The latest version of the Microsoft Surface ( Surface Pro LTE ) has a consumer eUICC built into it. The version of eUICC is thought to comply with Version 2 of the consumer GSMA RSP standard. This provides LTE/4G service without the need for a regular SIM. However in addition the Surface has a slot for a regular removable plastic SIM card. It is possible to buy and download data plans for various countries using an LPA incorporated into Windows 10.
Operating instructions can be found here.
Machines incorporating eSIMs are expected shortly from Acer, Asus and Lenovo.
The GSM Association ( GSMA ) have developed a standard that has been accepted by most of their member operators around the world ( details here ). This allows the intrinsic ‘digital signature’ content of a SIM card to be downloaded ‘Over-The-Air’ ( OTA ). They initially referred to this as ‘Remote SIM Provisioning ( RSP )’ and the chips that facilitate this were known as eUICC’s ( Embedded Universal Integrated Circuit Cards ), however there is a move to get these chips referred to as eSIMs, but in order to avoid confusion on this site they will be referred to as eUICCs.
There are 2 different kinds of eUICC, one that is used in Machine to Machine ( M2M ) devices like connected cars and the other that is used in Consumer devices like mobile phones.
eUICCs offer significant advantages over conventional removable plastic SIM cards. They are smaller, more robust and can be remotely programmed. Their programability means that a single skew of device can be made for several countries and removes the need for expensive field engineers to replace the SIMs in an M2M application.
In order to remotely provision an eUICC it is necessary to have some software loaded in a server which is called ‘Subscription Manager ( SM )’. The Subscription Manager for an M2M eUICC has 2 components, one is called the SM-DP ( Data Preparation ) and the other is called the SM-SR ( Secure Routing ). The SM in the consumer world has combined and enhanced both functions and is called an SM-DP+.
In the consumer world it is preferable to have a server where the end user can discover what mobile services ( profiles ) are available. This is called a Discovery Server ( SM-DS ).
M2M eUICCs are defined by GSMA documents SGP.01 and SGP.02. SGP.01 is a functional specification while SGP.02 defines the technical realisation of the functional spec. Within the GSMA SGP.01 is defined by the GSMA member operators ( MNO’s ), while the OEMs are tasked with producing SGP.02 which is the technical implementation specification.
Most M2M eUICC’s currently in the field comply with version 3.1 of SGP.02.
The figure below describes the basic architecture used for M2M eUICCs.
An SM-SR is responsible for establishing a secure programming channel to the eUICC while an SM-DP manipulates and personalises the Profile that is provided by the MNO into a suitable format for download. Certificates loaded into each component above and issued by a trusted Certificate Issuer ensures that the whole process is secure.
There are two distinct kinds of profile in the eUICC. The provisioning profile provides default connectivity so that the eUICC can be bootstrapped into full functionality by downloading an operational profile.
Further information about M2M eUICCs can be found on the GSMA web site.
In M2M eUICC applications it is the job of the SM-SR to establish a secure link with the eUICC.
This is normally triggered by an SMS being sent to the SM-SR containing the IP address/URL of the SM-SR associated with the fall-back profile programmed into the eUICC at the factory.
The SM-DP is used in an M2M RSP environment. It’s function is to take the raw profile information from an MNO, personalise it with the appropriate IMSI/Ki pair information and convert it into a form that is suitable for transmission by the SM-SR to the eUICC.
The process for a profile download in an M2M environment is as follows:
- SMS sent to eUICC by the SM-SR via the SMSC belonging to the provider of the provisioning profile to trigger a session
- eUICC requests that the device sets up a data session using BIP and the URL ( or IP address ) of the SM-SR ( contained in the SMS )
- CAT_TP or HTTPS transport link established between eUICC and SM-SR ( ES5 )
- A secure channel is established between the SM-DP and eUICC
- A profile download is initiated by the SM-DP
Remote Application Management ( RAM ) or Remote File Management ( RFM ) can be implemented between the SM and eUICC using the data connection as per above or simply using SMS.
Consumer eUICCs are defined by GSMA documents SGP.21 and SGP.22. SGP.21 is a functional specification while SGP.22 defines the technical realisation of the functional spec. Within the GSMA SGP.21 is defined by the GSMA member operators ( MNO’s ), while the OEMs are tasked with producing SGP.22 which is the technical implementation specification.
The figure below describes the basic architecture used for Consumer eUICCs.
The consumer specification is a later addition than the M2M version. The separate functions of the SM-SR and SM-DP have been combined into a single function SM-DP+. This is responsible for both establishing a secure programming channel to the eUICC and manipulating and personalising the Profile that is provided by the MNO into a suitable format for download. Certificates loaded into each component above and issued by a trusted Certificate Issuer ensures that the whole process is secure.
The major addition is that of a Local Profile Assistant ( LPA ) in the device that allows the End user to control what profile is active and select new profiles. There is no need for a provisioning profile as the device can be connected to the Internet using WiFi.
The GSMA Consumer standard ( SGP.22 ) was specified later in than the M2M ( SGP.02 ) version. It consolidates the functionality of the SM-DP and SM-SR into a single component, called the SM-DP+. It’s function is to take the raw profile information from an MNO, personalise it with the appropriate IMSI/Ki pair information, convert it to the appropriate format for an eUICC and transmit the profiles to the eUICC.
In most cases the Local Profile Assistant ( LPA ) will be present in the device ( LPAd ), in which case the below architecture applies:
It is possible however to also have the LPA in the eUICC ( LPAe )
The purpose of an SM-DS is to hold a list of profiles that are available to an end user in a consumer eUICC environment. This discovery service is currently operated by the GSMA although there are plans for alternative discovery services to be offered in the future. Further details of the GSMA service can be found here.
The sequence of events is as outlined in the diagram below.
There are various bodies involved in the certification of the different elements involved in GSMA compliant eUICC applications.
The GSMA operate a scheme called Security Accreditation Scheme ( SAS ) that provides a certification of the site belonging to an organisation that provides Remote SIM Provisioning services. Details of the scheme and a list of approved sites is available on their web site.
GlobalPlatform tests and lists the actual certified eUICC chips on their website. Select “eUICC” from the drop-down to see the eUICCs that are currently approved.
The Global Certification Forum ( GCF ) operates a scheme to certify RSP compliance of consumer devices, the details of which are available on their website.
The GSMA implements a trusted system through the use of signed root certificates.
The GSMA operate a Security Accreditation Scheme ( SAS ).
Companies wishing to manufacture eUICCs must get their site accredited to SAS-UP ( SAS for UICC Production ) while those wishing to program eUICCs must get their site SAS-SM accreditation.
The schemes are in place mainly to ensure that the highly sensitive Profiles from the MNO’s are secure. They have components of ISO 27001 to ensure that an ISMS ( Information Security Management System ) and BCP ( Business Continuity Plan ) are in place. In addition they require that all of these procedures are operated in a High Security Area ( HSA ), over a secure network by trained personnel who comply with strict HR policies.
The GSMA currently use two outside companies to conduct the audits for SAS-UP, FML and ChaseWaterford
For SAS-SM they use NCC Group and SRC Security Research & Consulting GmbH
The audit usually takes about a week and is performed by both auditors.
A provisional approval is given once the site is able to demonstrate that they have all of the processes in place to meet the requirements but is not yet operating with real customers. This is sometimes called a ‘dry audit’. Another audit is conducted up to 9 months after provisional approval to finalise the certification. This is sometimes called a ‘wet audit’.
A list of SAS accredited sites is available on the GSMA web site.