Interface and security of graphical interface card based on SCWS technology

Publisher: EtherealLight | Latest update: 2010-07-11 | Source: 维库开发网 | Keywords: SCWS

1 Introduction

With the arrival of the 3G era in mobile communications, the three major telecom operators have launched new 3G services one after another; among these, value-added services are expected to replace voice services as the operators' main source of income. To exploit the advantages of 3G networks with marketing methods different from those of the 2G era, the three operators have adopted multimedia technology as their main means of promotion, so that users learn about and use the new 3G services.

Graphical interface SIM cards differ from the original cards, which relied on SMS technology alone [1]: they let users access the data stored on the SIM card through the browser on their mobile phone, discovering and selecting the operator's data services. At the same time, operators can use a background server to update those data services promptly, and can segment user groups to deliver personalized service promotion and experience. Graphical interface SIM cards use SCWS (Smart Card Web Server) technology to combine the Internet, the mobile network, and the mobile server platform. Relying on the data transmission speed of the 3G network, various applications are placed on the SIM card; users only need to replace the SIM card in their phone to use these applications, which lets operators take the initiative in promoting new value-added services. This article introduces the system application environment, interface technology, and security protocol of the graphical interface SIM card based on SCWS technology.

2 Graphical interface card

Early mobile phone SIM cards served mainly as carriers of personal identity authentication and identification information. With the rapid development of chip technology and mobile technology, SIM cards have increasingly become carriers of mobile services such as value-added services and e-commerce. Currently, operators embed local services such as brand services, enhanced address books, maps, and directories in existing SIM cards and update them over SMS, but the visibility and speed of this approach are not satisfactory.

The graphical interface SIM card lets users browse the music, ringtones, videos, and other content pre-stored on the card in a graphical way using the phone's browser, try out the data services of interest in the offline media library, and be guided to select and purchase a service. Operators can segment user groups according to the state of their business promotion and update the offline media library in the card promptly, so that new services are promoted quickly and digital service revenue increases.

3 System Application Environment

The graphical interface SIM card system application environment [2] is shown in Figure 1.

1) Remote management server: an OTA (Over-The-Air) server in the SCWS architecture, used for timely updating, management, and statistics of the content on the SIM card;

2) Mobile terminals supporting SCWS: provide the communication between the mobile terminal and the SIM card, enabling the terminal to access the contents of the card, and implement all the mandatory functions of the SCWS Gateway software in the OMA-SMART_Card_Web_Server-V1_0-20080421-A [2] specification; as the specification requires, the terminal exposes TCP ports 3516 (HTTP) and 4116 (HTTPS) and acts as a proxy through which the SCWS card is reached as an HTTP server;

3) Graphical interface SIM card: carries the pre-installed SCWS application defined by the Open Mobile Alliance (OMA), an HTTP/1.1 web server located on the SIM card that provides static content (xHTML and related files) and dynamic content (generated by servlets) to the HTTP client software of the mobile terminal. This realizes communication between the mobile terminal and the graphical interface SIM card over a logically separate channel, without depending on the existing telecommunications channel; at the same time, it allows the Full Admin Protocol defined by OMA to manage the content of the card.

There are two types of SCWS working modes, namely server mode and client mode:

1) Server mode: when the terminal browser browses the graphical interface SIM card locally, SCWS is in BIP (Bearer Independent Protocol) server mode. Through the BIP protocol, the mobile terminal allows transparent data transmission between the graphical interface SIM card and the remote server, which suits the transmission of high-speed mobile data services. In this mode, SCWS provides static content (xHTML and related files) and dynamic content (generated by servlets) to the mobile browser. A servlet is a standard Java Card applet that lets the graphical interface SIM card provide services such as usage tracking, advertising banner management, and dynamic page generation;

2) Client mode: when the operator/service provider updates the graphical interface SIM card through the remote server, SCWS is in BIP client mode, and the mobile operator can regularly update the localized content of the SIM card. The mobile terminal user can also actively initiate an update request to the server to obtain data from it; in that case SCWS likewise works in client mode.

4 System communication interface

In the application environment of this system there are two kinds of communication: between the graphical interface SIM card and the remote management server, and between the graphical interface SIM card and the mobile terminal [3].

4.1 Graphical interface SIM card and remote management server communication interface

This is the communication interface between SCWS and the remote management server, used to manage SCWS content or update the SCWS configuration. It uses the HTTP protocol in BIP client mode and follows the Full Admin Protocol defined by OMA to open the channel between SCWS and the remote management server. It can also use the secure channel defined by HTTPS.

4.2 Graphical interface SIM card and mobile terminal communication interface

This is the communication interface between SCWS and the mobile terminal, used for local browsing of the graphical interface SIM card by the terminal's browser. It uses the HTTP protocol in BIP server mode.

The interface between SCWS and mobile terminals runs on a logically independent communication channel that is independent of the telecommunications channel, allowing mobile applications to communicate with the SCWS deployed by the operator in the smart card.

SCWS communicates with mobile terminals using HTTP protocol. Mobile terminal browsers do not need any additional functions to present SCWS content. Applications on mobile terminals can connect to SCWS via IP addresses. SCWS adopts an open architecture, allowing the selection of multiple "smart card-mobile phone" protocols as local bearers for transmitting HTTP requests and responses. SCWS responds to HTTP requests from HTTP applications (such as browsers) built into mobile terminals.

Mobile terminals access SCWS through a built-in gateway, which converts TCP/IP into the local transmission protocol between the mobile terminal and the smart card. HTTP requests and responses are carried directly to SCWS over that local protocol. The local access URL passed from the terminal to SCWS is assigned two TCP ports: HTTP port 3516 and HTTPS port 4116.

SCWS uses one of two protocols to communicate with HTTP applications on the mobile phone: BIP server mode, or the TCP/IP transport protocol.

1) BIP server mode: if the smart card has no IP address of its own and does not directly support TCP/IP, the BIP gateway in the terminal acts as a protocol converter. TCP/IP is used between the HTTP application in the terminal and the BIP gateway; the BIP protocol is used between the BIP gateway and the smart card.

HTTP applications (such as browsers) in the mobile phone address the BIP gateway through the loopback IP address. The BIP gateway and SCWS must open two ports: one for plain HTTP requests from the phone's HTTP applications, and one for HTTP over TLS (HTTPS) requests. Once an HTTP application in the phone has connected to SCWS via the BIP gateway and started exchanging data, SCWS can open another BIP channel (using the Open Channel command) so that other HTTP applications in the phone can connect to SCWS, allowing several applications to be connected at the same time.

2) TCP/IP transport protocol: if the smart card has its own IP address and directly supports TCP/IP, and the mobile terminal supports direct IP access to the smart card, TCP/IP is the preferred protocol between the HTTP application on the phone and the SCWS on the card.

A pair of preset ports is used: the default port 80 for HTTP and port 443 for HTTPS. In this case the HTTP application in the terminal communicates directly with SCWS without relying on the phone's built-in BIP gateway, and SCWS answers the phone's HTTP and HTTP over TLS requests on the default port and the secure port respectively.
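To make the BIP server mode path above concrete, here is an added example (not code from the article, the OMA specification, or any card vendor) that models it in Python: a gateway thread listens on the terminal's loopback interface, takes each TCP connection from an HTTP application, and hands the raw HTTP/1.1 request bytes to an in-process function standing in for the card's web server, which serves constructed xHTML content. The demo binds an ephemeral port rather than the specified 3516 so that it cannot collide with a real gateway on the machine; the port constants are kept only for reference.

```python
"""Model of the terminal-side BIP gateway relaying HTTP to the card's web server.
Added example; the card content and gateway behaviour are constructed, not OMA code."""
import http.client
import socket
import threading

# Loopback ports the specification assigns to the gateway (from the article).
SCWS_HTTP_PORT = 3516
SCWS_HTTPS_PORT = 4116

# Constructed static content standing in for files stored on the SIM card.
CARD_FILES = {
    "/index.xhtml": b"<html><body><h1>Operator portal</h1></body></html>",
}


def card_handle(request: bytes) -> bytes:
    """Answer one HTTP/1.1 request the way the card's static server would (simplified)."""
    try:
        request_line = request.split(b"\r\n", 1)[0].decode("ascii")
        method, path, _version = request_line.split(" ")
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
    body = CARD_FILES.get(path)
    if method != "GET" or body is None:
        return b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
    head = ("HTTP/1.1 200 OK\r\nContent-Type: application/xhtml+xml\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n").encode("ascii")
    return head + body


class BipGateway:
    """TCP listener on 127.0.0.1 that plays the BIP gateway: TCP on the phone side,
    a direct hand-off (the 'BIP channel') on the card side."""

    def __init__(self, port=0):           # 0 = ephemeral port for the demo
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:               # listener closed: stop serving
                return
            # One thread per connection, mirroring one BIP channel per application.
            threading.Thread(target=self._relay, args=(conn,), daemon=True).start()

    def _relay(self, conn):
        with conn:
            data = b""
            while b"\r\n\r\n" not in data:   # read until the end of the request headers
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            conn.sendall(card_handle(data))  # forward to the card, return its answer

    def close(self):
        self.sock.close()


def fetch_from_card(port, path):
    """An HTTP application on the phone: plain HTTP to the loopback gateway."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def demo(path="/index.xhtml"):
    """Start a gateway, fetch one card page through it, and return (status, body)."""
    gw = BipGateway()
    try:
        return fetch_from_card(gw.port, path)
    finally:
        gw.close()


if __name__ == "__main__":
    print(demo())
```

The point to notice is that nothing on the card side ever sees an IP packet: the gateway terminates TCP on the loopback interface and passes only HTTP bytes onward, which is what allows a card without an IP stack to be reached through an ordinary browser URL.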

5 Security Protocol

To secure transmission, Transport Layer Security (TLS) provides both communicating parties with a reliable transport mechanism that guarantees the privacy and integrity of the data. One-way or two-way authentication can be used as required. TLS works in a client-server mode: the end that initiates the handshake is the client and the end that responds is the server. In most cases the TLS client uses a public key certificate to authenticate the server, while two-way authentication can use either public key certificates or the pre-shared key (PSK-TLS) method.

When SCWS acts as a local HTTPS server, it must be able to implement HTTP over TLS with public keys, or alternatively implement HTTP over TLS with PSK-TLS.

1) HTTP over TLS using PSK-TLS

PSK-TLS is used when a symmetric key is shared between SCWS and the connecting host (such as the remote management server).

SCWS must support the following cipher suites:

TLS_PSK_WITH_3DES_EDE_CBC_SHA [PSK-TLS]

TLS_PSK_WITH_AES_128_CBC_SHA [PSK-TLS]

2) Public key pair and device certificate

SCWS should be able to use a public key pair and store it in a secure area. Whether these keys may be used only for TLS or also for card application authentication is determined by the card issuer's internal security policy. SCWS should also embed a device certificate for the public key, provided by the card issuer and signed by an authoritative issuer.

The public key pair and device certificate should be used for server authentication in TLS (such as TLS secondary authentication). If SCWS uses a public key pair and device certificate, it must support all of the following cipher suites:

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

SCWS MUST support server authentication using TLS 1.0 and SHOULD be able to use WAP profiled X.509 server certificates [WAPCert].

3) Support for TLS extensions

If SCWS must use a smaller maximum fragment length because of capacity constraints or bandwidth limitations, the max_fragment_length extension allows the following defined fragment lengths (the default is 2^14):

2^9 (1), 2^10 (2), 2^11 (3), 2^12 (4), (255)

The card management agent may use the maximum fragment length negotiation defined in [RFC3546], and the management server must support it. Likewise, the HTTP client connected to SCWS may use the negotiation defined in [RFC3546], and SCWS must support it, down to the smallest negotiable maximum fragment length of 512 bytes. If the client does not negotiate a value, SCWS uses the predefined 16 KB TLS fragment length.

4) Session resumption

SCWS should support the session resumption defined by TLS and be able to use longer session lifetimes (such as 12 hours). The resumption procedure should follow the relevant definitions in TLS 1.0.
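The rules in items 1) to 4) above describe, from the card's point of view, what to accept and what to refuse in a ClientHello. The following added example (written for this page, not OMA or card-vendor code) models that server-side decision in Python: cipher suite selection restricted to the mandated PSK and RSA suites (RSA only when the card holds a key pair and device certificate), parsing of the RFC 3546 max_fragment_length extension with the 2^14 default and rejection of undefined codes such as 255, and a session cache with the 12-hour lifetime. The IANA suite code points are real; the ClientHello fragments in the test are constructed, and `server_hello` returns an `alert` entry instead of raising so a caller can log refusals.

```python
"""Server-side model of the SCWS TLS negotiation rules described in the text.
Added example, not OMA or card-vendor code; ClientHello inputs are constructed."""
import secrets
import time

# IANA code points of the cipher suites the text requires SCWS to support.
PSK_SUITES = {0x008B: "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
              0x008C: "TLS_PSK_WITH_AES_128_CBC_SHA"}
RSA_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
              0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

# RFC 3546 max_fragment_length codes and the fragment sizes they denote.
FRAGMENT_CODES = {1: 2**9, 2: 2**10, 3: 2**11, 4: 2**12}
DEFAULT_FRAGMENT = 2**14          # used when the client does not negotiate
EXT_MAX_FRAGMENT_LENGTH = 0x0001  # extension type number assigned by RFC 3546
SESSION_LIFETIME = 12 * 3600      # the 12-hour session period the text mentions


class Alert(Exception):
    """Stands in for a fatal TLS alert sent by the server."""


def select_cipher_suite(offered, has_device_cert):
    """Return the first suite the client offers that SCWS can serve. PSK suites
    need only the shared key; RSA suites also need the card's key pair and
    device certificate, so they are offered only when the card has one."""
    supported = dict(PSK_SUITES)
    if has_device_cert:
        supported.update(RSA_SUITES)
    for code in offered:
        if code in supported:
            return supported[code]
    raise Alert("handshake_failure")


def parse_extensions(blob):
    """Split a ClientHello extensions block (type:2, length:2, data) into a dict."""
    exts, pos = {}, 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise Alert("decode_error")
        etype = int.from_bytes(blob[pos:pos + 2], "big")
        elen = int.from_bytes(blob[pos + 2:pos + 4], "big")
        data = blob[pos + 4:pos + 4 + elen]
        if len(data) != elen:
            raise Alert("decode_error")
        exts[etype] = data
        pos += 4 + elen
    return exts


def negotiate_fragment_length(exts):
    """Absent -> 2^14; codes 1..4 -> 512..4096 bytes; any other value, including
    the reserved 255, is refused with illegal_parameter as RFC 3546 requires."""
    data = exts.get(EXT_MAX_FRAGMENT_LENGTH)
    if data is None:
        return DEFAULT_FRAGMENT
    if len(data) != 1 or data[0] not in FRAGMENT_CODES:
        raise Alert("illegal_parameter")
    return FRAGMENT_CODES[data[0]]


class SessionCache:
    """Session-ID cache with a bounded lifetime; the clock is injectable for tests."""

    def __init__(self, lifetime=SESSION_LIFETIME, clock=time.time):
        self.lifetime, self.clock, self._store = lifetime, clock, {}

    def store(self, session_id, suite):
        self._store[session_id] = (suite, self.clock())

    def lookup(self, session_id):
        entry = self._store.get(session_id)
        if entry is None:
            return None
        suite, created = entry
        if self.clock() - created > self.lifetime:
            del self._store[session_id]   # expired: force a full handshake
            return None
        return suite


def server_hello(offered, ext_blob, has_device_cert, cache, session_id=b""):
    """Decide the card's answer to a ClientHello. Returns a dict describing the
    ServerHello, or {'alert': ...} when the handshake must be refused."""
    try:
        frag = negotiate_fragment_length(parse_extensions(ext_blob))
        suite = cache.lookup(session_id) if session_id else None
        resumed = suite is not None
        if not resumed:
            suite = select_cipher_suite(offered, has_device_cert)
            session_id = secrets.token_bytes(32)   # fresh ID for a full handshake
            cache.store(session_id, suite)
        return {"suite": suite, "fragment": frag, "resumed": resumed,
                "session_id": session_id}
    except Alert as exc:
        return {"alert": str(exc)}
```

Two details are worth keeping when adapting this to a real implementation: the extension is validated before the session cache is consulted, so a malformed ClientHello cannot ride on an existing session, and an expired entry is deleted on lookup rather than left in place, which keeps the 12-hour bound meaningful on a card with little memory.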

6 Conclusion

Graphical interface SIM card technology breaks through the limitation that SIM cards can only support SMS services. Introducing a graphical interface into the SIM card supports the promotion of GPRS, EDGE, and UMTS data services in a way that does not require a network connection, so users can browse even in areas without coverage and without incurring any fees. At the same time, operators can customize SIM cards on demand and update the content of the smart card web server (SCWS) promptly. The card can track and count user behavior and send it to the server at regular intervals for statistical analysis, allowing business promotion strategies to be adjusted in real time. This gives operators a controllable platform for showcasing their best services and solutions and promotes the rapid development of 3G services.
