Remote Control Soufflés: Challenge of M2M Authentication & Authorisation and Mobile data offloading

Some M2M devices will always connect to the internet over a fixed network connection or Wi-Fi, others will always connect over a mobile network using an eUICC, and some will offer both Wi-Fi and mobile network connectivity. It is these dual-connectivity devices that will need to support Wi-Fi offloading where possible, and it is for these devices that providing a standard API gateway and AuthN & AuthZ capability will be most complex.

For example, my oven is always positioned in my kitchen and connects to the Wi-Fi network so that I can view inside it via a mobile app. That way I don’t have to open the oven door during the fifteen minutes a soufflé takes to rise, which would change the temperature and make my soufflé collapse; instead I can inspect and control the temperature remotely. It also means I have an excuse to check my phone during boring dinner parties. Only my app is paired to the oven, so only I am authenticated and authorised to remotely check on my soufflé, and there is no risk of a malicious guest accessing my oven app and destroying the soufflé by changing the temperature.

[Figure: An M2M oven with embedded camera would decrease flops]

The majority of my home M2M devices will be static devices (I rarely travel with my oven), and in most cases these will be Wi-Fi enabled. Unfortunately I cannot guarantee Wi-Fi coverage throughout my architect’s ivory tower, so some mobile internet devices will need to connect over 3G/4G (for example the BBQ in the lower field). The problem for my oven and BBQ manufacturers is that they would need to support both Wi-Fi and the GSMA standard for M2M / smart device SIMs (eUICC). It would then be the responsibility of the M2M device to support Wi-Fi offload where available.

Authorisation may be necessary when the function of the device is shared amongst a group, with one or many people acting as the super administrator. If I sell my oven, all of my authentication and authorisation permissions have to be removed from the M2M device, but as I will likely buy a new oven with more soufflé capacity I would like to keep my existing settings. Furthermore, if my soufflé skills increased I might take a job in Paris and would need to re-register my oven’s eUICC or Wi-Fi connection. In this case I would definitely want to keep all of my authorisation permissions and maybe grant further permissions for all the extra soufflés I’d be baking.

Device resale and device portability are supported by the eUICC specification, as they are necessary for widespread adoption of M2M devices. What is less well supported is a common standard for AuthN & AuthZ that would allow me to keep my device preferences when I either move with my devices or sell them and replace them with newer devices.

This is where OpenID Connect may be useful, as it adds profile information on top of the authorisation model provided by OAuth 2.0. OpenID Connect 1.0 extends OAuth 2.0 so the client can verify claims about the identity of the end user, get profile information about the end user, and log the user out at the end of the OpenAM session. OpenID Connect also makes it possible to discover the provider for an end user, and to register client applications dynamically. OpenID Connect services are built on OAuth 2.0, JSON Web Token (JWT), WebFinger and well-known URIs.

It remains to be seen whether OpenID Connect will be integrated with the standards for eUICC as part of GSMA Mobile Connect. Furthermore, it would need to be supported by the Wi-Fi offloading devices (e.g. by my BBQ’s manufacturer) as the standard for all M2M AuthN & AuthZ. It seems likely that, at first, device authorisation and later home M2M gateways will implement proprietary technologies and will maintain identity in individual walled gardens. My architect’s ivory tower has a few of those too.

Enterprise M2M Use Cases: #2 Corporate Customer Fleet Management Change M2M Device MNO

GSMA Official Document 12FAST.13 – Embedded SIM Remote Provisioning Architecture published in December 2013 provides a technical specification to enable the remote provisioning and management of Embedded SIMs to allow the “over the air” provisioning of an initial operator subscription and the subsequent change of subscription from one operator to another.  The technical specification includes technical use cases for the provisioning of the Embedded Universal Integrated Circuit Card.  The following are worked examples of business use cases for M2M provisioning.

Use Case #2: Corporate Customer Fleet Management Change MNO

Pamela wishes to upgrade the telematics capabilities of City Deliveries’ existing vehicles.  The existing vehicles are after-market fitted with an M2M device including an eUICC embedded SIM provisioned to MNO B.

Pamela wishes to migrate these subscriptions from MNO B to MNO A to take advantage of dedicated telematics software provided by MNO A.

Use Case Flow:

  1. City Deliveries enters into a subscription with MNO A for the after-market devices
  2. MNO A knows the eUICC-IDs for the devices and the ID of the registered SM-SR
  3. The eUICC is registered with a common SM-SR between MNO A and MNO B
  4. MNO A initiates provisioning of the devices
  5. MNO A initiates the Profile Download and Installation which results in an ISD-P created in the eUICC for the MNO, containing a Profile in disabled or enabled state. The SM-SR has updated the EIS for this eUICC accordingly.
  6. MNO A activates the subscription and all the devices are operative with MNO A
  7. MNO B initiates de-provisioning for all the eUICCs
  8. MNO A’s profile is cleared from all devices

Alternative Flow (Step 3):  The eUICC is registered with a different SM-SR

  • Note: To allow remote access to the eUICC, the eUICC Manufacturer (EUM) registers the eUICC at a selected Subscription Manager Secure Routing (SM-SR). This means that related information which is relevant throughout its further lifetime, in particular the Platform Management Credentials and the Provisioning MSISDN, is stored in the SM-SR database. Without this step, remote access to the eUICC will be impossible.
  1. If MNO A manages their profiles with a different SM-SR than MNO B, then the management of the eUICCs will be handed over. In this case SM-SR X will request the necessary data to manage the eUICCs in the M2M devices (e.g. the appropriate access credentials, characteristics of the eUICCs, previous SM-SRs) from SM-SR Y. SM-SR X will not want SM-SR Y to have knowledge of the eUICC profile management credentials it will hold. Therefore SM-SR Y and SM-SR X perform a change of eUICC management responsibilities, involving the eUICCs in the process. As a consequence SM-SR X becomes the entity managing the eUICCs on behalf of MNO A.

More detail is provided by the macro procedures E.5 in GSMA Official Document 12FAST.13 – Embedded SIM Remote Provisioning Architecture.

Enterprise M2M Use Cases: #1 Corporate Customer Fleet Management New M2M Order Provisioning

GSMA Official Document 12FAST.13 – Embedded SIM Remote Provisioning Architecture published in December 2013 provides a technical specification to enable the remote provisioning and management of Embedded SIMs to allow the “over the air” provisioning of an initial operator subscription and the subsequent change of subscription from one operator to another.  The technical specification includes technical use cases for the provisioning of the Embedded Universal Integrated Circuit Card.  The following are worked examples of business use cases for M2M provisioning.

Use Case #1: Corporate Customer Fleet Management New Order

Pamela, the purchasing manager of City Deliveries, purchases a number of M2M-enabled vehicles for the company’s fleet. The new vehicles include an embedded SIM provisioned to Mobile Network Operator A.

Pamela is happy, as MNO A is their existing network operator, and enters into a subscription with MNO A for the M2M-enabled vehicle devices.

Use case flow:

  1. MNO A initiates the provisioning of a number of devices included in City Deliveries’ subscription
  2. MNO A already uses the Subscription Manager Secure Routing (SM-SR) with which the eUICC is registered, and hence the SM-SR does not need changing.
  3. The MNO Profile is downloaded and installed to the eUICC by the SM-DP. An ISD-P is created in the eUICC for the MNO, containing the profile in disabled state, and the SM-SR updates the EIS.
  4. The target profile is enabled on the eUICC. As this is a new eUICC on its first MNO, no previously enabled profile requires disabling.
  5. MNO A activates the subscription

More detail is provided by the macro procedures 1, 2 & 3 in GSMA Official Document 12FAST.13 – Embedded SIM Remote Provisioning Architecture.

Embedded SIM SM-DP & SM-SR

The GSMA has united the mobile operators and SIM suppliers behind a single Embedded SIM specification to avoid costly, fragmented & incompatible technical solutions and help accelerate the M2M market.  In order to support M2M use cases with no human intervention and to facilitate the secure over the air installation of mobile operator credentials into a SIM, two new key network elements have been specified by the GSMA:

Subscription Manager Data Preparation (SM-DP):

  • Role that securely creates and encrypts operator Profiles and then securely installs them into the eUICC
  • The SM-DP securely packages profiles to be provisioned on the eUICC. The SM-DP manages the installation of these profiles onto the eUICC
  • The Profile Enabling procedure between the MNO and the SM-DP is used to enable a Profile previously downloaded and installed on an eUICC. The procedure is initiated by the MNO owning the Profile to be enabled.

Subscription Manager Secure Routing (SM-SR)

  • Role that enables secure download, enablement, disablement and deletion of Profiles on the eUICC
  • The SM-SR ensures the secure transport of both eUICC platform and eUICC profile management commands in order to load, enable, disable and delete profiles on the eUICC
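The two fleet-management use cases and the SM-DP / SM-SR roles above all turn on one profile lifecycle. The Python model below is added here as an illustration and is not code from the GSMA document or the original post: an ISD-P is created holding the downloaded profile in disabled state, enabling a profile disables the previously enabled one, an enabled profile has to be disabled before it can be deleted, the SM-SR keeps the EIS in step, and only the SM-SR the eUICC is registered with can reach it, including after a change of SM-SR (the Alternative Flow at step 3). EIDs, ICCIDs and SM-SR names are constructed placeholders, and the EIS is reduced to a state map.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

DISABLED, ENABLED = "disabled", "enabled"
EIS: Dict[str, Dict[str, str]] = {}  # eUICC Information Set as mirrored by the SM-SR: eid -> {ICCID: state}

@dataclass
class EUICC:
    eid: str            # eUICC-ID; constructed placeholder values are used below
    sm_sr: str          # the SM-SR holding this eUICC's platform management credentials
    profiles: Dict[str, Dict[str, str]] = field(default_factory=dict)  # ICCID -> {mno, state}

def _check_access(euicc: EUICC, sm_sr: str) -> None:
    """Only the SM-SR the eUICC is registered with can reach it; anyone else gets no remote access."""
    if sm_sr != euicc.sm_sr:
        raise PermissionError(f"{sm_sr} does not manage eUICC {euicc.eid}")

def download_and_install(euicc: EUICC, sm_sr: str, iccid: str, mno: str) -> None:
    """SM-DP download via the SM-SR: an ISD-P is created holding the profile in disabled state."""
    _check_access(euicc, sm_sr)
    if iccid in euicc.profiles:
        raise ValueError(f"profile {iccid} already installed")
    euicc.profiles[iccid] = {"mno": mno, "state": DISABLED}
    EIS.setdefault(euicc.eid, {})[iccid] = DISABLED   # SM-SR updates the EIS

def enable_profile(euicc: EUICC, sm_sr: str, iccid: str) -> Optional[str]:
    """Enable the target profile; the previously enabled profile (if any) is disabled and returned."""
    _check_access(euicc, sm_sr)
    target = euicc.profiles[iccid]   # KeyError before any state change if the profile is not installed
    previous = next((i for i, p in euicc.profiles.items() if p["state"] == ENABLED), None)
    if previous is not None:
        euicc.profiles[previous]["state"] = DISABLED
        EIS[euicc.eid][previous] = DISABLED
    target["state"] = ENABLED
    EIS[euicc.eid][iccid] = ENABLED
    return previous

def delete_profile(euicc: EUICC, sm_sr: str, iccid: str) -> None:
    """De-provisioning: the enabled profile cannot be deleted, it has to be disabled first."""
    _check_access(euicc, sm_sr)
    if euicc.profiles[iccid]["state"] == ENABLED:
        raise ValueError(f"profile {iccid} is enabled; disable it before deletion")
    del euicc.profiles[iccid]
    del EIS[euicc.eid][iccid]

def change_sm_sr(euicc: EUICC, from_sm_sr: str, to_sm_sr: str) -> None:
    """Alternative Flow step 3: hand eUICC management over; the old SM-SR loses access afterwards."""
    _check_access(euicc, from_sm_sr)
    euicc.sm_sr = to_sm_sr
```

Walking Use Case #2 through it: MNO B's profile is enabled first, MNO A's download lands disabled, MNO A's activation enables it and disables MNO B's, and only then can MNO B's profile be deleted.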

Certificates & Credentials:

  • The Embedded Universal Integrated Circuit Card (eUICC) Certificate is issued by the eUICC Manufacturer for a specific individual eUICC and is certified by the eUICC Manufacturer Certificate, which is issued to a GSMA-accredited eUICC Manufacturer. The eUICC Certificate enables eUICC authentication and certification to other entities: authenticated key set establishment between an SM-DP and an eUICC, and authenticated key set establishment between an SM-SR and an eUICC
  • Download and installation are protected by Profile Installer Credentials shared between the SM-DP and the Issuer Security Domain Profile
  • The architecture of the eUICC and its remote Provisioning system complies with the requirements of 3GPP TS 21.133 [21133] “3G Security, Security Threats and Requirements”