E.2 RP

31.1133GPPRelease 8TSUniversal Subscriber Identity Module Application Toolkit (USAT) interpreter byte codes

E.2.1 Plug-in Execution

The flow diagram below illustrates briefly the different steps of the RP execution.

Figure E.2: RP Flow Diagram

The termination states shall be mapped to output variables according to:

State

Plug-in Status Code

Functional Output

Description

FINISHED

"PS: OK"

Indicates success.

NO KEY

"PS: No such key"

“error:noKey”

Can not locate target PIN.

In case of a serious error not listed above, an implementation may use any of the Error Codes listed in the error code table in subclause 8.8.

Changing the PIN value is simply copying the new PIN value to the appropriate location, possibly stripping of the padding bytes and/or converting the PIN value to an internal format. The "remaining attempts" counter shall always be reset to its maximum value at the same time.

The maximum and minimum length restrictions on the PIN value shall be checked. If violated, the plug-in shall set the Error Code to "Execution Error" and terminate.

E.2.2 Decryption and Verification

This procedure includes decryption of the encrypted PIN data, as well as verification of it’s authenticity.

To decrypt and verify the encrypted PIN data, select the correct algorithm based on the algorithm identifier and thereafter decrypt and verify according to the selected algorithm.

An implementation shall support at least one algorithm.

Algorithms employing SHA-1 are preferred prior to algorithms employing ISO/IEC 9797.

E.2.2.1 3DES EDE CBC with two keys + SHA-1 MDC

The decrypted PIN data shall be formatted according to the table below:

Bytes

Description

M/O

Length

1 – 8

Nonce. 8 bytes of random data.

M

8

9 – 16

PIN value. Each digit in the PIN shall be encoded with its corresponding GSM default alphabet value. All unused digits at the end shall be encoded as ‘FF’.

M

8

17 – 24

PIN checksum. Truncated SHA-1 MDC.

M

8

To decrypt and verify the PIN data, do the following:

  1. Calculate the decrypted PIN data

    DP = TDEA_DECR(EP)

    using the following cipher parameterisation:

Keys

K1, K2

Cipher mode

Outer CBC using two keys in EDE operation.

IV

’00 … 00’ (this is not a weakness since the nonce effectively becomes a randomly chosen IV).

  1. Calculate

    MD = SHA1(unencrypted parameters || DP<1..16>).

    The unencrypted parameters ("Key identifier type", "Key identifier" and "Options") shall be included in the checksum calculation to avoid certain replay attacks.

  2. Calculate the PIN checksum

    PC = MD<1..8>

  3. Compare PC with DP<17..24>. If identical, proceed to the next step. Otherwise, set Error Code to "Execution Error" and terminate.
  4. Success. The new PIN is DP<9..16>.

E.2.2.2 3DES EDE CBC with two keys + ISO/IEC 9797 MAC

The decrypted PIN data shall be formatted according to the table below:

Bytes

Description

M/O

Length

1 – 8

Nonce. 8 bytes of random data.

M

8

9 – 16

PIN value. Each digit in the PIN shall be encoded with its corresponding GSM default alphabet value. All unused digits at the end shall be encoded as ‘FF’.

M

8

17 – 24

PIN checksum . ISO/IEC 9797 MAC.

M

8

To decrypt and verify the PIN data, do the following:

  1. Calculate the decrypted PIN data

    DP = TDEA_DECR(EP)

    using the following cipher parameterisation:

Keys

K1, K2

Cipher mode

Outer CBC using two keys in EDE operation.

IV

’00 … 00’ (this is not a weakness since the nonce effectively becomes a randomly chosen IV).

  1. Calculate

    PM = ISO_IEC_9797_PAD2(unencrypted parameters || DP<1..16>).

    The unencrypted parameters (‘Key identifier type’, ‘Key identifier’ and ‘Options’) shall be included in the checksum calculation to avoid certain replay attacks.

  2. Calculate

    PC = ISO_IEC_9797_ALG3(PM).

    Using terminology from [10], keys K and K’ shall be derived by complementing alternate sub-strings of four bits of K1 and K2 respectively, commencing with the four most significant bits.

    8 bytes of output from the MAC calculation shall be used (i.e. m=64 using ISO/IEC 9797 terminology).

  3. Compare PC with DP<17..24>. If identical, proceed to the next step. Otherwise, set the Error Code to ‘Execution Error’ and terminate.
  4. Success. The new PIN is DP<9..16>.

E.2.2.3 3DES EDE CBC with three keys + SHA-1 MDC

This algorithm is identical to the algorithm described in E.6.2.1, except that the 3DES cipher shall be parameterized with three DES keys.

E.2.2.4 3DES EDE CBC with three keys + ISO/IEC 9797 MAC

This algorithm is identical to the algorithm described in E.6.2.2, except that the 3DES cipher shall be parameterized with three DES keys. For the MAC calculation, only K1 and K2 shall be used.