comparison doc/GrcardSIM2-security-model @ 18:da6e9d0b2ee6

data, doc, scripts: import from previous fc-pcsc-tools repo
author Mychaela Falconia <falcon@freecalypso.org>
date Sun, 14 Mar 2021 07:57:09 +0000
17:372ecc4aa2c4 18:da6e9d0b2ee6
GrcardSIM2 cards (previously sold as sysmoSIM-GR2 and now being reintroduced as
FCSIM1) have two different ADM access levels, each guarded by a separate secret
code. These two ADM access levels are referred to as ADM and SUPER ADM in the
Osmocom wiki page for GrcardSIM2, but they can also be called ADM5 and ADM11,
since those are the access level numbers that appear in the actual APDUs.

If you successfully authenticate with the ADM5 secret code, you gain the
following abilities:

* You can change the ADM5 secret code itself;
* You can reset PIN1, PIN2, PUK1 and PUK2 to new codes without having to know
any previous ones.

If you successfully authenticate with the ADM11 secret code, you gain the
following abilities:

* You can change the ADM11 secret code itself;
* You can reset PIN1, PIN2, PUK1, PUK2 and ADM5 to new codes without having to
know any previous ones.

Most admin-write-only files are writable after either ADM5 or ADM11
authentication, but some files (particularly EF.WEKI, which holds Ki) can only
be read and written with ADM11. More precisely, if a given access condition
(returned in response to SELECT) is listed as ADM11, then you need to
authenticate with ADM11, but if it is listed as ADM5, then either ADM5 or ADM11
is acceptable. Because of this permissive design, whereby ADM11 alone is
sufficient, one can typically ignore ADM5 altogether for programming purposes.
28
Both ADM5 and ADM11 can be set to any arbitrary string of 8 bytes, i.e., each
is effectively a 64-bit key. However, it is common for users to treat ADM5
and/or ADM11 as a string of 8 ASCII-encoded decimal digits like standard
PUK1/PUK2 - the initial default ADM11 secret code from the Grcard factory is
set to the 64-bit hex string 3838383838383838, which corresponds to
PIN/PUK-style decimal 88888888.

fc-simtool provides commands to set and verify ADM5 and ADM11 secret codes in
either full hex or ASCII-encoded decimal representation; the former allows any
arbitrary 64-bit key to be entered, whereas the latter is restricted to those
64-bit keys which correspond to 8 ASCII-encoded decimal digits. The commands
are:

verify-ext 5 XXXXXXXX                  # authenticate as ADM5, decimal format
verify-hex 5 xxxxxxxxxxxxxxxx          # authenticate as ADM5, arbitrary hex format

verify-ext 11 XXXXXXXX                 # authenticate as ADM11, decimal format
verify-hex 11 xxxxxxxxxxxxxxxx         # authenticate as ADM11, arbitrary hex format

grcard2-set-adm5 XXXXXXXX              # set new ADM5, decimal format
grcard2-set-adm5-hex xxxxxxxxxxxxxxxx  # set new ADM5, arbitrary hex format

grcard2-set-super XXXXXXXX             # set new ADM11, decimal format
grcard2-set-super-hex xxxxxxxxxxxxxxxx # set new ADM11, arbitrary hex format
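To make the two secret-code representations concrete, here is an added Python example (not part of fc-simtool or any Grcard code) that converts between the decimal and full-hex forms and assembles the VERIFY CHV APDU that carries such a key. CLA/INS A0 20 are the GSM 11.11 VERIFY CHV values; P2=0x0B for ADM11 is stated in this document, and using 0x05 for ADM5 is an assumption that follows from the access level numbering.

```python
# Added example, not fc-simtool code: ADM key representation helpers.

def decimal_to_hex_key(digits: str) -> str:
    """8 ASCII decimal digits (verify-ext form) -> 16-hex-char 64-bit key."""
    if len(digits) != 8 or any(c not in "0123456789" for c in digits):
        raise ValueError("expected exactly 8 decimal digits")
    return digits.encode("ascii").hex()   # "88888888" -> "3838383838383838"

def hex_key_to_decimal(hex_key: str):
    """Inverse mapping: return the decimal string if the 64-bit key is made of
    8 ASCII digits, else None (such a key can only be entered with verify-hex)."""
    raw = bytes.fromhex(hex_key)
    if len(raw) != 8:
        raise ValueError("expected a 64-bit key (16 hex characters)")
    if all(0x30 <= b <= 0x39 for b in raw):   # 0x30..0x39 are ASCII '0'..'9'
        return raw.decode("ascii")
    return None

def verify_chv_apdu(level: int, hex_key: str) -> bytes:
    """Build CLA=A0 INS=20 P1=00 P2=<access level> Lc=08 <8-byte key>.
    P2=0x0B for ADM11 is documented above; P2=0x05 for ADM5 is assumed."""
    key = bytes.fromhex(hex_key)
    if len(key) != 8:
        raise ValueError("key must be exactly 8 bytes")
    if not 0 <= level <= 0xFF:
        raise ValueError("access level must fit in the P2 byte")
    return bytes([0xA0, 0x20, 0x00, level, 0x08]) + key
```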
53
ADM11 MF quirk
==============

The operation of authenticating with ADM11 (verify-ext 11 or verify-hex 11) is
only allowed when the currently selected directory is MF - either as the very
first command in an fc-simtool session, or after an explicit 'select MF'. If
the current directory is DF_GSM or DF_TELECOM, the command to authenticate with
ADM11 (VERIFY CHV with P2=0x0B) fails with SW 0x9802.
62
Setting PIN1/PIN2/PUK1/PUK2
===========================

The following commands reset the standard PIN and PUK secret codes after
authenticating with either ADM5 or ADM11:

grcard2-set-pin1 XXXX
grcard2-set-pin2 XXXX
grcard2-set-puk1 XXXXXXXX
grcard2-set-puk2 XXXXXXXX

These four commands take decimal string arguments and send them to the card in
ASCII encoding per the standard SIM spec definition of PIN1/PIN2/PUK1/PUK2.

The underlying command APDUs sent by the fc-simtool grcard2-set-* commands are
proprietary to Grcard. If you craft the right APDUs manually in hex (which our
low-level apdu command allows), you can set PIN1/PIN2/PUK1/PUK2 to arbitrary
64-bit hex strings which do not correspond to ASCII-encoded decimal - however,
doing so would produce a SIM that violates the public interface definition for
standard PIN1/PIN2/PUK1/PUK2, hence we do not provide such ability in our
high-level grcard2-set-* command set.
84
FCSIM1 default PINs
===================

The initial default ADM11 secret code from the Grcard factory is decimal
88888888, meaning that you need to authenticate as follows:

select MF
verify-ext 11 88888888

If your card is unprogrammed (i.e., if you haven't programmed it yourself with
fc-simtool), all other secret codes should be regarded as unknown - you need to
reset them yourself in your own card programming or provisioning operation.
Our fcsim1-default-pins command script sets the following FCSIM1 official
defaults:

grcard2-set-pin1 1234
grcard2-set-pin2 6666
grcard2-set-puk1 00099933
grcard2-set-puk2 00099944
grcard2-set-adm5 55501234

For as long as you keep the ADM11 secret code at its default of 88888888, there
is no PIN security - even if you set PIN1/PIN2/PUK1/PUK2 to your own secrets,
anyone can authenticate with the unchanged default ADM11 and then freely reset
all lower PINs. However, in the Mother's opinion there is very little need for
PIN security in actual operational usage in this day and age - almost no one
enables their PIN1, making it moot, and no one ever uses SIM "parental control"
features controlled by PIN2. In the present circumstances, the only real use
for knowing SIM PINs is to exercise and test phone firmware code paths dealing
with these PINs - and for this purpose having known fixed "secret" codes is
very convenient.

However, if someone does desire real PIN security, it *is* possible on FCSIM1
cards - but then you have to not only set PIN1/PIN2/PUK1/PUK2 to your own
secrets, but also set both ADM5 and ADM11 to your own truly-secret codes as
well. But be careful - if you set your own ADM11 secret code and then forget
it, there is no recovery! Maintaining a database of per-card secret codes is a
development job which the Mother gladly leaves to other programmers, to be
undertaken if and when someone actually needs such added complexity.
124
How to (not) brick your card
============================

The following actions will brick your card beyond recovery:

* If you enter ADM11 incorrectly 3 times in a row, ADM11 access is lost with no
possibility of recovery - this bricking mode is generally expected; there can
be no other way.

* If you enter ADM5 incorrectly 3 times in a row, you unrecoverably lose the
ability to use ADM5 ever again - even if you successfully authenticate with
ADM11 and reset ADM5 with grcard2-set-adm5, the attempt counter does not get
reset, and ADM5 remains blocked.

* If you enter standard PUK1 or PUK2 incorrectly 10 times in a row, it is
similarly blocked beyond recovery, with no help from ADM5 or ADM11 -
grcard2-set-puk[12] commands reset the secret code, but not the associated
attempt counter.
133
134 * If you enter ADM5 incorrectly 3 times in a row, you unrecoverably lose the
135 ability to use ADM5 ever again - even if you successfully authenticate with
136 ADM11 and reset ADM5 with grcard2-set-adm5, the attempt counter does not get
137 reset, and ADM5 remains blocked.
138
139 * If you enter standard PUK1 or PUK2 incorrectly 10 times in a row, it is
140 similarly blocked beyond recovery, with no help from ADM5 or ADM11 -
141 grcard2-set-puk[12] commands reset the secret code, but not the associated
142 attempt counter.