WO2023025411A1 - Verfahren in einem secure element - Google Patents
Verfahren in einem secure element Download PDFInfo
- Publication number
- WO2023025411A1 WO2023025411A1 PCT/EP2022/025382 EP2022025382W WO2023025411A1 WO 2023025411 A1 WO2023025411 A1 WO 2023025411A1 EP 2022025382 W EP2022025382 W EP 2022025382W WO 2023025411 A1 WO2023025411 A1 WO 2023025411A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network
- identity
- key
- volatile memory
- key pair
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 73
- 230000004044 response Effects 0.000 claims abstract description 73
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 25
- 238000004590 computer program Methods 0.000 claims abstract description 4
- 238000004364 calculation method Methods 0.000 claims description 24
- 238000012913 prioritisation Methods 0.000 claims description 8
- 230000004913 activation Effects 0.000 claims description 6
- 230000006870 function Effects 0.000 claims description 5
- 238000004891 communication Methods 0.000 description 36
- 230000008569 process Effects 0.000 description 7
- 230000008859 change Effects 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 4
- 238000012545 processing Methods 0.000 description 3
- YKFRUJSEPGHZFJ-UHFFFAOYSA-N N-trimethylsilylimidazole Chemical compound C[Si](C)(C)N1C=CN=C1 YKFRUJSEPGHZFJ-UHFFFAOYSA-N 0.000 description 2
- 230000008901 benefit Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 238000009795 derivation Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000018109 developmental process Effects 0.000 description 2
- 230000005611 electricity Effects 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- 230000007704 transition Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000002250 progressing effect Effects 0.000 description 1
- 230000008054 signal transmission Effects 0.000 description 1
- 230000011664 signaling Effects 0.000 description 1
- 238000013403 standard screening design Methods 0.000 description 1
- XLYOFNOQVPJJNP-UHFFFAOYSA-N water Substances O XLYOFNOQVPJJNP-UHFFFAOYSA-N 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/77—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in smart cards
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/068—Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0892—Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/40—Security arrangements using identity modules
- H04W12/42—Security arrangements using identity modules using virtual identity modules
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/75—Temporary identity
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2103—Challenge-response
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
Definitions
- the invention relates to various methods in a secure element, SE, preferably a fifth generation subscriber identity module, a corresponding SE, a computer program product and a system having an SE and a network.
- a terminal device for example a mobile phone or a machine-to-machine device, M2M device for short, or a device for using technologies of the Internet of Things, English: Internet-of-Things, short: loT, a SE.
- Identity data subscriber identity data, subscriber identifier, subscription
- a subscriber person or device
- an operator of the service or of the communication network it is also possible for the operator of a communications network to allow network access, ie logging into the communications network, as soon as the subscriber has been authenticated. He can also refuse network access if authentication of the subscriber is not possible.
- the world is mobile connected, and mobile connectivity is progressing.
- Cellular-capable end devices communicate via cellphone networks.
- the end device In order to use a mobile radio-capable end device, such as a smartphone or mobile phone, in a mobile network of a network operator, the end device contains an SE that contains at least one subscription.
- the subscription includes, for example, a cryptographic authentication key, Ki, and unique identity data, such as International Mobile Subscriber Identity, IMSI, or the Network Specific ID, NSI.
- Ki a cryptographic authentication key
- IMSI International Mobile Subscriber Identity
- NSI Network Specific ID
- the USIM application manages the establishment, operation and termination of connections of the terminal device in the mobile network using the identity data.
- the IMSI was queried by the network for logging the terminal device into the communication network.
- the end device or the SE then sends the IMSI unencrypted, i.e. in plain text, in a NAS message.
- This unencrypted IMSI represents a security problem because so-called IMSI intercept devices (IMSI catchers) can intercept this IMSI in order to locate a position of the terminal device.
- IMSI catchers so-called IMSI intercept devices (IMSI catchers) can intercept this IMSI in order to locate a position of the terminal device.
- IMSI catchers so-called IMSI intercept devices
- any identity data for logging into the network must be transmitted in encrypted form, see for example ETSI TS 102 221 Version 15 or 3GPP TS 31.102 Version 15 or 3GPP TS 33.501 Version 15.
- the identity data (in particular IMSI, NSI) are referred to as Subscription Permanent Identifier, SUPI, and are transmitted encrypted in the SG network as Subscription Concealed Identifier, SUCI, see points 5.2.5 and 6.12 in the 3GPP TS 33.501, version 15.2.0.
- the network can make an identity query or, if necessary, a registration query.
- a registration query includes an identity query, the process of which is basically described in 3GPP TS 23.501.
- An identity request must be answered within a short time frame, for example within 6 seconds. During this time, the identity data must be extensively encrypted and sent to the network in response to the identity question.
- Encrypting the SUPI to form a SUCI is computationally expensive and time-consuming, since complex encryption algorithms are provided, see, for example, Fig. C.3.2.1 of 3GPP TS 33.501, version 15.2.0. It has turned out that the time frame specified for this, also with a view to user-friendliness, is tight and can hardly be met, especially by SEs with few resources. If the time frame is not adhered to (“timeout”), the identity query is deemed not to have been answered and a network login cannot take place.
- SEs with more resources are used, which have a crypto co-processor or a multiplication accelerator, for example. These SEs are expensive.
- WO 2019/068 731 A1 proposes calculating the SUCI completely in advance and storing it in an SE.
- a fully pre-computed SUCI is then loaded from the SE's memory and used in a response to the identity challenge.
- permanent storage of the SUCI is a security risk. It also presupposes that the parameters used in the calculation of the SUCI always remain unchanged. But that's not always the case.
- the invention is based on the object of offering a method in an SE in which the calculation time for creating and sending a response to the identity query of a network can be shortened without the encrypted identity data required for this being permanently stored in advance. There should also be a multiple Create and send a response to one or more identity queries of the network in a reduced time. It is also an object of the invention to adapt the execution steps, which are carried out before an identity query and allow a shortened creation and sending of a response to the identity query, to a resource utilization of the SE and thus the execution of other tasks, tasks or programs on the SE not to block. High-resource SEs (with corresponding crypto processor arithmetic or multiplication accelerators, for example Montgomery, etc.) should be avoided for reasons of cost.
- a method in a secure element, SE for generating at least one symmetric key and/or an SE-individual cryptographic key pair for creating and sending the response to the identity query sent by the network, in particular a GET IDENTITY command, with the following Method steps specified: First step: generating, in the SE, of at least one SE individual cryptographic key pair based on an ECC algorithm and storing the at least one SE individual cryptographic key pair in a non-volatile memory; and/or second step: generating, in the SE, the at least one symmetric key using the stored private key part of the first SE-individual cryptographic key pair and a public key part of a network key pair in the SE and storing the symmetric key part in the non-volatile memory, wherein the first step and/or the second step is already performed before receiving the identity query sent by the network, wherein the generated symmetric key is used to create and send the response to the identity query sent by the network, the start of the execution of the second step takes place at a different time after the
- sub-steps for creating and sending the response to the network's identity query are performed before the identity query is received.
- partial calculation results which are used to create and send the response to the network's identity query, are stored on the SE or the terminal device. If an identity query from the network is received in the SE, only the final calculation steps for creating and sending the answer to the identity query from the network are calculated based on the partial calculation results that have been stored. These last calculation steps can be carried out in a short period of time and do not jeopardize the total time required to send the response to the identity query.
- the computing effort and thus also the time required to create and send a response with encrypted identity data when the identity query from the network is received is thus greatly reduced.
- the SE-individual cryptographic key pair is preferably generated by the SE before the identity query is received.
- the SE-individual cryptographic key pair comprises the private key part (to generate the symmetric key) and a public key part.
- the public key portion is preferably part of the identity challenge response and is incorporated into the response in the sending step of creating and sending the network's identity challenge response.
- the public key part can be the "Eph. public key of UE" according to Fig. C.3.2-1 of 3GPP TS 33.501, version 15.2.0.
- Eph. key pair generation according to Fig. C.3.2-1 of 3GPP TS 33.501, Version 15.2.0, with the difference that this key pair was already generated before receiving the identity query from the network.
- the generation can be based on an encryption with elliptic curves, for example according to an "Elliptic Curve Integrated Encryption Scheme, ECIES", for example according to a Curve25519 algorithm according to RFC7748 or a secp256rl algorithm according to the SEC-2 standard.
- the parameters of the ECIES can be found in Appendix C3.4 of 3GPP TS 33.501, Version 15.2.0, for example.
- the symmetric key is a key of a symmetric cryptosystem in which, in contrast to an asymmetric cryptosystem, both participants, here SE and the network, use the same key to encrypt or decrypt messages/data.
- Generating the symmetric key can follow step “2. Key Agreement” according to Fig. C.3.2-1 of TS 33.501 V 15.2.0, with the difference that this symmetric key is generated before the identity query is received.
- the generation can be based on keys of an elliptic curve, for example according to an "Elliptic Curve Integrated Encryption Scheme, ECIES", for example according to a Curve25519 algorithm according to RFC7748 or a secp256rl algorithm according to the SEC 2 standard.
- the parameters of the ECIES can be found in Appendix C3.4 of 3GPP TS 33.501, Version 15.2.0, for example.
- the symmetric key may be generated using a public key portion of a network cryptographic key pair.
- This public key part is made available to the SE in advance and can be a public key part of a network provider's cryptographic key pair. This public key part can be made available to the SE during personalization of the SE.
- the symmetric key may have been generated using a private key portion of an SE individual cryptographic key pair.
- Just generating the symmetric key can take a certain amount of time in the SE, for example more than 1 second or more than 2 seconds or more than 3 seconds. By generating this symmetric key before receiving the identity query from the network, the time it takes to create and send the response to the network's identity query can be shortened by the time it takes to create the symmetric key, so the identity query can be answered in a timely manner.
- the generated symmetric key and/or the generated SE-individual cryptographic key pair is stored in a non-volatile memory area of the SE or the terminal and is loaded from the memory area of the SE when the method is executed.
- the memory area is a memory area of a non-volatile memory
- Objects of the type "high update objects" - HUO for short - are preferably stored in the memory area.
- the keys generated according to the invention are also regarded as data objects of the HUO type and are then also stored in the special NVM memory area. A maximum number of read/write accesses for storing and reading out the keys generated according to the invention can thus be significantly increased.
- the point in time at which the symmetric key is generated and/or the SE-individual cryptographic key pair is generated may be immediately before the network's identity query is received.
- the point in time at which the symmetric key is generated and/or the SE individual cryptographic key pair is generated can be immediately before or after the network sends a registration request.
- the symmetric key and/or the SE-individual cryptographic key pair can have been generated in response to a STATUS command or in response to a SELECT command in the SE.
- the generation of the SE-individual cryptographic key pair in the SE and/or the generation of the symmetric key can take place before a registration request is sent to the network.
- the SE-individual cryptographic key pairs and the symmetric key can be generated at different times.
- Decoupled in time means that the generation of an associated symmetric key part does not have to start directly after the generation of an SE-individual cryptographic key pair and/or the generation of a further SE-individual cryptographic key pair does not have to start immediately after the generation of a symmetric key part.
- the generation of the SE-individual cryptographic key pair and the generation of the symmetric key part or the generation of the symmetric Key and another SE-individual cryptographic key pair are interrupted in time.
- the duration of this time interruption can be as long or as short as you like.
- the task is a self-contained task represented by part or all of a program.
- a task can also be a process or a task for an operating system and thus a thread, (kernel) thread or user thread.
- the first step and/or the second step is preferably carried out at least twice before the identity query sent by the network is received in the SE.
- SE-individual cryptographic key pairs and/or symmetric keys can be stored in a permanent or non-volatile memory on the SE or the terminal.
- the first step and/or the second step is preferably carried out 10 times before the SE receives an identity query from the network.
- the network preferably registers whether the creation and sending of a response to a GET IDENTITY command has exceeded a maximum period of time and, if necessary, sends a registration request to the SE again. Based on the SE-individual cryptographic key pairs and/or symmetric keys stored in the non-volatile memory, the SE or the terminal device can directly create and send a response to the GET IDENTITY command again in a shorter time.
- the maximum amount of time is preferably the maximum amount of time that the network allows to receive an identity response to the identity query.
- the execution of the first step and/or the second step can preferably be paused at least temporarily and/or aborted if at least one further task is being executed on the SE.
- Pausing means a temporary interruption of a process.
- the process is the execution of the first and/or the second step. Therefore, the first step and/or the second step can be temporarily interrupted if at least one other task is running on the SE.
- the pause can last as long or as short as you like.
- the prioritization determines a priority with which the first step and/or the second step is performed compared to other tasks, tasks or programs on the SE. The higher the priority selected for the first step and/or the second step, the more likely it is that the execution of the first step and/or the second step will be given priority over the execution of other tasks, tasks or programs.
- the priority of the first step and/or the second step in comparison to at least one other task, another task or program on the SE can depend on the number of SE-individual cryptographic key pairs already stored in the non-volatile memory and/or on the number of already depend on the symmetric key stored in non-volatile memory.
- the prioritization of the first step and/or the second step compared to at least one other task, another task or program on the SE is chosen in such a way that the priority becomes all the lower compared to other tasks or programs executed by the SE, the more SE-individual cryptographic key pairs and/or symmetric keys have already been stored on the SE in a non-volatile memory, for example SSDs, EPROM, flash memory.
- the priority can also be selected to be the same from and/or up to a number of symmetric keys that have already been generated.
- the first symmetric key and/or the first SE-individual cryptographic key pair can be stored in the non-volatile memory very promptly. This increases the probability that at least one symmetric key and/or at least a first SE-specific cryptographic key pair for creating and sending the answer to the identity query was already stored in the non-volatile memory of the SE when the network was first asked for identity.
- the further generation of symmetric keys and/or SE-individual cryptographic key pairs can take place with a lower priority. However, several symmetric keys and/or SE-individual cryptographic key pairs can also be generated with high priority. The priority depends, for example, on how many registration requests and/or how many identity requests the network makes to the terminal device or the SE and/or the network expects them.
- the SE preferably carries out a method for creating and sending a response to an identity query sent by a network, in particular a GET IDENTITY command, with the following method steps: receiving, in the SE, the identity query sent by the network; checking whether at least one valid symmetric key or at least one valid public key part of a network key pair is present in the non-volatile memory; Generating the symmetric key by performing a second step, if in the checking step there is no valid symmetric key but at least one valid public key part of a network key pair in the non-volatile memory, the second step involves generating, in the SE, the at least one symmetric comprises keys using a stored private key part of the first SE individual cryptographic key pair and a public key part of a network key pair in the SE; or generating the symmetric key by performing a first step and the second step, in the SE, if in the checking step there is no valid symmetric key and no valid public key part of a network key pair in the non-volatile memory, the first step being
- the SE checks whether system conditions have changed in such a way that the SE-individual cryptographic key pair and/or the symmetric key is no longer valid.
- the public key portion of the network's cryptographic key pair used to generate the symmetric key could have changed in the meantime, making the symmetric key invalid and requiring recalculation
- the previously generated symmetric key would thus be invalid from the point in time of the change/update of the public key part of the cryptographic key pair of the network and/or a changed encryption in the first and/or second step.
- a response to the network's identity query generated with this invalid key would therefore also be invalid, since the response cannot be decrypted and logging into the network would fail.
- the method for generating the response is based on the second step and/or the first step and the second step to the identity query.
- a new symmetric key can be generated by executing only the second step using a valid private part of the SE-individual cryptographic key pair 7 and a current valid public key part of the cryptographic key pair of the network become. This at least saves the time to perform the first step.
- the symmetric key can also be stored in a volatile memory, for example in RAM.
- an SE-individual cryptographic key pair is first generated by executing the first step and the second step and, based on this, a symmetric key is generated using a valid public key part of a cryptographic key pair.
- the SE-individual cryptographic key pair and/or the symmetric key can also be stored in volatile memory, for example in RAM. This ensures that only if no symmetric key and no valid SE-individual cryptographic key pair is stored in the non-volatile memory, these are recreated upon an identity query. Otherwise, a lower computing time can be achieved.
- This generation step also enables a valid key to always be present, so that the response to the network's identity query does not become invalid in that a response cannot be decrypted and the login to the network therefore fails.
- the encrypt step can follow step “4. Symmetry Encryption” according to Fig. C.3.2-1 of TS 33.501 V 15.2.0, with the difference that this symmetric key is generated before the identity query is received.
- the result of the encryption step is, for example, the "Cipher-text value" according to Fig. C.3.2-1 of 3GPP TS 33.501, version 15.2.0.
- the identity data can be loaded from a memory of the SE as input parameters for this encryption step.
- This identity data is unencrypted.
- the identity data is referred to as SUPI.
- the SUPI contains the IMSI or the NSI, which is used for identification in the 5G network.
- the (unencrypted) identity data represents the data to be encrypted and consists of at least parts of the IMSI.
- the (unencrypted) identity data can correspond to the "plain text block" according to Fig. C.3.2-1 of 3GPP TS 33.501, version 15.2.0.
- the unencrypted identity data can be stored in at least one file of the SE, with at least one file preferably being the EFIMSI or EFNSI file, which contains an international mobile radio subscriber identification, IMSENSI, with the answer to the identity query preferably being a subscription concealed identifier , SUCI-, includes.
- the apply step can follow step “5. MAC Function” according to Fig. C.3.2-1 of the TS 33.501 V 15.2.0 standard.
- a message authentication code, MAC for short is used to obtain certainty about the origin of the identity data and to check its integrity.
- the MAC is generated according to the standard over the encrypted data.
- the recipient i.e. the network, uses the MAC to check the symmetrical key generated in the network by the network recalculating the MAC with the generated symmetrical key and comparing it with the MAC received.
- the MAC algorithm needs the result of the encryption step and a secret key, for example the "Eph. Mac Key" according to Fig.
- the symmetric key can be split before it is used in the encryption step, for example into a first partial key that is used in the encryption step for generating of the encrypted identity data and into a second partial key that is used in the apply step to generate the MAC.
- This division can follow step “3. Key Derivation” according to Fig. C.3.2-1 of 3GPP TS 33.501, Version 15.2.0.
- the first partial key can be the “Eph. enc Key, ICB” according to Fig. C.3.2-1 of 3GPP TS 33.501, Version 15.2.0.
- the second partial key can be the “Eph. mac Key” according to Fig. C.3.2-1 of 3GPP TS 33.501, Version 15.2.0.
- a key length can be adjusted.
- the SE no longer needs to have an encryption co-processor or a multiplication accelerator.
- This type of SE requires a particularly large time frame, for example more than 2 seconds, or more than 3 seconds, or more than 4 seconds, or more than 5 seconds, for creating and sending a response according to the conventional method.
- Pre-generating the symmetric key and/or pre-generating the SE-individual cryptographic key pair can significantly reduce this time frame and thus prevent network rejections due to timeout to send a response to an identity query.
- the network preferably recognizes whether the creation and sending of the response to the identity query sent by the network exceeds a maximum period of time or establishes that the identity query has already not been accepted by the network. In this case, the network resends a registration request to the SE, and the SE responds to receiving an identity query sent by the network by recreating and sending a response according to the method described above
- the network registers that creating and sending a response to a GET IDENTITY command has exceeded a maximum amount of time and resends a registration request to the SE.
- the SE and/or the terminal device can again create and send a direct response to the GET IDENTITY command in a shorter time. If the SE does not have another valid symmetric key, the execution of the first and/or second step is preferably started immediately after the renewed registration request has been sent.
- the maximum amount of time is preferably the maximum amount of time that the network allows to receive an identity response to the identity query.
- the duration for transmitting the identity query from the network to the terminal device or to the SE and the duration for transmitting the identity response from the terminal device or from the SE to the network are preferably also taken into account. This means that if it takes longer to create and send the answer to the identity query of the network, for example due to a bad modem, poor reception or due to higher-priority tasks or jobs on the SE, a new identity query can be made directly without waiting for an error message from the network must become.
- the symmetric key and/or the public part and/or the private part of the SE-individual cryptographic key pair is expediently deleted after at least one of these keys has been used to create and send the response to the identity query sent by the network.
- the symmetric key and/or the SE individual cryptographic key pair is deleted after the keys have been used to construct and send a response.
- the keys can also be marked as already used, for example, and remain in the non-volatile memory for further checking, for example.
- a new symmetric key and/or a new SE-individual cryptographic key pair is created and stored in non-volatile memory if a maximum number of symmetric keys and/or SE-individual cryptographic key pairs in non-volatile memory has not yet been exceeded and/or a Storage space required for the symmetric key and/or the SE-individual cryptographic key pairs does not yet exceed a predefined storage space in the non-volatile memory.
- predefined memory space for example. It can also be specified which predefined memory space may be occupied by the symmetric keys and/or the SE-individual cryptographic key pairs in the non-volatile memory.
- the maximum number of symmetric keys to be generated and/or the SE-individual cryptographic key pairs is specified during initialization and/or activation of the SE or the terminal device and/or the predefined storage space in the non-volatile memory during initialization and/or the Activation reserved.
- the size of the predefined memory space can be changed or defined during the initialization and / or activation of the SE or the terminal, which is reserved for storing the symmetric key and / or the SE individual cryptographic key pairs to the SE and / or to adapt the end device to new conditions, such as new networks.
- the SE preferably has no encryption co-processor and/or no multiplication accelerator in order to save costs in the manufacture of the terminal or in the SE used.
- the first step and/or the second step is preferably executed at least once after a STATUS command or a SELECT command has been received in the SE.
- a secure element preferably a fifth-generation subscriber identity module.
- the SE comprises: an interface arranged to receive an identity query sent from a network, in particular a GET IDENTITY command; a non-volatile memory set up for storing identity data, preferably in at least one file; and a control unit configured to carry out at least one of the method steps described above.
- the SE can further comprise an operating system, executably stored in the non-volatile memory and set up, when executed in the control unit, to carry out the method steps of the methods described above.
- a computer program product is executable installed in an SE, preferably a fifth generation subscriber identity module, and has means for executing the method steps of the methods described above.
- a system having an SE, preferably a subscriber identity module of the fifth generation, and a network, wherein the system is set up to carry out the method steps of the methods described above.
- An SE within the meaning of the invention is an electronic module that is reduced in size and scope of resources and has a control unit (microcontroller).
- SE is synonymous with the term “UICC”, “eUICC”, “subscriber identity module”, “chip card”, “iUICC”, “Integrated eUICC”, “Integrated Secure Element”, “embedded Secure Element”, “Secure Element” or “SIM”.
- the SE is, for example, a chip card or a SIM card or a subscriber identity module.
- the SE is used to identify a subscriber in a communications network with the machine-readable identity data stored in the secure, non-volatile memory area and to authenticate it for using services.
- SE also includes USIM, TSIM, ISIM, CSIM or R-UIM.
- an SE is defined as a USIM application in ETSI TS 131 102.
- an SE is defined as a SIM application in ETSI TS 151 011.
- an SE is defined as a TSIM application according to ETSI TS 100 812.
- an SE is defined as an ISIM application according to ETSI TS 131 103.
- an SE is defined as a CSIM application according to 3GPP2 C.S0065-B.
- an SE is defined as an R-UIM application according to 3GPP2 C.S0023-D.
- the SE can be an integral part within the terminal device, for example a hard-wired electronic component. Such SE are also referred to as eUICC. In this design, these SEs are not intended to be removed from the terminal device and, in principle, cannot simply be exchanged. Such SE can also be designed as embedded secure elements and are a secure hardware component in the device.
- the SE can also be a software component in a trusted part of an operating system, a so-called Trusted Execution Environment, or TEE for short, of the terminal device.
- TEE Trusted Execution Environment
- the SE is designed, for example, within a secure runtime environment in the form of programs running there, so-called “trustlets” or “trusted applications”.
- the SE can also be an integral part of a larger integrated circuit such as a modem or application processor. Such SE are referred to as "integrated UICC", “integrated TRE", “integrated eUICC” or “Integrated SE”. Such SEs are permanently integrated into a SoC as an integrated processor block and can be connected via a chip-internal bus.
- the SE has, for example, an internal or external, secure, non-volatile memory area in which the identity data is securely introduced in order to prevent attempts at manipulation and/or misuse during identification and/or authentication on the network.
- the SE can be operable by means of a terminal device, with the SE in this configuration except for supply signals such as supply voltage, clock, reset, etc. is self-sufficient.
- the SE can then have an interface (data interface) for communication with the terminal device, into which the SE is possibly installed ready for operation.
- This communication preferably takes place via a connection protocol, in particular a protocol according to the standard ETSI TS 102 221 or ISO-7816.
- end device is preferably used here, since the end device in communication technology can primarily be a "terminal”. This does not exclude that the "terminal” can be a “device” in a different technology.
- end device and device are used synonymously here.
- the SE can be used for remote monitoring, control and maintenance of devices such as machines, plants and systems. It can be used for metering units such as electricity meters, hot water meters, etc.
- the SE is part of the technology of the loT.
- a terminal within the meaning of the invention is basically a device or a device component with means for communicating with a communications network in order to be able to use services in the communications network or to be able to use services from a server via a gateway in the communications network.
- a mobile end device such as a smartphone, a tablet PC, a notebook, a PDA is to be included under the term.
- the end device can also be understood to mean, for example, multimedia devices such as digital picture frames, audio devices, televisions, e-book readers, which also have means for communicating with the communications network.
- the end device is installed in a machine, an automat and/or a vehicle.
- the terminal is installed in a motor vehicle, it has an integrated SE, for example.
- the SE can set up a data connection to a server via the communications network using the terminal device, for example a modem in the terminal device.
- ECUs Electronic Control Unit
- a server in the background system of the mobile radio network operator, MNO can be contacted via the UICC, for example a server, in order to load updates for software, firmware and/or the operating system of the SE into the SE.
- mobile communications-capable end devices also include control devices (control devices or measuring devices or combined control/measuring devices) for industrial facilities in the commercial or private environment.
- Industrial facilities are, for example, production facilities that have one or more control devices (terminals) that communicate with a background system and/or with one another via a mobile radio network can.
- Other industrial facilities are smart home facilities such as heaters or electricity consumers with end devices in the form of control devices.
- a command can be, for example, an instruction, a command, or an instruction sent by the device.
- the command is preferably a command according to ETSI TS 102221 or ISO/IEC 7816 standard.
- commands are received as APDU commands in the UICC.
- An APDU is a combined command/data block of a connection protocol between the UICC and the device.
- the structure of the APDU is defined by the IS 0-7816-4 standard.
- APDUs represent an information element of the application layer (layer 7 of the OSI layer model).
- the SE is preferably a fifth generation USIM, also referred to as “5G USIM”. This means that a subscriber can be identified according to the 5G standard.
- the at least one file is the EFIMSI, which contains an international mobile radio subscriber identification, IMSI.
- IMSI international mobile radio subscriber identification
- This IMSI needs to be protected. If possible, it should not be transmitted to the end device or the network in plain text. In a 5G network, the IMSI is not exchanged in the clear between the SE and the communication network.
- the at least one file is the EFNSI file, which contains a permanent subscription identifier, or SUPI for short.
- This SUPI must be protected. If possible, it should not be transmitted to the end device or the network in plain text.
- This SUPI in the EFNSI is preferably not the IMSI.
- This SUPI can be a network access identifier, NAI for short, as defined in the 3GPP TS 23.003 standard.
- the at least one file is the EFRouting identifier file, which contains a routing indicator for the SUCI calculation.
- a terminal or the SE can carry out the method according to the invention and, as a result, create a SUCI and send it to the network.
- This EFRouting identifier file contains the routing indicator which, together with an MCC and an MNC, allows to forward network signaling with SUCI to AUSF and UDM entities capable of serving the subscriber as defined in the 3GPP TS 23.003 standard is.
- a subscription permanent identifier, SUPI for short is used as identity data.
- the SUPI is defined in the 3GPP specification TS 23.501.
- a valid SUPI can be an IMSI or a Network Access Identifier, NAI for short, as defined in RFC 4282 in conjunction with 3GPP TS 23.003.
- the SUPI can then under be converted into a Subscription Concealed Identifier, SUCI for short, using the 5G USIM (encrypted SUPI).
- the SUCI is a privacy-preserving network identifier containing the SUPI hidden within.
- the 5G USIM will generate a SUCI using the method described here and using this ECIES based protection scheme presented above with the symmetric key generated earlier.
- the IMSI (which is part of the SUPI) is then sent encrypted as a SUCI in response to the network's identity challenge.
- identity data are, for example, data that uniquely authenticate a participant in the communication network, for example an authentication algorithm, specific algorithm parameters, a cryptographic authentication key Ki and/or a cryptographic Over-The-Air, OTA for short, key.
- service is in particular a voice service or a data service of a server with which information and/or data are transmitted via the communication network.
- a communication network (the network) is a technical device on which the transmission of signals takes place with identification and/or authentication of the subscriber.
- the communication network offers its own services (own voice and data services) and/or enables the use of services from external entities.
- the communication network is preferably a cellular network.
- a device-to-device communication under the supervision of the communication network is possible.
- a mobile network of the 5th generation "5G" is understood here as a communication network.
- FIG. 1 shows a flow chart of a method according to the invention in an SE
- FIG. 2 shows a flow chart of a method according to the invention in an SE
- FIG. 3 shows a flow chart of a method according to the invention in an SE
- FIG. 4 shows a flow chart of a method according to the invention between an SE, a device and a network
- FIG. 5 shows a flow chart of a method according to the invention between an SE, a device and a network
- FIG. 6 shows a flow chart of a method according to the invention between an SE, a device and a network
- Fig. 7 shows an embodiment of a system consisting of a device with SE and a network
- a first step 101 and a second step 102 are part of a routine for creating and storing 200 the keys before receiving an identity query from the network.
- an SE-specific cryptographic key pair PubKsE, PrivKsE is generated in the SE on the basis of an ECC algorithm generated.
- the SE-individual cryptographic key pair PubKsE, PrivKsE depends on the type of encryption that is to be used.
- the type of encryption is determined by the network. In principle, the type of encryption can change.
- the network transmits to the SE, for example, a configuration file that contains an indication of the cryptographic encryption to be used.
- An execution of a configuration file is described, for example, in the simalliance specification "eUICC Profile Package: Interoperable Format", Version 2.3.1, November 2019, Annex D.
- the configuration file is read out by the SE at certain times, such as when booting up; expediently, it is always read out when the SE receives a GET IDENTITY command.
- a Curve25519 / X25519 algorithm is used as the encryption method.
- An ECIES profile parameter used in Annex C3.4 of the 3GG TS 33.501 standard can be used.
- the encryption method can be of the ECIES Profile A or ECIES Profile B type.
- the encryption method to be used is determined, for example by reading out the configuration file.
- the SE-individual cryptographic key pair PubKsE, PrivKsE is calculated with the identified encryption method.
- this first step 101 can take up to 3 seconds.
- a symmetric key SharedKsE-HN is generated in the SE.
- This symmetric key SharedKsE-HN is generated using the private key part PrivKsE generated in the first step 101 of the SE-individual cryptographic key pair and a public key part PubKuN of a cryptographic key pair of a network.
- the public key part PubKuN is known to the SE before the execution of the second step 102 and is present in the SE.
- the public Change key part PubKuN For example, the network can have communicated a new, up-to-date public key part PubKuN to the SE via OTA.
- the public key part PubKuN is expediently contained in the configuration file.
- An initial public key part PubKuN can already be stored in the memory of the SE when the SE is personalised.
- the SE Before executing the second step 102, the SE checks whether the last used public key part PubKuN matches the current public key part PubKuN. If this is the case, the SE uses the stored public key part PubKuN, otherwise it updates the stored public key part PubKuN with the current stored public key part PubKuN and then uses this.
- the second step 102 can follow the step “2. Key agreement" of the procedure according to Fig. C.3.2-1 of TS 33.501 V 15.2.0. In an SE without a crypto co-processor or without a multiplication accelerator, this step can take up to 3 seconds.
- the execution of the first step 101 and the second step 102 can take place at different times. Therefore, a time Zeiti may elapse between the execution of the first step 101 and the second step 102 on the SE.
- the time Zeiti between the execution of the first step 101 and the second step 102 can be defined by a prioritization of the execution of the first step 101 and the second step 102 on the SE compared to other tasks that are executed on the SE. It is also possible that the first step 101 is not carried out immediately, but only after a period of time has elapsed after a start, an activation and/or an initialization of the SE. It is also possible that between the completion of the execution of the first step 101 and/or the second step 102 a longer time elapses before the SE receives an identity query from the network.
- the execution of the first step 101 or the second step 102 upon receipt of an identity query is aborted so that the SE starts creating and sending 300 a Response to the network's identity query can begin. This preferably only takes place if at least one valid symmetric key is present in the non-volatile memory.
- first step 101 and/or the second step 102 it is also possible to carry out the first step 101 and/or the second step 102 multiple times (shown in FIG. 2, not in FIGS. 1 and 3).
- several SE individual cryptographic key pairs PubKsE, PrivKsE and/or symmetric keys SharedKsE-HNv can be stored in the non-volatile memory.
- the prioritization 202 can be defined again.
- the first step 101 and/or the second step 102 is carried out until sufficient SE-individual cryptographic key pairs PubKsE, PrivKsE and/or symmetric keys SharedKsE-HNv are stored in the non-volatile memory. This is checked in step 201.
- a routine for creating and sending 300 a response to an identity challenge is described below.
- step 104 it is checked whether a valid symmetric key SharedKsE-HN is present in the non-volatile memory. For this purpose, it is checked whether the cryptographic calculation method used to determine the SE-individual cryptographic key pair PubKsE, PrivKsE present in the non-volatile memory 17 has changed in the meantime. This can be the case, for example, if the type of encryption or the encryption parameters have changed.
- Boundary conditions managed via the network are expediently stored in a configuration file that is kept on the SE and is also stored in the non-volatile memory 17 .
- An execution of a configuration file is described, for example, in the simalliance specification "eUICC Profile Package: Interoperable Format", Version 2.3.1, November 2019, Annex D.
- the configuration file expediently designates at least the current cryptographic calculation method to be used and contains the current public key part PubKuN.
- the configuration file is always kept up to date and can be updated by the network at any time.
- the SE reads out the configuration file.
- the SE compares the entry read out for the cryptographic calculation method to be used with the calculation method that was used to calculate the individual cryptographic key pair PubKsE, PrivKsE located in the non-volatile memory 17 .
- a mismatch can occur, for example, if the type of encryption has been switched from ECIES Profile A to ECIES Profile B.
- the SE expediently compares the current public key part PubKuN, which can be taken from the configuration file, with the public key part PubKuN, which was used to calculate the symmetric key SharedKsE-HN stored in the non-volatile memory 17 . If there is a change afterwards, the SE stores the current public key part PubKuN contained in the configuration file as a new valid public key part PubKuN in the non-volatile memory 17.
- the first step 101 and the second step 102 executed from the point “A” and the second step 102 executed from the point “B” correspond to the first step 101 and the second step 102 for creating and filing 200 the key before receiving an identity challenge from the network.
- the SE-individual cryptographic key pair PubKsE, PrivKsE created in the first step 101 and/or the symmetric key SharedKsE-HN created in the second step 102 can also be stored in a volatile memory area 18, for example a RAM.
- a first partial key and a second partial key are derived from the symmetric key SharedKsE-HN.
- This step 105 can follow step “3. Key derivation” according to Fig. C.3.2-1 of 3GPP TS 33.501, Version 15.2.0.
- the first partial key can be the “Eph. enc Key, ICB” according to Fig. C.3.2-1 of 3GPP TS 33.501, Version 15.2.0.
- the second partial key can be the “Eph. mac Key” according to Fig. C.3.2-1 of 3GPP TS 33.501, Version 15.2.0.
- a key length can also be adjusted during this division 105 .
- step 106 encryption of identity data stored in the SE takes place.
- file contents of the EFIMSI file are used as input data for the encryption 106 .
- This encryption 106 can be the step “4. Symmetry Encryption” according to Fig. C.3.2-1 of 3GPP TS 33.501, Version 15.2.0. Encrypted identity data is obtained as a result of this step.
- the encrypted identity data from step 106 is (also) sent from the network to the network as part of a response to an identity query.
- step 107 (shown in Figures 1 and 3 but not in Figure 2) a MAC algorithm is applied.
- the encrypted identity data from step 106 is used as an input parameter of the MAC algorithm.
- the second partial key “Eph. mac Key” can be used as another input parameter of the MAC algorithm.
- This applying 107 can be the step “5. MAC function” according to Fig. C.3.2-1 of 3GPP TS 33.501, version 15.2.0.
- a MAC is obtained, which can also be the "MAC tag value" according to FIG. C.3.2-1 of 3GPP TS 33.501, version 15.2.0.
- the MAC from step 107 is (also) sent from the network to the network as part of a response to an identity challenge.
- step 108 a response to the network's identity query is sent.
- the response includes, for example, a concatenation from the public part PubKsE (step 101), the encrypted identity data (step 106) and the MAC (step 107). Additional parameters can also be included in the response.
- the response 108 is preferably the result of the GET IDENTITY command.
- the SE used individual cryptographic key pair PubKsE, PrivKsE and / or the used symmetric key SharedKsE-HN to create and send 300 a response to the Identity query cleared from non-volatile memory or marked as used if values were saved to non-volatile memory.
- the routine for constructing and sending 300 the response to a network identity query must not take longer than a maximum time. Otherwise the answer will no longer be accepted by the network. If the routine for creating and sending 300 the answer to the identity query takes longer than the maximum time, a new registration request 103 can be sent directly from the network to the SE (shown in Fig. 2 but not in Fig. 1 and 3). Subsequently, the re-determination of the prioritization 202 and the execution of the first step 101 and the second step 102 can be started directly.
- the first step 101 and the second step 102 can be started directly with the execution of the first step 101 and the second step 102 to the time between the registration request 103 and an identity query of the network or a transition TI, which includes the identity query of the network, which preferably includes the terminal to the SE to use PubKsE, PrivKsE and/or symmetric keys SharedKsE-HN to create new SE individual cryptographic key pairs.
- the ETSI TS 102 221 standard, version 15 and higher, and the 3GPP TS 31.102 standard, version 15 and higher, define the GET IDENTITY command.
- This command is used in SG networks to generate a SUCI.
- the SUCI context contains an IMSI (Intern. Mobile Subscription ID) or NSI (Network specific ID) as identity data, which is used to identify a participant in a 5G network.
- IMSI Intern. Mobile Subscription ID
- NSI Network specific ID
- the GET IDENTIY command is sent from the network and must be answered within six seconds, including the transmission time. This poses a major problem for SEs that do not have a crypto co-processor or a multiplication accelerator.
- the first step 101 requires 1100 milliseconds and the second step 102 requires 1101 milliseconds. If the GET IDENTITY command is executed with precomputed keys after the first step 101 and the second step 102, only 23 milliseconds are required.
- the first step 101 requires 2934 milliseconds and the second step 102 requires 2938 milliseconds. If the GET IDENTITY command is executed with precomputed keys after the first step 101 and after the second step 102, only 23 milliseconds are required.
- FIGS. 3, 5 and 6 show flow charts of preferred exemplary embodiments for carrying out the method 100 according to the invention.
- the method steps 101 to 109 correspond to the method steps 101 to 109 of FIG. 1 or FIG. 2.
- the SE of FIGS. 3, 5 and 6 can be a 5G USIM. Figures 3, 5 and 6 will be described together below.
- the first step 101 and the second step 102 are each executed once in the SE before the terminal receives a registration request from the network.
- the time between the start of the SE and the first execution of the first step 101 is the time durationo.
- the time between the first execution of the first step 101 and the first execution of the second step 102 is the time Zeiti.
- the first step 101 and the second step 102 are each carried out k times before the network sends the registration request to the terminal.
- the time between the k-th execution of the first step 101 and the k-l-th execution of the second step 102 is a time timek.
- the time between the k+l th execution of the second step 102 and the k th execution of the first step 102 is a time time k+i.
- the first step 101 and the second step 102 are each carried out twice before the network device sends the registration request to the terminal device.
- the time between the first execution of the second step 102 and the second execution of the first step 101 is a time time2.
- the time between the second execution of the first step 101 and the second execution of the second step 102 is a time Zeih.
- the number of executions of the first step 101 and the second step 102 is exemplary and not limited. It is also possible that the first step 101 and the second step 102 are carried out in different numbers or not carried out completely. A period of time can elapse between the last execution of the first step 101 or the second step 102 and the identity query, since the execution of the first step 101 and/or the second step 102 is decoupled from the identity query or a previous registration request.
- the registration request is intended to enable the terminal device (shown in FIGS. 4, 5 and 6) to be able to use network services.
- the network checks the identity of the end device and requests it to be authenticated/identified.
- the process of a registration request and authentication/identification request is described in principle in 3GPP TS 23.501.
- the network sends an identification query to the end device. This is converted into a GET IDENTITY command in the terminal and forwarded to the SE.
- the SE is now forced to transmit the identity data, which is known as SUPI and comprising e.g. IMSI, NSI, NAI, into a SUCI and send back to the network within a time period ZeitMAx (e.g. 6 seconds).
- the network can again send a registration request to the terminal (shown in FIG. 6, but not in FIGS. 3 and 4).
- the SE can then start executing the first step 101 and/or the second step 102, possibly with a high priority, or if there is still a sufficient number of symmetric keys SharedKsE-HN in the non-volatile memory, wait for the next identity query from the network and then start again with the calculation of steps 104 to 109.
- An IMSI is part of a subscriber ID and should - if possible - not be read out.
- the UICC 1 is a 5G USIM and is therefore set up to generate a SUCI based on the IMSI.
- Using the SUCI instead of the IMSI is advantageous because when the SUCI is sent, the IMSI is not sent to the end device or the network in plain text. Sending the SUCI would therefore protect the security-relevant and/or personal information from the EFIMSI file.
- the SUCI is therefore expediently sent as the network identifier instead of the IMSI.
- the SUCI In order to send a SUCI instead of an IMSI in response to the identity query, the SUCI must be calculated.
- the method in FIGS. 1, 2 and 3 with steps 101 to 109 is applied.
- This calculation can correspond to the standardized procedure according to 3GPP 23.501 and is significantly improved according to the invention by performing the first step 101 and the second step 102 in advance in order to avoid time-consuming calculations after step 103 or the identity query of the network TI.
- the subscriber identification mechanism according to the 5G network enables a terminal device to be identified on the over-the-air radio interface (interface 41 of FIG. 4) using the generated SUCI.
- the SE encrypts the SUPI into a SUCI based on the GET IDENTITY command and makes this SUCI available to the terminal in step 108.
- the SUCI is a privacy-friendly identifier that contains the hidden SUPI.
- the SE generates in the first step 101 and in the second step 102 using the ECIES -based protection scheme with the public key of the home network PubKuN, which was made available to the SE securely during USIM registration or personalization. Only the MSIN part of the SUPI is encrypted, while the identifier of the home network, ie MCC/MNC, is still transmitted in the clear.
- the method 100 is integrated into an operating system 15 of the SE and can thus be deployed and used in any native SE.
- FIG. 7 shows an exemplary embodiment of a system made up of a terminal and SE, in which the method of FIGS. 1, 2 and 3 runs.
- the end device is, for example, an M2M device in an IoT environment.
- the end device can have a plurality of ECUs 21; two ECUs 21a and 21b are shown here as representatives.
- the functionalities of the terminal device are controlled by these ECUs 21 .
- the SE is brought into the terminal device ready for operation and is supplied with a supply voltage Vcc and a clock CLK by the terminal device.
- the SE is shown in more detail in FIG. It is indicated in FIG. 7 that the SE has applets 13 . These applets 13 can use a Card Application Toolkit, CAT, 12 to send different APDU commands 11 to the terminal.
- CAT Card Application Toolkit
- the terminal also comprises a modem 22.
- the modem 22 can be seen as a logical unit for converting data between the SE and a network 4, for example.
- the terminal can set up a communication link 3 to the SE through the modem 22 .
- the communication 3 between the terminal and the SE takes place, for example, in accordance with the protocols defined in the international standards ISO/IEC 7816-3 and ISO/IEC 7816-4, to which express reference is hereby made.
- An APDU represents a data unit of the application layer, i.e. a type of container with which commands and/or data are transmitted to the SE.
- command APDUs which are sent from a terminal to the SE
- response APDUs which are sent from the SE to the terminal in response to a command APDU.
- the modem 22 is a communication unit of the terminal device to also transmit data from the terminal device or the SE via a communication interface 41 to the network, for example a server of a network operator.
- the data exchanged between the SE and the modem 22 can be converted in the modem 22 into an IP-based connection protocol.
- FIG. 8 shows a block diagram of an SE according to the invention, preferably a hard-wired eUICC.
- the SE is a portable data carrier with a different design.
- the SE has an operating system 15 in which the method 100 according to FIG. 1, FIG. 2 and FIG. 3 runs.
- the operating system 15 is a native operating system, for example. It is also conceivable that the operating system 15 is set up to run a Java Card runtime environment, JCRE, 16 .
- the SE is designed to exchange data with the terminal device according to FIG.
- Both the SE and the terminal have suitable communication interfaces 31 for data transmission or communication between the SE and the terminal.
- the interfaces can, for example, be designed in such a way that the communication between them or between the SE and the end device is connected galvanically, i.e. with contact.
- the pin assignment is defined in ISO/IEC 7816.
- the communication interface is contactless, for example according to an RFID or NFC or WLAN standard.
- the terminal can forward an identity query from the network to the SE (transition TI of the method 100 in FIG. 1, FIG. 2 or FIG. 3).
- the SE also has a central processor or control unit, CPU 19, which is in communication with the interface 31.
- the primary tasks of the CPU 19 include performing arithmetic and logical functions and accessing (reading, writing, modifying, overwriting, creating and/or deleting) files in the SE as defined by program code executed by the CPU 19 .
- the files are, for example, elementary files, elementary files, EF, in a file directory, directory files, DF, a root directory or a profile directory of the SE of a non-volatile memory 17.
- the CPU 19 is also available with a volatile main memory, RAM 18 and the non-volatile rewritable memory 17 in connection.
- the non-volatile memory 17 is preferably a flash memory (flash EEPROM). This can be, for example, a flash memory with a NAND or a NOR architecture.
- the control unit 19 is also set up to carry out steps 101 to 108 of the method in FIGS. 1, 2 and 3 when corresponding program code is executed.
- the non-volatile memory 17 stores the program code which can be executed by the CPU 19.
- the program code of the chip card operating system, OS, 15, the Java Card runtime environment, JCRE, 16 (consisting of Java Card Virtual Machine, JCVM and Java Card Application Programming Interfaces, JCAPI) can be stored in the non-volatile memory 17.
- the application 13 is preferably in the form of Java CardTM applets.
- the concept of the integrated UICC, iUICC is proposed for the future 5G mobile communications standard currently under development, in which the functionality of a USIM card or a UICC is distributed in the chipset, i.e. in one or more chips or processor(s), of the terminal is integrated. It is of great cost advantage if this chipset does not have a crypto processor or hardware accelerator, which is made possible by the present method.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Description
Claims
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2022333162A AU2022333162A1 (en) | 2021-08-23 | 2022-08-19 | Method in a secure element |
CN202280057033.2A CN117916734A (zh) | 2021-08-23 | 2022-08-19 | 安全元件中的方法 |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102021004318 | 2021-08-23 | ||
DE102021004318.9 | 2021-08-23 | ||
DE102022002276.1A DE102022002276A1 (de) | 2021-08-23 | 2022-06-23 | Verfahren in einem secure element |
DE102022002276.1 | 2022-06-23 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023025411A1 true WO2023025411A1 (de) | 2023-03-02 |
Family
ID=83280093
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2022/025382 WO2023025411A1 (de) | 2021-08-23 | 2022-08-19 | Verfahren in einem secure element |
Country Status (2)
Country | Link |
---|---|
AU (1) | AU2022333162A1 (de) |
WO (1) | WO2023025411A1 (de) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019028698A1 (en) * | 2017-08-09 | 2019-02-14 | Apple Inc. | PROTECTION OF THE CONFIDENTIALITY OF A SUBSCRIBER IDENTITY |
EP3468130A1 (de) * | 2017-10-06 | 2019-04-10 | Gemalto Sa | Verfahren zur übermittlung eines verschlüsselten identifizers, der in einem sicherheitselement enthalten ist, auf ein physisches oder virtuelles element eines telekommunikationsnetzes, entsprechendes sicherheitselement, physisches oder virtuelles element und terminal, das mit diesem sicherheitselement zusammenarbeitet. |
US20190268335A1 (en) * | 2018-02-23 | 2019-08-29 | T-Mobile Usa, Inc. | Key-Derivation Verification in Telecommunications Network |
-
2022
- 2022-08-19 AU AU2022333162A patent/AU2022333162A1/en active Pending
- 2022-08-19 WO PCT/EP2022/025382 patent/WO2023025411A1/de active Application Filing
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2019028698A1 (en) * | 2017-08-09 | 2019-02-14 | Apple Inc. | PROTECTION OF THE CONFIDENTIALITY OF A SUBSCRIBER IDENTITY |
EP3468130A1 (de) * | 2017-10-06 | 2019-04-10 | Gemalto Sa | Verfahren zur übermittlung eines verschlüsselten identifizers, der in einem sicherheitselement enthalten ist, auf ein physisches oder virtuelles element eines telekommunikationsnetzes, entsprechendes sicherheitselement, physisches oder virtuelles element und terminal, das mit diesem sicherheitselement zusammenarbeitet. |
US20190268335A1 (en) * | 2018-02-23 | 2019-08-29 | T-Mobile Usa, Inc. | Key-Derivation Verification in Telecommunications Network |
Non-Patent Citations (4)
Title |
---|
"3 Generation Partnership Project; Technical Specification Group Services and System Aspects; Security architecture and procedures for 5G system (Release 17)", vol. SA WG3, no. V17.2.0, 25 June 2021 (2021-06-25), pages 1 - 257, XP052029780, Retrieved from the Internet <URL:https://ftp.3gpp.org/Specs/archive/33_series/33.501/33501-h20.zip 33501-h20.doc> [retrieved on 20210625] * |
3GPP TS 23.003 |
3GPP TS 33.501 |
KHAN HAIBAT ET AL: "Identity Confidentiality in 5G Mobile Telephony Systems", 21 November 2018, ADVANCES IN DATABASES AND INFORMATION SYSTEMS; [LECTURE NOTES IN COMPUTER SCIENCE; LECT.NOTES COMPUTER], SPRINGER INTERNATIONAL PUBLISHING, CHAM, PAGE(S) 120 - 142, ISBN: 978-3-319-10403-4, XP047494680 * |
Also Published As
Publication number | Publication date |
---|---|
AU2022333162A1 (en) | 2024-02-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3574625B1 (de) | Verfahren zum durchführen einer authentifizierung | |
EP2910039B1 (de) | Verfahren zum einbringen von teilnehmeridentitätsdaten in ein teilnehmeridentitätsmodul | |
EP2898714B1 (de) | Identitätsmodul zum authentisieren eines teilnehmers in einem kommunikationsnetzwerk | |
DE102020003275B3 (de) | Personalisierung eines Secure Element | |
DE112008002860T5 (de) | Verfahren und Vorrichtung für das Bereitstellen einer sicheren Verknüpfung mit einer Benutzeridentität in einem System für digitale Rechteverwaltung | |
EP3595237B1 (de) | Nachladen kryptographischer programminstruktionen | |
EP3314933B1 (de) | Kommunizieren eines teilnehmeridentitätsmoduls zu einem server, insbesondere bei profilwechsel | |
EP3713268B1 (de) | Verfahren zum aufbau einer datenverbindung, verfahren zum bereitstellen von verbindungsparametern, sowie teilnehmeridentitätsmodul | |
DE102021005869A1 (de) | Verfahren zum Ändern eines Zugriffsrechts in einer UICC | |
WO2023025411A1 (de) | Verfahren in einem secure element | |
DE102022002276A1 (de) | Verfahren in einem secure element | |
WO2023016669A1 (de) | Verfahren in einem secure element | |
WO2015018510A2 (de) | Verfahren und vorrichtungen zum wechseln eines mobilfunknetzes | |
EP3664490A1 (de) | Imei speicherung | |
WO2022214219A1 (de) | Verfahren zum personalisieren eines sicheren elementes | |
EP3130165A1 (de) | Bereitstellen einer virtuellen verbindung zum übertragen von anwendungsdateneinheiten | |
DE102022000931A1 (de) | Universal integrated chip card, UICC, zum Verwalten von Authentisierungsdaten, sowie Verfahren | |
DE102012020987A1 (de) | Verfahren zum sicheren Verwalten von Teilnehmeridentitätsdaten | |
DE102023110415A1 (de) | Ein Verfahren zum Bereitstellen von Daten für ein Abonnementenprofil für ein Secure Element | |
EP2701359B1 (de) | Verfahren zum Erhalten von Teilnehmeridentitätsdaten | |
WO2023186348A1 (de) | Verfahren zur verwaltung einer anwendung zur elektronischen identifizierung eines nutzers | |
WO2020239255A1 (de) | Verfahren zum einrichten eines subskriptions-profils, verfahren zum bereitstellen eines subskriptions-profils, teilnehmeridentitätsmodul | |
DE102020002658A1 (de) | Verfahren zum Betreiben einer Universal Integrated Chip Card, UICC, sowie UICC | |
DE102021004158A1 (de) | Verfahren zum Betreiben einer universal integrated Circuit Card, UICC, und UICC | |
DE102022104834A1 (de) | Onboarding von cloud-diensten ohne vorherige anpassung der endgeräte |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 22768628 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: AU2022333162 Country of ref document: AU |
|
ENP | Entry into the national phase |
Ref document number: 2022333162 Country of ref document: AU Date of ref document: 20220819 Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2022768628 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
ENP | Entry into the national phase |
Ref document number: 2022768628 Country of ref document: EP Effective date: 20240325 |