Mobile Application Based on (U)SIM Java Card Applet Patrick Biget

CNAM 17-Dec-2007 © Bantry Technologies Ltd.16 Dec 2007

25 Ballsbridge Terrace, Ballsbridge, Dublin 4, IrelandTel: +353 (0)1 6642930 / Fax: +353 (0)1 6642933www.bantry-technologies.com

Slide 1

BantryTechnologies

Mobile Application based on (U)SIMJava Card Applet

Patrick BigetCNAM

17th of December 2007

© Bantry Technologies Ltd. 16 déc. 2007 Mobile Applications based on (U)SIM Java Card Applets

Presentation OverviewSIM Cards & GSM Networks

SIM TechnologySIM Card Applications

SIM Toolkit TechnologyJava Card Enabler for SIM Card Applications

Java Card SIM APIDemonstration (tools and cards)Questions & Answers



Slide 3

BantryTechnologies

SIM Card & GSM Networks

SIM Technology(3GPP TS 11. 11)


OverviewIntroduction to GSM Introduction to the SIM card

Functional role in the GSM Network Physical characteristics

SIM Card Services Data management SecurityContent data


Introduction to GSMHistory of GSMServices Provided by GSMArchitecture of GSM Networks


History of GSM (1/3)Analog cellular telephone systems experienced rapid growth in Europe (early 1980s)Each country developed its own system incompatible with everyone else’sConsequences

mobile equipment were limited within national boundariesvery limited market for each system (no possible economies of scale)


History of GSM (2/3)Creation of the “Groupe Spécial Mobile” (GSM)

Proposed system had to meet certain criteria:Good subjective speech qualityLow terminal and service costSupport for international roamingAbility to support handheld terminalSupport for range of new services and facilitiesSpectral efficiencyISDN compatibility


History of GSM (3/3)1989: GSM responsibility transferred to ETSI (European Telecommunication Standards Institute)1990: Publication of the GSM specs phase I1991: Starting of commercial service1993: 36 GSM networks in 22 countries1995: 114 GSM networks in 66 countries1998: 304 GSM networks in 120 countries2001: 445 GSM networks in 170 countries2006: 700 GSM networks in 218 countries

Over 2 billions GSM subscribers (June 2006)


Services Provided by GSMTelephony Services (voices services)

Basic GSM voice telephony serviceBearer Services (data services)

Facsimile ServiceShort Message ServiceData Exchange Service (CSD, GPRS)

Supplementary ServicesCall ForwardCall Barring (roaming)Others like caller identification, call waiting, multi-party conversations


Architecture of GSM Networks

SIM ME

MobileMobileStationStation

SIM ME

SIM ME

SIM = Subscriber Identity Module

ME = Mobile Equipment

BTS = Base Transceiver Station

BSC = Base Station ControllerHLR = Home Location Register

VLR = Visitor Location Register

EIR = Equipment Identity Register

AuC =Authentication Center

MSC = Mobile services Switching Center

Base StationBase StationSubsystemSubsystem

BSC

BTS

BTS

HLR VLR

EIR AuC

MSC

NetworkNetworkSubsystemSubsystem

PSTNISDN

PSTN = Public Switched Telephone Network

ISDN = Integrated Services Digital Network


Mobile StationThe Mobile Station is composed of

The Mobile Equipment (ME)The Subscriber Identity Module (SIM)

The SIM card allows the user to get access to the subscribed services irrespective of a specific terminalBoth components are uniquely identified

ME through the IMEI (International Mobile Equipment Identity)SIM through the IMSI (International Mobile Subscriber Identity)


Base Station SubsystemThe Base Station Subsystem is composed of

The Base Transceiver StationThe Base Station Controller

Base Transceiver StationHouses the radio transceivers that define a cellHandles the radio-link protocols with the Mobile Station

Base Station ControllerManages the radio resources for one or more BTSs (radio-channel setup, frequency hopping and handovers)


Network Subsystem (1/3)Central Component: Mobile services Switching Center (MSC)

Acts like a normal switching node (PSTN or ISDN)Provides functionalities to handle mobility

RegistrationAuthenticationLocation updatingHandoversCall routing to roaming subscribers

Provides the connection to the fixed networks (PSTN or ISDN)


Network Subsystem (2/3)Home Location Register (HLR)

Administrative information on each subscriber of the local GSM networkCurrent location of the mobileLogically one single HLR per GSM network

Visitor Location Register (VLR)Selected administrative information of each subscriber currently located in the geographical area controlled by the VLR


Network Subsystem (3/3)Equipment Identity Register (EIR)

Contains a list of all valid ME on the networkME is invalid if:

It has been reported stolenIts type is not approved

Each ME is identified by its IMEIAuthentication Center (AuC)

Contains a copy of the secret key stored in each SIM cardUsed for authentication and encryption over the radio channel


Introduction to the SIM CardFunctional role in the GSM Network

Personal mobilitySecurity servicesDownload of other services

Physical characteristics


Role of the SIM CardPersonal mobility

Hold the user’s subscription details to make any mobile phone his/her personal phone

Security servicesHold the secrets necessary to prove that the user is the one he/she claims to be (and optionally to cipher the communications)

Download of other servicesMore recently, the SIM card environment has been enhanced to let the user download on his/her SIM card his/her preferred mobile services


Personal MobilitySubscription details are stored in the card

IMSI: unique identifier of the subscriberKi: secret key for authentication

Other subscriber-related information can be stored in the card

Address bookLanguage preferencesAnd much more information…


Security ServicesSecret codes (PIN)

User authenticationOperator authentication(for administrative operations)

Secret keysAuthentication of the SIM card by the networkCommunication ciphering

7 8 94 5 61 2 3C 0 V


Authentication Services(IMSI, Ki)

IMSI Ki

IMSI

Rnd

Ki

A3

RndKi

A3

Rnd

SIMResult

NetworkResult

AuCMSCBSCBTSMESIM HLR

RefusedAccepted

CheckCheck


Ciphering Services(IMSI, Ki)

IMSI Ki

IMSI

Rnd

Ki

A8

RndKi

A8

Rnd

SessionKey

SessionKey

AuCMSCBSCBTSMESIM HLR

Encrypted Voice ChannelEncrypted Voice Channel


Download of ServicesSecure execution environment for trusted applications

Able to interact with the mobile phoneDisplay information on the screenGet inputs from the userPlace phone calls

Able to interact with the networkSend and receive messages (SMS, CSD, GPRS, etc.)Get localization information

Able to interact with the SIM file systemRead/write into SIM files


Physical CharacteristicsTwo different formats

ID-1 SIM (standard credit card format)Plug-in SIM (specific SIM format)

25 mm

15 mm

85.6 mm

54 mm

ID-1 SIMID-1 SIM

Plug-in SIMPlug-in SIM


SIM Card ServicesData management

File managementSecurity

Data protectionAuthentication/Ciphering

Content dataOverall file structureDetails of the file contents


File ManagementLogical file modelFile identifiersFile selection

SELECT commandSTATUS command

File access commandsREAD BINARY commandUPDATE BINARY commandREAD RECORD commandUPDATE RECORD commandSEEK command


Logical File Model (1/2)2 different classes of file

Dedicated files (directories)Elementary files (data files)

3 different types of elementary filesTransparent filesLinear fixed filesCyclic files

Sequenceof bytes

Transparent Linear Fixed

Record #1

Record #2

Record #3

etc…

Record #n

Cyclic

Record #1

Record #2Record #3

etc…

Record #n


Logical File Model (2/2)MF

DF1

DF2

EF

EF

EF

EF

DF21

DF22

EF

EF

EF

EF

EF


Data ProtectionFile access conditionsCHV management commands

VERIFY CHV commandCHANGE CHV commandDISABLE CHV commandENABLE CHV commandUNBLOCK CHV command

File invalidation commandsINVALIDATE commandREHABILITATE command


File Access ConditionsEvery EF has its own access conditions for each command

ReadUpdateInvalidateRehabilitate

Access conditions can beAlways:no restrictionsCHV1: the CHV1 code must have been presentedCHV2: the CHV2 code must have been presentedADM: an admin. code must have been presentedNever: no access


PIN CodesThe SIM card uses two different types of PIN codes

CHV codes (subscriber’s responsibility)ADM codes (telco’s responsibility)

CHV2 CHVs are defined (only one used today)No hierarchy between the 2 codesUnblock code available for each CHV

ADMUp to 14 ADM codes can be definedGenerally 2/4 are defined and only 1 really usedADM code verification is not defined in the standard


Authentication/CipheringA3/A8 GSM algorithm used for

Authentication (A3)Ciphering (A8)

One single commandRUN GSM ALGORITHM command


Overall File StructureMF

DF GSM DF Telecom

EF LP

EF IMSI

EF Kc

EF PLMNsel

EF HPLMN

EF ACMmax

EF SST

EF ACM

EF GID1

DF Graphics

EF ADN

EF FDN

EF SMS

EF CCP

EF MSISDN

EF SMSP

EF IMG

EF ICCID EF ELP

etc… etc…

EF SMSS

MFID = 3F00General information

DF GSMID = 7F20Network-related information

DF Telecom ID = 7F10Service-related information



Slide 33

BantryTechnologies

SIM Card Applications

SIM Toolkit Technology(3GPP TS 11. 14)


OverviewIntroduction to SIM ToolkitSIM Toolkit ProcessingProactive SIM commandsProfile download mechanismEvent management


Introduction to SIM ToolkitAllow applications in the SIM to interact with any MEETSI GSM 11.14 standard defines the interface between the SIM and the ME to have a full interoperabilitySTK applications can

Initiate actionspro-active commands

Be triggered on external actionsevent management

Get the characteristics of the MEME profile


SIM Toolkit ProcessingSIM has to be “pro-active”Smart card protocols doesn’t allow this

The card is never activeIt only answers to APDU commands coming from the terminal (master/slave relation)

4 new APDU commands are defined to manage SIM Toolkit features

FETCHTERMINAL RESPONSEENVELOPETERMINAL PROFILE


Processing Proactive Commands

FETCHFETCH

Proactive Command (e.g. display text)Proactive Command (e.g. display text)

ME

SIM TERMINAL RESPONSETERMINAL RESPONSE

Status & Response (if any)Status & Response (if any)


Processing Events

ENVELOPE (e.g. menu selection)ENVELOPE (e.g. menu selection)

StatusStatus

ME

SIM


Processing Profile Download

TERMINAL PROFILETERMINAL PROFILE

Status & Profile InformationStatus & Profile Information

ME

SIM


Proactive PollingSTATUSSTATUS

Response with SW=90 00Response with SW=90 00

ME

SIM

STATUSSTATUS

Response with SW=90 00Response with SW=90 00

STATUSSTATUS

Response with SW=91 XXResponse with SW=91 XX

FETCHFETCH

Poll Intervall


Proactive CommandsMan-Machine Interface

Display TextGet InkeyGet InputSelect ItemMore TimePlay ToneSet Up MenuSet Up Idle Mode Text

CommunicationSend Short MessageSend SSSend USSDSet Up CallSend DTMFOpen ChannelClose ChannelReceive DataSend DataGet Channel Status

Dual-SlotPerform Card APDUPower Off CardPower On CardGet Reader Status

MiscellaneousProvide Local InformationTimer ManagementSet Up Event ListRefreshPoll IntervalPolling OffRun AT CommandLanguage NotificationLaunch Browser


Proactive Command Examples

NETWORK BANKING NEWS WEATHER

Setup Menu

BANKING BALANCE PURCHASE TRANSFER

Select Item

The weather today is going to be fine. ok

Display Text

Please enter name:

ok

Get Input

SMS in progress.

Please Wait...

Send SMS

CALLING 01 4746 6667

Please Wait...

Setup Call


Display TextThis command instructs the ME to display a text message and/or an icon. It allows the SIM to define the priority of that message and the text string format.

EOImmediate response TLV

DOIcon identifier TLV

CMText string TLV

BMDevice identities TLV

AMCommand details TLV

1 or 2MLength (A+B+C+D+E)

1MProactive SIM command tag

LenM/ODescription Command Qualifier

Normal priority01 High priority1RFU02 RFU1RFU03 RFU1RFU04 RFU1RFU05 RFU1RFU06 RFU1RFU07 RFU1

Wait for user to clear1Clear after delay08

DescriptionBit

Device Identities

DisplayDest.SIMSource

Command Details TLV

1Command qualifier51Type of command41Command number31Length (=03)21Command details tag1

LenDescriptionByte(s)Device Identities TLV

1Destination device identities4

1Source device identities3

1Length (=02)2

1Device identities tag1

LenDescriptionByte(s)

Text String TLV

X-1Text string(Y-1)+4 to (Y-1)+X+2

1Data coding scheme(Y-1)+3YLength (=X)2 to (Y-1)+21Text string tag1

LenDescriptionByte(s)Icon Identifier TLV

1Icon identifier4

1Icon qualifier3

1Length (=02)2

1Icon identifier tag1


Immediate Response TLV

1Length (=00)2

1Immediate response tag1



Display Text (example)

Command qualifier (normal priority, clear after delay)007

Text string (“SAT”)53 41 5415 - 17

Data coding scheme (8-bit default SMS)0414

Length0413

Text string tag8D12

Destination = Display0211

Source = SIM8110

Length029

Device identities tag828

Type of command (display text)216

Command number015

Length034

Command details tag813

Length0F2

Proactive SIM command tagD01

DescriptionValueByte(s)TL

V

T

L

V

TL

V

T

L

V


Profile Download MechanismME sends to the SIM card (if Phase 2+) during initialization procedureThis profile states the facilities relevant to SIM Application Toolkit that are supported by the ME

STK commands supportedSTK events managedOptions managed

Alpha-identifier, UCS2CSD, GPRSSoft keysScreen sizing, text wrapping & scrolling


Event ManagementMenu selection

Data download to SIMSMS-PP DownloadCell Broadcast Download

Control by SIMCall controlMO SMS control

Timer expiration

Event downloadMT callCall connectedCall disconnectedLocation statusUser activityIdle screen availableCard reader statusLanguage selectionBrowser terminationData availableChannel status



Slide 47

BantryTechnologies

Java Card Enabler for SIM Card Applications

Java Card SIM API(3GPP TS 43.019)


OverviewSIM Toolkit FrameworkSIM Toolkit Management

sim.toolkit packageSIM File Management

sim.access package


SIM Toolkit FrameworkToolkit

Applet 1 Applet 2Toolkit

Applet 3 Applet n

Proactivecommand manager

GSM SIM Kernel Files

SIM API Framework

Appletinstall/uninstall

Security

Applettriggering

Applet securitymanager

Activation

Proactivecommands

P/Cresponses

InstallUninstall

APDU

Interface to terminal

APDUe.g.Envelopes

Proactive polling, 91XX, Fetch,Proactive commands,Terminal Response

Fileaccess

File access

SIM-API

…


Java Card SIM API Overview

Provides classes that enable to communicate with the Toolkit application (3GPP TS 11.14 functions), e.g. GUI management, SMS management, etc…

sim.toolkit

Provides classes that enable to communicate with the GSM application (3GPP TS 11.11 functions), mainly file management

sim.access

PackagesPackages


sim.toolkit Interfaces

ToolkitConstants encapsulates constants related to the Toolkit applets.

ToolkitConstants

ToolkitInterface must be implemented by a Toolkit applet so that it can be triggered by the Toolkit Handler

according to the registration information.

ToolkitInterface

Interface SummaryInterface Summary


sim.toolkit Classes (1/2)

The ViewHandler class offers basic services and contains basic methods to handle TLV list.

ViewHandler

The ProactiveResponseHandler class contains basic methods to handle the Terminal Response data field.

ProactiveResponseHandler

This class is the basic class for the definition of Proactive commands.

ProactiveHandler

The EnvelopeResponseHandler class contains basic methods to handle the Envelope response data field.

EnvelopeResponseHandler

The EnvelopeHandler class contains basic methods to handle the Envelope data field.

EnvelopeHandler

This class is the basic class for the construction of a list of simple TLV elements

EditHandlerClass SummaryClass Summary


sim.toolkit Classes (2/2)

The MEProfile class contains methods to question the handset profile.

MEProfile

The Registry class offers basic services and methods to allow any Toolkit applet to register its configuration during the install phase and possibly to change it during all the applet life time.

ToolkitRegistryClass SummaryClass Summary


sim.toolkit Exceptions

This exception extends the Throwable class and allows the classes of this package to throw specific exceptions in case of problems.

ToolkitExceptionException SummaryException Summary


Toolkit Registrypublic class MyToolkitApplet extends Applet implements ToolkitInterface, ToolkitConstants { private ToolkitRegistry reg; private byte[] menuEntry = { ... }; private byte menuId; public MyToolkitApplet() { reg = ToolkitRegistry.getEntry(); menuId = reg.initMenuEntry(menuEntry, (short)0, (short)menuEntry.length, PRO_CMD_SET_UP_CALL, false, 0, 0); reg.disableMenuEntry(menuId);

reg.setEvent(EVENT_FORMATTED_SMS_PP_ENV); reg.setEvent(EVENT_CALL_CONTROL_BY_SIM); } public static void install(byte bArray[], short bOffset, byte bLength) throws ISOException { MyToolkitApplet applet = new MyToolkitApplet(); applet.register(); } public void processToolkit(byte event) throws ToolkitException { if (event == EVENT_FORMATTED_SMS_PP_ENV) { reg.enableMenuEntry(menuId); } else if (event == EVENT_MENU_SELECTION) { //...


Proactive Handlerprivate static final byte MY_COMMAND = (byte)0x33;private static final byte MY_TAG = (byte)0x45;

ProactiveHandler proHdlr; proHdlr = ProactiveHandler.getTheHandler();proHdlr.init(MY_COMMAND, (byte)0, DEV_ID_ME);proHdlr.appendTLV((byte)(MY_TAG | TAG_SET_CR), (byte)0);short len = proHdlr.getLength();byte result = proHdlr.send();private byte[] text = new byte[12]; text[0] = (byte)'S'; text[1] = (byte)'A';text[2] = (byte)'T';result = proHdlr.initDisplayText((byte)0x80, DCS_8_BIT_DATA, text, (short)0, (short)3);result = proHdlr.send();


Proactive Response Handlerprivate byte[] data;data = new byte[32];

ProactiveResponseHandler ProRespHdlr; ProRespHdlr = ProactiveResponseHandler.getTheHandler();byte result = ProRespHdlr.getGeneralResult();respHdlr.findTLV(TAG_DEVICE_IDENTITIES, 1); byte sourceDev = ProRespHdlr.getValueByte((short)0); byte destinDev = ProRespHdlr.getValueByte((short)1);if (ProRespHdlr.findTLV(TAG_TEXT_STRING, (byte)1) == TLV_FOUND_CR_SET) { if ((short len = ProRespHdlr.getValueLength()) > 1) {

ProRespHdlr.copyValue((short)1, data, (short)0, (short)(len - 1));

} }


Envelope Handler private static final byte MY_TAG = (byte)0x54; private byte[] data; data = new byte[32]; void processToolkit(byte event) throws ToolkitException { // get the EnvelopeHandler system instance EnvelopeHandler theEnv = EnvelopeHandler.getTheHandler(); // look for MY_TAG TLV if (theEnv.findTLV(MY_TAG, (byte)1) != TLV_NOT_FOUND) { // check first element byte if (theEnv.getValueByte((short)0) == (byte)1) { // copy element part into data buffer theEnv.copyValue((short)1, data, (short)0, (short)(theEnv.getValueLength() - 1)); } } }


HelloWorld SIM Toolkit Appletimport javacard.framework.*;import sim.toolkit.*;public class HelloWorld

extends Applet implements ToolkitConstants, ToolkitInterface {private final byte COMMAND_QUALIFIER = (byte)0x80;private final byte[] MENU_ENTRY ={'S','e','r','v','i','c','e','1'};private final byte[] HELLO_WORLD ={'H','e','l','l','o',' ','w','o','r','l','d',' ','!'};private ToolkitRegistry registry;public HelloWorld() { registry = ToolkitRegistry.getEntry();

registry.initMenuEntry(menuEntry, (short)0,(short) MENU_ENTRY.length, PRO_CMD_DISPLAY_TEXT, false, 0, 0);

}


HelloWorld SIM Toolkit Appletpublic static void install(byte bArray[], short bOffset,

byte bLength) throws ISOException {HelloWorld applet = new HelloWorld();applet.register();

}

public void processToolkit(byte event) throws ToolkitException {

ProactiveHandler proHdlr = ProactiveHandler.getTheHandler();if (event == EVENT_MENU_SELECTION) {

proHdlr.init((byte) PRO_CMD_DISPLAY_TEXT, (byte)COMMAND_QUALIFIER, DEV_ID_ME);proHdlr.appendTLV((byte)(TAG_TEXT_STRING), HELLO_WORLD,(short)0, (short) HELLO_WORLD.length);proHdlr.send();

}}


sim.access Interfaces

SIMView is the interface between the GSM application and any SIM Toolkit applet.

SIMViewInterface SummaryInterface Summary


sim.access Classes

The Class SIMSystem provides a way to get access to the GSM file system.In any case, the SIM Toolkit applet will only access to methods of the SIMView interface. No instance of this class is needed.

SIMSystemClass SummaryClass Summary


sim.access Exceptions

SIMViewException encapsulates specific exceptions which can be generated by the methods of the SIMView interface in case of error.

SIMViewException

Exception SummaryException Summary


Exampleimport javacard.framework.*;import sim.toolkit.*;public class MyApplet extends Applet implements ToolkitInterface {

private SIMView simView;private byte[] buffer;private ToolkitRegistry registry;public MyApplet () {

registry = ToolkitRegistry.getEntry();simView = SIMSystem.getTheSIMView();buffer = new byte[32];}

public static void install(APDU apdu) throws ISOException {MyApplet applet = new MyApplet();

applet.register();}public void getADN(short adnNumber) { simView.select(SIMView.FID_EF_TELECOM); simView.select(SIMView.FID_EF_ADN); simView.readRecord((short)adnNumber, SIMView.MODE_ABSOLUTE,(short)0, buffer, (short)0, (short)32);

} }



Slide 65

BantryTechnologies

Demonstrations

VirtuoSimo Development ToolmaXim/jTOP SIM Cards



Slide 66

BantryTechnologies

Questions & Answers

[email protected]

Mobile Application Based on (U)SIM Java Card Applet Patrick Biget

Documents

Transcript of Mobile Application Based on (U)SIM Java Card Applet Patrick Biget