draft-haverinen-pppext-eap-sim-11.txt

Linux上的802.1x 的supplicant的实现。很多supplicant程序都是基于它开发的

Point-to-Point Extensions Working Group           H. Haverinen (editor) 
Internet Draft                                                    Nokia 
                                                    J. Salowey (editor) 
                                                                  Cisco 
                                                              June 2003 
                                                                        
 
 
                         EAP SIM Authentication 
                 draft-haverinen-pppext-eap-sim-11.txt 
 
 
Status of this Memo 

   This document is an Internet-Draft and is subject to all provisions 
   of Section 10 of RFC2026. 

   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF), its areas, and its working groups. Note that 
   other groups may also distribute working documents as Internet-
   Drafts. 

   Internet-Drafts are draft documents valid for a maximum of six 
   months and may be updated, replaced, or obsoleted by other 
   documentsat any time. It is inappropriate to use Internet- Drafts as 
   reference material or to cite them other than as "work in progress." 

   The list of current Internet-Drafts can be accessed at: 
        http://www.ietf.org/ietf/1id-abstracts.txt 

   The list of Internet-Draft Shadow Directories can be accessed at: 
        http://www.ietf.org/shadow.html. 

   This document is an individual submission for the Point-to-Point 
   Extensions Working Group of the Internet Engineering Task Force 
   (IETF).  Comments should be submitted to the ietf-ppp@merit.edu 
   mailing list. 

   Distribution of this memo is unlimited. 

Abstract 

   This document specifies an Extensible Authentication Protocol (EAP) 
   mechanism for authentication and session key distribution using the 
   GSM Subscriber Identity Module (SIM). The mechanism specifies 
   enhancements to GSM authentication and key agreement whereby 
   multiple authentication triplets can be combined to create 
   authentication responses and session keys of greater strength than 
   the individual GSM triplets. The mechanism also includes network 
   authentication, user anonymity support and a re-authentication 
   procedure. 



  
Haverinen and Salowey   Expires in six months                [Page 1] 


Internet Draft          EAP SIM Authentication               June 2003 
 
 
Table of Contents 

    
   Status of this Memo.........................................1 
   Abstract....................................................1 
   Table of Contents...........................................2 
   1. Introduction.............................................3 
   2. Terms....................................................4 
   3. Overview.................................................5 
   4. Version Negotiation......................................7 
   5. Identity Management......................................8 
   5.1. User identity in EAP-Response/Identity.................8 
   5.2. Obtaining Subscriber Identity via EAP/SIM Messages....10 
   5.3. Identity Privacy Support..............................13 
   6. Re-Authentication.......................................20 
   7. Message Format..........................................25 
   8. Message Authentication and Encryption...................26 
   8.1. AT_MAC Attribute......................................26 
   8.2. AT_CHECKCODE Attribute................................27 
   8.3. AT_IV, AT_ENCR_DATA and AT_PADDING Attributes.........29 
   9. EAP-Request/SIM/Start...................................30 
   10. EAP-Response/SIM/Start.................................32 
   11. EAP-Request/SIM/Challenge..............................34 
   12. EAP-Response/SIM/Challenge.............................38 
   13. EAP-Request/SIM/Re-authentication......................39 
   14. EAP-Response/SIM/Re-authentication.....................43 
   15. Error Cases and the Usage of EAP-Failure and EAP-Success45 
   15.1. Processing Erroneous Packets.........................45 
   15.2. EAP-Failure..........................................46 
   15.3. EAP-Success..........................................46 
   16. EAP/SIM Notifications..................................46 
   17. Key Generation.........................................50 
   18. IANA Considerations....................................52 
   19. Security Considerations................................53 
   19.1. Identity Protection..................................53 
   19.2. Mutual Authentication and Triplet Exposure...........53 
   19.3. Key Derivation.......................................54 
   19.4. Dictionary Attacks...................................56 
   19.5. Credentials Reuse....................................56 
   19.6. Integrity Protection, Replay Protection and Confidentiality
       56 
   19.7. Negotiation Attacks..................................57 
   19.8. Fast Reconnect.......................................57 
   19.9. Acknowledged Result Indications......................58 
   19.10. Man-in-the-middle Attacks...........................58 
   19.11. Generating Random Numbers...........................58 
   20. Security Claims........................................58 
   21. Intellectual Property Right Notice.....................59 
   22. Acknowledgements and Contributions.....................59 
   References.................................................60 
   Editors' and Contributors' Contact Information.............62 
   Annex A. Test Vectors......................................63 
   Annex B. Pseudo-Random Number Generator....................64 
  
Haverinen and Salowey   Expires in six months                [Page 2] 


Internet Draft          EAP SIM Authentication               June 2003 
 
 
    
1. Introduction 

   This document specifies an Extensible Authentication Protocol (EAP) 
   [1] mechanism for authentication and session key distribution using 
   the GSM Subscriber Identity Module (SIM). 

   GSM authentication is based on a challenge-response mechanism. The 
   A3/A8 authentication algorithms that run on the SIM can be given a 
   128-bit random number (RAND) as a challenge. The SIM runs an 
   operator-specific algorithm, which takes the RAND and a secret key 
   Ki stored on the SIM as input, and produces a 32-bit response (SRES) 
   and a 64-bit long key Kc as output. The Kc key is originally 
   intended to be used as an encryption key over the air interface, but 
   in this protocol it is used for deriving keying material and not 
   directly used. Please find more information about GSM authentication 
   in [2]. 

   In EAP/SIM, several RAND challenges are used for generating several 
   64-bit Kc keys, which are combined to constitute stronger keying 
   material. EAP/SIM also enhances the basic GSM authentication 
   mechanism by accompanying the RAND challenges and other messages 
   with a message authentication code in order to provide mutual 
   authentication. 

   EAP/SIM specifies optional support for protecting the privacy of 
   subscriber identity and an optional re-authentication procedure. 

   The security of EAP/SIM builds on underlying GSM mechanisms. The 
   security properties of EAP/SIM are documented in Section 19 of this 
   document. Implementers and users of EAP/SIM are advised to carefully 
   study the security considerations in Section 19 in order to 
   determine whether the security properties are sufficient for the 
   environment in question. In brief, EAP/SIM is in no sense weaker 
   than the GSM mechanisms. In some cases EAP/SIM provides better 
   security properties than the underlying GSM mechanisms, particularly 
   if the SIM credentials are only used for EAP/SIM and not re-used 
   from GSM/GPRS. In any case, if the GSM authentication mechanisms are 
   considered to be sufficient for use on the cellular networks, then 
   EAP/SIM is expected to be sufficiently secure for other networks. 

   The 3rd Generation Partnership Project (3GPP) has specified an 
   enhanced Authentication and Key Exchange (AKA) architecture for the 
   Universal Mobile Telecommunications System (UMTS). The UMTS AKA 
   mechanism includes mutual authentication, replay protection and 
   derivation of longer session keys. EAP AKA [21] specifies an EAP 
   method that is based on UMTS AKA. EAP AKA may be used instead of 
   EAP/SIM if the security properties of EAP/SIM are not considered 
   sufficient. 




  
Haverinen and Salowey   Expires in six months                [Page 3] 


Internet Draft          EAP SIM Authentication               June 2003 
 
 
2. Terms 

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
   document are to be interpreted as described in RFC 2119 [3]. 

   This document frequently uses the following terms and abbreviations: 

   AAA protocol 

      Authentication, Authorization and Accounting protocol 

   AAA server 

      In this document, AAA server refers to the network element that 
      resides on the border of Internet AAA network and GSM network. 
      Cf. EAP server 

   AuC 

      Authentication Centre. The GSM network element that provides the 
      authentication triplets for authenticating the subscriber. 

   Authentication vector 

      GSM triplets can be alternatively called authentication vectors. 

   Client 

      The entity that processes the EAP protocol on the supplicant. 
      Typically, it is the end that needs to be authenticated by the 
      authenticator. The Client includes a SIM that provides the 
      subscriber credentials and securely executes sensible 
      cryptographic calculations. 

   EAP 

      Extensible Authentication Protocol. 

   EAP Server 

      The network element that terminates the EAP protocol and performs 
      the authentication of the EAP/SIM client. In this document, we 
      assume that  the EAP server functionality is implemented in a AAA 
      server. 

   GSM 

      Global System for Mobile communications. 




  
Haverinen and Salowey   Expires in six months                [Page 4] 


Internet Draft          EAP SIM Authentication               June 2003 
 
 
   GSM Triplet 

      The tuple formed by the three GSM authentication values RAND, Kc 
      and SRES 

   IMSI 

      International Mobile Subscriber Identifier, used in GSM to 
      identify subscribers. 

   MAC 

      Message Authentication Code 

   NAI 

      Network Access Identifier 

   SIM 

      Subscriber Identity Module. The SIM is an application 
      traditionally resident on smart cards distributed by GSM 
      operators. 

3. Overview