Chris Mode51
2 min read, Nov 24, 2022

eSIM RSP SM-DP+ Common Mutual Authentication Part 3: InitiateAuthentication

InitiateAuthentication Request

The LPAd submits the eUICCInfo1 and eUICCChallenge values it obtained from the eUICC to the SM-DP+ in the InitiateAuthentication request, along with the address of the SM-DP+ it expects to be talking to. The SM-DP+ checks that the address is its own and that eUICCInfo1 lists a certificate issuer it supports, then builds its response:

InitiateAuthentication from the LPA to the SM-DP+

Example InitiateAuthentication Request

The euiccChallenge and euiccInfo1 parameters are DER-encoded binary (a 16-byte challenge and an ASN.1 EUICCInfo1 structure), so they are base64 encoded to carry them safely inside the JSON body:

{"euiccChallenge":"v9ZRgGebs90qFb0YAvFX6w==",
"euiccInfo1":"vyBhggMCAgCpLAQUwLxwujaSnUO0Z/9XVwUw5Xq4/NgEFPVBcr35ipXWXL64ijihwR2ACoXDqiwEFMC8cLo2kp1DtGf/V1cFMOV6uPzYBBT1QXK9+YqV1ly+uIo4ocEdgAqFw5AA",
"smdpAddress":"testsmdpplus1.example.com"}

InitiateAuthentication Response

InitiateAuthentication responds with a new TransactionID, a serverChallenge, the serverSigned1 data structure (which binds the TransactionID, the eUICC challenge, the server address and the server challenge together), a signature over serverSigned1 made with the private key of the serverCertificate, and the serverCertificate itself. That certificate must chain to a certificate issuer that the eUICC reported as trusted in the eUICCInfo1 data structure, otherwise the eUICC will reject it in the next step.

InitiateAuthentication response payload received by the LPA

Example InitiateAuthentication Response

{"header":
{"functionExecutionStatus":
{"status":"ExecutedSuccess"}
},
"transactionId":"0123456789ABCDEF8899aabbccddeeff",
"serverSigned1":"MFGAEAEjRWeJq83viJmqu8zd7v+BEL/WUYBnm7PdKhW9GALxV+uDGXRlc3RzbWRwcGx1czEuZXhhbXBsZS5jb22EEIiZqrvM3e7/ABEiM0RVZnc=",
"serverSignature1":"XzdAGKXNBZqRrxRgDTfCkPrWVjf3AA/8QsoYKs1zOXbqglNr0TlHlgz+ehdsypA+Me1GGdubXEpu0lJ/QoL4rLd7fA==",
"euiccCiPKIdToBeUsed":"BBT1QXK9+YqV1ly+uIo4ocEdgAqFww==",
"serverCertificate":"<base64 DER certificate omitted>"
}

The base64 decoded serverSigned1 ASN.1 data structure:

305180100123456789ABCDEF8899AABBCCDDEEFF8110BFD65180679BB3DD2A15BD1802F157EB831974657374736D6470706C7573312E6578616D706C652E636F6D84108899AABBCCDDEEFF0011223344556677

Annotated serverSigned1:

// serverSigned1

// ASN.1 SEQUENCE with length 81
30 51

// Transaction ID
80 10 0123456789ABCDEF8899AABBCCDDEEFF

// eUICC challenge
81 10 BFD65180679BB3DD2A15BD1802F157EB

// Server domain, UTF-8 "testsmdpplus1.example.com"
83 19 74657374736D6470706C7573312E6578616D706C652E636F6D

// Server challenge
84 10 8899AABBCCDDEEFF0011223344556677

The base64 encoded euiccCiPKIdToBeUsed is an ASN.1 OCTET STRING holding the SubjectKeyIdentifier of a certificate issuer public key. The SM-DP+ picks it from the lists the eUICC advertised in eUICCInfo1 and it tells the eUICC which certificate issuer, and therefore which of its own certificates and key pairs, to use when it signs in the following step. In this example it is the second of the two identifiers in eUICCInfo1, F54172BD...0A85C3.
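The following script is an added example (not code from the original post) that decodes the request and response shown above with a small BER TLV parser and applies the consistency checks the LPA and eUICC can make before any signature is verified: the euiccChallenge echoed in serverSigned1 equals the one the eUICC issued, the serverAddress is the SM-DP+ the LPA contacted, the transactionId in the JSON header matches the one inside serverSigned1, and euiccCiPKIdToBeUsed is one of the identifiers the eUICC advertised in eUICCInfo1 (it is compared against euiccCiPKIdListForSigning, tag AA; in this capture both lists are identical). The REQUEST and RESPONSE dictionaries are the page's own values, with serverSignature1 and the certificate left out because they are not needed for these structural checks; verifying serverSignature1 with the serverCertificate is a separate step not shown here. One detail the parser surfaces: the page's euiccInfo1 blob carries two bytes, 90 00, after the end of the DER structure (the ISO 7816 "success" status word, presumably captured together with the APDU response), so the decoder reports trailing bytes instead of failing on them.

```python
"""Decode ES9+ InitiateAuthentication fields and run the pre-signature consistency checks."""
import base64

# Values copied from the page's example exchange (serverSignature1 and
# serverCertificate omitted; they are not needed for the structural checks).
REQUEST = {
    "euiccChallenge": "v9ZRgGebs90qFb0YAvFX6w==",
    "euiccInfo1": "vyBhggMCAgCpLAQUwLxwujaSnUO0Z/9XVwUw5Xq4/NgEFPVBcr35ipXWXL64ijihwR2ACoXDqiwEFMC8cLo2kp1DtGf/V1cFMOV6uPzYBBT1QXK9+YqV1ly+uIo4ocEdgAqFw5AA",
    "smdpAddress": "testsmdpplus1.example.com",
}
RESPONSE = {
    "transactionId": "0123456789ABCDEF8899aabbccddeeff",
    "serverSigned1": "MFGAEAEjRWeJq83viJmqu8zd7v+BEL/WUYBnm7PdKhW9GALxV+uDGXRlc3RzbWRwcGx1czEuZXhhbXBsZS5jb22EEIiZqrvM3e7/ABEiM0RVZnc=",
    "euiccCiPKIdToBeUsed": "BBT1QXK9+YqV1ly+uIo4ocEdgAqFww==",
}


def parse_tlv(buf, offset=0):
    """Parse one BER TLV at offset; return (tag bytes, value bytes, next offset).
    Handles multi-byte tags such as BF 20 and definite lengths up to 3 length bytes."""
    start = offset
    first = buf[offset]
    offset += 1
    if first & 0x1F == 0x1F:            # high tag number form: more tag bytes follow
        while buf[offset] & 0x80:
            offset += 1
        offset += 1
    tag = buf[start:offset]
    length = buf[offset]
    offset += 1
    if length & 0x80:                   # long form length
        n = length & 0x7F
        if n == 0 or n > 3:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[offset:offset + n], "big")
        offset += n
    end = offset + length
    if end > len(buf):
        raise ValueError("TLV length runs past end of buffer")
    return tag, buf[offset:end], end


def parse_sequence(value):
    """Split the content of a constructed TLV into a list of (tag, value) pairs."""
    items, off = [], 0
    while off < len(value):
        tag, val, off = parse_tlv(value, off)
        items.append((tag, val))
    return items


def parse_server_signed1(b64):
    """ServerSigned1 ::= SEQUENCE { transactionId [0], euiccChallenge [1],
    serverAddress [3] UTF8String, serverChallenge [4] }"""
    raw = base64.b64decode(b64)
    tag, body, end = parse_tlv(raw)
    if tag != b"\x30" or end != len(raw):
        raise ValueError("serverSigned1 is not a single SEQUENCE")
    f = dict(parse_sequence(body))
    return {
        "transactionId": f[b"\x80"].hex().upper(),
        "euiccChallenge": f[b"\x81"],
        "serverAddress": f[b"\x83"].decode("utf-8"),
        "serverChallenge": f[b"\x84"],
    }


def parse_euicc_info1(b64):
    """EUICCInfo1 ::= [32] SEQUENCE { svn [2], euiccCiPKIdListForVerification [9],
    euiccCiPKIdListForSigning [10] }; each list entry is an OCTET STRING (tag 04)."""
    raw = base64.b64decode(b64)
    tag, body, end = parse_tlv(raw)
    if tag != b"\xbf\x20":
        raise ValueError("not an EUICCInfo1 ([32]) structure")
    f = dict(parse_sequence(body))
    return {
        "svn": ".".join(str(b) for b in f[b"\x82"]),
        "forVerification": [v for t, v in parse_sequence(f[b"\xa9"]) if t == b"\x04"],
        "forSigning": [v for t, v in parse_sequence(f[b"\xaa"]) if t == b"\x04"],
        "trailing": raw[end:],          # bytes after the DER structure, if any
    }


def check_initiate_authentication(request, response):
    """Return a list of problems; an empty list means the response is consistent
    with the request (signature verification over serverSigned1 still required)."""
    ss1 = parse_server_signed1(response["serverSigned1"])
    info1 = parse_euicc_info1(request["euiccInfo1"])
    pkid_tag, pkid, _ = parse_tlv(base64.b64decode(response["euiccCiPKIdToBeUsed"]))
    problems = []
    if ss1["euiccChallenge"] != base64.b64decode(request["euiccChallenge"]):
        problems.append("euiccChallenge in serverSigned1 is not the challenge the eUICC issued")
    if ss1["serverAddress"] != request["smdpAddress"]:
        problems.append("serverAddress in serverSigned1 is not the SM-DP+ the LPA contacted")
    if response["transactionId"].upper() != ss1["transactionId"]:
        problems.append("transactionId in header differs from the one in serverSigned1")
    if pkid_tag != b"\x04" or pkid not in info1["forSigning"]:
        problems.append("euiccCiPKIdToBeUsed is not in euiccCiPKIdListForSigning")
    return problems


if __name__ == "__main__":
    print(parse_server_signed1(RESPONSE["serverSigned1"]))
    print({k: [x.hex() for x in v] if isinstance(v, list) else v
           for k, v in parse_euicc_info1(REQUEST["euiccInfo1"]).items()})
    print("problems:", check_initiate_authentication(REQUEST, RESPONSE))
```

Running it prints the decoded serverSigned1 fields, the eUICC's two CI key identifiers (with the 90 00 trailer reported separately) and an empty problem list for the page's capture; swapping in a different euiccChallenge or smdpAddress in REQUEST makes the corresponding check fail, which is exactly the replay and redirection case these fields exist to catch.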

In the next step, part 4, the LPAd sends serverSigned1 to the eUICC.