Tech-invite3GPPspaceIETF RFCsSIP
Quick21222324252627282931323334353637384‑5x

Content for  ETSI TS 102 221   PDF version:  17.1.0

Top   Top   Up   Prev   Next
0…   4…   5…   6…   7…   7.3…   8…   9…   10…   10.2…   11…   11.1.2…   11.1.9…   11.1.14…   11.1.19…   11.1.20…   11.1.21…   11.2…   11.3…   12…   13…   14…   15   A   B   C…   D   E…   F…   G…   H…   I   J…   K…   L…   M…

 

11.1.20  MANAGE SECURE CHANNELp. 117

11.1.20.1  General functional descriptionp. 117

This command performs the functionality specified by ETSI TS 102 484 [20] to manage APDU based secure channels.
P1 determines which sub procedure is required, the P2 parameter value meaning is specific to each P1 value. The command and response data are encapsulated in BER-TLV objects structured as defined in clause 11.3 using tag '73' for BER-TLV structured data and tag '53' otherwise.
This command can chain successive blocks of command data, if present, with a maximum size of 255 bytes each, required for one operation using P2 to indicate the first/next block. The terminal performs the segmentation of the data, and the UICC the concatenation of the data. The first MANAGE SECURE CHANNEL APDU is sent with P2 indicating "First block of command data". Following MANAGE SECURE CHANNEL APDUs are sent with P2 indicating "Next block of command data". As long as the UICC has not received all segments of the command data it shall answer with SW1 SW2 '63 F1'. When all segments of the command data are received and if the command produces a response, the UICC shall answer with SW1 SW2 '62 F3'.
The command response data is retrieved from the UICC using one or more separate MANAGE SECURE CHANNEL APDUs with the same chaining mechanism as for the command data. The UICC performs the segmentation of the data, and the terminal the concatenation of the response data. The first MANAGE SECURE CHANNEL APDU is sent with P2 indicating "First block of response data". Following MANAGE SECURE CHANNEL APDUs are sent with P2 indicating "Next block of response data". As long as the UICC has not sent all segments of the response data it shall answer with SW1 SW2 '62 F1'. When all segments of the response data are sent, the UICC shall answer with SW1 SW2 '90 00'.
The following P1 values are defined:
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
-----000Retrieve UICC Endpoints
----0001Establish SA - Master SA
----0010Establish SA - Connection SA
----0011Start Secure Channel
----0100Terminate secure channel SA
----All other valuesRFU
XXXX----RFU (shall be set to 0)
Each sub procedure indicated by P1 is defined below.
The following P2 values are defined:
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
100-----First block of command data
000-----Next block of command data
010-----Retransmit previous block of command data
101-----First block of response data
001-----Next block of response data
011-----Retransmit previous block of response data
All other values-----RFU
---XXXXXRFU (shall be set to 0)
RFU bits in P1 and P2 shall be ignored by the UICC.
Up

11.1.20.2  Retrieve UICC Endpointsp. 118

11.1.20.2.0  Introductionp. 118
Clause 11.1.20.2 defines the MANAGE SECURE CHANNEL function and coding when P1 = 'Retrieve UICC Endpoints'.
11.1.20.2.1  Functional descriptionp. 118
This command allows the terminal to retrieve a list of secure channel endpoints from the UICC as defined in ETSI TS 102 484 [20] and the maximum data container size available for the TRANSACT DATA command. In order to retrieve the end point information P2 is set to "First block of response data" or in case of the response data longer than 255 bytes following blocks are retrieved be setting P2 to "Next block of response data".
If this command is sent via any existing secure channel, then the endpoints returned shall be the end points that are currently available at the UICC end of this secure channel.
If there are endpoints available on the UICC, then an "Endpoint information" TLV shall be present for each available
endpoint.
If the remaining Response is greater than 255 bytes then the next 255 bytes shall be returned and the SW1 SW2 shall be set to "More data available".
If the remaining Response is less than or equal to 255 bytes then all of the bytes shall be returned and SW1 SW2 shall be set to "normal ending of command".
Up
11.1.20.2.2  Command parameters and datap. 118
Code Value
CLAAs specified in clause 10.1.1
INSAs specified in clause 10.1.2
P1'00'
P2 See Table 11.21b
LcNot Present
DataNot Present
LeLength of expected response data
Response data:
The UICC shall return the following data encapsulated in tag '73':
Description Tag Status
UICC_ID TLV'81'M
Endpoint information TLV'82'C
Endpoint information TLV'82'C
Endpoint information TLV'82'C
If no endpoints are available tag '82' is not returned. Multiple endpoints are indicated by multiple BER-TLV objects using tag '82'.
Coding of UICC_ID TLV:
Byte(s) Description Value Length
1Tag'81'1
2LengthX1
3 to 3+XUICC_IDX
Coding of UICC_ID:
This shall be a unique value that identifies that UICC. This shall be the ICCID as defined for EFICCID.
Endpoint information TLV:
This TLV contains the identity and type for an available endpoint.
Byte(s) Description Value Length
1Tag'82'1
2Length7+X1
3Endpoint type1
4 to 7Endpoint Secure channel capability4
8 to 9Endpoint Port number2
10 to 10+XEndpoint identifierX
Coding of Endpoint type value:
  • '01' = "Platform level secure channel endpoint".
  • '02' = "Application level secure channel endpoint".
Coding of Endpoint Secure channel capability value:
Byte 1:
Transport support
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
-------1Accessible via APDU interface
------1-Accessible via USB IP interface
-----1--Accessible via BIP IP interface
XXXXX---RFU
Byte 2:
Supported secure channel types
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
-------1TLS
------1-Ipsec
-----1--APDU secure channel
----1---Proprietary type known to both parties
--00----No information given
--01----Two connection Sas supported concurrently
--10----Three connection Sas supported concurrently
--11----Four connection Sas supported concurrently
1-------Secure channel required for all communication to this endpoint
-X------RFU
Byte 3:
Supported key agreement methods
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
-------1Strong Preshared Keys - GBA
------1-Strong Preshared Keys - Proprietary Pre agreed keys
-----1--Weak Preshared Keys - Proprietary Pre agreed keys
----1---Certificate exchange
XXXX----RFU
Byte 4:
indicates the maximum data container size - this is the maximum container size that can be indicated in the Endpoint data container size BER-TLV in the MANAGE SECURE CHANNEL - Start Secure Channel for this endpoint. The coding is hexadecimal.
Coding of the Endpoint Port Number:
If the Endpoint Secure channel capability indicates support of TLS then the endpoint port number shall be the hex coded value of the TCP port to be used else this shall be set to 'FFFF'.
Coding of the Endpoint identifier value:
The endpoint identifier shall be the AID value of the application that hosts the endpoint. See ETSI TS 101 220 [3].
Up

11.1.20.3  Establish SA - Master SAp. 120

11.1.20.3.0  Introductionp. 120
Clause 11.1.20.3 defines the MANAGE SECURE CHANNEL function and coding when P1 = 'Establish SA - Master SA'.
11.1.20.3.1  Functional descriptionp. 120
This command allows the terminal to establish a Master SA with the UICC as defined in ETSI TS 102 484 [20].
11.1.20.3.2  Command parameters and datap. 120
The command data is sent to the UICC using P2='80' and the response data is retrieved using P2='A0'. The command and response data is encapsulated using tag '73'.
If P2 is set to " First block of command data" or " Next block of command data".
Code Value
CLAAs specified in clause 10.1.1
INSAs specified in clause 10.1.2
P1'01'
P2 See Table 11.21b
LcLength of subsequent data field
Data As specified in Table 11.23
LeNot Present
If P2 is set to " First block of response data" or "Next block of response data".
Code Value
CLAAs specified in clause 10.1.1
INSAs specified in clause 10.1.2
P1'01'
P2 See Table 11.21b
LcNot present
DataNot present
LeLength of the response data
Command data:
Description Tag Status
Key Agreement Mechanism tag'87'M
Term label - Terminal_ID tag'83'M
Term label - Terminal_appli_ID tag'84'M
Term label - UICC_Identifier tag'85'M
Term label - UICC_appli_ID'86'M
  • This BER-TLV data object contains the available Key Agreement Mechanisms. Coding of Key Agreement Mechanism BER-TLV tag '87'.
Byte(s) Description Value Length
1Tag'87'1
2LengthX1
3 to 3+XAvailable Key Agreement MechanismX
NOTE:
In the present document only the first byte is defined, see below.
  • Coding of Byte 1 - Supported key agreement methods:
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
-------1Strong Preshared Keys - GBA
------1-Strong Preshared Keys - Proprietary Pre agreed keys
-----1--Weak Preshared Keys - Proprietary Pre agreed keys
----1---Certificate exchange
XXXX----RFU
  • Coding of Term label - Terminal_ID BER-TLV, tag '83':
Byte(s) Description Value Length
1Tag'83'1
2LengthX1
3 to 3+XTerminal_IDX
  • Coding of Terminal_ID:
    • This shall be a unique value that identifies that terminal. This may be the IMEI as defined in TS 24.008.
  • Coding of Term label - Terminal_appli_ID BER-TLV, tag '84':
Byte(s) Description Value Length
1Tag'84'1
2LengthX1
3 to 3+XTerminal_appli_IDX
  • Coding of Terminal_appli_ID:
    • This shall be a value that identifies the application in that terminal that hosts the terminal endpoint. This value shall uniquely identify an application within the terminal.
  • Coding of Term label - UICC_Identifier BER-TLV, tag '85':
Byte(s) Description Value Length
1Tag'85'1
2LengthX1
3 to 3+XUICC_IdentifierX
  • Coding of UICC_ID:
    • This shall be a unique value that identifies that UICC. This shall be the ICCID as defined for EFICCID.
  • Coding of Term label - UICC_appli_ID BER-TLV, tag '86':
Byte(s) Description Value Length
1Tag'86'1
2LengthX1
3 to 3+XUICC_appli_IDX
  • Coding of UICC_appli_ID:
    • This shall be the AID of the application in that UICC that hosts the UICC endpoint. See ETSI TS 101 220 [3].
Response data:
Description Tag Status
Key Agreement Mechanism tag'87'M
MSA_ID tag'88'M
  • Coding Key agreement mechanism to be used tag '87':
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
-------1Strong Preshared Keys - GBA
------1-Strong Preshared Keys - Proprietary Pre agreed keys
-----1--Weak Preshared Keys - Proprietary Pre agreed keys
0---1---Certificate exchange
1-------Pre shared key exists
-XXX----RFU
  • Coding of MSA_ID BER-TLV, tag '88':
Up

11.1.20.4  Establish SA - Connection SAp. 122

11.1.20.4.0  Introductionp. 122
This clause defines the MANAGE SECURE CHANNEL function and coding when P1 = 'Establish SA - Connection_SA'.
11.1.20.4.1  Functional descriptionp. 122
This command allows the terminal to establish a Connection SA with the UICC as defined in ETSI TS 102 484 [20].
11.1.20.4.2  Command parameters and datap. 122
The command data is sent to the UICC using P2='80' and the response data is retrieved using P2='A0'. The command and response data is encapsulated using tag '73'.
If P2 is set to "First block of command data" or "Next block of command data":
Code Value
CLAAs specified in clause 10.1.1
INSAs specified in clause 10.1.2
P1'02'
P2 See Table 11.21b
LcLength of subsequent data field
Data As specified in Table 11.23
LeNot present
If P2 is set to " First block of response data" or " Next block of response data":
Code Value
CLAAs specified in clause 10.1.1
INSAs specified in clause 10.1.2
P1'02'
P2 See Table 11.21b
LcNot present
DataNot present
LeLength of the response data
Command data:
Description Tag Status
Algorithm and integrity tag'89'M
MSA_ID tag'88'M
Tnonce tag'8A'M
  • Coding of Algorithm and Integrity BER-TLV, tag '89':
  • Coding of Byte 1 - Supported Ciphering Algorithms TSCA:
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
-------1 3DES - outer CBC using 2 keys as defined in ETSI TS 102 225 [21]
------1- 3DES - outer CBC using 3 keys as defined in ETSI TS 102 225 [21]
-----1-- 128-bit AES in CBC mode as defined in ETSI TS 102 225 [21]
1-------Proprietary algorithm (known to both parties)
-XXXX---RFU
  • Coding of Byte 2 - Supported Integrity mechanisms TSIM:
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
-------1 CRC32 as defined in ETSI TS 102 225 [21]
------1- MAC algorithm 3 using block cipher DES and padding method 1 as defined in ISO/IEC 9797-1 [31] without MAC truncation. See ETSI TS 102 484 [20]
-----1-- 128-bit AES in CMAC mode as defined in ETSI TS 102 225 [21]
1-------Proprietary mechanism (known to both parties)
-XXXX---RFU
  • Coding of MSA_ID BER TLV, tag '88':
  • Coding of Tnonce BER_TLV, tag '8A':
Response data:
Description Tag Status
Algorithm and integrity BER-TLV'89'M
CSA_ID BER-TLV'8B'M
Unonce BER-TLV'8C'M
CSAMAC BER-TLV'8F'M
  • Coding of Algorithm and Integrity BER-TLV, tag '89':
  • Coding of Byte 1 - Ciphering Algorithm (UCA):
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
-------1 3DES - outer CBC using 2 keys as defined in ETSI TS 102 225 [21]
------1- 3DES - outer CBC using 3 keys as defined in ETSI TS 102 225 [21]
-----1-- 128-bit AES in CBC mode as defined in ETSI TS 102 225 [21]
1-------Proprietary algorithm (known to both parties)
-XXXX---RFU
  • Coding of Byte 2 - Integrity mechanism (UIM):
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
-------1 CRC32 as defined in ETSI TS 102 225 [21]
------1- MAC algorithm 3 using block cipher DES and padding method 1 as defined in ISO/IEC 9797-1 [31] without MAC truncation. See ETSI TS 102 484 [20]
-----1-- 128-bit AES in CMAC mode as defined in ETSI TS 102 225 [21]
1-------Proprietary mechanism (known to both parties)
-XXXX---RFU
  • Coding of CSA_ID BER-TLV, tag '8B':
  • Coding of Unonce BER-TLV, tag '8C':
Up

11.1.20.5  Establish SA - Start Secure Channelp. 124

11.1.20.5.0  Introductionp. 124
This clause defines the MANAGE SECURE CHANNEL function and coding when P1 = 'Establish SA - Start Secure Channel'.
11.1.20.5.1  Functional descriptionp. 124
This command allows the terminal to secure a logical channel with the UICC as defined in ETSI TS 102 484 [20]. For a platform to platform secure channel, this command shall only be used on logical channel 0. It contains the final part of the authenticated handshake for the MANAGE SECURE CHANNEL - 'Establish SA - Connection_SA' command.
11.1.20.5.2  Command parameters and datap. 124
The command data is sent to the UICC using P2='80' and the response data is retrieved using P2='A0'. The command data is encapsulated using tag '73' and the response data is encapsulated using tag '53'.
If P2 is set to "First block of command data" or "Next block of command data":
Code Value
CLAAs specified in clause 10.1.1
INSAs specified in clause 10.1.2
P1'03'
P2 See Table 11.21b
LcLength of subsequent data field
Data As specified in Table 11.23
LeNot present
If P2 is set to "First block of response data" or "Next block of response data":
Code Value
CLAAs specified in clause 10.1.1
INSAs specified in clause 10.1.2
P1'03'
P2 See Table 11.21b
LcNot present
DataNot present
LeLength of the response data
Command data:
Description Tag Status
Algorithm and integrity tag'89'M
CSA_ID tag'8B'M
SSCMAC tag'8D'M
Endpoint data container size tag'8E'M
  • Coding of Algorithm and Integrity BER-TLV, tag '89':
  • Coding of Byte 1 - Ciphering Algorithm (UCA):
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
-------1 3DES - outer CBC using 2 keys as defined in ETSI TS 102 225 [21]
------1- 3DES - outer CBC using 3 keys as defined in ETSI TS 102 225 [21]
-----1-- 128-bit AES in CBC mode as defined in ETSI TS 102 225 [21]
1-------Proprietary algorithm (known to both parties)
-XXXX---RFU
Only one bit shall be indicated.
  • Coding of Byte 2 - Integrity mechanism (UIM):
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
-------1 CRC32 as defined in ETSI TS 102 225 [21]
------1- MAC algorithm 3 using block cipher DES and padding method 1 as defined in ISO/IEC 9797-1 [31] without MAC truncation. See ETSI TS 102 484 [20]
-----1-- 128-bit AES in CMAC mode as defined in ETSI TS 102 225 [21]
1-------Proprietary mechanism (known to both parties)
-XXXX---RFU
Only one bit shall be indicated.
  • Coding of CSA_ID BER-TLV, tag '8B':
  • Coding of SSCMAC BER-TLV, tag '8D':
    • 16 byte hex value. See ETSI TS 102 484 [20].
  • Coding of the Endpoint data container size BER-TLV, tag '8E':
    • This is the length of the value part of the secure channel data TLV specified for the TRANSACT DATA command. The data container size set by the terminal shall be less or equal to the value indicated in the BER-TLV object returned with Tag '82' returned by the Retrieve UICC Endpoints command.
Response data:
The response data is encapsulated in BER-TLV using tag '53'.
b8 b7 b6 b5 b4 b3 b2 b1 Meaning
XX------Session number
--000000RFU
In the TRANSACT DATA command the session number shall be associated with the Endpoint data container size for the secure channel started with this command.
Up

11.1.20.6  Terminate Secure Channel SAp. 126

11.1.20.6.0  Introductionp. 126
This clause defines the MANAGE SECURE CHANNEL function and coding when P1 = "Terminate secure channel SA".
11.1.20.6.1  Functional descriptionp. 126
This command allows the terminal to terminate one or several secure channel Security Association(s) with the UICC as defined in ETSI TS 102 484 [20]. In case the MAC provided by the terminal is incorrect, the UICC shall indicate the error by returning SW1 SW2 '98 62'. Attempts to terminate a non-existing Security Association shall be indicated with a success status word. Failure to terminate one or more Security Association(s) shall be indicated with an error status word.
Up
11.1.20.6.2  Command parameters and datap. 126
The command data is sent to the UICC using P2='80' and the response data is retrieved using P2='A0'. The command and response data are encapsulated using tag '73'.
If P2 is set to "First block of command data" or "Next block of command data":
Code Value
CLAAs specified in clause 10.1.1
INSAs specified in clause 10.1.2
P1'04'
P2 See Table 11.21b
LcLength of subsequent data field
Data As specified in Table 11.23
LeNot present
If P2 is set to "First block of response data" or "Next block of response data":
Code Value
CLAAs specified in clause 10.1.1
INSAs specified in clause 10.1.2
P1'04'
P2 See Table 11.21b
LcNot present
DataNot present
LeLength of the response data
Command data:
Description Tag Status
Master_SA (MSA)_ID tag'88'C
Connection_SA (CSA) ID tag'8B'C
Connection_SA (CSA) ID tag'8B'C
The command data shall contain either a Master_SA TLV only or a list of Connection_SA TLVs associated to the same MSA. The UICC may reject the command when issued with a list of unrelated CSAs.
  • Coding of Master_SA BER-TLV, tag '88':
Byte(s) Description Value Length
1Tag'88'1
2Length321
3MSA_ID16
19MAC16
  • Coding of MSA_ID:
  • Coding of Connection_SA BER-TLV, tag '8B':
  • Byte(s) Description Value Length
    1Tag'8B'1
    2Length321
    3CSA_ID16
    19MAC16
    • Coding of CSA_ID:
    Response data:
    • None.
    Up

    Up   Top   ToC