36c3 sim update
This commit is contained in:
parent
bd4b6a16a7
commit
695b407b83
|
@ -9,7 +9,7 @@
|
|||
\usetheme{Warsaw}
|
||||
\usecolortheme{whale}
|
||||
|
||||
\title{SIM card technology from A to Z}
|
||||
\title{SIM card technology from A(PDU) to X(RES)}
|
||||
%\subtitle{Subtitle}
|
||||
\author{Harald~Welte}
|
||||
\date[Dec 2019, 36C3]{Chaos Communication Congress 2019}
|
||||
|
@ -24,7 +24,12 @@
|
|||
|
||||
|
||||
\begin{frame}{Outline}
|
||||
\tableofcontents[hideallsubsections]
|
||||
\item Relevant Specs + Spec Bodies
|
||||
\item Card Interfaces, Protocols
|
||||
\item Card File System
|
||||
\item SIM Evolution from 2G to 5G
|
||||
\item SIM Toolkit
|
||||
\item OTA (Over The Air)
|
||||
\end{frame}
|
||||
|
||||
|
||||
|
@ -45,6 +50,19 @@
|
|||
\includegraphics[width=150mm]{sim_card_specs.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{Relevant specification bodies/sources}
|
||||
\begin{itemize}
|
||||
\item ISO (Integrated Circuit[s] Card)
|
||||
\item ITU (Telecom Charge Cards)
|
||||
\item ETSI (where GSM was originally specified)
|
||||
\item 3GPP (where 3G to 5G was specified)
|
||||
\item GlobalPlatform Card Specification
|
||||
\item Sun/Oracle JavaCard API, Runtime, VM
|
||||
\item GSMA
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
|
||||
% from APDU to Z... ?
|
||||
|
||||
\begin{frame}{The SIM: Subscriber Identity Module}
|
||||
|
@ -64,9 +82,12 @@
|
|||
|
||||
|
||||
\begin{frame}{Classic SIM in early GSM}
|
||||
\begin{figure}
|
||||
\centering
|
||||
\includegraphics[width=80mm]{c-netz-karte.jpg}
|
||||
\end{figure}
|
||||
\begin{itemize}
|
||||
\item Idea of storing subscriber identity predates GSM (e.g. C-Netz since 1988)
|
||||
% c-netz-karte.jpg
|
||||
\item GSM from the very beginning introduces concept of SIM card
|
||||
\item store subscriber identity outside of the phone
|
||||
\item store some network related parameters
|
||||
|
@ -79,7 +100,7 @@
|
|||
\end{frame}
|
||||
|
||||
|
||||
\begin{frame}{ISO 7816}
|
||||
\begin{frame}{DIN EN ISO/IEC 7816}
|
||||
\begin{itemize}
|
||||
\item the {\em mother of all smart card} spec
|
||||
\item "Integrated circuit(s) cards with contacts"
|
||||
|
@ -114,12 +135,16 @@
|
|||
\item Relevant pins:
|
||||
\begin{itemize}
|
||||
\item VCC: Provides supply voltage (5V, 3V or 1.8V)
|
||||
\item CLK: Provides a clock signal ()
|
||||
\item CLK: Provides a clock signal (1 .. 5 MHz default)
|
||||
\item RST: To reset the card
|
||||
\item IO: bidirectional serial communications
|
||||
\end{itemize}
|
||||
\item Activation sequence triggers card to send ATR (Answer To Reset)
|
||||
\end{itemize}
|
||||
\begin{figure}
|
||||
\centering
|
||||
\includegraphics[width=100mm]{7816_activation.png}
|
||||
\end{figure}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{Bit transmission level}
|
||||
|
@ -135,6 +160,10 @@
|
|||
\item timings are actually not very well specified
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\begin{figure}
|
||||
\centering
|
||||
\includegraphics[width=100mm]{7816_frame.png}
|
||||
\end{figure}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{Smart Card Communication}
|
||||
|
@ -219,6 +248,7 @@
|
|||
\end{frame}
|
||||
|
||||
\begin{frame}{SIM card filesystem hierarchy}
|
||||
\parbox{.4\textwidth}{
|
||||
\begin{itemize}
|
||||
\item MF (3F00)
|
||||
\begin{itemize}
|
||||
|
@ -238,10 +268,12 @@
|
|||
\item ...
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
}\hfill\parbox{.6\textwidth}{
|
||||
\includegraphics[width=80mm]{sim_fs.png}
|
||||
}
|
||||
\end{frame}
|
||||
|
||||
|
||||
|
||||
\begin{frame}{3G: ETSI UICC and the 3GPP USIM}
|
||||
\begin{itemize}
|
||||
\item The GSM SIM was fully specified by ETSI in TS 11.11
|
||||
|
@ -393,9 +425,9 @@
|
|||
\begin{itemize}
|
||||
\item SMS-PP (normal SMS as you know it)
|
||||
\item SMS-CB (bulk update of cards via cell broadcast)
|
||||
\item USSD
|
||||
\item BIP (via CSD, GPRS)
|
||||
\item now also HTTPS
|
||||
\item USSD (Release 7)
|
||||
\item BIP (via CSD, GPRS): ETSI TS 102 223 / TS 102 127
|
||||
\item now also HTTPS (Release 9)
|
||||
\end{itemize}
|
||||
\item Cryptographic security mechanisms specified, but detailed use up to operator
|
||||
\begin{itemize}
|
||||
|
@ -408,6 +440,7 @@
|
|||
|
||||
\begin{frame}{Remote File Management (RFM)}
|
||||
\begin{itemize}
|
||||
\item Introduced in Relase 6
|
||||
\item Common use case of OTA
|
||||
\item Allows remote read / update of files in file system
|
||||
\item Example: Change of preferred/forbidden roaming operator list
|
||||
|
@ -417,6 +450,7 @@
|
|||
|
||||
\begin{frame}{Remote Application Management (RAM)}
|
||||
\begin{itemize}
|
||||
\item Introduced in Relase 6
|
||||
\item Common use case of OTA
|
||||
\item Allows remote installation / removal of applications on card
|
||||
\item Example: New multi-IMSI application (MVNOs)
|
||||
|
@ -424,6 +458,40 @@
|
|||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{OTA over HTTPs}
|
||||
\begin{itemize}
|
||||
\item 4G and beyond don't natively support SMS-PP, USSD, ...
|
||||
\item In Release 9, OTA over HTTPs is first introduced
|
||||
\item References to GlobalPlatform 2.2 Amd B + ETSI TS 102 226
|
||||
\item Uses HTTP as per RFC 2616
|
||||
\item Uses PSK-TLS as per RFC4279, RFC4785, RFC5487
|
||||
\begin{itemize}
|
||||
\item TLS 1.0 / 1.1: TLS\_PSK\_WITH\_3DES\_EDE\_CBC\_SHA
|
||||
\item TLS 1.0 / 1.1: TLS\_PSK\_WITH\_AES\_128\_CBC\_SHA
|
||||
\item TLS 1.0 / 1.1: TLS\_PSK\_WITH\_NULL\_SHA (RFC4785)
|
||||
\item TLS 1.2: TLS\_PSK\_WITH\_AES\_128\_CBC\_SHA256 (RFC5487)
|
||||
\item TLS 1.2: TLS\_PSK\_WITH\_NULL\_SHA256 (RFC5487)
|
||||
\end{itemize}
|
||||
\item IP and TCP socket terminated in phone, only TCP payload handled by card
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{OTA over HTTPs}
|
||||
\begin{itemize}
|
||||
\item Card acts as HTTP client performing HTTP POST
|
||||
\item TLS payload is remote APDU format of ETSI TS 102 226
|
||||
\item additional HTTP headers
|
||||
\begin{itemize}
|
||||
\item X-Admin-Targeted-Application
|
||||
\item X-Admin-Next-URI
|
||||
\item X-Admin-Protocol: globalplatform-remote-admin/1.0 CRLF
|
||||
\item X-Admin-From
|
||||
\item X-Admin-Script-Status
|
||||
\item X-Admin-Resume
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{S@T}
|
||||
\begin{itemize}
|
||||
\item a strange beast specified outside of ETSI/3GPP
|
||||
|
@ -433,20 +501,49 @@
|
|||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{GSMA eSIM}
|
||||
\begin{itemize}
|
||||
\item system for remote provisioning of {\em profiles} to SIM
|
||||
\item allows change of operator / identity without replacement of physical card
|
||||
\item main use case is non-removable / soldered SIM chip (MFF2)
|
||||
\item also available from some operators in classic smart card size
|
||||
\item main relevant spec is GSMA SGP.22
|
||||
\item based around PKI between operators, all parties approved by GSMA
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
|
||||
|
||||
\begin{frame}{The CCC event SIM cards}
|
||||
\begin{figure}
|
||||
\centering
|
||||
\includegraphics[width=50mm]{32c3-sim-front.jpg}
|
||||
\includegraphics[width=50mm]{32c3-sim-back.jpg}
|
||||
\end{figure}
|
||||
\begin{itemize}
|
||||
\item are Java SIM + USIM cards
|
||||
\item support OTA, RAM, RFM
|
||||
\item support OTA, RAM, RFM (via SMS-PP and maybe BIP, not HTTPS)
|
||||
\item you can get the ADM PIN and OTA keys from the event GSM team
|
||||
\item a "hello world" Java applet and tools for installation are provided (thanks to shadytel + Dieter Spaar)
|
||||
\item identities and key data can be modified using Osmocom pySim software
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{Further Reading}
|
||||
%\begin{frame}{The evoluation of form factors}
|
||||
%\includegraphics{sim_card_formats.png}
|
||||
%\end{frame}
|
||||
|
||||
\begin{frame}{Further Reading (hyperlinked)}
|
||||
\begin{itemize}
|
||||
\item FIXME
|
||||
\item \href{https://simalliance.org/wp-content/uploads/2017/01/MobileConnectSteppingStones_FINAL_.pdf}{SIM alliance stepping stones}
|
||||
\item \href{https://osmocom.org/projects/simtrace2/wiki}{SIMtrace2 wiki}
|
||||
\item \href{https://simjacker.com/downloads/technicalpapers/AdaptiveMobile_Security_Simjacker_Technical_Paper_v1.01.pdf}{Simjacker vulnerability}
|
||||
\item \href{https://opensource.srlabs.de/projects/simtester/wiki}{SRLabs SIMtester}
|
||||
\item for historians
|
||||
\begin{itemize}
|
||||
\item \href{http://ftp.ccc.de/software/gsm/SIM_sim.zip}{CCC SIM simulator in Turbo C}
|
||||
\item \href{http://ftp.ccc.de/software/gsm/gsm_hack.tar.gz}{CCC sim clone / D2 Pirat}
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
|
|
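Review bot: In the new "OTA over HTTPs" frame (hunk @ -424,6 +458,40), the cipher-suite list puts `TLS\_PSK\_WITH\_NULL\_SHA (RFC4785)` and `TLS\_PSK\_WITH\_NULL\_SHA256 (RFC5487)` next to the AES suites with no remark, so a reader may take "OTA over HTTPS" to mean the admin channel is always encrypted, when the NULL suites authenticate and integrity-protect only, and 3DES-CBC with TLS 1.0/1.1 is no longer recommended. I would close the inner itemize with one bullet, e.g. `\item NULL suites give integrity only (no confidentiality); TLS 1.0/1.1 and 3DES are being deprecated`, so the slide states which of the listed suites actually protect the payload. A few typographic nits in the same commit: `{\em profiles}` in the GSMA eSIM frame should be `\emph{profiles}`, `"hello world"` should use LaTeX quotes (``hello world''), and the frame titles mix "HTTPs" with "HTTPS" elsewhere in the deck. "Introduced in Relase 6" appears in both the RFM and RAM frames; those lines may be pre-existing context rather than new, but the typo is worth fixing while touching them.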