Patent 11916893
Obviousness
Combinations of prior art that suggest the claimed invention would have been obvious under 35 U.S.C. § 103.
Active provider: Google · gemini-2.5-flash
The obviousness of US patent 11916893 under 35 U.S.C. § 103 relies on combining existing prior art and well-known practices in wireless communication and security to address identified needs in the context of embedded Universal Integrated Circuit Cards (eUICCs) for machine-to-machine (M2M) applications. A Person Having Ordinary Skill in the Art (PHOSITA) as of the priority date (2013-12-06) would have been motivated to combine these elements to overcome the challenges outlined in the patent.
Prior Art Considered:
The analysis is based on the prior art references and technologies explicitly mentioned within the "Definitions" section of US11916893:
- eUICC Technology: The concept and requirements for an eUICC, including its subscription management and the ability to store profiles, were known, as evidenced by references such as ETSI TS 103 383 v12.1, titled "Smart Cards; Embedded UICC; Requirements Specification". The patent itself describes eUICCs as a solution to "issues for distributing and managing physical media such as a UICC" in M2M applications.
- Traditional UICC/Network Authentication: The fundamental mechanisms for authenticating a mobile device (module) to a wireless network using a physical UICC (or SIM card) and a pre-shared secret key K were well-established. These include:
  - ETSI TR 102 216 and ETSI TS 102 221 V11.0.0, defining physical UICC standards and form-factors.
  - 3GPP TS 33.401 V12.9.0 and ETSI standard TR 131 900 v.10.0.0, detailing the RAND/RES challenge-response authentication protocol.
  - ETSI TS 135 205-209, specifying cryptographic algorithms for calculating the RES value using key K and RAND.
  - Various wireless technologies (e.g., 3G, 4G LTE, Wi-Fi, WiMax) that rely on these authentication principles.
- Machine-to-Machine (M2M) Communications: The field of M2M, also known as the "Internet of Things" (IoT), was rapidly growing, with many applications leveraging wireless connections. The challenges of managing physical SIMs/UICCs in remote or hermetically sealed M2M devices were recognized.
- Two-Factor Authentication (2FA): As a general security practice, 2FA for verifying user identities in online services was known and widely implemented. Methods included web-based input, telephone calls, and data exchange for verification.
- Cryptographic Key Management: Principles of secure key distribution, symmetric and asymmetric encryption, and key derivation algorithms were part of common cryptographic knowledge. The patent mentions "cryptographic algorithms 141" for key derivation, encryption, and decryption.
- Secure Communication over IP: Transport Layer Security (TLS) and similar standards for securing communication at the transport or application layer over IP networks were well-known.
Obviousness Combinations and Motivations:
The core inventive concepts of US11916893 revolve around combining these known elements to enable robust and secure authentication and key management for eUICC-enabled M2M devices.
1. Combining eUICC with Traditional Network Authentication for M2M (Device Authentication)
- Combination: A PHOSITA would combine the requirements and architecture of an eUICC (as taught by ETSI TS 103 383 v12.1) with the well-established UICC-based network authentication protocols (as described in ETSI TR 102 216 and 3GPP TS 33.401). This would involve programming an eUICC in an M2M module to store network access credentials, including a first pre-shared secret key K and a network module identity (e.g., IMSI), and to perform the standard RAND/RES challenge-response mechanism to authenticate with a wireless network.
- Motivation: The patent explicitly states the "rapid growth for 'machine-to-machine' applications has created significant challenges to the traditional model of utilizing physical media such as a UICC". It also identifies the "need exists in the art for the obtained credentials in a eUICC to be fully compatible with the significant installed and legacy base of networks that use a pre-shared secret key K". A PHOSITA would be motivated to leverage eUICC technology to overcome the logistical and cost barriers of managing physical UICCs in M2M deployments. The most straightforward approach would be to replicate the existing, reliable UICC authentication functionality within the eUICC, thereby achieving "backward compatibility" with deployed network infrastructure. Upon successful initial authentication, the module would gain "at least limited access to an IP network".
2. Adding Two-Factor Authentication for User/Service Provider Verification
- Combination: After the eUICC-enabled module performs its initial network authentication using the first key K and gains limited IP access, a PHOSITA would combine this setup with general knowledge of two-factor authentication (2FA) methods. This 2FA would be performed by the Mobile Network Operator (MNO) to authenticate or verify the user or M2M service provider associated with the module, utilizing the established IP connection. Examples of such 2FA could include web-based authentication (user entering information on a webpage), a telephone call to a call center, or direct data exchange with an M2M service provider's server.
- Motivation: The patent identifies a critical security gap: "the distribution of the eUICC profile may be outside the control of the mobile network operator," meaning the MNO might not know the identity of the entity using the module solely based on the eUICC profile. A PHOSITA would recognize the need for a separate, user-centric authentication step to ensure that the legitimate user or M2M service provider is operating the device. Given the module has "at least limited access to an IP network", employing well-known 2FA techniques over this network connection would be an obvious solution to securely verify the associated entity and address the MNO's control concerns. The patent explicitly states, "the MNO can confirm the identity of an entity associated with the module, whereas that identity may not be known before the authentication with the second factor".
3. Dynamically Updating or Deriving Network Keys (Key K) After Second-Factor Authentication
- Combination (Secure Key Transfer): A PHOSITA would combine the above system with conventional secure key distribution practices. After the successful second-factor user authentication, the MNO would transmit a symmetric key to the module, encrypted with a "key ciphering algorithm". This symmetric key would then be used by the module to decrypt a second, previously encrypted portion of the eUICC profile, which contains a "second network module identity and a second key K". The module would then disconnect and reconnect using these new credentials.
- Combination (Key Derivation): Alternatively, a PHOSITA would combine the system with known key derivation techniques. After the second-factor authentication, the MNO and the module (with its eUICC) would "mutually derive a second key K using the token and a key derivation algorithm". This derivation could involve exchanging a token value over the IP network and using pre-recorded public/private key pairs and cryptographic algorithms (e.g., cryptographic algorithms 141) to compute the new key K.
- Motivation: The patent states that "the mobile network operator could prefer for the key K to periodically rotate or change... in order to increase security" and that "the continued and extended use of a single key K... can be a security risk". A PHOSITA would be motivated to implement dynamic key management to enhance security, especially after the MNO has verified the user/service provider through the second factor. Making the release or derivation of a more secure "second key K" contingent on successful second-factor authentication allows the MNO to "retain control over the use of the second key K in the profile for the eUICC, such as not releasing the symmetric key until after a user has successfully completed authentication". Both secure key transfer (using symmetric encryption) and key derivation (using well-known cryptographic principles) are standard methods for securely establishing or updating keys in networked systems, and applying them in this context for enhanced security and MNO control would be an obvious design choice.
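The three combinations above, put together as one flow, in an added example that is not code from the patent or from this analysis: RAND/RES authentication with the first key K, a second-factor gate held by the operator, then mutual derivation of a second key K from a token. Assumptions: HMAC-SHA256 stands in for both the RES algorithm and the key derivation algorithm, `profile_secret` stands in for a secret both sides hold from the pre-recorded key material, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def compute_res(key_k: bytes, rand: bytes) -> bytes:
    # Stand-in for the RES algorithm: HMAC-SHA256 truncated to 8 bytes (assumption).
    return hmac.new(key_k, b"RES" + rand, hashlib.sha256).digest()[:8]

def derive_second_key(profile_secret: bytes, token: bytes) -> bytes:
    # Stand-in key derivation: both sides compute the same 128-bit second key K.
    return hmac.new(profile_secret, b"second-key-K" + token, hashlib.sha256).digest()[:16]

class Module:
    def __init__(self, key_k: bytes, profile_secret: bytes):
        self.key_k, self.profile_secret = key_k, profile_secret

    def respond(self, rand: bytes) -> bytes:
        return compute_res(self.key_k, rand)

    def accept_token(self, token: bytes) -> None:
        self.key_k = derive_second_key(self.profile_secret, token)

class Operator:
    def __init__(self, key_k: bytes, profile_secret: bytes):
        self.key_k, self.profile_secret = key_k, profile_secret
        self.rand = None
        self.second_factor_ok = False

    def challenge(self) -> bytes:
        self.rand = secrets.token_bytes(16)
        return self.rand

    def verify(self, res: bytes) -> bool:
        rand, self.rand = self.rand, None  # each RAND is single use
        return rand is not None and hmac.compare_digest(res, compute_res(self.key_k, rand))

    def issue_token(self):
        if not self.second_factor_ok:
            return None  # no second factor, no second key K
        token = secrets.token_bytes(16)
        self.key_k = derive_second_key(self.profile_secret, token)
        return token

def run_flow(second_factor_passes: bool):
    k1, secret = secrets.token_bytes(16), secrets.token_bytes(32)  # constructed values
    module, mno = Module(k1, secret), Operator(k1, secret)
    first_auth = mno.verify(module.respond(mno.challenge()))
    mno.second_factor_ok = first_auth and second_factor_passes
    token = mno.issue_token()
    if token is not None:
        module.accept_token(token)
    reauth = mno.verify(module.respond(mno.challenge()))
    return first_auth, token is not None, reauth, module.key_k != k1
```

`run_flow` returns whether the first authentication succeeded, whether a token was released, whether re-authentication succeeded, and whether the module's key K changed. The token alone does not reveal the second key K, since derivation also needs the secret held in the profile.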
Conclusion on Obviousness:
The teachings of US11916893 represent a logical and predictable combination of existing technologies and security principles known to a PHOSITA in 2013. The patent itself articulates the problems (challenges of physical UICCs in M2M, MNO control over eUICC profiles, security risks of static keys) and the motivations for solving them (remote management, enhanced security, MNO control). A PHOSITA, motivated to solve these problems, would have found it obvious to:
- Adapt standard UICC authentication to the eUICC paradigm for M2M (using references like ETSI TS 103 383 and 3GPP TS 33.401).
- Implement a second, user-centric authentication factor over the initial IP connection to verify the entity associated with the module (leveraging general 2FA knowledge).
- Subsequently employ standard key management techniques (either secure encrypted transfer or cryptographic derivation) to provide a new, more secure network key K, contingent on the successful second-factor authentication, thereby enhancing overall security and MNO control.
While the PTAB denied institution for IPR2026-00119, indicating the specific petition did not adequately meet certain claim limitations, this analysis suggests that with a comprehensive combination of the widely available and recognized prior art as identified within the patent itself, strong arguments for obviousness under 35 U.S.C. § 103 could be made. The denial of institution does not preclude other parties from raising different or more robust obviousness challenges.
Generated 5/27/2026, 6:48:32 AM