📄 rcf4186.txt
字号:
Network Working Group H. Haverinen, Ed.
Request for Comments: 4186 Nokia
Category: Informational J. Salowey, Ed.
Cisco Systems
January 2006
Extensible Authentication Protocol Method for
Global System for Mobile Communications (GSM)
Subscriber Identity Modules (EAP-SIM)
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
IESG Note
The EAP-SIM protocol was developed by 3GPP. The documentation of
EAP-SIM is provided as information to the Internet community. While
the EAP WG has verified that EAP-SIM is compatible with EAP, as
defined in RFC 3748, no other review has been done, including
validation of the security claims. The IETF has also not reviewed
the security of the cryptographic algorithms.
Abstract
This document specifies an Extensible Authentication Protocol (EAP)
mechanism for authentication and session key distribution using the
Global System for Mobile Communications (GSM) Subscriber Identity
Module (SIM). GSM is a second generation mobile network standard.
The EAP-SIM mechanism specifies enhancements to GSM authentication
and key agreement whereby multiple authentication triplets can be
combined to create authentication responses and session keys of
greater strength than the individual GSM triplets. The mechanism
also includes network authentication, user anonymity support, result
indications, and a fast re-authentication procedure.
Haverinen & Salowey Informational [Page 1]
RFC 4186 EAP-SIM Authentication January 2006
Table of Contents
1. Introduction ....................................................4
2. Terms ...........................................................5
3. Overview ........................................................8
4. Operation ......................................................10
4.1. Version Negotiation .......................................10
4.2. Identity Management .......................................11
4.2.1. Format, Generation and Usage of Peer Identities ....11
4.2.2. Communicating the Peer Identity to the Server ......17
4.2.3. Choice of Identity for the EAP-Response/Identity ...19
4.2.4. Server Operation in the Beginning of
EAP-SIM Exchange ...................................19
4.2.5. Processing of EAP-Request/SIM/Start by the Peer ....20
4.2.6. Attacks Against Identity Privacy ...................21
4.2.7. Processing of AT_IDENTITY by the Server ............22
4.3. Message Sequence Examples (Informative) ...................23
4.3.1. Full Authentication ................................24
4.3.2. Fast Re-authentication .............................25
4.3.3. Fall Back to Full Authentication ...................26
4.3.4. Requesting the Permanent Identity 1 ................27
4.3.5. Requesting the Permanent Identity 2 ................28
4.3.6. Three EAP-SIM/Start Roundtrips .....................28
5. Fast Re-Authentication .........................................30
5.1. General ...................................................30
5.2. Comparison to UMTS AKA ....................................31
5.3. Fast Re-authentication Identity ...........................31
5.4. Fast Re-authentication Procedure ..........................33
5.5. Fast Re-authentication Procedure when Counter Is
Too Small .................................................36
6. EAP-SIM Notifications ..........................................37
6.1. General ...................................................37
6.2. Result Indications ........................................39
6.3. Error Cases ...............................................40
6.3.1. Peer Operation .....................................40
6.3.2. Server Operation ...................................41
6.3.3. EAP-Failure ........................................42
6.3.4. EAP-Success ........................................42
7. Key Generation .................................................43
8. Message Format and Protocol Extensibility ......................45
8.1. Message Format ............................................45
8.2. Protocol Extensibility ....................................47
9. Messages .......................................................48
9.1. EAP-Request/SIM/Start .....................................48
9.2. EAP-Response/SIM/Start ....................................49
9.3. EAP-Request/SIM/Challenge .................................49
9.4. EAP-Response/SIM/Challenge ................................50
9.5. EAP-Request/SIM/Re-authentication .........................51
Haverinen & Salowey Informational [Page 2]
RFC 4186 EAP-SIM Authentication January 2006
9.6. EAP-Response/SIM/Re-authentication ........................51
9.7. EAP-Response/SIM/Client-Error .............................52
9.8. EAP-Request/SIM/Notification ..............................52
9.9. EAP-Response/SIM/Notification .............................53
10. Attributes ....................................................53
10.1. Table of Attributes ......................................53
10.2. AT_VERSION_LIST ..........................................54
10.3. AT_SELECTED_VERSION ......................................55
10.4. AT_NONCE_MT ..............................................55
10.5. AT_PERMANENT_ID_REQ ......................................56
10.6. AT_ANY_ID_REQ ............................................56
10.7. AT_FULLAUTH_ID_REQ .......................................57
10.8. AT_IDENTITY ..............................................57
10.9. AT_RAND ..................................................58
10.10. AT_NEXT_PSEUDONYM .......................................59
10.11. AT_NEXT_REAUTH_ID .......................................59
10.12. AT_IV, AT_ENCR_DATA, and AT_PADDING .....................60
10.13. AT_RESULT_IND ...........................................62
10.14. AT_MAC ..................................................62
10.15. AT_COUNTER ..............................................63
10.16. AT_COUNTER_TOO_SMALL ....................................63
10.17. AT_NONCE_S ..............................................64
10.18. AT_NOTIFICATION .........................................64
10.19. AT_CLIENT_ERROR_CODE ....................................65
11. IANA Considerations ...........................................66
12. Security Considerations .......................................66
12.1. A3 and A8 Algorithms .....................................66
12.2. Identity Protection ......................................66
12.3. Mutual Authentication and Triplet Exposure ...............67
12.4. Flooding the Authentication Centre .......................69
12.5. Key Derivation ...........................................69
12.6. Cryptographic Separation of Keys and Session
Independence .............................................70
12.7. Dictionary Attacks .......................................71
12.8. Credentials Re-use .......................................71
12.9. Integrity and Replay Protection, and Confidentiality .....72
12.10. Negotiation Attacks .....................................73
12.11. Protected Result Indications ............................73
12.12. Man-in-the-Middle Attacks ...............................74
12.13. Generating Random Numbers ...............................74
13. Security Claims ...............................................74
14. Acknowledgements and Contributions ............................75
14.1. Contributors .............................................75
14.2. Acknowledgements .........................................75
14.2.1. Contributors' Addresses ...........................77
15. References ....................................................78
15.1. Normative References .....................................78
15.2. Informative References ...................................79
Haverinen & Salowey Informational [Page 3]
RFC 4186 EAP-SIM Authentication January 2006
Appendix A. Test Vectors .........................................81
A.1. EAP-Request/Identity .....................................81
A.2. EAP-Response/Identity ....................................81
A.3. EAP-Request/SIM/Start ....................................82
A.4. EAP-Response/SIM/Start ...................................82
A.5. EAP-Request/SIM/Challenge ................................83
A.6. EAP-Response/SIM/Challenge ...............................86
A.7. EAP-Success ..............................................86
A.8. Fast Re-authentication ...................................86
A.9. EAP-Request/SIM/Re-authentication ........................87
A.10. EAP-Response/SIM/Re-authentication ......................89
Appendix B. Pseudo-Random Number Generator .......................90
1. Introduction
This document specifies an Extensible Authentication Protocol (EAP)
[RFC3748] mechanism for authentication and session key distribution
using the Global System for Mobile Communications (GSM) Subscriber
Identity Module (SIM).
GSM is a second generation mobile network standard. Second
generation mobile networks and third generation mobile networks use
different authentication and key agreement mechanisms. EAP-AKA
[EAP-AKA] specifies an EAP method that is based on the Authentication
and Key Agreement (AKA) mechanism used in 3rd generation mobile
networks.
GSM authentication is based on a challenge-response mechanism. The
A3/A8 authentication and key derivation algorithms that run on the
SIM can be given a 128-bit random number (RAND) as a challenge. The
SIM runs operator-specific algorithms, which take the RAND and a
secret key Ki (stored on the SIM) as input, and produce a 32-bit
response (SRES) and a 64-bit long key Kc as output. The Kc key is
originally intended to be used as an encryption key over the air
interface, but in this protocol, it is used for deriving keying
material and is not directly used. Hence, the secrecy of Kc is
critical to the security of this protocol. For more information
about GSM authentication, see [GSM-03.20]. See Section 12.1 for more
discussion about the GSM algorithms used in EAP-SIM.
The lack of mutual authentication is a weakness in GSM
authentication. The derived 64-bit cipher key (Kc) is not strong
enough for data networks in which stronger and longer keys are
required. Hence, in EAP-SIM, several RAND challenges are used for
generating several 64-bit Kc keys, which are combined to constitute
stronger keying material. In EAP-SIM, the client issues a random
number NONCE_MT to the network in order to contribute to key
derivation, and to prevent replays of EAP-SIM requests from previous
Haverinen & Salowey Informational [Page 4]
RFC 4186 EAP-SIM Authentication January 2006
exchanges. The NONCE_MT can be conceived as the client's challenge
to the network. EAP-SIM also extends the combined RAND challenges
and other messages with a message authentication code in order to
provide message integrity protection along with mutual
authentication.
EAP-SIM specifies optional support for protecting the privacy of
subscriber identity using the same concept as the GSM, which uses
pseudonyms/temporary identifiers. It also specifies an optional fast
re-authentication procedure.
The security of EAP-SIM builds on underlying GSM mechanisms. The
security properties of EAP-SIM are documented in Section 11 of this
document. Implementers and users of EAP-SIM are advised to carefully
study the security considerations in Section 11 in order to determine
whether the security properties are sufficient for the environment in
question, especially as the secrecy of Kc keys is essential to the
security of EAP-SIM. In brief, EAP-SIM is in no sense weaker than
the GSM mechanisms. In some cases EAP-SIM provides better security
properties than the underlying GSM mechanisms, particularly if the
SIM credentials are only used for EAP-SIM and are not re-used from
GSM/GPRS. Many of the security features of EAP-SIM rely upon the
secrecy of the Kc values in the SIM triplets, so protecting these
values is key to the security of the EAP-SIM protocol.
The 3rd Generation Partnership Project (3GPP) has specified an
enhanced Authentication and Key Agreement (AKA) architecture for the
Universal Mobile Telecommunications System (UMTS). The 3rd
generation AKA mechanism includes mutual authentication, replay
protection, and derivation of longer session keys. EAP-AKA [EAP-AKA]
specifies an EAP method that is based on the 3rd generation AKA.
EAP-AKA, which is a more secure protocol, may be used instead of
EAP-SIM, if 3rd generation identity modules and 3G network
infrastructures are available.
2. Terms
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
The terms and abbreviations "authenticator", "backend authentication
server", "EAP server", "peer", "Silently Discard", "Master Session
Key (MSK)", and "Extended Master Session Key (EMSK)" in this document
are to be interpreted as described in [RFC3748].
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -