CHV

Card Holder Verification

Security
Introduced in Rel-5
Card Holder Verification (CHV) is a security mechanism in 3GPP specifications for authenticating the user of a UICC or SIM card. It protects access to the card's services and data by requiring a PIN, ensuring that only the authorized cardholder can use the mobile subscription. This is a fundamental security feature for preventing unauthorized use of mobile devices and services.

Description

Card Holder Verification (CHV) is a security function defined within 3GPP specifications, primarily for Universal Integrated Circuit Cards (UICC) and Subscriber Identity Modules (SIM). Its core purpose is to authenticate the individual attempting to use the card, thereby protecting sensitive subscriber data, network access credentials, and stored applications. The CHV mechanism operates by requiring the user to present a secret, typically a Personal Identification Number (PIN), which is verified by the card itself before granting access to protected functionalities. This verification is a local process between the user equipment (e.g., mobile phone) and the card, not involving the network, which makes it a crucial first line of defense against device and service misuse.

The architecture of CHV is integrated into the UICC's security architecture. The card contains a CHV file (EF_CHV) that stores the reference PIN value and status information (e.g., enabled/disabled, number of remaining verification attempts). When a user enters a PIN via the device's interface, the device sends a VERIFY command (as per ISO/IEC 7816-4) to the UICC, presenting the entered value. The UICC's operating system compares this presented value against the stored reference. If they match, the verification is successful, and the card grants the appropriate level of access. If the verification fails, an attempt counter is decremented. After a configurable number of consecutive failed attempts (typically three or more), the CHV becomes blocked, requiring a PUK (PIN Unblocking Key) to reset it, preventing brute-force attacks.
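The VERIFY and unblock flow described above, as an added example that is not part of the original page or of any 3GPP specification text: a toy card-side model showing how the attempt counter turns PIN guessing into a blocked state that only the PUK can clear. The names `CardChv`, `verify_apdu` and `unblock_apdu`, the retry limits of 3 and 10, key reference 01 and the 0xFF padding to 8 bytes are assumptions for illustration; the status words are the ISO/IEC 7816-4 values 9000, 63CX and 6983.

```python
import hmac

SW_OK, SW_BLOCKED, SW_WRONG_LEN, SW_BAD_INS = 0x9000, 0x6983, 0x6700, 0x6D00

def pad(secret: str) -> bytes:
    """Encode a 4-8 digit PIN/PUK as 8 bytes, right-padded with 0xFF."""
    if not (secret.isascii() and secret.isdigit() and 4 <= len(secret) <= 8):
        raise ValueError("expected 4-8 decimal digits")
    return secret.encode("ascii").ljust(8, b"\xff")

def verify_apdu(pin: str, key_ref: int = 0x01) -> bytes:
    """VERIFY: CLA=00 INS=20 P1=00 P2=key reference Lc=08, then the padded PIN."""
    return bytes([0x00, 0x20, 0x00, key_ref, 0x08]) + pad(pin)

def unblock_apdu(puk: str, new_pin: str, key_ref: int = 0x01) -> bytes:
    """UNBLOCK: INS=2C, data is the padded PUK followed by the padded new PIN."""
    return bytes([0x00, 0x2C, 0x00, key_ref, 0x10]) + pad(puk) + pad(new_pin)

class CardChv:
    """Toy card-side model of one CHV: reference values and retry counters."""
    LIMITS = {"pin": 3, "puk": 10}  # assumed limits, set by the issuer on real cards

    def __init__(self, pin: str, puk: str):
        self.ref = {"pin": pad(pin), "puk": pad(puk)}
        self.left = dict(self.LIMITS)
        self.verified = False

    def _check(self, which: str, presented: bytes) -> int:
        if self.left[which] == 0:
            return SW_BLOCKED  # blocked: the value is not compared at all
        if hmac.compare_digest(self.ref[which], presented):
            self.left[which] = self.LIMITS[which]  # success resets the counter
            return SW_OK
        self.left[which] -= 1
        return 0x63C0 | self.left[which]  # 63CX: X attempts remain

    def process(self, apdu: bytes) -> int:
        if len(apdu) < 5 or len(apdu) - 5 != apdu[4]:
            return SW_WRONG_LEN
        ins, lc, data = apdu[1], apdu[4], apdu[5:]
        if (ins, lc) == (0x20, 8):
            sw = self._check("pin", data)
            self.verified = sw == SW_OK
            return sw
        if (ins, lc) == (0x2C, 16):
            sw = self._check("puk", data[:8])
            if sw == SW_OK:  # correct PUK installs the new PIN and unblocks it
                self.ref["pin"], self.left["pin"] = data[8:], self.LIMITS["pin"]
            return sw
        return SW_BAD_INS if ins not in (0x20, 0x2C) else SW_WRONG_LEN
```

Once the counter reaches zero the model returns 6983 even for the correct PIN, which is the property that bounds a guessing attempt to the configured number of tries.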

CHV controls access to critical files and functionalities on the card. The primary CHV, often called CHV1 or the PIN, typically protects access to the phonebook (EF_ADN) and other user data files. A second CHV (CHV2 or ADM1) may be defined to protect administrative functions. The mechanism's role is foundational; it ensures that the physical possession of a SIM card alone is insufficient to access the mobile network or personal data. It works in conjunction with other security layers like the Authentication and Key Agreement (AKA) protocol for network authentication, creating a multi-layered security model where CHV provides user verification and AKA provides network-to-card mutual authentication.

From a procedural perspective, the management of CHV involves enabling, disabling, changing, and unblocking the PIN. These operations are performed through specific commands from the terminal to the UICC. The 3GPP specifications, particularly TS 31.101 (UICC-Terminal Interface) and the USIM application specifications (TS 31.102), detail the precise command-response sequences and file structures. The CHV mechanism is a standardized implementation of a challenge-response secret verification, ensuring interoperability across different card manufacturers and mobile devices while maintaining a consistent security baseline for subscriber identity modules.

Purpose & Motivation

CHV was created to address the critical need for user authentication at the device level in mobile telecommunications. Early cellular systems lacked robust personal security features for the SIM card itself. If a device was lost or stolen, anyone could insert the SIM into another phone and gain immediate access to the network, potentially incurring charges or impersonating the subscriber. The primary problem CHV solves is the separation of device ownership from service authorization; it ensures that the legitimate subscriber must authenticate themselves to use the subscription, even on their own or a new device.

The motivation for its standardization in 3GPP stemmed from the global rollout of GSM and the subsequent need for a uniform, secure method to protect the subscriber's identity module. By introducing a mandatory or user-enableable PIN, the system added a significant deterrent against casual theft and unauthorized use. It addressed the limitation of relying solely on the physical form factor of the SIM card as a security token. Before such verification, security was entirely network-centric (e.g., based on the IMSI and Ki), leaving the local user-device interface unprotected.

Historically, CHV established a fundamental principle in mobile security: the concept of a two-factor authentication model for service access, combining 'something you have' (the SIM card) with 'something you know' (the PIN). This was a pivotal step in consumer mobile security, fostering user trust and enabling more advanced services that stored personal data on the SIM. Its creation was driven by the need to protect both the network operator from fraud and the subscriber from privacy invasion and financial loss, forming an essential component of the overall trust model for digital mobile communications.

Key Features

  • Local user authentication via PIN verification on the UICC/SIM
  • Protection of sensitive card files (e.g., phonebook, SMS) from unauthorized access
  • Configurable attempt counter with blocking after excessive failures
  • Integration with PUK (PIN Unblocking Key) for secure recovery from a blocked state
  • Standardized command set (VERIFY, CHANGE CHV, UNBLOCK CHV) as per ISO/IEC 7816-4
  • Support for multiple CHV keys (e.g., CHV1 for user, CHV2 for administrative functions)

Evolution Across Releases

Rel-5 Initial

Introduced the standardized framework for Card Holder Verification within the 3GPP USIM and UICC specifications. Defined the basic architecture, including the EF_CHV file structure, the VERIFY command procedure, and the linkage to the PIN Unblocking Key (PUK) mechanism. Established CHV as a mandatory security feature for protecting access to the USIM application and user data stored on the card.

Defining Specifications

Specification    Title
TS 21.905        3GPP TS 21.905
TS 31.113        3GPP TR 31.113
TS 31.900        3GPP TR 31.900