From 695b407b83925828f46509ad475433a2affb99c7 Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Fri, 27 Dec 2019 22:58:23 +0100
Subject: 36c3 sim update

---
 2019/ccc2019-sim_technology_a_z/32c3-sim-back.jpg | Bin 0 -> 71947 bytes
 2019/ccc2019-sim_technology_a_z/32c3-sim-front.jpg | Bin 0 -> 49726 bytes
 .../36c3-sim_card_technology_from_A_to_Z.tex | 121 +++++++++++++++++++--
 .../ccc2019-sim_technology_a_z/7816_activation.png | Bin 0 -> 27927 bytes
 2019/ccc2019-sim_technology_a_z/7816_frame.png | Bin 0 -> 11181 bytes
 2019/ccc2019-sim_technology_a_z/c-netz-karte.jpg | Bin 0 -> 34351 bytes
 2019/ccc2019-sim_technology_a_z/sim_fs.png | Bin 0 -> 33789 bytes
 7 files changed, 109 insertions(+), 12 deletions(-)
 create mode 100644 2019/ccc2019-sim_technology_a_z/32c3-sim-back.jpg
 create mode 100644 2019/ccc2019-sim_technology_a_z/32c3-sim-front.jpg
 create mode 100644 2019/ccc2019-sim_technology_a_z/7816_activation.png
 create mode 100644 2019/ccc2019-sim_technology_a_z/7816_frame.png
 create mode 100644 2019/ccc2019-sim_technology_a_z/c-netz-karte.jpg
 create mode 100644 2019/ccc2019-sim_technology_a_z/sim_fs.png

diff --git a/2019/ccc2019-sim_technology_a_z/32c3-sim-back.jpg b/2019/ccc2019-sim_technology_a_z/32c3-sim-back.jpg
new file mode 100644
index 0000000..89b2644
Binary files /dev/null and b/2019/ccc2019-sim_technology_a_z/32c3-sim-back.jpg differ
diff --git a/2019/ccc2019-sim_technology_a_z/32c3-sim-front.jpg b/2019/ccc2019-sim_technology_a_z/32c3-sim-front.jpg
new file mode 100644
index 0000000..e8027d9
Binary files /dev/null and b/2019/ccc2019-sim_technology_a_z/32c3-sim-front.jpg differ
diff --git a/2019/ccc2019-sim_technology_a_z/36c3-sim_card_technology_from_A_to_Z.tex b/2019/ccc2019-sim_technology_a_z/36c3-sim_card_technology_from_A_to_Z.tex
index 682e6f6..4a926b0 100644
--- a/2019/ccc2019-sim_technology_a_z/36c3-sim_card_technology_from_A_to_Z.tex
+++ b/2019/ccc2019-sim_technology_a_z/36c3-sim_card_technology_from_A_to_Z.tex
@@ -9,7 +9,7 @@ \usetheme{Warsaw} \usecolortheme{whale} -\title{SIM card technology from A to Z} +\title{SIM card technology from A(PDU) to X(RES)} %\subtitle{Subtitle} \author{Harald~Welte} \date[Dec 2019, 36C3]{Chaos Communication Congress 2019} @@ -24,7 +24,12 @@ \begin{frame}{Outline} - \tableofcontents[hideallsubsections] + \item Relevant Specs + Spec Bodies + \item Card Interfaces, Protocols + \item Card File System + \item SIM Evolution from 2G to 5G + \item SIM Toolkit + \item OTA (Over The Air) \end{frame} @@ -45,6 +50,19 @@ \includegraphics[width=150mm]{sim_card_specs.png} \end{frame} +\begin{frame}{Relevant specification bodies/sources} +\begin{itemize} + \item ISO (Integrated Circuit[s] Card) + \item ITU (Telecom Charge Cards) + \item ETSI (where GSM was originally specified) + \item 3GPP (where 3G to 5G was specified) + \item GlobalPlatform Card Specification + \item Sun/Oracle JavaCard API, Runtime, VM + \item GSMA +\end{itemize} +\end{frame} + + % from APDU to Z... ? \begin{frame}{The SIM: Subscriber Identity Module} @@ -64,9 +82,12 @@ \begin{frame}{Classic SIM in early GSM} + \begin{figure} + \centering + \includegraphics[width=80mm]{c-netz-karte.jpg} + \end{figure} \begin{itemize} \item Idea of storing subscriber identity predates GSM (e.g. C-Netz since 1988) - % c-netz-karte.jpg \item GSM from the very beginning introduces concept of SIM card \item store subscriber identity outside of the phone \item store some network related parameters @@ -79,7 +100,7 @@ \end{frame} -\begin{frame}{ISO 7816} +\begin{frame}{DIN EN ISO/IEC 7816} \begin{itemize} \item the {\em mother of all smart card} spec \item "Integrated circuit(s) cards with contacts" 
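Review bot: The new Outline frame in hunk @@ -24,7 +24,12 @@ places six `\item` lines directly inside the frame with no enclosing list, which LaTeX rejects with "Lonely \item--perhaps a missing list environment", so the deck does not compile as committed. Wrap them: `\begin{itemize}` before `\item Relevant Specs + Spec Bodies` and `\end{itemize}` after `\item OTA (Over The Air)`. The removed `\tableofcontents[hideallsubsections]` followed the `\section` structure automatically, whereas the hand-written list now has to be kept in step by hand; it is worth checking whether the GSMA eSIM frame added later in this commit deserves an entry of its own.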
@@ -114,12 +135,16 @@ \item Relevant pins: \begin{itemize} \item VCC: Provides supply voltage (5V, 3V or 1.8V) - \item CLK: Provides a clock signal () + \item CLK: Provides a clock signal (1 .. 5 MHz default) \item RST: To reset the card \item IO: bidirectional serial communications \end{itemize} \item Activation sequence triggers card to send ATR (Answer To Reset) \end{itemize} +\begin{figure} +\centering +\includegraphics[width=100mm]{7816_activation.png} +\end{figure} \end{frame} \begin{frame}{Bit transmission level} @@ -135,6 +160,10 @@ \item timings are actually not very well specified \end{itemize} \end{itemize} +\begin{figure} +\centering +\includegraphics[width=100mm]{7816_frame.png} +\end{figure} \end{frame} \begin{frame}{Smart Card Communication} @@ -219,6 +248,7 @@ \end{frame} \begin{frame}{SIM card filesystem hierarchy} +\parbox{.4\textwidth}{ \begin{itemize} \item MF (3F00) \begin{itemize} @@ -238,10 +268,12 @@ \item ... \end{itemize} \end{itemize} +}\hfill\parbox{.6\textwidth}{ + \includegraphics[width=80mm]{sim_fs.png} +} \end{frame} - \begin{frame}{3G: ETSI UICC and the 3GPP USIM} \begin{itemize} \item The GSM SIM was fully specified by ETSI in TS 11.11 @@ -393,9 +425,9 @@ \begin{itemize} \item SMS-PP (normal SMS as you know it) \item SMS-CB (bulk update of cards via cell broadcast) - \item USSD - \item BIP (via CSD, GPRS) - \item now also HTTPS + \item USSD (Release 7) + \item BIP (via CSD, GPRS): ETSI TS 102 223 / TS 102 127 + \item now also HTTPS (Release 9) \end{itemize} \item Cryptographic security mechanisms specified, but detailed use up to operator \begin{itemize} @@ -408,6 +440,7 @@ \begin{frame}{Remote File Management (RFM)} \begin{itemize} + \item Introduced in Relase 6 \item Common use case of OTA \item Allows remote read / update of files in file system \item Example: Change of preferred/forbidden roaming operator list 
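Review bot: In hunk @@ -238,10 +268,12 @@ the right-hand `\parbox{.6\textwidth}` holds `\includegraphics[width=80mm]{sim_fs.png}`; with beamer's default 128mm paper, 0.6 of the text width is well under 80mm, so the image overruns the parbox and probably the frame edge (an Overfull \hbox at best, a clipped diagram at worst). Size it relative to the box instead: `\includegraphics[width=\linewidth]{sim_fs.png}`. The same absolute-width pattern appears in the figures added by @@ -64, @@ -114 and @@ -135 (80mm/100mm) and by @@ -433 (two 50mm images side by side); those fit the default frame, but `width=0.8\linewidth`-style sizing would survive a theme or aspect-ratio change without re-measuring every slide.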
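Review bot: `\item Introduced in Relase 6` in hunk @@ -408,6 +440,7 @@ misspells "Release", and the identical line is added again on the RAM frame in @@ -417,6 +450,7 @@; change both to `\item Introduced in Release 6`. The OTA transport frame changed in @@ -393 spells it `Release 7` / `Release 9`, so the typo is visible on the immediately preceding slides.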
@@ -417,6 +450,7 @@ \begin{frame}{Remote Application Management (RAM)} \begin{itemize} + \item Introduced in Relase 6 \item Common use case of OTA \item Allows remote installation / removal of applications on card \item Example: New multi-IMSI application (MVNOs) @@ -424,6 +458,40 @@ \end{itemize} \end{frame} +\begin{frame}{OTA over HTTPs} +\begin{itemize} + \item 4G and beyond don't natively support SMS-PP, USSD, ... + \item In Release 9, OTA over HTTPs is first introduced + \item References to GlobalPlatform 2.2 Amd B + ETSI TS 102 226 + \item Uses HTTP as per RFC 2616 + \item Uses PSK-TLS as per RFC4279, RFC4785, RFC5487 + \begin{itemize} + \item TLS 1.0 / 1.1: TLS\_PSK\_WITH\_3DES\_EDE\_CBC\_SHA + \item TLS 1.0 / 1.1: TLS\_PSK\_WITH\_AES\_128\_CBC\_SHA + \item TLS 1.0 / 1.1: TLS\_PSK\_WITH\_NULL\_SHA (RFC4785) + \item TLS 1.2: TLS\_PSK\_WITH\_AES\_128\_CBC\_SHA256 (RFC5487) + \item TLS 1.2: TLS\_PSK\_WITH\_NULL\_SHA256 (RFC5487) + \end{itemize} + \item IP and TCP socket terminated in phone, only TCP payload handled by card +\end{itemize} +\end{frame} + +\begin{frame}{OTA over HTTPs} +\begin{itemize} + \item Card acts as HTTP client performing HTTP POST + \item TLS payload is remote APDU format of ETSI TS 102 226 + \item additional HTTP headers + \begin{itemize} + \item X-Admin-Targeted-Application + \item X-Admin-Next-URI + \item X-Admin-Protocol: globalplatform-remote-admin/1.0 CRLF + \item X-Admin-From + \item X-Admin-Script-Status + \item X-Admin-Resume + \end{itemize} +\end{itemize} +\end{frame} + \begin{frame}{S@T} \begin{itemize} \item a strange beast specified outside of ETSI/3GPP 
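Review bot: The cipher-suite list on the first `OTA over HTTPs` frame in hunk @@ -424,6 +458,40 @@ presents `TLS\_PSK\_WITH\_NULL\_SHA` and `TLS\_PSK\_WITH\_NULL\_SHA256` next to the encrypting suites without saying that NULL suites authenticate and integrity-protect only, so the remote-APDU body is readable by the phone and the network path unless some further layer secures it, nor that TLS 1.0/1.1 have since been deprecated (RFC 8996). A sub-bullet such as `\item NULL suites: authentication/integrity only, no confidentiality; TLS 1.0/1.1 now deprecated` would complete the slide's security picture for the audience. The two frame titles say `HTTPs` while the bullet added in @@ -393 says `HTTPS`; pick one spelling. For consistency with `RFC 2616` on the same frame, the PSK references should read `RFC~4279, RFC~4785, RFC~5487`, the `~` also keeping label and number together across a line break.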
@@ -433,20 +501,49 @@ \end{itemize} \end{frame} +\begin{frame}{GSMA eSIM} +\begin{itemize} + \item system for remote provisioning of {\em profiles} to SIM + \item allows change of operator / identity without replacement of physical card + \item main use case is non-removable / soldered SIM chip (MFF2) + \item also available from some operators in classic smart card size + \item main relevant spec is GSMA SGP.22 + \item based around PKI between operators, all parties approved by GSMA +\end{itemize} +\end{frame} + + \begin{frame}{The CCC event SIM cards} +\begin{figure} + \centering + \includegraphics[width=50mm]{32c3-sim-front.jpg} + \includegraphics[width=50mm]{32c3-sim-back.jpg} +\end{figure} \begin{itemize} \item are Java SIM + USIM cards - \item support OTA, RAM, RFM + \item support OTA, RAM, RFM (via SMS-PP and maybe BIP, not HTTPS) \item you can get the ADM PIN and OTA keys from the event GSM team \item a "hello world" Java applet and tools for installation are provided (thanks to shadytel + Dieter Spaar) \item identities and key data can be modified using Osmocom pySim software \end{itemize} \end{frame} -\begin{frame}{Further Reading} +%\begin{frame}{The evoluation of form factors} + %\includegraphics{sim_card_formats.png} +%\end{frame} + +\begin{frame}{Further Reading (hyperlinked)} \begin{itemize} - \item FIXME + \item \href{https://simalliance.org/wp-content/uploads/2017/01/MobileConnectSteppingStones_FINAL_.pdf}{SIM alliance stepping stones} + \item \href{https://osmocom.org/projects/simtrace2/wiki}{SIMtrace2 wiki} + \item \href{https://simjacker.com/downloads/technicalpapers/AdaptiveMobile_Security_Simjacker_Technical_Paper_v1.01.pdf}{Simjacker vulnerability} + \item \href{https://opensource.srlabs.de/projects/simtester/wiki}{SRLabs SIMtester} + \item for historians + \begin{itemize} + \item \href{http://ftp.ccc.de/software/gsm/SIM_sim.zip}{CCC SIM simulator in Turbo C} + \item \href{http://ftp.ccc.de/software/gsm/gsm_hack.tar.gz}{CCC sim clone / D2 
Pirat} + \end{itemize} \end{itemize} \end{frame} diff --git a/2019/ccc2019-sim_technology_a_z/7816_activation.png b/2019/ccc2019-sim_technology_a_z/7816_activation.png new file mode 100644 index 0000000..35e7f0d Binary files /dev/null and b/2019/ccc2019-sim_technology_a_z/7816_activation.png differ diff --git a/2019/ccc2019-sim_technology_a_z/7816_frame.png b/2019/ccc2019-sim_technology_a_z/7816_frame.png new file mode 100644 index 0000000..d09ef28 Binary files /dev/null and b/2019/ccc2019-sim_technology_a_z/7816_frame.png differ diff --git a/2019/ccc2019-sim_technology_a_z/c-netz-karte.jpg b/2019/ccc2019-sim_technology_a_z/c-netz-karte.jpg new file mode 100644 index 0000000..4a62d7b Binary files /dev/null and b/2019/ccc2019-sim_technology_a_z/c-netz-karte.jpg differ diff --git a/2019/ccc2019-sim_technology_a_z/sim_fs.png b/2019/ccc2019-sim_technology_a_z/sim_fs.png new file mode 100644 index 0000000..d2f4340 Binary files /dev/null and b/2019/ccc2019-sim_technology_a_z/sim_fs.png differ -- cgit v1.2.3
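Review bot: The commented-out frame added in hunk @@ -433,20 +501,49 @@ is titled `The evoluation of form factors` (typo for "evolution") and references `sim_card_formats.png`, which is not among the six images this commit adds per the diffstat; if that file is not already present in the directory the placeholder should say so, e.g. `%\begin{frame}{The evolution of form factors} % TODO: add sim_card_formats.png`. On the CCC event SIM frame, `(via SMS-PP and maybe BIP, not HTTPS)` leaves the BIP capability ambiguous for people who will actually try these cards; if it has simply not been tested, `BIP untested` says that more plainly. Note that this hunk starts on the previous line of the collapsed patch and ends here.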