Imagine you’re sending a secret message to a friend. How do they know it’s really from you and not an imposter? You use a secret handshake that only the two of you know. IoT devices use the same idea, a digital secret handshake, to make sure commands are genuine and that nobody can spy on them.
In the phone world there are already digital ID cards (certificates) for the profile factories and the discovery servers. IoT adds a brand new one, the eIM Certificate: a digital ID card for the remote control centre.
It actually comes in two flavours:
Two separate keys for two separate jobs, like having one lock for your front door and a different lock for your diary.
Not all devices have the same computer power. So there are three levels of security:
Linux-powered gateways with full computers can validate entire certificate chains, just like a web browser checks a website’s identity.
Most IoT devices store one specific certificate and say “I only trust this one.” Like only accepting a handshake from someone you’ve met before.
Ultra-tiny sensors with barely any memory store just the raw key itself, so no certificate parsing is needed. Simple but effective!
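The three trust levels make three different decisions with the same eIM identity. The following is an added example (not from the original article or any GSMA specification) that models them with a toy certificate: the "signature" is an HMAC keyed with the issuer's key bytes, a constructed stand-in for real X.509 signature checking, and all names and keys are made up.

```python
import hashlib
import hmac

# Toy stand-in for X.509 eIM certificates (constructed for this example):
# a dict of subject, issuer, public-key bytes and a "signature" that is an
# HMAC over the body keyed with the issuer's key bytes. Real deployments
# verify an asymmetric signature; the three trust decisions are the same.
def _body(subject, issuer, pubkey):
    return f"{subject}|{issuer}|".encode() + pubkey

def make_cert(subject, issuer, pubkey, issuer_key):
    sig = hmac.new(issuer_key, _body(subject, issuer, pubkey), hashlib.sha256).digest()
    return {"subject": subject, "issuer": issuer, "pubkey": pubkey, "sig": sig}

def _sig_ok(cert, issuer_key):
    expect = hmac.new(issuer_key, _body(cert["subject"], cert["issuer"], cert["pubkey"]), hashlib.sha256).digest()
    return hmac.compare_digest(cert["sig"], expect)

def fingerprint(cert):
    return hashlib.sha256(_body(cert["subject"], cert["issuer"], cert["pubkey"]) + cert["sig"]).hexdigest()

# Level 1: full-chain validation (gateway). chain is leaf first, root last.
def verify_full_chain(chain, trusted_root_fps):
    if not chain or fingerprint(chain[-1]) not in trusted_root_fps:
        return False
    for cert, issuer in zip(chain, chain[1:] + [chain[-1]]):
        if cert["issuer"] != issuer["subject"] or not _sig_ok(cert, issuer["pubkey"]):
            return False
    return True

# Level 2: pinned certificate (typical IoT device): accept exactly one cert.
def verify_pinned(leaf, pinned_fp):
    return hmac.compare_digest(fingerprint(leaf), pinned_fp)

# Level 3: raw public key (constrained sensor): no certificate parsing at all.
def verify_raw_key(presented_pubkey, stored_pubkey):
    return hmac.compare_digest(presented_pubkey, stored_pubkey)

# Constructed PKI: root -> issuing CA -> eIM, plus an impostor eIM cert.
ROOT_KEY, INT_KEY, EIM_KEY, FAKE_KEY = b"root-key-demo", b"int-key-demo", b"eim-key-demo", b"fake-key-demo"
ROOT = make_cert("Root CA", "Root CA", ROOT_KEY, ROOT_KEY)
INTER = make_cert("eIM Issuing CA", "Root CA", INT_KEY, ROOT_KEY)
EIM = make_cert("eim.example", "eIM Issuing CA", EIM_KEY, INT_KEY)
FAKE = make_cert("eim.example", "eIM Issuing CA", FAKE_KEY, FAKE_KEY)  # claims the CA, signed by itself
TRUSTED_ROOTS = {fingerprint(ROOT)}

def demo():
    return {
        "gateway_accepts_real": verify_full_chain([EIM, INTER, ROOT], TRUSTED_ROOTS),
        "gateway_rejects_fake": verify_full_chain([FAKE, INTER, ROOT], TRUSTED_ROOTS),
        "device_pinned_real": verify_pinned(EIM, fingerprint(EIM)),
        "device_pinned_fake": verify_pinned(FAKE, fingerprint(EIM)),
        "sensor_raw_key_fake": verify_raw_key(FAKE_KEY, EIM_KEY),
    }
```

Levels 2 and 3 cannot fall back to a chain, so rotating the eIM key means re-provisioning the pinned certificate or raw key on every device; that operational cost is the price of the smaller footprint.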
Your phone uses TLS (Transport Layer Security) over TCP, the padlock in your browser. IoT devices on battery-saving networks instead use DTLS (Datagram TLS) over UDP, a lightweight version that works even when the device keeps falling asleep and waking up.
The magic trick? Connection ID. Like leaving your jacket on a chair to save your spot, Connection ID lets a device resume its secure connection after a nap, even if its IP address changed while it was sleeping!
Here’s a brilliant safety feature: if a profile switch goes wrong and the device loses all connectivity, the eSIM chip can automatically switch to a Fallback Profile, a backup profile that’s always there for emergencies.
This happens without any server involvement. The chip just does it on its own, like an automatic parachute that opens when it detects you’re falling.
What about bad actors? The system protects against:
DTLS with Connection ID means a device can change IP addresses (like moving to a different WiFi network) and still keep its secure conversation going without starting over!