SIM card used as secure storage with AVR

Question

I would like to use a regular SIM card to store an AES key to be used by an AVR micro-controller. I think that a SIM is secure enough (isn't it?).

My problem is that I can find nothing about interfacing a SIM card with Arduino (for prototyping) as secure storage and not as GSM. Do I have to flash a custom OS to the SIM card? Or should I just buy an ordinary smart card and just cut it in SIM card dimensions?

What's wrong with [Atmel's security solutions](http://www.atmel.com/products/security-ics/default.aspx)? — Ignacio Vazquez-Abrams, Jan 04 '15 at 19:01
I took a look at the AES CryptoAuthentication module and it's not for my use. It's regular AES implementation, so to be secure enough it requires a random key, and what I want to do is store somewhere the random key used in my AES application — dzervas, Jan 04 '15 at 20:02
Why not store the key in the AVR? It's probably not 100% secure, but it is no less secure than reading a key from something else over wires that can be snooped. Even if you encrypt the key as it traverses the wire, the key to decrypt that has to be on the AVR and so depend on its security mechanism. — Chris Stratton, Jan 04 '15 at 20:14
There has to be a way of authentication. If I require a PIN, will it be safe. Also the EEPROM is very easily readable, isn't it? — dzervas, Jan 04 '15 at 22:38
Interesting project; I'd start by reading the 3GPP documents which specify the SIM card interface. — pjc50, Jan 05 '15 at 00:00
3gpp is communication standar, not what I'm searching... thanks tho — dzervas, Jan 05 '15 at 01:22
@ChrisStratton: I think everyone agrees that sending a key over a wire is less secure than keeping a key inside a chip. I think you're missing the point that SIM cards are designed to store a unique key that never leaves the SIM card -- the phone passes data to the SIM, the SIM uses its internal key to sign the data, and the SIM card passes the signed data back to the phone. — davidcary, Jun 02 '15 at 17:20
@ChrisStratton: While storing a key in the AVR is a good idea and may be better than a SIM for ttouch's application, it seems likely to me that a typical person writing AVR firmware will have more security bugs in his code than a typical person writing SIM firmware, and therefore key-in-AVR is likely to be less secure than key-in-SIM. — davidcary, Jun 02 '15 at 17:23
@Davidcary - using the SIM as an encryption engine is an interesting idea, though a bit different from the wording of the question. I think my concern would be that while the *key* could conceivably be more secure, any *cleartext* or *message* transmitted to the SIM for encryption or signing can probably be recovered in transit with a $20 logic analyzer, or substituted with a $5 micro controller. The fact that the key may be irretrievable is thus not a lot of benefit, unless your concern is about an attacker who only wants to copy the credentials of a device they will then return. — Chris Stratton, Jun 02 '15 at 17:32

score 2 · Answer 1 · edited Mar 17 '17 at 10:46

literal answer

The "SIM Reader" and a few wires appears to be all the hardware needed to interface a SIM card to an Arduino. There seem to be some Python scripts designed to talk to it over a serial port; perhaps you wouldn't find it too difficult to translate to something (C++) that runs on an Arduino.

Or should I just buy an ordinary smart card ...?

"A SIM card is a smart card." -- Thomas Pornin. "Is there cryptographic material in a phone's SIM card that can be used with RSA encryption?"

Most SIM cards today have "applications" that run on the little CPU in the SIM card stored in the flash of the SIM card. -- "A brief introduction to the SIM-cards"

SIM card used as secure storage with AVR

1 Answers1

literal answer

more general answer