Switching between mobile operators
At present, if you wish to change your operator (e.g. from KPN to Vodafone), you need to replace the SIM in the device itself. Each device (telephone, tablet, smart meter, navigation, etc.) needs to be opened, and the SIM issued by the old mobile operator has to be replaced with a SIM from the new operator. This is not a problem for a consumer, but is a major operation for medium to large institutions that issue their employees with mobile subscriptions.
The new E-SIM design works using profiles. As the owner of the SIM and accompanying keys, SURFnet would be able to manage the SIM and overwrite profiles remotely. Overwriting the profile results in the telephone using the radio network of a different mobile operator.
We performed an experiment together with Aspider and BTG in summer 2016. We were able to create and activate a different profile on the SIM over the air, which enabled the owner of the device to migrate from one Dutch mobile operator to a different one without replacing the SIM. The results were limited to Android devices (Android 5 and higher), as iPhones do not support the bearer independent protocol, which is required for managing the SIM in a secure manner.
Access to eduroam via the SIM
The primary aim of the SIM is authentication on a communication network. This is currently limited to 2G/3G/4G, though the situation does not have to remain like this. As the SIM communicates with the authentication servers connected to SURFnet, the encryption keys on the SIM can be used for authentication for every network – including Wi-Fi (eduroam). We tested this for eduroam and it worked well on both Android and iPhone devices. The key operation is selecting EAP-SIM as the authentication method on the device, after which the device will go online. Technically speaking, the process works because the telecommunications industry has designed rules that are well-suited to eduroam. For EAP-SIM, a network identifier takes the following form:
Around 15,000 requests of this kind enter our core eduroam proxies each day, which we are disregarding at present. However, for the SIMs in our pilot, we send the requests via RADIUS to the same database that is used to obtain access to 2G/3G/4G networks. The encryption keys on the SIM are compared with the keys derived from that database. This is the same as what happens now in an institution’s RADIUS server if somebody is at a location where eduoroam is offered. The benefit of the SIM as an authentication method is that the keys on the SIM are much more secure than a username/password combination, thereby making password retention redundant. This relieves the burden on the RADIUS servers of the institution in question.
The drawback is that requests are sent to an external server whose availability is unable to be guaranteed. This is why we want to create a special eduroam profile on the SIM that can be verified by a RADIUS server within SURFnet and that is separate from the mobile operator offering 2G/3G/4G.
This pilot marked the first step in exploring the options for creating our own SURFsim. An analysis of the process of switching between operators shows that although it is technically feasible, things can sometimes go wrong. We want to find out why this happens (timing, communication, influence of operating system, device, etc.). We also believe that ownership of our own SIM yields many more opportunities, such as two-factor authentication, our own certificate in a secure element on the SIM and indoor communication. We will continue to analyse these opportunities in collaboration with various institutions.