Teleconilnunicutibns V
`standardization
`
`SIERRA WIRELESS 1015
`SIERRA WIRELESS 1015
`
`

`
`European Telecommunications Standardization
`and the Information Society
`
`— The State of the Art 1995 —
`
`Eublished by
`Atalink,Ltd
`40 Bowling Green Lane
`London EC1Fi ONE
`United Kingdom
`Telephone: +44 (0) 171 278 0333
`Facsimile: +44 (0) 171 837 6135
`Internet address
`ta|k@ata|ink.demon.co.uk
`
`On behalf of the
`European Telecommunications Standards Institute
`" 650 Route des Lucioles
`
`F-06921 Sophia Antipolis Cedex
`France
`
`Telephone: +33 92 94 42 O0
`Facsimile: +33 93 65 47 16
`
`Publisher
`Charles Gregoriou
`
`Editor
`Mark Harrington
`
`.
`
`_
`
`Editorial Committee
`Malcolm Butler, Christopher J Corbett
`Mark Harrington, Kirit Lathia
`Miguel Pellon, Karl Heinz‘ Rosenbrock
`.
`Coordinator-in-Chief
`Christopher J Corbett
`
`Sub-Editors (United Kingdom)
`Beverly Wing
`Auriol de Stacpoole
`
`V
`
`Editorial Coordination (France)
`Frédérique Chauvel, Nathalie Kounakoff
`Ulli Merz
`
`.
`
`»
`
`Production
`Sally Hooker
`Chris Hutchings
`
`Meg Lawrence
`
`Marketing
`Philip Charles, Geoff Farmer
`Mike Walsh, Stuart Ferguson
`Mark Hall
`
`Computersetting
`Lynx Graphics Ltd, London, England
`
`Origination
`Stones Digital Imaging, Potters Bar, England
`
`Printing
`Cradley Print, West Midlands, England
`
`Paper
`’
`Printed on G Print Matt 115gsm
`
`Production Manager
`Nancy Clarke
`
`Front Cover Design and Origination
`GS Communication — Sophia Antipolis, France
`
`Acknowledgements
`The publishers would like to thank all those individuals who have contributed to this publication. Special thanks are extended to the
`authors for the time -and effort spent in writing their substantial articles. Our utmost gratitude is extended to the Editorial Committee for
`their many hours spent travelling to meetings in order to spend many more hours planning the editorial structure of the publication and
`directing its content. We would like to thank Motorola for the kind use of their videoconferencing facilities. We would also like to thank
`Karl Heinz Ftosenbrock and Christopher J Corbett for their invaluable assistance and guidance throughout the many months spent
`preparing this publication.
`'
`
`Copyright
`© Atalink Ltd and European Telecommunications Standards Institute, June 1995. All rights reserved. No part of this publication may be
`used, reproduced, stored in an information retrieval system or transmitted in any manner whatsoever without the express written per-
`mission of European Telecommunications Standards institute.
`
`This publication has been prepared wholly upon information supplied by the contributors and whilst the publishers trust that its content
`will be of interest to readers, its accuracy cannot be guaranteed. The publishers are unable to accept, and hereby expressly disclaim,
`any liability for the consequences of any inaccuracies, errors or omissions in such information whether occurring during the process-
`ing of such information for publication or otherwise. No representations, whether within the meaning of the Misrepresentation Act 1967
`or otherwise, warranties or endorsements of any information contained herein are given or intended and full verification of all informa-
`tion appearing in this publication of the articles contained herein does not necessarily imply that any opinions therein are necessarily
`those of the publishers.
`
`

`
`The
`
`Subscriber
`
`Identity
`
`Module
`
`Dr. Klaus Vedder, Giesecke & Devrient GmbH
`
`and, Chairman ETSI Sub Technical
`Committee SMG 9.
`
`The Global System for Mobile
`
`communications (GSM) is the first
`
`international system employing a smart
`card as a secure device for the authen-
`
`tication of the subscription and the
`
`subscriber. The smart card, which is
`
`called the Subscriber Identity Module
`
`(SIM), contains subscription and
`
`security related data as well as user
`data. This article discusses the role of
`
`the SIM as an important part of the
`
`security built into GSM and as a token
`for services rendered to subscribers
`
`and operators.
`
`Cashless payment transactions at the point of sale: the
`G&D terminals process all cards including chipcards.
`Copyright: Giesecke & Devrient 1994
`
`The idea of using a microprocessor or “smart”
`cart; for the authentication of a subscriber in a
`mobile network goes backto the early 1980s when
`discussions in Germany led to the use of micro-
`processor cards in the analogue mobile network
`“Netz-C”. These ideas coincided with theearly dis-
`cussions about
`the design of a multi-national
`mobile network which would allow the user to roam
`
`on a previously unknown scale, the Global System
`for Mobile communications (GSM).
`
`The Sub Technical Committee SMG 9 “SIM
`
`aspects” was established in April 1994 as the suc-
`cessor of the Subscriber Identity Module Expert
`Group (SIMEG) which had been founded in 1988
`as a Working Party of what is now Sub Technical
`Committee SMG 1 “Services and facilities". The
`
`scope of SIMEG was to look into the functional
`characteristics of a subscriber identity module and
`its development. It was the common understand-
`ing that an integrated Circuit card having the
`format of a credit card‘(the so—ca|led lD—1 card)
`would be one of them. Two additional implemen-
`tations were considered for quite some time: a
`Plug-in module which could be used for mobiles
`too small to accept an ID-1 card, and a module
`which would be an integral part of the mobile.
`Though the “integral” module had the obvious
`advantage that it required no extra interface in the
`mobile, it was considered not to be suitable for the
`requirements of GSM. The problems concerned
`mainly the handling of security related data.
`It
`would be difficult, if not impossible, for the opera-
`tors to use their own specific security algorithms
`and to keep very close control of the secret keys
`and other operator specific data without a dedi-
`cated security module.
`it was also believed that
`“non-personal” mobiles would open up the market
`for all manufacturers and reduce trade barriers as
`
`every mobile could be used in every network. The
`discussions on the Plug-in module concentrated
`mainly on the use of Surface Mounted Device
`(SMD) packages for housing the chip and a
`smaller form of card which could be obtained by
`
`

`
`Mobile
`
`cutting away “excessive" plastic from an ID-1 card.
`The latter, which had been proposed by the author,
`was eventually accepted as the realization of the
`“semi-permanent” Plug—in SIM”.
`
`The split of a Mobile Station (MS) into a radio part,
`the Mobile Equipment
`(ME), which does not
`contain any subscription related information, and a
`subscription part, the SIM, gives the network oper-
`ator, on whose behalf the SIM is issued, complete
`control over all subscription and security related
`data. The concept of a removable SIM adds a new
`dimension of mobility to the subscription. The SIM
`is thus an integral part of the overall security
`system of each, and therefore all networks, and a
`token for the mobility of the subscriber.
`
`if
`
`The main specifications dealing with the SIM are
`the description of its functionality, Technical Speci-
`fication GSM 02.17‘ and the specification of its
`interface to the ME Technical Specification GSM
`11 .1 12. Tests of the SIM/ME interface are contained
`in Technical Specification GSM 11.10 which spec-
`ifies the type approval of the Mobile Station. For
`the interested reader more detailed information on
`all aspects of GSM can be found in Hillebrand3 and,
`Mouly and Pautet4.
`
`The following sections discuss the security ser-
`vices provided by GSM and the role played by the
`SIM as a secure device for storing keys and algo-
`rithms, briefly introduce the microcomputer con-
`tained in the SIM and discuss access to the SIM.
`This is followed by a description of the main ser-
`vices supported by the SIM. The handling of SlMs
`and an outlook of services and features to come,
`conclude this overview.
`
`Security services and the SIM
`One of the novel security services of GSM is the
`possibility to encipher the link between the Mobile
`Station (MS) and the Base Station for the protec-
`tion of user and signalling data against eaves-
`dropping. Special ciphers have been developed for
`this purpose. They are integrated into the Mobile
`Equipment as a dedicated piece of silicon. The key
`for enciphering the data is derived by the SIM as
`part of the authentication process. The network
`can only authenticate the SIM if it knows its iden-
`tity. As this has to be sent by the Mobile Station
`overthe air interface, temporary identities are used
`to counteract the tracing of the whereabouts of a
`user
`
`More precisely, the temporary identities prevent
`the tracing of the location of a user by intercepting
`the user’s identity on the air interface. Clearly, the
`International Mobile Subscriber "Identity (IMSI),
`which uniquely identifies the subscriber worldwide
`has to be used for the set up of a session if there
`
`are no other means to identify a subscriber. This
`is, for instance, the case when the subscriber uses
`the SIM for the very first time. After a successful
`authentication the network assigns a Temporary
`Mobile Subscriber Identifier (TMSI) to the SIM and
`transmits this identifier after the activation of the
`cipher process in an enciphered form to the MS
`where it is deciphered. The MS stores the tempo-
`rary identity in the SIM. This TMSI will be used
`instead of the IMSI whenever possible until a new
`TMSI is assigned to the SIM. Reassignment takes
`place at defined times by each operator.
`
`Authentication is the “corroboration that an entity
`is the one claimed” or, in terms of GSM, the verifi-
`cation of the identity of the SIM or the subscriber.
`The illegitimate use of a service is certainly of
`concern with respect to proper billing. The not so
`obvious
`illegitimate
`use
`is masquerading.
`Impersonating a subscriber and claiming after-
`wards that this subscriber (or to be more precise
`the subscriber’s SIM) must have been in a partic-
`ular location at a particular time is certainly not a
`very widespread threat but one which could prove
`very serious indeed in certain circumstances.
`Cloning of security relevant subscription data
`needs to be ruled out.
`
`in the authentication pro-
`The main players
`cess of
`the subscriber are the SIM and the
`Authentication Centre (AuC) of the home net-
`work. Both contain the (operator specific) authen-
`tication algorithm, denoted by A3, and the secret
`authentication key Ki which is unique to each
`
`Glossary
`
`ADM
`
`AuC
`
`ADMinistrative
`
`Authentication Centre
`
`CBMI
`Cell Broadcast Message Identifier
`EEPROM Electrically Erasable Programmable Read
`Only Memory
`
`GSM
`HLR
`
`ID
`
`IMSI
`ME ‘
`MS
`
`Global System for Mobile communications
`Home Location Register
`
`IDentity
`
`International Mobile Subscriber Identity
`Mobile Equipment
`Mobile Station
`
`MSISDN
`
`Mobile Station ISDN number
`
`PIN
`PUK
`
`RAM
`
`ROM
`
`SIM
`
`SMG
`TMSI
`VLR
`
`Personal Identification Number
`PIN Unblocking Key
`
`Random Access Memory
`
`Read only Memory
`
`Subscriber Identity Module
`
`Special Mobile Group
`Temporary Mobile Subscriber Identity
`Visitor Location Register
`
`

`
`Mobile
`
`
`
`G&D supplied more than 100 million prepaid phone cards and subscriber cards in EEPHOM-technology to
`international telephone network operators.
`
`SIM. The AuC is usually part of a Home Location
`Register (HLFI) which contains the data about
`the subscription and the user. The method
`employed between the HLRlAuC and the SIM is
`a Challenge-Response mechanism using “non-
`predictable numbers”.
`
`Once the (home) network has received an authen-
`tication request and established the (claimed)
`identity of the SIM it transmits a non-predictable
`number RAND as a challenge to the ME which
`sends it
`to the SIM. The SIM computes the
`response to the challenge by using the algorithm
`A3 with FIAND and the key Ki stored in the SIM as
`input data. The response is transmitted to the
`(visited) network where it
`is compared with the
`value computed by the home network which has
`used the same algorithm with the same RAND and
`the key associated with the identity claimed by the
`subscriber. The MS is granted access to the
`network only if the response received from the MS
`and the value computed by the home network are
`equal. For only in this case can it be assumed that
`the SIM is in possession of the right subscriber key
`Ki and that,
`therefore,
`its
`identity is
`the one
`claimed.
`
`Copyright: Bavaria/Giesecke & Devrient GmbH
`
`algorithm called A8. The purpose of enciphering is
`to ensure the privacy of the user information
`carried in both traffic and signalling channels and
`of user-related signalling elements on the radio
`path. The activation of this service is controlled by
`the network.
`It is started by the base station by
`sending a “start cipher” command to the MS. One
`or two standard cipher algorithms, denoted by
`A5/1 and A5l2, are contained as a dedicated
`piece of silicon in Mobile Equipment and Base
`Stations.
`
`The 64 bit key Kc, which controls the generation of
`the key stream by the cipher algorithm A5,
`is
`calculated in the SIM during the authentication
`process using the same A8 as the’ home network
`and the same input as for
`the authentication
`process. No additional input data is thus required
`and there is no need to send secret data or
`even Kc over
`the air
`interface. Furthermore,
`
`“bypassing” the authentication procedure by, say,
`manipulating the comparison of challenge and
`response, is of no use to the fraudster as the Mobile
`Station and Base Station will use different cipher
`keys
`resulting in
`an indecipherable garbled
`message.
`
`Accompanying the Challenge-Response pairs cal-
`culated in the HLR/AuC is a new cipher key Kc.
`This is computed using Ki and the same non-pre-
`dictable number RAND with an (operator specific)
`
`A functional description of these security services
`is contained in Technical Specification GSM
`02.095. Such a description is, by its very nature, not
`sufficient to ensure interoperability between net-
`
`

`
`Mobile
`
`
`
`Optus Communicuiom
`GPO flax ISII Sydney
`NSW 100! Australia
`14 hour Customer Service
`Tel: 008 555 555
`
`
`
`
`GSM — the Global System for Mobile communications — allows calls to be made to and from mobile telphones round ‘
`the world, from Australia to Portugal. G&D has supported this new freedom in telephone communications through the
`supply of, up to now, over five million GSM cards (SlMs) worldwide.
`
`Copyright: Bavaria/Giesecke & Devrient GmbH
`
`works. The specification of the network functions
`and the parameters of
`the security algorithms
`needed to provide these services globally as well
`as the scenarios discussing their use are con-
`tained in Technical Specification GSM 03.205. The
`interested reader is referred to a recent overview
`
`of security considerations in mobile communica-
`fions?
`
`It is worth noting that the authentication algorithm
`A3 as well as the cipher key generator A8 com-
`press the non—constant input data RAND from 128
`bits to 32 and 64 bits, respectively. Even if A3 and
`A8 are one and the same algorithm, which is fea-
`sible judging by the parameters, a compression
`takes place. This implies that more than one input
`value can produce the same output and that the
`algorithm is irreversible. The input is, therefore, not
`derivable from the output even if the key Ki
`is
`known. This means that the SIM cannot be used
`
`for enciphering or deciphering data.
`
`In summary, GSM provides three security services:
`temporary identities for the confidentiality of the
`identity of the user; authentication for the corrobo-
`ration of the identity of the user; and, enciphering
`for the confidentiality of data related to the user.
`The SIM is an integral part of all these services.
`Before discussing the internal handling of data by
`the SIM and its authentication of the user, the
`
`requirement for a microcomputer in the SIM will be
`briefly described.
`
`The SIM Microcomputer - Small enough
`to fit on a credit card
`The tasks of the SIM as a security device require
`the execution of complex algorithms and storage
`of the associated keys. A microcomputer with
`on-board non-volatile memory was determined to
`be the best platform to supportthese requirements.
`The typical microcomputer consists of an eight bit
`Central Processing Unit (CPU) and three types of
`memory. The masked programmed Read Only
`Memory (ROM) usually contains the operating
`system of the card, the administrative system and
`the security algorithms A3 and A8. The Random
`Access Memory (RAM) is used for execution of the
`algorithms and as a buffer for the transmission of
`data. Electrically Erasable Programmable Read
`Only Memory (EEPROM) is needed for the non-
`volatile memory as data has to be updated fre-
`quently. The EEPROM contains
`subscription
`specific data such as IMSI and Ki as well as user
`specific data such as abbreviated dialling numbers
`and short messages. Present day smart card chips
`offer the following memory capacity: ROM 6-16
`kBytes; RAM 128-256 bytes; and, EEPROM 2-8
`kBytes.
`
`Six kBytes of ROM are sufficient for coding GSM
`
`

`
`
`
`The compan building of Giesecke& Dvriet GmbH in
`Munich, Germany, at Prinzregentenstrafie 159.
`Copyright: Giesecke & Devrient 1994
`
`Phase 2 with all its optional features. More memory
`space allows, of course, for the implementation of
`a more complex administrative system. For
`instance, the operating system may require that
`the EEPFIOM can be re-configured after
`the
`SIM has been pre-personalized. This could be
`employed to allow the subscriber to choose the
`number of abbreviated dialling numbers and
`short messages at point-of-sale or have them
`changed thereafter. The amount of EEPROM
`determines the amount of memory offered to the
`user for support of various services. There is
`usually a trade-off between “competing” services
`for available memory. For example, each additional
`kByte of EEPROM can be used to store nearly six
`short messages or over 40 abbreviated dialling
`numbers with an alphanumeric identifier of up to
`ten characters.
`
`The electrical and mechanical interfaces of both
`
`the ID-1 SIM and the Plug-in SIM are, with the
`obvious exceptions due to the size of the Plug-in
`SIM,
`in-line with
`the
`relevant
`international
`standards“. More stringent conditions were speci-
`fied in some instances to cater for the specific
`needs of GSM. These include the operational
`
`temperature. range the card has to satisfy and
`the power consumption of the chip. For more
`information on smart cards the reader is referred
`
`in Proceedings CompEuro 929.
`to K. Vedder
`Security aspects of microcomputers and their man-
`ufacture are described by M. Paterson in Smart
`Card 200010.
`Access to the SIM
`
`The operating system of the microcomputer in the
`SIM controls the access of the outside world, which
`may be an ME or any other interface device, to the
`algorithms and all data stored in the card. Access
`is mainly by reading or updating the contents of the
`respective files. GSM has specified five (indepen-
`dent) access conditions. These are NEVER,
`ALWAYS, Administrative (ADM), Personal Identifi-
`
`and second Personal
`(PIN)
`cation Number
`Identification. Number (PIN2). The access condi-
`tion ALWAYS means that no security restriction
`holds. For instance, the identification number of the
`SIM, which is also printed on the card itself, may
`ALWAYS be read over the interface but the oper-
`ating system will NEVER permit this number to be
`updated. The definition and use of ADM is up to the
`discretion of the operator. This may be one of the
`other access condition or a specific procedure
`which can only be executed by an appropriate
`administrative authority. For instance, a change
`(update) of the IMSI would constitute a “re-per-
`sona|ization” of the SIM and is thus under the
`
`is
`the operator. Reading the IMSI
`control of
`restricted to the authorized user and, therefore,
`
`protected by a Personal
`(PIN).
`
`Identification Number
`
`The SIM itself controls user access by verifying the
`PIN offered by the user against a reference PIN
`stored in its memory. The comparison is done by
`the CPU of the SIM which ensures that the valid
`
`PIN does not leave the SIM. This is not the only dif-
`ference to magnetic stripe based access control
`systems. The PIN can be freely chosen and
`changed by the user within the range of four to
`eight digits.
`It is protected against trial and error
`attacks as the microcomputer records the number
`of consecutive false PIN entries. After three such
`
`entries IMSI and temporary identity are not read-
`able any longer and the ME cannot set up a GSM
`session. Access is blocked even if the SIM has
`
`been removed in between attempts. or a different
`ME is used.
`
`GSM introduced several novel features in con-
`
`junction with the handling of PINs. One of these
`new features is that the user may “unblock” a SIM
`by presenting the so-called PIN Unblocking Key
`(PUK) to the SIM together with a new PIN. The
`PUK is simply another identification number con-
`sisting of eight digits. As it cannot be changed it
`could be stored by the operator and given, if the
`necessity arises, to the user under specified secu-
`rity conditions. After ten consecutive wrong PUK
`entries the SIM is permanently blocked for GSM
`operation.
`
`Also new is the possibility to disable the PIN check.
`The network operator may set a flag in the SIM
`which allows the user to switch off (and on) the PIN
`check. The disabling of the PIN check by the user
`does however imply that the access control to the
`SIM and thus the network (if the card is not black-
`listed) is based merely on the possession of the
`card.
`
`The introduction of some of the new services in
`
`GSM Phase 2 required the introduction of a second
`
`

`
`IVIODIIe
`
`PIN for protecting the contents of certain data-
`fields as this access had to be independent of user
`access to the GSM service. For instance, a “Fixed
`Dialling SIM” will only work in special MEs and the
`user can only dial those numbers which are stored
`in the SIM. Protectingthe change ofthese numbers
`by the PIN would allow the user to bypass the fixed
`dialling mechanism by just storing the number
`he/she wishes to call in the SIM. The update of
`fixed dialling numbers is thus under the control of
`a second PIN (PIN2) which is not known to the user
`but, say, only to the personnel department of a
`company running a fleet of lorries whereas the
`drivers would know the PIN itself. Clearly, where
`there is a PIN there is a PUK, and PUK2 can be
`used to unblock PIN2.
`
`It
`Subscription related services
`Apart from its use as a secure token, the SIM
`serves as a tool to support features and services
`of the ME and the network. While some services
`are mandatory and have to be supported by
`every SIM, the allocation and activation of the
`optional services depend on the particular sub-
`scription,
`their availability in the network and
`their support by the user's mobile. In addition to
`the services described previously there are,
`in
`particular, abbreviated dialling numbers and short
`messages.
`
`Abbreviated dialling numbers are stored in the SIM
`by the user under an alphanumeric identifier for a
`quick search by the mobile and short dialling by the
`user. The user need of course not present the
`whole identifier but may employ a pattern search
`by the mobile on the first characters of the identi-
`fier. This is of particular interest for chips which
`provide a large amount of memory and allow the
`storage of potentially the complete address related
`to the telephone number. Short messages, which
`are similar to alphanumeric paging messages, can
`be received from the network and stored in the SIM
`for future reference. A user may also send short
`messages, though this feature is not yet supported
`by all mobiles. The SIM contains a specific field to
`help the user setting up a mobile originated short
`message.
`
`A number of additional services and features are
`supported by the SIM which have not been
`mentioned so far. They include the storage of
`charging information, Cell Broadcast Message
`Identifiers
`(CBMls), Mobile Station Integrated
`Services Digital Network (MSISDN) numbers and
`of languages preferred by the user. Advice of
`Charge is a relative complex service which
`includes a meter for accumulating call charges and
`a field for setting a “credit limit”. The user may also
`store those languages, in the preferred order,
`in
`which she/he wants to be addressed by the mobile.
`
`This information can also be used in conjunction
`with the CBMls to select the messages broadcast
`by the network to all mobiles in a certain location.
`The storage of the user’s MSISDN numbers, has
`been introduced so that a user may recall her/his
`own numbers for display on the ME while making
`a call. There are several other features for which
`the reader is referred to Technical Specification
`GSM 11.112 and the relevant specifications which
`describe them in detail.
`
`Handling of SIMs
`Technical Specification GSM 02.17‘ distinguishes
`between “pre-personalization”, “personalization”
`and “re-persona|ization” though no clear segrega-
`tion of these terms is given for Phase 2. This is due
`to different operators interpreting the terms differ-
`ently and that there is no clear definition of who is
`responsible for what in the production of a SIM
`ready for the GSM operational phase. The specifi-
`cation of any administrative matters related to the
`SIM is outside the scope of ETSI Sub Technical
`Committee SMG 9.
`
`As no subscriber related information is required in
`the SIM for access to a GSM network, a pre-per-
`sonalized SIM is usually understood to contain all
`subscription information necessary for the GSM
`operational phase. It is ready for use subject only
`to its “release” in the HLR/AuC. This certainly facil-
`itates the handling and issue of SlMs and the asso-
`ciated PIN- and PUK-mailers. Personalization of a
`SIM usually means the printing, engraving or
`embossing of the subscriber’s name on the card
`body and, possibly, the loading of the subscriber's
`abbreviated dialling and MSISDN numbers into the
`SIM. Re-personalization usually refers to the re-
`issue of a used card to a different subscriber. As
`this could imply the update of the IMSI or security
`related data as well as the “cleaning” of the SIM, it
`is more than questionable whether the implications
`for security and administration justify a re-person-
`alization.
`
`The use of P|Ns and PUKs requires, depending on
`the procedures of the network operator, the issue
`of up to four secure mailers containing these
`numbers. There are several ways of handling the
`distribution of SIMs and mailers. To reduce the
`number of mailers the network operator could, for
`instance, not issue any PUK-mailers (and PUK2-
`mailers) and give the PUK to the user only when
`necessity arises. Another possibility would be the
`issue of SlMs with a constant PIN and request the
`subscriber to change the PIN to a secret one only
`known to himself/herself upon the rendering of the
`SIM. Combination of these two options could make
`it unnecessary to print PIN- or PUK-mailers. The
`issuer could also employ the use of the “blocking”
`mechanism. In this case all S|Ms are blocked at
`
`

`
`pre-personalization and the subscriberwould have
`to unblock the SIM before use and thus automati-
`
`cally choose his/her own PIN. These are just afew
`of the possibilities which GSM offers to operators
`and service providers.
`
`The handling of the subscriber keys and their
`loading into the S|Ms is also an administrative‘
`matter though of great importance for the overall
`security of the GSM system. The heart of the secu-
`rity of each network is the Authentication Centre
`(AuC) in which potentially millions of secret sub-
`scriber authentication keys Ki are stored. The
`method employed for loading and storing these
`keys as well as their handling during an authenti-
`cation request is of importance for both the secure
`and the smooth running of
`the network. This
`method also depends on the way in which the keys
`have been generated. There are two standard
`ways for generating keys. This may be done by
`using a random number generator or by means of
`an algorithm which is used to derive the key from
`user related data under the control of a master key.
`The two methods or variation thereof which the
`
`designer of the security system may choose is
`dependent on local circumstances.
`
`Outlook
`
`The completion of Phase 2 and of the specification
`of new services supported by the SIM gives the
`basic tool fora user friendly token which may also
`be employed in a multi-application environment.
`ETSI Sub Technical Committee SMG 9 is now
`
`specifying a multi-application card supporting
`GSM and other services. Though the first concrete
`example of such a card will probably be a Digital
`European Cordless Telecommunications/Global
`System for Mobile communications (DECT/GSM)
`card, SMG 9 does not see the use of the SIM appli-
`cation in a multi-application card restricted to
`DECT or other telecommunications applications.
`
`Of great importance for the user are also two other
`topics presently under discussion within SMG 9.
`The introduction of 3 volt mobiles will greatly
`reduce drain on the batteries and improve stand-
`by and active time. To maximize these advantages
`SMG 9 is specifying a 8 volt SIM/ME interface. This
`is expected to be completed in the first half of 1995.
`Using the short message and cell broadcast ser-
`vices for over-the-air administration of the SIM is
`
`another topic which will benefit the user. The so-
`called proactive SIM will allow the SIM to initiate
`commands to be executed by the ME. These
`include the display of text and the sending of a
`short message stored in the SIM.
`
`References
`1
`GSM 02.17 (ETS 300 509): “European digital cellular tele-
`communications system (Phase 2); Subscriber
`Identity
`
`2
`
`3
`
`7
`
`8
`
`'
`
`Modules, functional characteristics”.
`GSM 11.11
`(ETS 300 608): “European digital cellular
`telecommunications system (Phase 2); Specification of the
`Subscriber Identity Module — Mobile Equipment (SIM - ME)
`interface".
`F. Hillebrand (ed.)_. Proceedings of the GSM Seminar in
`Beijing, September 1994.
`4 M. Mouly and M.B. Pautet, The GSM system for mobile com-
`munications, ISBN 2-9507190-0-7, Palaiseau, 1992.
`5 GSM 02.09 (ETS 300 506): “European digital cellular tele-
`S communications system (Phase 2); Security aspects”.
`6 GSM 03.20 (ETS 300 534): “European digital cellular tele-
`communications system (Phase 2); Security related network
`functions”.
`K. Vedder, Security Aspects of Mobile communications, in:
`Computer security and industrial cryptography (eds.: B.
`Preenel, R. Govaerts, J. Vandewalle), Springer-Verlag,
`Berlin Heidelberg, 1993, 193-210.
`ISO/IEC 7816: “ldentification cards-Integrated circuit(s)
`cards with contacts".
`Part 1: 1987: “Physical characteristics”.
`Part 2: 1988: “Dimensions and location of the contacts".
`Part 3: 1989: “Electronic signals and transmission protocols”.
`K. Vedder, Smart Cards,
`in: Proceedings CompEuro 92,
`IEEE Computer Society Press, Los Alamitos, 1992, 630-635.
`
`9
`
`10 M. Paterson, Secure Single Chip Microcomputer Manufac-
`ture, in: Smart Card 2000 (ed. D. Chaum), North Holland,
`Amsterdam, 1991, 29-37.
`
`About the author
`Klaus Vedder was educated in Mathematics and
`
`of Tiibingen,
`universities
`the
`at
`Physics
`Birmingham and London (WestfieId College)
`where he received his doctoral degree with a dis-
`sertation on finite incidence structures and their
`
`collineations. He has published extensively on
`topics
`in
`the
`fields
`of Finite Geometry,
`Cryptography, Data Security and Smart Cards. He
`is editor of two International Standards published
`by ISO//EC on the authentication of messages and
`entities. Since October 1992 he is the chairman of
`the committee ISO/IEC JTC 1/80 27 "Information
`
`technology — Security techniques". His activities
`within ETSI relate mainly to smart cards. Apart
`from his work on the Subscriber Identity Module for
`GSM he has been the founding chairman of ETSI
`STC FIES 3/DAM which produced prETS 300 331
`"DECT Authentication Module". This standard
`
`specifies the use of a smart card similar to the SIM
`as an authentication device for
`the Digital
`European Cordless Telecommunications. Klaus
`Vedder
`is
`currently Head of Mobile Com-
`munications at Giesecke & Devrient GmbH which
`
`has its main offices in Munich, Germany.
`
`Giesecke & Devrient GmbH
`
`Giesecke & Devrient has been operating in the
`special field of banknote and security paper man-
`ufacture as well as the printing of money for more
`than 140 years. As a pioneer in the production of
`cards, the company researched and developed the
`major elements of
`the eurocheque system.
`Giesecke & Devrient has played a leading role in
`the development of chip cards and is one of the
`major suppliers of SIMs for the Global System for
`Mobile communications.
`
`
`
`

`
`«
`
`PROFILE
`Wavecom
`S.A.
`
`Complete
`
`solutions for
`
`digital
`
`radiocommunications
`
`E stablished near Paris in June 1993 by three
`
`radiocommunications engineers, Wavecom S.A has
`based a robust growth on its unique capability to ofler
`worldwide customers complete solutions in digital
`radiocommunications systems and products, covering the
`-domains