The GSMA implements a trusted system, using certificates based on a Public Key Infrastructure (PKI), to control which components of a Remote SIM Provisioning (RSP) system can talk to each other.
The policy is outlined in SGP.14.
So that any certified component can talk to any other certified component, the GSMA issues signed root certificates.
They have appointed Cybertrust to act as the Root Certificate Issuer for M2M RSP systems (version 3.1) and DigiCert as the Certificate Issuer for Consumer RSP systems. The Cybertrust root certificates were acquired by DigiCert in 2015. In order to obtain a certificate from one of these sources it is necessary to have SAS certification.
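The trust model described above, as an added Go example that is not part of this page or of any GSMA specification: a constructed Certificate Issuer (CI) root signs a certificate for an RSP component, and a peer accepts that component only if its certificate chains to a CI root it trusts and the component can sign a fresh nonce with the matching private key. The component names, the key type (ECDSA P-256), the certificate fields and the nonce values are assumptions for illustration; the real certificate profiles and interface checks are defined in SGP.14 and are not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// component bundles a certificate with the private key it was issued for.
// Names and fields are hypothetical; the real RSP certificate profiles
// are defined in SGP.14 and are not reproduced here.
type component struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// check aborts on errors that only occur with broken entropy or encoding.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newComponent generates a P-256 key and a certificate for it. With parent == nil
// the certificate is self-signed (a CI root); otherwise parent is the issuer.
func newComponent(name string, serial int64, isCA bool, parent *component) *component {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	issuerCert, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuerCert, issuerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuerCert, &key.PublicKey, issuerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &component{cert: cert, key: key}
}

// prove signs a peer-supplied nonce, demonstrating possession of the
// private key that matches the certificate.
func (c *component) prove(nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, c.key, h[:])
	check(err)
	return sig
}

// authenticatePeer is the check a component performs before talking to a peer:
// the peer's certificate must chain to a trusted CI root, and the peer must
// have signed this component's nonce with the key certified there.
func authenticatePeer(peer *x509.Certificate, nonce, sig []byte, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued under a trusted CI: %w", err)
	}
	h := sha256.Sum256(nonce)
	if pub, ok := peer.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("peer did not prove possession of the certified key")
	}
	return nil
}

// demo wires up a constructed CI root, a genuine SM-DP certified under it and a
// component certified by an unrelated root, and reports the outcome of each check.
func demo() (genuineOK, rogueRejected, replayRejected bool) {
	ci := newComponent("constructed CI root", 1, true, nil)
	other := newComponent("constructed unrelated root", 2, true, nil)
	smdp := newComponent("constructed SM-DP", 100, false, ci)
	rogue := newComponent("constructed rogue eUICC", 200, false, other)
	nonce := []byte("constructed nonce 0001")
	sig := smdp.prove(nonce)
	genuineOK = authenticatePeer(smdp.cert, nonce, sig, ci.cert) == nil
	rogueRejected = authenticatePeer(rogue.cert, nonce, rogue.prove(nonce), ci.cert) != nil
	// A signature over an earlier nonce must not satisfy a fresh challenge.
	replayRejected = authenticatePeer(smdp.cert, []byte("constructed nonce 0002"), sig, ci.cert) != nil
	return
}
```

Calling demo() yields true for all three checks. In a deployed system the CI root would come from the component's trusted storage rather than being generated at start-up, and the permitted key usages would be restricted to those the relevant SGP.14 certificate profile allows instead of ExtKeyUsageAny.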
M2M eUICCs are defined by GSMA documents SGP.01 and SGP.02. SGP.01 is a functional specification, while SGP.02 defines the technical realisation of the functional spec. Within the GSMA, SGP.01 is defined by the GSMA member operators (MNOs), while the OEMs are tasked with producing SGP.02, the technical implementation specification.
Most M2M eUICCs currently in the field comply with version 3.1 of SGP.02.
The figure below describes the basic architecture used for M2M eUICCs.
An SM-SR is responsible for establishing a secure programming channel to the eUICC, while an SM-DP manipulates and personalises the Profile provided by the MNO into a suitable format for download. Certificates loaded into each component above, issued by a trusted Certificate Issuer, ensure that the whole process is secure.
There are two distinct kinds of profile in the eUICC. The provisioning profile provides default connectivity so that the eUICC can be bootstrapped into full functionality by downloading an operational profile.
Further information about M2M eUICCs can be found on the GSMA web site.
In M2M eUICC applications it is the job of the SM-SR to establish a secure link with the eUICC.
This is normally triggered by an SMS sent to the eUICC containing the IP address/URL of the SM-SR associated with the fall-back profile programmed into the eUICC at the factory.
The SM-DP is used in an M2M RSP environment. Its function is to take the raw profile information from an MNO, personalise it with the appropriate IMSI/Ki pair information and convert it into a form that is suitable for transmission by the SM-SR to the eUICC.
The process for a profile download in an M2M environment is as follows:
- SMS sent to eUICC by the SM-SR via the SMSC belonging to the provider of the provisioning profile to trigger a session
- eUICC requests that the device sets up a data session using BIP and the URL (or IP address) of the SM-SR (contained in the SMS)
- CAT_TP or HTTPS transport link established between eUICC and SM-SR (ES5)
- A secure channel is established between the SM-DP and eUICC
- A profile download is initiated by the SM-DP
Remote Application Management (RAM) or Remote File Management (RFM) can be implemented between the SM and the eUICC using the data connection described above, or simply using SMS.
Consumer eUICCs are defined by GSMA documents SGP.21 and SGP.22. SGP.21 is a functional specification, while SGP.22 defines the technical realisation of the functional spec. Within the GSMA, SGP.21 is defined by the GSMA member operators (MNOs), while the OEMs are tasked with producing SGP.22, the technical implementation specification.
The figure below describes the basic architecture used for Consumer eUICCs.
The Consumer specification was added later than the M2M version. The separate functions of the SM-SR and SM-DP have been combined into a single function, the SM-DP+. This is responsible both for establishing a secure programming channel to the eUICC and for manipulating and personalising the Profile provided by the MNO into a suitable format for download. Certificates loaded into each component above, issued by a trusted Certificate Issuer, ensure that the whole process is secure.
The major addition is that of a Local Profile Assistant (LPA) in the device, which allows the end user to control which profile is active and to select new profiles. There is no need for a provisioning profile, as the device can be connected to the Internet using Wi-Fi.
The GSMA Consumer standard (SGP.22) was specified later than the M2M (SGP.02) version. It consolidates the functionality of the SM-DP and SM-SR into a single component, called the SM-DP+. Its function is to take the raw profile information from an MNO, personalise it with the appropriate IMSI/Ki pair information, convert it to the appropriate format for an eUICC and transmit the profiles to the eUICC.
In most cases the Local Profile Assistant (LPA) will be present in the device (LPAd), in which case the architecture below applies:
It is also possible, however, to have the LPA in the eUICC (LPAe).
The purpose of an SM-DS is to hold a list of profiles that are available to an end user in a consumer eUICC environment. This discovery service is currently operated by the GSMA although there are plans for alternative discovery services to be offered in the future. Further details of the GSMA service can be found here.
The sequence of events is as outlined in the diagram below.
There are various bodies involved in the certification of the different elements involved in GSMA compliant eUICC applications.
The GSMA operates a scheme called the Security Accreditation Scheme (SAS) that certifies the site belonging to an organisation that provides Remote SIM Provisioning services. Details of the scheme and a list of approved sites are available on their website.
GlobalPlatform tests and lists the actual certified eUICC chips on their website. Select “eUICC” from the drop-down to see the eUICCs that are currently approved.
The Global Certification Forum (GCF) operates a scheme to certify RSP compliance of consumer devices, the details of which are available on their website.
The GSMA implements a trusted system through the use of signed root certificates.
The GSMA operates a Security Accreditation Scheme (SAS).
Companies wishing to manufacture eUICCs must get their site accredited to SAS-UP (SAS for UICC Production), while those wishing to program eUICCs must obtain SAS-SM accreditation for their site.
The schemes are in place mainly to ensure that the highly sensitive Profiles from the MNOs are secure. They incorporate components of ISO 27001 to ensure that an ISMS (Information Security Management System) and a BCP (Business Continuity Plan) are in place. In addition, they require that all of these procedures are operated in a High Security Area (HSA), over a secure network, by trained personnel who comply with strict HR policies.
The GSMA currently uses two outside companies to conduct the audits for SAS-UP: FML and ChaseWaterford.
For SAS-SM they use NCC Group and SRC Security Research & Consulting GmbH.
The audit usually takes about a week and is performed by both auditors.
A provisional approval is given once the site is able to demonstrate that they have all of the processes in place to meet the requirements but is not yet operating with real customers. This is sometimes called a ‘dry audit’. Another audit is conducted up to 9 months after provisional approval to finalise the certification. This is sometimes called a ‘wet audit’.
A list of SAS accredited sites is available on the GSMA web site.