SIM cards tutorial Part 5: Security features

SIM cards act as the security key in mobile networks. Do you know how SIM cards help in implementing such high security? In this post we discuss the security features of SIM cards.

The prime purpose of a SIM card is to provide user authentication in mobile networks. Whenever mobile equipment (ME, which refers to mobile phones and similar devices that use SIM cards) is switched on, it searches for network availability. On finding a registered network, it requests a channel. Upon receiving this request, the network operator initiates an authentication procedure with the requesting ME. If this authentication procedure succeeds, the user is identified and allowed to use the network. From then on, the user can make and receive calls, send SMS and access many other value-added services. To perform this authentication procedure, the mobile equipment uses the SIM card.

Authentication Key – Ki

Every SIM card has a unique key called Ki. Ki is a 128-bit value used in authenticating the SIM card on the mobile network. Ki is stored inside the SIM card, and SIM cards are designed in such a way that there is no means to read it. Only the network operator who provides the SIM card knows the Ki of a registered SIM. If it cannot be read, what is the use of this key? This is explained below.

For authentication purposes, SIM cards support a command for encrypting a random number (RAND). The ME sends this command to the SIM along with RAND. When the SIM receives this command, it uses the A3 algorithm with Ki as the key to encrypt RAND, producing an output called SRES_2. At the same time, the network operator who sent this RAND performs the same procedure to produce SRES_1. The mobile equipment sends SRES_2 back to the network operator. If both match, authentication succeeds. This is how the SIM card takes part in the authentication procedure, and it is because of this that the SIM card is called a security key.
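The exchange described above, sketched as an added example that is not part of the original tutorial. The real A3 algorithm is chosen by the operator, so `a3_stand_in` (HMAC-SHA256 truncated to 4 bytes) is an assumption, as are the class names, the 16-byte RAND size and the constructed IMSI.

```python
import hashlib
import hmac
import secrets

def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Assumed stand-in for the operator's A3: keyed hash of RAND under Ki."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]

class Sim:
    """Holds Ki privately; the only exposed operation turns RAND into SRES_2."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self.__ki = ki  # no method ever returns this value

    def run_auth(self, rand: bytes) -> bytes:
        return a3_stand_in(self.__ki, rand)

class Network:
    """Operator side: knows each subscriber's Ki and issues challenges."""
    def __init__(self):
        self._subscribers = {}  # IMSI -> Ki
        self._pending = {}      # IMSI -> SRES_1 of the outstanding challenge

    def provision(self, imsi: str, ki: bytes) -> None:
        self._subscribers[imsi] = ki

    def challenge(self, imsi: str) -> bytes:
        rand = secrets.token_bytes(16)  # fresh RAND for every attempt
        self._pending[imsi] = a3_stand_in(self._subscribers[imsi], rand)
        return rand

    def verify(self, imsi: str, sres_2: bytes) -> bool:
        # Each challenge can be answered once; compare in constant time.
        sres_1 = self._pending.pop(imsi, None)
        return sres_1 is not None and hmac.compare_digest(sres_1, sres_2)

def authenticate(network: Network, sim: Sim) -> bool:
    """ME role: relay RAND to the SIM and SRES_2 back to the network."""
    rand = network.challenge(sim.imsi)
    return network.verify(sim.imsi, sim.run_auth(rand))

IMSI = "001010000000001"  # constructed test value

if __name__ == "__main__":
    ki = secrets.token_bytes(16)  # 128-bit Ki shared by SIM and operator
    net = Network()
    net.provision(IMSI, ki)
    print("genuine SIM:", authenticate(net, Sim(IMSI, ki)))
    print("wrong Ki:   ", authenticate(net, Sim(IMSI, secrets.token_bytes(16))))
```

Ki never crosses the interface in either direction; only RAND and SRES do, and because RAND is fresh each time, a previously observed SRES does not answer a later challenge.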

SIM card PIN (Personal Identification Number) or CHV (Card Holder Verification information)

SIM cards can be protected from unauthorized use by setting a password called PIN or CHV. PIN is the old name and CHV is the one currently used according to the standards. The user of a SIM card can enable this security feature at any time. By default, when a new SIM card is provided, this feature is disabled. While enabling the CHV feature, the user is asked to provide a 4 to 8 digit number as a password. After the CHV feature is enabled, every time the SIM card is inserted into an ME, it will request this CHV. If the user provides an incorrect CHV, critical data (like the IMSI) required for registering on the mobile network cannot be read from the SIM card. This in effect makes the SIM card useless for a person who doesn't know the CHV.

Only 3 wrong attempts are allowed while entering the CHV. Once the user enters more than 3 wrong passwords, the SIM will be blocked. Some newer SIM cards allow up to 10 wrong attempts. Once a SIM is blocked, there is no use in knowing the CHV. To unlock a blocked SIM card, the PUK (PIN Unlocking Key) is required. The PUK is provided by the service provider on submitting proper user ID proofs. The PUK is an 8 digit number. For the PUK, 10 wrong attempts are allowed. Once this limit is crossed, the SIM is blocked forever. The only thing the user can do then is to get a new SIM card from the service provider.

PIN1 vs. PIN2 (CHV1 vs. CHV2)

CHV1 (PIN1) protects against unauthorized use of SIM cards. CHV2 (PIN2) is similar to CHV1, but the data it protects is not critical; it just provides some additional features. Unlike CHV1, CHV2 is enabled by default. But normally mobile phones won't ask for CHV2, since it is not required for normal operation. Like CHV1, CHV2 also has 3 or 10 wrong attempts allowed. Once this limit is crossed, that particular SIM card will be CHV2 blocked. The SIM card can still be used as normal. In order to unlock a CHV2 blocked SIM card, PUK2 is required.

