Chris Mode51
3 min read · Nov 24, 2022

eSIM RSP SM-DP+ Common Mutual Authentication Part 1

The Remote SIM Provisioning (RSP) Common Mutual Authentication procedure detailed in this series of articles is specified in GSMA’s SGP.22.

The examples have been produced using Comprion’s test eUICC and Mode51 Software’s development SM-DP+ which aims to provide diagnostic features for security researchers.

The Comprion eUICC contains test certificates that are in the public domain, specified in GSMA’s SGP.26.

Common Mutual Authentication Procedure

The Common Mutual Authentication procedure is used to establish PKI-based trust between the client-side eUICC and the Subscription Manager Data Preparation+ (SM-DP+) server via the Local Profile Assistant for Device (LPAd).

The eUICC stores a very small number of trusted Certificate Issuer (CI) certificates — usually the GSMA root CI and perhaps one other. The SGP.26 sample ECDSA certificates trusted by the Comprion eUICC include both brainpool and prime256v1 variants.

RSP Certificate Chains

In the following articles we will explore the Common Mutual Authentication procedure supported by the SM-DP+, the Subscription Manager Data Preparation server — with a + to indicate consumer RSP as defined in SGP.21 and SGP.22 rather than non-plus M2M RSP as defined in SGP.01 and SGP.02.

All of the requests specified in SGP.22 are listed below. In this series of articles we will look at the following ES9+ APIs, accessed by the LPAd (the Local Profile Assistant for Device, installed on top of the client device OS, which brokers requests between the eUICC and the SM-DP+):

  • InitiateAuthentication
  • AuthenticateClient

The ES11 APIs are towards the SM-DS, the Subscription Manager Discovery Server. These aren’t covered in this set of articles, though the payload format is the same.

List of RSP SM-DP+ Functions between the LPAd on Device and the SM-DP+ Server

In that diagram, the ES9+ interface between the SM-DP+ and the LPAd is indicated by the red marker.

Activation Methods

The authentication procedure is triggered by an activation method which may be one of:

  • user scans a QR code which sends the IP address of the SM-DP+ to the LPAd
  • a default SM-DP+ address configured in the eUICC
  • discovery services, including the GSMA eSIM Discovery Service, the Apple Lookup Service and custom discovery services
  • Android apps can initiate an eSIM profile download by passing a message to the eUICC containing the SM-DP+’s address and an activation code. The app then obtains carrier app privileges based on a signature, present in the eSIM profile’s metadata prior to installation, that matches the app’s own fingerprint. In this way the app becomes a carrier app just as the eSIM profile is being downloaded. For more details, see the article eSIM RSP Android App Privilege Elevation for WRITE_EMBEDDED_SUBSCRIPTIONS.
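Whichever activation method is used, the LPAd ends up with an SGP.22 activation code that names the SM-DP+ to authenticate against. The parser below is an added example (not code from this article or from Mode51’s SM-DP+) of how an LPAd can validate such a code before issuing its first ES9+ request; the sample codes are constructed and the addresses are placeholders.

```python
"""Parse an SGP.22 activation code as scanned from a QR code.

Format (SGP.22 section 4.1):
  LPA:1$<SM-DP+ address>$<AC_Token>[$<SMDP_OID>[$<Confirmation Code Required Flag>]]
The SM-DP+ address is a bare FQDN: the LPAd adds https:// and the ES9+ path
itself, so a scheme or path inside the code is rejected rather than followed.
"""
import re
from dataclasses import dataclass
from typing import Optional

_FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
_OID = re.compile(r"^\d+(\.\d+)+$")


@dataclass(frozen=True)
class ActivationCode:
    smdp_address: str            # FQDN the LPAd contacts over ES9+
    matching_id: Optional[str]   # AC_Token; None when the code carries none
    smdp_oid: Optional[str]      # OID expected in the SM-DP+ certificate, if given
    confirmation_code_required: bool

    def es9_url(self, function: str) -> str:
        # ES9+ functions are POSTed to https://<address>/gsma/rsp2/es9plus/<function>
        return f"https://{self.smdp_address}/gsma/rsp2/es9plus/{function}"


def parse_activation_code(code: str) -> ActivationCode:
    if not code.startswith("LPA:"):
        raise ValueError("activation code must start with 'LPA:'")
    fields = code[4:].split("$")
    if not 3 <= len(fields) <= 5:
        raise ValueError(f"expected 3 to 5 '$'-separated fields, got {len(fields)}")
    ac_format, address, token = fields[0], fields[1].strip(), fields[2]
    oid, flag = (fields + ["", ""])[3:5]   # optional trailing fields may be empty
    if ac_format != "1":
        raise ValueError(f"unsupported AC_Format {ac_format!r}")
    if not _FQDN.match(address):
        # also catches an empty address and a scheme or path smuggled into the code
        raise ValueError(f"SM-DP+ address is not a bare FQDN: {address!r}")
    if oid and not _OID.match(oid):
        raise ValueError(f"SMDP_OID is not dotted-decimal: {oid!r}")
    if flag not in ("", "1"):
        raise ValueError(f"confirmation code flag must be '1' or absent: {flag!r}")
    return ActivationCode(address.lower(), token or None, oid or None, flag == "1")


def is_valid_activation_code(code: str) -> bool:
    try:
        parse_activation_code(code)
        return True
    except ValueError:
        return False
```

The returned `es9_url("initiateAuthentication")` is the endpoint the LPAd posts to for the first step of the procedure covered in the following parts.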

The first procedure triggered by the activation method takes place between the LPAd and the eUICC, and is covered in part 2.