DE102022000931A1 - Universal integrated chip card, UICC, for managing authentication data and procedures - Google Patents

Abstract

The invention relates to a UICC, preferably a subscriber identity module, set up for managing authentication data of the UICC, having an interface set up for receiving, from the communication network, authentication data for an authentication data record; a data memory set up for storing authentication data management in a file system of the UICC and for storing at least two different authentication data of an authentication data record or at least two different authentication data records in the file system of the UICC, authentication data records being set up to authenticate the UICC on the communication network, and a control unit set up for Selecting an authentication data record stored in the data memory of the UICC, the selected authentication data record then being activated. A corresponding method and a computer program product are also provided.

Description

TECHNICAL FIELD OF THE INVENTION

The invention relates to a universal integrated chip card, UICC, preferably a subscriber identity module, for managing authentication data, a corresponding method and a computer program product.

To use services of a communication network contains a terminal, for example a mobile phone or a machine-to-machine device, English: machine-to-machine device, M2M device for short, or a device for using technologies of the Internet of Things, English: Internet-of-Things, in short: IoT, a UICC. In this description, the term “UICC” is used synonymously with the terms “eUICC”, “subscriber identity module (SIM)”, “chip card”, “iUICC”, “integrated eUICC”, “integrated secure element”, “embedded secure element”, “ Secure Element" or "SIM" is used.

Data is stored in the UICC in order to uniquely identify and/or authenticate a subscriber (person or device) for using a service of a communication network or in a communication network. It is thus possible for an operator of the service or of the communication network to clearly allocate the use of the service offered to each subscriber. It is also possible for the operator of a communications network to allow network access, ie logging into the communications network, as soon as the subscriber has been authenticated. He can also refuse network access if authentication of the subscriber is not possible.

In the following, authentication refers to the proof of an identity. On the other hand, authentication is the checking of this proof of identity for its authenticity.

TECHNICAL BACKGROUND

A user can be authenticated in a communication network for using services using a security architecture as described in the technical specification ETSI TS 33.102 version 16.0.0. This specification defines security functions, security features, security mechanisms and also security requirements that can be implemented within a communication network. Even though the ETSI TS 33.102 was designed primarily for third-generation communications networks (UMTS), use of an authentication management field is Authentication Management Field, hereinafter referred to as AMF for short, with which - as described for example in Appendix H of the ETSI TS 33.102 specification - the security architecture for the third (UMTS), as well as the fourth (LTE) and also the fifth (5G System) generation of communication networks is applicable.

The security architecture of the communication network is ensured, among other things, by using a UICC. A UICC is uniquely assigned to a user. This is realized by corresponding data sets or data in the UICC.

The mechanism provides mutual authentication by the UICC and the communications network by the UICC indicating knowledge of a secret key (K) shared between the UICC and a network.

For some time now, UICCs can also be managed over the air interface (over-the-air). It is possible to generate, provide, load, activate, deactivate and/or delete subscriptions (participant identity data, subscriptions). The corresponding mechanisms are described in the GSMA specifications SGP.02 and SGP.22, to which reference is made. These mechanisms and the fact that a UICC can accommodate several subscriptions at the same time (so-called profiles) enable switching subscriptions (=profile change) without having to physically exchange the UICC. This means that different profiles (ISD-P), for example a business subscription, a private subscription and/or a travel subscription, can be accommodated on a single UICC and managed using a subscription management system (ISD-R). The different profiles can belong to different network operators (MNO), which in particular should not have any knowledge of the authentication data records of the respective other MNO.

There is currently no standardized mechanism for communication networks that allows a UICC for a single subscriber (user) to update or exchange authentication data securely and quickly, of an authentication data record or of complete authentication data records in the UICC; a corresponding mechanism also does not exist for the simultaneous data exchange in a population of many UICCs. The consequence of this is that if long-term keys (secret keys K) become publicly known, whether accidentally or through targeted compromise, the original security level must always be restored by reissuing the UICC, or at least by exchanging the affected SIM profile in a UICC with same timely updating of the network keys and/or the OTA keys is necessary.

Until now, a network operator has only been able to change a parameter or a date in the authentication data record by loading a new profile and deleting the old profile using subscription management (ISD-R) or by physically exchanging the UICC. This requires a complex infrastructure that is not economically viable or efficient in all applications.

In some use cases, profiles of so-called virtual network operators (MVNO) are present in the UICC. The MVNO do not use their own network infrastructure, but use the physical network infrastructure of another (real) network operator (MNO). In contrast to the MNO, an MVNO does not have its own access network. An MNO must therefore be able to check both the authentication of its own users and the authentication of the MVNO's users (who use the MNO's network).

From the technical report 3GPP TR 33.834 (version V16.1.0) the proposal is known to pre-install several key pairs, each consisting of an authentication key K and a network operator-specific value, on a UICC, between which it is possible to switch during operation in the field. The use of a proprietary authentication management data field (AMF) is proposed for the switchover. Two scenarios (solution 4b and 5) from the technical report 3GPP TR 33.834 are analyzed in depth in another technical report ETSI TR 133.935 (version V16.0.0). It is proposed to update the secret key on the UICC using suitable air interface commands (over-the-air). This principle is also described in the document US 2010/064344 A1. The desired replacement of the old key by a new key in the AMF of an authentication request from the network is indicated by a special value, with an authentication tuple based on the old key and the old random number RAND being sent to the terminal. A new key is calculated in the end device from the old key and the old random number RAND. When an authentication request has the special value in the AMF, the old key is replaced with the derived new key and used for future authentication. The new key is thus displayed in an authentication request and the new key K is derived from the parameters RAND and K.

However, the technical reports (TR 33.834 and TR 133.935) explicitly warn against updating the long-term key, LTKUP, and state that the solutions presented are proprietary and should not be carried out over the Internet, otherwise there is a risk of man-in-the-middle attacks . The procedures deal only with updating the authentication key. The update of other authentication parameters of an authentication record is not handled.

SUMMARY OF THE INVENTION

The invention is based on the object of creating a method for managing authentication data of a UICC and a corresponding UICC, with which it is possible in a simple and secure manner to adapt authentication data to a new or changed network environment without jeopardizing the security architecture of the network or to deteriorate and without exchanging a complete profile (subscription).

The object is achieved by the features described in the independent patent claims. Advantageous developments of the invention are specified in the dependent claims.

According to the invention, a UICC, preferably a subscriber identity module, set up to manage authentication data of the UICC is proposed. The UICC has: an interface set up to receive, from the communication network, authentication data for an authentication data record; a data memory set up for storing authentication data management in a file system of the UICC; and storing at least two different authentication data of an authentication data record or at least two different authentication data records in the file system of the UICC, wherein authentication data records are set up for authenticating the UICC on the communication network, and a control unit set up for selecting an authentication data set stored in the data memory of the UICC, the selected authentication data set is then activated.

For example, the UICC has a file system as described in 3GPP TS 11.11 or 3GPP TS 11.14. The file system has files, e.g. elementary files, EF. An EF includes header and body data and comes in three types: Transparent EF, Linear Fixed EF, and Cyclic EF. The file system of the UICC includes, for example, Dedicated Files, DF, which have header data with a hierarchical structure of elementary files, EF, on the UICC. DFs do not have their own n data. You can think of a DF as a directory structure. The file system of the UICC has at least one master file, master file, MF, and represents the master file in the UICC file system.

The file system can physically reside within the UICC. Alternatively, the file system is external to the UICC and only the UICC has access permission to this external file system. Thus, remote access memories or memory areas of the device that are not part of the UICC could be used.

An authentication data management system is stored in the data memory. This authentication data management is set up to manage authentication data of the UICC on the UICC. According to the given data processing architecture of the UICC, the authentication data management can delete individual files, create them and store, move, copy and/or overwrite authentication data in these files. For example, the authentication data can be stored in UICC files. Alternatively or additionally, the authentication data can be stored in data objects, for example in data objects of the UICC. Alternatively or additionally, the authentication data can be stored in reserved memory areas of the operating system, OS, the UICC.

The authentication data can be stored in data sets with different structures depending on where they are stored. The authentication data management is set up in particular to adapt the stored authentication data, in particular the data sets of the authentication data, in each case accordingly in order to be able to use them for intended authentication on the one hand and to store them at the desired storage location on the other.

Authentication data are preferably electronic data which, alone or in combination with other authentication data, enable a UICC to be authenticated on a network. Such authentication data are described in ETSI TS 33.102 V 16.0.0, the content of which is fully referenced in this application.

An authentication record is, for example, a record that includes authentication data.

An authentication data record consists, for example, of one or more of the following parameters: a random number RAND, an expected response XRES, an encryption key CK, an integrity key IK (both keys CK, IK sometimes also referred to generally as authentication keys) and an authentication token AUTN. In addition, the UICC and network can maintain counters to aid in authentication. The sequence number SQN-MS can be an individual counter for each UICC. The sequence number SQN-HE can indicate a highest sequence number that the UICC has accepted.

Receiving authentication data means signaling to mutually authenticate the network at the UICC and vice versa. Receiving takes place, for example, through an exchange of commands, including the sender-receiver model: data or information is encoded in characters and then transmitted from a sender (network, possibly via a terminal) via a transmission channel (interface) to a receiver (UICC ) transfer. It is crucial that the sender and recipient use the same coding so that the recipient understands the message, i.e. can decode the data to be exchanged.

The UICC has a memory area in which authentication data management and also authentication data are stored.

In order to authenticate yourself on a network at a point in time X, only one authentication data record is ever activated. This means that an authentication request from the communication network is answered with the activated authentication data record from the UICC (authentication response). In order to mark or identify an activation data record as activated, an authentication data record is stored, for example, in a special file structure or at a special location in the file system or in a data object or in a reserved memory area of the operating system OS. Alternatively or additionally, a marking is set on one or more of the authentication data associated with the authentication data record. For example, the marking can be a flag or a bit that is set to logic "0" or logic "1". Alternatively or additionally, an address or a pointer of the activated authentication data record is written by the control unit to a corresponding memory area of the memory of the UICC. Reading out the memory area then refers to the authentication data to be used. In this way, the authentication data records can also be selected and/or composed by the control unit with authentication data from different (other) authentication data records, and an advantageous saving in memory is achieved.

A UICC within the meaning of the invention is, for example, an electronic module that is reduced in size and resources and has a control unit (microcontroller) and at least one interface (data interface) for communication with the device. This communication preferably takes place via a connection protocol, in particular a protocol according to the standard ETSI TS 102 221 or ISO-7816.

With UICC designs that are implemented as an integrated system on a chip, System on Chip, SoC for short, such as the "iUICC", "Integrated eUICC", "Integrated SE" or the "Integrated TRE", communication takes place via a SoC internal bus. The UICC has an internal or external secure, non-volatile memory area in which subscriber identity data and authentication data are securely introduced in order to prevent attempts at manipulation and/or misuse during identification and/or authentication on the network.

In one embodiment, the UICC can be operable by means of a device, with the UICC being self-sufficient in this embodiment except for supply signals, such as supply voltage, clock, reset, etc.

The term "UICC" is synonymous with the term "eUICC", "subscriber identity module", "chip card", "iUICC", "integrated eUICC", "integrated secure element", "embedded secure element", "secure element" or "SIM". . The UICC is, for example, a chip card or a SIM card or a subscriber identity module. The UICC is used to identify a subscriber in a communications network using the machine-readable subscriber identity data stored in the secure, non-volatile memory area and to authenticate it for using services. UICC also means USIM, TSIM, ISIM, CSIM or R-UIM. For example, a UICC is defined as a USIM application in ETSI TS 131 102. For example, a UICC is defined as a SIM application in ETSI TS 151 011. For example, a UICC is defined as a TSIM application according to ETSI TS 100 812. For example, a UICC is defined as an ISIM application according to ETSI TS 131 103. For example, a UICC is defined as a CSIM application according to 3GPP2 C.S0065-B. For example, a UICC is defined as an R-UIM application according to 3GPP2 C.S0023-D.

The UICC can be an integral part within the device, such as a hard-wired electronic component. Such UICC are also referred to as eUICC. In this design, these UICCs are not intended to be removed from the device and, in principle, cannot be easily replaced. Such UICC can also be designed as embedded secure elements and are a secure hardware component in the device.

The UICC can also be a software component in a trusted part of an operating system, a so-called Trusted Execution Environment, or TEE for short, of the device. The UICC is designed, for example, within a secure runtime environment in the form of programs running there, so-called “trustlets”.

The UICC can also be an integral part of a larger integrated circuit, such as a modem or application processor. Such UICC are referred to as "integrated UICC", "integrated TRE", "integrated eUICC" or "Integrated SE". Such UICC are permanently integrated into a SoC as an integrated processor block and can be connected via a chip-internal bus.

The UICC can be used for remote monitoring, control and maintenance of devices such as machines, plants and systems. It can be used for counting units such as electricity meters, hot water meters, etc. For example, the UICC is part of the IoT technology.

The term “end device” is preferably used here, whereby the end device in communication technology can primarily be a “terminal”. This does not exclude that a "terminal" can be a "device" in a different technology. The terms "end device" and "device" are used synonymously.

A device according to the invention is basically a device or a device component with means for communicating with a communication network in order to be able to use services of the communication network or to be able to use services of a server via a gateway of the communication network. For example, a mobile device such as a smart phone, a tablet PC, a notebook, a PDA is to be included under the term. Multimedia devices such as digital picture frames, audio devices, televisions, e-book readers, which also have means for communicating with the communications network, can also be understood as devices.

In particular, the device is installed in a machine, an automat and/or a vehicle. If the device is installed in a motor vehicle, it typically has an integrated UICC. The UICC can use the device, for example by means of a modem in the device, to set up a data connection to a server via the communication build up a network. The device can be used, for example, to contact a server from the device manufacturer in order to address control units, for example ECUs (ECU=Electronic Control Unit) for functionalities of the device. A server in the background system of the mobile radio network operator, MNO, can be contacted via the UICC, for example a server, in order to load updates for software, firmware and/or the operating system of the UICC into the UICC.

The UICC is used to update individual authentication data of an authentication data record without a complete profile (comprising an entire file system, subscriber data, application, etc.) being exchanged (i.e. at least one existing profile deactivated and another profile loaded and activated) or the UICC must be physically replaced. Rather, an authentication parameter (=authentication data) to be updated can be received and replaced in a dedicated manner. This saves time and network resources.

When it is carried out by the control unit, the authentication data management is preferably set up to create a new file or a new folder in the file system of the UICC or in a data object or in a reserved memory area of the operating system. A new file can thus be created in the file system or a new entry, record, can be created in an entry-based, record-based file, in which a received current authentication date is then stored.

If the authentication data management is carried out by the control unit, it is preferably set up to store the received authentication data. The authentication file is thus authorized to access the corresponding content of the UICC file system and to store data content there.

If the authentication data management is carried out by the control unit, it is preferably set up to overwrite authentication data that has already been stored with the authentication data received. The authentication file is thus authorized to access a corresponding content of the file system of the UICC, to delete it and to store a newly received data content there.

The interface is preferably also set up to receive, from the communication network, an authentication request for authenticating the UICC on the communication network. In response to the authentication request received from the communication network, the control unit is further set up to create an authentication response using the activated authentication data record and cause the transmission of the authentication response created to the communication network, whereupon the authentication response created is transmitted to the communication network via the interface.

The authentication request has an authentication management data field, AMF for short, with additional information about an authentication data record to be used for authenticating the UICC on the communications network being displayed in the authentication management data field. Additional information is information that was not required for the previous authentication of the UICC on the network, i.e. that is in addition to the previously agreed and distributed authentication data.

The authentication request is preferably an AUTHENTICATE command, with the additional information being included in the eighth to fifteenth bits of an authentication management data field of the AUTHENTICATE command. The AUTHENTICATE command is described, for example, in ETSI TS 102 221 in Section 11.1.16.

The additional information is, for example, an indication of an existing authentication key to be used, and/or an indication of an existing authentication algorithm to be used, and/or an update of an existing authentication key, and/or an update of an existing authentication algorithm, and/or an overwrite request Sequence check, and/or an authentication key identification, and/or a file or folder path specification of the UICC file system for finding authentication data to be used.

The authentication data preferably includes an authentication key. The authentication key, also secret key K, Ki or long-lived key K or CK or IK, is part of the authentication data of an authentication data record.

The authentication data preferably includes an authentication algorithm, for example Milenage or TUAK or the data OP, OPc for Milenage or TOP, TOPc for TUAK.

According to Appendix F.1 of ETSI TS 33.102, a mechanism to support Ver using multiple authentication and key agreement algorithms. The AMF of an AUTHENTICATE command can then be used to specify the algorithm and key used to generate a particular authentication vector.

A network-unique identifier, for example a key ID, can be used to identify the respective authentication key and/or the respective authentication algorithm.

The authentication data preferably includes a parameter for checking a sequence number. For example, according to Appendix F.2 of ETSI TS 33.102, a mechanism for changing the parameters for checking the sequence number is achieved. For this purpose, a limit value for the difference between the sequence number of the terminal device and the sequence number SQN of the network, namely the parameter L from Appendix C.2.2 of ETSI TS 33.102, is dynamically changed in a meaningful way. The AMF of an AUTHENTICATE command can then be used to specify a new value of L to be used by the UICC then.

The authentication data preferably includes a threshold value for limiting the lifetime of an authentication key and/or a request to overwrite a sequence check value. For example, according to Appendix F.3 of ETSI TS 33.102, a mechanism for setting threshold values for limiting the lifetime of encryption and integrity keys is achieved. The AMF field of an AUTHENTICATE command can be used by the operator to set or adjust this limit in the USIM. Two limit values could also - not necessarily - be specified and the AMF field instructs the UICC to switch between them.

A command is an instruction, a command or an instruction that is sent by the device. The command is preferably a command according to the ETSI TS 102 221 or ISO/IEC 7816 standard. It can have a command head and a command body.

The UICC preferably includes an operating system which is stored in the data memory in an executable manner and is set up to carry out the steps of the control unit.

In a further aspect, a method for authenticating a UICC, preferably a subscriber identity module, according to one of the preceding types on a communication network is provided. The method comprises the steps: Obtaining, in the UICC, an authentication request from the communications network, the authentication request having an authentication management data field, wherein additional information about at least one authentication data record to be used for authentication by the UICC is indicated in the authentication management data field; selecting, by the UICC, one of at least two mutually different authentication data sets stored in the UICC using the additional information from the authentication data field; Creating, by the UICC, an authentication response to the communication network using the selected authentication parameter.

The UICC preferably receives a key update request, the key update request including an indication of a new authentication key. The key update request is, for example, an AUTHENTICATE KeyUpdate command, which would be newly included in the standardization. This command could be transmitted to the UICC together with the authentication management data field (“AMF”), the new authentication key (“New Key”) and an authentication key check value (“Key Check Value”, for example a hash value or a CRC value). Optionally, additional encryption agreements can be made for greater security, for example based on a subscriber identity (IMSI) or other secret keys (OTA key, etc.).

The key update request preferably contains the new authentication key in encrypted form, the encryption taking place on the basis of a subscriber identifier of the UICC or a secret previously negotiated between the UICC and the server.

The UICC preferably has authentication data management, this authentication data management being set up to generate a new key file or a new key folder in a file system of the UICC, storing new authentication keys in the file system of the UICC, storing new authentication algorithms in the file system of the UICC, replacing updated authentication keys in the UICC's file system, and/or replacement of updated authentication algorithms in the UICC's file system.

An authentication is preferred before the authentication request is received in the UICC configuration parameter update received via an over-the-air communication.

The authentication request is preferably received as an APDU command in the UICC.

The authentication response is preferably transmitted by the UICC as an APDU command.

The method is preferably executed by an operating system routine of the UICC.

In a further aspect, a computer program product is executably installed in the UICC and has means for executing the method steps of the method described above.

The UICC is set up, for example, to set up a logical data connection to a server in the communications network in order to use the services of the server or another server and to exchange data. When setting up such a data connection from a UICC to a server, connection parameters, for example a unique server address and the data connection protocol to be used, are required. For example, a card application tool kit, CAT for short, of the subscriber identity module according to the ETSI Standard TS 102 223 is used to set up, clear down and operate a data connection.

A communication network is a technical facility on which the transmission of signals takes place with identification and/or authentication of the participant. The communication network offers its own services (own voice and data services) and/or enables the use of services from external entities. The communication network is preferably a cellular network. A device-to-device communication under the supervision of the communication network is possible. In particular, a mobile network is used here, for example, the "Global System for Mobile Communications", GSM for short, as a representative of the second generation, or the "General Packet Radio Service", GPRS for short, or "Universal Mobile Telecommunications System", UMTS for short, as a representative of the third generation, the "Long Term Evolution", LTE for short, understood as a representative of the fourth generation as a mobile network or understood a mobile network of the 5th generation with the current working title "5G" as a communication network. The communication in the communication network can take place via a secure channel, for example as defined in the technical standards ETSI TS 102 225 and/or ETSI TS 102 226, for example SCP80, SCP81 or a transport layer security, TLS.

According to the invention, a server is an entity that is physically remote from the device. The server can be part of the communication network. Alternatively or additionally, the server is an external entity (ie not an entity of the communication network). The server is preferably a server from the device manufacturer in order to address control units, e.g. ECUs (ECU=Electronic Control Unit), for functionalities of the device. Alternatively or additionally, the server is a server for remote administration of the eUICC, for example a so-called OTA server, in order to load updates for the software, firmware and/or operating system of the eUICC into the eUICC.

Subscriber identity data, such as is stored in the non-volatile memory area of the UICC, for example, is data that uniquely identifies a subscriber (a person or a device) in the communications network. This includes, for example, a subscriber identifier, also known as International Mobile Subscriber Identity, or IMSI for short, and/or subscriber-specific data. The IMSI is the subscriber identity file unique in a cellular communication network. It is made up of the country code MCC (Mobile Country Code), the network code MNC (Mobile Network Code) and a sequential number assigned by the network operator. In addition, subscriber identity data are, for example, data that uniquely authenticate a subscriber in the communication network, for example an authentication algorithm, specific algorithm parameters, a cryptographic authentication key Ki and/or a cryptographic over-the-air, OTA for short, key. In addition, subscriber identity data is, for example, data that uniquely authenticates a subscriber to a service (=service), for example a unique identifier or signature. A service is in particular a voice service or a data service of a server with which information and/or data are transmitted via the communication network.

The UICC can be installed in the device ready for operation. The communication between UICC and device is based on a connection protocol. In addition, the device can also be set up to independently set up a data connection to the remote server in order to also use its services and exchange data with this server.

character list

• 1 zeigt eine Sicherheitsarchitektur gemäß dem Stand der Technik,
• 2 zeigt ein Ausführungsbeispiel eines Ablaufdiagrams eines Authentisierungsverfahrens gemäß dem Stand der Technik;
• 3 zeigt den Ablauf eines Authentisierungsverfahren in einer USIM gemäß dem Stand der Technik;
• 4 zeigt ein Ausführungsbeispiel eines Systems aus Netzwerk, Gerät und erfindungsgemäßer UICC;
• 5 zeigt ein Ausführungsbeispiel einer erfindungsgemäßen UICC;
• 6 zeigt ein weiteres Ausführungsbeispiel einer erfindungsgemäßen UICC; und
• 7 zeigt ein Ausführungsbeispiel eines Ablaufdiagrams eines erfindungsgemäßen Verfahrens in einer UICC.

The invention and further embodiments and advantages of the invention are explained in more detail below with reference to the figures, with the figures merely describing exemplary embodiments of the invention. Same components in the figures are provided with the same reference numbers. The figures are not to be regarded as true to scale; in particular, individual elements of the figures may be exaggeratedly large or exaggeratedly simplified.

• 1 shows a security architecture according to the prior art,
• 2 shows an embodiment of a flowchart of an authentication method according to the prior art;
• 3 shows the sequence of an authentication method in a USIM according to the prior art;
• 4 shows an embodiment of a system of network, device and UICC according to the invention;
• 5 shows an embodiment of a UICC according to the invention;
• 6 shows a further exemplary embodiment of a UICC according to the invention; and
• 7 shows an embodiment of a flow chart of a method according to the invention in a UICC.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

1 shows the aforementioned security architecture according to the technical specification ETSI TS 133.102 version 16.0.0 based on the OSI reference model. Security feature groups are shown. Each of these sets of features counters specific threats and achieves specific security goals. Network access security I offers users secure access to communication network services and protects against attacks on the (radio) access connection. A security of the network domain II is, for example, to enable the nodes in the provider domain to securely exchange signaling data and to protect against attacks on the wired part of the communication network. A user domain security III secures access to terminals (mobile stations, devices). An application domain security IV enables applications in the user and in the provider domain to exchange messages securely. A visibility and configurability of the security V makes it possible to be informed whether a security feature is in operation or not and whether the use and provision of services should depend on the security feature.

A non-exhaustive list of specific examples of security features includes: the confidentiality of the user identity (e.g. the IMSI), the confidentiality of the user location (e.g. radio cell information, cell ID), the non-traceability of the user (information about different services per user) , user authentication (the network's confirmation of the user), network authentication (the user's confirmation of the network), trust that the UICC (or end device) and the network can securely agree on an encryption algorithm, and/or trust that the UICC (or end device) and the network can securely agree on an encryption key.

2 shows an exemplary flow chart of an authentication method according to the prior art. 3 shows the sequence of an authentication in a UICC according to the prior art. The mechanism underlying the process is based on a challenge-response protocol, see for example Section 6.3 of ETSI TS 133.102. He is in 2 presented as an overview and in 3 in relation to the USIM. The process is outlined below.

In 2 shows the network with two sub-units, the Visiting Location Register, VLR, (= residence register) and the Home Location Register, HLR, (= home town register). This subdivision is exemplary and not exhaustive. It can be adapted to the actual topology of the network.

Upon receiving a request from the VLR, the HLR sends an ordered array of n authentication vectors to the VLR. The authentication vectors AV are ordered based on the sequence number. For example, each AV consists of the following parameters: a random number RAND, an expected response XRES, a cipher key CK, an integrity key IK, and an authentication token AUTN. Each AV is suitable for authentication and for key agreement between the VLR and the UICC.

The VLR invokes the method by selecting the next unused authentication vector AV from the ordered array of authentication vectors AV in the VLR database. When the VLR initiates an authentication and key agreement, it selects the next AV from the ordered array and sends the random number RAND and the authentication token AUTN to the UICC, see also 3 . The AUTN consists of an exclusive OR operation (EXOR, ⊕) from a sequence parameter SQN and the anonymity key AK and the authentication management data field AMF and a message authentication code MAC.

AVs in a given node are used on a first-in, first-out basis. The UICC checks whether the AUTN can be accepted. This exam in the UICC will be in 3 shown and described below. As part of this check, the UICC also calculates an integrity key IK and an encryption key CK, which remain in the UICC and remain valid until the next authentication. At the end of the test, a RES is sent from the UICC to the VLR. The VLR compares the received RES with XRES. If they match, the VLR considers the exchange of authentication and key agreement as successfully completed. The keys CK and IK are then transmitted from the UICC and the VLR to the entities that perform the appropriate encryption and integrity functions. The VLR can offer a secure service even when HLR connections are unavailable by being able to use previously derived CK and IK for a user, so that a secure connection can be established even without authentication and key agreement. The authenticating parties are specifically the authentication center of the user's HLR and the UICC in the user's terminal.

The authenticating parties are the user's network and the UICC in the user's terminal.

A method for distribution of authentication information from the HLR to the VLR is described in Section 6.3.2 of ETSI TS 33.102. The user's HLR is assumed to trust the VLR to handle authentication information securely. It is also assumed that the intra-system connections between the VLR and the HLR are sufficiently secure. It is further assumed that the user trusts the HLR.

A method for mutual authentication and for building new encryption and integrity keys between the VLR and the UICC or the terminal is described in Section 6.3.3 of ETSI TS 33.102. According to this Section 6.3.3. the purpose of authentication and key agreement is to allow authentication of the user and establishment of a new pair of encryption and integrity keys between the VLR and the UICC. During the authentication, the UICC checks that the authentication vector AV used is up to date.

Based 3 describes the conventional authentication procedure in the UICC. The VLR sends RAND AUTN from the selected authentication vector to the UICC using AUTHENTICATE.

After receiving RAND and AUTN, the UICC first calculates the anonymity key AK=f5K (RAND) with the functional unit f5 using the RAND from the AUTN. The UICC can calculate the SQN with the anonymity key AK received at the output of the unit f5 and the EXOR combination of SQN and AK from the AUTN, for example with SQN=(SQN AK) AK.

In addition, an XMAC (expected MAC) is calculated with the functional unit f1 using a key K stored on the UICC, the calculated SQN and the AMF and RAND obtained from the AUTN, for example with XMAC = f1K (SQN || RAND || AMF ). The calculated XMAC is compared with the MAC. If there is no match, the authentication process is aborted and the user sends an authentication error message back to the VLR, stating the cause. The authentication is then considered to have failed.

Next, the UICC checks whether the received sequence number SQN is in the correct range. If the UICC determines that the sequence number is not in the allowed range, it returns a synchronization error to the VLR, including an appropriate parameter, and aborts the operation. The synchronization error message contains the AUTS parameter. It is AUTS = Conc(SQNMS) || MAC-S. Conc(SQNMS) = SQNMS f5*K(RAND) and is the hidden value of counter SQN-MS in terminal 2, and MAC-S = f1 *K(SQNMS || RAND || AMF), where RAND is the random value Received in the current user authentication request AUTHENTICATE. f1 * is a Message Authentication Code (MAC) function with the property that the function values of f1 * do not contain any valuable information about those of f1, ..., f5, f5* and vice versa. f5* is the key-generating function for calculating AK in re-synchronization processes with the property that the function values of f5* do not contain any usable information about those of f1, f1*, f2, ... , f5 and vice versa.

The AMF used to calculate MAC-S assumes a dummy value of all zeros so that it does not have to be transmitted in the clear in the re-synch message.

If the sequence number SQN is in the allowed range, the functional unit f2 calculates the response RES, for example RES = f2K (RANDRES is sent back to the VLR in the user authentication response, see also 2 .

In addition, the UICC 1 uses the functional unit f3 to calculate the encryption key CK=f3K (RAND) and with the functional unit f4 the integrity key IK = f4K (RAND). The UICC 1 stores CK and IK for later use. CK and IK are valid until the next successful execution of an authentication.

Upon receiving the user authentication response RES from the UICC to the VLR, the VLR compares the RES with the expected response XRES from the selected authentication vector AV. If XRES equals RES, the user has passed authentication. The VLR also selects the appropriate cipher key CK and integrity key IK from the selected authentication vector AV. If XRES and RES are different, the VLR initiates an Authentication Failure Report procedure to the HLR. VLR can also decide to initiate a new identification and authentication procedure towards the user.

The verification of the SQN by the UICC results in the device rejecting an attempt by the VLR to use an SQN more than once to establish a specific UMTS security context. In general, therefore, the VLR is only allowed to use an SQN once.

Conventionally, the algorithm and key K are permanently specified by the network operator and are already stored on the UICC.

According to the invention, it is now provided that several keys K are stored and other algorithms can also be used. According to the invention, the AMF is used to indicate to the UICC which algorithm and which key K the authentication is being carried out with. The network operator knows the occupancy of the AMF field.

With the method according to the invention and the UICC according to the invention, the network operator has a flexible possibility of increasing the security of the UICC in the network, which is currently only possible statically by downloading a new UICC profile. The main advantage is a dynamic change of keys for each algorithm or the offering of services such as lifetimes of authentication data (end-of-life) or an SQN override (override).

The communication network also has a flexible option for increasing the security of the UICC in the network without having to initiate a download of a new UICC profile. The UICC must be able to manage its own file structure (i.e. the file system of the UICC) and expand it accordingly.

A method for distribution of authentication data from a previously visited VLR to a newly visited VLR is described in Section 6.3.4 of ETSI TS 33.102.

4 shows an exemplary embodiment of a system consisting of a device 2 and a UICC 1 according to the invention. The method according to FIG 7 away. The device 2 is, for example, an M2M device in an IoT environment. The device 2 may have a plurality of ECUs, which are not illustrated here. The functionalities of the device 2 are controlled by these ECUs. If the device 2 is an automobile, the ECUs could be engine control, transmission control, climate control, and the like.

The UICC 1 is placed in the device 2 ready for operation and is supplied by the device 2 with a supply voltage Vcc and a clock CLK. The UICC 1 is in 4 shown in more detail. In 3 indicates that the UICC 1 has a memory 17 . Applets, a card application toolkit, CAT, authentication data records 172 and authentication data management 171 can be stored in this memory 17 . Different APDU commands 11 can be exchanged between the UICC 1 and the device 2 by means of the applets, the CAT and the operating system (not shown).

The device 2 includes, for example—but not necessarily—a modem 3. The modem 3 can be viewed, for example, as a logical unit for converting data between the UICC 1 and a server 40 of a network 4. The device 2 can set up a communication link 12 to the UICC 1 through the modem 3 . The communication 12 between the device 2 and the UICC 1 takes place in accordance with the protocols defined in the international standards ISO/IEC 7816-3 and ISO/IEC 7816-4, to which express reference is hereby made.

The entire exchange of data between the UICC 1 and the device 2 expediently takes place using so-called APDUs (Application Protocol Data Units) in accordance with the ISO/IEC 7816-4 standard. An APDU represents a data unit of the application layer, i.e. a type of container with which commands and/or data are transmitted to the UICC 1. A distinction is made between command APDUs, which are sent from a device 2 to the UICC 1, and response APDUs, which are sent from the UICC 1 to the device 2 in response to a command APDU.

The modem 3 is a communication unit of the device 2 to also transfer data from the device 2 or the UICC 1 to the communication network 4 and the server 40 located therein. The data exchanged between UICC 1 and modem 3 can be converted into an IP-based connection protocol in modem 3.

5 shows a block diagram of a UICC 1 according to the invention, preferably a hard-wired eUICC. Alternatively, the UICC 1 is a portable data carrier with a different design. The UICC 1 has an operating system 15 in which the method 100 according to 7 expires. The operating system 15 is a native operating system, for example. It is also conceivable that the operating system 15 is set up to run a Javacard runtime environment, JCRE, 16 which is then stored in the memory 17 together with the operating system 17 .

The UICC 1 is designed with the device 2 according to 4 exchange data. Both the UICC 1 and the device 2 each have suitable communication interfaces 12 for data transmission or communication between the UICC 1 and the device 2 . The interfaces can, for example, be designed in such a way that the communication between them or between the UICC 1 and the device 2 is connected galvanically, ie with contacts. The pin assignment is defined in ISO/IEC 7816. In an embodiment that is not shown, the communication interface is contactless, for example according to an RFID or NFC or WLAN standard.

The UICC 1 also has a central processing unit or control unit, CPU 19, which is in communication with the interface 12. The primary tasks of the CPU 19 include performing arithmetic and logical functions and reading and writing data items, as defined by program code executed by the CPU 19. The CPU 19 is also in communication with volatile random access memory 18 and non-volatile rewritable memory 17 . The non-volatile memory 17 is preferably a flash memory (flash EEPROM). This can be, for example, a flash memory with a NAND or a NOR architecture.

At the in 5 illustrated preferred embodiment is stored in the non-volatile memory 17, the program code that can be executed by the CPU 19. In particular, in the non-volatile memory 17, the program code of the chip card operating system, OS, 15, the Java Card runtime environment, JCRE, 16 (consisting of Java Card Virtual Machine, JCVM and Java Card Application Programming Interfaces, JCAPI), an application 13 for authentication data management and at least two authentication data records 172a, 172b. An application is preferably in the form of Java Card™ applets.

In addition, a CAT (not shown) according to ETSI TS 102 223 can be introduced. Instead of an application 13, a program element written in native code, for example in C or in assembler, can also be provided in order to calculate the authentication in accordance with 3 to do.

6 shows a further exemplary embodiment of a UICC 1, more precisely a memory area 17 of a UICC 1. The memory area 17 is a non-volatile memory, but can also be a volatile memory (RAM). The memory area 17 can be an exclusively allocated memory area 17 that is part of a larger memory unit. Storage area 17 may be a remote storage area. Memory area 17 of UICC 1 describes a memory area to which UICC 1 or control unit 19 of UICC has exclusive access. The access rights to the memory area 17, ie reading, writing, overwriting, can be defined in a security domain (SD), so that different subunits of the UICC 1 have access to different areas of the file system 175 or not.

The memory area 17 of 6 has, for example (but not necessarily) a subscription management 174 (ISD-R) that can manage different subscription profiles 173a-c. By means of an OTA communication between servers 40 of the communication network, for example subscription servers SM-SR or data provision servers SM-DP, SM-DP+ according to the GSMA specifications SGP.02 and SGP.22, a profile 173 ac can be managed, for example SMS, CAT_TP or HTTPS for Over-The-Air, OTA, communication with the UICC 1 is used. This profile management - which is not part of this description - includes "Create", "Load", "Activate", "Deactivate", "Delete" and "Update". For details, reference is made to the GSMA specifications mentioned.

A profile 173a-c has profile data. For example, one of the following components can exist as a profile file per profile 173a-c: an MNO security domain (MNO-SD) with the OTA key sets of OTA servers; at least one authentication parameter (Ki, OP, RAND, SGN) or at least one reference 176 (pointer or address) to a corresponding entry 172 in the file system 175 of the UICC 1; a network access application, policy rules; a profile-specific file system containing DFs, EFs for the respective profile 173a-c; profile connection parameters; applications; a subscriber identifier, IMSI, a subscriber identity module identifier ICCID, and profile updates, if any.

The UICC 1 also has authentication data management 171 . This can be in the form of a Java applet (see 4 ) executable stored in the memory area 17 of the UICC 1. The data management 171 can also be stored in the memory area 17 of the UICC 1 so that it can only be executed as native program code. The control unit 19 carries out the authentication data management 171 as needed.

Furthermore, authentication data records 172 are stored in memory 17 of UICC 1 . Two authentication data sets 172a and 172b are shown as an example, but the number is not limited. An authentication record 172 may include various authentication data. this is in 5 shown by way of example using the first authentication data record 172a. It has an authentication algorithm (Milenage, TUAK) with corresponding authentication parameters, one or more authentication keys (CK, IK, Ki), sequence parameters (counters SGN-MS, SGN-HE, other counters) and authentication updates etc. An authentication data record 172 can contain further authentication data in addition to the ones listed. The authentication data is preferred, as in 6 indicated, stored in a structured manner in the file system 175. However, proprietary files can also be created in order to store the authentication data records 172 .

The authentication data records 172 can be assigned to a respective profile 173 with a reference 176 . For this purpose, in one embodiment of the invention, an area is defined in the file system 175 in which the activated authentication data are stored. A profile 173 then accesses this area in order to authenticate the UICC 1 with the server 40 of the communication network 4 .

In another embodiment, the authentication data are written to the respective memory area of the file system after they have been received in step 101 .

For example, the AMF of an authentication request and/or an update request (key update, etc.) is set up to reference a storage location in the file system.

As in 6 , step 101 indicated, the UICC 1 can receive authentication data. Implementation details for this are described in the technical reports TR 33.834 and TR 133.935 and the implementations, in particular the update according to solutions 4b and 5, are referred to here. If updates are received, they are stored in a memory area of the UICC with the help of the authentication data management 171 . For this purpose, either a new file or a new file structure is created in the file system 175 or a corresponding authentication data record 172 is updated, eg overwritten or expanded. In addition, a reference 176 to the authentication data can be updated, for example by updating a memory address, updating a pointer or copying the updated authentication data to the corresponding area of the profile. Only one authentication data record can be activated at a time, so that the UICC 1 carries out a unique authentication with respect to the communication network.

An AMF field of an authentication request (AUTHENTICATE command) can preferably be used to indicate to the authentication data management 171 where updated authentication data is stored or is to be stored in the memory area 17 of the UICC 1 . The authentication data management 171 converts the information from the AMF field into internal commands that can be executed by the control unit 19 of the UICC 1 . For this purpose, the authentication data management 171 can create new key folders and/or key files in the file system 175 . New or updated authentication data is transmitted using proprietary commands, for example in an OTA UPDATE command.

For example, an AMF field of an authentication request (AUTHENTICATE command) can be used to switch, update and/or parameterize an authentication key Ki, CK, IK or an authentication algorithm (from Milenage to TUAK, etc.) via an AUTHENTICATE command. ) to effect. An independent switching command for switching between different profiles 173 can thus be dispensed with.

In order to occupy the AMF field, the server 40 of the communication network 4 naturally knows which authentication data is expected from the network 4 . The AMF field can then be configured accordingly.

The authentication data can be stored in EF files of the UICC 1, for example. Alternatively or additionally, the authentication data can be stored in data objects, for example in data objects of the UICC 1. Alternatively or additionally, the authentication data can be stored in reserved memory areas of the operating system, OS, the UICC. These different filing locations may require a change in the structure of the data records.

The authentication data can therefore be stored in differently structured data records 172a, 172b according to their storage location. the Authentication data management 171 is set up in particular to restructure and adapt the stored authentication data, in particular the data records 172a, 172b of the authentication data, in order to be able to use them for intended authentication on the one hand and to store them at the desired storage location on the other.

7 shows an exemplary embodiment of a flow chart of a method 100 according to the invention in a UICC 1. In step 101, authentication data are received. This receiving can be done using proprietary OTA commands. In step 102, this authentication data is processed accordingly by the authentication data management ( 4 ) filed and managed accordingly by the UICC 1. This administration 102 includes, for example, the creation of new file structures within the file system of the UICC 1 in order to store new authentication data in the memory 17 if necessary. This management 102 includes, for example, moving authentication data within the file system of the UICC 1 in order to update authentication data in memory 17 if necessary. This management 102 includes, for example, the copying of authentication data within the file system of the UICC 1 in order to update authentication data in memory 17 if necessary. This management 102 includes, for example, deleting authentication data within the file system of the UICC 1 in order to remove authentication data in memory 17 if necessary.

In step 103 an authentication request is received in the UICC 1 . Receiving is preferably an AUTHENTICATE command and includes, for example, the AMF with additional information.

In step 104, an authentication data record stored in the data memory 17 of the UICC 1 is selected, the selected authentication data record thus being activated. Selecting 104 means, for example, marking with which the authentication data record is activated. Selecting 104 also means, for example, moving the authentication data record or individual authentication data within the file system of the UICC, possibly with deleting an authentication data record or individual authentication data activated up to that point. The selection 104 is based on additional information from the AMF of the AUTHENTICATE command and relates, for example, to an authentication key Ki, an authentication algorithm, a parameter for checking a sequence number, a threshold value for limiting the lifetime of an authentication key, and/or an overwrite request for a sequence check value .

The additional information can be: an indication of an existing authentication key to be used, and/or an indication of an existing authentication algorithm to be used, and/or an update of an existing authentication key, and/or an update of an existing authentication algorithm, and/or an overwrite request a sequence check, and/or an authentication key identification, and/or a file or folder path specification of the file system 175 of the UICC 1 for finding authentication data to be used.

In step 105 the selected authentication data are created for an authentication response and then sent to the communication network 4 via the interface 21 .

Within the scope of the invention, all of the elements described and/or drawn and/or claimed can be combined with one another as desired.

Reference List

I

network access security

II

Net Domain Security

III

User Domain Security

IV

Application Domain Security

V

Visibility and configurability of security

1

UICC, Subscriber Identity Module, SIM

11

Command, APDU

12

interface

13

applet

15

operating system, OS

16

Java Runtime Environment, JCRE

17

Non-Volatile Storage

171

authentication data management

172a,b

authentication record

173a-c

subscription profile

174

Subscription Management

175

file system

176

address reference

18

Volatile memory

19

control unit, CPU

2

device

21a,b

Control unit, ECU

22

modem

23

Transmission command, APDU

3

Modem between device and UICC

4

communication network

40

server

5

Over The Air Communication

AK

anonymity key

AMF

Authentication Management Data Field

AUTHENTIC

authentication token

CK

encryption key

f1 - f5

Functional unit in the UICC

IC

integrity key

K

key

MAC

Message authentication code

EDGE

random number

RES

answer

SQN

sequence parameters

XMAC

expected MAC

XRES

anticipated RES101-107 process steps

Claims (17)

A UICC (1), preferably a subscriber identity module, set up to manage authentication data of the UICC (1), having: - An interface (12) set up for receiving (101), from the communication network (4), of authentication data for an authentication data record (172); - a data memory (17) set up for: - Storing an authentication data management (171) in a file system (175) of the UICC (1); and - Storage of at least two different authentication data of an authentication data record (172) or at least two different authentication data records (172a, 172b) in the file system (175) of the UICC (1), wherein authentication data records (172, 172a, 172b) are set up to authenticate the UICC ( 1) on the communication network (1), the authentication data comprising: - an authentication key; - an authentication algorithm; - a parameter to check a sequence number; - a threshold for limiting the lifetime of an authentication key; and or - an overwrite request of a sequence check value, and - a control unit (19) arranged to: - Selecting (104) an authentication data record (172, 172a, 172b) stored in the data memory (17) of the UICC (1), the selected authentication data record (172, 172a, 172b) then being activated. The UICC (1) after claim 1 , wherein the authentication data management (171), when it is carried out by the control unit (19), is set up to create a new file in the file system (175) of the UICC (1) or in a data object or in a reserved memory area of the operating system. The UICC (1) after claim 1 or 2 , wherein the authentication data management (171), when it is carried out by the control unit (19), is set up to store the received authentication data. The UICC (1) according to one of the preceding claims, wherein the authentication data management (171), when it is carried out by the control unit (19), is set up to overwrite already stored authentication data with the received authentication data. The UICC (1) according to any one of the preceding claims, wherein: - The interface (12) is further set up to receive, from the communication network (4), an authentication request for authenticating the UICC (1) on the communication network (4); - in response to the received authentication request from the communication network (4), the control unit (19) is further arranged to: - creating (105) an authentication response using the activated authentication record (172, 172a, 172b); and - Initiating the transmission of the created authentication response to the communications network (4), whereupon the created authentication response is transmitted to the communications network (4) via the interface (12). The UICC (1) according to any one of the preceding claims, wherein - the interface (12) is further arranged to receive, from the communication network (4), an authentication request for authenticating the UICC (1) on the communication network (4); - the authentication request an authentication management data field (AMF), wherein additional information about an authentication data record (172, 172a, 172b) to be used for authenticating the UICC (1) on the communication network (4) is displayed in the authentication management data field (AMF). The UICC (1) according to one of the preceding claims, wherein the authentication request is an AUTHENTICATE command and wherein the additional information is preferably introduced into the eighth to fifteenth bit of an authentication data field (AMF) of the AUTHENTICATE command. The UICC (1) according to any one of the preceding claims, wherein the additional information - an indication of an existing authentication key to be used, and/or - an indication of an existing authentication algorithm to be used, and/or - an update of an existing authentication key, and/or - an update of an existing authentication algorithm, and/or - an overwrite request of a sequence check, and/or - an authentication key identification, and/or - is a file or folder path specification of the file system of the UICC for finding authentication data to be used. The UICC (1) according to any one of the preceding claims, further comprising: - An operating system (15), executable stored in the data memory (17) and set up to carry out the steps of the control unit (19). A method (100) for authenticating a UICC (1), preferably a subscriber identity module, according to one of the preceding claims on a communication network (4), comprising the steps: - Obtaining (103), in the UICC (1), an authentication request from the communications network (4), the authentication request having an authentication management data field (AMF), wherein the authentication management data field (AMF) contains additional information about at least one for authentication by the UICC (1) the authentication record (172, 172a, 172b) to be used is indicated; - Selecting (104), by the UICC (1), one of at least two in the UICC (1) stored mutually different authentication data sets (172, 172a, 172b) using the additional information from the authentication data field (AMF); - Creating (105), by the UICC (1), an authentication response to the communication network (4) using the selected authentication data record (172, 172a, 172b). The method (100) after claim 10 wherein the UICC (1) receives a key update request, the key update request including an indication of a new authentication key. The method (100) after claim 11 , wherein the key update request includes the new authentication key encrypted, the encryption based on a subscriber ID of the UICC (1) or a previously between UICC (1) and the communication network (4) secrets negotiated. The method (100) of any preceding Claims 10 until 12 , wherein the UICC (1) has authentication data management (171) and wherein this authentication data management (171) is set up for: - creating a new file in a file system (175) of the UICC (1), - storing new authentication keys in the file system ( 175) of the UICC (1), - storing new authentication algorithms in the file system (175) of the UICC (1), - replacing updated authentication keys in the file system (175) of the UICC (1), and/or - replacing updated authentication algorithms in the file system (175) of the UICC (1). The method (100) of any preceding Claims 10 until 13 , wherein before receiving (103) the authentication request in the UICC (1), an authentication parameter update is received (101). Method (100) according to any one of the preceding Claims 10 until 14 , wherein the authentication request is received as an APDU command in the UICC (1) and/or wherein the authentication response is transmitted as an APDU command from the UICC (1). Method (100) according to any one of the preceding Claims 10 until 15 , the method (100) being executed by an operating system routine of the UICC (1). A computer program product executable installed in a UICC (1) and having means (17, 19) for executing the method steps of the method (100) according to one of Claims 10 until 16 .

Images