7 HPSIM commands

31.1043GPPCharacteristics of the Hosting Party Subscription Identity Module (HPSIM) applicationRelease 17TS

7.0 Generic commands

The commands specified in TS 31.101 [3] are supported by HPSIM, with the restrictions identified in clause 7 of the present document.

7.1 AUTHENTICATE

7.1.1 Command description

The function can be used in the following security context:

– AKA security context during the procedure for authenticating the HPSIM to the Home Network and vice versa when AKA authentication data are available. The function shall be used whenever an AKA context shall be established, i.e. when the terminal receives a challenge from the AKA. A cipher key and an integrity key are calculated. For the execution of the command the HPSIM uses the subscriber authentication key K, which is stored in the HPSIM. The same AKA security context is used for HNB and H(e)NB authentication.

The function is related to a particular HPSIM and shall not be executable unless the HPSIM application has been selected and activated, and the current directory is the HPSIM ADF or any subdirectory under this ADF and a successful PIN verification procedure has been performed (see clause 6.1).

The HPSIM first computes the anonymity key AK = f5K (RAND) and retrieves the sequence number
SQN = (SQN  AK)  AK.

Then the HPSIM computes XMAC = f1K (SQN || RAND || AMF) and compares this with the MAC which is included in AUTN. If they are different, the HPSIM abandons the function.

Next the HPSIM verifies that the received sequence number SQN is previously unused. If it is unused and its value is lower than SQNMS, it shall still be accepted if it is among the last 32 sequence numbers generated. A possible verification method is described in TS 33.102 [5].

NOTE: This implies that the HPSIM has to keep a list of the last used sequence numbers and the length of the list is at least 32 entries.

If the HPSIM detects the sequence numbers to be invalid, this is considered as a synchronisation failure and the HPSIM abandons the function. In this case the command response is AUTS, where:

AUTS = Conc(SQNMS ) || MACS;

Conc(SQNMS) = SQNMS ⊕ f5*K(RAND) is the concealed value of the counter SQNMS in the HPSIM; and

MACS = f1*K(SQNMS || RAND || AMF) where:

RAND is the random value received in the current user authentication request;

If the sequence number is considered in the correct range, the HPSIM computes RES = f2K (RAND), the cipher key CK = f3K (RAND) and the integrity key IK = f4K (RAND) and includes these in the command response. Note that if this is more efficient, RES, CK and IK could also be computed earlier at any time after receiving RAND.

The use of AMF is HN specific and while processing the command, the content of the AMF has to be interpreted in the appropriate manner. The AMF may e.g. be used for support of multiple algorithms or keys or for changing the size of lists, see TS 33.102 [5]. The AMF contains the EPS AKA indication bit, see TS 33.401 [13]. This bit is not interpreted by HPSIM.

7.1.2 Command parameters and data

Editor’s note : HPSIM does not need to support ODD instruction code.

Code

Value

CLA

As specified in TS 31.101 [3]

INS

’88’

P1

’00’

P2

See table below

Lc

See below

Data

See below

Le

’00’, or maximum length of data expected in response

Parameter P2 specifies the authentication context as follows:

Coding of the reference control P2:

Coding

b8-b1

Meaning

‘1——-‘

Specific reference data (e.g. DF specific/application dependant key)

‘-XXXX—‘

‘0000’

‘—–XXX’

Authentication context:

001 AKA

All other codings are RFU.

Parameter P1 is used to control the data exchange between the terminal and the UICC as defined in TS 31.101 [3].

Parameter P2 is set to ’81’.

Command parameters/data:

Byte(s)

Description

Length

1

Length of RAND (L1)

1

2 to (L1+1)

RAND

L1

(L1+2)

Length of AUTN (L2)

1

(L1+3) to (L1+L2+2)

AUTN

L2

The coding of AUTN is described in TS 33.102 [5]. The most significant bit of RAND is coded on bit 8 of byte 2. The most significant bit of AUTN is coded on bit 8 of byte (L1+3).

Response parameters/data, case 1, command successful:

Byte(s)

Description

Length

1

"Successful 3G authentication" tag = ‘DB’

1

2

Length of RES (L3)

1

3 to (L3+2)

RES

L3

(L3+3)

Length of CK (L4)

1

(L3+4) to (L3+L4+3)

CK

L4

(L3+L4+4)

Length of IK (L5)

1

(L3+L4+5) to (L3+L4+L5+4)

IK

L5

The most significant bit of RES is coded on bit 8 of byte 3. The most significant bit of CK is coded on bit 8 of byte (L3+4). The most significant bit of IK is coded on bit 8 of byte (L3+L4+5).

Response parameters/data, case 2, synchronization failure:

Byte(s)

Description

Length

1

"Synchronisation failure" tag = ‘DC’

1

2

Length of AUTS (L1)

1

3 to (L1+2)

AUTS

L1

The coding of AUTS is described in TS 33.102 [5]. The most significant bit of AUTS is coded on bit 8 of byte 3.

7.1.3 Status Conditions Returned by the HPSIM

7.1.3.0 Status Condition structure

Status of the card after processing of the command is coded in the status bytes SW1 and SW2. Clause 7.1.3 of the present document specifies coding of the status bytes in the following tables.

7.1.3.1 Security management

SW1

SW2

Error description

’98’

’62’

‑ Authentication error, incorrect MAC

7.1.3.2 Status Words of the Commands

The following table shows for each command the possible status conditions returned (marked by an asterisk *).

Commands and status words

Status Words

AUTHENTICATE

90 00

*

91 XX

*

93 00

98 50

98 62

*

62 00

*

62 81

62 82

62 83

62 F1

*

62 F3

*

63 CX

63 F1

*

64 00

*

65 00

*

65 81

*

67 00

*

67 XX – (see note)

*

68 00

*

68 81

*

68 82

*

69 81

69 82

*

69 83

69 84

*

69 85

*

69 86

6A 80

6A 81

*

6A 82

6A 83

6A 86

*

6A 87

6A 88

*

6B 00

*

6E 00

*

6F 00

*

6F XX – (see note)

*

NOTE: Except SW2 = ’00’.