Mind out, Apple: Ericsson leads charge against the SIM

Gemalto pitches in to manage the machines

Gemalto and Ericsson have partnered to create SIM-less mobile phones aimed at machines rather than people - though the technology and techniques developed will be well-received in Cupertino.

The partnership will create a provisioning system to allow things (cars, electricity meters, etc) to be fitted with an embedded mobile phone*, without knowing the network on which it's going to operate, or even in which country it will be used. Gemalto, meanwhile, will kick in the secure provisioning system which will make the removable SIM redundant.

European mobile phones are required to conform to the GSM standard, which mandates a removable SIM so customers can easily switch networks, but Apple has been (successfully) leading a project to extend the standard to encompass embedded SIMs. Such SIMs could change network operators, letting Apple sell connectivity in the iTunes store and letting car buyers select a mobile network** on first turn of the key.

Doing that in a secure way is hard, and replicating the long-term success of the removable SIM will be very tough.

Each GSM SIM stores a different secret key, which is replicated in the Authentication Server at the network operator. The key is never transmitted and can't be extracted from the SIM without an enormous amount of effort, and physical access. That shared secret is used to create matching "session" keys with which GSM communication is secured, and those session keys have been broken from time to time, but the shared-secret authentication made possible by the SIM remains secure.

Shared secret is always the best cryptography, assuming the secret can't be intercepted. Dual-key systems (such as RSA or ECC) only exist because of the difficulties in distributing a shared secret, and such systems are only used in order to safely create a shared secret.

The removable SIM solves this problem by sending the secret in a secure package (the SIM) over a separate communications medium (the post), removing the need for more complicated solutions.

So an operator-independent SIM will have two options: store a shared secret for each network operator, and select which one based on user choice, or store a shared secret from a third party such as Gemalto, or Apple, then use that secret to encrypt the selected operator's secret on request.

The latter solution is better as it offers more flexibility and wider application, but it requires the network operators to share some secrets with that third party, and that is an enormous favour to ask. It's hard to imagine the operators agreeing to share secrets with anyone, but Gemalto is already providing the SIMs to many of them (and thus responsible for programming the secrets into those SIMs) so if they'd trust anyone then it would be Gemalto.
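The second option above, as an added example (not code from Gemalto, Ericsson or the article): a third party wraps the operator's secret under the secret it already shares with the embedded chip, after which chip and operator run the shared-secret challenge-response described earlier. HMAC-SHA256 stands in for both the key-wrap cipher and the GSM authentication algorithms, and all function names and keys are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: an assumed stand-in for a real key-wrap cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap_operator_key(provisioning_key: bytes, operator_key: bytes) -> bytes:
    """Third party encrypts the operator's secret for one specific chip."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(provisioning_key, nonce, len(operator_key))
    ct = bytes(a ^ b for a, b in zip(operator_key, stream))
    tag = hmac.new(provisioning_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_operator_key(provisioning_key: bytes, blob: bytes) -> bytes:
    """Chip verifies the blob before installing the operator's secret."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(provisioning_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("provisioning blob failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(provisioning_key, nonce, len(ct))))

def respond(secret: bytes, challenge: bytes) -> tuple:
    """Return (response, session_key); the secret itself is never transmitted.
    Sizes mirror GSM's 32-bit response and 64-bit session key."""
    response = hmac.new(secret, b"auth" + challenge, hashlib.sha256).digest()[:4]
    session_key = hmac.new(secret, b"session" + challenge, hashlib.sha256).digest()[:8]
    return response, session_key

def demo() -> bool:
    provisioning_key = secrets.token_bytes(32)  # constructed: shared by chip and third party
    operator_key = secrets.token_bytes(16)      # constructed: held by operator's auth server
    blob = wrap_operator_key(provisioning_key, operator_key)  # delivered over the air
    chip_key = unwrap_operator_key(provisioning_key, blob)    # installed in the embedded SIM
    challenge = secrets.token_bytes(16)                       # sent in the clear by the network
    chip_resp, chip_session = respond(chip_key, challenge)
    net_resp, net_session = respond(operator_key, challenge)
    return hmac.compare_digest(chip_resp, net_resp) and chip_session == net_session

if __name__ == "__main__":
    print("authenticated with matching session keys:", demo())
```

The third party necessarily sees `operator_key` in the clear when it calls `wrap_operator_key`, which is the secret-sharing the operators are being asked to accept.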

But it never pays to underestimate how craven the operators can be when confronted with iShiny, so where machines lead so human customers will likely follow. ®

* Technically the eUICC (embedded Universal Integrated Circuit Card) does perform the functions of a SIM, but through a chip soldered on the handset's motherboard rather than a detachable, removable unit.

** All new European cars will need a mobile network within two years, to conform with eCall legislation. ®
