WIM

Wireless Identity Module

Security
Introduced in Rel-2
A secure hardware or software component that stores the subscriber's identity (IMSI), authentication keys, and network applications for a 3GPP mobile device. It is the generic term encompassing physical SIM cards and their embedded (eSIM) and integrated (iSIM) successors. The WIM executes the authentication algorithms, securing the link between the user and the mobile network.

Description

The Wireless Identity Module (WIM) is the secure element in a User Equipment (UE) responsible for hosting the subscriber identity and critical authentication credentials for accessing 3GPP networks (GSM, UMTS, LTE, NR). It is a tamper-resistant component, historically a removable plastic card (UICC with SIM application) but evolving into embedded hardware (eUICC) or an integrated secure enclave (iUICC). The WIM's primary function is to securely store the International Mobile Subscriber Identity (IMSI) and the long-term secret key (K), which are provisioned by the mobile network operator. It also hosts the authentication and key agreement application (e.g., SIM for GSM, USIM for 3G/4G/5G, ISIM for IMS), which contains the cryptographic algorithms (e.g., Milenage, TUAK).

Architecturally, the WIM interacts with the UE's modem via a standardized electrical and logical interface (e.g., ISO/IEC 7816 for physical cards, or newer interfaces for embedded forms). When the UE attempts to attach to a network, the network sends a random challenge (RAND) to the UE. The modem passes this challenge to the WIM. The WIM's USIM application uses the stored secret key (K) and the RAND as inputs to the authentication algorithm to compute two critical values: a response (RES) and a ciphering/integrity key pair (CK/IK). The RES is sent back to the network for verification, while the CK/IK are used by the UE and network to derive the session keys that encrypt and integrity-protect all subsequent radio communications. This process, known as Authentication and Key Agreement (AKA), ensures mutual authentication and establishes a secure channel.
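The RAND/RES exchange described above, shown from both sides as an added example that is not part of the original entry or of any 3GPP specification. Assumptions: HMAC-SHA-256 stands in for the Milenage/TUAK functions, RES is 8 bytes, only the RAND/RES leg in the paragraph is modelled, and the names Wim, Network, attach and f and the IMSI and K values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

IMSI = "001010123456789"                               # constructed test identity
K = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit key


def f(k: bytes, rand: bytes, label: bytes, n: int) -> bytes:
    # Assumption: HMAC-SHA-256 stands in for the Milenage/TUAK functions.
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:n]


class Wim:
    """Card side: K stays inside; only RES, CK and IK are returned."""
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self._k = imsi, k

    def authenticate(self, rand: bytes):
        return (f(self._k, rand, b"RES", 8),
                f(self._k, rand, b"CK", 16),
                f(self._k, rand, b"IK", 16))


class Network:
    """Operator side: holds K per IMSI, issues RAND, checks RES."""
    def __init__(self, subscribers: dict):
        self._subs, self._pending = subscribers, {}

    def challenge(self, imsi: str) -> bytes:
        self._pending[imsi] = secrets.token_bytes(16)  # fresh 128-bit RAND
        return self._pending[imsi]

    def verify(self, imsi: str, res: bytes):
        rand = self._pending.pop(imsi, None)           # each RAND is single-use
        k = self._subs.get(imsi)
        if rand is None or k is None:
            return None
        if not hmac.compare_digest(res, f(k, rand, b"RES", 8)):  # constant-time
            return None
        return f(k, rand, b"CK", 16), f(k, rand, b"IK", 16)


def attach(wim: Wim, net: Network) -> bool:
    rand = net.challenge(wim.imsi)           # network -> UE
    res, ck, ik = wim.authenticate(rand)     # modem hands RAND to the WIM
    keys = net.verify(wim.imsi, res)         # UE -> network: RES only
    return keys == (ck, ik)                  # both ends hold the same CK/IK
```

Only RAND and RES cross the interface; K, CK and IK are never transmitted, and a RES computed for an earlier RAND is rejected because each challenge is consumed on first use.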

Key components within the WIM include the file system (MF, DF, EF) that stores the IMSI, operator-controlled applets, and network-specific files; the cryptographic processor for running algorithms; and the secure operating system that isolates applications. Its role is foundational to network security and subscriber management. It decouples subscriber identity from the device hardware, enabling users to change devices by moving the WIM (if removable) and allowing operators to remotely provision credentials (via SM-DP+ for eSIM). The WIM is the root of trust for the entire mobile connection, preventing impersonation and eavesdropping. It also hosts other carrier services like the SIM Toolkit for value-added services.

Purpose & Motivation

The WIM was created to solve the fundamental problems of subscriber mobility, security, and service portability in cellular networks. In early analog systems, subscriber identity was tied to the device, making it insecure and inflexible. The introduction of the physical SIM card (a type of WIM) with GSM separated the user's subscription from the handset, enabling users to easily switch phones and allowing operators to securely distribute authentication credentials. The primary problem it addressed was secure, scalable authentication for millions of users.

The evolution from SIM to USIM to embedded WIMs has been motivated by ongoing challenges. Physical SIM cards consume space, are prone to damage, and are inconvenient for IoT devices. The WIM concept, formalized in 3GPP, generalizes the secure module to address these limitations. The eSIM (embedded WIM) solves the problem of remote provisioning, enabling devices to be factory-built and later connected to any operator over-the-air, which is crucial for automotive, wearable, and IoT markets. The iSIM (integrated WIM) further addresses space and cost constraints by integrating the secure element into the device's main system-on-chip. Each evolution maintains the core purpose: providing a standardized, secure, and portable anchor for subscriber identity and network authentication in an increasingly diverse device ecosystem.

Key Features

  • Secure storage of long-term subscriber identity (IMSI) and secret authentication key (K)
  • Execution of authentication and key agreement (AKA) algorithms (Milenage, TUAK)
  • Hosting of network applications (SIM, USIM, ISIM) for 2G, 3G, 4G, 5G, and IMS access
  • Tamper-resistant hardware design to prevent key extraction and cloning
  • Standardized interface (UICC, eUICC) for communication with the device modem
  • Support for remote provisioning and management of operator profiles (for eSIM)

Evolution Across Releases

Rel-2 Initial

Initial definition of the SIM (Subscriber Identity Module) as a smart card for GSM networks. Specified the physical form factor, electrical interface (ISO/IEC 7816), and basic file structure for storing the IMSI, authentication key (Ki), and algorithms (COMP128). Established the fundamental challenge-response authentication mechanism that formed the basis for all subsequent WIM evolution.

Defining Specifications

Specification    Title
TS 21.905        3GPP TS 21.905
TS 23.140        3GPP TS 23.140
TS 24.109        3GPP TS 24.109
TS 31.113        3GPP TR 31.113