diff options
author | Harald Welte <laforge@osmocom.org> | 2019-12-27 15:25:41 +0100 |
---|---|---|
committer | Harald Welte <laforge@osmocom.org> | 2019-12-27 15:25:41 +0100 |
commit | bd4b6a16a75405d5c74609790f2205d319b9242c (patch) | |
tree | ceeef312edfbb14766d09e833dfc7def50d0d343 | |
parent | 0b42584c6d27149af06552d3b3717bf7542d5524 (diff) |
WIP: SIM card talk 36C3
-rw-r--r-- | 2019/ccc2019-sim_technology_a_z/36c3-sim_card_technology_from_A_to_Z.tex | 459 | ||||
-rw-r--r-- | 2019/ccc2019-sim_technology_a_z/sim_card_specs.png | bin | 0 -> 1030297 bytes |
2 files changed, 459 insertions, 0 deletions
diff --git a/2019/ccc2019-sim_technology_a_z/36c3-sim_card_technology_from_A_to_Z.tex b/2019/ccc2019-sim_technology_a_z/36c3-sim_card_technology_from_A_to_Z.tex new file mode 100644 index 0000000..682e6f6 --- /dev/null +++ b/2019/ccc2019-sim_technology_a_z/36c3-sim_card_technology_from_A_to_Z.tex @@ -0,0 +1,459 @@ +\documentclass[aspectratio=169,11pt]{beamer} +\usetheme{default} +%\setbeamertemplate{frametitle}{} +\newenvironment{myline} + %{\usebeamerfont{frametitle}\usebeamercolor[fg]{frametitle}\vfill\centering} + {\usebeamerfont{frametitle}\vfill\centering} + {\par\vfill} + +\usetheme{Warsaw} +\usecolortheme{whale} + +\title{SIM card technology from A to Z} +%\subtitle{Subtitle} +\author{Harald~Welte} +\date[Dec 2019, 36C3]{Chaos Communication Congress 2019} +\institute{osmocom.org} + + +\begin{document} + +\begin{frame} +\titlepage +\end{frame} + + +\begin{frame}{Outline} + \tableofcontents[hideallsubsections] +\end{frame} + + +\begin{frame}{About the speaker} +\begin{itemize} + \item Free Software + OSHW developer for more than 20 years + \item Used to work on the Linux kernel from 1999-2009 + \item working with contact chip cards since ~1999, contactless since ~2006 + \item developing FOSS in cellular communications (Osmocom) since ~2008 + \begin{itemize} + \item developed various SIM card related tools in software an hardware + \end{itemize} + \item Living and working in Berlin, Germany. +\end{itemize} +\end{frame} + +\begin{frame}{Relation of SIM card specifications} +\includegraphics[width=150mm]{sim_card_specs.png} +\end{frame} + +% from APDU to Z... ? + +\begin{frame}{The SIM: Subscriber Identity Module} +\begin{itemize} + \item probably anyone in the audience has at least one, likely more + \item ubiquitous; every device withe cellular connectivity has at least one + \item not many people outside the telecom industry ever look at them in much detail + \item SIM card hacking (in the security sense) has a tradition at CCC since at least 1998 + \begin{itemize} + \item Vodafone Germany SIM card cloning: https://ftp.ccc.de/software/gsm/gsm\_hack.tar.gz + \item SIM card simulator in Turbo C (1998): https://ftp.ccc.de/software/gsm/SIM\_sim.zip + \end{itemize} + \item meanwhile: SIM technology stack is getting more complex and deep + \item let's recap what SIM cards actually are, and what they do +\end{itemize} +\end{frame} + + +\begin{frame}{Classic SIM in early GSM} +\begin{itemize} + \item Idea of storing subscriber identity predates GSM (e.g. C-Netz since 1988) + % c-netz-karte.jpg + \item GSM from the very beginning introduces concept of SIM card + \item store subscriber identity outside of the phone + \item store some network related parameters + \begin{itemize} + \item static (like access control class) + \item dynamic (like TMSI, Kc, ...) + \end{itemize} + \item full credit card size so it can be used in radios installed in (rented, shared company) cars. +\end{itemize} +\end{frame} + + +\begin{frame}{ISO 7816} +\begin{itemize} + \item the {\em mother of all smart card} spec + \item "Integrated circuit(s) cards with contacts" + \item 15 parts, most relevant are below: + \begin{itemize} + \item Part 1: Physical characteristics + \item Part 2: Dimensions and location of the contacts + \item Part 3: Electronic signals and transmission protocols + \item Part 4: Interindustry commands for interchange + \begin{itemize} + \item Why not international inter-industry commands for interworking information interchange? Anyone? + \end{itemize} + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{GSM TS 11.11} +\begin{itemize} + \item {\em Specification of the Subscriber Identity Module - Mobile Equipment (SIM-ME) Interface} + \item repeats (and some times amends) large portions of 7816-1/2/3/4 + \begin{itemize} + \item Section 4: physical characteristics + \item Section 5: electronic signals, transmission protocol + \end{itemize} + \item but also specifies what makes the SIM a SIM: Information model, file system, commands + \item lats, but not least how to execute authentication: RUN GSM ALGORITHM +\end{itemize} +\end{frame} + +\begin{frame}{Physical Smart Card Interface} +\begin{itemize} + \item Relevant pins: + \begin{itemize} + \item VCC: Provides supply voltage (5V, 3V or 1.8V) + \item CLK: Provides a clock signal () + \item RST: To reset the card + \item IO: bidirectional serial communications + \end{itemize} + \item Activation sequence triggers card to send ATR (Answer To Reset) +\end{itemize} +\end{frame} + +\begin{frame}{Bit transmission level} +\begin{itemize} + \item despite the clock, communication is asynchronous! + \item baud rate derived from divided clock + \item no defined phase relationship between clock and data + \item serial data is just like UART/RS232, ... but: + \begin{itemize} + \item one line for both Rx and Tx + \item direction changes once after every byte (ACK in T=0) + \item direction changes every few bytes (TPDU state machine) + \item timings are actually not very well specified + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Smart Card Communication} +\begin{itemize} + \item based on APDU (Application Protocol Data Unit) as per ISO 7816-4 + \begin{itemize} + \item CLA (class byte) + \item INS (instruction byte) + \item P1, P2 (parameter bytes) + \item Lc (command length) + \item Command data + \item Le (expected response length) + \item Response data + \item SW (status word) + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Smart Card Transmission Protocol} +\begin{itemize} + \item different protocols transceive APDUs from/to cards + \item T=0 most commonly used with SIM cards + \item T=1 also possible but rarely used in SIM + \begin{itemize} + \item specs require phones to implement both T=0 and T=1 + \item SIM card can be either T=0 or T=1 + \item T=1 more used in banking / crypto smart card world + \end{itemize} + \item APDU gets mapped to protocol-specific TPDU (Transmission Protocol Data Unit) + \begin{itemize} + \item: Example Command TPDU: A0 A4 00 00 02 3F 00 + \item: Example Response TPDU: 90 00 (just status word) + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Card Filesystem} +\begin{itemize} + \item most smart cards contain file system abstraction + \item cannot be mounted (not exposed like a block device / USB drive!) + \item access based on file-level commands (analogy: more like MTP/PTP) + \item some similarities to general-purpose (computer) OS file systems: + \begin{itemize} + \item MF: Master File (root directory) + \item DF: Dedicated File (subdirectory) + \item EF: Elementary File (data file) + \end{itemize} + \item However, much more comprehensive than computer OS file systems, e.g. + \begin{itemize} + \item {\em transparent EF}: opaque stream of data, like PC + \item {\em linear fixed EF}: fixed-size records, seekable + \item {\em cyclic fixed EF}: ring buffer of records, seekable + \item {\em incrementable}: for monotonically incrementing counters + \end{itemize} + \item Each file has Access Control Conditions (ACC) + \begin{itemize} + \item read/write/update only after PIN1/PIN2/ADM-PIN + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Key SIM Card Commands} +\begin{itemize} + \item SELECT (file) + \item READ RECORD / UPDATE RECORD + \begin{itemize} + \item for record-oriented EF + \end{itemize} + \item READ BINARY / UPDATE BINARY + \begin{itemize} + \item for transparent EF + \end{itemize} + \item CHANGE CHV / DISABLE CHV / ENABLE CHV + \begin{itemize} + \item CHV: Card Holder Verification (PIN) + \end{itemize} + \item RUN GSM ALGORITHM + \begin{itemize} + \item ask SIM to execute authentication algorithm in card + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{SIM card filesystem hierarchy} +\begin{itemize} + \item MF (3F00) + \begin{itemize} + \item DF\_TELECOM (7F10) + \begin{itemize} + \item EF\_SMS + \item EF\_MSISDN + \item ... + \end{itemize} + \item DF\_GSM (7F20) + \begin{itemize} + \item EF\_IMSI + \item EF\_Kc + \item ... + \end{itemize} + \item EF\_ICCID + \item ... + \end{itemize} +\end{itemize} +\end{frame} + + + +\begin{frame}{3G: ETSI UICC and the 3GPP USIM} +\begin{itemize} + \item The GSM SIM was fully specified by ETSI in TS 11.11 + \item As GSM specs moved from ETSI to 3GPP, card specs were split: + \begin{itemize} + \item ETSI UICC (Universal Intergrated Circuit Card) + \begin{itemize} + \item like a {\em base class} abstacting out those parts that are not cellular + related, or at very least not 3GPP network related + \end{itemize} + \item 3GPP USIM Applicaiton on top of UICC + \begin{itemize} + \item specifies those parts specifically relevant to 3GPP networks + \item implemented in ADF\_USIM (Application Dedicated File) + \item ADF can be entered via SELECT, similar to classic DF + \end{itemize} + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{4G: The ISIM} +\begin{itemize} + \item 3G/LTE reuses the existing 3G Authentication (UMTS AKA) + \item 4G/LTE simply resuses existing USIM + \item some new optional files were introduced in ADF\_USIM + \item IMS (IP Multimedia System used for not only VoLTE) specifies ISIM application + \begin{itemize} + \item stores additional IMS related parameters like SIP server / user identity + \item presence of ISIM not required for IMS to work + \item if present, ISIM application present next to USIM (and possibly SIM) + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{SIM cards in 5G} +\begin{itemize} + \item 5G reuses existing 3G/4G USIM + \item some new optional files were introduced in ADF\_USIM + \item SUCI (Subscriber Concealed Identifier) can optionally be computed by SIM + \begin{itemize} + \item this is the only feature requiring different card / apps on card + \end{itemize} +\end{itemize} +\end{frame} + + +\begin{frame}{SIM card hardware} +\begin{itemize} + \item processor core + \begin{itemize} + \item many different vendors and architectures, from 8-bit 8051 to 32bit ARM + \item today quite often ARM SCxxx "Secure Core" family + \item documentation on hardware, often even simple one-page data sheets not public + \end{itemize} + \item built-in RAM + \item built-in ROM (at leat boot loader, possibly also OS) + \item built-in flash (file system storage, possibly also OS, applications) + \item contrary to expensive crypto smart cards, SIM card chip mostly selected purely by low cost + \begin{itemize} + \item blame pre-paid cards for that + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{SIM card software} +\begin{itemize} + \item Every Smart Card has a Card Operating System (COS) + \item Cards without COS are simple memory cards (like I2C eeprom), insufficinet for SIM + \item Card OS for Crypto Smart Cards (banking, access control) often publicly known + \item SIM Card OS are rarely known / publicly documented or even named + \item Example: ARM not only offers SIM card CPU core designs, but also OS (Kigen OS) + \item SIM Card OS is {\em implementtaion detail}, almost everything relevant is standardized + across OS vendors +\end{itemize} +\end{frame} + +\begin{frame}{SIM card software modularity} +\begin{itemize} + \item Early SIM cards were (likely) monolithic, + \begin{itemize} + \item no separation between OS and SIM application + \end{itemize} + \item Today, SIM cards software is modular + \begin{itemize} + \item Core OS + \item Applications (SIM, USIM, ISIM, ...) + \end{itemize} + \item traditionally, OS very chip/hardware dependent, non-portable + \item traditionally, applications very OS dependent, non-portable +\end{itemize} +\end{frame} + + +\begin{frame}{Java Cards} +\begin{itemize} + \item independent of SIM cards, Java Smart Cards have been developed + \item based on Java Card Platform specifications by Sun (now Oracle) + \item first cards in 1996 by Schlumberger (now Gemalto) + \item independent of SIM cards, Java Smart Cards have been developed in 1996 by Schlumberger + \item most cards implement GlobalPlatform specifications for vendor-independent management + \begin{itemize} + \item super constrained, weird subset of Java + \item special on-card VM (not normal JVM) + \item special CAP format (not normal JAR) + \item Idea: Portability of Cardlets (card applications) + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Java SIM Cards} +\begin{itemize} + \item There is no functional requirement for a SIM/USIM/ISIM to be a java card + \item In reality, most SIM cards probably are Java Cards these days + \item Portability is the main driver here + \item Operators want to share same applications over multiple vendors/generations of cards + \item 3GPP and ETSI specify Java APIs / packages available specifically on Java SIM cards +\end{itemize} +\end{frame} + +\begin{frame}{SIM Toolkit (STK) / Card Application Toolkit (CAT)} +\begin{itemize} + \item Ability by card to offer applications with UI/menu on the phone + \item New APDUs/Instructions + \begin{itemize} + \item TERMINAL PROFILE + \item ENVELOPE + \item FETCH + \item TERMINAL RESPONSE + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Proactive SIM} +\begin{itemize} + \item SIM cards are "slave" in the 7816 interface + \item All actions are triggered by the phone, card can only respond + \item Proactive SIM works around this restriction + \item Piggy-backs proactive commands to card responses + \item Phone can be requested to poll the SIM if it has some proactive commands pending + \item Phone can be requested to provide event notifications +\end{itemize} +\end{frame} + +\begin{frame}{OTA (Over-The-Air)} +\begin{itemize} + \item Ability for operator to transparently communicate with SIM card in the field + \item Based on Proactive SIM + \item Can use different transport channels, such as + \begin{itemize} + \item SMS-PP (normal SMS as you know it) + \item SMS-CB (bulk update of cards via cell broadcast) + \item USSD + \item BIP (via CSD, GPRS) + \item now also HTTPS + \end{itemize} + \item Cryptographic security mechanisms specified, but detailed use up to operator + \begin{itemize} + \item Message Authentication (optional) + \item Message Encryption (optional) + \item Replay Protection (optional) + \end{itemize} +\end{itemize} +\end{frame} + +\begin{frame}{Remote File Management (RFM)} +\begin{itemize} + \item Common use case of OTA + \item Allows remote read / update of files in file system + \item Example: Change of preferred/forbidden roaming operator list + \item Example (ancient): Backup of phonebook at operator +\end{itemize} +\end{frame} + +\begin{frame}{Remote Application Management (RAM)} +\begin{itemize} + \item Common use case of OTA + \item Allows remote installation / removal of applications on card + \item Example: New multi-IMSI application (MVNOs) + \item Example: New STK applications +\end{itemize} +\end{frame} + +\begin{frame}{S@T} +\begin{itemize} + \item a strange beast specified outside of ETSI/3GPP + \item allows SIM toolkit applications without writing Java or native applications + \item special byte code format interpreted by S@T browser + \item to me, one of those WTF? techologies +\end{itemize} +\end{frame} + + +\begin{frame}{The CCC event SIM cards} +\begin{itemize} + \item are Java SIM + USIM cards + \item support OTA, RAM, RFM + \item you can get the ADM PIN and OTA keys from the event GSM team + \item a "hello world" Java applet and tools for installation are provided (thanks to shadytel + Dieter Spaar) + \item identities and key data can be modified using Osmocom pySim software +\end{itemize} +\end{frame} + +\begin{frame}{Further Reading} +\begin{itemize} + \item FIXME +\end{itemize} +\end{frame} + +\begin{frame}{Thanks} +Thanks for your attention. + + You have a General Public License to ask questions now :) +\end{frame} + +\end{document} diff --git a/2019/ccc2019-sim_technology_a_z/sim_card_specs.png b/2019/ccc2019-sim_technology_a_z/sim_card_specs.png Binary files differnew file mode 100644 index 0000000..2cae223 --- /dev/null +++ b/2019/ccc2019-sim_technology_a_z/sim_card_specs.png |