CoreESIM: LPA Strings Explained for Remote Profile Provisioning
The Local Profile Assistant (LPA) plays a pivotal role in the lifecycle management of eSIM (embedded Universal Integrated Circuit Card) profiles. Operating within the eUICC, the LPA is responsible for interacting with the Subscription Manager – Data Preparation+ (SM-DP+) to download, enable, disable, and delete operational profiles. At the core of initiating a profile download is the LPA string, a precisely formatted data structure that directs the eUICC to the correct SM-DP+ for provisioning.
An LPA string serves as the bridge between a user's intent to activate an eSIM profile and the underlying infrastructure that delivers it. It encapsulates the necessary information for the eUICC to locate and communicate with the appropriate SM-DP+ server. This mechanism is critical for ensuring interoperability across different device manufacturers, eUICC vendors, and mobile network operators (MNOs), as mandated by GSMA specifications, primarily SGP.22 for remote SIM provisioning.
The structure and processing of LPA strings are rigorously defined to maintain security and consistency within the eSIM ecosystem. When an eUICC-enabled device receives an LPA string, typically via a QR code scan or manual input, the embedded LPA module parses this string. It then initiates a secure connection to the identified SM-DP+ server. This process involves mutual authentication between the eUICC and the SM-DP+, ensuring that only authorized profiles are downloaded to legitimate devices.
Key Components of an LPA String
- Activation Code: This is the primary identifier, often presented as a combination of an SM-DP+ address and an optional matching ID. The SM-DP+ address explicitly points to the server responsible for managing and delivering the eSIM profile. The matching ID, if present, helps the SM-DP+ identify the specific profile intended for download.
- SM-DP+ Address: A critical element, this is the fully qualified domain name (FQDN) or IP address of the Subscription Manager - Data Preparation+ server. It is essential for the eUICC to establish a connection to the correct server for profile management.
- Optional Parameters: LPA strings can include additional, optional parameters that provide further context or instructions. These might include redirection information, specific profile attributes, or other data points that assist the SM-DP+ in delivering the correct profile variant or handling specific provisioning scenarios.
The secure handling and transmission of LPA strings are paramount. Any compromise could potentially lead to unauthorized profile downloads or redirection to malicious servers. Therefore, the standards emphasize secure communication channels (e.g., TLS/DTLS) for all interactions between the eUICC and the SM-DP+ initiated by an LPA string. This robust framework ensures the integrity and confidentiality of the provisioning process, upholding the security foundations of the CoreESIM architecture.
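One way to apply this on the device or in a companion app is to validate a scanned LPA string and check its SM-DP+ address against an allowlist before the LPA contacts any server. This is an added example, not code from CoreESIM or the GSMA. It assumes the $-delimited field layout of the SGP.22 activation code, which this page does not spell out, and the allowlisted hostname and sample values are constructed.

```python
import re

# Assumed layout (SGP.22 activation code; the page does not spell it out):
#   LPA:<format>$<SM-DP+ address>$<matching ID>[$<SM-DP+ OID>[$<confirmation flag>]]
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
MATCHING_ID_RE = re.compile(r"^[A-Z0-9-]*$")    # assumed charset; may be empty
OID_RE = re.compile(r"^\d+(\.\d+)+$")
MAX_LEN = 4 + 255                               # "LPA:" prefix + assumed 255-char limit
ALLOWED_SMDP = frozenset({"smdp.example.com"})  # constructed allowlist


class LpaStringError(ValueError):
    """Raised when an LPA string fails validation."""


def parse_lpa_string(raw, allowed_hosts=ALLOWED_SMDP):
    """Validate an LPA string and return its fields, or raise LpaStringError."""
    text = raw.strip()
    if len(text) > MAX_LEN or not text.isascii() or not text.isprintable():
        raise LpaStringError("bad length or non-printable/non-ASCII characters")
    if not text.upper().startswith("LPA:"):
        raise LpaStringError("missing LPA: prefix")
    fields = text[4:].split("$")
    if not 2 <= len(fields) <= 5:
        raise LpaStringError("unexpected number of $-separated fields")
    fmt, address, matching_id, oid, cc_flag = fields + [""] * (5 - len(fields))
    if fmt != "1":
        raise LpaStringError("unsupported format version")
    host = address.lower()
    # This example accepts FQDNs only; IP literals and host:port forms are rejected.
    if not FQDN_RE.match(host):
        raise LpaStringError("SM-DP+ address is not a plain FQDN")
    if host not in allowed_hosts:
        raise LpaStringError("SM-DP+ address not on the allowlist")
    if not MATCHING_ID_RE.match(matching_id):
        raise LpaStringError("matching ID has unexpected characters")
    if oid and not OID_RE.match(oid):
        raise LpaStringError("SM-DP+ OID is not dotted-decimal")
    if cc_flag not in ("", "1"):
        raise LpaStringError("invalid confirmation code flag")
    return {"smdp_address": host, "matching_id": matching_id,
            "smdp_oid": oid or None, "confirmation_code_required": cc_flag == "1"}


def is_acceptable(raw, allowed_hosts=ALLOWED_SMDP):
    """Boolean wrapper for callers that only need a yes/no decision."""
    try:
        parse_lpa_string(raw, allowed_hosts)
        return True
    except LpaStringError:
        return False
```

The allowlist check complements, and does not replace, the mutual authentication and TLS protection the eUICC and SM-DP+ perform once the connection is made.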