draft-haverinen-pppext-eap-sim-05.txt
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     AT_IV     |  Length = 5   |           Reserved            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                 Initialization Vector (optional)              |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | AT_ENCR_DATA  |    Length     |           Reserved            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   .                   Encrypted Data (optional)                   .
   .                                                               .
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     AT_MAC    |  Length = 5   |           Reserved            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                              MAC                              |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code

      1 for Request

   Identifier

      See [1]

Haverinen                Expires in six months                [Page 17]

Internet Draft           EAP SIM Authentication               June 2002

   Length

      The length of the EAP packet.

   Type

      18

   Subtype

      11

   Reserved

      Set to zero when sending, ignored on reception.

   AT_RAND

      The AT_RAND attribute MUST be included. The value field of this
      attribute contains two reserved bytes followed by n GSM RANDs (each
      16 bytes long). The reserved bytes are set to zero upon sending and
      ignored upon reception. The number of RAND challenges MUST be two or
      three. The client MAY silently ignore the EAP-Request/SIM/Challenge
      message, if the number of RAND challenges is two while the client's
      local policy requires three challenges to be used.

   AT_IV

      The AT_IV attribute is optional. See section 7.2.

   AT_ENCR_DATA

      The AT_ENCR_DATA attribute is optional. See section 7.2. The
      plaintext consists of nested attributes as described below.

   AT_MAC

      AT_MAC MUST be included in EAP-Request/SIM/Challenge for network
      authentication. See Section 7.1.

   The AT_IV, AT_ENCR_DATA and AT_MAC attributes are used for identity
   privacy. The plaintext of the AT_ENCR_DATA value field consists of
   nested attributes, which are shown below.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | AT_PSEUDONYM  |    Length     |    Actual Pseudonym Length    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   .                           Pseudonym                           .
   .                                                               .
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  AT_PADDING   |    Length     | Padding...                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   AT_PSEUDONYM

      The AT_PSEUDONYM attribute is optional. The value field of this
      attribute begins with 2-byte actual pseudonym length, which
      specifies the length of the pseudonym in bytes. This field is
      followed by a pseudonym username, of the indicated actual length,
      that the client can use in the next authentication, as described in
      Section 5. The username does not include any terminating null
      characters. Because the length of the attribute must be a multiple
      of 4 bytes, the sender pads the pseudonym with zero bytes when
      necessary.

   AT_PADDING

      The encryption algorithm requires the length of the plaintext to be
      a multiple of 16 bytes. The sender may need to include the
      AT_PADDING attribute as the last attribute within AT_ENCR_DATA. The
      AT_PADDING attribute is not included if the total length of other
      nested attributes within the AT_ENCR_DATA attribute is a multiple of
      16 bytes. As usual, the Length of the Padding attribute includes the
      Attribute Type and Attribute Length fields. The Length of the
      Padding attribute is 4, 8 or 12 bytes. It is chosen so that the
      length of the value field of the AT_ENCR_DATA attribute becomes a
      multiple of 16 bytes. The actual pad bytes in the value field are
      set to zero (0x00) on sending. The recipient of the message MUST
      verify that the pad bytes are set to zero, and silently drop the
      message if this verification fails.

12. EAP-Response/SIM/Challenge

   The format of the EAP-Response/SIM/Challenge packet is shown below.
   As specified in Section 7, EAP-Response/SIM/Challenge MAY include the
   AT_MAC attribute to integrity protect the EAP packet. Later versions
   of this protocol MAY make use of the AT_ENCR_DATA and AT_IV attributes
   in this message to include encrypted (skippable) attributes. AT_MAC,
   AT_ENCR_DATA and AT_IV attributes are not shown in the figure below.
   If present, they are processed as in EAP-Request/SIM/Challenge packet.
   The EAP server MUST process EAP-Response/SIM/Challenge messages that
   include these attributes even if the server did not implement these
   optional attributes.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Subtype    |           Reserved            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  AT_MAC_SRES  |  Length = 5   |           Reserved            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                            MAC_SRES                           |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code

      2 for Response

   Identifier

      See [1].

   Length

      The length of the EAP packet.

   Type

      18

   Subtype

      11

   Reserved

      Set to zero when sending, ignored on reception.

   AT_MAC_SRES

      The AT_MAC_SRES attribute MUST be included. The value field of this
      attribute contains two reserved bytes followed by the MAC_SRES
      response calculated by the client (Section 15), 16 bytes. The
      reserved bytes are set to zero upon sending and ignored upon
      reception.

13. Unsuccessful Cases

   As normally in EAP, the client is sent the EAP-Failure packet when the
   authentication procedure fails on the EAP Server. In EAP/SIM, this may
   occur for example if the EAP server is not able to obtain the GSM
   triplets for the subscriber or the EAP server receives an incorrect
   MAC_SRES.

   In general, if an error occurs on the client while processing a
   received EAP-Request packet, the client silently ignores the EAP
   packet and does not send any EAP messages to the network. Examples of
   such errors, specified in detail elsewhere in this document, are an
   invalid AT_MAC value, insufficient number of RAND challenges included
   in AT_RAND, and an unrecognized non-skippable attribute.

   As specified in [1], the EAP client must respond with
   EAP-Response/Nak when it receives an EAP Request of an undesired or
   unrecognized authentication type.

14. EAP/SIM Notifications

   The EAP-Request/Notification, specified in [1], can be used to convey
   a displayable message from the authenticator to the client. Because
   these messages are textual messages, it may be hard for the client to
   present them in the user's preferred language. Therefore, EAP/SIM uses
   a separate EAP/SIM message subtype to transmit localizable
   notification codes instead of the EAP-Request/Notification packet.

   The EAP server MAY issue an EAP-Request/SIM/Notification packet to the
   client. The client MAY delay the processing of
   EAP-Request/SIM/Notification and wait for other EAP/SIM requests. If a
   valid EAP/SIM request of another subtype is received, the client MAY
   silently ignore the EAP-Request/SIM notification and process the other
   EAP/SIM request instead. If the client decides to process the
   EAP-Request/SIM/Notification, then the client MAY show a notification
   message to the user and the client MUST respond to the EAP server with
   an EAP-Response/SIM/Notification packet.

   Some of the notification codes are authorization related and hence
   not usually considered as part of the responsibility of an EAP method.
   However, they are included as part of EAP/SIM because there are
   currently no other ways to convey this information to the user in a
   localizable way, and the information is potentially useful for the
   user. An EAP/SIM server implementation may decide never to send these
   EAP/SIM notifications.

   The format of the EAP-Request/SIM/Notification packet is shown below.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Subtype    |           Reserved            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |AT_NOTIFICATION|  Length = 1   |       Notification Code       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code

      1 for Request

   Identifier

      See [1].

   Length

      The length of the EAP packet.

   Type

      18

   Subtype

      12

   Reserved

      Set to zero when sending, ignored on reception.

   AT_NOTIFICATION

      The AT_NOTIFICATION attribute MUST be included. The value field of
      this attribute contains a two-byte notification code. The following
      code values have been reserved. The descriptions below illustrate
      the semantics of the notifications. The client implementation MAY
      use different wordings when presenting the notifications to the
      user. The "requested service" depends on the environment where
      EAP/SIM is applied.

      1024 - Visited network does not have a roaming agreement with
             user's home operator or a suitable roaming broker

      1026
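The attribute framing described in Sections 11 and 12 (Length in 4-byte units that counts the Type/Length header, two reserved bytes in front of fixed-size values, the 2-or-3 RAND rule, and the AT_PADDING check that makes the receiver silently drop a message with non-zero pad bytes, as Section 13 requires for any processing error) is shown below as an added Python example. It is not code from the draft. The numeric AT_* type codes are placeholders chosen for the example, because this page names the attributes but does not list their codes; Type 18, Subtypes 11, Code values 1 and 2 and the field widths are taken from the page. AT_MAC verification (Section 7.1) and AT_ENCR_DATA decryption (Section 7.2) need the derived keys and are left out; the example parses the plaintext that decryption would yield.

```python
import struct

# The page names these attributes but gives no numeric type codes, so the
# AT_* values are placeholders assumed for this example only.
AT_RAND, AT_PADDING, AT_MAC, AT_IV, AT_ENCR_DATA = 1, 6, 11, 129, 130
AT_PSEUDONYM, AT_MAC_SRES = 132, 140
EAP_TYPE_SIM, SUBTYPE_CHALLENGE = 18, 11   # Type 18, Subtype 11 (from the page)
CODE_REQUEST, CODE_RESPONSE = 1, 2          # EAP Code values (from the page)


def parse_attributes(data):
    """Ordered (type, value) list. Length is in 4-byte units and counts the
    2-byte header ("Length = 5" = 20 bytes). Framing error -> None (drop)."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            return None
        atype, nbytes = data[off], data[off + 1] * 4
        if nbytes < 4 or off + nbytes > len(data):
            return None
        out.append((atype, data[off + 2:off + nbytes]))
        off += nbytes
    return out


def encode_attr(atype, value):
    """Prefix the Type/Length header; header plus value must be 4-aligned."""
    total = 2 + len(value)
    if total % 4:
        raise ValueError("attribute length must be a multiple of 4 bytes")
    return bytes([atype, total // 4]) + value


def parse_rands(value, require_three=False):
    """AT_RAND: 2 reserved bytes, then two or three 16-byte GSM RANDs.
    require_three models a client policy that insists on three."""
    body = value[2:]
    if len(body) % 16:
        return None
    rands = [body[i:i + 16] for i in range(0, len(body), 16)]
    if len(rands) not in (2, 3) or (require_three and len(rands) != 3):
        return None  # client silently ignores the request
    return rands


def encode_pseudonym(name):
    """AT_PSEUDONYM: 2-byte actual length, username (no NUL), zero pad to 4."""
    value = struct.pack("!H", len(name)) + name
    return encode_attr(AT_PSEUDONYM, value + b"\x00" * (-(2 + len(value)) % 4))


def build_encr_plaintext(nested):
    """Add AT_PADDING (4, 8 or 12 bytes, zero-filled) only when the nested
    attributes are not already a multiple of 16 bytes."""
    rem = len(nested) % 16
    return nested if rem == 0 else nested + encode_attr(AT_PADDING, b"\x00" * (14 - rem))


def parse_encr_plaintext(plaintext):
    """Decode decrypted AT_ENCR_DATA. AT_PADDING must be last, 4/8/12 bytes
    long and all zero; otherwise the message is dropped (None)."""
    attrs = parse_attributes(plaintext) if len(plaintext) % 16 == 0 else None
    result = {}
    for i, (atype, value) in enumerate(attrs or []):
        if atype == AT_PADDING and (i != len(attrs) - 1
                                    or len(value) not in (2, 6, 10) or any(value)):
            return None  # bad padding: silently drop
        if atype == AT_PSEUDONYM:
            (n,) = struct.unpack("!H", value[:2])
            if n > len(value) - 2:
                return None
            result["pseudonym"] = value[2:2 + n]
    return None if attrs is None else result


def build_packet(code, ident, attrs):
    """EAP header (Code, Identifier, Length), Type 18, Subtype 11, Reserved=0."""
    body = b"".join(attrs)
    return struct.pack("!BBHBBH", code, ident, 8 + len(body),
                       EAP_TYPE_SIM, SUBTYPE_CHALLENGE, 0) + body


def _challenge_attrs(pkt, code):
    """Validate the 8-byte Challenge header; return its attributes or None."""
    if len(pkt) < 8:
        return None
    c, _, length, etype, subtype = struct.unpack("!BBHBB", pkt[:6])
    if (c, etype, subtype) != (code, EAP_TYPE_SIM, SUBTYPE_CHALLENGE) or length != len(pkt):
        return None
    return parse_attributes(pkt[8:])   # bytes 6-7 are Reserved, ignored


def parse_challenge_request(pkt, require_three=False):
    """AT_RAND and AT_MAC are mandatory, AT_IV and AT_ENCR_DATA optional.
    Verifying AT_MAC (7.1) and decrypting (7.2) need keys and are omitted."""
    attrs = _challenge_attrs(pkt, CODE_REQUEST)
    by_type = dict(attrs or [])
    if attrs is None or AT_RAND not in by_type or AT_MAC not in by_type:
        return None
    rands = parse_rands(by_type[AT_RAND], require_three)
    mac = by_type[AT_MAC][2:]           # Length = 5: 2 reserved + 16 bytes
    if rands is None or len(mac) != 16:
        return None
    out = {"rands": rands, "mac": mac}
    for name, t in (("iv", AT_IV), ("encr", AT_ENCR_DATA)):
        if t in by_type:
            out[name] = by_type[t][2:]  # skip the two reserved bytes
    return out


def parse_challenge_response(pkt):
    """AT_MAC_SRES: 2 reserved bytes + 16-byte MAC_SRES. Returns MAC_SRES or None."""
    attrs = _challenge_attrs(pkt, CODE_RESPONSE)
    sres = dict(attrs or []).get(AT_MAC_SRES, b"")[2:]
    return sres if attrs is not None and len(sres) == 16 else None
```

Every parser returns None rather than raising, which maps directly onto the draft's "silently ignore" rule for malformed requests: the caller sends nothing back. A server-side implementation would additionally require that AT_MAC verification succeed before any AT_ENCR_DATA contents, including a new pseudonym, are acted on.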