Diffstat (limited to '2019')
-rw-r--r--2019/ccc2019-sim_technology_a_z/32c3-sim-back.jpgbin0 -> 71947 bytes
-rw-r--r--2019/ccc2019-sim_technology_a_z/32c3-sim-front.jpgbin0 -> 49726 bytes
-rw-r--r--2019/ccc2019-sim_technology_a_z/36c3-sim_card_technology_from_A_to_Z.tex121
-rw-r--r--2019/ccc2019-sim_technology_a_z/7816_activation.pngbin0 -> 27927 bytes
-rw-r--r--2019/ccc2019-sim_technology_a_z/7816_frame.pngbin0 -> 11181 bytes
-rw-r--r--2019/ccc2019-sim_technology_a_z/c-netz-karte.jpgbin0 -> 34351 bytes
-rw-r--r--2019/ccc2019-sim_technology_a_z/sim_fs.pngbin0 -> 33789 bytes
7 files changed, 109 insertions, 12 deletions
diff --git a/2019/ccc2019-sim_technology_a_z/32c3-sim-back.jpg b/2019/ccc2019-sim_technology_a_z/32c3-sim-back.jpg
new file mode 100644
index 0000000..89b2644
--- /dev/null
+++ b/2019/ccc2019-sim_technology_a_z/32c3-sim-back.jpg
Binary files differ
diff --git a/2019/ccc2019-sim_technology_a_z/32c3-sim-front.jpg b/2019/ccc2019-sim_technology_a_z/32c3-sim-front.jpg
new file mode 100644
index 0000000..e8027d9
--- /dev/null
+++ b/2019/ccc2019-sim_technology_a_z/32c3-sim-front.jpg
Binary files differ
diff --git a/2019/ccc2019-sim_technology_a_z/36c3-sim_card_technology_from_A_to_Z.tex b/2019/ccc2019-sim_technology_a_z/36c3-sim_card_technology_from_A_to_Z.tex
index 682e6f6..4a926b0 100644
--- a/2019/ccc2019-sim_technology_a_z/36c3-sim_card_technology_from_A_to_Z.tex
+++ b/2019/ccc2019-sim_technology_a_z/36c3-sim_card_technology_from_A_to_Z.tex
@@ -9,7 +9,7 @@
\usetheme{Warsaw}
\usecolortheme{whale}
-\title{SIM card technology from A to Z}
+\title{SIM card technology from A(PDU) to X(RES)}
%\subtitle{Subtitle}
\author{Harald~Welte}
\date[Dec 2019, 36C3]{Chaos Communication Congress 2019}
@@ -24,7 +24,12 @@
\begin{frame}{Outline}
- \tableofcontents[hideallsubsections]
+ \item Relevant Specs + Spec Bodies
+ \item Card Interfaces, Protocols
+ \item Card File System
+ \item SIM Evolution from 2G to 5G
+ \item SIM Toolkit
+ \item OTA (Over The Air)
\end{frame}
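Review bot: The rewritten Outline frame consists of six bare `\item` lines with no enclosing list environment, and beamer does not wrap them for you, so as far as this rendering shows the deck now fails with `Lonely \item--perhaps a missing list environment`. Wrap them: `\begin{itemize}` before the first `\item` and `\end{itemize}` after the last. Alternatively keep `\tableofcontents[hideallsubsections]` and fix the `\section` structure instead, since a hand-written outline will silently drift from the real headings as frames are added.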
@@ -45,6 +50,19 @@
\includegraphics[width=150mm]{sim_card_specs.png}
\end{frame}
+\begin{frame}{Relevant specification bodies/sources}
+\begin{itemize}
+ \item ISO (Integrated Circuit[s] Card)
+ \item ITU (Telecom Charge Cards)
+ \item ETSI (where GSM was originally specified)
+ \item 3GPP (where 3G to 5G was specified)
+ \item GlobalPlatform Card Specification
+ \item Sun/Oracle JavaCard API, Runtime, VM
+ \item GSMA
+\end{itemize}
+\end{frame}
+
+
% from APDU to Z... ?
\begin{frame}{The SIM: Subscriber Identity Module}
@@ -64,9 +82,12 @@
\begin{frame}{Classic SIM in early GSM}
+ \begin{figure}
+ \centering
+ \includegraphics[width=80mm]{c-netz-karte.jpg}
+ \end{figure}
\begin{itemize}
\item Idea of storing subscriber identity predates GSM (e.g. C-Netz since 1988)
- % c-netz-karte.jpg
\item GSM from the very beginning introduces concept of SIM card
\item store subscriber identity outside of the phone
\item store some network related parameters
@@ -79,7 +100,7 @@
\end{frame}
-\begin{frame}{ISO 7816}
+\begin{frame}{DIN EN ISO/IEC 7816}
\begin{itemize}
\item the {\em mother of all smart card} spec
\item "Integrated circuit(s) cards with contacts"
@@ -114,12 +135,16 @@
\item Relevant pins:
\begin{itemize}
\item VCC: Provides supply voltage (5V, 3V or 1.8V)
- \item CLK: Provides a clock signal ()
+ \item CLK: Provides a clock signal (1 .. 5 MHz default)
\item RST: To reset the card
\item IO: bidirectional serial communications
\end{itemize}
\item Activation sequence triggers card to send ATR (Answer To Reset)
\end{itemize}
+\begin{figure}
+\centering
+\includegraphics[width=100mm]{7816_activation.png}
+\end{figure}
\end{frame}
\begin{frame}{Bit transmission level}
@@ -135,6 +160,10 @@
\item timings are actually not very well specified
\end{itemize}
\end{itemize}
+\begin{figure}
+\centering
+\includegraphics[width=100mm]{7816_frame.png}
+\end{figure}
\end{frame}
\begin{frame}{Smart Card Communication}
@@ -219,6 +248,7 @@
\end{frame}
\begin{frame}{SIM card filesystem hierarchy}
+\parbox{.4\textwidth}{
\begin{itemize}
\item MF (3F00)
\begin{itemize}
@@ -238,10 +268,12 @@
\item ...
\end{itemize}
\end{itemize}
+}\hfill\parbox{.6\textwidth}{
+ \includegraphics[width=80mm]{sim_fs.png}
+}
\end{frame}
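Review bot: `\includegraphics[width=80mm]{sim_fs.png}` sits inside a `\parbox{.6\textwidth}`, and on beamer's 128mm paper with default margins 0.6\textwidth is noticeably less than 80mm, so the image overflows its box and probably the frame edge. Size it relative to the box instead: `\includegraphics[width=\linewidth]{sim_fs.png}`. The matching `\parbox{.4\textwidth}{` that opens this two-column layout is in the previous hunk, so the structure spans both hunks; with the widths summing to `\textwidth` the `\hfill` between them has nothing to fill and can be dropped.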
-
\begin{frame}{3G: ETSI UICC and the 3GPP USIM}
\begin{itemize}
\item The GSM SIM was fully specified by ETSI in TS 11.11
@@ -393,9 +425,9 @@
\begin{itemize}
\item SMS-PP (normal SMS as you know it)
\item SMS-CB (bulk update of cards via cell broadcast)
- \item USSD
- \item BIP (via CSD, GPRS)
- \item now also HTTPS
+ \item USSD (Release 7)
+ \item BIP (via CSD, GPRS): ETSI TS 102 223 / TS 102 127
+ \item now also HTTPS (Release 9)
\end{itemize}
\item Cryptographic security mechanisms specified, but detailed use up to operator
\begin{itemize}
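Review bot: The BIP item now cites two specs without saying which does what; as far as I recall ETSI TS 102 223 is the Card Application Toolkit spec that defines BIP itself and TS 102 127 is CAT\_TP, the transport protocol carried over it, so something like `\item BIP (ETSI TS 102 223) / CAT\_TP (ETSI TS 102 127), via CSD, GPRS` reads better — and the underscore must be escaped in LaTeX text. The unchanged bullet right after says the cryptographic mechanisms are specified but their use is left to the operator; the caveat a practitioner wants there is that a card provisioned to accept secured packets with no signature or encryption is precisely the failure mode the Simjacker paper linked in Further Reading describes, so the operator's choice is a security decision, not a detail. The enclosing itemize continues outside this hunk.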
@@ -408,6 +440,7 @@
\begin{frame}{Remote File Management (RFM)}
\begin{itemize}
+ \item Introduced in Relase 6
\item Common use case of OTA
\item Allows remote read / update of files in file system
\item Example: Change of preferred/forbidden roaming operator list
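Review bot: `Relase` in the added `\item Introduced in Relase 6` is a typo for `Release`; the identical line was added to the RAM frame in the next hunk, so fix both. "Release 6" is also ambiguous between ETSI and 3GPP numbering — presumably this means ETSI TS 102 226, which the OTA-over-HTTPS frame cites later, but name the spec so the audience can look it up, e.g. `\item Introduced in ETSI TS 102 226 Release 6`. The enclosing itemize continues outside this hunk.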
@@ -417,6 +450,7 @@
\begin{frame}{Remote Application Management (RAM)}
\begin{itemize}
+ \item Introduced in Relase 6
\item Common use case of OTA
\item Allows remote installation / removal of applications on card
\item Example: New multi-IMSI application (MVNOs)
@@ -424,6 +458,40 @@
\end{itemize}
\end{frame}
+\begin{frame}{OTA over HTTPs}
+\begin{itemize}
+ \item 4G and beyond don't natively support SMS-PP, USSD, ...
+ \item In Release 9, OTA over HTTPs is first introduced
+ \item References to GlobalPlatform 2.2 Amd B + ETSI TS 102 226
+ \item Uses HTTP as per RFC 2616
+ \item Uses PSK-TLS as per RFC4279, RFC4785, RFC5487
+ \begin{itemize}
+ \item TLS 1.0 / 1.1: TLS\_PSK\_WITH\_3DES\_EDE\_CBC\_SHA
+ \item TLS 1.0 / 1.1: TLS\_PSK\_WITH\_AES\_128\_CBC\_SHA
+ \item TLS 1.0 / 1.1: TLS\_PSK\_WITH\_NULL\_SHA (RFC4785)
+ \item TLS 1.2: TLS\_PSK\_WITH\_AES\_128\_CBC\_SHA256 (RFC5487)
+ \item TLS 1.2: TLS\_PSK\_WITH\_NULL\_SHA256 (RFC5487)
+ \end{itemize}
+ \item IP and TCP socket terminated in phone, only TCP payload handled by card
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OTA over HTTPs}
+\begin{itemize}
+ \item Card acts as HTTP client performing HTTP POST
+ \item TLS payload is remote APDU format of ETSI TS 102 226
+ \item additional HTTP headers
+ \begin{itemize}
+ \item X-Admin-Targeted-Application
+ \item X-Admin-Next-URI
+ \item X-Admin-Protocol: globalplatform-remote-admin/1.0 CRLF
+ \item X-Admin-From
+ \item X-Admin-Script-Status
+ \item X-Admin-Resume
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
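Review bot: The cipher-suite list presents `TLS\_PSK\_WITH\_NULL\_SHA` and `TLS\_PSK\_WITH\_NULL\_SHA256` next to the AES suites without saying that NULL suites give authentication and integrity only — the remote APDUs, including any key material in RFM/RAM scripts, travel in the clear — and that 3DES-CBC and TLS 1.0/1.1 are deprecated; an operator audience will read the list as a menu of equally acceptable options. Add a caveat sub-item such as `\item NULL suites: integrity only, no confidentiality; 3DES and TLS 1.0/1.1 deprecated -- use AES-128 on TLS 1.2`. `RFC 2616` has been obsoleted by the RFC 7230 series, worth a parenthetical. The trailing `CRLF` in `X-Admin-Protocol: globalplatform-remote-admin/1.0 CRLF` reads as part of the header value; if it is just the line terminator from the spec's grammar, drop it or typeset it distinctly.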
\begin{frame}{S@T}
\begin{itemize}
\item a strange beast specified outside of ETSI/3GPP
@@ -433,20 +501,49 @@
\end{itemize}
\end{frame}
+\begin{frame}{GSMA eSIM}
+\begin{itemize}
+ \item system for remote provisioning of {\em profiles} to SIM
+ \item allows change of operator / identity without replacement of physical card
+ \item main use case is non-removable / soldered SIM chip (MFF2)
+ \item also available from some operators in classic smart card size
+ \item main relevant spec is GSMA SGP.22
+ \item based around PKI between operators, all parties approved by GSMA
+\end{itemize}
+\end{frame}
+
+
\begin{frame}{The CCC event SIM cards}
+\begin{figure}
+ \centering
+ \includegraphics[width=50mm]{32c3-sim-front.jpg}
+ \includegraphics[width=50mm]{32c3-sim-back.jpg}
+\end{figure}
\begin{itemize}
\item are Java SIM + USIM cards
- \item support OTA, RAM, RFM
+ \item support OTA, RAM, RFM (via SMS-PP and maybe BIP, not HTTPS)
\item you can get the ADM PIN and OTA keys from the event GSM team
\item a "hello world" Java applet and tools for installation are provided (thanks to shadytel + Dieter Spaar)
\item identities and key data can be modified using Osmocom pySim software
\end{itemize}
\end{frame}
-\begin{frame}{Further Reading}
+%\begin{frame}{The evoluation of form factors}
+ %\includegraphics{sim_card_formats.png}
+%\end{frame}
+
+\begin{frame}{Further Reading (hyperlinked)}
\begin{itemize}
- \item FIXME
+ \item \href{https://simalliance.org/wp-content/uploads/2017/01/MobileConnectSteppingStones_FINAL_.pdf}{SIM alliance stepping stones}
+ \item \href{https://osmocom.org/projects/simtrace2/wiki}{SIMtrace2 wiki}
+ \item \href{https://simjacker.com/downloads/technicalpapers/AdaptiveMobile_Security_Simjacker_Technical_Paper_v1.01.pdf}{Simjacker vulnerability}
+ \item \href{https://opensource.srlabs.de/projects/simtester/wiki}{SRLabs SIMtester}
+ \item for historians
+ \begin{itemize}
+ \item \href{http://ftp.ccc.de/software/gsm/SIM_sim.zip}{CCC SIM simulator in Turbo C}
+ \item \href{http://ftp.ccc.de/software/gsm/gsm_hack.tar.gz}{CCC sim clone / D2 Pirat}
+ \end{itemize}
\end{itemize}
\end{frame}
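Review bot: The new Further Reading frame links four secondary pages but none of the primary specs the deck itself cites by number — ETSI TS 102 223 / 102 226, GlobalPlatform 2.2 Amd B, GSMA SGP.22 — which are what an engineer following up will actually need; add `\href` entries for them (ETSI and GSMA publish theirs freely, GlobalPlatform's may need registration — check). The two `ftp.ccc.de` entries are plain `http://` links to very old archives, so verify they still resolve before the talk. Minor: the commented-out frame title has `evoluation` for `evolution`. On the eSIM frame, `based around PKI between operators, all parties approved by GSMA` would be clearer if it named the GSMA certificate issuer as the trust root that SGP.22 parties chain to — presumably what is meant, but confirm.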
diff --git a/2019/ccc2019-sim_technology_a_z/7816_activation.png b/2019/ccc2019-sim_technology_a_z/7816_activation.png
new file mode 100644
index 0000000..35e7f0d
--- /dev/null
+++ b/2019/ccc2019-sim_technology_a_z/7816_activation.png
Binary files differ
diff --git a/2019/ccc2019-sim_technology_a_z/7816_frame.png b/2019/ccc2019-sim_technology_a_z/7816_frame.png
new file mode 100644
index 0000000..d09ef28
--- /dev/null
+++ b/2019/ccc2019-sim_technology_a_z/7816_frame.png
Binary files differ
diff --git a/2019/ccc2019-sim_technology_a_z/c-netz-karte.jpg b/2019/ccc2019-sim_technology_a_z/c-netz-karte.jpg
new file mode 100644
index 0000000..4a62d7b
--- /dev/null
+++ b/2019/ccc2019-sim_technology_a_z/c-netz-karte.jpg
Binary files differ
diff --git a/2019/ccc2019-sim_technology_a_z/sim_fs.png b/2019/ccc2019-sim_technology_a_z/sim_fs.png
new file mode 100644
index 0000000..d2f4340
--- /dev/null
+++ b/2019/ccc2019-sim_technology_a_z/sim_fs.png
Binary files differ