Kamis, 26 Januari 2012
SIM Access Control Class
15 classes are defined inside this file. The first 10 classes are randomly allocated for normal subscribers, the rest 5 classes are allocated for specific high priority users. The class allocation
is depent on the requirements of Mobile Operator.
In some cases, Mobile Operator will enable the Class based on the last digit of IMSI. For example, if one SIM has "0" as the last digit, then Class 0 will be enabled. With this method the Mobile Operator
can manage the usage of Radio Access channels.
The size of EF ECC is 2 bytes (16 bits) which each bit represents the enabled class, except for the 3rd bit which set to "0" (disable). The 3rd bit represent Class 10.
Below is the figure of class allocation in this file :
Byte 1:
b8 b7 b6 b5 b4 b3 b2 b1
15 14 13 12 11 10 09 08 Number of the ACC (except for bit b3)
Byte 2:
b8 b7 b6 b5 b4 b3 b2 b1
07 06 05 04 03 02 01 00 Number of the ACC
In normal condition the radio site will give access with SIM with classes 0- 9 enabled. In other condition radio site will give priority for classes 11- 15 enabled SIM. Some examples for high priority users
are Emergency Call, Police Department, etc.
References :
- Universal Mobile Telecommunications System (UMTS); LTE; Characteristics of the Universal Subscriber Identity Module (USIM) application (3GPP TS 31.102 version 8.5.0 Release 8)
- Digital cellular telecommunications system; Service accessibility (GSM 02.11 version 5.0.0)
Rabu, 30 November 2011
How to control your call
With FDN we can control the destination number of outgoing call and as result we can control the bill as well :)
Inside the SIM there is a file named EF FDN (6F3B) wich contain records to store phone numbers. The number of records and capacity are following the SIM Phonebook records. Outgoing call can only be made to the listed numbers in these records.
To activate FDN you need to put PIN2 then you can start to store phone numbers. you can ask your operators for your PIN2.
Here are the steps to activate FDN. I am using Nokia 2626 menu as example :
- menu - setting - security - fixed dialing number - on
- put your PIN2
- then you can put phone numbers in the list
Senin, 28 November 2011
Use your PIN !
One of the basic security feature provided by your SIM is PIN Protection. It is simple but unluckily most of SIM users are not using it. Let me tell you something. What happen if someday you lost your SIM and it is found by somebody else and using it.
It is Okay if it is a prepaid SIM then you don't have to be worry because it has limited credit. But if it is a post paid then it will be disaster :) you have to pay for what you didn't use.
Here are several steps to activate PIN in your SIM. I am using Nokia 2626 menu as example.
- Activate your PIN code request
Menu - Setting - Security setting - PIN code request
Then you will asked to put your PIN.
Select "On".
And after that, when everytime you start your SIM it will ask you to put the PIN number. After you successfully activate your PIN, better to change it.
Here are the steps :
- Setting - Security setting - Access code - Change PIN code.
- Put your current PIN.
- Put your new PIN.
- Confirm your new PIN.
- Done
Kamis, 27 Agustus 2009
USIM Authentication
The usage of a mobile phone also increase from it's previous function to deliver voice and clear text. Now the mobile phones can also provide enterainment, multimedia messaging service,
mobile internet access, location based services, and so on.
Based on the data behaviour, 3G services can be described as follows :
- Conversation, such as voice, video telephony, video gaming
- Streaming, such as multimedia, video on demand, webcast
- Interactive, such as web browsing, network gaming
- Background, such as Email, SMS
As the services of 3G Mobile Phones has increase, the security of data also has become critical issue. Security mechanism in 3G Network is not just about subcriber authentication into the network. But it is also about how to secure 3G Services run on the network.
In this article, I will describe how a USIM application can be authenticated into 3G Network.
Authentication will perfomed in challenge - respond method combined with key establishment
for network authentication.
Initialization
After UICC activation the ME will SELECT USIM application in EF DIR. If no USIM application is listed or EF DIR not exist, then the ME will try ro select GSM application.
After a successful USIM application selection, the USIM AID (Application Identifier)
will stored in USIM. The last activated USIM application will remain in UICC until the UICC is reset.
UICC
Is a physical processor chip where USIM application reside. Usually the memory capacity to store USIM application are range from 64K to 256K.
Application Selection
USIM is an application reside in UICC card. It contain many security parameters needed for an UICC to access into UMTS network.USIM will perform some related security procedures before a 3G Subscriber can gain access into the network. I will describe just some of them.
1. Authentication algorithm computation.
The ME will select a USIM application using AUTHENTICATE command and
the response is sent back to ME. In 3G context is used when 3G authentication
variables are available such as RAND, XRES, CK, IK, AUTN.
2. IMSI Request
The ME perform READ procedure on EF IMSI.
This is also the procedure of User Identity request.
3. Access Control information request.
The ME perform READ procedure on EF ACC.
4. Higher Priority PLMN search period request.
The ME perform READ procedure on EF HPPLMN
5. Location Information
In this procedure, the ME perform request and update activity
which ME perform READ procedure on EF Keys. And the ME also
perform UPDATE procedure with EF Keys.
6. Forbidden PLMN
Also in this procedure, the ME perform request and update activity
on EF PLMN.
7. GSM Chiper Key
This procedure will be performed if service n 27 in UST ( USIM Service Table )
is available. The request and update procedure is on EF KC.
8. GPRS Chiper Key
This procedure will be performed if service n 27 in UST ( USIM Service Table )
is available. The request and update procedure is on EF KCGPRS.
Service n 27 in EF UST is where GSM Access Service
9. Initialization value of Hyperframe number
The ME perform READ and UPDATE procedure on EF START-HFN
10. Maximum value of START.
The ME perform READ procedure on EF THRESHOLD.
11. HPLMN Selector with Access Technology Request
The ME perform READ procedure on EF HPLMN w ACT
12. Packet Switch Location Information
The ME perform READ and UPDATE procedure on EF PSLOCI
13. Chiper and Integrity key for Packet Switch Domain
The ME perform READ and UPDATE procedure on EF KeysPS
14. LSA Information.
This procedure will be performed by the ME if service n 23
in EF UST is activated. The ME performs READ procedure with
EF SAI, EF SLL and it's associated LSA Descriptor files
and UPDATE procedure with EF SLL.
15. Voice Group Call Services.
This procedure will be perfomed by the ME if service n 57
in EF UST is activated.
Voice group call service
The ME perform READ procedure with EFVGCSS
Voice group call service status
The ME perform READ and UPDATE procedure on EFVGCSS
17. Voice broadcast services
This procedure will be perfomed by the ME if service n 58
in EF UST is activated.
Voice group call service
The ME perform READ procedure with EFVBS
Voice group call service status
The ME perform READ and UPDATE procedure on EFVBS
Source : Universal Mobile Telecommunications System (UMTS); LTE; Characteristics of the Universal Subscriber Identity Module (USIM) application (3GPP TS 31.102 version 8.6.0 Release 8)
Jumat, 14 Agustus 2009
Smart Card Security Mechanism
Below is the security mechanisms based on the type of Smart Cards :
Memory Card
Because this type of smart card is just to store data without the capability to calculate or process it, so the security mechanism is more simple. Usually after the card detected by the reader, card will challenge the reader to read PIN stored inside it. The reader will calculate the PIN as part of the authentication process.
Microprocessor Card
A microprocessor card has a capability to perform it's own enryption method and algorithm to protect the data stored inside it. The security mechanism of a microprocessor card difference based on how the data can be accessed.
Why it is more complicated to protect data inside a microprocessor card ? Because the data stored inside a microprocessor card are more critical. For example a Cardholder data inside a credit card.
Kamis, 13 November 2008
SIM Application Toolkit
Have you ever use Mobile Banking menu in your Mobile Phone ? In your Mobile Phone there are some interactive menus which let your Mobile Phone 'talk' with the network. This menus displayed in your Mobile Phone screen in a 'scroll down' menu. By entering one menu, then you will come into the sub menus. This capability is provided by two direction communication between SIM Card and Mobile Phone and just a part of mechanism named SIM Application Toolkit (SAT). SAT provide mechanism which reside in the SIM Card to communnicate and interact with Mobile Phone. SAT action is initiated by Mobile Phone. SAT can only work during the network operation phase of GSM.
Some simple facts of SAT are :
- SAT applications is a set of commands inside SIM Card which define how the SIM Card interact with the outside world through Mobile Phone.
- SAT is designed as client server application. SIM Card act as a client and network act as a sever. As A server, network provide services to SIM Card which previously asked by the SIM Card. If the SIM Card indicating that it support SAT commands, then Mobile Phone will execute the next command.
- Mobile Phone act as interface to trigger SAT commands.
- SIM Card send command to Mobile Phone in TLV format.
SAT Mechanism
Profile Download
This mechanism allow MObile Phone to ask to SIM Card what SAT capability it can provide. The Mobile Phone knows SIM Card SAT capability by reading EF Phase. One of the initialization steps on the Mobile Phone is by reading this EF. By using initialization, a Mobile Phone can get information about capabilities those can be provided by SIM Card inside it.
Proactive SIM
Proactive SIM give order mechanism to the SIM Card so it can ask Mobile Phone to execute certain actions. These actions include :
- Displaying text from SIM Card to Mobile Phone's screen.
- Sending a Short Message
- Make a voice call to a number that held by the SIM Card.
- Make a data call to a number and bearer capabilities that held ny the SIM Card.
- Playing tone.
- Provide a dialogue with the user.
- SIM initialization request and change notification to EFs.
- Provide local information from the Mobile Phone to the SIM Card.
Data Download to SIM
This command allow network to use SMS or cell broadcast to transfer information to the SIM Card.
Information transfer over SIM- ME uses the ENVELOPE command. If the Mobile Phone receive SMS with
protocol identifier equal to SIM Data Download and coding scheme equals to class 2 message, then the Mobile Phone will pass the SMS directly to the SIM Card without intervension of Mobile Phone's user.
Menu Selection
A set of menu entries is provided by the SIM Card in Proactive SIM command. The menu shows some menu applications so the user can enter the menu appliaction and then this menu selection will transfer command to the SIM Card.
Call Control by the SIM
When this SAT service activated in a Mobile Phone, whena user make a call, it will result in a phone number, supplementary service, and unstructured supplementary service data (USSD) strings first sent to the SIM Card. The SIM Card can decide wether it will alow this action or selectively bar it.
Mobile Originated Short Message Control by SIM
This SAT service use the same mechanism like Call Control. But this service applied to the SMS. Before a Mobile Phone sending any SMS, it will ask SIM Card authorization. The SIM Card will return with an answer which can be authorization or refusal.
Event Download
A set to monitor for is supplied by SIM Card in proactive SIM command. This mechanism is used to transfer details of event to the SIM. Events that a Mobile Phone can report to the SIM card area include incoming calls, location status, and availability of the screen for applications.
Security
Multiple Card
One event and a set of proactive commands are supplied to monitor card behaviour.
Timer Expiration
SIM Card has capability to manage timers which running physically in the Mobile Phone with proactive command. This mechanism is used to inform the SIM when a timer exprires.
Bearer Independent Protocol
Reference : 3GPP TS 11.14 , Specification of SIM Application Toolkit (SAT) for the SIM -ME Interface
Selasa, 06 Mei 2008
Inside Your SIM Card
Today many GSM Network subscribers have SIM Cards inside their Mobile Phones in order to be authenticated to GSM Network. Well, in other words, you need a SIM card to connect to your GSM Network then make a call and utilizing Mobile Services such as Short Message Services (SMS), or Content Browsing.
SIM card basically is an EPROM which has Operating System (OS) and Applications inside it. This can be compared to your PC which has OS such as MS Windows, UNIX, etc and many Applications. But you can not imagine that SIM Card also has Applications just like MS Office or Image Editor. Applications inside the SIM Card are more simple. Most of the Applications that owned by SIM Card are to support SIM Card so it can be connected to the GSM Network and to make SIM Card communicate with your Mobile Phone. One example of SIM Card Application is when you use content browsing some drag drop menus displayed on your Mobile Phone's screen.
Files and Directories
SIM Card has many files inside it which needed by SIM Card to connect to GSM Network.
File Structure of SIM Card can be compared to UNIX hierarcial file system which in UNIX
many Applications and information of devices stored as files. The UNIX file structure
can be represented by this file tree structure :
\root
|
|
+---- \etc
|
+---- \bin
|
+---- \usr
|
+---- \tmp
Similar to UNIX, we will find Files and Directories inside a SIM Card in a hierarcial structure. A file contain information or data, and a directory contain files. How a Mobile Phone or a Card Reader access these files and directories is related to the security features which managed by SIM Card Operating System. Every file and directory have their
owned security feature based on some technical requirements.
SIM Card also manages files and directories inside it in hierarcial structure. The logical model of files and directories is related with how Operating System inside the SIM Card manage them. If in UNIX every file and directory has it's name, in SIM Card logical model, every files and directory have it's file ID. File ID used to addresed or identify
the file. The first byte of File ID identify the file's type.
The Logial Model of a SIM Card devided into :
Master File (MF)
An MF can be compare to /root directory in UNIX. An MF act as a "root" for DF and EF. The File ID of an MF is 3F.
Dedicated File (DF)
DF can be refer to directory which contain files inside it. Some EF which have related functional purpose grouped into the same DF. So the functional grouping of a DF refer to it self and all it's complete EF subtree. A DF also act as a 'second door' to access an EF. So to access an EF you need to access the MF and the 'main door' and then DF as the 'second door'. This is quite similar to UNIX file system. For example files that handle device configuration grouped into /dev directory. Because of it's function, a DF does not contain data, it only contain header part.
File ID of DF are :
7F -> First level Dedicated File
5F -> Second level Dedicated File
The are several DFs inside the SIM Card, but in this article I will describe only two DFs which mandatory
for GSM subscriber requirements :
File Name | File ID | Function |
DF Telcom | 7F10 | Contain EFs those hold telecom service features |
DF GSM | 7F20 | Contain applications for both GSM and/or DCS 1800 |
Elementary File (EF)
An EF consist of header and body part. The body part contain data which have attributes related to the security aspects, file size, record length, and how the data can be accessed. The first information that read from an EF is it's File Structure. Starting from the File Structure then can be known the file type, record length, and access method of an EF. The total data length that stored in the body of an EF is indicated in it's header.
File ID of EF are :
2F -> EF under Master File
6F -> EF under first level DF
4F -> EF under second level EF
EF grouping
Inside the SIM Card, EFs grouped under MF and DF. This grouping based on functional purpose of an EF. For example EF that support or hold data for telecom service features will be grouped under DF Telecom (7F10). The existing of these EF are may Mandatory or Optional. Mandatory EF means that this EF should be exist inside the SIM Card for the minimum requirement based on 3GPP TS 11.11 document. Optional EF means that this EF maybe
exist inside the SIM Card based on the Network Operator specific requirement. Below, I will describe all of EFs those have Mandatory requirement based on 3GPP TS 11.11 document. Well, here they are :
EF under Master File
File Name | File ID | Size |
EF ICCID | 2FE2 | 10 bytes |
EF under DF GSM
File Name | File ID | Size |
EF LP | 6F05 | 1-n bytes n = nth language code |
EF IMSI | 6F07 | 9 bytes |
EF KC | 6F20 | 9 bytes |
EF HPPLMN | 6F31 | 1 byte |
EF SST | 6F38 | X bytes X >= 2 |
EF BCCH | 6F74 | 16 bytes |
EF ACC | 6F78 | 2 bytes |
EF FPLMN | 6F7B | 12 bytes |
EF LOCI | 6F7E | 11 bytes |
EF AD | 6FAD | 3 + X bytes |
EF Phase | 6FAE | 1 byte |
EF under DF Telecom
File Name | File ID | Size |
EF ADN | 6F3A | X + 14 bytes |
EF FDN | 6F0B | X + 14 bytes |
EF SMS | 6F3C | 176 bytes |
EF MSISDN | 6F40 | X + 14 bytes |
The File Structure of EF are :
Elementary Files usually has attributes that related with file size, how the file can be accessed, record length, etc. File Structure of an EF represent security feature of EF and how it will be managed.
Transparent
An EF with Transparent File Structure consist of a sequence of bytes. This sequence of bytes used when the file need to be updated or read which indicates the starting bytes position and the number of bytes to be updated or read. Starting bytes position known as relative address (offset). The first byte in a Transparent EF has an offset '00 00'
Linier Fixed
An EF with Linier Fixed File Structure consist of sequence of records which have the same fixed record length. The first record is starting from record number 1.
Cyclic
An EF with Cyclic File Strucutre used to store records in chronological order. When all records have used to store data, then the next data will be overwrite the oldest information. All records in a Cyclic EF has a fixed number of quantity and the fixed record length. In a Cyclic EF there is a link between record number 1 and the last record (n). When the pointer is set to the last record (n), then the next record would be record number 1.
Security Features
SIM Card which reside inside your Mobile Phone contain data that needed to logon to the network then after that you can make your call or sending your SMS. The Security Features supported by SIM Card utilized to enable the following :
SIM Card authentication to the network
After your Mobile Phone turned on, then the network send Random Signal or RAND (128 bit) to your Mobile Phone, then your Mobile Phone pass the RAND to your SIM Card using RUM GSM ALGORITHM command. Other value for the input of RAND calculation is KI (128 bit). The calculation of RAND and KI utilized A38 Algorithm. In this process, IMSI is used to retrived KI in the network.
The result of RAND and KIcalculation that done by SIM Card is Signal Respond or SRES (32 bit) and Kc.
SRES passed to the Mobile Phone and then to the network. The network will compare this SRES with SRES that
owned by the network. The comparison of these SRES values provide authentication. The Kc value will be used
by SIM Card for any future enchipered communication.
File Access Condition.
Every EF has it's own specific access condition for each command. The differentiation of access condition for each command based on the security level of each file. File access condition will limit your access to an EF. For example for several EFs, READ command will have ALWAYS access condition for READ command which mean that you can READ this EF with input any parameter key. But for some EFs, they have NEVER access condition for READ command which mean you can not READ this EF.
Level Access Condition
------------- ----------------------------
Level 0 ALWAYS
Level 1 CHV1
Level 2 CHV2
Level 3 RFU
Level 4 ADM 1
..... ......
Level 14 ADM 14
Level 15 NEVER
For more complete and detail SIM Card specification, please refer to 3GPP RS 11.11 Digital Cellular Tellecommunication System (Pahse 2+), Specification of SIM-ME Interface. But this document is quite hard to understand, except for you those has been long period involved in smart card industries.
Reference : 3GPP RS 11.11 Digital Cellular Tellecommunication System (Pahse 2+), Specification of SIM-ME Interface, en.wikipedia.org
Ichwan Sontani
Some of GSM, CDMA, and Network topics will be posted in this blog. Please feel free to give comments, additional advices, also correction if needed.
Arsip Blog
About Me
- Ichwan Sontani
- Doha, Qatar