RSP Fundamentals

CoreESIM: Technical Reference on eSIM Provisioning Mechanisms


eSIM provisioning, managed by the Embedded Universal Integrated Circuit Card (eUICC), fundamentally alters how mobile subscriber identities are managed, replacing physical SIM cards with programmable, secure elements. This process, governed primarily by GSMA Remote SIM Provisioning (RSP) specifications, enables over-the-air (OTA) download, activation, and management of operator profiles, facilitating dynamic network access.

eSIM Provisioning Architecture and Protocols

The core architecture for eSIM provisioning is defined by GSMA SGP.22 (RSP for Consumer Devices) and SGP.21 (RSP for Machine-to-Machine, M2M). Key entities in this ecosystem include:

  • eUICC: The secure hardware element in the device, storing multiple operator profiles and executing cryptographic operations.
  • Subscription Manager - Data Preparation+ (SM-DP+): Responsible for creating, storing, and securely delivering operator profiles to the eUICC, acting as the repository for all profile data (e.g., ICCID, IMSI, Ki, OPC, authentication algorithms).
  • Subscription Manager - Secure Routing (SM-SR): Primarily for M2M, manages profile lifecycle on eUICCs, orchestrating downloads, activations, and deactivations remotely.
  • Local Profile Assistant (LPA): A software component within the device OS, initiating profile downloads from the SM-DP+, interacting with the eUICC, and managing profile selection; its sub-functions are the Local Profile Download (LPD) and the Local User Interface (LUI).
  • Mobile Network Operator (MNO): Provides subscriber profile data and network access.

For consumer devices (SGP.22), the provisioning workflow typically begins with the end-user initiating a profile download via a QR code, a dedicated application, or manual entry of an activation code. The LPA on the device discovers the SM-DP+ server and requests a profile. The SM-DP+ authenticates the request, encrypts the chosen operator profile, and securely transmits it to the eUICC. The eUICC then verifies the profile's integrity and authenticity, installs it, and activates it, making the device ready for network registration. This ensures a robust chain of trust from the MNO to the eUICC.
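The activation code that starts the consumer workflow is the first untrusted input the LPA handles: whatever the QR code or user typed decides which SM-DP+ address the device will contact. The following added example (not code from the article or from GSMA) validates that input before any network request is made. It assumes the SGP.22 activation code layout, `LPA:1$<SM-DP+ address>$<matching ID>[$<SM-DP+ OID>[$<confirmation code flag>]]`; the character rule for the matching ID and the sample values are constructed for illustration.

```python
"""Parse and validate an SGP.22-style activation code before the LPA acts on it.

Added example, not article or GSMA code. Assumed layout (SGP.22):
    LPA:1$<SM-DP+ address>$<matching ID>[$<SM-DP+ OID>[$<confirmation code flag>]]
Only the shape of the string is checked here; no network call is made.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The SM-DP+ address must be a bare hostname: no scheme, port or path, so a
# crafted code cannot steer the LPA to an arbitrary URL or endpoint.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
_OID_RE = re.compile(r"^\d+(\.\d+)+$")          # dotted-decimal OID
_MATCHING_ID_RE = re.compile(r"^[A-Z0-9-]{0,64}$")  # constructed rule, not normative


@dataclass(frozen=True)
class ActivationCode:
    smdp_address: str
    matching_id: str
    smdp_oid: Optional[str]
    confirmation_code_required: bool


class ActivationCodeError(ValueError):
    """Raised for any code that must not be passed on to the download step."""


def parse_activation_code(code: str) -> ActivationCode:
    code = code.strip()
    if not code.startswith("LPA:"):
        raise ActivationCodeError("missing LPA: prefix")
    fields = code[4:].split("$")
    if fields[0] != "1":
        raise ActivationCodeError(f"unsupported format version {fields[0]!r}")
    if len(fields) < 3 or len(fields) > 5:
        raise ActivationCodeError(f"expected 3 to 5 fields, got {len(fields)}")
    _, address, matching_id = fields[:3]
    oid = fields[3] if len(fields) > 3 and fields[3] else None
    flag = fields[4] if len(fields) > 4 else ""

    if not _HOST_RE.match(address):
        raise ActivationCodeError(f"SM-DP+ address is not a bare hostname: {address!r}")
    if not _MATCHING_ID_RE.match(matching_id):
        raise ActivationCodeError("matching ID contains unexpected characters")
    if oid is not None and not _OID_RE.match(oid):
        raise ActivationCodeError(f"SM-DP+ OID is malformed: {oid!r}")
    if flag not in ("", "1"):
        raise ActivationCodeError(f"confirmation code flag must be empty or '1', got {flag!r}")
    # Hostnames are case-insensitive; normalise so later allow-listing is exact.
    return ActivationCode(address.lower(), matching_id, oid, flag == "1")


if __name__ == "__main__":
    # Constructed sample: matching ID empty, OID present, confirmation code required.
    print(parse_activation_code("LPA:1$smdp.example.com$$1.3.6.1.4.1.99999$1"))
```

Rejecting anything that is not a bare hostname is the important check: the SM-DP+ endpoint is derived from this field, and the LPA still has to authenticate the server it reaches, but a parser that quietly accepts a URL or a path makes that later step easier to get wrong.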

In M2M scenarios (SGP.21), provisioning is largely automated and centrally managed. The SM-SR orchestrates profile lifecycle management without direct user intervention. It issues commands to the eUICC, via a secure communication channel, to download, enable, disable, or delete profiles based on business logic or platform directives. This allows for flexible connectivity management across large fleets of IoT devices, adapting to changing geographical or operational requirements.
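The remote lifecycle commands described above (download, enable, disable, delete) only stay safe if the eUICC enforces the state rules itself rather than trusting the platform to issue them in a sensible order. The following added example (a constructed model, not GSMA or any vendor's code) shows that enforcement. It assumes four rules: a newly installed profile starts disabled, at most one profile is enabled at a time, an enabled profile must be disabled before it can be deleted, and only the SM-SR the eUICC is registered with may issue commands. The EID, ICCIDs and SM-SR names are placeholders.

```python
"""Constructed model of remotely managed profile lifecycle on an M2M eUICC.

Added example, not GSMA code. Rules assumed for the model: profiles are
DISABLED on install, at most one profile is ENABLED at a time, an ENABLED
profile must be disabled before deletion, and commands are accepted only
from the SM-SR the eUICC is registered with.
"""
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    DISABLED = "disabled"
    ENABLED = "enabled"


class LifecycleError(Exception):
    """A command that violates the lifecycle or authorisation rules."""


class EUICC:
    def __init__(self, eid: str, registered_smsr: str) -> None:
        self.eid = eid                          # placeholder EID
        self.registered_smsr = registered_smsr  # the one SM-SR allowed to manage this eUICC
        self.profiles: Dict[str, State] = {}    # ICCID -> state
        self.audit: List[str] = []              # what a secure element would log

    # --- guards -----------------------------------------------------------
    def _authorize(self, issuer: str) -> None:
        if issuer != self.registered_smsr:
            self.audit.append(f"REJECT {issuer}: not the registered SM-SR")
            raise LifecycleError("command not from registered SM-SR")

    def _require(self, iccid: str) -> None:
        if iccid not in self.profiles:
            raise LifecycleError(f"no such profile {iccid}")

    def enabled_profile(self) -> Optional[str]:
        return next((i for i, s in self.profiles.items() if s is State.ENABLED), None)

    # --- commands the SM-SR may issue --------------------------------------
    def download(self, issuer: str, iccid: str) -> None:
        self._authorize(issuer)
        if iccid in self.profiles:
            raise LifecycleError(f"profile {iccid} already installed")
        self.profiles[iccid] = State.DISABLED
        self.audit.append(f"INSTALL {iccid} (disabled)")

    def enable(self, issuer: str, iccid: str) -> None:
        self._authorize(issuer)
        self._require(iccid)
        current = self.enabled_profile()
        if current is not None and current != iccid:
            raise LifecycleError(f"{current} is enabled; disable it before enabling {iccid}")
        self.profiles[iccid] = State.ENABLED
        self.audit.append(f"ENABLE {iccid}")

    def disable(self, issuer: str, iccid: str) -> None:
        self._authorize(issuer)
        self._require(iccid)
        self.profiles[iccid] = State.DISABLED
        self.audit.append(f"DISABLE {iccid}")

    def delete(self, issuer: str, iccid: str) -> None:
        self._authorize(issuer)
        self._require(iccid)
        if self.profiles[iccid] is State.ENABLED:
            raise LifecycleError(f"{iccid} is enabled; disable it before deleting")
        del self.profiles[iccid]
        self.audit.append(f"DELETE {iccid}")


if __name__ == "__main__":
    e = EUICC("EID-PLACEHOLDER", "smsr.example.net")
    e.download("smsr.example.net", "ICCID-A")
    e.enable("smsr.example.net", "ICCID-A")
    print("\n".join(e.audit))
```

The audit list stands in for the event record a real eUICC or SM-SR platform would keep; rejected commands from an unregistered issuer are the entries a fleet operator would want surfaced, since they indicate either a misconfigured platform or someone else trying to drive the device's connectivity.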

Security is paramount throughout the entire provisioning process. All communications between the eUICC, SM-DP+, and SM-SR are secured using strong cryptographic protocols, including mutual authentication and end-to-end encryption. The eUICC itself is a tamper-resistant secure element, designed to protect sensitive subscriber data and cryptographic keys from unauthorized access, ensuring the integrity and confidentiality of the mobile identity.