GSMA Embedded SIM for Connected Cars

Similar documents
GSMA Embedded SIM Specification Remote SIM Provisioning for M2M. A single, common and global specification to accelerate growth in M2M

GSMA Embedded SIM 9 th December Accelerating growth and operational efficiency in the M2M world

New Business. Opportunities for Cellular IoT. Loic Bonvarlet Director of Marketing Secure Identity Arm. Copyright 2018 Arm, All rights reserved.

Connected Living. SIMs & M2M the Central and Developing Role of SIMs

Embedded SIM (esim)/euicc Technology

esim Whitepaper The what and how of Remote SIM Provisioning March 2018

ebook - TRUSTED esim TESTING FRAMEWORK - June 2016 BUILDING A TRUSTED EMBEDDED SIM TESTING FRAMEWORK IN THE AGE OF IOT

Mobile network operator on-demand subscription management study

GSM Association (GSMA) Mobile Ticketing Initiative

The UICC. Recent Work of ETSI TC Smart Card Platform. Dr. Klaus Vedder Chairman ETSI TC SCP

Secure Elements 101. Sree Swaminathan Director Product Development, First Data

Secure Application Trend in Smartphones. STMicroelectronics November 2017

Case Study. gsma.com/iotsecurity

Emerging Mobile IoT Technologies: Use Cases, Business and Security Requirements

Testing Remote SIM Provisioning. Solutions for M2M and Consumer Devices

Massive M2M Communications: Challenges for NRAs

Introduction to Device Trust Architecture

Bringing you an end to end Mobile Connect Solution. Mobile Connect for Mobile Network Operator. Mars 2016

Solutions to Enhance IoT Authentication Using SIM Cards (UICC)

Natural Security Alliance

INSPIRING IOT INNOVATION: MARKET EVOLUTION TO REMOVE BARRIERS. Mark Chen Taiwan Country Manager, Senior Director, Sales of Broadcom

Machina Research. Balancing regulatory and operator requirements for extra-territorial use of e.164

The Open Application Platform for Secure Elements.

The following use cases were developed by the Connected Living Programme in 2014/15:

hidglobal.com HID ActivOne USER FRIENDLY STRONG AUTHENTICATION

Regulation and the Internet of Things

SOLUTIONSPORTFOLIO RESHAPING SIM BUSINESS

Connected Living: The Market Opportunity in Embedded Mobile

Eligibility for Associate Membership

Kigen SIM Solutions. Unlock the full potential of IoT

Orange Smart Cities. the ICT partner for innovators in the urban space

SEPA goes Mobile Dr. Marijke De Soete ETSI Security Workshop January 2011 Sophia Antipolis, France

Mixed use of 2 and 3 digit MNCs. Main points from report prepared for the Swedish Post and Telecom Authority (PTS) Copenhagen 4 March 2014

GlobalPlatform Addressing Unique Security Challenges through Standardization

Next steps for NFC and mobile wallets

EGNSS Mass Market Applications - Mobility as a service and Smart cities, IoT, Commercial and Social LBS

Open Mobile API The enabler of Mobile ID solutions. Alexander Summerer, Giesecke & Devrient 30th Oct. 2014

OECD work on IoT. Regulatory impacts of IoT or the liberalisation of the SIM-card

INDUSTRY-LED COLLABORATION

Secure Technology Alliance Response: NIST IoT Security and Privacy Risk Considerations Questions

Jean-Pierre Muzard Business Development Manager, Global Service Provider Team. October 2012

Welcome to the 5G age

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Launch Smart Products With End-to-End Solutions You & Your Customers Can Trust

Date: 13 June Location: Sophia Antipolis. Integrating the SIM. Dr. Adrian Escott. Qualcomm Technologies, Inc.

The international CETECOM Group. ETSI ITS Workshop 2013 Session 4 Testing and Certification CETECOM ITS Service Partner Ulrich Keuling, CETECOM

Mobile Payments Building the NFC Ecosystem

RESHAPING SIM BUSINESS PARIS. MOSCOW. DUBAI. SINGAPORE. SEATTLE.

A Novel Scheme for On-demand Distribution of Secure Element Keys

ECC Recommendation (17)04. Numbering for ecall

Future-Proof Security & Privacy in IoT

SIM Evolution. Klaus Vedder. Presented by: 10 July 2018 ETSI th Sigos Conference

IEEE-SA Internet of Things - Security & Standards

NTT DOCOMO Technical Journal. 1. Introduction. Kazunari Suzuki Teppei Azuma

Embedded SIM Study. September 2015 update

esim Covering the Last Mile to Internetbased

Secure Data Acquisition, Communication, and Processing for Your IoT Solutions

NRENs and IoT Security: Challenges and Opportunities. Karen O Donoghue TICAL 2018 Cartagena 4 September 2018

IoT/M2M Policy Roadmap

Business Potential from Industry Digitalization

M2M INTEROPERABILITY DEMONSTRATIONS

Verizon Software Defined Perimeter (SDP).

CEN TC 224 WG15. European Citizen Card. Brussels May 10th CEN/TC 224 WG15 European Citizen Card

Mobile NFC Services Opportunities & Challenges. NGUYEN Anh Ton VNTelecom Conference 31/10/2010

Managing an NFC Ecosystem

Delivering the Wireless Software-Defined Branch

Friedrich Smaxwil CEN President. CEN European Committee for Standardization

Recommendations on residual issues relevant to ecall

euicc for: Connected cars

euicc for: Connected wearable technology

Smart Cities & The 4th Industrial Revolution

Accelerating solutions for highway safety, renewal, reliability, and capacity. Connected Vehicles and the Future of Transportation

Expanding the human possibilities of the connected world

Mobile Payment & Retail Project. Maura Turolla, Telecom Italia - Innovazione

Internet of Everything Qualcomm Brings M2M to the World

Workshop Numbering for ecall 31. January Johannes Vallesverd CEPT ECC WG NaN Chairman

Strong Customer Authentication and common and secure communication under PSD2. PSD2 in a nutshell

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

TAF-TAP TSI Steering Committee Agenda item..: Presentation of the activities of the sector TAP TSI. Brussels, 24 June 2015

All rights reserved. ITS at ETSI. Presented by Luis Jorge Romero on behalf of ETSI TC ITS

WIND RIVER NETWORKING SOLUTIONS

Powering the Internet of Things with MQTT

Second Workshop of India-EU Collaboration on Standardization for Select Technologies

The Windstream Enterprise Advantage for Healthcare

PKI and FICAM Overview and Outlook

Mobile Driver s License Region IV May 24, 2017 Seattle, WA

05/31/2010. Smart OpenID

FCC, Voice Telephone Services Report: Status as of December 31, 2016, at

Machine to Machine (m2m) Wholesale 3G Mobile Connectivity

Korea ICT Market Overview. Yoonmi Kim Finpro Korea

European Union Agency for Network and Information Security

to Serve the Internet of Things: the onem2m Initiative

SMARTER CONNECTED SOCIETIES

Building Digital Key Solution for Automotive

A Role-Based Service Level NFC Ecosystem Model

IoT Accelerator. Laurent Mayaux. Ericsson Innovation Day Principal Consultant

Mobile IoT: The Ideal Fit for Smart Cities

SGS CYBER SECURITY GROWTH OPPORTUNITIES

The Future of Smart Cards: Bigger, Faster and More Secure

RCS OVERVIEW. Fábio Moraes GSMA October 2018 Future Networks Programme

Transcription:

GSMA Embedded SIM for Connected Cars C-ITS ronde tafel Security 10 mei 2016 Arjan Geluk UL Software & Security UL and the UL logo are trademarks of UL LLC 2016 1

Arjan Geluk - bio Principal Advisor, Software & Security With UL s security business since 2003 Participates in international standardization around identification and authentication (ISO/ ICAO) Authored the EU regulation for edriver s license Contributed to the security framework for the next generation European Digital Tachograph system Advises AAMVA on secure mobile driver s license Advises key players in public and private sectors on the security of in-vehicle software Serves on the ASRB Technical Steering Committee Develops UL s automotive security service portfolio 2

3

4

5

Use Cases for Embedded SIM Health Automotive Smart Cities Wearables Remote Glucose Monitoring Emergency Services Energy Management demand response Health and Fitness Assisted Living Bracelet Infotainment Municipal Management waste, water, lighting, safety etc. Personal Medical Connected Ambulance Remote Service Management Transport System Management Geofencing patient care Healthcare professional portable device Fleet Management Economic & Open Data projects Child & Pet Tracking just the beginning! 6

What is Embedded SIM (euicc)? Embedded SIM (euicc) is a chip soldered onto the device baseband that cannot be removed or easily accessed Performs most of the same functions as the traditional SIM card with the additional ability to be remotely reprogrammed OTA with a new SIM profile on demand 7

What is Embedded SIM (euicc) 2 A secure element with a remotely managed subscription Eliminates the need for traditional SIM swap euicc is a new business enabler for all players in the M2M/IoT ecosystem New market opportunities for traditional players - MNO s, MVNO s - Card vendors, chipset vendors, handset vendors, modem vendors New business opportunities for Service Providers Key GSMA specifications: Embedded SIM specification Remote SIM Provisioning (RSP) Technical specification 8

Smart & Connected Things Smart Electricity Grid Home Automation Smart Meter Smart factories Smarter logistics Smart appliances Smart lighting Supply chain optimization Building automation Patient Monitoring Source: Goldman Sachs 9

Some questions Connected cars connected street lights connected traffic lights How do these entities communicate with each another? How do they trust each other? Who facilitates connectivity? Who facilitates trust? How and where can we store credentials securely? When are standards ready enough to go live? Can we future proof and/or remain flexible? Can we leverage Embedded SIM to buy time? 10

euicc Architecture A GlobalPlatform View ISD-R ECASD ISD-P n AM SCP80 SM-SR Keyset SCP81 SM-SR Keyset POL1 SCP03 SM-DP Keyset ISD-P 1 Profile ISD-P n Profile MNO-SD AM SCP80 Keyset SCP81 Keyset (opt) MNO other Keysets (opt) Issuer Security Domain Root (ISD-R) is the representative of the off-card SM-SR euicc Controlling Authority Security Domain (ECASD) is the representative of the off-card CI Issuer Security Domain Profile (ISD-P) is the representative of the off-card SM-DP. At least one ISD-P with a profile must be installed & first personalized by the EUM at euicc manufacturing to allow initial connectivity to the euicc in the future An euicc can contain multiple ISD-Ps The Fall-back Attribute must be set for one ISD-P CASD File System NAA SSD Application Note: The traditional sense of the GP Issuer Security Domain (ISD) does not exist 11

Beyond SIM additional euicc applications Leverage remotely manageable esim in vehicles and infrastructure for other applications (future proofing) Authentication mutual authentication for remote management functions Secure software patching/ update/ upgrade (secure storage of trust anchors for code signing verification) Secure storage of credentials for V2X communication 12

THANK YOU. UL Software & Security Arjan Geluk +31 6 4476 8624 arjan.geluk@ul.com 13

Appendix euicc ecosystem, key roles, architecture & deployment 14

Key Roles Existing legacy SIM role is replaced by new euicc role New Subscription Manager (SM) roles Modem and handset vendors play more of a central role Service Providers SM-SR MVNOs* SM-DP MNOs* euicc Vendors M2M euicc Ecosystem M2M Platform Vendors Chipset Vendors *ETSI view MNOs as Service Distributors Modem Vendors Device Vendors Application Vendors Key: Existing Changed New 15

Elements Involved Embedded SIM (euicc) Functionally identical to a traditional SIM At manufacture a provisioning profile assigned with secret keys allowing the associated subscription manager to download & manage operational profiles on the euicc Technically an initial MNO profile in the euicc, as well as the selection of a new MNO later is possible but the implementation will depend on the commercial agreement between MNO & SP Subscription Manager Manages the euicc by; - Generating SIM profiles in real-time - Management and execution of MNO policy - Secure routing profiles to the euicc M(V)NO Uses subscription manager to manage profiles Maximum re-use of existing provisioning interfaces and processes Service Provider Signs up with initially chosen MNO or direct with EUM 16

General architecture: what is required to rollout euicc? Subscription Manager Data Preparation (SM-DP) Certificate Issuers (CI) Subscription Manager Secure Routing (SM-SR) MNO Service Provider euicc Manufacturer (EUM) euicc Legend: GSMA Interface SP Interface out of scope CI Interface out of scope 17

Overall system architecture: what is required to roll-out euicc? The SM-DP securely packages profiles to be provisioned on the euicc. The SM-DP manages the installation of these profiles onto the euicc. Subscription Manager Data Preparation (SM-DP) The MNO backend systems handle legacy OTA RAM and RFM functions and for euicc handles Profile ordering and Master Delete Certificate Issuers (CI) Subscription Manager Secure Routing (SM-SR) MNO Service Provider euicc Manufacturer (EUM) euicc The SM-SR ensures the secure transport of both euicc platform and euicc profile management commands in order to load, enable, disable and delete profiles on the euicc The CI issues and manages Public/Private Certificates for all entities in the euicc ecosystem The EUM is responsible for manufacturing euiccs and loading profiles and keys into the SM-SRs and SM-DPs The euicc is the SIM replacement embedded in the M2M device modem with the additional ability to load, enable, disable and delete profiles The SP systems are usually proprietary interfaces established with their preferred MNO to initiate profile management requests 18

Interoperability Interoperability GSMA specifications identify the following interfaces to guarantee interoperability Subscription Manager Data Preparation (SM-DP) ES2 ES3 ES7* Certificate Issuers (CI) ES1 Subscription Manager Secure Routing (SM-SR) ES4 MNO Service Provider euicc Manufacturer (EUM) ES5 euicc ES8 ES6 Legend: GSMA Interface SP Interface out of scope CI Interface out of scope * Note: The ES7 SM-SR - SM-SR interface is between different MNOs 19

Interoperability & Security The security applied on these interfaces is via: TLS 1.2 or X.509 Certificates and VPN for off-euicc activity, or Global Platform Secure Channel Protocol (SCP) for on-euicc activity Interoperability Security Subscription Manager Data Preparation (SM-DP) ES2 [TLS (X.509 + VPN)] ES3 [TLS (X.509 + VPN)] ES7* [TLS (X.509 + VPN)] Certificate Issuers (CI) euicc Manufacturer (EUM) Subscription Manager Secure ES1 Routing (SM-SR) [TLS (X.509 + VPN)] ES5 (SCP80 or SCP81) euicc MNO ES4 [TLS (X.509 + VPN)] ES8 (SCP03) ES6 (SCP80 or SCP81) Legend: Service Provider GSMA Interface SP Interface out of scope CI Interface out of scope * Note: The ES7 SM-SR - SM-SR interface is between different MNOs 20

GSMA Embedded SIM Profile & SIM Subscription NAA File Structure Other Applications Security Credentials Today s SIM cards contain different types of data, collectively called a SIM Profile Network Access Application (NAA) Is everything required to allow the SIM to register onto the MNOs network. This includes home network, tower frequencies, location data, authentication algorithms keys & IMSI. All of this is referred to as a SIM Subscription Just like a PC the SIM has a file structure, with each file having a specific purpose. The SIM typically contains a number of other applications, each providing some kind of value-added service e.g. Call Control or mcommerce etc. The SIM may have a wide range of secret keys, algorithms, certificates and other cryptographic data Provisioning Profile is the initial profile that manage Operational Profiles Operational Profile is used as the initial Provisioning Profile 21

euicc Architecture A GlobalPlatform View ISD-R ECASD ISD-P n AM SCP80 SM-SR Keyset SCP81 SM-SR Keyset POL1 SCP03 SM-DP Keyset ISD-P 1 Profile ISD-P n Profile MNO-SD AM SCP80 Keyset SCP81 Keyset (opt) MNO other Keysets (opt) Issuer Security Domain Root (ISD-R) is the representative of the off-card SM-SR euicc Controlling Authority Security Domain (ECASD) is the representative of the off-card CI Issuer Security Domain Profile (ISD-P) is the representative of the off-card SM-DP. At least one ISD-P with a profile must be installed & first personalized by the EUM at euicc manufacturing to allow initial connectivity to the euicc in the future An euicc can contain multiple ISD-Ps The Fall-back Attribute must be set for one ISD-P CASD File System NAA SSD Application Note: The traditional sense of the GP Issuer Security Domain (ISD) does not exist 22

SM to euicc Architecture SCP80 SCP81 Subscription Manager Secure Routing (SM-SR) Subscription Manager Data Preparation (SM-DP) SCP03 Keyset MNO SCP80 Keyset SCP81 Keyset MNO other Keysets ES5 ISD-R ECASD ISD-P n AM SCP80 SM-SR Keyset SCP81 SM-SR Keyset ES8 POL1 ES6 SCP03 SM-DP Keyset ISD-P 1 Profile ISD-P n Profile SCP03 SM-DP Keyset MNO-SD AM SCP80 Keyset SCP81 Keyset (opt) MNO other Keysets (opt) File System CASD NAA SSD Application 23

SM Deployment Architecture Options 1. M(V)NO Owns SM-DP & SM-SR 2. M(V)NO Owns SM-DP SM-DP ES2 SM-DP ES2 ES3 ES7* ES3 ES7* CI ES1 SM-SR ES4 MNO SP CI ES1 SM-SR ES4 MNO SP ES5 ES8 ES5 ES8 EUM euicc ES6 EUM euicc ES6 3. M(V)NO Owns no SMs 4. Third Party SM-SR and/or SM-DP SM-DP ES2 SM-DP ES2 ES3 ES7* ES3 ES7* CI ES1 SM-SR ES4 MNO SP CI ES1 SM-SR ES4 MNO SP ES5 ES8 ES5 ES8 EUM euicc ES6 EUM euicc ES6 What is the business use case and ROI per option? 24

UL support 25

UL advisory services to support your implementation project UL can support, building on a strong and relevant knowledge base Remote management of secure applications via TSM & SM Mobile authentication mechanisms, MNO-centric (SIM-based applets, and network authentication) as well as non-mno-centric mpki 26

References Extensive experience in projects where Mobile Authentication is central Many mobile payments projects (KPN, Softcard, Vodafone, Valyou, Swisscom, ING, etc) TRA smart Government, providing consultancy for and managing the implementation of the National TSM Banco Itaú advisor for mobile wallet implementation, where Mobile authentication is a crucial element Hands-on experience with Mobile authentication in the MNO domain, e.g. KPN ecommerce and SCP81 RAM over HTTP VALYOU SCP81 RAM over HTTP Softcard (AT&T, T-Mobile & Verizon) 4G IMS Authentication Softcard SCP80 push SMS Softcard SCP81 RAM over HTTP Orange Switzerland 3G Milenage Authentication Telia Sonera SMS Secured Data for RAM & RFM OTA services 27

THANK YOU. UL Software & Security Arjan Geluk +31 6 4476 8624 arjan.geluk@ul.com 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback