pppext-eap-sim-12.txt

使用最广泛的radius的linux的源码

Network Working Group                             H. Haverinen (editor) 
Internet Draft                                                    Nokia 
                                                    J. Salowey (editor) 
                                                                  Cisco 
Expires: 27 April, 2004                                27 October, 2003 
                                                                       


                         EAP SIM Authentication 
                 draft-haverinen-pppext-eap-sim-12.txt 


Status of this Memo 

   This document is an Internet-Draft and is subject to all provisions 
   of Section 10 of RFC2026. 

   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF), its areas, and its working groups. Note that 
   other groups may also distribute working documents as Internet-
   Drafts. 

   Internet-Drafts are draft documents valid for a maximum of six 
   months and may be updated, replaced, or obsoleted by other documents 
   at any time. It is inappropriate to use Internet- Drafts as 
   reference material or to cite them other than as "work in progress." 

   The list of current Internet-Drafts can be accessed at: 
        http://www.ietf.org/ietf/1id-abstracts.txt 

   The list of Internet-Draft Shadow Directories can be accessed at: 
        http://www.ietf.org/shadow.html. 

   Comments should be submitted to the eap@frascone.com mailing list. 

   Distribution of this memo is unlimited. 

Abstract 

   This document specifies an Extensible Authentication Protocol (EAP) 
   mechanism for authentication and session key distribution using the 
   GSM Subscriber Identity Module (SIM). The mechanism specifies 
   enhancements to GSM authentication and key agreement whereby 
   multiple authentication triplets can be combined to create 
   authentication responses and session keys of greater strength than 
   the individual GSM triplets. The mechanism also includes network 
   authentication, user anonymity support and a re-authentication 
   procedure. 






 
Haverinen and Salowey                                         [Page 1] 


Internet Draft          EAP SIM Authentication        27 October, 2003 


Table of Contents 

    
   Status of this Memo.........................................1 
   Abstract....................................................1 
   Table of Contents...........................................2 
   1. Introduction.............................................3 
   2. Terms....................................................4 
   3. Overview.................................................6 
   4. Operation................................................8 
   4.1. Version Negotiation....................................8 
   4.2. Identity Management....................................9 
   4.3. Re-Authentication.....................................25 
   4.4. EAP/SIM Notifications.................................30 
   4.5. Error Cases...........................................31 
   4.6. Key Generation........................................33 
   5. Message Format and Protocol Extensibility...............35 
   5.1. Message Format........................................35 
   5.2. Protocol Extensibility................................37 
   6. Messages................................................37 
   6.1. EAP-Request/SIM/Start.................................37 
   6.2. EAP-Response/SIM/Start................................38 
   6.3. EAP-Request/SIM/Challenge.............................38 
   6.4. EAP-Response/SIM/Challenge............................39 
   6.5. EAP-Request/SIM/Re-authentication.....................40 
   6.6. EAP-Response/SIM/Re-authentication....................40 
   6.7. EAP-Response/SIM/Client-Error.........................40 
   6.8. EAP-Request/SIM/Notification..........................40 
   6.9. EAP-Response/SIM/Notification.........................41 
   7. Attributes..............................................41 
   7.1. Table of Attributes...................................41 
   7.2. AT_MAC................................................42 
   7.3. AT_IV, AT_ENCR_DATA and AT_PADDING....................43 
   7.4. AT_VERSION_LIST.......................................45 
   7.5. AT_SELECTED_VERSION...................................46 
   7.6. AT_NONCE_MT...........................................46 
   7.7. AT_PERMANENT_ID_REQ...................................46 
   7.8. AT_ANY_ID_REQ.........................................47 
   7.9. AT_FULLAUTH_ID_REQ....................................47 
   7.10. AT_IDENTITY..........................................47 
   7.11. AT_RAND..............................................48 
   7.12. AT_NEXT_PSEUDONYM....................................49 
   7.13. AT_NEXT_REAUTH_ID....................................49 
   7.14. AT_COUNTER...........................................50 
   7.15. AT_COUNTER_TOO_SMALL.................................50 
   7.16. AT_NONCE_S...........................................50 
   7.17. AT_NOTIFICATION......................................51 
   7.18. AT_CLIENT_ERROR_CODE.................................52 
   8. IANA Considerations.....................................52 
   9. Security Considerations.................................54 
   9.1. Identity Protection...................................54 
   9.2. Mutual Authentication and Triplet Exposure............54 
   9.3. Key Derivation........................................55 
 
Haverinen and Salowey  Expires: 27 April, 2004               [Page 2] 


Internet Draft          EAP SIM Authentication        27 October, 2003 


   9.4. Dictionary Attacks....................................56 
   9.5. Credentials Reuse.....................................56 
   9.6. Integrity and Replay Protection, and Confidentiality..57 
   9.7. Negotiation Attacks...................................57 
   9.8. Fast Reconnect........................................58 
   9.9. Acknowledged Result Indications.......................58 
   9.10. Man-in-the-middle Attacks............................58 
   9.11. Generating Random Numbers............................59 
   10. Security Claims........................................59 
   11. Intellectual Property Right Notice.....................59 
   12. Acknowledgements and Contributions.....................59 
   12.1. Contributors.........................................59 
   12.2. Acknowledgements.....................................60 
   Normative References.......................................60 
   Informative References.....................................61 
   Editors' and Contributors' Contact Information.............63 
   Annex A. Test Vectors......................................64 
   Annex B. Pseudo-Random Number Generator....................72 
    
1. Introduction 

   This document specifies an Extensible Authentication Protocol (EAP) 
   [EAP] mechanism for authentication and session key distribution 
   using the GSM Subscriber Identity Module (SIM). 

   GSM authentication is based on a challenge-response mechanism. The 
   A3/A8 authentication algorithms that run on the SIM can be given a 
   128-bit random number (RAND) as a challenge. The SIM runs an 
   operator-specific algorithm, which takes the RAND and a secret key 
   Ki stored on the SIM as input, and produces a 32-bit response (SRES) 
   and a 64-bit long key Kc as output. The Kc key is originally 
   intended to be used as an encryption key over the air interface, but 
   in this protocol it is used for deriving keying material and not 
   directly used. Hence the secrecy of Kc is critical to the security 
   of this protocol. Please find more information about GSM 
   authentication in [GSM 03.20]. 

   The lack of mutual authentication is a weakness in GSM 
   authentication. The 64 bit cipher key (Kc) that is derived is not 
   strong enough for data networks where stronger and longer keys are 
   required. Hence in EAP/SIM, several RAND challenges are used for 
   generating several 64-bit Kc keys, which are combined to constitute 
   stronger keying material. In EAP/SIM the client issues a random 
   number NONCE_MT to the network, in order to contribute to key 
   derivation, and to prevent replays of EAP/SIM requests from previous 
   exchanges. The NONCE_MT can be conceived as the client's challenge 
   to the network. EAP/SIM also extends the combined RAND challenges 
   and other messages with a message authentication code in order to 
   provide message integrity protection along with mutual 
   authentication. 

   EAP/SIM specifies optional support for protecting the privacy of 
   subscriber identity using the same concept as GSM, which is using 
 
Haverinen and Salowey  Expires: 27 April, 2004               [Page 3] 


Internet Draft          EAP SIM Authentication        27 October, 2003 


   pseudonyms/temporary identifiers. It also specifies an optional re-
   authentication procedure. 

   The security of EAP/SIM builds on underlying GSM mechanisms. The 
   security properties of EAP/SIM are documented in Section 9 of this 
   document. Implementers and users of EAP/SIM are advised to carefully 
   study the security considerations in Section 9 in order to determine 
   whether the security properties are sufficient for the environment 
   in question, especially as the secrecy of Kc keys is key to the 
   security of EAP/SIM. In brief, EAP/SIM is in no sense weaker than 
   the GSM mechanisms. In some cases EAP/SIM provides better security 
   properties than the underlying GSM mechanisms, particularly if the 
   SIM credentials are only used for EAP/SIM and not re-used from 
   GSM/GPRS. Many of the security features of EAP_SIM rely upon the 
   secrecy of the Kc values in the SIM triplets, so protecting these 
   values is key to the security of the EAP-SIM protocol. In any case, 
   if the GSM authentication mechanisms are considered to be sufficient 
   for use on the cellular networks, then EAP/SIM is expected to be 
   sufficiently secure for other networks. 

   The 3rd Generation Partnership Project (3GPP) has specified an 
   enhanced Authentication and Key Exchange (AKA) architecture for the 
   Universal Mobile Telecommunications System (UMTS). The UMTS AKA 
   mechanism includes mutual authentication, replay protection and 
   derivation of longer session keys. EAP AKA [EAP AKA] specifies an 
   EAP method that is based on UMTS AKA. EAP AKA, which is a more 
   secure protocol, may be used instead of EAP/SIM, if USIMs and 3G 
   network infrastructure are available. 

2. Terms 

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
   document are to be interpreted as described in [RFC 2119]. 

   The terms and abbreviations "authenticator", "backend authentication 
   server", "EAP server", "Silently Discard", "Master Session Key 
   (MSK)", and "Extended Master Session Key (EMSK)" in this document 
   are to be interpreted as described in [EAP]. 

   This document frequently uses the following terms and abbreviations: 

   AAA protocol 

      Authentication, Authorization and Accounting protocol 

   AuC 

      Authentication Centre. The GSM network element that provides the 
      authentication triplets for authenticating the subscriber. 



 
Haverinen and Salowey  Expires: 27 April, 2004               [Page 4] 


Internet Draft          EAP SIM Authentication        27 October, 2003 


   Authentication vector 

      GSM triplets can be alternatively called authentication vectors. 

   EAP 

      Extensible Authentication Protocol. 

   GSM 

      Global System for Mobile communications. 

   GSM Triplet 

      The tuple formed by the three GSM authentication values RAND, Kc 
      and SRES 

   IMSI 

      International Mobile Subscriber Identifier, used in GSM to 
      identify subscribers. 

   MAC 

      Message Authentication Code 

   NAI 

      Network Access Identifier 

   Permanent Identity 

      The permanent identity of the peer, including an NAI realm 
      portion in environments where a realm is used. The permanent 
      identity is usually based on the IMSI. Used on full 
      authentication only. 

   Permanent Username 

      The username portion of permanent identity, ie. not including any 
      realm portions.  

   Pseudonym Identity