Introduction to SIM Cards
20 September 2007 1
Contents
Part 1 : SIM Concepts
1. Overview of GSM Networks
2. SIM in GSM Networks
3. Introduction to GSM 11.11
Part 2 : SIM Applications
1. Anti-Cloning and Authentication Counter
2. Local Applications
3. Point to Point Applications
Overview of GSM Networks
What is GSM?
Original name: Groupe Spéciale Mobile
GSM now stands for: Global System for Mobile communication
Key Features of GSM
GSM properties:
- Open standard
- Provision of roaming
- SIM
- Digital (ISDN compatible)
- TDMA (Time Division Multiple Access)
Network Elements
[Figure: several Mobile Stations (MS) attached to the Network]
MS: Mobile Station = Mobile equipment + SIM
[Figure: the Network consists of several Base Station Systems (BSS) around the Core]
BSS: Base Station System
Base Station System
[Figure: several BTS connected to a BSC, which connects to the Core]
BSC: Base Station Controller
BTS: Base Transceiver Station
Abbreviations:
HLR: Home Location Register
VLR: Visiting Location Register
AUC: Authentication Center
EIR: Equipment Identity Register
MSC: Mobile Switching Center
GMSC: Gateway MSC
OMC: Operational and Maintenance Center
SMSC: Short Message Service Center
The core network
[Figure: the core network. The BSCs connect to the MSC/VLR; the core also holds the AUC, HLR, VLR, EIR, SMSC and OMC, and the GMSC is the gateway to roaming PLMNs, the PSTN and others]
SIM in GSM Networks
What is a SIM?
SIM stands for: Subscriber Identity Module
The purpose of a SIM:
- Identify a user
- Authenticate a user
- Data storage
- Marketing tool
- Portable
What is in a SIM?
Hardware:
- CPU
- I/O devices
- ROM
- RAM
- EEPROM
ROM:
- Basic OS functionality
- GSM functionality
- SIM vendor functionality
- Network operator functionality (optional)
- Fixed data (optional)
EEPROM:
- Setup for OS
- Patches to the OS
- Extensions to the OS
- Data
Architecture of standard SIM
Architecture of first generation SIM
[Figure: layered architecture. ISO 7816-4 APDUs enter the APDU Dispatch, which implements the GSM 11.11 Subscriber Identity Module - Mobile Equipment (SIM-ME) Interface on top of the ISO 7816-4 File System]
SIM in GSM networks
What is required to activate the SIM in the GSM network?
- Input file
- Output file
- Transport Key (Optional)
- SIM Card (with network profile)
- Algorithm Type
[Figure: personalisation data flow between the network side and the card vendor]
1. The network side sends the input file, profile and keys to the card vendor.
2. The card vendor's data generation returns the output file to the network side: the HLR stores ICCID, IMSI and PINs, the AUC stores IMSI and Ki values.
3. Data generation also produces the perso data for the cards.
Input file format
(Callouts on the slide: Quantity = number of cards; Transport_key = transport key index; IMSI = start IMSI; Ser_nb = start ICCID.)
* HEADER DESCRIPTION
***************************************
Customer: TELCO
Quantity: 4500
Type: PLUG IN
Profile: 5.0
Batch: 00045
*
Transport_key: 001
*
Address1: TELCO
Address2: COUNTRY
***************************************
* INPUT VARIABLES
***************************************
var_in_list:
IMSI: 238993210070000
Ser_nb: 894502300000070000
***************************************
* OUTPUT VARIABLES
***************************************
var_out:PIN/PUK/PIN2/PUK2/Code_ADM/KI
Output file format
(The last two lines are the subscriber data: one record per card, in the order ICCID, IMSI, then the var_out fields PIN/PUK/PIN2/PUK2/Code_ADM/KI.)
* HEADER DESCRIPTION
***************************************
Customer: TELCO
Quantity: 4500
Type: PLUG IN
Profile: 5.0
Batch: 00045
*
Transport_key: 001
*
Address1: TELCO
Address2: COUNTRY
***************************************
* INPUT VARIABLES
***************************************
var_in_list:
IMSI: 238993210070000
Ser_nb: 894502300000070000
***************************************
* OUTPUT VARIABLES
***************************************
var_out:PIN/PUK/PIN2/PUK2/Code_ADM/KI
894502300000070000 238993210070000 1234 12345678 0000 12345678 88888888
12345678901234567890123456789012
How is the transport key used?
Objective: to protect the Ki value during transport of the file from the SIM vendor to the network operator.
[Figure: the card vendor and the network side (AUC) each hold the transport keys]
1. The card vendor selects the transport key index
2. Get the key value
3. Transport key value
4. Use the transport key to encrypt Ki in the output file
5. Encrypted Ki in the output file
6. Ki is decrypted in the AUC
GSM Authentication Process
The action on the air interface
[Figure: the Network sends RAND to the MS; the MS returns SRES]
RAND: random value
SRES: response for authentication
[Figure: the network uses the IMSI to look up Ki and runs A3 on Ki and RAND to obtain SRES'; the SIM runs A3 and A8 on Ki and RAND to obtain SRES and Kc; the network compares SRES with SRES']
Confidentiality in GSM
[Figure: encrypted voice data channel; both ends apply A5 under Kc: A5Kc[Data]]
Comp 128 algorithm
Comp 128 consists of:
- A3: Authentication Algorithm (SIM process)
- A8: Kc Calculation Algorithm (SIM process)
- A5: Voice Data Encryption Algorithm (ME process)
- To use the Comp 128 command, the ME calls the SIM command RUN_GSM_ALGO.
- RUN_GSM_ALGO returns a 12-byte response, of which 4 bytes are the SRES and 8 bytes are the Kc.
Security in GSM
- Ki is never revealed in the network
- Ki is never passed from the SIM card to the Mobile Phone
- All authentication calculations, including Kc, are done in the SIM card
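The RAND/SRES exchange and the RUN_GSM_ALGO command of the preceding slides, as an added example that is not part of the original deck. A3/A8 are replaced by an HMAC-SHA256 stand-in (it is NOT COMP128) so the flow runs offline; the APDU coding is the GSM 11.11 RUN GSM ALGORITHM header A0 88 00 00 10, and the 12-byte SRES||Kc response is returned directly rather than via GET RESPONSE.

```python
# Added example, not from the slides: the RAND/SRES exchange with a simulated SIM
# and AUC. A3/A8 are replaced by an HMAC-SHA256 stand-in (it is NOT COMP128) so the
# flow runs offline; the APDU coding is the GSM 11.11 RUN GSM ALGORITHM (A0 88 00 00 10).
import hashlib
import hmac
import os

RUN_GSM_ALGO_HEADER = bytes.fromhex("A088000010")   # CLA INS P1 P2 Lc (16-byte RAND)
SW_OK = bytes.fromhex("9000")
SW_WRONG_PARAMS = bytes.fromhex("6B00")

def a3a8_stand_in(ki: bytes, rand: bytes):
    """Placeholder for A3/A8: (SRES 4 bytes, Kc 8 bytes) derived from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class Sim:
    """Keeps Ki private; the only way to use it is the RUN GSM ALGORITHM command."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self.__ki = ki                      # never leaves the object

    def run_gsm_algo(self, apdu: bytes) -> bytes:
        if apdu[:5] != RUN_GSM_ALGO_HEADER or len(apdu) != 21:
            return SW_WRONG_PARAMS
        sres, kc = a3a8_stand_in(self.__ki, apdu[5:])
        # 12 data bytes (SRES || Kc) followed by the status word; on a real T=0 card
        # the data would be fetched with GET RESPONSE after SW 9F 0C
        return sres + kc + SW_OK

class Auc:
    """Network side: stores IMSI -> Ki and issues (RAND, SRES', Kc) triplets."""
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers

    def triplet(self, imsi: str):
        rand = os.urandom(16)
        sres, kc = a3a8_stand_in(self.subscribers[imsi], rand)
        return rand, sres, kc

def authenticate(sim: Sim, auc: Auc):
    """MSC/VLR view: challenge the MS with RAND, compare SRES with SRES' from the AUC.
    Returns (success, Kc); Kc is only released for A5 ciphering after a match."""
    rand, sres_expected, _kc_network = auc.triplet(sim.imsi)
    response = sim.run_gsm_algo(RUN_GSM_ALGO_HEADER + rand)
    if response[-2:] != SW_OK:
        return False, None
    sres, kc = response[:4], response[4:12]
    if not hmac.compare_digest(sres, sres_expected):
        return False, None
    return True, kc
```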
Introduction to GSM 11.11
GSM Specifications
- Defined by ETSI, AKA European Telecommunications Standards Institute
- All the specs can be downloaded at http://www.3gpp.org/ftp/Specs/
Functions of a SIM card
Phase 1:
- Subscriber Authentication to the network
- PIN protection to Subscriber Data
- Phonebook Storage
- SMS Storage
Phase 2:
- More Security: PIN2
- Service Dialing Numbers (SDNs)
- Fixed Dialing Numbers (FDNs)
- Public Land Mobile Networks (PLMNs)
Phase 2+:
- Barred Dialing Numbers (BDNs)
- Over The Air (OTA)
- SIM ToolKit (STK)
GSM 11.11 Basic SIM Specifications
File System:
- Purpose of each file
- Default Contents
- Access Conditions
Command Set:
- APDU Coding of commands
- Coding of responses
Communication Protocol
Power Up Procedure
Types of Files
1. Transparent File
- Consists of a sequence of bytes
- Total length of file is defined in the header
- Relative address is used for reading or updating data in file
2. Linear Fixed File
- Consists of a sequence of records all having the same fixed length
- First record has index number 1
- Number of records and length is defined in the header
- Record Number is used for reading or updating data in file
3. Cyclic File
- Consists of a sequence of records all having the same fixed length
- Number of records and length is defined in the header
- Stores data in chronological order
- When record pointer is at last record, record 1 will be used next
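The three file types above, as an added example that is not part of the original deck: a small model of transparent, linear fixed and cyclic files, with the cyclic record pointer wrapping back to slot 1 after the last record. The status words quoted in the error messages are the GSM 11.11 ones; file sizes and contents are illustrative.

```python
# Added example, not from the slides: a small model of the three GSM 11.11 file types.
# Status words in the error messages are the GSM 11.11 ones; sizes are illustrative.
class TransparentEF:
    """Sequence of bytes addressed by relative offset (READ BINARY / UPDATE BINARY)."""
    def __init__(self, size: int):
        self.data = bytearray(b"\xff" * size)      # length comes from the file header
    def read_binary(self, offset: int, length: int) -> bytes:
        if offset + length > len(self.data):
            raise ValueError("6B00: offset outside the file")
        return bytes(self.data[offset:offset + length])
    def update_binary(self, offset: int, value: bytes) -> None:
        if offset + len(value) > len(self.data):
            raise ValueError("6B00: offset outside the file")
        self.data[offset:offset + len(value)] = value

class LinearFixedEF:
    """Records of one fixed length; the first record is number 1 (READ/UPDATE RECORD)."""
    def __init__(self, rec_count: int, rec_len: int):
        self.rec_len = rec_len
        self.records = [bytearray(b"\xff" * rec_len) for _ in range(rec_count)]
    def read_record(self, number: int) -> bytes:
        if not 1 <= number <= len(self.records):
            raise ValueError("9402: record number out of range")
        return bytes(self.records[number - 1])

    def update_record(self, number: int, value: bytes) -> None:
        if len(value) != self.rec_len:
            raise ValueError("6700: wrong length")
        self.read_record(number)                   # range check
        self.records[number - 1][:] = value

class CyclicEF(LinearFixedEF):
    """Same layout, but entries are stored in chronological order: record 1 is always
    the newest one, and once every slot has been used the oldest is overwritten."""
    def __init__(self, rec_count: int, rec_len: int):
        super().__init__(rec_count, rec_len)
        self.newest = 0                             # physical slot of the last write
        self.used = 0

    def append(self, value: bytes) -> None:
        """UPDATE RECORD in PREVIOUS mode: the pointer wraps to slot 1 after the last."""
        if len(value) != self.rec_len:
            raise ValueError("6700: wrong length")
        self.newest = self.newest % len(self.records) + 1
        self.records[self.newest - 1][:] = value
        self.used = min(self.used + 1, len(self.records))

    def read_record(self, number: int) -> bytes:
        """Logical numbering: 1 = newest entry, self.used = oldest still stored."""
        if not 1 <= number <= self.used:
            raise ValueError("9402: record number out of range")
        slot = (self.newest - number) % len(self.records) + 1
        return bytes(self.records[slot - 1])
```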
SIM File System, Data and Algo
More important Files (EF) and Folders (DF) include:
Master File (Base Directory)
- EF_ICCID
  - Integrated Circuit Chip ID
  - Each card is unique
  - Assigned by operator
  - 19 digits printed on exterior of SIM
  - Follows international format
- DF Telecom
  - EF_ADN: Phonebook
  - EF_SMS
- DF GSM
  - EF_IMSI
    - International Mobile Subscriber ID
    - Each card is unique
    - Assigned by operator
    - Used by the network to identify the SIM
SIM File System
SIM Card File System
MF (ROOT) 3F00
- EF_ICCID 2FE2 (ICCID)
- EF_MANU 0002
- EF_KEY_EXT 0011
- EF_CHV1 0000 (PIN1)
- EF_CHV2 0100 (PIN2)
- DF_GSM 7F20
  - EF_KEY_INT 0001
  - EF_PLMNSEL 6F30
- DF_TELECOM 7F10
  - EF_ADN 6F3A (Addr Book)
  - EF_SMS 6F3C (Short Message)
  - EF_MSISDN 6F40
SIM Data
Format of ICCID
[Figure: charge card numbering system (ITU-T E.118)]
- Primary account number: 19 visible characters (maximum)
- Issuer identification number (digits variable, maximum 7), made of:
  - Major Industry Identifier (MII), Standard ISO/IEC 7812 [1]: "89" is assigned for telecommunication purposes to ROAs
  - Country code: Recommendation E.164 [2] (variable, 1 to 3 digits)
  - Issuer identifier number (variable, but fixed number of digits within a country or world zone where appropriate)
- Individual account identification number (variable, but fixed number of digits for each particular issuer identifier number)
- Luhn check digit
ICCID format
ICCID is the SIM card's unique identification number and is coded in accordance with ITU-T recommendation E.118 (18).
Format: 89 66 15 XTH YYYYYYYYY C
Number of digits in ICCID: 19 digits including check digit
89: Telecom Application Code
66: Mobile Country Code (eg. Thailand)
18: Mobile Network Code (eg. DTAC)
X: Card Manufacturer Code
T: Type of card (ID-1=1 and Plug-in=2)
H: HLR ID (HLR1=0, HLR2=1, HLR3=2)
YYYYYYYYY: Sequential Number
C: Luhn key computed from the 18 previous digits (1 nibble)
Example: 89661 51100 00000 001-7
Use of ICCID in Graphical Personalisation
Printed as 2 vertical rows x 10 digits each row, or 5 horizontal rows x 4 digits each row
[Figure: card with the ICCID printed as 8966 / 1811 / 0000 / 0000 / 01 7, as 89661 81100 00000 001-7, and as a barcode]
SIM Data
Format of IMSI
[Figure: the 15 IMSI digits split into MCC (digits 1 to 3), MNC (digits 4 to 5) and MSIN (digits 6 to 15)]
IMSI format
IMSI is the International Mobile Subscriber Identity. The length and coding of the IMSI must be according to GSM 04.48 [15]. The IMSI is coded on 15 digits, according to the following structure:
MCC NC XXXXXXXXXX   e.g. 520181000000001
MCC: Mobile network country code defined by GSM 11.11. '520' for Thailand.
NC: Network code registered in ITU for the operator. '18' for DTAC.
XX..X: Running number of the serial number, including the HLR ID.
Note: The running number is taken from the input file and automatically incremented from the initial value.
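The data generation step behind the input and output file formats shown earlier, the ICCID Luhn key and the IMSI layout just described, as one added example that is not part of the original deck. The fixed PIN/PUK/ADM values are the sample values of the output-file slide; treating the input file's Ser_nb as the 18 ICCID digits before the Luhn key is an assumption.

```python
# Added example, not from the slides: data generation for the input/output file formats,
# the ICCID Luhn key (ITU-T E.118) and the IMSI layout. Fixed codes are the sample values
# of the output-file slide; treating Ser_nb as the 18 digits before the key is an assumption.
import secrets

def luhn_check_digit(payload: str) -> int:
    """Luhn key over the 18 ICCID digits: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10

def iccid_with_key(serial18: str) -> str:
    """19-digit ICCID = 18-digit serial number + Luhn key (the '-7' of the slide example)."""
    if len(serial18) != 18 or not serial18.isdigit():
        raise ValueError("ICCID serial must be 18 digits")
    return serial18 + str(luhn_check_digit(serial18))

def split_imsi(imsi: str) -> dict:
    """MCC (3 digits) + NC (2 digits) + 10-digit running number, as on the IMSI slide."""
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError("IMSI must be 15 digits")
    return {"mcc": imsi[:3], "nc": imsi[3:5], "running": imsi[5:]}

def generate_records(start_imsi: str, start_ser_nb: str, quantity: int,
                     pin="1234", puk="12345678", pin2="0000", puk2="12345678",
                     adm="88888888") -> list:
    """Output-file records in var_out order. Both running numbers are incremented from
    the input-file start values; Ki is 16 random bytes (32 hex chars). Ki is written in
    the clear here, whereas a real output file carries it encrypted under the transport key."""
    records = []
    for i in range(quantity):
        ser_nb = str(int(start_ser_nb) + i).zfill(18)
        imsi = str(int(start_imsi) + i).zfill(15)
        ki = secrets.token_bytes(16).hex().upper()
        records.append(" ".join([iccid_with_key(ser_nb), imsi, pin, puk, pin2, puk2, adm, ki]))
    return records

if __name__ == "__main__":
    # start values taken from the input file on the slide
    for line in generate_records("238993210070000", "894502300000070000", 3):
        print(line)
```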
SIM File System, Data and Algo
Important Data:
- Ki
  - Unique 16 byte secret key used for authentication
  - Usually encrypted with transport key
- PIN / PUK (Max 8 bytes)
  - Personal Identification Number (3 tries)
  - PIN Unblocking Key (10 tries)
  - Can be fixed or random, specified by operators
- ADM (Max 8 bytes)
  - Administrative PIN (5 tries)
Important Algo:
- A3/A8 (COMP128)
  - Authentication algorithm
  - Version 1, 2 and 3
GSM Command Set
Basic GSM 11.11 command set includes:
- Select MF/DF/EF
- Read Binary
- Update Binary
- Read Record
- Update Record
- Verify PIN/PUK/ADM
- Run GSM Algo
[Figure: Transparent File and Linear Fixed File]
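The access conditions and retry counters from the two preceding slides (PIN 3 tries, PUK 10 tries, ADM 5 tries) enforced in front of the basic command set, as an added example that is not part of the original deck. The file identifiers are those of the file-system slide; the access conditions, sample codes and file contents are illustrative assumptions.

```python
# Added example, not from the slides: access conditions and retry counters (PIN 3 tries,
# PUK 10 tries, ADM 5 tries) enforced in front of the basic command set. File ids are
# those of the file-system slide; conditions, codes and contents are illustrative.
import hmac

ALWAYS, CHV1, ADM, NEVER = "ALW", "CHV1", "ADM", "NEV"

class SimCard:
    def __init__(self, pin: str, puk: str, adm: str):
        # code name -> [value, tries left, max tries]
        self.codes = {"CHV1": [pin, 3, 3], "PUK": [puk, 10, 10], "ADM": [adm, 5, 5]}
        self.verified = set()
        # file id -> [read condition, update condition, content]
        self.files = {
            "2FE2": [ALWAYS, NEVER, b"ICCID"],  # EF_ICCID: readable by anyone, never updated
            "6F3A": [CHV1, CHV1, b"ADN"],       # EF_ADN: phonebook, behind PIN1
            "6F30": [CHV1, CHV1, b"PLMN"],      # EF_PLMNSEL
            "0001": [NEVER, ADM, b"Ki"],        # EF_KEY_INT: Ki written at perso, never read
        }

    def verify(self, name: str, value: str) -> bool:
        """VERIFY CHV / ADM: a wrong code burns one try; at zero tries the code is blocked."""
        code = self.codes[name]
        if code[1] == 0:
            return False                        # SW 9840: no attempt left
        if hmac.compare_digest(code[0], value):
            code[1] = code[2]
            self.verified.add(name)
            return True
        code[1] -= 1
        if code[1] == 0:
            self.verified.discard(name)         # a blocked code no longer grants access
        return False

    def unblock_chv1(self, puk: str, new_pin: str) -> bool:
        """UNBLOCK CHV: a correct PUK sets a new PIN1 and restores its 3 tries."""
        if not self.verify("PUK", puk):
            return False
        self.codes["CHV1"] = [new_pin, 3, 3]
        return True

    def _check(self, condition: str) -> None:
        if condition == ALWAYS or (condition != NEVER and condition in self.verified):
            return
        raise PermissionError("9804: access condition not fulfilled")

    def read_binary(self, fid: str) -> bytes:
        self._check(self.files[fid][0])
        return self.files[fid][2]

    def update_binary(self, fid: str, data: bytes) -> None:
        self._check(self.files[fid][1])
        self.files[fid][2] = data
```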
Part 2 : SIM Applications
Anti-Cloning & Authentication Counter
Hacking of Ki
- Cloning Kits call the RUN_GSM_ALGO command many times with a series of Fake RANDs
- Analyze the SRES returned by the RUN_GSM_ALGO commands
- Ki can be found in 40000 to 80000 RUN_GSM_ALGO commands
- Only Comp128-1 can be hacked now. Comp128-2 and Comp128-3 are safe from hacking
Methods to curb hacking
Authentication Counter
1. SIM Solution
How: Limit the number of times the RUN_GSM_ALGO command can be called
Advantages: Effective in reducing the possibility of SIM cloning
Disadvantages: Life span of SIM compromised; difficult to find the optimal limit
Strong Ki
2. Non SIM Solution
How: Software generates Ki values that can withstand Cloning Kit analysis; only these Ki values are used in Perso
Advantages: No SIM technology needed; easy to implement; does not compromise SIM life span
Disadvantages: Ki values may still be hacked with new analysis algorithms in the future; customers may not feel safe
Pattern Recognition
3. SIM Solution
How:
- Detect Fake RAND, e.g. running numbers
- Detect an unusually high percentage of RUN_GSM_ALGO commands received by the SIM card
- Once a hacking pattern is detected, return a wrong SRES value, which will thwart the analysis
- Wrong SRES value generation: random number generation, or a dummy Ki
Advantages: Does not compromise SIM life span; very effective as it will not be affected by new Cloning Kits
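A SIM-side guard combining method 1 (authentication counter) and method 3 (pattern recognition) from the slides above, as an added example that is not part of the original deck. The thresholds, the running-number test and the decoy strategy (answering with a dummy Ki so the SRES is wrong) are illustrative assumptions; the rate-of-commands check of the slide is not modelled.

```python
# Added example, not from the slides: a SIM-side guard combining method 1 (authentication
# counter) and method 3 (pattern recognition). Thresholds, the running-number test and
# the decoy strategy (answer with a dummy Ki) are illustrative assumptions.
import os
from collections import deque

class AuthGuard:
    """Decides, for each RUN_GSM_ALGO call, which key the SIM should answer with."""
    def __init__(self, max_calls: int = 250_000, window: int = 16,
                 suspect_ratio: float = 0.5, dummy_ki: bytes = None):
        self.max_calls = max_calls          # method 1: lifetime call limit
        self.calls = 0
        self.hits = deque(maxlen=window)    # method 3: 1 per RAND that looked like a running number
        self.suspect_ratio = suspect_ratio
        self.last = None
        self.latched = False                # once a hacking pattern is seen, stay in decoy mode
        self.dummy_ki = dummy_ki or os.urandom(16)

    @staticmethod
    def running_number(prev: int, cur: int) -> bool:
        """Genuine network RANDs are random 128-bit values; two consecutive challenges
        that differ by a small step are not what an AUC produces."""
        return 0 < abs(cur - prev) <= 0xFF

    def decide(self, rand: bytes) -> str:
        """Returns 'ok' (real Ki), 'decoy' (dummy Ki, wrong SRES) or 'blocked'."""
        self.calls += 1
        if self.calls > self.max_calls:
            return "blocked"                # counter exhausted: the cost is SIM life span
        cur = int.from_bytes(rand, "big")
        suspicious = self.last is not None and self.running_number(self.last, cur)
        self.hits.append(1 if suspicious else 0)
        self.last = cur
        window_full = len(self.hits) == self.hits.maxlen
        if window_full and sum(self.hits) / self.hits.maxlen >= self.suspect_ratio:
            self.latched = True
        return "decoy" if self.latched else "ok"

    def key_for(self, rand: bytes, real_ki: bytes):
        """Key the A3/A8 computation should use for this RAND, or None to refuse."""
        verdict = self.decide(rand)
        if verdict == "blocked":
            return None
        return self.dummy_ki if verdict == "decoy" else real_ki
```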
Comparison of Methods
Comparison table
Criterion                           | Authentication Counter | Strong Ki | Pattern Recognition
SIM Solution                        | yes                    | no        | yes
Easy to Implement                   | yes                    | yes       | yes
Maintain SIM Life Span              | no                     | yes       | yes
Protection against New Cloning Kits | no                     | no        | yes
User Applications
Value-Added Applications
Applications Portfolio
- Eastcompeace Applications Portfolio may be divided into 2 main categories:
  - Local
  - Point to Point
[Figure: example services: Info on demand, Data back up, m-Banking, Prepaid, Internet/E-mail, Loyalty]
Local Applications
- Local Applications are stand-alone applications running in the Mobile Station without producing network traffic.
- Eastcompeace's offer of Local Applications includes:
  - Dual IMSI
  - Phonebook plus
  - Enhanced Phonebook
  - Multi-Inbox
  - Password Manager
  - Welcome Note
Dual IMSI
- The Dual IMSI application allows the operator to offer two different accounts on the same SIM card without any impact on the network side.
- Applications:
  - Private/Business
  - Roaming
- Operator Benefits:
  - Differentiate the product
  - Increase customer satisfaction
  - Target specific subscriber segments
Phonebook Plus
- The Phonebook Plus application provides the SIM card with an increased phonebook, up to 500 entries.
- The standard phonebook is duplicated: the user can access two phonebooks by menu, pbook1 and pbook2, each up to 250 entries.
- Phonebook Plus is the unique solution that allows increasing the SIM phonebook without changing the user experience.
- Operator Benefits:
  - Differentiate the product
  - Increase customer satisfaction
Enhanced Phonebook
- USIM:
  - Enhanced Phonebook for USIM allows access to all the 3G Phone Book functionalities (more than 250 entries, second name, additional number, e-mail, …) even from a 2G handset.
  - Enhanced Phonebook makes the 2G migration toward 3G smoother.
- SIM:
  - Enhanced Phonebook for SIM makes 3G Phonebook functionalities (more than 250 entries, second name, additional number, e-mail, …) available on a 2G SIM card.
- Operator Benefits:
  - Differentiate the product
  - Increase customer satisfaction
[Figure: sample entry "Mr. White" with principal number, second number, email address, second name and group]
Multi-Inbox
- The Multi-Inbox application satisfies the need to store as many SMS as possible.
- The standard Inbox is duplicated: the user can access two Inboxes by menu, Inbox1 and Inbox2.
- Once an Inbox is selected, it is managed as the standard SIM Inbox folder, through the ME commands, without changing the user experience.
- Operator Benefits:
  - Differentiate the product
  - Increase customer satisfaction
Password Manager
- The Password Manager application allows the operator to dedicate a certain amount of memory to the user, where he can store his highly sensitive personal data (credit card number, access codes, …).
- The dedicated space can only be accessed by code presentation.
- The secured data can be stored in a secure application server and securely retrieved in case the SIM card is lost or stolen.
- Operator Benefits:
  - Differentiate the product
  - Increase customer satisfaction
  - Increase ARPU
Welcome Note
- This application provides a personalized welcome note when the phone is powered up. The operator can use it to display the service branding and the customer's subscription plan, which will help our customers to guarantee loyalty by improving the user experience.
- The welcome message can be modified via OTA, which is a perfect marketing tool to inform each customer of relevant new services or offers available!
Point-to-Point Applications
- Point to point applications provide end to end connections to the users. The aim is to offer value added services, generating traffic and revenue for the operator.
- Eastcompeace's offer of Point to Point applications includes:
  - Smart Lock
  - Group SMS
  - My Secret SMS
  - Flash SMS
Smart Lock
- The Smart Lock application provides a feature to prevent unauthorized use of your mobile phone. If the user forgets to carry his/her mobile phone or loses it, the user can send a special SMS to his/her phone to lock the SIM card with PIN1.
  - The STK-SMS must follow a special format and include a password
  - The password can be set through your SIM card's STK menu
  - The SIM card can be unlocked by presenting the password again through the STK menu
Group SMS
- The Group SMS application assists the user in broadcasting information.
- Once a group is defined, the application allows sending an SMS to the entire group in a single operation.
- This application produces revenue for the operator by increasing SMS traffic per user.
- Operator Benefits:
  - Differentiate the product
  - Increase customer satisfaction
  - Increase ARPU
My Secret SMS
- The My Secret SMS application allows the user to send/receive anonymous SMS, protected by PIN.
- Upon the arrival of a secret SMS, the user experience is to receive a standard SMS, the text of which, configurable by the same user, represents the notification of the arrival of a secret SMS.
- The "Secret Inbox" can be accessed via menu after a PIN code presentation.
- Operator Benefits:
  - Differentiate the product
  - Increase customer satisfaction
  - Increase ARPU
Flash SMS
- The Flash SMS application offers mobile subscribers the following features:
  - Upon receiving an SMS, its contents are displayed directly on the mobile phone screen
  - The SMS is not stored in the inbox directly
  - The user scrolls down to read the SMS
  - At the end of the SMS, the user is prompted to save or discard the SMS
Thank you
We are always willing to grow with you.