USIM-RN and USIM-INI are used for Relay Node network connections establishment. USIM-INI, if present on the UICC, and USIM-RN include at least all mandatory files defined for a USIM in the present document, with the exception of files related to emergency calls. USIM-INI is only required in case of a certificate based solution as described in TS 33.401. For the certificate-based solution, the UICC shall support BIP-UICC server mode (see TS 31.111) and may support the Inter-Chip USB UICC/terminal interface (see TS 31.101) to perform the TLS handshake. The USIM-RN is used to ensure a one to one binding with the Relay Node. The security architecture for Relay Nodes is defined in TS 33.401.

Application selection is performed according to the procedures defined in clause 5.1.1.1. The following provisions apply: When using pre-shared keys, only a USIM-RN is required, and the Relay Node will establish directly a secure channel with USIM-RN. It is assumed that the Relay Node knows the "3G application code" within the PIX value reserved for 3GPP USIM-RN. When using certificate based procedure, the UICC inserted in the Relay Node shall contains two USIMs, the USIM-RN and USIM-INI. In case initial provisioning is required, the Relay Node will first select USIM-INI, either by direct application selection or by use of the EF_DIR file.

1. Direct application selection: with full or with partial AID. It is assumed that the Relay Node knows the "3G application code" within the PIX value reserved for 3GPP USIM-INI.
2. By use of the EF_DIR file: The Relay Node identifies the USIM-INI, which is characterised by an AID with a "3G application code" within the PIX value reserved for 3GPP USIM-INI, see TS 31.101, and selects the USIM-INI by AID. The AID of the USIM-RN is characterised by an AID with a "3G application code" within the PIX value reserved for 3GPP USIM-RN, see TS 31.101. If the only applications present in EF_DIR are a USIM-RN and a USIM-INI, the terminal omits user presentation and proceeds to application selection.

The USIM applications USIM-INI and USIM-RN are not simultaneously active. USIM-INI is used to establish an initial network connection and USIM-INI is deactivated once the network related operations are finished. USIM-INI is deactivated prior to activating USIM-RN. USIM-INI may be selected on any logical channel, see TS 31.101. Prior to selecting USIM-RN a new logical channel shall be opened using the MANAGE CHANNEL command as specified in TS 31.101, an application to application secure channel can only be established on a logical channel different from channel 0. USIM-RN is then selected on the new logical channel. USIM-RN shall be configured to support implicit and explicit application selection. The Relay Node will first select USIM-INI, according to the application selection mechanisms specified in TS 31.101. When the USIM-RN is selected explicitly, the Relay Node shall send a SELECT by AID APDU command in clear text prior to secure channel establishment. The implicit selection mechanism is performed by specifying USIM-RN AID in the MANAGE SECURE CHANNEL - Establish Master SA command.

The USIM-RN shall allow communication only via "Secured APDU" secure channel as defined in ETSI TS 102 484 [66]. In case the certificate based solution is used, the UICC inserted in the Relay Node shall contain two USIMs, USIM-RN and USIM-INI. A TLS handshake shall be used to provide key material for the Master SA for the secured APDU protocol, according to ETSI TS 102 484 [66].

The Relay Node may limit the set of APDU commands encapsulated in TRANSACT DATA command to the strict minimum (READ BINARY, READ RECORD, SELECT, STATUS, UPDATE BINARY, UPDATE RECORD, AUTHENTICATE). The Relay Node and the UICC shall support letter class 'e' toolkit commands for BIP, see TS 31.111. In order to support toolkit the TERMINAL PROFILE, TERMINAL RESPONSE, ENVELOPE and FETCH commands need to be supported. These commands are not issued on the secure channel. According to TS 31.111, USAT commands shall be sent on logical channel 0.

If the UICC supports the certificate based procedure, the UICC shall be provisioned with the UICC certificate and the root certificate. The UICC certificate, which is used as a server certificate in the TLS handshake, is stored in EFCERT in USIM-INI as it needs to be accessed by the RN for reading the CRL distribution point before establishing the secure channel, for details cf. TS 33.401. The root certificate, which is used to verify the RN certificate in the TLS handshake, is only needed for UICC-internal purposes and need not be stored in an EF.