The Global System for Mobile Communication (GSM) is a standard for digital wireless communications with services, such as voice telephony. GSM, together with other technologies, is part of an evolution including e.g. General Packet Radio Service (GPRS), and Universal Mobile Telecommunications Service (UMTS). UMTS is the next (3rd) generation mobile communication system, which provides an enhanced range of multimedia services, such as video.
The Subscriber Identity Module (SIM) is a smart card that saves subscriber information about identity, subscription, subscription environment, radio environment and other information. The information in the SIM is stored in a logical structure of files.
UMTS has specified the use of the USIM (UMTS Subscriber Identity Module) as the evolution of SIM. In GSM and UMTS networks, the (U)SIM card is central both for subscriber identification and for providing value added services to users. The SIM card is the user subscription to the GSM mobile network and the USIM card is the user subscription to the UMTS mobile network. Sometimes the word “SIM” is meant to cover “USIM” as well.
The development of GSM Networks and terminals to support more advanced data bearer technologies has allowed for the introduction of new exciting data services, such as communications, financial management, information retrieval, entertainment and game playing. Therefore, the U(SIM) cards might have a lot of subscriber specific information stored.
The Mobile Station (MS), also referred to as the “device”, represents the only equipment the GSM user ever sees from the whole system. It actually consists of two distinct entities. The actual hardware is the Mobile Equipment (ME), also referred to as the “terminal” or the “handset”, which consists of the physical equipment, such as the radio transceiver, display and digital signal processors. The subscriber information is stored in the Subscriber Identity Module (SIM), implemented as a Smart Card.
When a new (U)SIM is issued, a lot of information, both personal and to some extent operator defined, is lost, unless this information is copied from the old (U)SIM to the new (U)SIM. This could for example be the phone book. Introducing a new terminal has other problems—since it is not personalized as (U)SIM cards are. Hence it is required to be configured with network settings to be enabled to use the different services the Mobile Service Provider offers. Apart from that, the same problem with personal information and services, as with the (U)SIM Cards, applies.
Some problems arise when an end user wants to change either subscription or terminal or both as data stored in the old terminal and/or old (U)SIM card can get lost.
A problem arises when the subscriber considers the data stored on his device as sensitive. Therefore, the subscriber does not feel comfortable with transmitting the data or to allow the data to be stored in some storage for retrieval.
This problem requires the data to be encrypted for transfer and storage.
Most encryption algorithms are key-based. In them, a ‘key’ or ‘password’ of some kind is specified, and the encryption algorithm works in such a way that each ‘key’ or ‘password’ produces a different encrypted output, which requires a unique ‘key’ or ‘password’ to decrypt. There are symmetrical and asymmetrical encryption methods, in which the keys used either consists of a ‘symmetrical’ key (in the symmetric method) where both encryption and decryption use the same key or ‘asymmetrical’ ones (in the asymmetric method) where encryption and decryption keys are different.
The popular ‘PGP’ public key encryption method, and the ‘RSA’ encryption that it is based on, uses ‘asymmetrical’ keys. The encryption key, also called the ‘public key’, is significantly different from the decryption key, which is called the ‘private key’, such that attempting to derive the private key from the public key involves so many hours of computing time, that it usually is considered unfeasible to derive it. The principle of such infrastructures can be that everyone in the communication system has their own public key, that is known to everyone in the system and which is used to encrypt messages, and a private key, that is only known to the user, for decrypting messages that are encrypted with the user's public key.
When using the term secret key in the following, that refers to either the private key in an asymmetric cryptosystem or the shared key in a symmetric cryptosystem.
A secret key consists, in essence, of a sequence of numbers each of which has a value from 0 to 255 (such numbers are called bytes) and is often called a secret key. The required length of a secret key is determined by the algorithm which is used for the encryption and the level of security desired. The required length of a key for algorithms used can vary e.g. from 16 bytes (IDEA algorithm) to 255 bytes (RC-6 algorithm).
Secret keys of sufficient length to produce acceptable levels of protection for the encrypted data are almost impossible to memorize. Therefore, secret keys are usually stored on floppy disks or other removable media, and these media in turn are stored in safe places with restricted access.
It is a common practice in everyday life not to deal directly with the secret keys, but generate them when they are needed for encryption or decryption from passwords or to protect the keys with a password. But here, the tradeoff is in terms of security: in order to perform secure encryption with a password, it must include a great variety of different symbols and it must be as long as possible.
The subscriber must be able to ensure that the secret key is only accessible for him. When the data later is to be restored on the mobile station either a new one (SIM card or terminal changed) or the same one, it must be possible to decrypt the data.
If the secret keys needed for the decryption are stored on the terminal or on the SIM specifically, and the user loses his mobile station, the keys will be lost as well.
One solution would be to for the user to make a copy of his secret key and keep it on a floppy disk or on a thumb drive that is kept in a safe place. However, that solution involves the risk for not being used in which case the secret key is permanently lost and thus the data is lost as well.