Feeds

Mind out, Apple: Ericsson leads charge against the SIM

Gemalto pitches in to manage the machines

Intelligent flash storage arrays

Gemalto and Ericsson have partnered to create SIM-less mobile phones aimed at machines rather than people - though the technology and techniques developed will be well-received in Cupertino.

The partnership will create a provisioning system to allow things (cars, electricity meters, etc) to be fitted with an embedded mobile phone*, without knowing the network on which it's going to operate, or even in which country it will be used. Gemalto, meanwhile, will kick in the secure provisioning system which will make the removable SIM redundant.

European mobile phones are required to conform to the GSM standard, which mandates a removable SIM so customers can easily switch networks, but Apple has been (successfully) leading a project to extend the standard to encompass embedded SIMs. Such SIMs could change network operators, letting Apple sell connectivity in the iTunes store and car buyers to select a mobile network** on first turn of the key.

Doing that in a secure way is hard, and replicating the long-term success of the removable SIM will be very tough.

Each GSM SIM stores a different secret key, which is replicated in the Authentication Server at the network operator. The key is never transmitted and can't be extracted from the SIM without an enormous amount of effort, and physical access. That shared secret is used to create matching "session" keys with which GSM communication is secured, and those session keys have been broken from time to time, but the shared-secret authentication made possible by the SIM remains secure.

Shared secret is always the best cryptography, assuming the secret can't be intercepted. Dual-key systems (such as RSA or ECC) only exist because of the difficulties in distributing a shared-secret, and such systems are only used in order to safely create a shared secret.

The removable SIM solves this problem by sending the secret in a secure package (the SIM) over a separate communications medium (the post), removing the need for more complicated solutions.

So an operator-independent SIM will have two options: store a shared secret for each network operator, and select which one based on user choice, or store a shared secret from a third party such as Gemalto, or Apple, then use that secret to encrypt the selected operator's secret on request.

The latter solution is better as it offers more flexibility and wider application, but it requires the network operators to share some secrets with that third party, and that is an enormous favour to ask. It's hard to imagine the operators agreeing to share secrets with anyone, but Gemalto is already providing the SIMs to many of them (and thus responsible for programming the secrets into those SIMs) so if they'd trust anyone then it would be Gemalto.

But it never pays to underestimate how craven the operators can be when confronted with iShiny, so where machines lead so human customers will likely follow. ®

* Technically the eUICC (embedded Universal Integrated Circuit Card) does perform the functions of a SIM, but through a chip soldered on the handset's motherboard rather than a detachable, removable unit.

** All new European cars will need a mobile network within two years, to conform with eCall legislation. ®

Beginner's guide to SSL certificates

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Broadband sellers in the UK are UP TO no good, says Which?
Speedy network claims only apply to 10% of customers
Virgin Media struck dumb by NATIONWIDE packet loss balls-up
Turning it off and on again fixes glitch 12 HOURS LATER
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.