Key Sets
Keysets are collections of encryption keys and algorithms used to authenticate SIM cards and establish secure communication between Mobile Assets and the network. They ensure mutual trust and encrypted interactions, safeguarding the integrity of the system.
This section provides tools to manage Keysets, including adding new Keysets, mapping them to HSS Keyset Identifiers at specific Sites, and applying them during Mobile Asset setup. Proper Keyset management is essential for secure and efficient network operations.
Enable Keyset Authentication
Keyset authentication ensures secure communication and mutual trust between the SIM card and the network. It uses encryption keys and algorithms to verify the authenticity of Mobile Assets. Keysets are collections of encryption keys and algorithms that ensure secure SIM authentication and network integrity.
- Loading Keysets: Performed by the Expeto Site Installer during site setup.
- Adding and Mapping Keysets: Performed by a Network Administrator with Keyset permissions using Expeto xControl. The Site must have Keyset Mapping enabled by the Expeto Site Installer.
- Applying Keysets: Network Administrators assign Keysets when adding Mobile Assets (individually or via Bulk Import).
Note
A Keyset can only be assigned once to a Mobile Asset and cannot be changed.
Add a Keyset
Keysets are essential for enabling encrypted authentication and ensuring secure communication between Mobile Assets and the network. Adding a Keyset creates a reference that can be used during Mobile Asset configuration.
- Navigate to the Keysets section in Expeto xControl. The list of existing Keysets will be displayed.
- Click New to create a new Keyset.
- Enter the following details:
  - Name: Provide a unique name for the Keyset.
  - Customer: Select the Customer that will use this Keyset.
- Click Submit to save the new Keyset.
Once added, the Keyset will appear in the Keyset list and can be used for Mobile Assets at any Site belonging to the selected Customer.
Note
To enable encrypted authentication, the Keyset must be mapped to the HSS Keyset Identifier. See the next section for details.
Map a Keyset
Mapping a Keyset links it to the corresponding HSS Keyset Identifier (KSI) at a specific Site, enabling secure authentication for Mobile Assets. This step is essential to complete the Keyset configuration process.
Note
The Add Mobile Asset permission is required to perform this task. The CUSTOMER_ADMIN role does not include the Add Keyset Mapping permission.
Before You Begin
Ensure the following prerequisites are met:
- Keyset Mapping: Must be enabled for the Site by a Site Installer.
- Keyset Loading: The Site Installer must load the Keyset into the HSS.
- HSS Keyset Identifier: The Site Installer must provide the HSS Keyset Identifier.
To Map a Keyset:
- Navigate to the Sites section in Expeto xControl.
- Select the Site where the Keyset will be mapped.
- In the Keysets section, click Add Keyset Mapping. The New Keyset Mapping panel will appear.
- Enter the HSS Keyset Identifier provided by the Site Installer. This value cannot be selected; it must be provided manually.
- Optionally, enter a description for the Keyset (e.g., Keyset for SIM batch 12).
- Select the Keyset name from the list. If no Keyset names are available, ensure you have added a Keyset.
- Click Submit to save the mapping.
Note
- The same Keyset can be referenced by multiple Sites owned by the same Customer.
- Keysets must be loaded individually into each Site's HSS database.
- The Keyset name must remain consistent across Sites, but the HSS Keyset Identifier may vary depending on how the Keyset was loaded.
Mapping ensures that the Keyset is properly associated with the Site and can be used for Mobile Asset authentication.
Understanding SIM Authentication Security
Ensuring secure communication and trust between the SIM card and the network is critical for mobile asset authentication. This involves mutual authentication, where both the SIM card and the network verify each other’s identity.
Key Security Concerns
- Secret Key Exposure: Preventing unauthorized access to private cryptographic keys.
- Replay Attacks: Protecting against repeated use of intercepted authentication data.
- HSS Spoofing: Ensuring the authenticity of the Home Subscriber Server (HSS).
The Authentication Process
- Mutual Authentication
  - The SIM card and the HSS database validate each other using a shared secret key (K) and an Operator Code (OP), which together generate an OPc value.
  - Authentication also relies on a sequence number that increments with each challenge to prevent replay attacks.
- Encryption and Decryption
  - The referenced Keyset contains private keys and algorithms for encrypting and decrypting authentication data.
  - These keys ensure that sensitive values like K and OPc remain secure and are never exposed publicly.
- Challenge-Response Mechanism
  - The HSS sends an encrypted challenge (AUTN) to the SIM card.
  - The SIM decrypts the challenge using the Keyset and generates a response.
  - The SIM’s response is sent back to the HSS via the MME (Mobility Management Entity).
- Verification
  - The HSS decrypts the response and verifies it against the expected result.
  - If the response matches, the SIM card is authenticated, and the Mobile Asset is allowed to attach to the network.
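A simplified model of the exchange described above, added here as an example and not Expeto or SIM vendor code. HMAC-SHA-256 stands in for the real authentication algorithms and for the OPc derivation, and the class names, message layout and key values are assumptions. It shows the SIM rejecting a replayed challenge and a challenge from a network that does not hold K.

```python
import hashlib, hmac, os

def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # Stand-in keyed function (HMAC-SHA-256), not a real SIM/HSS algorithm.
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:8]

class HSS:
    def __init__(self, k: bytes, op: bytes):
        # Stand-in OPc derivation from K and OP (assumption for this example).
        self.k, self.opc, self.sqn = k, prf(k, b"opc", op), 0

    def challenge(self):
        self.sqn += 1  # sequence number increments with each challenge
        rand, sqn = os.urandom(16), self.sqn.to_bytes(6, "big")
        autn = sqn + prf(self.k, b"mac", self.opc, rand, sqn)  # SQN || MAC
        return rand, autn, prf(self.k, b"res", self.opc, rand)  # XRES kept by HSS

class SIM:
    def __init__(self, k: bytes, op: bytes):
        self.k, self.opc, self.highest_sqn = k, prf(k, b"opc", op), 0

    def respond(self, rand: bytes, autn: bytes) -> bytes:
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, prf(self.k, b"mac", self.opc, rand, sqn)):
            raise ValueError("network authentication failed")  # HSS spoofing
        if int.from_bytes(sqn, "big") <= self.highest_sqn:
            raise ValueError("stale sequence number")  # replayed challenge
        self.highest_sqn = int.from_bytes(sqn, "big")
        return prf(self.k, b"res", self.opc, rand)

def attach(hss: HSS, sim: SIM) -> bool:
    rand, autn, xres = hss.challenge()
    return hmac.compare_digest(sim.respond(rand, autn), xres)

def outcome(sim: SIM, rand: bytes, autn: bytes) -> str:
    try:
        sim.respond(rand, autn)
        return "accepted"
    except ValueError as err:
        return str(err)

def demo():
    k, op = bytes(range(16)), bytes(range(16, 32))  # constructed test values
    hss, sim = HSS(k, op), SIM(k, op)
    rand, autn, _ = hss.challenge()
    genuine = outcome(sim, rand, autn)
    replayed = outcome(sim, rand, autn)  # same challenge presented again
    rogue = HSS(bytes(16), op)  # network that does not hold the SIM's K
    spoofed = outcome(sim, *rogue.challenge()[:2])
    return genuine, replayed, spoofed
```

The SIM checks the network's MAC before the sequence number, so a challenge from a network without K is rejected regardless of its sequence number.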
Key Takeaways
This process ensures that:
- Only trusted SIM cards can connect to the network.
- Sensitive authentication data is encrypted and protected at all times.
- Network integrity is maintained by verifying both the SIM card and the network.
Properly implemented SIM authentication is essential for securing mobile assets and protecting against unauthorized access or attacks.