draft-haverinen-pppext-eap-sim-05.txt
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     AT_IV     |  Length = 5   |           Reserved            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|               Initialization Vector (optional)                |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_ENCR_DATA  |    Length     |           Reserved            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
.                   Encrypted Data (optional)                   .
.                                                               .
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    AT_MAC     |  Length = 5   |           Reserved            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                              MAC                              |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
1 for Request
Identifier
See [1]
Haverinen Expires in six months [Page 17]
Internet Draft EAP SIM Authentication June 2002
Length
The length of the EAP packet.
Type
18
Subtype
11
Reserved
Set to zero when sending, ignored on reception.
AT_RAND
The AT_RAND attribute MUST be included. The value field of this
attribute contains two reserved bytes followed by n GSM RANDs
(each 16 bytes long). The reserved bytes are set to zero upon
sending and ignored upon reception.
The number of RAND challenges MUST be two or three. The client
MAY silently ignore the EAP-Request/SIM/Challenge message, if the
number of RAND challenges is two while the client's local policy
requires three challenges to be used.
AT_IV
The AT_IV attribute is optional. See section 7.2.
AT_ENCR_DATA
The AT_ENCR_DATA attribute is optional. See section 7.2. The
plaintext consists of nested attributes as described below.
AT_MAC
AT_MAC MUST be included in EAP-Request/SIM/Challenge for network
authentication. See Section 7.1.
The AT_IV, AT_ENCR_DATA and AT_MAC attributes are used for identity
privacy. The plaintext of the AT_ENCR_DATA value field consists of
nested attributes, which are shown below.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_PSEUDONYM  |    Length     |    Actual Pseudonym Length    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
.                           Pseudonym                           .
.                                                               .
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  AT_PADDING   |    Length     |          Padding...           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
AT_PSEUDONYM
The AT_PSEUDONYM attribute is optional. The value field of this
attribute begins with a 2-byte actual pseudonym length field, which
specifies the length of the pseudonym in bytes. This field is
followed by a pseudonym username, of the indicated actual length,
that the client can use in the next authentication, as described
in Section 5. The username does not include any terminating null
characters. Because the length of the attribute must be a
multiple of 4 bytes, the sender pads the pseudonym with zero
bytes when necessary.
AT_PADDING
The encryption algorithm requires the length of the plaintext to
be a multiple of 16 bytes. The sender may need to include the
AT_PADDING attribute as the last attribute within AT_ENCR_DATA.
The AT_PADDING attribute is not included if the total length of
other nested attributes within the AT_ENCR_DATA attribute is a
multiple of 16 bytes. As usual, the Length of the Padding
attribute includes the Attribute Type and Attribute Length
fields. The Length of the Padding attribute is 4, 8 or 12 bytes.
It is chosen so that the length of the value field of the
AT_ENCR_DATA attribute becomes a multiple of 16 bytes. The actual
pad bytes in the value field are set to zero (0x00) on sending.
The recipient of the message MUST verify that the pad bytes are
set to zero, and silently drop the message if this verification
fails.
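As an added example (not code from the draft), the following Python builds the AT_ENCR_DATA plaintext described above, a nested AT_PSEUDONYM followed by AT_PADDING only when the total is not a multiple of 16 bytes, and a receiver-side parser that enforces the padding rules, including the MUST check that every pad byte is zero. The attribute type codes are assumed placeholders, since the draft's attribute table is not on this page.

```python
import struct

# Attribute type codes are ASSUMED placeholders: the draft's attribute
# table is not on this page (values chosen to match RFC 4186's later
# assignments, which this draft revision may not share).
AT_PSEUDONYM = 132
AT_PADDING = 6


def encode_pseudonym(pseudonym: bytes) -> bytes:
    """AT_PSEUDONYM: type, Length in 4-byte units, 2-byte actual length, zero-padded username."""
    body = pseudonym + b"\x00" * ((-len(pseudonym)) % 4)  # no NUL terminator
    length = (4 + len(body)) // 4
    return struct.pack("!BBH", AT_PSEUDONYM, length, len(pseudonym)) + body


def encr_data_plaintext(nested: bytes) -> bytes:
    """Append AT_PADDING (4, 8 or 12 bytes, value field all zero) only when needed."""
    rem = len(nested) % 16
    if rem == 0:
        return nested
    pad_total = 16 - rem  # 4, 8 or 12 bytes; Length field = pad_total // 4
    return nested + struct.pack("!BB", AT_PADDING, pad_total // 4) + b"\x00" * (pad_total - 2)


def parse_plaintext(data: bytes):
    """Return the pseudonym, or None when the receiver must silently drop the message."""
    if len(data) % 16:
        return None
    pos, pseudonym = 0, None
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        total = alen * 4
        if alen == 0 or pos + total > len(data):
            return None
        value = data[pos + 2:pos + total]
        if atype == AT_PSEUDONYM:
            actual = struct.unpack("!H", value[:2])[0]
            if actual > len(value) - 2:
                return None
            pseudonym = value[2:2 + actual]
        elif atype == AT_PADDING:
            # MUST be the last attribute, 4..12 bytes long, every pad byte zero.
            if pos + total != len(data) or total not in (4, 8, 12) or any(value):
                return None
        else:
            return None  # example simplification: no other nested attributes handled
        pos += total
    return pseudonym
```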
12. EAP-Response/SIM/Challenge
The format of the EAP-Response/SIM/Challenge packet is shown below.
As specified in Section 7, EAP-Response/SIM/Challenge MAY include
the AT_MAC attribute to integrity protect the EAP packet. Later
versions of this protocol MAY make use of the AT_ENCR_DATA and AT_IV
attributes in this message to include encrypted (skippable)
attributes. AT_MAC, AT_ENCR_DATA and AT_IV attributes are not shown
in the figure below. If present, they are processed as in EAP-
Request/SIM/Challenge packet. The EAP server MUST process EAP-
Response/SIM/Challenge messages that include these attributes even
if the server did not implement these optional attributes.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Subtype    |           Reserved            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  AT_MAC_SRES  |  Length = 5   |           Reserved            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                                                               |
|                           MAC_SRES                            |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
2 for Response
Identifier
See [1].
Length
The length of the EAP packet.
Type
18
Subtype
11
Reserved
Set to zero when sending, ignored on reception.
AT_MAC_SRES
The AT_MAC_SRES attribute MUST be included. The value field of
this attribute contains two reserved bytes followed by the
MAC_SRES response calculated by the client (Section 15), 16
bytes. The reserved bytes are set to zero upon sending and
ignored upon reception.
13. Unsuccessful Cases
As is normal in EAP, the client is sent the EAP-Failure packet when
the authentication procedure fails on the EAP server. In EAP/SIM,
this may occur for example if the EAP server is not able to obtain
the GSM triplets for the subscriber or the EAP server receives an
incorrect MAC_SRES.
In general, if an error occurs on the client while processing a
received EAP-Request packet, the client silently ignores the EAP
packet and does not send any EAP messages to the network. Examples
of such errors, specified in detail elsewhere in this document, are
an invalid AT_MAC value, insufficient number of RAND challenges
included in AT_RAND, and an unrecognized non-skippable attribute.
As specified in [1], the EAP client must respond with EAP-
Response/Nak when it receives an EAP Request of an undesired or
unrecognized authentication type.
14. EAP/SIM Notifications
The EAP-Request/Notification, specified in [1], can be used to
convey a displayable message from the authenticator to the client.
Because these messages are free text, it may be hard for the
client to present them in the user's preferred language. Therefore,
EAP/SIM uses a separate EAP/SIM message subtype to transmit
localizable notification codes instead of the EAP-
Request/Notification packet.
The EAP server MAY issue an EAP-Request/SIM/Notification packet to
the client. The client MAY delay the processing of EAP-
Request/SIM/Notification and wait for other EAP/SIM requests. If a
valid EAP/SIM request of another subtype is received, the client MAY
silently ignore the EAP-Request/SIM notification and process the
other EAP/SIM request instead. If the client decides to process the
EAP-Request/SIM/Notification, then the client MAY show a
notification message to the user and the client MUST respond to the
EAP server with an EAP-Response/SIM/Notification packet.
Some of the notification codes are authorization related and hence
not usually considered as part of the responsibility of an EAP
method. However, they are included as part of EAP/SIM because there
are currently no other ways to convey this information to the user
in a localizable way, and the information is potentially useful for
the user. An EAP/SIM server implementation may decide never to send
these EAP/SIM notifications.
The format of the EAP-Request/SIM/Notification packet is shown
below.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Subtype    |           Reserved            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_NOTIFICATION|  Length = 1   |       Notification Code       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
1 for Request
Identifier
See [1].
Length
The length of the EAP packet.
Type
18
Subtype
12
Reserved
Set to zero when sending, ignored on reception.
AT_NOTIFICATION
The AT_NOTIFICATION attribute MUST be included. The value field
of this attribute contains a two-byte notification code. The
following code values have been reserved. The descriptions below
illustrate the semantics of the notifications. The client
implementation MAY use different wordings when presenting the
notifications to the user. The "requested service" depends on the
environment where EAP/SIM is applied.
1024 - Visited network does not have a roaming agreement with
user's home operator or a suitable roaming broker
1026