
Content for  TS 33.110  Word version:  17.0.0

0  Introduction

The smart card is a tamper-resistant device whose primary role is to store credentials and to perform sensitive cryptographic computations; it also makes the user credentials portable. The smart card is rarely a stand-alone device; it usually interacts with a terminal. Sensitive applications are often split between a smart card and a terminal, with sensitive data exchanged between the two. Several standardization groups have therefore identified the need to establish a secure channel between a UICC and a terminal that either hosts the UICC or is connected to the device hosting the UICC via a local interface, in order to protect the communication between the UICC and the terminal.
This document describes key establishment between a UICC and a terminal.

1  Scope

The present document describes the security features and mechanisms used to provision a shared key between a UICC and a terminal that either hosts the UICC or is connected to the device hosting the UICC via a local interface. Candidate applications for this key establishment mechanism include, but are not restricted to, the secure channel between a UICC and a terminal specified in ETSI TS 102 484 [8].
The scope of this specification covers an architecture overview and the detailed procedure for establishing the shared key between the UICC and the terminal.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]  TR 21.905: "Vocabulary for 3GPP Specifications".
[2]  TS 31.101: "UICC-terminal interface; Physical and logical characteristics".
[3]  TS 33.220: "Generic Authentication Architecture (GAA); Generic bootstrapping architecture".
[4]  TS 22.259: "Service requirements for Personal Network Management (PNM); Stage 1".
[5]  Void.
[6]  Void.
[7]  TS 33.222: "Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)".
[8]  ETSI TS 102 484: "Smart Cards; Secure Channel between a UICC and an end-point Terminal".
[9]  TS 24.008: "Mobile radio interface Layer 3 specification; Core network protocols; Stage 3".
[10]  NIST, FIPS PUB 180-2: "Secure Hash Standard (SHS)".
[11]  RFC 4634 (2006): "US Secure Hash Algorithms (SHA and HMAC-SHA)".
[12]  RFC 2104 (1997): "HMAC: Keyed-Hashing for Message Authentication".
[13]  TR 33.905: "Recommendations for Trusted Open Platforms".
[14]
[15]  TCG Trusted Network Connect (TNC) Specifications, https://www.trustedcomputinggroup.org/specs/TNC.
[16]  TS 29.109: "Generic Authentication Architecture (GAA); Zh and Zn Interfaces based on the Diameter protocol; Stage 3".
[17]  RFC 2616 (1999): "Hypertext Transfer Protocol -- HTTP/1.1".
[18]  Void.
[19]  Void.
[20]  TS 33.310: "Network Domain Security (NDS); Authentication Framework (AF)".

3  Definitions, symbols and abbreviations

3.1  Definitions

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
NAF Key Center:
Dedicated NAF in charge of performing the key establishment between a UICC and a Terminal.
UICC Hosting Device:
The entity that is physically connected to the UICC. The UICC Hosting Device may be the MT or the ME.
Terminal:
For the purposes of the present document, the term Terminal denotes a trusted device that can establish a shared key with a UICC. Terminal is a generic term covering both the scenario where it is part of the UICC Hosting Device and the scenario where it is a physically separate component (e.g. a PNE as defined in TS 22.259).
Remote Terminal:
A Terminal that is physically separated from the UICC Hosting Device.
ICCID:
ICCID is the identifier of the smart card. ICCID is defined in an ITU standard and is encoded as a 10-octet string.
Terminal_appli_ID:
Identifies an application in a Terminal. Terminal_appli_ID is an octet string of at most 32 octets. If an application identifier is longer than 32 octets, it should be hashed with SHA-256 [10] into a 32-octet string, which is then used as the Terminal_appli_ID.
Terminal_ID:
Uniquely identifies the Terminal and is 10 octets long. The Terminal_ID of an ME is the IMEI and shall be encoded using BCD coding as defined in clause 10.5.1.4 of TS 24.008.
UICC_appli_ID:
Uniquely identifies an application in the UICC. The UICC_appli_ID is an octet string of at most 16 octets.
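The identifier rules above are the part of this clause that an implementer actually has to get right, so the following added example (not code from TS 33.110 or from 3GPP) shows them in Python: normalizing a Terminal_appli_ID (SHA-256 when the raw identifier exceeds 32 octets), bounding a UICC_appli_ID to 16 octets, and BCD-encoding an IMEI in the Mobile Identity digit layout of TS 24.008 clause 10.5.1.4 (digit 1 in the upper nibble of the first octet, odd/even indicator in bit 4, type of identity 010 for IMEI, then digit pairs with the lower-numbered digit in the low nibble). That layout yields 8 identity octets for a 15-digit IMEI; how those are framed into the 10-octet Terminal_ID is not specified on this page, so the example stops at the digit encoding. The sample IMEI is a constructed value.

```python
import hashlib

# Length limits from the definitions in TS 33.110 clause 3.1.
TERMINAL_APPLI_ID_MAX = 32
UICC_APPLI_ID_MAX = 16
# "type of identity" value for IMEI in the Mobile Identity IE, TS 24.008 10.5.1.4.
TYPE_OF_IDENTITY_IMEI = 0b010


def terminal_appli_id(app_identifier: bytes) -> bytes:
    """Return the Terminal_appli_ID for a raw application identifier.

    Identifiers of at most 32 octets are used unchanged; longer ones are
    replaced by their SHA-256 digest, which is exactly 32 octets.
    """
    if len(app_identifier) <= TERMINAL_APPLI_ID_MAX:
        return app_identifier
    return hashlib.sha256(app_identifier).digest()


def uicc_appli_id(app_identifier: bytes) -> bytes:
    """Validate a UICC_appli_ID: at most 16 octets, no hashing rule is defined."""
    if len(app_identifier) > UICC_APPLI_ID_MAX:
        raise ValueError("UICC_appli_ID exceeds 16 octets")
    return app_identifier


def imei_mobile_identity_bcd(imei: str) -> bytes:
    """BCD-encode an IMEI as the identity digits of TS 24.008 10.5.1.4.

    Octet 1: digit 1 in bits 8-5, odd/even indicator in bit 4 (1 = odd
    number of digits), type of identity in bits 3-1.
    Octets 2..n: next digit in bits 4-1, the digit after it in bits 8-5;
    an even digit count would leave the last high nibble as filler 1111.
    A 15-digit IMEI therefore encodes to 8 octets.
    """
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be exactly 15 decimal digits")
    digits = [int(c) for c in imei]
    odd = len(digits) % 2  # 1 for an IMEI
    out = bytearray([(digits[0] << 4) | (odd << 3) | TYPE_OF_IDENTITY_IMEI])
    rest = digits[1:]
    for i in range(0, len(rest), 2):
        low = rest[i]
        high = rest[i + 1] if i + 1 < len(rest) else 0xF  # filler, unused for IMEI
        out.append((high << 4) | low)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    print(terminal_appli_id(b"short.app").hex())
    print(terminal_appli_id(b"a" * 40).hex())            # 32-octet SHA-256 digest
    print(imei_mobile_identity_bcd("490154203237518").hex())  # 4a09512430325781
```

Running the block prints the hashed and unhashed forms of two constructed application identifiers and the 8 BCD octets of the constructed IMEI; the odd/even bit and type-of-identity field live in the first octet, so a decoder can recover the digit count and identity type before reading the digit pairs.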

3.2  Symbols

For the purposes of the present document, the following symbols apply:
||
Concatenation

3.3  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
B-TID
Bootstrapping Transaction Identifier
BSF
Bootstrapping Server Function
GBA
Generic Bootstrapping Architecture
GBA_ME
ME-based GBA
GBA_U
GBA with UICC-based enhancements
ICCID
Integrated Circuit Card Identification
KDF
Key Derivation Function
Ks_ext_NAF
Derived key in GBA_U
Ks_int_NAF
Derived key in GBA_U, which remains on UICC
Ks_local
Derived key, which is shared between a Terminal and a UICC
NAF
Network Application Function
MAC
Message Authentication Code
PNE
Personal Network Element
SLF
Subscriber Locator Function
USS
User Security Setting