WIFI中EAP-SIM认证分析

WIFI中EAP-SIM认证分析

一  关键术语

AAA protocol

    Authentication, Authorization, and Accounting protocol

AuC

    Authentication Centre. The GSM network element that provides the authentication triplets for authenticating the subscriber.

Authentication vector

    GSM triplets can be alternatively called authentication  vectors.

Fast re-authentication

    An EAP-SIM authentication exchange that is based on keys derived upon a preceding full authentication exchange. The GSM authentication and key exchange algorithms are not used in the fast re-authentication procedure.

Fast Re-authentication Identity

   A fast re-authentication identity of the peer, including an NAI realm portion in environments where a realm is used.  Used on fast re-authentication only.

Fast Re-authentication Username

   The username portion of fast re-authentication identity, i.e., not including any realm portions.

Full authentication

   An EAP-SIM authentication exchange based on the GSM authentication and key agreement algorithms.

GSM

   Global System for Mobile communications.

GSM Triplet

   The tuple formed by the three GSM authentication values RAND, Kc, and SRES.

IMSI

   International Mobile Subscriber Identifier, used in GSM to identify subscribers.

MAC

   Message Authentication Code

NAI

   Network Access Identifier

Nonce

A value that is used at most once or that is never repeated within the same cryptographic context.  In general, a nonce can be predictable (e.g., a counter) or unpredictable (e.g., a random value). Since some cryptographic properties may depend on the randomness of the nonce, attention should be paid to         whether a nonce is required to be random or not. In this document, the term nonce is only used to denote random nonces, and it is not used to denote counters.

Permanent Identity

    The permanent identity of the peer, including an NAI realm portion in environments where a realm is used. The permanent identity is usually based on the IMSI. Used on full authentication only.

Permanent Username

   The username portion of permanent identity, i.e., not including any realm portions.

Pseudonym Identity

  A pseudonym identity of the peer, including an NAI realm portion in environments where a realm is used. Used on full authentication only.

Pseudonym Username

   The username portion of pseudonym identity, i.e., not including any realm portions.

SIM

   Subscriber Identity Module.  The SIM is traditionally a smart card distributed by a GSM operator.

二 包格式

EAP-SIM 的Type 为18

三 关键字段

3.1 AT_IDENTITY

3.2 AT_RAND

3.3 AT_MAC

3.4 AT_IV, AT_ENCR_DATA, and AT_PADDING

四 关键字段在消息中的分布

五 EAP-SIM消息交互流程

六 Algorithm A3

从Ki和RAND计算出SRES

Algorithm A3 is considered as a matter for GSM PLMN operators. Therefore, only external specifications are given. However a proposal for a possible Algorithm A3 is managed by GSM/MoU and available upon appropriate request.

6.1 Purpose

As defined in GSM 03.20, the purpose of Algorithm A3 is to allow authentication of a mobile subscriber's identity.

To this end, Algorithm A3 must compute an expected response SRES from a random challenge RAND sent by the network. For this computation, Algorithm A3 makes use of the secret authentication key Ki.

6.2 Implementation and operational requirements

On the MS side, Algorithm A3 is contained in a Subscriber Identity Module, as specified in GSM 02.17.

On the network side, it is implemented in the HLR or the AuC. The two input parameters (RAND and Ki) and the output parameter (SRES) of Algorithm A3 shall use the following formats:

-     length of Ki:            128 bits;

-     length of RAND:    128 bits;

-     length of SRES:       32 bits.

The run-time of Algorithm A3 shall be less than 500 ms.

七 Algorithm A8

从Ki和RAND计算出Kc

Algorithm A8 is considered as a matter for GSM PLMN operators as is Algorithm A3.

A proposal for a possible Algorithm A8 is managed by GSM/MoU and available upon appropriate request.

7.1 Purpose

As defined in GSM 03.20, Algorithm A8 must compute the ciphering key Kc from the random challenge RAND sent during the authentication procedure, using the authentication key Ki.

7.2 Implementation and operational requirements

On the MS side, Algorithm A8 is contained in the SIM, as specified in GSM 02.17.

On the network side, Algorithm A8 is co-located with Algorithm A3.

The two input parameters (RAND and Ki) and the output parameter (Kc) of Algorithm A8 shall follow the following formats:

-     length of Ki:  128 bits;

-     length of RAND:    128 bits;

-     length of Kc:   64 bits.

Since the maximum length of the actual ciphering key is fixed by GSM/MoU, Algorithm A8 shall produce this actual ciphering key and extend it (if necessary) into a 64 bit word where the non-significant bits are forced to zero. It is assumed that any non-significant bits are the least significant bits and that, the actual ciphering key is contained in the most significant bits. For signalling and testing purposes the ciphering key Kc has to considered to be 64 unstructured bits.

八 TCPDUMP包

具体TCPDUMP包见https://download.csdn.net/download/bobhu4201/89730088