Today I spent some time investigating the cheap
16-in-1 SIM cards on which
we can set our own Ki. This means that those cards can be used for
cryptographic authentication with OpenBSC. Finally, we will have not only
IMSI-based identification, but actual authentication!
I tested some of those last weekend and when I verified they work, I ordered a
100 bulk pack so that if anyone is interested I could re-distribute
them at events and such.
(They're the bare cards, no reader included; I mostly wanted 10 or so
for myself to put in each of the test phones I use and didn't want to
pay for useless readers ...)
I've created a page in the Wiki about those
cards:
http://openbsc.gnumonks.org/trac/wiki/MagicSIM
I have two models:
- SuperSim 16-in-1
- Magic SIM 6-in-1
But it's weird, I didn't program them using the same EF/DF ... Me, I
just have an EF 3f00 / 000c that contains all the data, and not in the
same format.
Using this information, I could send the RUN GSM
ALGORITHM APDU to the card and
retrieve SRES + Kc. The result matched what I can also obtain using the
COMP128v1 code from
http://www.scard.org/gsm/a3a8.txt
Beware that in this code, the test software (main function) swapped Ki and RAND.
By the way: It would really be great if somebody could
hack up a small command
line program that can be used to program the Operator Name, Ki, ICCID, IMSI and
preferred PLMN into the 16-in-1 SIM.
I've written something like that but it's for the card model I have:
http://www.246tnt.com/files/pySim.py
It's not command line; I executed the function "format_sim" from an
interactive python shell. I just wanted something easy where I could
send manual commands and quickly format a bunch of cards.
I'll see if I can make it easier and adapt it to support both card models.
Sylvain
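The RUN GSM ALGORITHM exchange mentioned above, as an added example that is not part of the original post or of pySim.py: it builds the GSM 11.11 APDUs, drives the two-step RUN GSM ALGORITHM / GET RESPONSE sequence, splits the 12-byte result into SRES and Kc, and checks whether Kc has the shape COMP128v1 produces (10 low bits forced to zero). The card is replaced by a constructed `fake_transmit` stub with made-up values so the code runs offline; a real reader would supply an equivalent `transmit` callable.

```python
# Added example, not from the post or pySim.py. Builds the GSM 11.11
# RUN GSM ALGORITHM exchange and splits the 12-byte result into SRES/Kc.
# The card transport is simulated with a constructed stub, so it runs offline.

RUN_GSM_ALGORITHM = (0xA0, 0x88, 0x00, 0x00)  # CLA INS P1 P2 per GSM 11.11
GET_RESPONSE = (0xA0, 0xC0, 0x00, 0x00)

def build_run_gsm_algorithm(rand: bytes) -> bytes:
    """APDU carrying the 16-byte RAND to the SIM (DF_GSM must be selected)."""
    if len(rand) != 16:
        raise ValueError("RAND must be exactly 16 bytes")
    return bytes(RUN_GSM_ALGORITHM) + bytes([len(rand)]) + rand

def build_get_response(length: int) -> bytes:
    """GET RESPONSE APDU used to fetch the result after a 9F xx status word."""
    return bytes(GET_RESPONSE) + bytes([length])

def parse_auth_response(data: bytes) -> tuple:
    """Split the 12-byte SIM response into SRES (4 bytes) and Kc (8 bytes)."""
    if len(data) != 12:
        raise ValueError(f"expected 12 bytes (SRES || Kc), got {len(data)}")
    return data[:4], data[4:]

def kc_has_comp128v1_shape(kc: bytes) -> bool:
    """COMP128v1 forces the 10 least significant bits of Kc to zero."""
    return int.from_bytes(kc, "big") & 0x3FF == 0

def run_authentication(transmit, rand: bytes) -> tuple:
    """Drive the two-step exchange; `transmit(apdu)` returns (data, sw1, sw2)."""
    data, sw1, sw2 = transmit(build_run_gsm_algorithm(rand))
    if sw1 == 0x9F:                      # result waiting, fetch sw2 bytes
        data, sw1, sw2 = transmit(build_get_response(sw2))
    if (sw1, sw2) != (0x90, 0x00):
        raise RuntimeError(f"card returned SW {sw1:02X}{sw2:02X}")
    return parse_auth_response(data)

# Constructed stand-in for a card reader: the values are made up for the
# demo and are not output from a real SIM.
FAKE_SRES = bytes.fromhex("a1b2c3d4")
FAKE_KC = bytes.fromhex("0123456789abc400")    # low 10 bits zero, COMP128v1-like

def fake_transmit(apdu: bytes):
    if apdu[:4] == bytes(RUN_GSM_ALGORITHM) and apdu[4] == 0x10:
        return b"", 0x9F, 0x0C                 # 12 bytes ready for GET RESPONSE
    if apdu[:4] == bytes(GET_RESPONSE) and apdu[4] == 0x0C:
        return FAKE_SRES + FAKE_KC, 0x90, 0x00
    return b"", 0x6D, 0x00                     # INS not supported

if __name__ == "__main__":
    sres, kc = run_authentication(fake_transmit, bytes(range(16)))
    print("SRES", sres.hex(), "Kc", kc.hex(), "COMP128v1 shape:", kc_has_comp128v1_shape(kc))
```

Comparing the SRES/Kc returned by the card against a local A3/A8 run of the same RAND and Ki is the check the post describes; if the Kc check above fails, the card is not running COMP128v1.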