UID of a NFC/SWP-accessed SIM card

Question

SIM card is used as a secure element in my project. It is accessed through NFC-SWP contactless interface from a terminal device.

I need to identify the SIM card somehow with a unique and permanent identifier and I need to be able to read the identifier through NFC. ICCID seems to be the best choice, but I would have to expose the EF ICCID file through the contactless interface, which might be dangerous. Moreover, the EF ICCID file is out of my scope on SIM card - access to my dedicated security domain is all I have.

I also tried to use the 4-byte long UID specified in ISO/IEC 14443 Type A, but I get a different UID each time I read the SIM card through NFC. Why?

Another solution would be accessing the card serial number through Global Platform Get Data command (Card Production Life Cycle Data (CPLC)), but I would have to be able to select the card manager through contactless interface, which is forbidden by default and not recommended because of security.

Is there any typical way to solve this issue?

Answer 1

The 4 byte UID for type A (same for PUPI for type B) is allowed to be random (ISO 14443-3, chap. 6.4.4 "fixed unique number or random number"). Their purpose is only, to select one of several cards currently in the field of the reader. Therefore the description of UID is in the anticollision chapter.

Getting the serial number of the card is surely the solution, but since this allows card tracking ( I do not know, who this is, but she was present 10 minutes ago already ) in privacy-aware context it is frequently only allowed after some kind of authentication (and possibly establishing a secure channel, so eavesdroppers don't benefit). For ideas, how to handle this, take a look at the ICAO specifications under BAC or EAC. I would not expect to find a privacy-aware solution for a card without being able to place specific information onto it.