YD/T 4513-2023
Technical requirements for security capabilities of embedded universal integrated circuit cards (eUICC) for consumer electronic devices (English Version)

Standard No.: YD/T 4513-2023
Language: Chinese, available in English version
Release Date: 2023
Published By: Professional Standard - Post and Telecommunication CN / YD
Latest: YD/T 4513-2023

Introduction

Analysis of the core content of the standard

Scope of application of the standard

This document specifies the security technical requirements for embedded universal integrated circuit cards (eUICC) in consumer electronic devices, including:

  • Definition of security issues: The system identifies 6 major types of security threats
  • Security goals: Proposes 7 TOE security goals and 11 environmental security goals
  • Technical requirements: Covers security functions and security assurance requirements

It applies to the entire life cycle of eUICC products: design, development, testing and evaluation.


Key Technology Architecture

| Core Components | Functional Description | Security Requirements |
|---|---|---|
| ECASD | Certificate Security Storage Domain, storing eUICC keys and certificates | Anti-tampering/anti-leakage, EAL4+ assurance |
| ISD-R | Root Security Domain, managing the Profile lifecycle | Non-deletable, mandatory access control |
| ISD-P | Operator Profile container, each corresponding to a unique Profile | Domain isolation, independent key system |
| LPA | Local Profile Agent (device side/eUICC side) | Trusted channel, ES10 interface protection |

Security threat model

6 major core threats

  1. Unauthorized Profile management: including 4 sub-threats such as T.UNAUTHORIZED-PROFILE-MNG
  2. Identity tampering: illegal access to keys/certificates (T.UNAUTHORIZED-IDENTITY-MNG)

  • Cryptographic protection: Use the ECDSA algorithm for identity authentication, in accordance with the 3GPP TS 35.206/231 specification
  • Domain isolation: Physical isolation between profiles through the GlobalPlatform standard
  • Lifecycle management: Enforce PPR policy rules to ensure the security of Profile state transitions
  • Secure channel: The ES8+ interface uses the SCP03 protocol, and the ES6 interface uses SCP80/81

Implementation suggestions

Key points of product development

  1. Hardware security foundation: Choose a security chip with CC EAL4+ certification
  2. Key management system: Strictly follow the GSMA SGP.22 specification to implement key derivation
  3. Profile security: Implement code signature verification in the SM-DP+ link
  4. Interface protection: LPAd implementation must include ES10 instruction integrity check

Test verification points

  • Perform AVA_VAN.5 advanced vulnerability analysis
  • Verify PPE's enforcement of RAT rules
  • Side channel analysis test (such as power consumption analysis)

Standard evolution analysis

This standard is coordinated with international specifications such as GSMA SGP.02/22 and ETSI TS 102 225/226. The main innovations include:

  • For the first time, it clearly defines LPAe (LPA on the eUICC side) security requirements
  • It refines the verification mechanism of PPR policy rules
  • It adds support requirements for Chinese commercial encryption algorithms

YD/T 4513-2023 Referenced Document

  • GB/T 18336.2-2015 Information technology. Security techniques. Evaluation criteria for IT security. Part 2: Security functional components
  • GB/T 18336.3-2015 Information technology. Security techniques. Evaluation criteria for IT security. Part 3: Security assurance components

YD/T 4513-2023 history

  • 2023 YD/T 4513-2023 Technical requirements for security capabilities of embedded universal integrated circuit cards (eUICC) for consumer electronic devices
Update: Wed, 03 Jun 2026 19:59:19 +0000