Mobile networks are starting to be used to connect all sorts of devices: wireless for mobility, ease of connection and remote management. The traditional removable SIM may not be appropriate for certain applications; SIMs may instead be embedded in devices at manufacture.
Embedded SIMs & M2M Communications
Michael Walker, Vodafone Fellow and Executive Technical Advisor; Professor of Telecommunications, Royal Holloway University of London
ETSI Security Workshop, 20th January 2011

New Opportunities for Mobile Communications
- Mobile networks are starting to be used to connect all sorts of devices: wireless for mobility, ease of connection and remote management.
- The traditional removable SIM may not be appropriate for certain applications.
- SIMs may be embedded in devices at manufacture:
  - this may even be in advance of the choice of country of use and network operator;
  - the network operator may be changed during the lifetime of the device.
- Deutsche Telekom, Telefónica O2 UK, Vodafone and Giesecke & Devrient (G&D) have worked together to prepare for the standardization of a trusted and flexible solution for the remote management of embedded SIMs.
- Our work will contribute to the GSMA Task Force on the subject.

Example Use-cases for the Embedded SIM
- Set up subscriptions for a number of connected M2M devices to start telecommunication services and, if later needed, change MNO:
  - automated reading of utility meters, provided by the utility company;
  - household security camera, a consumer-purchased service;
  - automotive, provided by the vehicle manufacturer.
- Set up a subscription for a consumer electronics device to start telecommunication services and, if later needed, change MNO:
  - tablet PC, with or without wireless service included;
  - personal navigation device, with wireless service included.

Remote Management of the Embedded SIM
- The main security challenge is to securely provision the MNO-unique key and authentication algorithm needed for chargeable telecommunication services:
  - download of the key in encrypted form, or a secure means to derive the key;
  - download of an MNO authentication algorithm is an unacceptable security risk, so standard algorithms must be used.
- The SIM card is the MNO's network presence in the device, and this function should be preserved.
- The end user must be provided with use of communications services without limitation in choice and without additional effort.
- The solution proposed makes use of a Subscription Manager:
  - trusted by M2M service providers and MNOs;
  - securely provisions, changes and deletes MNO subscriptions;
  - may use a provisioning subscription and OTA access to embedded SIMs.

M2M Device High Level Architecture
[Diagram: eSIM Supplier, Device Vendor, M2M Service Provider, Provisioning Network, Subscription Manager, MNO 1 and MNO 2; flows labelled eSIM ID and Key Data, eSIM / device provisioning data, Subscription Credentials, eSIM Provisioned, Telecom Services]

Options to Provision the Authentication Key
- The overall security shall be at least equivalent to that achieved with the current removable SIM card, its processes and OTA management.
- A number of symmetric key solutions were considered for provisioning of the secret key (as well as asymmetric solutions) but not developed further:
  - pre-provision of multiple keys, as used for vehicle tracking in Brazil;
  - derive keys from a root key and MCC/MNC data;
  - a sequence of keys generated by a deterministic random bit generator from a secret seed held in the embedded SIM and the Subscription Manager.
- The preferred method is to encrypt the subscription key under a root key shared by the SM and the embedded SIM:
  - allows the MNO to choose the subscription key;
  - may be installed using OTA if a provisioning subscription is enabled, or over an Internet connection;
  - will include integrity checking.

Architecture for Provisioning
[Diagram: eUICC in the device; Subscription Manager (SM1), MNO1 and MNO2; paths 1a, 1b, 2 and 3 over the wired network, the Internet or a private network, and the mobile network via the provisioning, MNO1 and MNO2 subscriptions; local connectivity (e.g. Bluetooth or NFC)]
- Use secure packets in the proven OTA mechanism [TS 102 225]; run over other forms of connectivity:
  - Internet (fixed or wireless);
  - local connectivity (e.g. Bluetooth or NFC).
- Provision the first MNO key + IMSI: over the wire (1a) or over the air (1b).
- Change key + IMSI to the second MNO (2).

Working for an Industry Solution
- Leverage the proven strengths of the SIM card and provide a new capability for secure remote management of an embedded version:
  - a separate hardware integrated circuit soldered into the device using the recently standardised ETSI SCP MFF2 package;
  - the embedded SIM and its manufacture will be accredited to industry standards so that only certified embedded SIMs will be supplied to device vendors.
- Once provisioned, the embedded SIM will hold the active key and IMSI authorising the device for telecommunication services, possibly together with dormant subscriptions.

In Summary
- The traditional SIM needs to be re-considered in the context of new mobile communication opportunities, in particular machine-to-machine communications.
- Deutsche Telekom, Telefónica O2 UK, Vodafone and Giesecke & Devrient are preparing for the development of an open and standardized solution in 2011.
SIMEG 2010
- We can re-use and profile existing international standards and minimise changes to existing SIM processes.
- Extend the proven secure hardware identity module and secure OTA mechanisms that have made the SIM the bedrock for secure mobile communications worldwide, and contribute to the GSMA Task Force.
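The preferred provisioning method on the "Options to Provision the Authentication Key" slide (MNO-chosen subscription key encrypted under a root key shared by the Subscription Manager and the embedded SIM, with integrity checking), as an added example that is not code from the slides or from the companies named: the SM side wraps Ki with AES-GCM, and the eUICC side installs it only if the tag verifies. The cipher choice, the packet struct, the function names and the demo values are assumptions; the real secure-packet format is TS 102 225, not this struct.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// ProvisioningPacket carries the MNO-chosen subscription key Ki encrypted
// under the root key shared by the Subscription Manager and one eUICC. The
// eUICC ID and IMSI travel in clear but are bound to the ciphertext as
// AES-GCM associated data, so the GCM tag is the required integrity check.
type ProvisioningPacket struct {
	EUICCID, IMSI    string
	Nonce, WrappedKi []byte // AES-GCM nonce and ciphertext||tag
}

func newGCM(rootKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(rootKey) // root key: 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap runs on the Subscription Manager side.
func Wrap(rootKey []byte, euiccID, imsi string, ki []byte) (ProvisioningPacket, error) {
	aead, err := newGCM(rootKey)
	if err != nil {
		return ProvisioningPacket{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per packet
	if _, err = rand.Read(nonce); err != nil {
		return ProvisioningPacket{}, err
	}
	aad := []byte(euiccID + "|" + imsi)
	return ProvisioningPacket{euiccID, imsi, nonce, aead.Seal(nil, nonce, ki, aad)}, nil
}

// Install runs on the eUICC side and returns the recovered Ki. The eUICC
// authenticates with its own ID, so a packet addressed to another eUICC, or
// one whose key, IMSI or ID was altered in transit, fails the GCM tag check
// and no key is installed.
func Install(rootKey []byte, myID string, p ProvisioningPacket) ([]byte, error) {
	aead, err := newGCM(rootKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, p.Nonce, p.WrappedKi, []byte(myID+"|"+p.IMSI))
}
```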