Question

Does SM-DP+ have access to MNO-specific keys in the eSIM realm?

As you know, in the eSIM realm, for the customer model, the SM-DP+ is responsible for loading the MNO-provided profile into the eSIM chip; after loading such a profile, the final end user can authenticate himself/herself to the MNO network in order to utilize operator services. Additionally, utilizing such a profile in the eSIM, the MNO is provided with the capability to communicate securely with the eSIM, on a communication channel different from the one the SM-DP+ utilized.


My question is about the separation of accesses. More specifically, given that the profile is loaded by the SM-DP+, I am curious to know whether the SM-DP+ has access to the user's authentication keys for MNO network authentication (such as Ki), and whether the SM-DP+ has access to the MNO-SD OTA keys.

One may answer "No" to both questions I asked above; but in that case, given that the profile is loaded by the SM-DP+, I can imagine only two scenarios to prevent such a problem:

  1. The MNO provides the profile containing the network authentication keys and the MNO-SD OTA keys in an encrypted format that the SM-DP+ is not able to decrypt.
  2. The profile the MNO provides to the SM-DP+ does not have these fields inside, but only some primary initial information that helps the user load such parameters over a different channel.

For the first approach, the eSIM would already have to contain a pre-shared key between the MNO and the eSIM, which is not the case; the manufacturer only loads the eSIM with SM-DP+ authentication keys in the first step.

And for the second approach, the SM-DP+ still has access to keys that it could misuse to obtain MNO and user credentials that are not necessary for SM-DP+ functionality.

So, can someone please clarify how access to the MNO credentials is controlled in the eSIM realm? Are SM-DP+ entities fully trusted by different MNOs to have all the keys in plaintext?

1 Jan 1970

Solution


The IPP that is transferred through ES8+ to the eSIM contains everything, and the DP+ is the one encrypting it, so it is the trusted party in the ecosystem. In case other keys are generated/put through OTA in the enabled ISD-P (after installation), then with a proper implementation it's not possible to extract them in a commercial eSIM, but it cannot include the Ki.

2024-07-10
amin bakhtvar

Solution


The SM-DP+ is responsible for the entire chain from the plain-text profile (called UPP, unprotected profile package) to the PPP (protected profile package) and BPP (bound profile package).

So yes, the SM-DP+ is the very entity that has full access to all of the key material that goes into an eSIM profile:

  • the K+OPc for USIM authentication to the cellular network
  • any SCP80/81/02/03 keys of the MNO-SD/ISD-P for secure channel access
  • any other key materials the eSIM profile issuing operator might be putting in their eSIM profile.

Regarding the "sources to back this up" comment: simply follow the SGP.21 and SGP.22 specs, which describe the entire process. I've implemented it in https://osmocom.org/projects/pysim/wiki/Osmo-smdpp in case you prefer reading source code.

2024-07-19
Harald Welte
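The chain this answer describes, the UPP held in clear at the SM-DP+ and then protected and bound to a single eUICC, as an added Go example that is not part of the answer or of the osmo-smdpp project: the SM-DP+ side parses K, OPc and an OTA key out of the MNO's package before it encrypts anything, the target eUICC derives the same session key from the two one-time ECDH keys and recovers the same fields, and a second eUICC with a different one-time key gets an authentication error instead of plaintext. The JSON encoding of the UPP, the labelled SHA-256 in place of the X9.63 KDF, and AES-GCM in place of SCP03t segments are simplifications assumed for the example, and every key value is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// UPP is a toy unprotected profile package carrying the fields the answer
// names. The real UPP is an ASN.1 sequence of profile elements, not JSON;
// every value used below is constructed for this example.
type UPP struct {
	IMSI string
	K    []byte // USIM authentication key
	OPc  []byte
	KIc  []byte // one MNO-SD OTA (SCP80) key
}

// BPP is the bound profile package: the protected UPP plus the SM-DP+
// one-time public key the eUICC needs to derive the same session key.
type BPP struct{ OtPKDP, Nonce, Payload []byte }

// must panics on error; acceptable because this demo has no recovery path.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// decode parses UPP bytes, as the SM-DP+ does when it ingests the MNO's UPP.
func decode(b []byte) (UPP, error) {
	var p UPP
	err := json.Unmarshal(b, &p)
	return p, err
}

// sessionAEAD derives the protection key from the ECDH agreement of the two
// sides' one-time keys (otSK/otPK in SGP.22 terms). SGP.22 uses an X9.63-style
// KDF giving S-ENC and S-MAC for SCP03t; labelled SHA-256 into AES-GCM is a simplification.
func sessionAEAD(own *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(secret, "example-profile-protection"...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Bind is the SM-DP+ side. It holds the UPP in clear, and therefore every key
// inside it, and binds it to the single eUICC that owns otPKEUICC.
func Bind(upp []byte, otPKEUICC *ecdh.PublicKey) (BPP, error) {
	otSKDP := must(ecdh.P256().GenerateKey(rand.Reader))
	aead, err := sessionAEAD(otSKDP, otPKEUICC)
	if err != nil {
		return BPP{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return BPP{OtPKDP: otSKDP.PublicKey().Bytes(), Nonce: nonce,
		Payload: aead.Seal(nil, nonce, upp, nil)}, nil
}

// Unbind is the eUICC side: only the holder of otSKEUICC recovers the UPP;
// any other key yields an authentication error instead of plaintext.
func Unbind(b BPP, otSKEUICC *ecdh.PrivateKey) ([]byte, error) {
	otPKDP, err := ecdh.P256().NewPublicKey(b.OtPKDP)
	if err != nil {
		return nil, err
	}
	aead, err := sessionAEAD(otSKEUICC, otPKDP)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Payload, nil)
}

// RunExchange plays MNO -> SM-DP+ -> eUICC with constructed key values and
// returns what the SM-DP+ read, what the target eUICC recovered, and the
// outcome of a second eUICC trying to open the same package.
func RunExchange() (seen, onCard UPP, otherEUICC error) {
	profile := UPP{IMSI: "001010123456789", K: bytes.Repeat([]byte{0x0f}, 16),
		OPc: bytes.Repeat([]byte{0xa5}, 16), KIc: bytes.Repeat([]byte{0x11}, 16)}
	upp := must(json.Marshal(profile)) // what the MNO hands to the SM-DP+
	seen = must(decode(upp))           // the SM-DP+ reads K, OPc and KIc right here
	euicc := must(ecdh.P256().GenerateKey(rand.Reader)) // otSK.EUICC of the target card
	bpp := must(Bind(upp, euicc.PublicKey()))
	onCard = must(decode(must(Unbind(bpp, euicc))))
	_, otherEUICC = Unbind(bpp, must(ecdh.P256().GenerateKey(rand.Reader))) // another eUICC
	return seen, onCard, otherEUICC
}

func main() { fmt.Println(RunExchange()) }
```

The point to take from the flow is where the plaintext lives: the MNO's scenario 1 from the question (a blob the SM-DP+ cannot open) has no place in it, because the session key is derived between the SM-DP+ and the eUICC, so the SM-DP+ is by construction the party that sees K before it seals the package; confidentiality is only enforced from the SM-DP+ onward, and only towards one eUICC.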