You’re sending your best friend a secret message. But there’s a catch: the only way to deliver it is through a hallway full of nosy strangers who might try to read it or change it. How do you make sure only your friend can read the real message?
This is exactly the problem eSIM solves, except that the “hallway” is the entire internet and the “secret message” is a digital key worth protecting from hackers around the world!
Every security system needs a starting point: a root of trust. In the eSIM world, that’s the GSMA Certificate Issuer. Think of it as the king who can officially declare: “Yes, this person is who they claim to be.”
The king’s public master key is burned into every eSIM chip at the factory. It can’t be changed. It can’t be deleted. It’s the one thing every chip trusts absolutely.
Everyone in the eSIM world carries a special ID badge called a certificate. There are seven different types:
Every badge has a chain of signatures leading back to the king. If the chain breaks anywhere, the badge is rejected.
When your phone meets the Key Maker server, they perform a mutual authentication: a cryptographic handshake where both sides prove their identity.
Here’s the critical rule: the server goes first. Your phone’s chip is forbidden from revealing anything about itself until it has verified the server is legitimate. This prevents a classic spy trick where a fake server tricks the chip into exposing secrets.
The handshake works like this:
Both sides now have mathematical proof they’re talking to the real deal.
After both sides are verified, they create session keys: secret codes that exist for one conversation only. These are generated using a math trick called ECDH (Elliptic Curve Diffie-Hellman), where each side combines its own temporary secret number with the other side’s public number, and both arrive at the same result without ever sending the secrets across the internet.
Once the download is done, these session keys are thrown away forever. Even if hackers later steal the Key Maker’s long-term secret, they can’t unlock old downloads. This is called Perfect Forward Secrecy.
The system has a plan! The GSMA publishes a Certificate Revocation List: basically a “do not trust” list. If a server gets hacked, its badge is added to the list. Chips check this list before trusting anyone.
eSIM uses a special kind of math called elliptic curves (specifically one named “P-256”). It’s so strong that even if every computer on Earth worked together for billions of years, they couldn’t crack a single key. Some security experts call it “military-grade”, but it’s actually even stronger than that!
Kid-friendly version of GSMA SGP.22, Sections 2.6, 4.5, and 4.6: Security