2022 Advanced SIM

2022/osmodevcall-advanced_sim/advanced_sim.adoc

@@ -0,0 +1,346 @@
+Advanced SIM topics: ARA-M, SCP02, OTA, ISIM
+============================================
+:author:	Harald Welte <laforge@gnumonks.org>
+:copyright:	2022 by Harald Welte (License: CC-BY-SA)
+:backend:	slidy
+:max-width:	45em
+
+
+== Overview
+
+* Administrative Commands
+* ADF.ISIM
+* DF.5GS
+* ARA-M applet
+* GlobalPlatform SCP02
+* pySim-shell updates
+
+== Recap: Some smartcard terminology
+
+* card filesystem
+** *MF* (Master File): The root directory
+** *DF* (Dedicated File): A subdirectory
+** *ADF* (Application Dedicated File): Directory of an application (like USIM, ISIM)
+** *EF* (Entry File): A regulare file
+*** *Transparent EF*: An unstructured file
+*** *Linear Fixed EF*: An file consisting of fixed-length records
+
+== specs vs. proprietary
+
+* SIM cards are fully specified by a combination of ISU, ETSI and 3GPP specs
+* this covers only the operation after the card has been issued, e.g.
+** reading and writing files accessible without PIN auth, after PIN auth
+** performing GSM authentication or UMTS AKA
+* it does _not_ cover how the card is issued/provisioned
+** secret key material (Ki / K / OP / OPc) is not readable from the card
+** it is an implementation detail on how the card manufacturer writes those to the card
+* this leads to the need for card-specific support / code in software like pySim
+
+== Administrative Commands (TS 102 222)
+
+* most well-known SIM/UICC commands relate to normal operation
+** reflects what happens between phone (ME) and SIM
+** SELECT, {READ,UPDATE} {BINARY,RECORD}, VERIFY CHV, ...
+* there are also standardized _administrative_ commands
+** intended for use by the operator / card issuer
+** usually only work after authentication with ADM PIN or via secure channel
+
+== Administrative Commands (TS 102 222)
+
+* `CREATE FILE`
+* `DELETE FILE`
+* `DEACTIVATE FILE`
+** temporary deactivation (cannot be selected anymore)
+* `ACTIVATE FILE`
+** reactivation of deactivated files
+* `TERMINATE DF`
+** DF can never be used again
+* `TERMINATE EF`
+** EF can never be used again
+* `TERMINATE CARD USAGE`
+** permanently bricks the card
+
+== The ISIM application
+
+The history:
+
+* initial 2G SIM cards had `DF.GSM` + `DF.TELECOM`
+* ETSI UICC was specified as application-independent card
+* 3G/UMTS: 3GPP USIM application specified for UICC
+* 4G/LTE: continues to use USIM
+* IMS/VoLTE: optional ISIM application for UICC
+
+== ISIM application: Entirely optional
+
+* ISIM application is entirely optional
+* IMS (VoLTE, VoWiFi) can be used with pure USIM
+* without ISIM, default / fall-back mechanisms are used
+** P-CSCF address
+** Identities (IPUI derived from IMSI)
+
+== ISIM application: Files in USIM or ISIM
+
+Some files can either be in ADF.USIM **or** in ADF.ISIM
+
+* cards without ISIM might have them in USIM
+* cards with ISIM *must not* have them in USIM
+
+Files:
+
+* `EF.UICCIARI`
+* `EF.FromPreferred`
+* `EF.IMSConfigData`
+* `EF.XCAPConfigData`
+* `EF.MuDMiDConfigData`
+
+== ISIM application: Separate authentication context
+
+While IMS uses the same UMTS AKA Authentication Mechanism as 3G/4G systems,
+the authentication context can be different:
+
+* transport / access network (e.g. LTE) authenticates against USIM
+* IMS core network (e.g. P-CSCF) authenticates against ISIM
+
+At least in theory (and in practice with sysmoISIM-SJA2), one can configure
+different key material and even choose different algorithms for the two
+situations.
+
+== ISIM application: Files in ADF.ISIM
+
+image::adf_isim.png[align="center"]
+
+== ISIM application: Files in ADF.ISIM
+
+* `EV.IMPI` (IMS Private User Identity)
+* `EF.DOMAIN` (Home Network Domain Name)
+* `EF.IMPU` (IMS Public User Identity)
+* `EF.AD` (Administrative Data)
+* `EF.ARR` (Access Rule Reference)
+* `EF.IST` (ISIM Service Table, like EF.UST for USIM)
+* `EF.P-CSCF` (P-CSCF Address
+* `EF.GBABP` (GBA Bootstrapping Parameters)
+* `EF.NAFKCA` (NAF Key Centre Address)
+* `EF.SMS / EF.SMSS / EF.SMSR / EF.SMSP` (SMS like in GSM/USIM)
+* `EF.UICCIARI` (IMS Application Reference Identifier)
+* `EF.FromPreferred`
+* `EF.IMSConfigData`
+* `EF.XCAPConfigData`
+* `EF.WebRTCURI`
+* `EF.MuDMiDConfigData`
+
+
+== BER-TLV files (1/2)
+
+* new file type ('structure') from existing known types
+** transparent
+** linear fixed
+** cyclic
+* BER-TLV files store data in BER-TLV format [surprise!]
+* difference between storing BER-TLV in transparent file:
+** read/write/delete only TLV for a certain specific tag
+** no need to bother with padding
+* supported from sysmoISIM-SJA2v2 onwards (IMSI ending in >= 50000)
+
+== BER-TLV files (2/2)
+
+* USIM Files specified as BER-TLV:
+** `EF.URSP` (UE Route Selection Policies)
+** `DF.GRAPHICS/EF.ICE_graphics` (?)
+** `DF.MULTIMEDIA/EF.MML` (Multimedia Messages List)
+** `DF.MULTIMEDIA/EF.MMDF` (Multimedia Messages Data File)
+** `DF.MCS/EF.MCS_CONFIG` (Mission Critical Services)
+** `DF.V2X/EF.V2X_CONFIG` (V2X configuration Data)
+* ISIM Files specified as BER-TLV
+** `EF.IMSConfigData` (IMS Configuration Data)
+** `EF.MuDMiDConfigData` (Multi-Device / Multi-Identity Config)
+
+
+== 5G SIM / DF.5GS
+
+* 3GPP did not specify a new card application
+* 5G/NR uses the same USIM as 4G/LTE and 3G/UMTS
+* some optional additional files in ADF.USIM/DF.5GS
+** together with their associated _services_ (122-135)
+** `EF.5GS3GPPLOCI` (like EF.LOCI/3G and EF.EPSLOCI/4G)
+** `EF.5GSN3GPPLOCI` (non-3GPP location information)
+** `EF.5GS3GPPNSC` (NAS Security Context)
+** `EF.5GAUTHKEYS` (K_SEAF / K_AUSF, like EF.KEYS/3G)
+** `EF.UAC_AIC` (UAC Access Identities Configuration)
+** `EF.SUCI_Calc_Info` (For SUCI computation in ME)
+** `EF.OPL5G` (5GS Operator PLMN List)
+** `EF.SUPI_NAI` (SUPI as Network Access Identifier)
+** `EF.Routing_Indicator`
+** `EF.URSP` (UE Route Selection Policies per PLMN)
+** `EF.TN3GPPSNN` (Trusted non-3GPP Serving network names list)
+
+== 5G SIM / Files in DF.5GS
+
+image::df_5gs.png[align="center"]
+
+== 5G SIM / Calculation of SUCI on SIM
+
+* 5G introduces the optional SUCI security menchanism
+** SUCI == Subscriber Concealed Identifier
+* prevents IMSI (SUPI) transmission in plain-text
+* two implementation options:
+** SUCI computation on ME (phone) using key from SIM
+** SUCI computation on SIM card
+
+Some high-end cards (like eUICC) support SUCI calculation on the card.
+
+
+== ARA-M and Android Carrier Privileges
+
+* Android specific system to give apps more API access
+** change carrier/operator settings like APN, Roaming, ...
+** change IMS configuration for VoLTE / VoWiFi
+** inject SMS into android from an app
+* hash/cert of key used to sign app stored on SIM
+* if Android detects apps signed with matching key, API access is enabled
+* hash/cert is not stored as normal file in filesytem
+* requires _Secure Element Access Control_ application on card
+
+== ARA-M / Secure Element Access Control
+
+image::ara-m-architecture.png[width=1000,align="center"]
+
+== ARA-M in practice
+
+* minimal open source ARA-M applet: https://github.com/bertrandmartel/aram-applet
+* pre-installed on sysmoISIM-SJA2
+* pySim-shell has support for adding/deleting rules (see user manual)
+* see https://github.com/herlesupreeth/CoIMS_Wiki for more information
+
+== pySim-shell updates since April 2021
+
+* commands
+** more decoders for more files
+** TS 102 222 administrative commands
+** `ust_service_check`
+** `apdu` command
+** `export --json`
+* encoders/decoers
+** TLV definitions for IMS, XCAP and MudMid
+** FCP in `export`
+* BER-TLV file support
+* ARA-M support
+* support for generic, non-sysmocom cards
+* WIP
+** basic GlobalPlatform commands
+** `decode_hex` command
+
+
+== GlobalPlatform
+
+* GlobalPlatform specifies the Javacard universe
+* SIM cards are not required to be Java cards, but in practice they mostly are
+** ... and they mostly only implement ancient GlobalPlatform versions
+* specifies how to install/remove/lock/unlock applets
+* specifies transport layer security protocols (SCP02, SCP03)
+
+== GlobalPlatform APDU commands
+
+* Key Management
+** `PUT KEY`
+** `DELETE KEY`
+* Data
+** `GET DATA`
+** `STORE DATA`
+* Application Locking/Unlocking
+** `GET STATUS`
+** `SET STATUS`
+* Installation / Deletion (Executables, Applets)
+** `INSTALL`
+** `DELETE`
+
+== GlobalPlatform INSTALL / DELETE flavours
+
+* `INSTALL`
+** `INSTALL [for load]`
+** `INSTALL [for install]`
+** `INSTALL [for load, install and make selectable]`
+** `INSTALL [for install and make selectable]`
+** `INSTALL [for make selectable]`
+** `INSTALL [for extradition]`
+** `INSTALL [for registry update]`
+** `INSTALL [for personalization]`
+* `DELETE`
+** Executable Load File
+** Executable Load File and related Applications
+** Application
+
+== GlobalPlatform SCP02 initiation
+
+* mutual authentication between card and external software
+** contains random factor from both sides
+** generates session keys
+* transport-level security established ('secure messaging')
+* protected APDUs between on-card software and off-card software
+
+image::scp02-flow.png[align="center"]
+
+== GlobalPlatform SCP02 APDU commands
+
+* `INITIALIZE UPDATE`
+* `EXTERNAL AUTHENTICATE`
+* `BEGIN R-MAC SESSION`
+* `END R-MAC SESSION`
+
+== C-MAC
+
+* C-MAC (Command Message Authentication Code)
+** either on unmodified APDU or modified APDU
+
+image::scp02_cmac_modified.png[align="center"]
+
+== R-MAC
+
+optional MAC on responses generated by card
+
+image::scp02_rmac.png[align="center"]
+
+
+== Data Field Encryption
+
+optional confidentiality of data field of APDUs
+
+image::scp02_data_field_encryption.png[align="center"]
+
+
+== OTA (Over The Air)
+
+* Mechanism how some software in operator core can talk to SIM in the field
+* traverses the entire 3GPP Core and Radio Access Network, hence _over the air_.
+
+image::ota_overview.png[width=1000,align="center"]
+
+== OTA transport mechanisms
+
+* SMS-PP (SMS as you know it)
+* SMS-CB (Cell Broadcast)
+** would require shared keys, bad idea
+* USSD
+** faster, more responsive than SMS
+* BIP (Bearer Independent Protocol)
+** CSD, GPRS, Bluetooth, IrDA
+* HTTP over TLS-PSK on the card (!)
+** Amendmend B GlobalPlatform Card Sepc v2.2
+
+== Further Reading
+
+* https://git.osmocom.org/pysim/about/[pySim source code / git repository]
+* https://media.ccc.de/v/36c3-10737-sim_card_technology_from_a-z[Video of talk "SIM card technology from A-Z"]
+* Specs
+** ETSI TS 102 221 (UICC)
+** ETSI TS 102 222 (Administrative Commands)
+** ETSI TS 102 223 (Bearer Independent Protocol)
+** ETSI TS 102 225 (Secured Packets for OTA)
+** 3GPP TS 31.102 (USIM)
+** 3GPP TS 31.103 (ISIM)
+** GlobalPlatform Card Specification 2.2.1
+** GlobalPlatform Secure Element Access Control v1.0
+
+
+== EOF
+
+End of File