36c3 sim update

2019/ccc2019-sim_technology_a_z/36c3-sim_card_technology_from_A_to_Z.tex

@@ -9,7 +9,7 @@
 \usetheme{Warsaw}
 \usecolortheme{whale}
 
-\title{SIM card technology from A to Z}
+\title{SIM card technology from A(PDU) to X(RES)}
 %\subtitle{Subtitle}
 \author{Harald~Welte}
 \date[Dec 2019, 36C3]{Chaos Communication Congress 2019}
@@ -24,7 +24,12 @@
 
 
 \begin{frame}{Outline}
-	\tableofcontents[hideallsubsections]
+	\item Relevant Specs + Spec Bodies
+	\item Card Interfaces, Protocols
+	\item Card File System
+	\item SIM Evolution from 2G to 5G
+	\item SIM Toolkit
+	\item OTA (Over The Air)
 \end{frame}
 
 
@@ -45,6 +50,19 @@
 \includegraphics[width=150mm]{sim_card_specs.png}
 \end{frame}
 
+\begin{frame}{Relevant specification bodies/sources}
+\begin{itemize}
+	\item ISO (Integrated Circuit[s] Card)
+	\item ITU (Telecom Charge Cards)
+	\item ETSI (where GSM was originally specified)
+	\item 3GPP (where 3G to 5G was specified)
+	\item GlobalPlatform Card Specification
+	\item Sun/Oracle JavaCard API, Runtime, VM
+	\item GSMA
+\end{itemize}
+\end{frame}
+
+
 % from APDU to Z... ?
 
 \begin{frame}{The SIM: Subscriber Identity Module}
@@ -64,9 +82,12 @@
 
 
 \begin{frame}{Classic SIM in early GSM}
+	\begin{figure}
+	\centering
+	\includegraphics[width=80mm]{c-netz-karte.jpg}
+	\end{figure}
 \begin{itemize}
 	\item Idea of storing subscriber identity predates GSM (e.g. C-Netz since 1988)
-	% c-netz-karte.jpg
 	\item GSM from the very beginning introduces concept of SIM card
 	\item store subscriber identity outside of the phone
 	\item store some network related parameters
@@ -79,7 +100,7 @@
 \end{frame}
 
 
-\begin{frame}{ISO 7816}
+\begin{frame}{DIN EN ISO/IEC 7816}
 \begin{itemize}
 	\item the {\em mother of all smart card} spec
 	\item "Integrated circuit(s) cards with contacts"
@@ -114,12 +135,16 @@
 	\item Relevant pins:
 	\begin{itemize}
 		\item VCC: Provides supply voltage (5V, 3V or 1.8V)
-		\item CLK: Provides a clock signal ()
+		\item CLK: Provides a clock signal (1 .. 5 MHz default)
 		\item RST: To reset the card
 		\item IO: bidirectional serial communications
 	\end{itemize}
 	\item Activation sequence triggers card to send ATR (Answer To Reset)
 \end{itemize}
+\begin{figure}
+\centering
+\includegraphics[width=100mm]{7816_activation.png}
+\end{figure}
 \end{frame}
 
 \begin{frame}{Bit transmission level}
@@ -135,6 +160,10 @@
 		\item timings are actually not very well specified
 	\end{itemize}
 \end{itemize}
+\begin{figure}
+\centering
+\includegraphics[width=100mm]{7816_frame.png}
+\end{figure}
 \end{frame}
 
 \begin{frame}{Smart Card Communication}
@@ -219,6 +248,7 @@
 \end{frame}
 
 \begin{frame}{SIM card filesystem hierarchy}
+\parbox{.4\textwidth}{
 \begin{itemize}
 	\item MF (3F00)
 	\begin{itemize}
@@ -238,10 +268,12 @@
 		\item ...
 	\end{itemize}
 \end{itemize}
+}\hfill\parbox{.6\textwidth}{
+	\includegraphics[width=80mm]{sim_fs.png}
+}
 \end{frame}
 
 
-
 \begin{frame}{3G: ETSI UICC and the 3GPP USIM}
 \begin{itemize}
 	\item The GSM SIM was fully specified by ETSI in TS 11.11
@@ -393,9 +425,9 @@
 	\begin{itemize}
 		\item SMS-PP (normal SMS as you know it)
 		\item SMS-CB (bulk update of cards via cell broadcast)
-		\item USSD
-		\item BIP (via CSD, GPRS)
-		\item now also HTTPS
+		\item USSD (Release 7)
+		\item BIP (via CSD, GPRS): ETSI TS 102 223 / TS 102 127
+		\item now also HTTPS (Release 9)
 	\end{itemize}
 	\item Cryptographic security mechanisms specified, but detailed use up to operator
 	\begin{itemize}
@@ -408,6 +440,7 @@
 
 \begin{frame}{Remote File Management (RFM)}
 \begin{itemize}
+	\item Introduced in Relase 6
 	\item Common use case of OTA
 	\item Allows remote read / update of files in file system
 	\item Example: Change of preferred/forbidden roaming operator list
@@ -417,6 +450,7 @@
 
 \begin{frame}{Remote Application Management (RAM)}
 \begin{itemize}
+	\item Introduced in Relase 6
 	\item Common use case of OTA
 	\item Allows remote installation / removal of applications on card
 	\item Example: New multi-IMSI application (MVNOs)
@@ -424,6 +458,40 @@
 \end{itemize}
 \end{frame}
 
+\begin{frame}{OTA over HTTPs}
+\begin{itemize}
+	\item 4G and beyond don't natively support SMS-PP, USSD, ...
+	\item In Release 9, OTA over HTTPs is first introduced
+	\item References to GlobalPlatform 2.2 Amd B + ETSI TS 102 226
+	\item Uses HTTP as per RFC 2616
+	\item Uses PSK-TLS as per RFC4279, RFC4785, RFC5487
+	\begin{itemize}
+		\item TLS 1.0 / 1.1: TLS\_PSK\_WITH\_3DES\_EDE\_CBC\_SHA
+		\item TLS 1.0 / 1.1: TLS\_PSK\_WITH\_AES\_128\_CBC\_SHA
+		\item TLS 1.0 / 1.1: TLS\_PSK\_WITH\_NULL\_SHA (RFC4785)
+		\item TLS 1.2: TLS\_PSK\_WITH\_AES\_128\_CBC\_SHA256 (RFC5487)
+		\item TLS 1.2: TLS\_PSK\_WITH\_NULL\_SHA256 (RFC5487)
+	\end{itemize}
+	\item IP and TCP socket terminated in phone, only TCP payload handled by card
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OTA over HTTPs}
+\begin{itemize}
+	\item Card acts as HTTP client performing HTTP POST
+	\item TLS payload is remote APDU format of ETSI TS 102 226
+	\item additional HTTP headers
+	\begin{itemize}
+		\item X-Admin-Targeted-Application
+		\item X-Admin-Next-URI
+		\item X-Admin-Protocol: globalplatform-remote-admin/1.0 CRLF
+		\item X-Admin-From
+		\item X-Admin-Script-Status
+		\item X-Admin-Resume
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
 \begin{frame}{S@T}
 \begin{itemize}
 	\item a strange beast specified outside of ETSI/3GPP
@@ -433,20 +501,49 @@
 \end{itemize}
 \end{frame}
 
+\begin{frame}{GSMA eSIM}
+\begin{itemize}
+	\item system for remote provisioning of {\em profiles} to SIM
+	\item allows change of operator / identity without replacement of physical card
+	\item main use case is non-removable / soldered SIM chip (MFF2)
+	\item also available from some operators in classic smart card size
+	\item main relevant spec is GSMA SGP.22
+	\item based around PKI between operators, all parties approved by GSMA
+\end{itemize}
+\end{frame}
+
+
 
 \begin{frame}{The CCC event SIM cards}
+\begin{figure}
+	\centering
+	\includegraphics[width=50mm]{32c3-sim-front.jpg}
+	\includegraphics[width=50mm]{32c3-sim-back.jpg}
+\end{figure}
 \begin{itemize}
 	\item are Java SIM + USIM cards
-	\item support OTA, RAM, RFM
+	\item support OTA, RAM, RFM (via SMS-PP and maybe BIP, not HTTPS)
 	\item you can get the ADM PIN and OTA keys from the event GSM team
 	\item a "hello world" Java applet and tools for installation are provided (thanks to shadytel + Dieter Spaar)
 	\item identities and key data can be modified using Osmocom pySim software
 \end{itemize}
 \end{frame}
 
-\begin{frame}{Further Reading}
+%\begin{frame}{The evoluation of form factors}
+	%\includegraphics{sim_card_formats.png}
+%\end{frame}
+
+\begin{frame}{Further Reading (hyperlinked)}
 \begin{itemize}
-	\item FIXME
+	\item \href{https://simalliance.org/wp-content/uploads/2017/01/MobileConnectSteppingStones_FINAL_.pdf}{SIM alliance stepping stones}
+	\item \href{https://osmocom.org/projects/simtrace2/wiki}{SIMtrace2 wiki}
+	\item \href{https://simjacker.com/downloads/technicalpapers/AdaptiveMobile_Security_Simjacker_Technical_Paper_v1.01.pdf}{Simjacker vulnerability}
+	\item \href{https://opensource.srlabs.de/projects/simtester/wiki}{SRLabs SIMtester}
+	\item for historians
+	\begin{itemize}
+		\item \href{http://ftp.ccc.de/software/gsm/SIM_sim.zip}{CCC SIM simulator in Turbo C}
+		\item \href{http://ftp.ccc.de/software/gsm/gsm_hack.tar.gz}{CCC sim clone / D2 Pirat}
+	\end{itemize}
 \end{itemize}
 \end{frame}