GSMA Embedded SIM for Internet of Things 02 - eSIM Architecture

for Consumer & M2M Solutions

eSIM is the upfront SIM technology that is deemed to be adopted

globally for long-range and mobile M2M/IoT applications. The
fundamental feature of eSIM technology is remote SIM provisioning.
A complete eSIM ecosystem is all about subscription management
solution. At present, both proprietary and GSMA-compliant
subscription management solutions are under development. The
proprietary systems are developed by major device manufacturers
and mobile network operators. Most of the proprietary solutions are
incompatible with other eSIM solutions. As such subscription
solutions lack interoperability, they operate within closed and
isolated environments.

GSMA-compliant solutions are developed in compliance with GSMA's

Embedded SIM Remote Provisioning Architecture. Supported by
around 800 communication service providers all around the world,
GSMA eSIM subscription solution is sure to facilitate global
connectivity and full interoperability for M2M/IoT devices.

The GSMA-compliant subscription solutions are available as two

separate variants according to the market segment they are
developed for. There are two different eSIM solutions for Machine-
to-Machine communication and consumer devices. The M2M
segment includes industrial IoT devices like sensors, trackers, cellular
modules, meters and other industrial non-end-user devices. The
M2M solution is based on GSMA's M2M dedicated specifications -
SGP.01, SGP.02 and SGP.11. Consumer segment includes consumer
electronics devices like smartphones, wearables, laptops and tablets.
The consumer solution is based on GSMA's consumer dedicated
technical specifications - SGP.21, SGP.22 and SGP.23.
Both variants have different backend infrastructure platforms. The
M2M solution has Subscription Manager - Data Preparation (SM-DP,
which acts on behalf of Mobile Network Operator) and Subscription
Manager - Secure Routing (SM-SR) as the backend infrastructure
platforms. These platforms coordinate with eUICC manufacturer,
certificate issuer and mobile network operator to provide remote
SIM provisioning.

The consumer solution has Subscription Manager - Data Preparation

& Secure Routing (SM-DP+) and Subscription Manager - Discovery
Service (SM-DS) as the backend infrastructure platforms. These
backend platforms coordinate with eUICC manufacturer, certificate
issuer, mobile network operator and the end user to provide remote
SIM provisioning where the Local Profile Assistant (LPA) may be
integrated in the consumer device or the eUICC itself.

In both solutions, backend infrastructure platforms have different

roles and eSIM is configured differently to cater the target solution.
The M2M solution is server-driven and is based on Push-Model. This
means that in M2M solution, the eSIM profiles are managed by
backend SM-DP/SM-SR servers for any subscription management
operations. The consumer solution is client-driven and is based on
Pull-Model. This means that Local Profile Assistant (LPA) integrated
in the consumer device or the eUICC manages eSIM profiles for any
subscription management operations.

eSIM Architecture for M2M solutions -

For M2M solutions, GSMA has specified remote SIM provisioning
architecture as illustrated in the diagram below -
Let us discuss about different entities and their roles in this
architecture -

1. eUICC manufacturer :- The eUICC manufacturer (EUM) provides

the eUICC that contain provisioning profile and/or one/more
operational profiles. The eUICCs are delivered to M2M device
manufacturer. The eUICC manufacturer is responsible for initial
cryptographic configuration and security architecture of the eUICC. It
is the eUICC manufacturer that has to provide services, tools and
documentation to SM-DP for creating un-personalized profile for
eUICC. EUM does not create un-personalized profile on behalf of SM-
DP. EUM is also responsible for forwarding platform management
credentials associated with each eUICC to the SM-SR. EUM also need
to issue eUICC certificate for eUICC authentication and certification
to other entities, authenticated keyset establishment between eUICC
and SM-DP, and authenticated keyset establishment between eUICC
and SM-SR.
2. Machine-to-Machine Device Manufacturer :- The M2M device
manufacturer builds M2M/IoT device which comprises of eUICC and
communication module. eUICC must have a default provisioning
profile and/or operational profile that must be as per the agreement
with respective Mobile Network Operator (MNO/CSP).

3. Mobile Network Operator (MNO) :- Mobile Network Operator

(MNO/CSP) provides mobile network connectivity. It has to select at-
least one SM-DP and have direct interface to SM-SR. When customer
selects MNO, it initiates download of a particular provisioning profile
to the target eUICC. On the request of download, MNO checks and
validates certification and capabilities of the target eUICC. Once the
download and installation of provisioning/operational profile is
complete, eUICC sends a confirmation to MNO and MNO is able to
manage the enabled profile on the target eUICC over the air (OTA).
MNO is able to provide only limited service to the M2M/IoT device as
per the respective provisioning profile.

4. MNO Customer :- MNO customer is the contract partner with

MNO for subscription. It may not be the end-user. The customer uses
M2M device equipped with eUICC from the device manufacturer and
the profile subscription from the MNO. It is the MNO customer that
is responsible for identification of M2M device and the identification
of eUICC.

5. End-User : - End-user is the one who ultimately uses the M2M/IoT

device and the services related to the enabled (eSIM) profile. End-
user can be the MNO customer itself. Therefore, end-user either
directly relates MNO or relates to a MNO customer.

6. SM-DP : - SM-DP acts on behalf of MNO. It receives a profile

description from MNO and creates un-personalized provisioning
profile for eUICC accordingly. For creating profile for eUICC, SM-DP
has to utilize tools provided by EUM. The tools and documentation
exchanged between SM-DP and EUM are not standardized and may
differ between different entities. SM-DP also builds personalized
profiles for the target eUICC and generates personalization data (like
network access credentials) based on data input from MNO. It is also
responsible for installing personalised profile on eSIM through SM-
SR. The SM-DP must be at least GSMA SAS certified. SM-DP provides
secure and authenticated channel to eUICC to download and install
profiles to eUICC. On the behalf of MNO, it is SM-DP that is
responsible for managing profile enabling and deletion requests from
eUICC through SM-SR.

7. SM-SR :- SM-SR is responsible for establishing secure and

authenticated transport channel to the eUICC to manage the eUICC
platform. SM-SR receives platform management credentials from
EUM or previous SM-SR. Only one SM-SR can be associated with a
eUICC at a point in time, however SM-SR can be changed during life-
time of the eSIM. It loads, enables, disables and deletes Profiles on
the eUICC according MNO's policy rules.

8. Certificate Issuer - It is a trusted third-party that provides

certificates for the EUM, SM-DP, SM-SR and MNO. It is responsible
for the authentication of entities (EUM, SM-DP-MNO, SM-SR) in the
eSIM ecosystem.

9. Initiator - Initiator can be any entity (EUM, SM-DP, SM-SR, MNO)

that initiates a procedure (related to Remote SIM provisioning) in the
eSIM ecosystem. It be any entity, it is authorized and authenticated
by SM-SR at any time.

eSIM Hardware and Working -

eSIM is basically smart card based on GlobalPlatform Card
Specifications (GPCS). It is manufactured as per standardized ETSI
form factors (2FF, 3FF, 4FF, MFF2). It is loaded with a SIM operating
system and other software components like security domains and
MNO enabled profiles. Within an M2M/IoT device, eSIM has a
terminal interface that may be compliant with class A, class B or class
C operating conditions. In class A, eUICC has terminals (contact pins)
for supply voltage (contact C1), reset (contact C2), programming
voltage (Contact C6), clock (Contact C3) and I/O (Contact C7). In class
B and class C, eUICC has terminals (contact pins) for supply voltage
(contact C1), reset (contact C2), clock (Contact C3) and I/O (Contact
C7). For example, the following diagram show terminals of an eSIM
in MFF2 form factor -

The SIM exchanges commands with the IoT/M2M device controller

to manage various subscription and services related functions. The
commands can be associated with implementation of various
transmission protocols, management of application and file
structure, and implementation of different security features. The
structure of commands and responses is determined by the ETSI
specifications (TS 102 221).

eSIM Card Architecture for M2M Solutions -

eSIM designed for M2M solutions have separate card architecture.
By card architecture refers to the software architecture of the eUICC
smart card. The following diagram shows eSIM card architecture for
M2M solutions -

The eUICC is loaded with a eUICC operating system (SIM operating

system) that supports all features defined in the GlobalPlatform Card
Specifications (GPCS). As a SIM operating system, it includes telecom
framework, platform service manager and policy rules enforcer. The
OS is responsible to manage security domains and MNO enabled
Profiles (Provisioning/Operational profiles).

Security domains are on-card representatives of off-card entities that

provide secure storage for cryptographic keys, security services for
applications, mechanism for loading applications, and access for off-
card entities (SM-DP, SM-SR, MNO) using secure channel protocols.
security domains define properties that let security domain
represent entities (SM-DP, SM-SR, MNO) for various roles in remote
SIM provisioning architecture.

ECASD (eUICC Certificate Authority Security Domain) is created with

eUICC at the time of its manufacture by EUM. It cannot be deleted or
disabled after delivery to M2M device manufacturer. This security
domain contains non-modifiable eUICC private key, root public keys,
associates certificates and EUM keyset for key/certificate renewal. It
is also required for establishment of new keysets in the ISD-P(s) and
ISD-R.

Issuer Security Domain - Root (ISD-R) is on-card representative of

SM-SR and it is responsible for execution of Platform Management
commands. ISD-R is also created within eUICC at the time of
manufacture and is associated to a default SM-SR. It cannot be
deleted or disabled. It provides secure OTA channel to SM-SR
according to Platform Management Credentials (SCP80, SCP81 under
GPCS). It also implement a key establishment protocol to change SM-
SR.

MNO enabled profile that is responsible for subscription provisioning

and management includes ISD-P security domain, MNO-SD security
domain and various applications like file-system, NAA(s), CASD, SSD,
Policy Rules and SIM Applets.

Issuer Security Domain - Profile (ISD-P) is the on-card representative

of MNO or SM-DP delegated by the MNO. It is a separate and
independent entity of eUICC. It contains a Profile that includes file
system, Network Access Applications (NAAs), and Policy Rules. This
security domain contains a state machine for creating, enabling and
disabling Profiles, keys for Profile management, key establishment
protocol for personalisation of ISD-P.

MNO-SD is on-card representative of the MNO. It contains MNO OTA

keys and provide secure OTA channel with mobile network operator
(MNO/CSP). Once a provisioning profile from a MNO/CSP is installed
on eUICC, ISD-P and the Profile work in union.

eUICC contains two MNO profiles of which one is enabled while

other remains disabled. At a time only one MNO Profile can operate
and manage services according to the contract and subscription with
a communication service provider (MNO/CSP).

How eSIM works in M2M devices -

eSIM/eUICC comes loaded with SIM operating system, ECASD and
ISD-R at the time of manufacture from EUM. The eUICCs are
delivered to IoT/M2M device manufacturers. IoT/M2M device
manufacturer contracts with a MNO and loads a default MNO Profile
to the eUICC. The profile can be changed anytime in the lifetime of
eUICC by changing contract and subscription to a different MNO.
When the IoT/M2M device is bootstrapped, it connects with default
SM-DP/SM-SR servers and initiates subscribed services. Once the
MNO Profile is downloaded and installed, it manages various services
and applications accordingly. As M2M solutions are based on Push
Model, all management operations on eUICC are handled by the SM-
DP and SM-SR servers.

While SIM operating system contain all essential functionalities and

services, IoT/M2M developers can design various SIM applets to
enable different M2M-solution specific services and applications.
These SIM apps (SIM applets) can be designed for value-added
services like SIM health reporting, geofancing, quality of service
reporting, mobile banking, TLS authentication etc. SIM apps are
based on Java Card, which is a subset of Java language. The SIM
operating system itself is an applet written in Java Card.

Meta Tags
Title: Embedded SIM Architecture for M2M solutions
Post-Heading: GSMA Embedded SIM for Internet of Things 02 - eSIM
Architecture for Consumer & M2M Solution
Permalink: eSIM-embedded-SIM-Architecture-M2M-solutions

Meta Keywords
eSIM, embedded SIM, eSIM IoT, embedded SIMM for IoT, Internet of
Things, eSIM architecture M2M solutions, GSMA-compliant
subscription solutions, eSIM Architecture for M2M solutions, SM-DP,
SM-SR, eSIM hardware, eSIM hardware specifications, ETSI
embedded SIM specifications, eSIM card architecture, eSIM card
architecture for M2M Solutions, SIM operating system, ECASD, ISD-R,
ISD-P, MNO Profiles, GPCS Security Profiles, SIM Profiles, eSIM MNO
profile, SIM applets, Java Card, How eSIM operates, How eSIM
works, How eSIM works in M2M solutions

Meta Description
Learn about eSIM architecture for M2M-IoT solutions, eSIM
hardware specifications and eSIM card architecture.

Meta Abstract
What is eSIM architecture for Remote SIM provisioning in M2M-IoT
solutions.

Links
Anchor text : eSIM
Link: 1st article on eSIM

Image-Tags
TCH02-01:
File-Name: eSIM-M2M-Architecture
Alt: Embedded SIM Architecture for M2M-IoT solutions
Caption: Embedded SIM Architecture for M2M-IoT solutions;
Courtesy - GSMA Specifications

TCH02-02:
File-Name: MFF2-SIM-Form-Factor
Alt: eUICC Terminals in MFF2 Form Factor
Caption: eUICC Terminals (Contact Pins) in MFF2 Form Factor
Courtesy - ETSI Specifications

TCH02-03:
File-Name: eSIM-Card Architecture-M2M
Alt: eSIM Card Architecture for M2M Solutions
Caption: eSIM Card Architecture for M2M Solutions; Courtesy -
GSMA Specifications