White Paper

Smart Card Web Server—

Merging the SIM and the
World Wide Web
Contents

1 Executive Summary .............................................................................. 3

2 Introduction ......................................................................................... 4

3 Use Cases ............................................................................................ 5

4 SCWS Technology Overview................................................................. 8

5 SCWS Standardization ....................................................................... 10

6 SCWS Administration......................................................................... 11

7 Glossary ............................................................................................. 13

8 About Giesecke & Devrient ................................................................ 14

-2-
1 Executive Summary
For 15 years, the SIM card has been an important component in the world of mobile
communications. It is unique in taking over the global market as the one
exchangeable authentication token in GSM and UMTS networks. In the past few
years, the (U)SIM has been enhanced by many more functionalities than simple user
authentication. The (U)SIM has evolved to become a central medium for the storage
and administration of user data in the provider network. Moreover, the SIM has
been enabled to exchange information directly with the mobile phone user and the
provider network using additional mechanisms like the Card Application Toolkit
(CAT) and Over the Air (OTA) communication.
The next step to improve integration of (U)SIMs in the provider network and mobile
equipment is imminent. Giesecke & Devrient’s innovative GalaxSIM® and ProxSIM®
product lines support standard Web technologies like HTML (hypertext markup
language) pages and HTTP (hypertext transfer protocol).
Interaction among the (U)SIM, end user, and mobile phone network can be
significantly enhanced by bringing Internet technologies to the new (U)SIMs offered
by Giesecke & Devrient. On the user side, a Web look and feel simplifies information
exchange. For example, users browse a phone book or FAQ list based on HTML
pages stored directly on the Smart Card Web Server (SCWS) hosted on the (U)SIM.
On the provider side, an HTTP-based update mechanism simplifies the exchange of
content with previously issued (U)SIMs.
In conjunction with the Internet technology on smart cards, the variety of different
data types stored on the (U)SIM and delivered by the SCWS is increasingly
considerably. Moreover, the SIM can be responsible for protecting countless data
such as music, video clips, purchased ring tones, personal data, and access
information for various mobile services. In conjunction with these new technologies,
G&D has the following vision:

The (U)SIM will be an Internet-enabled network node seamlessly

integrated into other IP networks. The (U)SIM is the link that
creates confidence among the mobile phone user, the network
operator, and services providers in the operator’s network.

-3-
2 Introduction
The mobile telecommunications industry has recently opened up an interesting level
of service for subscribers. Multimedia features in new handsets, such as high
resolution displays and the availability of HTTP browsers, in combination with higher
network bandwidths have led to new challenges for network operators. Subscribers
want a suitable phone and an interesting service portfolio at a reasonable price. To
achieve this, an SCWS can offer new services, while the Internet-enabled (U)SIM can
secure additional services offered by (Internet) servers on the provider network.
Moreover, the bandwidth of the traditional smart card protocol T=0 appears to limit
the usability of new IP-based services, and there is a need for a new high-speed
protocol between the handset and (U)SIM. The ETSI has selected USB 2.0 Interchip
in full speed mode as the future smart card protocol.
The basic functionality of a Web server is the delivery of Web pages using HTTP
protocol. This is the same for an SCWS. However, unlike a regular Web server, the
SCWS offers two possible bearers as transport protocols for the HTTP protocol. One
is the T=0 protocol with a BIP interface layer. The other is a full TCP/IP stack built on
top of the USB 2.0 full speed interface.

For legacy reasons, HTTP data, which is exchanged between a mobile phone
browser and an SCWS, can be transmitted over the traditional serial smart card
interface according ISO/IEC 7816. This enables the BIP (bearer independent protocol)
to be used in a special server mode, which can be easily implemented in the mobile
phone firmware.

-4-
In the future, BIP will increasingly be replaced by handsets using a broadband full
speed USB interface for transferring HTTP data over a TCP/IP stack implemented in
the smart card. But the new high-speed interface will also entail a change in the
mobile phone hardware. Therefore it will take some time until mobile phones
supporting USB are available.

3 Use Cases
The SCWS is the first step in integrating (U)SIMs as network nodes in the mobile
phone provider’s IP network. The following use cases outline the path toward new
user and network interaction of smart cards on the basis of an SCWS. For some use
cases, BIP is sufficient; other use cases will need a high-speed connection and a full
TCP/IP stack on the (U)SIM.

The Next Step in User Interaction beyond SAT

An SCWS can replace user interaction based on the SIM Application Toolkit (SAT)
and offer the mobile phone user a Web-based look and feel. In addition to the
enhanced user experience, HTML pages offer the possibility to distinguish between
pure data and the data layout. This differentiation is an advantage that limits the
bandwidth for transferring complex information from the (U)SIM to the handset and
offers the opportunity to create a dialog between the user and (U)SIM. Even the
slower BIP connection of the SCWS is sufficient for this use case.

-5-
Use case: Java™ Applet Phonebook
The use case described above is the basis for a
phonebook based on HTML pages served by the
(U)SIM. Giesecke & Devrient has already
implemented this phonebook in a Java™ applet.
Custom-tailored (U)SIMs with sufficient memory
are the ideal platform for phonebook applets,
which can replace a multimedia phonebook in
mobile phones. A Java™ applet allows storage of
a variety of phonebook data such as several phone
numbers, address, and e-mail address. Since the phonebook applet is located on the
(U)SIM card, it can be used by any 2G or 3G mobile phone. The user interface comes
with the applet and is therefore completely independent of different mobile phone
types and manufacturers. The phonebook applet can be customized and thus
tailored for specific needs. Another strength is that the phonebook applet is
supplied as a bundle that includes a phonebook management tool for the customer.
The phonebook management tool allows easy synchronization with 3rd party
address databases such as Lotus Notes® and MS Outlook™.

Use case: User Interface for Payment and Ticketing Applications

Mobile phone ticketing and payment is on its way to being a widely demonstrated
and accepted technology. The (U)SIM can currently play the role of a security
module authorizing electronic transactions, but user interaction in ticketing or
payment scenarios is currently based on GUIs provided by the handset. An SCWS
offers the opportunity to implement the whole ticketing or payment application,
including user interaction, on a (U)SIM. This increases the security because the GUI is
generated directly on the (U)SIM, while the deployment and administration of
contactless applications can be simplified. An SCWS is the basis for offering all
functionalities necessary for the eTicketing/ePayment user front end on a (U)SIM.
Moreover, the few interfaces to the handset are highly standardized and ensure
interoperability between different handsets.

-6-
Use case: Security Proxy and Authentication Gateway
In future use case scenarios, the SCWS can play the role of an HTTP proxy with HTTP
client functionality. This gives the (U)SIM the opportunity to offer the functionality of
an authentication gateway to an Internet portal. Banking transactions and other
security-critical operations such as user authentications can be authorized by the
(U)SIM over the HTTP(S) connection to the Internet portal. In this use case scenario,
the SCWS provides the user interface to the handset’s browser, which displays the
HTML pages tunneled over the security proxy on the (U)SIM. This use case needs a
certain bandwidth because two or even more HTTP connections have to be opened
simultaneously. Therefore a USB interface is recommended.

Use case: Support of Other Types of Internet Application Level Protocols

SCWS refers primarily to the application level protocol HTTP, but a full TCP/IP stack
on a (U)SIM offers the bandwidth to implement other application level protocols
such as SOAP or SIP. Moreover, the HTTP binding for the SOAP protocol offers the
opportunity to implement Web services on the smart card, in a Java™ applet for
example. The SIP (Session Initiation Protocol) is responsible for opening realtime
connections on the Internet. A fully Internet-enabled (U)SIM can implement this
protocol to trigger multimedia data transmissions such as voice over IP connections
controlled by the network operator.

-7-
4 SCWS Technology Overview
The central link between a Web-enabled (U)SIM and the Internet is the routing
functionality of the mobile equipment (ME). The ME is the gateway that connects
the (U)SIM to the operator network and the Internet. This routing functionality can
vary depending on the protocol used for (U)SIM communication.
In the case of a BIP interface, the router in the ME only has to redirect certain HTTP
requests from the ME browser to the local available SCWS. HTTP requests on a
certain TCP port are sent to the SCWS on the (U)SIM, and the HTML page in the
response is generated by the SCWS. HTTP requests not using the TCP port dedicated
to BIP are directed to a server on the Internet.

Routing is different when the USB protocol is used in combination with a full TCP/IP
stack on the (U)SIM. In this case, the ME has the same IP gateway functionality as
other computers connecting an intranet to the Internet. The ME gateway also
depends on the IP protocol version used, i.e. IPv4 or IPv6. In comparison to BIP, the
full TCP/IP stack also offers the possibility to route requests from the (U)SIM to the
Internet, which is the basis for the security gateway use case.

-8-
The SCWS can send out static or dynamic HTML pages.
Static HTML pages are never modified and are sent out in the same format as stored
in the NVM (non-volatile memory) of the (U)SIM.
Dynamic HTML pages are generated according the incoming HTTP request by an
application running on the smart card. For the SCWS, this application is a Java™
applet that interacts with the SCWS over a dedicated API specified in ETSI TS 102
588. This API allows the Java™ applet to receive an HTTP request and to send out
the dynamically generated HTML page. This dynamic behavior can be enhanced by
an XML processor for Web services on the (U)SIM. In this case, the XML output
formatted by the Java™ applet is transmitted with the HTTP response.

-9-
5 SCWS Standardization
The topic of Internet-enabled smart cards and SCWS has been treated by several
standardization bodies.

OMA SCWS Specification

The Open Mobile Alliance (OMA) specification defines the external interfaces of an
HTTP server in a smart card (i.e. smart card Web server), which is embedded in a
(U)SIM. These interfaces cover the following aspects:
ƒ The URL for accessing the Smart Card Web Server (SCWS)
ƒ The possible bearers used for the HTTP protocol

ƒ The HTTP profile that the Smart Card Web Server needs to implement
ƒ A secure remote administration protocol for the Smart Card Web Server
ƒ User, or principal, authentication with the Smart Card Web Server and
related security protocols

ETSI Specifications

The work of the ETSI is mainly dedicated to the transfer protocols that can be used
by the SCWS to enable communication between HTTP applications on the mobile
device and the Smart Card Web Server. BIP has already been completely
standardized in TS 102 223, and the USB Ethernet Emulation Model in conjunction
with a full TCP/IP stack is currently being finalized by the ETSI. The Java
programming interface required for the Java™ applet providing dynamic content is
described in ETSI specification TS 102 588.

- 10 -
6 SCWS Administration
OMA standardization has specified a special administrative protocol. The aim of this
protocol is the ability to upload new data (e.g. xHTML pages), delete data, and
change configuration parameters for the SCWS. Commands are sent using the OMA
admin protocol and are divided into single administrative commands, such as
installing or deleting a HTML page, and special admin commands, such as defining
access control parameters. The OMA admin protocol can use three different bearers:
Lightweight admin protocol over the bearer SMS
The lightweight administration protocol can be used for sending short
administration commands for setting or changing a small number of configuration
parameters for the SCWS. It is suitable for the exchange of a small amount of data
between the administration application and the SCWS. Nevertheless it supports the
same command set as the full admin protocol.
Full admin protocol over BIP or TCP/IP
The full administration protocol is suitable for the exchange of a large amount of
data between the administration application and the SCWS. The full administration
protocol can also be used for securely exchanging or updating data with the Java™
applet registered to the SCWS via the ETSI API. This may be useful for securely
updating data used by these applications or for securely retrieving data from them.
The full administration protocol enables the use of a standard Web server as the
remote administration server implementation. The full administration protocol (and
its card administration agent) has the following characteristics:
ƒ End-to-end security is based on the standard Internet security layer SSL/TLS
ƒ A special administration agent on the (U)SIM is a real HTTP client and
manages the connection establishment between the remote administration
server and the SCWS.
ƒ The card administration agent is able to encapsulate and transparently
transport any HTTP exchange between the two servers, i.e. the SCWS and
admin server.
ƒ The card administration agent is responsible for retry and reconnection
management in the event of a communication breakdown.
ƒ The card administration agent can be triggered either by external events
(e.g. SMS) or by internal events (generated internally by the card) for
initializing a connection to the remote administration server.

- 11 -
- 12 -
7 Glossary

API Application Programming Interface

BIP Bearer Independent Protocol

ETSI European Telecommunications Standards Institute

HTTP Hyper Text Transfer Protocol

HTML Hyper Text Markup Language

ICC Integrated Circuit Card

IP Internet Protocol

GUI Graphical User Interface

NFC Near Field Communication

NVM Non Volatile Memory

OMA Open Mobile Alliance

SAT SIM Application Toolkit

SCWS Smart Card Web Server

SIM Subscriber Identity Module

SIP Session Initiation Protocol

SMS Short Message Service

SOAP Simple Object Access Protocol

SSL Secure Socket Layer

TCP Transmission Control Protocol

TLS Transport Layer Security

UMTS Universal Mobile Telephone System

(U)SIM Universal SIM

USB Universal Serial Bus

XML Extended Markup Language

- 13 -
8 About Giesecke & Devrient

Giesecke & Devrient (G&D) is a globally operating technology group. Established in

1852, the company initially specialized in banknote and security printing, later
adding automatic currency processing equipment to its product portfolio. Today,
G&D is also a leading supplier of smart cards and cutting-edge system solutions in
the fields of mobile communications, electronic payment technology, health care,
identification, transportation, and IT security (PKI).
The G&D Group, based in Munich, Germany, comprises 52 subsidiaries and joint
ventures throughout the world, employing 8,300 people.
As a leading manufacturer of (U)SIM cards for 2G and 3G networks, G&D provides
operators with (U)SIM-based solutions for smooth migration from 2G to 3G, with
OTA server solutions and service hosting, and with logistics services. With its (U)SIM
card products and services, G&D offers tailor-made packages from a single source: Giesecke & Devrient
GmbH
from (U)SIM lifecycle management and cost-effective (U)SIM ordering and Prinzregentenstrasse 159
production processes to the complete development and deployment of mobile P.O. Box 80 07 29
services. 81607 Munich
GERMANY
The Giesecke & Devrient Group has a strong international orientation. Group
Phone:
companies and joint ventures operate in Germany, Argentina, Australia, Bahrain, +49 (0)89 41 19 - 15 43
Belgium, Brazil, Canada, China, Egypt, Greece, Great Britain, Hong Kong, India, Fax:
Italy, Japan, Luxembourg, Malaysia, Mexico, Morocco, Nigeria, Portugal, Russia, +49 (0)89 41 19 – 15 40
Singapore, Slovakia, Spain, South Africa, South Korea, Sri Lanka, Taiwan, Turkey, www.gi-de.com/telecom
the United Arab Emirates, and the United States. telecom@gi-de.com

Security and competence are the international high-tech group’s core concepts. Its © Giesecke & Devrient
customer-focused products, systems, and services make G&D a reliable partner for GmbH, 2007. GalaxSIM®,
any organization needing to solve complex problems in security-related fields. ProxSIM® are registered
trademarks of Giesecke &
For more information about the subject of this white paper, please contact Devrient GmbH. Java™ is
a registered trademark of
telecom@gi-de.com Sun Microsystems, Inc.
Lotus Notes® is a
registered trademark of
IBM Corp. Outlook® is a
registered trademark of
Microsoft Corporation in
the United States and/or
other countries. Technical
data subject to
modification. G&D
patents.

- 14 -