comparison doc/GrcardSIM2-security-model @ 186:c925f7808285
doc/GrcardSIM2-security-model article written
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Sat, 06 Mar 2021 20:59:23 +0000 |
parents | |
children | f756bafde7a9 |
185:e92ff25199b9 | 186:c925f7808285 |
---|---|
1 GrcardSIM2 cards (previously sold as sysmoSIM-GR2 and now being reintroduced as | |
2 FCSIM1) have two different ADM access levels, each guarded by a separate secret | |
3 code. These two ADM access levels are referred to as ADM and SUPER ADM in the | |
4 Osmocom wiki page for GrcardSIM2, but they can also be called ADM5 and ADM11, | |
5 as the access level numbers appear in the actual APDUs. | |
6 | |
7 If you successfully authenticate with ADM5 secret code, you gain the following | |
8 abilities: | |
9 | |
10 * You can change the ADM5 secret code itself; | |
11 * You can reset PIN1, PIN2, PUK1 and PUK2 to new codes without having to know | |
12 any previous ones. | |
13 | |
14 If you successfully authenticate with ADM11 secret code, you gain the following | |
15 abilities: | |
16 | |
17 * You can change the ADM11 secret code itself; | |
18 * You can reset PIN1, PIN2, PUK1, PUK2 and ADM5 to new codes without having to | |
19 know any previous ones. | |
20 | |
21 Most admin-write-only files are writable after either ADM5 or ADM11 | |
22 authentication, but some files (particular EF.WEKI that holds Ki) can only be | |
23 read and written with ADM11. More precisely, if a given access condition | |
24 (returned in response to SELECT) is listed as ADM11, then you need to | |
25 authenticate with ADM11, but if it is listed as ADM5, then either ADM5 or ADM11 | |
26 is acceptable. Because of this permissive design whereby ADM11 alone is | |
27 sufficient, one can typically ignore ADM5 altogether for programming purposes. | |
28 | |
29 Both ADM5 and ADM11 can be set to any arbitrary string of 8 bytes, i.e., each | |
30 is effectively a 64-bit key. However, it is common for users to treat ADM5 | |
31 and/or ADM11 as being a string of 8 ASCII-encoded decimal digits like standard | |
32 PUK1/PUK2 - the initial default ADM11 secret code from Grcard factory is set to | |
33 64-bit hex string 3838383838383838, which corresponds to PIN/PUK-style decimal | |
34 88888888. | |
35 | |
36 fc-simtool provides commands to set and verify ADM5 and ADM11 secret codes in | |
37 either full hex or ASCII-encoded decimal representation; the former allows any | |
38 arbitrary 64-bit key to the entered, whereas the latter is restricted to those | |
39 64-bit keys which correspond to 8 ASCII-encoded decimal digits. The commands | |
40 are: | |
41 | |
42 verify-ext 5 XXXXXXXX # authenticate as ADM5, decimal format | |
43 verify-hex 5 xxxxxxxxxxxxxxxx # authenticate as ADM5, arbitrary hex format | |
44 | |
45 verify-ext 11 XXXXXXXX # authenticate as ADM11, decimal format | |
46 verify-hex 11 xxxxxxxxxxxxxxxx # authenticate as ADM11, arbitrary hex format | |
47 | |
48 grcard2-set-adm XXXXXXXX # set new ADM5, decimal format | |
49 grcard2-set-adm-hex xxxxxxxxxxxxxxxx # set new ADM5, arbitrary hex format | |
50 | |
51 grcard2-set-super XXXXXXXX # set new ADM11, decimal format | |
52 grcard2-set-super-hex xxxxxxxxxxxxxxxx # set new ADM11, arbitrary hex format | |
53 | |
54 Setting PIN1/PIN2/PUK1/PUK2 | |
55 =========================== | |
56 | |
57 The following commands reset standard PIN and PUK secret codes after | |
58 authenticating with either ADM5 or ADM11: | |
59 | |
60 grcard2-set-pin1 XXXX | |
61 grcard2-set-pin2 XXXX | |
62 grcard2-set-puk1 XXXXXXXX | |
63 grcard2-set-puk2 XXXXXXXX | |
64 | |
65 These 4 commands take decimal string arguments and send them to the card in | |
66 ASCII encoding per standard SIM spec definition of PIN1/PIN2/PUK1/PUK2. | |
67 | |
68 The underlying command APDUs sent by fc-simtool grcard2-set-* commands are | |
69 proprietary to Grcard. If you craft the right APDUs manually in hex (which our | |
70 low-level apdu command allows), you can set PIN1/PIN2/PUK1/PUK2 to arbitrary | |
71 64-bit hex strings which do not correspond to ASCII-encoded decimal - however, | |
72 doing so would produce a SIM that violates the public interface definition for | |
73 standard PIN1/PIN2/PUK1/PUK2, hence we do not provide such ability in our | |
74 high-level grcard2-set-* command set. | |
75 | |
76 FCSIM1 default PINs | |
77 =================== | |
78 | |
79 The initial default ADM11 secret code from Grcard factory is decimal 88888888, | |
80 meaning that you need to authenticate as follows: | |
81 | |
82 verify-ext 11 88888888 | |
83 | |
84 If your card is unprogrammed (if you haven't programmed it yourself with | |
85 fc-simtool), all other secret codes should be regarded as unknown - you need to | |
86 reset them yourself in your own card programming or provisioning operation. | |
87 Our fcsim1-default-pins command script sets the following FCSIM1 official | |
88 defaults: | |
89 | |
90 grcard2-set-pin1 1234 | |
91 grcard2-set-pin2 6666 | |
92 grcard2-set-puk1 00099933 | |
93 grcard2-set-puk2 00099944 | |
94 grcard2-set-adm 55501234 | |
95 | |
96 For as long as you keep the ADM11 secret code at its default of 88888888, there | |
97 is no PIN security - even if you set PIN1/PIN2/PUK1/PUK2 to your own secrets, | |
98 anyone can authenticate with the unchanged default ADM11 and then freely reset | |
99 all lower PINs. However, in the Mother's opinion there is very little need for | |
100 PIN security in actual operational usage in this day and age - almost no one | |
101 enables their PIN1, making it moot, and no one ever uses SIM "parental control" | |
102 features controlled by PIN2. In the present circumstances, the only real use | |
103 for knowing SIM PINs is to exercise and test phone firmware code paths dealing | |
104 with these PINs - and for this purpose having known fixed "secret" codes is | |
105 very convenient. | |
106 | |
107 However, if someone does desire real PIN security, it *is* possible on FCSIM1 | |
108 cards - but then you have to not only set PIN1/PIN2/PUK1/PUK2 to your own | |
109 secrets, but also set both ADM5 and ADM11 to your own truly-secret codes as | |
110 well. But be careful - if you set your own ADM11 secret code and then forget | |
111 it, there is no recovery! Maintaining a database of per-card secret codes is a | |
112 development job which the Mother gladly leaves to other programmers, to be | |
113 undertaken if and when someone actually needs such added complexity. | |
114 | |
115 How to (not) brick your card | |
116 ============================ | |
117 | |
118 The following actions will brick your card beyond recovery: | |
119 | |
120 * If you enter ADM11 incorrectly 3 times in a row, ADM11 access is lost with no | |
121 possibility of recovery - this bricking mode is generally expected, there can | |
122 be no other way. | |
123 | |
124 * If you enter ADM5 incorrectly 3 times in a row, you unrecoverably lose the | |
125 ability to use ADM5 ever again - even if you successfully authenticate with | |
126 ADM11 and reset ADM5 with grcard2-set-adm, the attempt counter does not get | |
127 reset, and ADM5 remains blocked. | |
128 | |
129 * If you enter standard PUK1 or PUK2 incorrectly 10 times in a row, it is | |
130 similarly blocked beyond recovery, with no help from ADM5 or ADM11 - | |
131 grcard2-set-puk[12] commands reset the secret code, but not the associated | |
132 attempt counter. |