
PIN-Locked SIMs & PUK Codes

(@jeffcaplan)
Trusted Member
Joined: 21 years ago
Posts: 97
Topic starter  

Can anyone point in the direction of a whitepaper or other resource which discusses exactly what happens when a PIN is applied to a SIM card and how it affects I/O?

I'm also looking for as much detail as possible about how PUK codes are assigned to SIMs.

I've done some research in both areas, but haven't found anything substantial yet. Thanks in advance!


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Jeff, these are proprietary issues.

PIN is based upon a shared secret and asymmetric, if you will. PIN is prescribed at random by the user. PIN works on the principle that what the user inputs cannot be retrieved (what goes in cannot come out). PIN is not hex or binary, but a frequency.

PUK is different in that it is associated with ICCID. Basically, as manufacturers supply ICCs (the Cards, if you will, with OSs) to operators, the operators can choose to select a PUK range or leave it to the manufacturer to randomly generate a PUK. The requirements are set out in a Mask template and sent back to the manufacturer who implement from there. When the ICCs are supplied back to the operators they are accompanied with a data list, if you will, of an ICC corresponding to a PUK that the operator can use to look up when a PUK is requested from them by a user.

PUK and PIN should have no physical connection.

I would be surprised if a white paper has been published to the degree that it would explicitly describe the technical workings of both PIN and PUK. However, I could be wrong and would be interested to read such a paper.


   
(@jeffcaplan)
Trusted Member
Joined: 21 years ago
Posts: 97
Topic starter  

> Jeff, these are proprietary issues.

Proprietary to whom? Who owns the patents?

> PIN is based upon a shared secret and asymmetric, if you will.

Was that a typo? Encryption based on a shared secret is generally instituted using a symmetric algorithm and not an asymmetric one. Asymmetric algorithms use public and private certificates.

> PIN is prescribed at random by the user. PIN works on the principle that what the user inputs cannot be retrieved (what goes in cannot come out). PIN is not hex or binary, but a frequency.

Interesting, so somehow the numbers are converted into some other data structure, as opposed to binary values based on a standard encoding such as ASCII? Is the PIN hashed or salted at all before it is stored to the SIM? What exactly is it that is inherent to SmartCard technology which does not allow someone to get access to the data [in this case, the PIN], even if they have physical access to the SIM?

> PUK is different in that it is associated with ICCID. Basically, as manufacturers supply ICCs (the Cards, if you will, with OSs) to operators, the operators can choose to select a PUK range or leave it to the manufacturer to randomly generate a PUK.

Is the generation of a PUK code based on an algorithm which uses characteristics of the SIM as input or is it randomly generated and then assigned to the particular SIM?

> The requirements are set out in a Mask template and sent back to the manufacturer who implement from there.

Mask template? I'm guessing this is the standard which is followed by the manufacturers to generate PUKs. Every manufacturer has their own then? Are they radically different?

> When the ICCs are supplied back to the operators they are accompanied with a data list, if you will, of an ICC corresponding to a PUK that the operator can use to look up when a PUK is requested from them by a user.

I knew that much. 😉

> PUK and PIN should have no physical connection.

Right.

> I would be surprised if a white paper has been published to the degree that it would explicitly describe the technical workings of both PIN and PUK. However, I could be wrong and would be interested to read such a paper.

Ditto.

Jeff
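
On the I/O side of the question above, the commands a handset sends to present a PIN or PUK are publicly specified in GSM 11.11 (3GPP TS 51.011), where the PIN is called CHV. The following is an added example, not part of any post in this thread; the function names are made up here, and it covers only the card interface, not how any manufacturer stores the value inside the card.

```python
"""Added example: PIN/PUK presentation on the SIM interface per GSM 11.11."""

CLA_GSM = 0xA0           # class byte for GSM SIM commands
INS_VERIFY_CHV = 0x20    # present a PIN
INS_UNBLOCK_CHV = 0x2C   # present a PUK together with a new PIN

# CHV-related status words (SW1 = 0x98), wording condensed from GSM 11.11.
SW_98 = {
    0x02: "no CHV initialised",
    0x04: "verification failed, at least one attempt left",
    0x08: "in contradiction with CHV status",
    0x40: "verification failed, no attempt left (CHV or UNBLOCK CHV blocked)",
}

def encode_chv(digits: str) -> bytes:
    """Code 4-8 decimal digits as ASCII, right-padded with 0xFF to 8 bytes."""
    if not (digits.isascii() and digits.isdigit() and 4 <= len(digits) <= 8):
        raise ValueError("CHV value must be 4 to 8 decimal digits")
    return digits.encode("ascii").ljust(8, b"\xff")

def verify_chv(pin: str, chv_no: int = 1) -> bytes:
    """VERIFY CHV: P2 carries the CHV number, P3 is always 8."""
    if chv_no not in (1, 2):
        raise ValueError("chv_no must be 1 or 2")
    return bytes([CLA_GSM, INS_VERIFY_CHV, 0x00, chv_no, 0x08]) + encode_chv(pin)

def unblock_chv(puk: str, new_pin: str, chv_no: int = 1) -> bytes:
    """UNBLOCK CHV: P2 is 00 for CHV1 and 02 for CHV2; data is PUK then new PIN."""
    if chv_no not in (1, 2):
        raise ValueError("chv_no must be 1 or 2")
    if len(puk) != 8:
        raise ValueError("the UNBLOCK CHV value (PUK) is 8 digits")
    p2 = 0x00 if chv_no == 1 else 0x02
    header = bytes([CLA_GSM, INS_UNBLOCK_CHV, 0x00, p2, 0x10])
    return header + encode_chv(puk) + encode_chv(new_pin)

def describe_sw(sw1: int, sw2: int) -> str:
    """Interpret the two status bytes the card returns after either command."""
    if (sw1, sw2) == (0x90, 0x00):
        return "normal ending"
    if sw1 == 0x98 and sw2 in SW_98:
        return SW_98[sw2]
    return f"other status {sw1:02X} {sw2:02X}"

if __name__ == "__main__":
    # Constructed sample values, not taken from any real card.
    print(verify_chv("1234").hex(" "))
    print(unblock_chv("12345678", "0000").hex(" "))
    print(describe_sw(0x98, 0x04))
```

The card keeps the retry counters itself: three consecutive wrong PIN presentations block the PIN, and ten consecutive wrong PUK presentations block the PUK.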


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Maybe you may wish to write to each of the SIM manufacturers regarding their proprietary methods and patents.


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

This is an interesting topic, and certainly one where I could do with learning more!

If I understand things so far it's the SIM manufacturer who determines exactly how the PIN is applied to the card (rather than the handset manufacturer or even network operator)? Out of interest, who are the major SIM card manufacturers?

Jamie


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

> If I understand things so far it's the SIM manufacturer who determines exactly how the PIN is applied to the card (rather than the handset manufacturer or even network operator)? Out of interest, who are the major SIM card manufacturers?

Yes.

The major names are these below but there have been some amalgamations over the last number of years, but SIM Cards issued prior to amalgamation/s are still in wide use and old stocks are still being sold off.

- Schlumberger Smart Cards
- axalto (formerly Schlumberger Smart Cards)
- Gemplus (joined with axalto)
- Gemalto
- Orga (joined with Orga)
- Sagem Orga
- Giesecke & Devrient
- Oberthur

However, China has a large number of SIM manufacturers as well but the above names are still the major players (at the moment).


   
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Thanks for that, I recognise one or two names from a time when I was investigating smart card options for a previous (non-forensic) employer.

Jamie


   