Friday, October 28, 2022

Secure App Stores

RSP (Remote SIM Provisioning) is an excellent mechanism for the delivery of sensitive data and that includes SIM apps resident within SIM profiles.

However, SIM/eUICC apps are still critically starved of resources (not even strings are available). Even "large" eUICCs only have up to 1 MB of space (SGP.22 4.3).

This ETSI article may suggest that the eUICC could be resident within standard enclaves:

https://www.etsi.org/newsroom/press-releases/2134-2022-10-new-etsi-specification-eliminates-the-need-for-physical-sims

So could RSP also be used to deliver secure apps to standard enclaves?

And will SIM apps be able to take advantage of having a lot more resource, e.g. when resident within a TrustZone enclave?

Intel's SGX provides far more space, e.g. 500 MB and as high as multiple GBs, though as part of a server-based Xeon chip. Could the eUICC be run in an Intel SGX enclave?

Wednesday, October 27, 2021

Cloud Security: Certificate Management Using vTPMs

Virtual TPMs (vTPMs) are generally available for virtual machines running under e.g. OpenStack/KVM and VMware/ESXi. The security of these vTPM files is a whole separate topic that we won't discuss in this post. They are stored on the hypervisor's filesystem, and this represents an invitation for a better solution.

Certificate management for virtual machines can be an arduous process that in the worst case may result in the credentials needed for certificate renewals being hard-coded into images. Therefore, we propose that instead the hypervisor can be used to inject an AK (Attestation Key) and a signed CA certificate into the vTPM. This private key and client certificate (extracted) can then be used with OpenSSL v3.0's support for CMPv2 to automate certificate renewals.

The vTPM is a convenient bridge between the hypervisor and the virtual machine, especially for an evolving environment in which confidential computing will make the virtual machine inaccessible to the host. The vTPM is attached to the virtual machine by the host separately and so within a separate security perimeter that will remain accessible to both the hypervisor and the virtual machine though not simultaneously.

Check out our proof of concept on GitHub with step by step instructions for DevStack, the dev version of OpenStack.
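As an added example (not code from the mode51 proof of concept), here is the VM-side renewal helper this design calls for: it checks whether the client certificate is inside its renewal window and, if so, asks OpenSSL 3.0's CMP client for a key update (kur), signing the request with the private key that stays inside the vTPM via the tpm2-openssl provider. The CMP server address, the persistent key handle and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the mode51 PoC. Renews a VM client certificate over
# CMPv2 (OpenSSL 3.0 `openssl cmp`) using a private key that lives in the vTPM.
# Assumptions: a CMP server at CMP_SERVER/CMP_PATH, the injected key stored at a
# persistent TPM handle, and the tpm2-openssl provider installed.
set -eu

CMP_SERVER="${CMP_SERVER:-cmp.example.internal:8080}"   # assumed CMP endpoint
CMP_PATH="${CMP_PATH:-/pkix/}"                          # assumed HTTP path
TPM_KEY_URI="${TPM_KEY_URI:-handle:0x81010002}"         # assumed persistent handle
CLIENT_CERT="${CLIENT_CERT:-/etc/pki/vm/client.pem}"    # assumed path
CA_TRUST="${CA_TRUST:-/etc/pki/vm/ca-chain.pem}"        # assumed path
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"

# needs_renewal CERT [DAYS]: returns 0 if CERT expires within DAYS, else 1.
needs_renewal() {
  cert="$1"; days="${2:-$RENEW_WINDOW_DAYS}"
  # -checkend N exits non-zero when the certificate will have expired N seconds from now
  if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# request_key_update CERT NEWCERT: CMP "kur" signed with the TPM-resident key.
# -newkey is omitted, so OpenSSL reuses the key given with -key for the new cert.
request_key_update() {
  openssl cmp -cmd kur \
    -server "$CMP_SERVER" -path "$CMP_PATH" \
    -provider tpm2 -provider default \
    -key "$TPM_KEY_URI" -cert "$1" \
    -trusted "$CA_TRUST" \
    -certout "$2" -days 365
}

# Only act when invoked with --run, so the functions can be sourced or tested.
if [ "${1:-}" = "--run" ]; then
  if needs_renewal "$CLIENT_CERT"; then
    request_key_update "$CLIENT_CERT" "$CLIENT_CERT.new" && mv "$CLIENT_CERT.new" "$CLIENT_CERT"
  else
    echo "certificate valid beyond $RENEW_WINDOW_DAYS days; nothing to do"
  fi
fi
```

Run it from a timer (cron or a systemd timer) with `--run`; the private key never leaves the vTPM, and only the renewed certificate lands on disk.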

Sunday, July 18, 2021

mode51 Software supports custom SEE module development for Entrust's nShield HSM

HSMs can be used to tamper-proof critical business logic as well as for the more common signing and encryption use cases.

Using Entrust's CodeSafe development kit, mode51 Software will now provide development support for custom SEE modules for the nShield HSM.

We are actively investigating Square's subzero cryptocurrency cold storage wallet which builds on nShield, and looking forward to more news on their upcoming consumer hardware wallet service.

This augments our existing support for custom security module development which also includes Thales's SafeNet HSMs.

Please visit our website and get in touch if you would like to discuss your custom security requirements.

Sunday, March 28, 2021

mode51 Software's HSM PKI Plugin Listed on Vault's Plugin Portal

Thanks to HashiCorp for listing our HSM PKI plugin on the Vault plugin portal: https://www.vaultproject.io/docs/plugin-portal#secrets-2

Saturday, March 6, 2021

mode51 Software's open source Vault plugin released on GitHub

Sharing an initial release of our open source Vault PKI plugin written in Go and providing HSM backed certificate signing: https://github.com/mode51software/vaultplugin-hsmpki

We're also working on a supporting Go module called pkcs11helper: https://github.com/mode51software/pkcs11helper

Thanks to BT for sponsoring it, HashiCorp for the excellent Vault, and many thanks for the support from Thales (SafeNet DPoD) and Entrust (nShield) for the all-important HSMs.

Get in touch if you want to find out more about CAs, HSMs, Vault and how we can help with your requirements.