Stage of card manufacturing
To manage SIM/UICC card content, two refinements of the GlobalPlatform Messaging Specification are required.
The first refinement adds the Controlling Authority role, which has two functions:
control of the Controlling Authority Security Domain (CASD), which provides secure loading of the initial keys of the card's security domains;
control of a special security domain that performs the Mandated DAP function: mandatory verification of the signature on the code of every application loaded onto the card.
In practice, the Controlling Authority role is often performed by CKLA. Moreover, the Mandated DAP function can be performed by the CASD itself.
The second refinement introduces the SSD Manager role, which manages the secure channel of a Supplementary Security Domain (SSD) and stores that domain's keys. The SSD Manager role cannot be performed by the card Issuer.
Remote data loading to a SIM/UICC card is traditionally performed using the widespread OTA (Over-The-Air) technology defined in the GSM 03.48/3GPP TS 23.048 standards. In these standards, the security of the uploaded data is implemented at the level of the SMS packets that provide transport between the host sending the data and the SIM/UICC card. Within GlobalPlatform, data security is provided at the level of APDU blocks. A number of discrepancies therefore remain between the GSM 03.48/3GPP TS 23.048 and GlobalPlatform standards. To resolve them, the GlobalPlatform consortium upgraded the GSM 03.48/3GPP TS 23.048 specification, and as a result the standards ETSI TS 102.225 (OTA Security) and ETSI TS 102.226 (OTA Management) were introduced. Based on the ETSI TS 102.225 standard, GlobalPlatform defines a secure data link, SCP80. Any security domain that supports the SCP80 channel can exchange data with external systems via the standard OTA technology of cellular networks.
Another type of secure channel that a security domain can support is SCP02. The protocol underlying this channel was described earlier in clause 2.7. This channel is used for transmitting data over the contact interface, and it can also be encapsulated in the SCP80 channel for transmitting data over the contactless interface.
As defined in the GlobalPlatform UICC Configuration V. 1.0 specification, each APSD (Application Provider Security Domain) and TSD (TSM Security Domain) can support SCP80, SCP02, or both secure channels.
To implement secure loading of initial keys into security domains in accordance with Chapter 11 “Confidential Setup of Initial Secure Channel Keys” of the GlobalPlatform UICC Configuration V. 1.0 specification, the keys and certificates of the CASD must be loaded into the SIM/UICC card at the card manufacturing stage. The responsibility of the Controlling Authority role is so high that the Manager implementing it, for example CKLA, must be a trusted third party both for the Manager whose OTA platform is used for loading data (most often MNO or TSM) and for the Manager responsible for personalizing the application (most often TSM or SP). Indeed, by knowing the initial keys of the security domains, the CKLA Manager is able to control the card content management performed through these domains. The CKLA functions can be performed by a card manufacturer or by a well-known key certification authority. The existence of such companies depends on their reputation, and for that reason they enjoy the necessary confidence in the market.
The following SIM/UICC card content management models are distinguished:
Simple Mode: SIM/UICC card content is managed using the mobile operator's OTA platform (MNO OTA) and the mobile operator's (card Issuer's) security domain. At the same time, personalization of the loaded applications can be performed by the TSM via the TSM OTA platform.
Delegated Mode: SIM/UICC card content management is transferred by the mobile operator, through a pre-authorization procedure, to the TSD domain (the TSM security domain).
Authorized Mode: SIM/UICC card content management is completely transferred by the mobile operator to the TSM within the SIM/UICC card memory area allocated by the mobile operator.
Let's look at the SIM/UICC card content management models in more detail.
Simple Mode Model. Scenario 1:
The service provider delegates all management functions for its application to the TSM. This delegation covers creating an APSD domain, loading the application, and personalizing it.
The TSM uses the MNO OTA platform to create the APSD domain and to load and personalize the service provider's application.
APSD domain keys are created and revoked by TSM in the way described in Chapter 11 “Confidential Setup of Initial Secure Channel Keys” of the GlobalPlatform UICC Configuration V. 1.0 specification.
The main elements of this model are shown in figure 7.13. In the figure, SM APSD (Simple Mode APSD) denotes the service provider's security domain, which does not manage card content. The figure shows that card content management in this case is performed by the ISD (Issuer Security Domain). The SM APSD is loaded and installed on the card via the ISD. Then, after CKLA loads the initial domain keys into SM APSD, the service provider's application is loaded and installed via the ISD. When registering the application in the Card Registry, the ISD indicates that the service provider's application is personalized (receiving and processing APDU scripts) by the SM APSD domain. As a result, all personalization script commands in accordance with GlobalPlatform Messaging will be sent to the service provider's application.
Personalization data is uploaded to the application over the SCP02 channel between MNO OTA and the SM APSD domain, whose data packets are encapsulated in the SCP80 channel established between MNO OTA and the ISD. This keeps the data uploaded to the application confidential from the card Issuer (the card Issuer does not know the SCP02 channel keys). At the same time, the card Issuer has full control over the SIM/UICC card content management.
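As an added illustration of the layering described above (SCP02 APDUs to SM APSD carried inside an SCP80 command packet addressed to the ISD), the following Python code is written for this page and is not code from the original text, GlobalPlatform or ETSI. It builds a TS 102 225 / 03.48-style command packet around an SCP02-wrapped STORE DATA command; the ISD-side opener checks the packet's checksum but cannot verify the inner C-MAC, which is the point of the confidentiality claim. Both checksums use a truncated HMAC-SHA256 stand-in (an assumption) instead of the DES/AES MACs the real protocols use, and all keys, TARs and data are constructed.

```python
import hmac
import hashlib

# Constructed keys (not from the page): the SCP80 key belongs to the ISD and
# is known to the card Issuer; the SCP02 key belongs to SM APSD (TSM only).
ISD_SCP80_KEY = b"\x11" * 16
SMAPSD_SCP02_KEY = b"\x22" * 16
ISD_TAR = b"\x00\x00\x00"          # TAR of the ISD, constructed value


def mac8(key: bytes, data: bytes) -> bytes:
    """Stand-in for the 03.48 cryptographic checksum (CC) and the SCP02 C-MAC:
    HMAC-SHA256 truncated to 8 bytes (assumption; real SCP80/SCP02 use
    DES/AES CBC-MACs). It only shows what each checksum covers."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def scp02_wrap(key: bytes, cla: int, ins: int, p1: int, p2: int, data: bytes) -> bytes:
    """Inner SCP02 APDU: secure-messaging bit set in CLA, Lc covers the
    8-byte C-MAC appended after the data. Only SM APSD can verify it."""
    head = bytes([cla | 0x04, ins, p1, p2, len(data) + 8]) + data
    return head + mac8(key, head)


def scp80_command_packet(key: bytes, tar: bytes, counter: int, payload: bytes) -> bytes:
    """Outer 03.48 command packet: CPL|CHL|SPI|KIc|KID|TAR|CNTR|PCNTR|CC|data.
    SPI asks for a CC and no ciphering: the payload stays readable on the
    SMS path but is tamper-evident. CC covers the whole packet except itself."""
    spi, kic, kid = b"\x02\x00", b"\x00", b"\x11"   # constructed SPI/KIc/KID
    header = spi + kic + kid + tar + counter.to_bytes(5, "big") + b"\x00"
    chl = bytes([len(header) + 8])                    # header + 8-byte CC
    cpl = (1 + chl[0] + len(payload)).to_bytes(2, "big")
    cc = mac8(key, cpl + chl + header + payload)
    return cpl + chl + header + cc + payload


def scp80_open(key: bytes, packet: bytes):
    """ISD side: check CPL/CHL and the CC, return (TAR, counter, payload).
    Returns None when the packet was altered in transit or the key differs."""
    cpl, chl = int.from_bytes(packet[:2], "big"), packet[2]
    if cpl != len(packet) - 2 or chl < 21:
        return None
    header, cc = packet[3:3 + chl - 8], packet[3 + chl - 8:3 + chl]
    payload = packet[3 + chl:]
    if not hmac.compare_digest(cc, mac8(key, packet[:3] + header + payload)):
        return None
    return header[4:7], int.from_bytes(header[7:12], "big"), payload


# Personalization STORE DATA (INS 0xE2) for SM APSD, carried in one packet.
INNER = scp02_wrap(SMAPSD_SCP02_KEY, 0x80, 0xE2, 0x00, 0x00, b"constructed-perso")
PACKET = scp80_command_packet(ISD_SCP80_KEY, ISD_TAR, 7, INNER)
```

After `scp80_open` succeeds, the ISD dispatches the payload by the Card Registry entry for the target application; it sees an APDU with CLA 0x84 but has no key to check or strip its C-MAC.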
Simple Mode Model. Scenario 2:
The service provider delegates all management functions for its application to the TSM. This delegation covers creating an APSD domain, loading the application, and personalizing it.
The TSM uses the MNO OTA platform to create the APSD and load the application. For application personalization, the TSM uses its own OTA platform (TSM OTA).
APSD domain keys are created and revoked by the TSM in the way described in Chapter 11 “Confidential Setup of Initial Secure Channel Keys” of the GlobalPlatform UICC Configuration V. 1.0 specification.
The main elements of this model are shown in figure 7.14. In this figure, SM TSD denotes a TSM security domain that does not manage card content. The figure shows that card content is managed via the ISD in this case. The SM TSD and SM APSD are loaded and installed on the card via the ISD. Then, after CKLA loads the initial keys of these security domains into SM TSD and SM APSD, the service provider's application is loaded and installed via the ISD. When registering the application in the Card Registry, the ISD indicates that the application is personalized (receiving and processing APDU scripts) by the SM APSD domain. As a result, all personalization script commands in accordance with GlobalPlatform Messaging will be sent to the service provider's application over the SCP02 channel of the SM APSD domain.
Personalization data is uploaded to the application over the SCP02 channel between TSM OTA and SM APSD, whose data packets are encapsulated in the SCP80 channel established between the TSM OTA platform and SM TSD. This keeps the data uploaded to the application confidential from the card Issuer (only the TSM knows the SCP02 channel keys). At the same time, the card Issuer retains full control over the SIM/UICC card content management.
Delegated Mode Model. Scenario 1:
The service provider delegates all management functions for its application to the TSM. This delegation covers creating an APSD domain, loading the application, and personalizing it.
The TSM uses its own OTA platform (TSM OTA) to create the APSD and to load and personalize the application in the Delegated Management mode defined by GlobalPlatform. In this mode, for each content management procedure (load, installation, extradition, deletion of an application) the TSM first obtains from the MNO a special digital token, representing the card Issuer's signature, which the TSD verifies before performing the procedure.
APSD domain keys are created and revoked by the TSM in the way described in Chapter 11 “Confidential Setup of Initial Secure Channel Keys” of the GlobalPlatform UICC Configuration V. 1.0 specification.
DM TSD denotes a TSM security domain that performs content management procedures in Delegated Management (DM) mode. The figure shows that card content management for service providers in this case takes place via the DM TSD domain. If necessary, the SM APSD is loaded and installed on the card via the DM TSD. Then, after CKLA loads the initial keys of these security domains into DM TSD (the DM TSD keys are loaded before the SM APSD is installed) and SM APSD, the service provider's application is loaded and installed via the DM TSD. When registering the application in the Card Registry, the DM TSD indicates that the application is personalized (receiving and processing APDU scripts) by either the DM TSD domain or the SM APSD domain. As a result, all personalization script commands in accordance with GlobalPlatform Messaging will be sent to the service provider's application over the SCP80 channel of the DM TSD domain or the SCP02 channel of the SM APSD domain.
When the application is personalized through the SM APSD domain, personalization data is uploaded to the application over the SCP02 channel between TSM OTA and SM APSD, whose data packets are encapsulated in the SCP80 channel established between the TSM OTA and the DM TSD. This keeps the data uploaded to the application confidential from the card Issuer (only the TSM knows the SCP02 channel keys). At the same time, the card Issuer continues to fully control the SIM/UICC card content management.
Delegated Mode Model. Scenario 2 (the application is personalized by the service provider):
The service provider delegates the management functions for its application to the TSM. This delegation covers creating an APSD domain and loading the application.
The TSM uses its own OTA platform (TSM OTA) to create the APSD and load the application in the Delegated Management mode defined by GlobalPlatform, as described above.
APSD domain keys are created and revoked by the service provider (SP) in the way described in Chapter 11 “Confidential Setup of Initial Secure Channel Keys” of the GlobalPlatform UICC Configuration V. 1.0 specification.
The service provider prepares the personalization scripts, which are uploaded to the card via the TSM OTA platform.
In this case, card content management for service providers takes place via the DM TSD domain. The SM APSD is loaded and installed on the card via the DM TSD. Then, after CKLA loads the initial keys of these security domains into DM TSD (the DM TSD keys are loaded before the SM APSD is installed) and SM APSD, the service provider's application is loaded and installed via the DM TSD. When registering the application in the Card Registry, the DM TSD indicates that application personalization (receiving and processing APDU scripts) is performed by the SM APSD domain. As a result, all personalization script commands in accordance with GlobalPlatform Messaging will be sent to the service provider's application over the SCP02 channel of the SM APSD domain.
When the application is personalized through the SM APSD domain, personalization data is uploaded to the application over the SCP02 channel between TSM OTA and SM APSD, whose data packets are encapsulated in the SCP80 channel established between the TSM OTA and the DM TSD. This keeps the data uploaded to the application confidential from the TSM (only the service provider knows the SCP02 channel keys). At the same time, the TSM continues to control the SIM/UICC card content management in the service provider's part of the card.
Authorized Mode Model. Scenario 1:
The service provider delegates all management functions for its application to the TSM. This delegation covers creating an APSD domain, loading the application, and personalizing it.
The TSM uses its own OTA platform (TSM OTA) to create the APSD and to load and personalize the application in a mode where per-operation authorization by the mobile operator (card Issuer) is not required, since the card Issuer has allocated a certain area of card memory for applications loaded via the TSD.
APSD domain keys are created and revoked by the TSM in the way described in Chapter 11 “Confidential Setup of Initial Secure Channel Keys” of the GlobalPlatform UICC Configuration V. 1.0 specification.
AM TSD denotes the TSM security domain that performs content management procedures in the card memory area allocated to it. The figure shows that card content management for service providers in this case takes place via the AM TSD domain. If necessary, the SM APSD is loaded and installed on the card via the AM TSD. Then, after CKLA loads the initial keys of these security domains into AM TSD (the AM TSD keys are loaded before the SM APSD is installed) and SM APSD, the service provider's application is loaded and installed via the AM TSD. When registering the application in the Card Registry, the AM TSD indicates that the service provider's application is personalized (receiving and processing APDU scripts) by either the AM TSD domain or the SM APSD domain. As a result, all personalization script commands in accordance with GlobalPlatform Messaging will be sent to the service provider's application over the SCP80 channel of the AM TSD domain or the SCP02 channel of the SM APSD domain.
When the application is personalized through the SM APSD domain, personalization data is uploaded to the application over the SCP02 channel between TSM OTA and SM APSD, whose data packets are encapsulated in the SCP80 channel established between the TSM OTA and the AM TSD. This keeps the data uploaded to the application confidential from the card Issuer (only the TSM knows the SCP02 channel keys). At the same time, the card Issuer continues to fully control the SIM/UICC card content management.
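The three models differ in who the card-side security domain trusts before it executes a content management command: the ISD acts on its own in Simple Mode, the DM TSD demands the card Issuer's token for every load, installation, extradition or deletion, and the AM TSD acts freely but only inside the memory area the Issuer allocated to it. The Python model below is an added example written for this page (not GlobalPlatform's or any product's code) that encodes those rules for all three modes side by side; the Issuer's token is an HMAC stand-in for its real signature (an assumption), and the AIDs, key and memory quota are constructed values.

```python
import hmac
import hashlib

# Constructed key material (not from the page). The token key stands in for
# the card Issuer's signing key: real Delegated Management tokens are
# signatures by the Issuer that the TSD verifies with the Issuer's public key.
ISSUER_TOKEN_KEY = b"issuer-token-key-constructed"
CONTENT_OPS = ("LOAD", "INSTALL", "EXTRADITE", "DELETE")


def issuer_token(key: bytes, op: str, aid: bytes, sd_aid: bytes) -> bytes:
    """MNO side: token binding one operation to one application AID and to the
    TSD that will perform it, so it cannot be replayed for another command."""
    msg = op.encode() + b"|" + aid + b"|" + sd_aid
    return hmac.new(key, msg, hashlib.sha256).digest()


class SecurityDomain:
    """Card-side model of an ISD (SM), DM TSD (DM) or AM TSD (AM)."""

    def __init__(self, aid: bytes, mode: str, token_key: bytes = b"", quota: int = 0):
        self.aid, self.mode, self.token_key, self.quota = aid, mode, token_key, quota
        self.used = 0         # bytes of the allocated area already consumed
        self.registry = {}    # Card Registry slice: app AID -> personalizing SD

    def manage(self, op: str, aid: bytes, size: int = 0, token: bytes = b"",
               perso_by: bytes = b"") -> bool:
        """Return True and apply the operation only if this mode permits it."""
        if op not in CONTENT_OPS:
            return False
        if self.mode == "SM":          # the ISD manages content itself
            ok = True
        elif self.mode == "DM":        # an Issuer token is mandatory
            expected = issuer_token(self.token_key, op, aid, self.aid)
            ok = bool(token) and hmac.compare_digest(token, expected)
        elif self.mode == "AM":        # free inside the allocated memory area
            ok = op != "LOAD" or self.used + size <= self.quota
        else:
            return False
        if not ok:
            return False
        if op == "LOAD":
            self.used += size
        elif op == "INSTALL":          # record who will personalize the app
            self.registry[aid] = perso_by or self.aid
        elif op == "DELETE":
            self.registry.pop(aid, None)
        return True
```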
Authorized Mode Model. Scenario 2 (the application is personalized by the service provider):
The service provider delegates the management functions for its application to the TSM. This delegation covers creating an APSD domain and loading the application.
The TSM uses its own OTA platform (TSM OTA) to create the APSD and to load and personalize the application within the card memory area allocated by the Issuer.
APSD domain keys are created and revoked by the service provider (SP) in the way described in Chapter 11 “Confidential Setup of Initial Secure Channel Keys” of the GlobalPlatform UICC Configuration V. 1.0 specification.
The service provider prepares the personalization scripts, which are uploaded to the card via the TSM OTA platform.
The figure shows that card content management for service providers in this case takes place via the AM TSD domain. The SM APSD is loaded and installed on the card via the AM TSD. Then, after CKLA loads the initial keys of these security domains into AM TSD (the AM TSD keys are loaded before the SM APSD is installed) and SM APSD, the service provider's application is loaded and installed via the AM TSD. When registering the application in the Card Registry, the AM TSD indicates that the service provider's application is personalized (receiving and processing APDU scripts) by the SM APSD domain. As a result, all personalization script commands in accordance with GlobalPlatform Messaging will be sent to the service provider's application over the SCP02 channel of the SM APSD domain.
When the application is personalized through the SM APSD domain, personalization data is uploaded to the application over the SCP02 channel between TSM OTA and SM APSD, whose data packets are encapsulated in the SCP80 channel established between the TSM OTA and the AM TSD. This keeps the data uploaded to the application confidential from the TSM (only the service provider knows the SCP02 channel keys). At the same time, the TSM continues to control the SIM/UICC card content management in the service provider's part of the card.