eSIM RSP SM-DP+ Understanding Profile Download and Installation Part 1: PrepareDownload
The SM-DP+ Profile Download and Installation procedure follows on from the previous set of articles on Common Mutual Authentication as specified in GSMA SGP.22 v2.2.
SGP.22 v3.0 was released in October 2022 though the following implementation has been tested with an eUICC that supports v2.2.
As part of Mode51 Software’s SM-DP+ development we have successfully implemented the Profile Download and Installation procedure using the Comprion test eUICC which supports GSMA’s SGP.26 test keys.
Common Mutual Authentication
When a subscriber proactively requests a profile download using an activation method such as a QR code scan, the Common Mutual Authentication procedure must succeed first:
PrepareDownload
Once the Common Mutual authentication procedure has succeeded, the profile preparation, delivery and installation can proceed. This is the Subscriber Management Data Preparation (SM-DP+) server’s core purpose.
The LPAd (Local Profile Assistant for Device) sends PrepareDownload on the ES10b interface into the eUICC:
Some of the returned data from the Common Mutual Authentication procedure’s AuthenticateClient response is sent from the LPAd through to the eUICC and verified including:
- smdpSigned2
- smdpSignature2
- CERT.DPpb.ECDSA
smdpSigned2 consists of:
- Transaction ID
- ccRequiredFlag — whether or not a Confirmation Code is required
- bppEuiccOtpk — an optional eUICC public key
bppEuiccOtpk is the public part of the key pair used to establish the shared secret in part 2. This one time key pair may actually be reused, for example for a download retry, if the public part is passed in here part of smdpSigned2.
Note that SGP.22 v3.0 contains a new rpmPending field.
SmdpSigned2 ::= SEQUENCE {
transactionId [0] TransactionId, -- The TransactionID generated by the
SM-DP+
ccRequiredFlag BOOLEAN, -- Indicates if the Confirmation Code is required
bppEuiccOtpk [APPLICATION 73] OCTET STRING OPTIONAL, -- otPK.EUICC.KA
already used for binding the BPP, tag '5F49'
rpmPending NULL OPTIONAL -- #SupportedForRpmV3.0.0#
}
ES10b.PrepareDownload sends smdpSigned2, smdpSignature2, CERT.DPpb.ECDSA and the optional Hashed Confirmation Code and fetches the euiccSigned2 and euiccSignature2 from the eUICC. This provides the LPAd with the required inputs for the subsequent GetBoundProfilePackage request out towards the SM-DP+ server.
Note that as well as NIST based prime256v1 ECDSA certificates there are brainpoolP256r1 ECDSA certificates provided as part of the SGP.26 test file set.
euiccSigned2 contains:
- Transaction ID
- euiccOtpk — the public part of the ECDH key
- Hashed Confirmation Code — if ccRequiredFlag was enabled in the previous smdpSigned2
Note that SGP.22 v3.0 contains a new additionalInformation field.
EUICCSigned2 ::= SEQUENCE {
transactionId [0] TransactionId,
euiccOtpk [APPLICATION 73] OCTET STRING, -- otPK.EUICC.KA, tag '5F49'
hashCc Octet32 OPTIONAL, -- Hash of confirmation code
additionalInformation VendorSpecificExtension OPTIONAL -- #SupportedFromV3.0.0#
}In Part 2 the GetBoundProfilePackage request is assembled by the LPAd to initiate the Profile Download and Installation procedure which will fetch the new SIM profile data from the SM-DP+ server.
