eSIM - from physical cards to software solutions
March 18, 2024

What is the difference between an eSIM and a SIM?

An eSIM is essentially a SIM with Remote Provisioning, which means that carrier profiles can be changed remotely: no visit to the operator's store and no replacement of the physical card. It is most commonly found as a chip in an MFF2 package.
Note that eSIM is not the same as MFF2! MFF2 is only the package (form factor) in which the eSIM is sold; a regular SIM could just as well be sold in that package.

The key difference is who the eSIM belongs to: the device manufacturer or the user, not the operator.
Since it does not belong to the operator, there is no operator-identifying data on it; this data must be installed by the user (eSIM consumer) or remotely by the operator (eSIM M2M).
This decentralization of control allows users more freedom to manage their subscriptions.

What is a convenience for the end user is a nightmare for operators.

The eSIM M2M version requires infrastructure on the operator's side for authorization and remote profile loading, which poses technological and organizational challenges.
The Remote SIM Provisioning (RSP) specification developed by the GSMA provides secure and efficient profile management, ensuring that cryptographic keys, which are the foundation of security, remain protected.

And what are these keys?

Ki (Authorization Key)

  • Description: 128-bit key used to authenticate the SIM/eSIM card to the operator's network. It is a symmetric key, meaning that the same key is used for both encryption and decryption of data.
  • Storage: the Ki key is stored both on the SIM/eSIM card and in the operator's authentication system (the Authentication Center, AuC).
  • Ownership: the key belongs simultaneously to the network operator (which keeps a copy in its AuC database) and to the user (as the key is stored on their SIM/eSIM card).

OPc (Operator Variant Algorithm Configuration Field)

  • Description: the OPc takes part in generating the response to the authentication challenge (RAND; the process was described in an earlier article on SIM cards) sent by the network. Together with the Ki key and the A3/A8 algorithms it produces a signature, which is sent back to the network for verification.
  • Storage: the OPc key is stored on the SIM/eSIM card and is used locally by the card to generate the authentication response and the encryption key.
  • Ownership: like the Ki key, the OPc is jointly owned by the operator and the user (SIM/eSIM cardholder), although the user has no direct access to the key; its use is fully automated by the SIM/eSIM card and the operator's systems.

Kc (Ciphering Key)

  • Description: the 64-bit Kc key is used to encrypt data transmitted between the device and the operator's network. It is generated during the authentication process from the Ki key and other inputs, such as the RAND random challenge.
  • Storage: the Kc key is generated and temporarily stored on both the SIM/eSIM card and the operator's network.
  • Ownership: Kc is generated jointly by the SIM/eSIM card and the operator's network and is used exclusively for the current session.
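As an added illustration of how these three keys interact (example code written for this edit, not code from the article), the Go program below runs Milenage, the 3G/LTE authentication algorithm set that OPc belongs to: it derives OPc from OP under Ki, answers a RAND challenge with RES (the "signature" the card returns), CK, IK and AK, and folds CK/IK into the 64-bit GSM Kc with the c3 conversion function of 3GPP TS 33.102. The article names A3/A8, which are the older GSM algorithm names; the inputs here are the published 3GPP TS 35.207 conformance vectors (test set 1), not a real subscriber's keys.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// xor returns the byte-wise XOR of any number of equal-length slices.
func xor(bs ...[]byte) []byte {
	out := make([]byte, len(bs[0]))
	for _, b := range bs {
		for i := range out {
			out[i] ^= b[i]
		}
	}
	return out
}
// aesEnc is E_K(x): one AES-128 block encryption of x under the 16-byte key k.
func aesEnc(k, x []byte) []byte {
	c, _ := aes.NewCipher(k)
	out := make([]byte, 16)
	c.Encrypt(out, x)
	return out
}
// DeriveOPc computes OPc = OP XOR E_Ki(OP) (TS 35.206); the card is personalised with OPc, never OP.
func DeriveOPc(ki, op []byte) []byte { return xor(op, aesEnc(ki, op)) }
// Milenage f2..f5 (TS 35.206 section 4.1) for one RAND: RES is the "signature" sent to the network; CK, IK and AK come from the same challenge.
func Milenage(ki, opc, rnd []byte) (res, ck, ik, ak []byte) {
	temp := aesEnc(ki, xor(rnd, opc))
	outN := func(r int, c byte) []byte { // OUTn = E_K(rot(TEMP^OPc, rn) ^ cn) ^ OPc
		x := make([]byte, 16)
		for i := range x { // rot(): left rotation by rn bits, a whole number of bytes here
			x[i] = temp[(i+r/8)%16] ^ opc[(i+r/8)%16]
		}
		x[15] ^= c // cn is zero except for a single bit in its last byte
		return xor(aesEnc(ki, x), opc)
	}
	o2, o3, o4 := outN(0, 1), outN(32, 2), outN(64, 4)
	return o2[8:], o3, o4, o2[:6]
}

// GsmKc folds CK/IK into the 64-bit GSM Kc with the c3 conversion function of TS 33.102.
func GsmKc(ck, ik []byte) []byte { return xor(ck[:8], ck[8:], ik[:8], ik[8:]) }

func main() { // inputs: 3GPP TS 35.207 test set 1, published conformance vectors, not a live key
	h := func(s string) []byte { b, _ := hex.DecodeString(s); return b }
	ki, op := h("465b5ce8b199b49faa5f0a2ee238a6bc"), h("cdc202d5123e20f62b6d676ac72cb318")
	res, ck, ik, ak := Milenage(ki, DeriveOPc(ki, op), h("23553cbe9637a89d218ae64dae47bf35"))
	fmt.Printf("OPc=%x RES=%x AK=%x\nCK=%x IK=%x Kc=%x\n", DeriveOPc(ki, op), res, ak, ck, ik, GsmKc(ck, ik))
}
```

Because the network holds the same Ki and OPc in its AuC, it computes the same RES and compares it with the one the card sends; the card itself never exposes Ki or OPc, only the derived values.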

What is this RSP?

Remote SIM provisioning is a specification implemented by the GSMA that allows consumers to remotely activate a subscriber identity module (profile) embedded in a mobile device such as a smartphone, smartwatch, fitness band or tablet.
The process of handling such a profile: profile production → personalization → security → provisioning (uploading to the eSIM).

A requirement of GSMA certification is that the personalization package is decrypted inside the chip, so there is no way to dump the Ki and OPc keys. Another important aspect is that the eSIM is owned by the enterprise, which therefore has full control over the security of and the applications on the eSIM, and over which operator profiles to use.

Remote Provisioning forces sensitive data to be exchanged between parties that do not know each other, such as:

  • subscription data;
  • operator profile data;
  • certificates;

This is the main problem with eSIM implementation.

The operator needs the device data to create a profile and upload it. The eSIM manufacturer needs to upload profile management software. This software must be approved by the operator to "get along" with the eSIM.

The operator's sensitive data must be installed by the user (consumer version) or remotely by the operator (M2M version).

Push and pull model

eSIM consumer

The eSIM consumer version is primarily dedicated to consumer devices such as smartphones and smartwatches.

Here the user interface (UI) plays a key role, and a camera is often required to scan the QR code and upload the operator profile. It is the user who conducts the orchestra, deciding which of the available operator profiles is active at any given time, making control of telecom services more intuitive and flexible. Profile updates can be done over both Wi-Fi and the cellular network, further emphasizing the freedom of choice and eSIM management.

System architecture:

eSIM in consumer version

Let's discuss the main components of the consumer version of eSIM.

eUICC (Embedded Universal Integrated Circuit Card)

  • A module for remote management of operator profiles;
  • enables downloading, storing and over-the-air (OTA) updating of multiple mobile operator profiles on the card;

LPA (Local Profile Assistant)

  • a key figure in this architecture - a component embedded in the device for local retrieval and management of profile status (installation, activation, deactivation, deletion);
  • is responsible for direct communication with SM-DP+ and can reside either in the device (more common) or in the eUICC (less common);

SM-DP+ (Subscription Manager - Data Preparation)

  • The backend component responsible for the secure generation, storage and delivery of eSIM profiles;

SM-DS (Subscription Manager - Discovery Server)

  • A component that keeps the list of profiles ready for download to a given device;

The SM-DP+ block is responsible for creating, downloading, remotely managing (enabling, disabling, deleting, updating) a profile. The + sign in its name was added to emphasize that it includes the functionality of the SM-DP and SM-SR blocks from the M2M version.

The LPA, on the other hand, is a set of functions responsible for retrieving the encrypted profile on behalf of the eUICC and for providing a user interface through which the user manages the profile's status.

The SM-DS block, in turn, lets SM-DP+ reach the eUICC without knowing which network the module is connected to. For this purpose, SM-DS allows SM-DP+ to post alerts that notify the LPA that a profile is available for download by the eUICC.
This works as follows: notifications are sent from SM-DP+ to SM-DS, and the LPA polls SM-DS for them at a frequency that depends on the eUICC's mode of operation and on user actions.

Simple, right? The matter gets slightly complicated in the M2M version.

eSIM M2M

M2M eSIM is distinguished by its application in the IoT domain, where devices communicate directly with the network without user interaction. Here, the process of configuration and profile management is more automated and top-down controlled by the operator, requiring a more complex telecommunications infrastructure.
Key features:

  • No LPA (Local Profile Assistant) module - all responsibility for profile management lies with the operator's subscription management servers;
  • "push" model - the operator sends a profile to the device (no user interaction);
  • The "Bootstrap" profile, already loaded at the manufacturing stage of the device, enables basic communication, and the Bearer Independent Protocol (BIP) is used to update and manage profiles over the cellular network;
  • GSMA-compliant test profile - for local testing of functionality without connecting to the operator;

A few words about the Bootstrap profile.
According to GSMA, eSIMs are to be shipped with a SIM profile that provides a small amount of built-in connectivity (the Bootstrap profile of the title). This is crucial for activating devices remotely or where there is no user interface.

With this profile uploaded to the eSIM card, the device can connect to the network as soon as it boots up.

  • The first time an eSIM connection is made, it uses the preloaded Bootstrap profile,
  • and then connects to the mobile network operator for the initial download of the proper profile.

In this way, eSIM allows more flexibility in design and implementation. From a practical point of view, there are still limitations, as operators do not want to open their IT systems to external control.

In Poland, the largest operator in the eSIM M2M market supports only eSIM modules purchased from it.
Having "insight" into how the chips are programmed removes the problem of having to trust unknown eSIMs with Bootstrap profiles.

eSIM M2M network architecture

That is, how shifting responsibility outside the operator complicates the system.

In the figure, we see the main elements of the M2M model, where the initiative is on the server side (push model), with arrows marking the flow of communication between them.

Machine-2-Machine version of eSIM

Let's discuss the main components of the system.

SM-DP (Subscription Manager - Data Preparation)

  • A backend component responsible for securely creating and storing eSIM profiles (both existing and new profiles);
  • Personalizes profiles with subscription data and prepares them for secure download and installation on the eUICC card;

SM-SR (Subscription Manager - Secure Routing)

  • It acts as a gateway between the operator, SM-DP and the eUICC card on the device;
  • It has a database of all eUICC cards under its control and sets of keys to manage them;
  • Establishes a secure channel for each registered eUICC, which allows remote management of profiles (downloading, installation, enabling, disabling, deleting and other functions);

eUICC (Embedded Universal Integrated Circuit Card)

  • Enables downloading, storing and updating of multiple mobile operator profiles on the SIM card in OTA (over-the-air) mode;
  • Data between the eSIM and the SM-SR travels over BIP (Bearer Independent Protocol), carried by SMS, CAT_TP or TCP/IP (3GPP 102.127);

MNO (Mobile Network Operator)

  • Represents the mobile network operator;

The SM-DP (Subscription Manager - Data Preparation) block is responsible for preparing, storing and protecting operator profiles, including credentials. It is also responsible for downloading and installing them on the eUICC card.

The SM-SR (Subscription Manager - Secure Routing) block manages the status of profiles (enable, disable, delete) and secures the communication link between the eUICC and SM-DP.

In the case of eSIM for M2M, the data preparation and secure routing functions are separated into two components (SM-DP and SM-SR), while in eSIM for consumers they are integrated into a single module (SM-DP+). For this reason, migrating M2M devices to a new communications provider involves transferring the management of existing devices and their cryptographic keys to the new SM-SR platform. This procedure, also known as SM-SR swap, is technically complex and generates significant costs for both the network operator and the companies using IoT solutions.

The profile is "pushed" to the device via a remote command from the subscription management platform (SM-DP). This enables mass profile management in IoT deployments with multiple geographically dispersed endpoints.

The main problems of eSIM M2M

  • Initial upload of a profile to an eSIM: how to provide the operator (and even more so whoever runs the SM-DP and SM-SR) with the data needed to create the profile and upload it securely, and who will provide the software for the eSIM;
  • Profile administration: users' access to the operator's infrastructure;
  • RSP, i.e. uploading and activating profiles OTA, is an exchange of sensitive data with external parties (the eSIM sits in the device and does not belong to the operator);
  • Profile swap: transferring profiles between operators (moving profiles from SM-SR1 to SM-SR2 at another operator). When migrating to a new communications provider, management of the existing devices and their cryptographic keys also has to be transferred to the new SM-SR platform;

When the system starts, it is the SM-SR that is expected to hold data on all eUICCs in the network, together with the keys needed to communicate with them remotely without a user.
With this database of authenticated eUICCs, it manages their profiles (created by the SM-DP).

M2M eSIM - how about a virtual operator?

The problem in M2M is access to the operator's (MNO's) infrastructure by users who want to manage or monitor their eSIMs. Operators do not want to give access to their infrastructure. The solution to this problem is the MVNO (virtual MNO), the virtual operator: instead of each user having access to the network, the MVNO is a layer that insulates them from it.
What characterizes a virtual operator:

  • an entity that has an agreement with the operator(s) and itself provides services to customers for an additional fee;
  • SM-DP and SM-SR servers are on the MVNO side;
  • the MVNO provides a panel for monitoring and management;
  • provides support for the generic Bootstrap profile (uploaded by default to eUICC) to be able to activate eSIM;

In this arrangement, the eSIM manufacturer makes a deal with the virtual operator and provides it with a list of the chips it produces. Thanks to this cooperation with the manufacturer, the virtual operator places the keys needed for security on the chips "in production".
As a result, you do not buy eSIMs from the operator (which at the moment means buying them in the thousands). You buy them by the piece from manufacturers that have a partnership with a virtual operator, which in turn uses the physical networks of local operators. By running the subscription management servers itself, the virtual operator isolates us from the operators.

How to activate an eSIM with a virtual operator?

Here's the list of steps to follow with one of the largest MVNOs, Truphone:

  • You set up an account with the operator and select "subscription";
  • You mount the eSIM M2M in your device;
  • Using AT commands, you read the ICCID number;
  • You log in at Truphone and activate the ICCID you read;
  • After about 15 minutes your eSIM is active.
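As an added example of the ICCID step above (written for this edit; it is not code from the article or from Truphone), the Go program below parses a modem's reply to the standard 3GPP TS 27.007 command AT+CRSM=176,12258,0,0,10 (READ BINARY of the EF_ICCID file), undoes the swapped-nibble BCD encoding of the file and validates the Luhn check digit before the value is typed into the activation panel. The article does not say which AT command it used, so the use of AT+CRSM is an assumption, and the ICCID in the sample reply is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// crsmRe matches the +CRSM reply format of 3GPP TS 27.007: <sw1>,<sw2>[,"<hex data>"].
var crsmRe = regexp.MustCompile(`\+CRSM:\s*(\d+),(\d+)(?:,"([0-9A-Fa-f]*)")?`)
// IccidFromCRSM decodes the reply to AT+CRSM=176,12258,0,0,10 (READ BINARY of EF_ICCID,
// file 0x2FE2): 10 bytes of BCD with the two digits of each byte swapped, 'F' padded.
func IccidFromCRSM(reply string) (string, error) {
	m := crsmRe.FindStringSubmatch(reply)
	if m == nil {
		return "", fmt.Errorf("not a +CRSM reply: %q", reply)
	}
	if m[1] != "144" || m[2] != "0" || len(m[3]) != 20 { // only SW 90 00 with 10 bytes is success
		return "", fmt.Errorf("unexpected reply SW1=%s SW2=%s data=%q", m[1], m[2], m[3])
	}
	var sb strings.Builder
	for i := 0; i < 20; i += 2 { // "98" on the card means the digits 8 then 9
		sb.WriteByte(m[3][i+1])
		sb.WriteByte(m[3][i])
	}
	iccid := strings.TrimRight(sb.String(), "Ff") // 19-digit ICCIDs end with an F filler nibble
	if !LuhnValid(iccid) {
		return "", fmt.Errorf("ICCID %s fails its Luhn check digit", iccid)
	}
	return iccid, nil
}
// LuhnValid reports whether a digit string passes the Luhn (mod 10) check used by ICCIDs.
func LuhnValid(digits string) bool {
	sum := 0
	for i := range digits {
		d := int(digits[len(digits)-1-i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if i%2 == 1 { // every second digit, counted from the right, is doubled
			d *= 2
		}
		sum += d/10 + d%10 // digit sum, so a doubled 9 (18) contributes 9
	}
	return sum%10 == 0
}

func main() { // constructed modem output for a made-up ICCID, not a real subscription
	fmt.Println(IccidFromCRSM(`+CRSM: 144,0,"984400000000000010F9"`))
}
```

A reply with a non-success status word (for example 106,130, i.e. 6A82 "file not found", typical when no SIM is inserted) is reported as an error instead of being mistaken for an ICCID.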

Other well-known virtual operators operating in Europe: emnify, onomondo.
