The need to establish a secure channel between a UICC Hosting Device and a Remote Device connected via a local interface has been identified by the Personal Network Management work (see TS 22.259), in order to protect the communication between the UICC Hosting Device and the Remote Device.
This document describes key establishment between a UICC Hosting Device and a Remote Device.
The present document describes the security features and mechanisms to provision a shared key between a UICC Hosting Device and a Remote Device connected via a local interface. The shared secret is then intended to be used to secure the interface between the Remote Device and the UICC Hosting Device. Candidate applications to use this key establishment mechanism include but are not restricted to Personal Network Management (see TS 22.259).
The scope of this specification includes an architecture overview and the detailed procedure for establishing the shared key between the UICC Hosting Device and the Remote Device. This differs from Technical Specification TS 33.110, which describes an architecture overview and the detailed procedure for establishing the shared key between the UICC itself and the terminal hosting the UICC. The use cases utilizing the mechanisms described in this specification are seen to be different from the use cases where "Key establishment between a UICC and a terminal", PSK TLS as specified in TS 33.310, is utilized.
The solution described in this document is built on the existing infrastructure defined in "GBA", TS 33.220.
For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
NAF Key Centre: Dedicated NAF in charge of performing the key establishment between a UICC Hosting Device and a Remote Device.
UICC Hosting Device: The entity that is physically connected to the UICC used for key establishment between the UICC Hosting Device and the Remote Device. The UICC Hosting Device may be the MT or the ME.
Remote Device: A Remote Device is physically separated from the UICC Hosting Device (e.g. PNE as defined in TS 22.259). The Remote Device may itself host a UICC, but this UICC is not involved in the key establishment between the UICC Hosting Device and the Remote Device. For the purposes of the present document, the term Remote Device denotes a trusted device that can establish a shared key with a UICC Hosting Device.
Device_ID: Uniquely identifies the Remote Device. The Device_ID of a ME or MT is the IMEI and shall be encoded using BCD coding as defined in clause 10.5.1.4 of TS 24.008.
Local interface: The interface between the Remote Device and the UICC Hosting Device.
Appl_ID: Uniquely identifies an application in the UICC Hosting Device and Remote Device. The Appl_ID is an octet string.
For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
B-TID                  Bootstrapping Transaction Identifier
BSF                    Bootstrapping Server Function
GBA                    Generic Bootstrapping Architecture
GBA_ME                 ME-based GBA
GBA_U                  GBA with UICC-based enhancements
HSS                    Home Subscriber System
KDF                    Key Derivation Function
Ks_ext_NAF             Derived key in GBA_U
Ks_NAF                 Derived key in GBA_ME
Ks_(ext)_NAF           Combined abbreviation denoting Ks_NAF in case of GBA_ME and Ks_ext_NAF in case of GBA_U
Ks_local_device        Derived key, which is shared between a UICC Hosting Device and a Remote Device
Ks_local_device_appl   Derived key, which is shared between an application residing in the UICC Hosting Device and the Remote Device