[guardian-dev] "securely" stored on the SIM

Aaron Lux a at AaronLux.com
Tue Mar 11 17:39:08 EDT 2014


I saw this about the Vodafone Secure SIM and it's cool because Vodafone
is enabling encryption by default. Saying the digital private key and
corresponding certificates are "securely" stored on the SIM doesn't make
sense to me. SIM storage capacity is limited and keys are likely small
enough to be vulnerable to brute force attacks. What I would have said
in this press release is "Vodafone Germany rolls out SIM Card-based
end-to-end Encryption so customers can communicate securely as long as
they don't piss off anybody who downloads John the Ripper".
A


G&D Supplies Vodafone Germany with SIM Card-Based System for Mobile
Communication Encryption

Munich, March 9, 2014 – Vodafone Germany is the first telecommunications
group to offer its corporate and public sector customers SIM card based
end-to-end encryption for their mobile communication. Giesecke &
Devrient (G&D), an international leader in mobile security solutions,
developed the product in collaboration with Düsseldorf-based network
operator Vodafone. Secure SIM Data encrypts and signs emails, documents,
data carriers, and VPN connections. This is the second product for
securing mobile communication that Vodafone has brought out in
collaboration with its security partner G&D. The existing solution has
been providing Vodafone customers with secure login access to corporate
networks and the data cloud for some time now – there, too, G&D’s latest
SIM technology provided the key.

As mobile working becomes more common, companies are increasingly forced
to find more effective ways to protect sensitive data. Solutions are
called for that can be implemented on different devices simply and
flexibly. Vodafone is now offering a standardized, flexible and above
all cost-efficient product for daily use that is based on G&D technology.

“We created Vodafone Secure SIM Data as a simple, cost-efficient and
above all secure value-added service based on the Vodafone SIM card for
the telecommunications group’s corporate customers. It regulates access
to sensitive data while also protecting mobile data communication
effectively against attack,” says Carsten Ahrens, Group Senior Vice
President, Server Software and Services (3S) division.

Unlike the majority of products that are already available, this
solution does not require users to possess separate smartcards or
security tokens. The digital private key and corresponding certificates
are securely stored on the SIM in the user’s notebook or tablet,
eliminating the need for additional hardware such as card readers etc.
Vodafone is presenting the solution for the first time at this year’s
CeBIT trade show in Hannover, where it will be demonstrated using a
Windows 8-based standard Lenovo notebook.

Secure SIM Data encrypts emails and documents in such a way that they
are unreadable to unauthorized third parties. The customer simply enters
a PIN in order to encrypt and add a signature as well as to decrypt
their communication. The solution uses the widespread S/MIME encryption
program for email exchanges, and in the future, encryption via PGP will
also be possible. Users also have the option to authenticate emails in
order to verify origins and that email content remains unaltered.

Besides electronic data traffic, the solution can also be used to
encrypt storage media such as USB sticks or hard drives. This ensures,
for instance, that a sales representative’s confidential contract
paperwork remains protected against unauthorized access even in the
event of theft or loss of the notebook.

