the first verification datum enabling verification that the server uses a secret downloading key corresponding to that provided by the network operator during preparation of the first verification datum. When the public downloading key is not authentic, the security module interrupts downloading of the access profile.
Type: Application
Filed: June 19, 2017
Publication date: July 25, 2019
Inventors: Said Gharout, Laurent Coureau
-
Publication number: 20190141525
Abstract: A method for setting up an execution rule of an operating environment for a communication terminal in a mobile network of an operator. The environment is referred to as an operator profile. The operator profile is stored in a subscriber module embedded in the terminal. According to the method, the subscriber module: obtains a first token signed by the operator and includes information relative to the identification of the rule; obtains a second token signed by a third party other than the operator and including a first element for verifying the authenticity of the first token; verifies the authenticity of the first token by using the first verification element; verifies the authenticity of the second token by using a second verification element; and sets up the rule in the subscriber module if the authenticity of the first and second tokens is verified.
Type: Application
Filed: May 5, 2017
Publication date: May 9, 2019
Applicant: ORANGE
Inventors: Laurent Coureau, Said Gharout
-
Publication number: 20190122191
Abstract: The method of the invention comprises: an identification step (E30-E50) of identifying the user of the mobile terminal; a generation step, triggered if identification is successful, of a secure element of the terminal generating (E70) at least one identification value for the terminal by using a first secret key shared between the secure element and a token service provider device; a sending step (E100) of sending a request to the token service provider device to obtain at least one security token, the request including said at least one identification value for the terminal; and a reception step (F90) of receiving from the token service provider device said at least one security token in encrypted form, each security token being associated with a random number generated by the token service provider device and being encrypted by means of an encryption key generated for that token from the random number and from a second secret key shared between the token service provider device and the secure element of th
Type: Application
Filed: April 14, 2017
Publication date: April 25, 2019
Inventors: Alicia Filipiak, Said Gharout, Jacques Traore, Véronique Cortier