2022 Advanced SIM
After Width: | Height: | Size: 41 KiB |
|
@ -0,0 +1,346 @@
|
|||
Advanced SIM topics: ARA-M, SCP02, OTA, ISIM
|
||||
============================================
|
||||
:author: Harald Welte <laforge@gnumonks.org>
|
||||
:copyright: 2022 by Harald Welte (License: CC-BY-SA)
|
||||
:backend: slidy
|
||||
:max-width: 45em
|
||||
|
||||
|
||||
== Overview
|
||||
|
||||
* Administrative Commands
|
||||
* ADF.ISIM
|
||||
* DF.5GS
|
||||
* ARA-M applet
|
||||
* GlobalPlatform SCP02
|
||||
* pySim-shell updates
|
||||
|
||||
== Recap: Some smartcard terminology
|
||||
|
||||
* card filesystem
|
||||
** *MF* (Master File): The root directory
|
||||
** *DF* (Dedicated File): A subdirectory
|
||||
** *ADF* (Application Dedicated File): Directory of an application (like USIM, ISIM)
|
||||
** *EF* (Entry File): A regulare file
|
||||
*** *Transparent EF*: An unstructured file
|
||||
*** *Linear Fixed EF*: An file consisting of fixed-length records
|
||||
|
||||
== specs vs. proprietary
|
||||
|
||||
* SIM cards are fully specified by a combination of ISU, ETSI and 3GPP specs
|
||||
* this covers only the operation after the card has been issued, e.g.
|
||||
** reading and writing files accessible without PIN auth, after PIN auth
|
||||
** performing GSM authentication or UMTS AKA
|
||||
* it does _not_ cover how the card is issued/provisioned
|
||||
** secret key material (Ki / K / OP / OPc) is not readable from the card
|
||||
** it is an implementation detail on how the card manufacturer writes those to the card
|
||||
* this leads to the need for card-specific support / code in software like pySim
|
||||
|
||||
== Administrative Commands (TS 102 222)
|
||||
|
||||
* most well-known SIM/UICC commands relate to normal operation
|
||||
** reflects what happens between phone (ME) and SIM
|
||||
** SELECT, {READ,UPDATE} {BINARY,RECORD}, VERIFY CHV, ...
|
||||
* there are also standardized _administrative_ commands
|
||||
** intended for use by the operator / card issuer
|
||||
** usually only work after authentication with ADM PIN or via secure channel
|
||||
|
||||
== Administrative Commands (TS 102 222)
|
||||
|
||||
* `CREATE FILE`
|
||||
* `DELETE FILE`
|
||||
* `DEACTIVATE FILE`
|
||||
** temporary deactivation (cannot be selected anymore)
|
||||
* `ACTIVATE FILE`
|
||||
** reactivation of deactivated files
|
||||
* `TERMINATE DF`
|
||||
** DF can never be used again
|
||||
* `TERMINATE EF`
|
||||
** EF can never be used again
|
||||
* `TERMINATE CARD USAGE`
|
||||
** permanently bricks the card
|
||||
|
||||
== The ISIM application
|
||||
|
||||
The history:
|
||||
|
||||
* initial 2G SIM cards had `DF.GSM` + `DF.TELECOM`
|
||||
* ETSI UICC was specified as application-independent card
|
||||
* 3G/UMTS: 3GPP USIM application specified for UICC
|
||||
* 4G/LTE: continues to use USIM
|
||||
* IMS/VoLTE: optional ISIM application for UICC
|
||||
|
||||
== ISIM application: Entirely optional
|
||||
|
||||
* ISIM application is entirely optional
|
||||
* IMS (VoLTE, VoWiFi) can be used with pure USIM
|
||||
* without ISIM, default / fall-back mechanisms are used
|
||||
** P-CSCF address
|
||||
** Identities (IPUI derived from IMSI)
|
||||
|
||||
== ISIM application: Files in USIM or ISIM
|
||||
|
||||
Some files can either be in ADF.USIM **or** in ADF.ISIM
|
||||
|
||||
* cards without ISIM might have them in USIM
|
||||
* cards with ISIM *must not* have them in USIM
|
||||
|
||||
Files:
|
||||
|
||||
* `EF.UICCIARI`
|
||||
* `EF.FromPreferred`
|
||||
* `EF.IMSConfigData`
|
||||
* `EF.XCAPConfigData`
|
||||
* `EF.MuDMiDConfigData`
|
||||
|
||||
== ISIM application: Separate authentication context
|
||||
|
||||
While IMS uses the same UMTS AKA Authentication Mechanism as 3G/4G systems,
|
||||
the authentication context can be different:
|
||||
|
||||
* transport / access network (e.g. LTE) authenticates against USIM
|
||||
* IMS core network (e.g. P-CSCF) authenticates against ISIM
|
||||
|
||||
At least in theory (and in practice with sysmoISIM-SJA2), one can configure
|
||||
different key material and even choose different algorithms for the two
|
||||
situations.
|
||||
|
||||
== ISIM application: Files in ADF.ISIM
|
||||
|
||||
image::adf_isim.png[align="center"]
|
||||
|
||||
== ISIM application: Files in ADF.ISIM
|
||||
|
||||
* `EV.IMPI` (IMS Private User Identity)
|
||||
* `EF.DOMAIN` (Home Network Domain Name)
|
||||
* `EF.IMPU` (IMS Public User Identity)
|
||||
* `EF.AD` (Administrative Data)
|
||||
* `EF.ARR` (Access Rule Reference)
|
||||
* `EF.IST` (ISIM Service Table, like EF.UST for USIM)
|
||||
* `EF.P-CSCF` (P-CSCF Address
|
||||
* `EF.GBABP` (GBA Bootstrapping Parameters)
|
||||
* `EF.NAFKCA` (NAF Key Centre Address)
|
||||
* `EF.SMS / EF.SMSS / EF.SMSR / EF.SMSP` (SMS like in GSM/USIM)
|
||||
* `EF.UICCIARI` (IMS Application Reference Identifier)
|
||||
* `EF.FromPreferred`
|
||||
* `EF.IMSConfigData`
|
||||
* `EF.XCAPConfigData`
|
||||
* `EF.WebRTCURI`
|
||||
* `EF.MuDMiDConfigData`
|
||||
|
||||
|
||||
== BER-TLV files (1/2)
|
||||
|
||||
* new file type ('structure') from existing known types
|
||||
** transparent
|
||||
** linear fixed
|
||||
** cyclic
|
||||
* BER-TLV files store data in BER-TLV format [surprise!]
|
||||
* difference between storing BER-TLV in transparent file:
|
||||
** read/write/delete only TLV for a certain specific tag
|
||||
** no need to bother with padding
|
||||
* supported from sysmoISIM-SJA2v2 onwards (IMSI ending in >= 50000)
|
||||
|
||||
== BER-TLV files (2/2)
|
||||
|
||||
* USIM Files specified as BER-TLV:
|
||||
** `EF.URSP` (UE Route Selection Policies)
|
||||
** `DF.GRAPHICS/EF.ICE_graphics` (?)
|
||||
** `DF.MULTIMEDIA/EF.MML` (Multimedia Messages List)
|
||||
** `DF.MULTIMEDIA/EF.MMDF` (Multimedia Messages Data File)
|
||||
** `DF.MCS/EF.MCS_CONFIG` (Mission Critical Services)
|
||||
** `DF.V2X/EF.V2X_CONFIG` (V2X configuration Data)
|
||||
* ISIM Files specified as BER-TLV
|
||||
** `EF.IMSConfigData` (IMS Configuration Data)
|
||||
** `EF.MuDMiDConfigData` (Multi-Device / Multi-Identity Config)
|
||||
|
||||
|
||||
== 5G SIM / DF.5GS
|
||||
|
||||
* 3GPP did not specify a new card application
|
||||
* 5G/NR uses the same USIM as 4G/LTE and 3G/UMTS
|
||||
* some optional additional files in ADF.USIM/DF.5GS
|
||||
** together with their associated _services_ (122-135)
|
||||
** `EF.5GS3GPPLOCI` (like EF.LOCI/3G and EF.EPSLOCI/4G)
|
||||
** `EF.5GSN3GPPLOCI` (non-3GPP location information)
|
||||
** `EF.5GS3GPPNSC` (NAS Security Context)
|
||||
** `EF.5GAUTHKEYS` (K_SEAF / K_AUSF, like EF.KEYS/3G)
|
||||
** `EF.UAC_AIC` (UAC Access Identities Configuration)
|
||||
** `EF.SUCI_Calc_Info` (For SUCI computation in ME)
|
||||
** `EF.OPL5G` (5GS Operator PLMN List)
|
||||
** `EF.SUPI_NAI` (SUPI as Network Access Identifier)
|
||||
** `EF.Routing_Indicator`
|
||||
** `EF.URSP` (UE Route Selection Policies per PLMN)
|
||||
** `EF.TN3GPPSNN` (Trusted non-3GPP Serving network names list)
|
||||
|
||||
== 5G SIM / Files in DF.5GS
|
||||
|
||||
image::df_5gs.png[align="center"]
|
||||
|
||||
== 5G SIM / Calculation of SUCI on SIM
|
||||
|
||||
* 5G introduces the optional SUCI security menchanism
|
||||
** SUCI == Subscriber Concealed Identifier
|
||||
* prevents IMSI (SUPI) transmission in plain-text
|
||||
* two implementation options:
|
||||
** SUCI computation on ME (phone) using key from SIM
|
||||
** SUCI computation on SIM card
|
||||
|
||||
Some high-end cards (like eUICC) support SUCI calculation on the card.
|
||||
|
||||
|
||||
== ARA-M and Android Carrier Privileges
|
||||
|
||||
* Android specific system to give apps more API access
|
||||
** change carrier/operator settings like APN, Roaming, ...
|
||||
** change IMS configuration for VoLTE / VoWiFi
|
||||
** inject SMS into android from an app
|
||||
* hash/cert of key used to sign app stored on SIM
|
||||
* if Android detects apps signed with matching key, API access is enabled
|
||||
* hash/cert is not stored as normal file in filesytem
|
||||
* requires _Secure Element Access Control_ application on card
|
||||
|
||||
== ARA-M / Secure Element Access Control
|
||||
|
||||
image::ara-m-architecture.png[width=1000,align="center"]
|
||||
|
||||
== ARA-M in practice
|
||||
|
||||
* minimal open source ARA-M applet: https://github.com/bertrandmartel/aram-applet
|
||||
* pre-installed on sysmoISIM-SJA2
|
||||
* pySim-shell has support for adding/deleting rules (see user manual)
|
||||
* see https://github.com/herlesupreeth/CoIMS_Wiki for more information
|
||||
|
||||
== pySim-shell updates since April 2021
|
||||
|
||||
* commands
|
||||
** more decoders for more files
|
||||
** TS 102 222 administrative commands
|
||||
** `ust_service_check`
|
||||
** `apdu` command
|
||||
** `export --json`
|
||||
* encoders/decoers
|
||||
** TLV definitions for IMS, XCAP and MudMid
|
||||
** FCP in `export`
|
||||
* BER-TLV file support
|
||||
* ARA-M support
|
||||
* support for generic, non-sysmocom cards
|
||||
* WIP
|
||||
** basic GlobalPlatform commands
|
||||
** `decode_hex` command
|
||||
|
||||
|
||||
== GlobalPlatform
|
||||
|
||||
* GlobalPlatform specifies the Javacard universe
|
||||
* SIM cards are not required to be Java cards, but in practice they mostly are
|
||||
** ... and they mostly only implement ancient GlobalPlatform versions
|
||||
* specifies how to install/remove/lock/unlock applets
|
||||
* specifies transport layer security protocols (SCP02, SCP03)
|
||||
|
||||
== GlobalPlatform APDU commands
|
||||
|
||||
* Key Management
|
||||
** `PUT KEY`
|
||||
** `DELETE KEY`
|
||||
* Data
|
||||
** `GET DATA`
|
||||
** `STORE DATA`
|
||||
* Application Locking/Unlocking
|
||||
** `GET STATUS`
|
||||
** `SET STATUS`
|
||||
* Installation / Deletion (Executables, Applets)
|
||||
** `INSTALL`
|
||||
** `DELETE`
|
||||
|
||||
== GlobalPlatform INSTALL / DELETE flavours
|
||||
|
||||
* `INSTALL`
|
||||
** `INSTALL [for load]`
|
||||
** `INSTALL [for install]`
|
||||
** `INSTALL [for load, install and make selectable]`
|
||||
** `INSTALL [for install and make selectable]`
|
||||
** `INSTALL [for make selectable]`
|
||||
** `INSTALL [for extradition]`
|
||||
** `INSTALL [for registry update]`
|
||||
** `INSTALL [for personalization]`
|
||||
* `DELETE`
|
||||
** Executable Load File
|
||||
** Executable Load File and related Applications
|
||||
** Application
|
||||
|
||||
== GlobalPlatform SCP02 initiation
|
||||
|
||||
* mutual authentication between card and external software
|
||||
** contains random factor from both sides
|
||||
** generates session keys
|
||||
* transport-level security established ('secure messaging')
|
||||
* protected APDUs between on-card software and off-card software
|
||||
|
||||
image::scp02-flow.png[align="center"]
|
||||
|
||||
== GlobalPlatform SCP02 APDU commands
|
||||
|
||||
* `INITIALIZE UPDATE`
|
||||
* `EXTERNAL AUTHENTICATE`
|
||||
* `BEGIN R-MAC SESSION`
|
||||
* `END R-MAC SESSION`
|
||||
|
||||
== C-MAC
|
||||
|
||||
* C-MAC (Command Message Authentication Code)
|
||||
** either on unmodified APDU or modified APDU
|
||||
|
||||
image::scp02_cmac_modified.png[align="center"]
|
||||
|
||||
== R-MAC
|
||||
|
||||
optional MAC on responses generated by card
|
||||
|
||||
image::scp02_rmac.png[align="center"]
|
||||
|
||||
|
||||
== Data Field Encryption
|
||||
|
||||
optional confidentiality of data field of APDUs
|
||||
|
||||
image::scp02_data_field_encryption.png[align="center"]
|
||||
|
||||
|
||||
== OTA (Over The Air)
|
||||
|
||||
* Mechanism how some software in operator core can talk to SIM in the field
|
||||
* traverses the entire 3GPP Core and Radio Access Network, hence _over the air_.
|
||||
|
||||
image::ota_overview.png[width=1000,align="center"]
|
||||
|
||||
== OTA transport mechanisms
|
||||
|
||||
* SMS-PP (SMS as you know it)
|
||||
* SMS-CB (Cell Broadcast)
|
||||
** would require shared keys, bad idea
|
||||
* USSD
|
||||
** faster, more responsive than SMS
|
||||
* BIP (Bearer Independent Protocol)
|
||||
** CSD, GPRS, Bluetooth, IrDA
|
||||
* HTTP over TLS-PSK on the card (!)
|
||||
** Amendmend B GlobalPlatform Card Sepc v2.2
|
||||
|
||||
== Further Reading
|
||||
|
||||
* https://git.osmocom.org/pysim/about/[pySim source code / git repository]
|
||||
* https://media.ccc.de/v/36c3-10737-sim_card_technology_from_a-z[Video of talk "SIM card technology from A-Z"]
|
||||
* Specs
|
||||
** ETSI TS 102 221 (UICC)
|
||||
** ETSI TS 102 222 (Administrative Commands)
|
||||
** ETSI TS 102 223 (Bearer Independent Protocol)
|
||||
** ETSI TS 102 225 (Secured Packets for OTA)
|
||||
** 3GPP TS 31.102 (USIM)
|
||||
** 3GPP TS 31.103 (ISIM)
|
||||
** GlobalPlatform Card Specification 2.2.1
|
||||
** GlobalPlatform Secure Element Access Control v1.0
|
||||
|
||||
|
||||
== EOF
|
||||
|
||||
End of File
|
After Width: | Height: | Size: 143 KiB |
After Width: | Height: | Size: 32 KiB |
After Width: | Height: | Size: 51 KiB |
After Width: | Height: | Size: 68 KiB |
After Width: | Height: | Size: 68 KiB |
After Width: | Height: | Size: 72 KiB |
After Width: | Height: | Size: 44 KiB |
After Width: | Height: | Size: 64 KiB |