1EAP-SIMAuthenticationH.HaverinenandJ.Salowey,EAPSIMAuthentication,RFC4186,January,2006()2Outline•Protocolfeatures•Background:GSMSIMAuthentication•EAP-SIMvs.GSMSIM•Protocolflow•Messageformat3EAP-SIMProtocolFeatures•Challenge-responsemechanism•UsingGSMSubscriberIdentityModule(SIM)•EnhanceGSMauthentication•KeyingmaterialisdifferentfromGSMSIM•Mutualauthentication•Re-authentication•Optionalidentity-privacysupport•Optionalless-expensiveauthenticationsupport4GSM/GPRSSIMAuthentication(1/2)MSIMSIRAND,SRES,KcMasterkeyKiMasterkeyKi(storedonSIM)A3RANDKiSRESKcA8VLR/SGSNHLRMS:MobileStationVLR:VisitorLocationRegisterHLR:HomeLocationRegisterSGSN:SupportingGPRSServiceNodeIMSI:InternationalMobileSubscriberIdentityKi:GSMsubscriberauthenticationkeyKc:GSMcipherkeySRES:signedresponses5GSM/GPRSSIMAuthentication(2/2)HLRMSVLR/SGSNRANDMasterkeyKiSRESCheckwhetherSRES==SRESA3RANDKiSRESKcA86GSMSecurityArchitecture7EAPSIMvs.GSMSIM•Same–UsingA3/A8algorithms–GenerateSRES(32-bitresult/response)andKc(64-bitcipherkey)•Different–ClientchoosesfreshrandomnumberNONCE_MT(mobileterminal)–SeveralRANDchallengestogenerateseveralKc–StrongerkeyingmaterialderivedfromNONCE_MTandnKc–MessageAuthenticationCode(MAC)–Mutualauthentication8ClientAuthenticatorEAP-Request/IdentityEAP-Response/Identity(User’sNAI)Roundtrip1EAP-Request/SIM/Start(AT_VERSION_LIST)EAP-Response/SIM/Start(AT_NONCE_MT,AT_SELECTED_VERSION)EAP-Request/SIM/Challenge(AT_RAND,AT_MAC)Roundtrip2ClientrunsGSMalgorithms,verifiesAT_MACandderivessessionkeysEAP-Response/SIM/Challenge(AT_MAC)EAP-SuccessRoundtrip3EAPSIMProtocolFlow9Station(Client)SIMKcSRESSHA1HMAC-SHA1MACMACAuthenticationServerHMAC-SHA1MACMACHLR/AuCRANDHMAC-SHA1HMAC-SHA1Equal?A8A3MKPRFK_encrSHA1MKPRFEqual?NONCE_MTEAP-SIM認證方法方塊圖(Packets:EAPpackettobesent;Packetr:receivedEAPpacket)nnK_autMSKEMSKnnnK_encrK_autMSKEMSKPacketrPacketsPacketsPacketrKcSRESA8A310IdentityManagement•Onlyforroundtrip1•Usingnetworkaccessidentifier(NAI)–參見RFC(RequestforComments)2486–所有RFC文件均可自免費下載–username@realm–EAP-SIMusesthreetypesofNAI•Permanent•Pseudonym•Re-authentication11IdentityManagement:UserPortion•PermanentID–MaybederivedfromIMSI(InternationalMobileSubscriberIdentity)•Format:“1”IMSI(leading“1”,ASCII0x31)–MaybenotbasedonIMSI•PseudonymID–Optionalidentityprivacysupport–EquivalenttobutseparatefromTMSI–ReceivedfromAT_NEXT_PSEUDONYM•Formatcouldbe”2”IMSI(ASCII0x32)•Re-authenticationID–ReceivedfromAT_NEXT_REAUTH_ID–One-timeidentity12IdentityManagement:RealmPortion•Operatormayreservespecificrealm•Clientmaychooserealm•ClientmayderiverealmfromIMSI–IMSI格式–例:–MCC:MobileCountryCode,MNC:MobileNetworkCode,MSIN:MobileStationIdentityNumber–Derivedrealm:456.123.owlan.org–MNCmaybe2-or3-digits–IANAhasreserved“owlan.org”forNAIrealmgeneratedfromIMSIMCCMNCMSIN12345678909876513ClientAuthenticatorServerdoesnothaveanysubscriberIDavailablewhenstartingEAP/SIMEAP-Request/IdentityEAP-Response/Identity(withoutuser’sNAI)EAP-Req/SIM/Start(AT_ANY_ID_REQ,AT_VERSION_LIST)(AT_FULLAUTH_ID_REQ(AT_PERMANENT_ID_REQEAP-Response/SIM/Start(AT_IDENTITY,AT_NONCE_MT,AT_SELECTED_VERSION)PERMANENTIDPSEUDONYMIDServerRequestsSubscriberID14ServerRequestsSubscriberID:WorstCaseServerdoesn’thaveanysubscriberIDavailablewhenstartingEAP/SIMClientAuthenticatorEAP-Request/SIM/Start(AT_ANY_ID_REQ,AT_VERSION-LIST)EAP-Response/SIM/Start(Re-authenticationID)Serverdoesn’tacceptthisre-authenticationIDEAP-Request/SIM/Start(AT_FULLAUTH_ID_REQ,AT_VERSION_LIST)EAP-Response/SIM/Start(PseudonymID,AT_NONCE_MT,AT_SELECTED_VERSION)ServerfailstodecodethispseudonymEAP-Request/SIM/Start(AT_PERMANENT_ID_REQ,AT_VERSION_LIST)EAP-Response/SIM/Start(PermanentID,AT_NONCE_MT,AT_SELECTED_VERSION)15VersionNegotiation•Performedinfullauthentication•AT_VERSION_LIST•ServerincludelistofversionsofEAP-SIMmethodsthatitimplements•Clientrespondswithselectedversionorsimplyignores•AT_SELECTED_VERSIONcontributestoMAC•Versioninthisdocument:0x000116Re-Authentication•Fullauthenticationiscostlyforfrequentuse•Lessexpensive(bypassusingA3/A8)•Fewerroundtrips•Fastreconnect•Upperlimitnumberofsubsequentre_auths–16-bitcounter(0xFFFF)•Optional17ClientAuthenticatorEAP-Request/IdentityEAP-Resp./Identity(re-authID)EAP-Request/SIM/Reauth(AT_IV,AT_ENCR_DATA,*AT_COUNTER,*AT_NONCE_S,*AT_NEXT_REAUTH_ID,AT_MAC)ServerrecognizesthisIDandagreesonusingfastre-authEAP-Response/SIM/Reauth(AT_IV,AT_ENCR_DATA,*AT_COUNTERwithsamevalue,AT_MAC)ClientverifiesAT_MACandthefreshnessofcounter.Clientmaystorethenewre-authIDfornextre-authSerververifiesAT_MACandcounterEAP-SuccessRe-AuthenticationMessageFlow18ClientAuthenticatorEAP-Req/IdentityEAP-Resp/Identity(re-authID)EAP-Request/SIM/Reauth(AT_IV,AT_ENCR_DATA,*AT_COUNTER,*AT_NONCE_S,*AT_NEXT_REAUTH_ID,AT_MAC)ServerrecognizestheIDandagreesonusingfastre-authEAP-Response/SIM/Reauth(AT_IV,AT_ENCR_DATA,*AT_COUNTER_TOO_SMALL,*AT_COUNTER,AT_MAC)AT_MACisvalidbutthecounterisnotfreshSerververifyAT_MACanddetectsAT_COUNTER_TOO_SMALLEAP-Req./SIM/Start(AT_VERSION_LIST)NormalfullauthenticationfollowsRe-Aut