Telecom Authentication and Enterprise Identity: Where LTE and PKI Meet
Overview
A connected device operating on an LTE network carries two distinct identity credentials. Most device architectures treat them as unrelated systems. They are not unrelated: they are validated independently, but they share a device, and the boundary between them is where the most interesting, and most frequently underspecified, architecture problems occur.
The first credential is the network identity: the USIM credential held in the SIM or eUICC, used by the LTE network to authenticate the device during the attach procedure. The second is the device identity: a PKI certificate bound to the device's hardware, issued during manufacturing, used by enterprise systems and fleet management infrastructure to identify and authenticate the device for operational purposes.
These two credentials were designed by different standards bodies, governed by different authorities, and validated through different protocols. They share one thing: the physical device. And that creates an integration point with real security and architectural implications that must be explicitly designed.
Definitions
USIM (Universal Subscriber Identity Module)
The application running on a SIM or eUICC that implements the 3GPP authentication protocol. The USIM holds the subscriber's Ki (authentication key) and IMSI, and implements the AKA (Authentication and Key Agreement) algorithm for network authentication.
AKA (Authentication and Key Agreement)
The 3GPP mutual authentication protocol used for LTE network access (EPS AKA, TS 33.401). The home network's HSS generates an authentication vector for the subscriber (RAND, an authentication token AUTN, the expected response XRES, and key material); the serving network's MME sends the challenge, RAND and AUTN, to the device. The USIM uses its Ki to compute the response RES and the session keys CK and IK, from which the device derives KASME, and the MME compares RES with XRES. Authentication is mutual: before answering, the USIM checks the MAC carried inside AUTN, which only a party holding Ki can produce, and the sequence number AUTN carries, so a forged or replayed challenge is rejected with a MAC or synchronisation failure rather than answered.
HLR/HSS (Home Location Register / Home Subscriber Server)
The network-side subscriber database, controlled by the mobile network operator (MNO); the HSS is the LTE successor of the HLR. For each subscription it holds the IMSI, the Ki (with the operator constant OPc for MILENAGE) and the subscriber's sequence number SQN, and from these it generates fresh authentication vectors (RAND, XRES, AUTN, KASME) on request from a serving MME. It does not store precomputed challenge-response pairs; each vector is single-use.
Device PKI certificate
An X.509 certificate binding the device's public key to its hardware identifier, issued by an enterprise or fleet CA during manufacturing. Used for mutual TLS authentication with fleet management infrastructure, OTA provisioning channels, and enterprise application endpoints.
Security domain (GlobalPlatform)
An isolated credential management partition within a secure element or eUICC. GlobalPlatform defines a hierarchy of security domains with defined relationships and access controls. Where the USIM and enterprise credentials co-reside in the same physical SE, they must reside in separate security domains with no cross-domain data access.
The Two Identity Contexts
Context 1 — Network identity (LTE / USIM)
The network identity context is entirely under MNO control.
The USIM credential, Ki and IMSI, is provisioned by the MNO, either at SIM manufacture time (for physical SIMs) or via RSP (for eSIM/eUICC). The Ki is a symmetric key that never leaves the USIM: authentication operations are performed within the USIM, which releases only the computed response (RES) and the session keys (CK, IK) to the device, and only RES is forwarded to the network. The HSS holds the corresponding Ki and the MME verifies RES against the expected response in the vector.
Revocation of a network credential is performed by the MNO via the HLR/HSS, by barring or deleting the subscription so that no further authentication vectors are issued for that IMSI. The device has no role in this operation. The device owner or fleet operator may have no visibility into, and no control over, the timing or execution of MNO revocation actions.
What the LTE authentication context asserts: the USIM is present, the Ki matches the HLR record, and the device can attach to the network and exchange data. It asserts nothing about the software state of the device, the integrity of the application layer, the provenance of any enterprise credential, or the operational authorisation of the device within the enterprise context.
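The AKA exchange described in the definitions above and in this context, as an added example that is not part of the original article: a Go implementation of EPS AKA with the MILENAGE f-functions (TS 35.206) on AES-128, built only on the standard library. GenerateVector plays the HSS (and the MME's use of the vector), USIMAuthenticate plays the USIM, and RunAttach runs one genuine round followed by a forged AUTN and a replayed vector, so both halves of the mutual authentication are exercised. Ki and OPc are random values constructed for the example rather than operator-personalised ones; the AMF value and the single-counter sequence-number check are simplifications noted in the comments; the MILENAGE code follows the specification's rotation and constant parameters but has not been checked here against the TS 35.208 conformance test sets, which a real implementation must pass.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// MILENAGE (TS 35.206) on AES-128; values are 128-bit blocks unless noted.
func encrypt(k, in [16]byte) (out [16]byte) {
	c, _ := aes.NewCipher(k[:]) // a 16-byte key cannot fail
	c.Encrypt(out[:], in[:])
	return out
}
func xor(a, b [16]byte) (out [16]byte) {
	subtle.XORBytes(out[:], a[:], b[:])
	return out
}

// milenage returns f1 (MAC-A), f2 (RES), f3 (CK), f4 (IK) and f5 (AK, which masks SQN inside AUTN).
func milenage(k, opc, rnd [16]byte, sqn [6]byte, amf [2]byte) (macA, res [8]byte, ck, ik [16]byte, ak [6]byte) {
	temp := encrypt(k, xor(rnd, opc))
	var in1 [16]byte // IN1 = SQN || AMF || SQN || AMF
	copy(in1[0:], sqn[:])
	copy(in1[6:], amf[:])
	copy(in1[8:], in1[:8])
	// out = E_K(base xor rot(x xor OPc, r) xor c) xor OPc, rot moving r bits towards the MSB; OUT1 uses base = TEMP, x = IN1, OUT2..OUT4 use base = 0, x = TEMP, with the r and c constants of TS 35.206.
	out := func(base, x [16]byte, r int, c byte) [16]byte {
		var y [16]byte
		for i := range y {
			y[i] = base[i] ^ x[(i+r/8)%16] ^ opc[(i+r/8)%16]
		}
		y[15] ^= c
		return xor(encrypt(k, y), opc)
	}
	out1, out2 := out(temp, in1, 64, 0), out([16]byte{}, temp, 0, 1)
	copy(macA[:], out1[:8])
	copy(ak[:], out2[:6])
	copy(res[:], out2[8:])
	return macA, res, out([16]byte{}, temp, 32, 2), out([16]byte{}, temp, 64, 4), ak
}

// AuthVector is what the HSS hands the serving MME: AUTN = (SQN xor AK) || AMF || MAC-A. The MME goes on to derive KASME from CK and IK (TS 33.401); that step is not shown.
type AuthVector struct {
	RAND, AUTN [16]byte
	XRES       [8]byte
	CK, IK     [16]byte
}

// GenerateVector is the HSS side; sqn is the subscription's 48-bit counter, so every vector is single-use.
func GenerateVector(k, opc [16]byte, sqn *[6]byte) (av AuthVector) {
	rand.Read(av.RAND[:])
	for i := 5; i >= 0; i-- { // increment the big-endian SQN
		if sqn[i]++; sqn[i] != 0 {
			break
		}
	}
	amf := [2]byte{0x80, 0x00} // AMF separation bit set, as EPS AKA requires; the other bits are operator-specific
	macA, res, ck, ik, ak := milenage(k, opc, av.RAND, *sqn, amf)
	subtle.XORBytes(av.AUTN[:6], sqn[:], ak[:])
	copy(av.AUTN[6:], amf[:])
	copy(av.AUTN[8:], macA[:])
	av.XRES, av.CK, av.IK = res, ck, ik
	return av
}

// USIMAuthenticate is the subscriber side: Ki and OPc stay inside, only RES, CK and IK come out. sqnSeen is the highest SQN accepted so far (TS 33.102 Annex C keeps an array of counters; simplified here).
func USIMAuthenticate(k, opc [16]byte, sqnSeen *[6]byte, rnd, autn [16]byte) (res [8]byte, ck, ik [16]byte, err error) {
	_, res, ck, ik, ak := milenage(k, opc, rnd, [6]byte{}, [2]byte{}) // f2..f5 depend only on RAND
	var sqn [6]byte
	subtle.XORBytes(sqn[:], autn[:6], ak[:]) // unmask SQN with AK
	amf := [2]byte{autn[6], autn[7]}
	if macA, _, _, _, _ := milenage(k, opc, rnd, sqn, amf); !hmac.Equal(macA[:], autn[8:]) {
		return [8]byte{}, [16]byte{}, [16]byte{}, errors.New("MAC failure: AUTN was not produced with this Ki")
	}
	if bytes.Compare(sqn[:], sqnSeen[:]) <= 0 {
		return [8]byte{}, [16]byte{}, [16]byte{}, errors.New("synchronisation failure: SQN not fresh (replay)")
	}
	*sqnSeen = sqn
	return res, ck, ik, nil
}

// RunAttach runs one genuine round, then a forged AUTN, then a replay of the already-used vector.
func RunAttach() (accepted, forgeryRejected, replayRejected bool) {
	var k, opc [16]byte // constructed values standing in for the operator-personalised Ki and OPc
	rand.Read(k[:])
	rand.Read(opc[:])
	var hssSQN, usimSQN [6]byte
	av := GenerateVector(k, opc, &hssSQN)
	res, _, _, err := USIMAuthenticate(k, opc, &usimSQN, av.RAND, av.AUTN)
	accepted = err == nil && hmac.Equal(res[:], av.XRES[:]) // the MME's RES == XRES comparison
	forged := av.AUTN
	forged[9] ^= 0x01 // flip one MAC-A bit: a rogue network without Ki cannot pass the USIM's check
	_, _, _, err = USIMAuthenticate(k, opc, &usimSQN, av.RAND, forged)
	forgeryRejected = err != nil
	_, _, _, err = USIMAuthenticate(k, opc, &usimSQN, av.RAND, av.AUTN) // the same vector presented again
	replayRejected = err != nil
	return
}
```

RunAttach returns the three outcomes (genuine accepted, forgery rejected, replay rejected) so it can be driven from a test or a main of your own. The point it makes about the boundary: everything the USIM will ever release is RES, CK and IK. Nothing in this exchange identifies the application software, the enterprise certificate or the fleet's authorisation state, which is why network attachment cannot stand in for enterprise identity.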
Context 2 — Enterprise device identity (PKI)
The enterprise identity context is under fleet operator or device owner control.
The PKI device certificate is issued by the enterprise CA during manufacturing. The corresponding private key is held in the secure element, hardware-bound to the device. Certificate revocation is managed by the enterprise CA through CRL or OCSP.
What the enterprise identity context asserts: the device holds the private key matching the certificate (proven in the TLS handshake), the certificate chains to an authorised CA, and the certificate has not been revoked according to the issuing CA's current CRL or OCSP data. With appropriate attestation, it can additionally assert the device's software integrity state.
Integration Design Decisions
Decision 1 — Which identity governs which authentication context
The most critical architectural decision at the integration boundary is ensuring that network presence is not used as a proxy for enterprise identity validity — and that this is enforced by design, not by convention.
A device that has a valid USIM credential can attach to the network. A device that has a revoked enterprise PKI certificate should not be authorised for enterprise operations. These two states are independent. A device can be network-attached and enterprise-revoked simultaneously — and this is an expected, normal operational state for a decommissioned or compromised device.
Fleet management infrastructure must handle the state where a device has network presence but invalid enterprise identity. The correct behaviour is: network-authenticated data transport succeeds (enabling revocation delivery and forensic communication), but enterprise-authenticated operations fail. This requires explicit state management — not relying on network layer security to imply enterprise authorisation.
Decision 2 — Revocation propagation across both contexts
Revocation of the enterprise PKI certificate — due to device compromise, loss, or decommissioning — does not automatically affect the LTE network credential. The device will continue to attach to the network after enterprise revocation.
This is the correct behaviour. The LTE network should remain accessible to enable:
- Delivery of the revocation state to the device (via OTA)
- Remote wipe or device lock commands
- Forensic telemetry collection post-compromise
- SE lifecycle termination commands
The architecture must explicitly account for the state where network access is maintained and enterprise identity is revoked, rather than assuming that revocation in one context propagates to the other.
MNO revocation (deactivating the IMSI) is a separate action, controlled by the MNO, that should be coordinated with enterprise revocation for devices that are being permanently decommissioned — but must not be assumed to be automatic.
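Decisions 1 and 2 above, as an added example that is not part of the original article: a Go sketch of the fleet backend's authorisation check, written against the standard library crypto/x509 package. Evaluate keeps network presence and enterprise identity as two separate outcomes, validates the device certificate against an enterprise CA, checks a CRL signed by that CA (failing closed when the CRL is unverifiable or stale), and requires proof of possession of the SE-bound key, so a copied certificate alone is not enough. Scenario constructs the CA, the two device certificates, the CRL and the nonce for the example; the device names and serial numbers are made up, and a real backend would take the certificate from the mTLS handshake and the attach state from the MNO's core or APN rather than from a struct field.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Decision keeps the two outcomes of one device contact apart: TransportOK derives only from
// network presence and EnterpriseOK only from the PKI checks; neither is ever inferred from the other.
type Decision struct {
	TransportOK  bool // revocation delivery, remote wipe and telemetry may use the channel
	EnterpriseOK bool // configuration, data and application operations may proceed
	Reason       string
}
// DeviceContact is what the fleet backend observes when a device connects.
type DeviceContact struct {
	NetworkAttached bool   // from the MNO core (attach/PDN session state), never claimed by the device
	CertDER         []byte // device certificate presented in the mTLS handshake
	Nonce, Sig      []byte // proof of possession: ECDSA signature over a backend-chosen nonce
}

// Evaluate applies the enterprise trust anchor ca and its current CRL to one contact.
func Evaluate(ca *x509.Certificate, crl *x509.RevocationList, c DeviceContact, now time.Time) Decision {
	d := Decision{TransportOK: c.NetworkAttached}
	fail := func(why string) Decision { d.Reason = why; return d }
	if !c.NetworkAttached {
		return fail("no network presence")
	}
	cert, err := x509.ParseCertificate(c.CertDER)
	if err != nil {
		return fail("unparseable device certificate")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fail("chain validation failed: " + err.Error())
	}
	// Revocation state comes only from enterprise CA data; an unverifiable or stale CRL fails closed.
	if err := crl.CheckSignatureFrom(ca); err != nil || now.After(crl.NextUpdate) {
		return fail("CRL unusable: failing closed")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fail("certificate revoked; transport kept for wipe and telemetry")
		}
	}
	// A certificate is public; the identity is the SE-bound key, so possession must be proven.
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(c.Nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], c.Sig) {
		return fail("proof of possession failed")
	}
	d.EnterpriseOK, d.Reason = true, "enterprise identity valid"
	return d
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Scenario stands up a constructed enterprise CA, issues two device certificates "at manufacturing", revokes one,
// and evaluates a healthy device, the revoked device, and a device presenting the healthy certificate without its key.
func Scenario() (healthy, revoked, stolen Decision) {
	now, year := time.Now(), 365*24*time.Hour
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Fleet CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * year), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64, hwID string) ([]byte, *ecdsa.PrivateKey) {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // in production: generated inside the SE
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: hwID},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(5 * year), KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		return must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)), key
	}
	certA, keyA := issue(1001, "device-A") // made-up hardware identifiers
	certB, keyB := issue(1002, "device-B")
	// The enterprise revokes device B. Nothing here touches the MNO, the IMSI or the USIM.
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1002), RevocationTime: now}},
	}, ca, caKey))))
	nonce := []byte("backend nonce 0001") // constructed; a real backend draws a fresh random nonce per contact
	sign := func(k *ecdsa.PrivateKey) []byte {
		h := sha256.Sum256(nonce)
		return must(ecdsa.SignASN1(rand.Reader, k, h[:]))
	}
	healthy = Evaluate(ca, crl, DeviceContact{true, certA, nonce, sign(keyA)}, now)
	revoked = Evaluate(ca, crl, DeviceContact{true, certB, nonce, sign(keyB)}, now)
	stolen = Evaluate(ca, crl, DeviceContact{true, certA, nonce, sign(keyB)}, now)
	return
}
```

The revoked device's result is the state Decision 1 asks the backend to handle explicitly: TransportOK is true, EnterpriseOK is false, and Reason records why, so wipe and telemetry commands can still be routed to it while configuration and data operations are declined. The stale-CRL branch is the other case worth noticing: when the backend cannot establish revocation state it declines enterprise operations rather than falling back to "the device is on the network, so it is probably fine".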
Decision 3 — Security domain partitioning in co-resident implementations
For deployments where the USIM/eUICC and the enterprise credential SE are the same physical chip, the GlobalPlatform security domain architecture governs the partitioning.
The USIM application and the enterprise credential applet must reside in separate security domains with no cross-domain data access. The GSMA and GlobalPlatform specifications define this partitioning for eUICC implementations. However, compliance with these specifications varies across eUICC vendors, and implementation verification is a deployment-time responsibility, not a specification-time guarantee.
Verification requirements:
- Confirm that the eUICC vendor's implementation partitions USIM and enterprise credential security domains correctly
- Validate that applet loading procedures for the enterprise credential applet use a separate keyed security domain from the MNO security domain
- Confirm that the Card Manager or eUICC OS does not provide cross-domain data access paths that the specification forbids but an implementation may nevertheless contain (for example, a shareable interface or global service reachable from both applets)
Deployment Pattern: eSIM with Enterprise Certificate
In an eSIM-integrated device carrying both credentials on the eUICC:
- At manufacturing: the eUICC receives its initial key material (for enterprise OTA channel) via the manufacturing HSM. The EID is registered in the fleet management backend.
- At activation: the LPA queries the SM-DS using the EID and downloads the MNO profile via the SM-DP+ RSP flow. The enterprise PKI certificate is issued by the enterprise CA and installed in the enterprise security domain via the SCP03-protected OTA channel.
- In operation: LTE network authentication uses the USIM credential in the MNO security domain. Fleet management authentication uses the enterprise PKI certificate in the enterprise security domain. The two operations use different key material, different protocols, and different validation chains — but both operate on the same physical eUICC.
- On revocation: enterprise certificate revocation is executed by the enterprise CA. The device remains network-attached. Fleet management operations are declined. OTA commands for remote wipe or lifecycle termination are delivered via the still-active network channel.
Summary
The LTE network identity and the enterprise device identity are independent credential systems that happen to co-reside on the same physical device. Their independence is not a design gap — it is a deliberate architectural property that enables independent revocation, independent governance, and the maintenance of a network channel for device management operations after enterprise identity is revoked.
Correctly integrating these two contexts requires explicit design at three points: the authentication context boundary (network presence is not enterprise authorisation), revocation propagation (independent, coordinated, not automatic), and security domain partitioning (specification compliance and implementation verification).
These decisions made explicitly, during system design, produce a correctly architected dual-context identity system. Left to defaults, they produce integration points that behave unpredictably at the specific moments — revocation, incident response, decommissioning — when correct behaviour matters most.
Related Articles
- eSIM/eUICC Provisioning Architecture: RSP, SM-DP+, and LPA Integration
- Trust Chain Architecture: From Manufacturing HSM to Deployed Device
- Hardware-Backed Authentication: SE vs TEE vs TPM
- Device Identity at Manufacturing Scale: Fleet Provisioning Architecture