2 Introduction
6 SCWS Administration
7 Glossary
1 Executive Summary
For 15 years, the SIM card has been an important component in the world of mobile
communications. It is unique in taking over the global market as the one
exchangeable authentication token in GSM and UMTS networks. In the past few
years, the (U)SIM has been enhanced by many more functionalities than simple user
authentication. The (U)SIM has evolved to become a central medium for the storage
and administration of user data in the provider network. Moreover, the SIM has
been enabled to exchange information directly with the mobile phone user and the
provider network using additional mechanisms like the Card Application Toolkit
(CAT) and Over the Air (OTA) communication.
The next step to improve integration of (U)SIMs in the provider network and mobile
equipment is imminent. Giesecke & Devrient’s innovative GalaxSIM® and ProxSIM®
product lines support standard Web technologies like HTML (hypertext markup
language) pages and HTTP (hypertext transfer protocol).
Interaction among the (U)SIM, end user, and mobile phone network can be
significantly enhanced by bringing Internet technologies to the new (U)SIMs offered
by Giesecke & Devrient. On the user side, a Web look and feel simplifies information
exchange. For example, users browse a phone book or FAQ list based on HTML
pages stored directly on the Smart Card Web Server (SCWS) hosted on the (U)SIM.
On the provider side, an HTTP-based update mechanism simplifies the exchange of
content with previously issued (U)SIMs.
In conjunction with the Internet technology on smart cards, the variety of different
data types stored on the (U)SIM and delivered by the SCWS is increasing
considerably. Moreover, the SIM can be responsible for protecting countless kinds of data
such as music, video clips, purchased ring tones, personal data, and access
information for various mobile services. In conjunction with these new technologies,
G&D has the following vision:
2 Introduction
The mobile telecommunications industry has recently opened up an interesting level
of service for subscribers. Multimedia features in new handsets, such as high
resolution displays and the availability of HTTP browsers, in combination with higher
network bandwidths have led to new challenges for network operators. Subscribers
want a suitable phone and an interesting service portfolio at a reasonable price. To
achieve this, an SCWS can offer new services, while the Internet-enabled (U)SIM can
secure additional services offered by (Internet) servers on the provider network.
Moreover, the bandwidth of the traditional smart card protocol T=0 appears to limit
the usability of new IP-based services, and there is a need for a new high-speed
protocol between the handset and (U)SIM. The ETSI has selected USB 2.0 Interchip
in full speed mode as the future smart card protocol.
The basic functionality of a Web server is the delivery of Web pages using the HTTP
protocol. This is the same for an SCWS. However, unlike a regular Web server, the
SCWS offers two possible bearers as transport protocols for the HTTP protocol. One
is the T=0 protocol with a BIP interface layer. The other is a full TCP/IP stack built on
top of the USB 2.0 full speed interface.
For legacy reasons, HTTP data, which is exchanged between a mobile phone
browser and an SCWS, can be transmitted over the traditional serial smart card
interface according to ISO/IEC 7816. This enables the BIP (bearer independent protocol)
to be used in a special server mode, which can be easily implemented in the mobile
phone firmware.
In the future, BIP will increasingly be replaced by handsets using a broadband full
speed USB interface for transferring HTTP data over a TCP/IP stack implemented in
the smart card. But the new high-speed interface will also entail a change in the
mobile phone hardware. Therefore it will take some time until mobile phones
supporting USB are available.
3 Use Cases
The SCWS is the first step in integrating (U)SIMs as network nodes in the mobile
phone provider’s IP network. The following use cases outline the path toward new
user and network interaction of smart cards on the basis of an SCWS. For some use
cases, BIP is sufficient; other use cases will need a high-speed connection and a full
TCP/IP stack on the (U)SIM.
Use case: Java™ Applet Phonebook
The use case described above is the basis for a
phonebook based on HTML pages served by the
(U)SIM. Giesecke & Devrient has already
implemented this phonebook in a Java™ applet.
Custom-tailored (U)SIMs with sufficient memory
are the ideal platform for phonebook applets,
which can replace a multimedia phonebook in
mobile phones. A Java™ applet allows storage of
a variety of phonebook data such as several phone
numbers, address, and e-mail address. Since the phonebook applet is located on the
(U)SIM card, it can be used by any 2G or 3G mobile phone. The user interface comes
with the applet and is therefore completely independent of different mobile phone
types and manufacturers. The phonebook applet can be customized and thus
tailored for specific needs. Another strength is that the phonebook applet is
supplied as a bundle that includes a phonebook management tool for the customer.
The phonebook management tool allows easy synchronization with 3rd party
address databases such as Lotus Notes® and MS Outlook™.
Use case: Security Proxy and Authentication Gateway
In future use case scenarios, the SCWS can play the role of an HTTP proxy with HTTP
client functionality. This gives the (U)SIM the opportunity to offer the functionality of
an authentication gateway to an Internet portal. Banking transactions and other
security-critical operations such as user authentications can be authorized by the
(U)SIM over the HTTP(S) connection to the Internet portal. In this use case scenario,
the SCWS provides the user interface to the handset’s browser, which displays the
HTML pages tunneled over the security proxy on the (U)SIM. This use case needs a
certain bandwidth because two or even more HTTP connections have to be opened
simultaneously. Therefore a USB interface is recommended.
4 SCWS Technology Overview
The central link between a Web-enabled (U)SIM and the Internet is the routing
functionality of the mobile equipment (ME). The ME is the gateway that connects
the (U)SIM to the operator network and the Internet. This routing functionality can
vary depending on the protocol used for (U)SIM communication.
In the case of a BIP interface, the router in the ME only has to redirect certain HTTP
requests from the ME browser to the locally available SCWS. HTTP requests on a
certain TCP port are sent to the SCWS on the (U)SIM, and the HTML page in the
response is generated by the SCWS. HTTP requests not using the TCP port dedicated
to BIP are directed to a server on the Internet.
Routing is different when the USB protocol is used in combination with a full TCP/IP
stack on the (U)SIM. In this case, the ME has the same IP gateway functionality as
other computers connecting an intranet to the Internet. The ME gateway also
depends on the IP protocol version used, i.e. IPv4 or IPv6. In comparison to BIP, the
full TCP/IP stack also offers the possibility to route requests from the (U)SIM to the
Internet, which is the basis for the security gateway use case.
The SCWS can send out static or dynamic HTML pages.
Static HTML pages are never modified and are sent out in the same format as stored
in the NVM (non-volatile memory) of the (U)SIM.
Dynamic HTML pages are generated according to the incoming HTTP request by an
application running on the smart card. For the SCWS, this application is a Java™
applet that interacts with the SCWS over a dedicated API specified in ETSI TS 102
588. This API allows the Java™ applet to receive an HTTP request and to send out
the dynamically generated HTML page. This dynamic behavior can be enhanced by
an XML processor for Web services on the (U)SIM. In this case, the XML output
formatted by the Java™ applet is transmitted with the HTTP response.
5 SCWS Standardization
The topic of Internet-enabled smart cards and SCWS has been treated by several
standardization bodies.
- The HTTP profile that the Smart Card Web Server needs to implement
- A secure remote administration protocol for the Smart Card Web Server
- User, or principal, authentication with the Smart Card Web Server and
  related security protocols
ETSI Specifications
The work of the ETSI is mainly dedicated to the transfer protocols that can be used
by the SCWS to enable communication between HTTP applications on the mobile
device and the Smart Card Web Server. BIP has already been completely
standardized in TS 102 223, and the USB Ethernet Emulation Model in conjunction
with a full TCP/IP stack is currently being finalized by the ETSI. The Java
programming interface required for the Java™ applet providing dynamic content is
described in ETSI specification TS 102 588.
6 SCWS Administration
OMA standardization has specified a special administrative protocol. The aim of this
protocol is the ability to upload new data (e.g. xHTML pages), delete data, and
change configuration parameters for the SCWS. Commands are sent using the OMA
admin protocol and are divided into single administrative commands, such as
installing or deleting an HTML page, and special admin commands, such as defining
access control parameters. The OMA admin protocol can use three different bearers:
Lightweight admin protocol over the bearer SMS
The lightweight administration protocol can be used for sending short
administration commands for setting or changing a small number of configuration
parameters for the SCWS. It is suitable for the exchange of a small amount of data
between the administration application and the SCWS. Nevertheless it supports the
same command set as the full admin protocol.
Full admin protocol over BIP or TCP/IP
The full administration protocol is suitable for the exchange of a large amount of
data between the administration application and the SCWS. The full administration
protocol can also be used for securely exchanging or updating data with the Java™
applet registered to the SCWS via the ETSI API. This may be useful for securely
updating data used by these applications or for securely retrieving data from them.
The full administration protocol enables the use of a standard Web server as the
remote administration server implementation. The full administration protocol (and
its card administration agent) has the following characteristics:
- End-to-end security is based on the standard Internet security layer SSL/TLS.
- A special administration agent on the (U)SIM is a real HTTP client and
  manages the connection establishment between the remote administration
  server and the SCWS.
- The card administration agent is able to encapsulate and transparently
  transport any HTTP exchange between the two servers, i.e. the SCWS and
  admin server.
- The card administration agent is responsible for retry and reconnection
  management in the event of a communication breakdown.
- The card administration agent can be triggered either by external events
  (e.g. SMS) or by internal events (generated internally by the card) for
  initializing a connection to the remote administration server.
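The agent behaviour listed above, as an added Python model that is not G&D's or OMA's code: the agent relays each command from the admin server to the SCWS unchanged and resends after a dropped connection. It assumes a pull-style exchange in which the server's reply to the agent's POST carries the next command; the class names, the dict message format and `max_retries` are hypothetical.

```python
# Added model of the card administration agent; every name here is hypothetical.
# Messages are plain dicts, not the OMA wire encoding; SSL/TLS is not modelled.
class Scws:
    """Card-side web server: static pages held in NVM, keyed by path."""
    def __init__(self):
        self.nvm = {}
    def handle(self, req):
        method, path = req["method"], req["path"]
        if method == "PUT":                       # install or replace a page
            self.nvm[path] = req["body"]
            return {"status": 201}
        if method == "DELETE":
            return {"status": 204 if self.nvm.pop(path, None) is not None else 404}
        if method == "GET" and path in self.nvm:
            return {"status": 200, "body": self.nvm[path]}
        return {"status": 404}

class AdminServer:
    """Remote admin server: queues commands, records the card's status codes."""
    def __init__(self, commands, drop_on_calls=()):
        self.queue, self.results = list(commands), []
        self.calls, self.drop_on_calls = 0, set(drop_on_calls)
    def post(self, last_response):
        self.calls += 1
        if self.calls in self.drop_on_calls:      # constructed bearer failure,
            raise ConnectionError("bearer lost")  # raised before any processing
        if last_response is not None:
            self.results.append(last_response["status"])
        return self.queue.pop(0) if self.queue else None  # None: session over

def run_admin_session(server, scws, max_retries=3):
    """Agent loop: POST to the server, relay the returned command to the SCWS
    unchanged, POST the SCWS response back; resend after a dropped POST."""
    pending, retries = None, 0
    while True:
        try:
            command = server.post(pending)
        except ConnectionError:
            retries += 1
            if retries > max_retries:
                return False                      # give up, card state kept
            continue                              # same payload is resent
        retries = 0
        if command is None:
            return True
        pending = scws.handle(command)
# Constructed sample session: install one page, delete one that is absent.
SAMPLE = [{"method": "PUT", "path": "/faq.html", "body": "<html>FAQ</html>"},
          {"method": "DELETE", "path": "/old.html"}]
```

The model drops a POST before the server processes it, so a resend is always safe; a deployment also has to handle a reply lost after the server has already acted on the request.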
7 Glossary
IP Internet Protocol
8 About Giesecke & Devrient
Security and competence are the international high-tech group’s core concepts. Its
customer-focused products, systems, and services make G&D a reliable partner for
any organization needing to solve complex problems in security-related fields.
For more information about the subject of this white paper, please contact
telecom@gi-de.com
© Giesecke & Devrient GmbH, 2007. GalaxSIM®, ProxSIM® are registered
trademarks of Giesecke & Devrient GmbH. Java™ is a registered trademark of
Sun Microsystems, Inc. Lotus Notes® is a registered trademark of IBM Corp.
Outlook® is a registered trademark of Microsoft Corporation in the United States
and/or other countries. Technical data subject to modification. G&D patents.