Extensible Authentication Protocol
EAP是一个认证框架,EAP本身不是认证协议,它自己不支持认证功能,它是为了承载多种认证协议而生的
EAP 提供一些公共的功能,并且允许协商所希望的认证机制。这些机制被叫做 EAP 方法,现在大约有 40 种不同的方法:
EAP-MD5—MD5Hash函数容易受到字典攻击,它被使用在不支持动态WEP的EAP中
….
EAP-SIM
EAP-AKA
EAP-AKA`
主要关注 EAP-SIM/AKA
EAP-SIM/AKA 使用从移动网络中获得的鉴权三元组(EAP-SIM认证)或者五元组(EAP-AKA),得到认证需要MAC值,以及加密用的密钥
RFC 4186
RFC 4187 EAP-AKA Authentication
EAP-SIM用于GSM网络,只支持单向认证,即支持网络认证UE,但是不支持UE认证网络。
EAP-AKA是EAP-SIM的升级版本,用于3G网络中的用户认证,支持双向认证。
EAP-AKA’是一种新的EAP认证方法,在RFC5448中定义
Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement
1. 终端,发送 UMTS AKA 认证请求给USIM卡
2. USIM对AUTN 进行验证, 从而来认证网络
2.1 AUTN 不正确, 终端将拒绝这次认证;
如果SQN 失效, 将重新发起 SQN同步
2.2 如果AUTH正确, USIM将计算出 RES, IK, CK , 返回给终端
3. 终端 从 CK 和 IK 导出所需新的密钥材料
4. 解密新的临时标识符并保存以备下次使用验证
5. 发送 含有 RES 的 EAP Response/AKA-challenge 给认证服务器
XKEY = SHA-1 (Identity | CK | IK)
FIPS 186-2 伪随机数生成器
https://www.rfc-editor.org/rfc/rfc4187.html
In the 3rd generation mobile networks, AKA is used for both radio network authentication and IP multimedia service authentication purposes.
Different user identities and formats are used for these;
the radio network uses the International Mobile Subscriber Identifier (IMSI), whereas the IP multimedia service uses the Network Access Identifier (NAI)
1. 终端向 认证服务器 发送 EAP-Request/Identity 来报告自己的身份。
2. 服务器返回 EAP-Response/Identity (包括用户的NAI)
3. 服务器运行 AKA算法,生成rand和autn
4. 服务器,下发 EAP-Request/AKA-Challenge ,里面包含
AT_RAND, AT_AUTN, AT_MAC
5. 客户端, 运行AKA算法, 验证 AUTN和MAC, 并生成RES和 session key
6. 客户端发送 EAP-Response/AKA-Challenge (包含AT_RES, AT_MAC)给服务器
7. 服务器验证RES和MAC, 发现是正确, 双方认证成功
——————–
客户端触发:
设备启动(或者设备没有重启,但是换了张 SIM卡), 并且该用户没有可用的配置时,
设备将发送一个初始http请求
—————–
永久用户名的格式
‘0’ IMSI
也就说说用户名的第一个字节是 0x30, 然后就是ascii编码的IMSI
———————–
EAP的包格式
第1个字节: Code
可能的值为
1 Request
2 Response
3 Success
4 Failure
其他值,忽略
第2个字节: Identifier
用来匹配 Request和Respone的,不然乱套了,不知道到谁是谁的响应
第3-4字节: Length
整个包的长度,包括 Code, Identifier, Length , Data
Integrity protection (AT_MAC) is based on a keyed message authentication code.
Confidentiality (AT_ENCR_DATA and AT_IV) is based on a block cipher.
The MAC algorithm is HMAC-SHA1-128 [RFC2104] keyed hash value.
(The HMAC-SHA1-128 value is obtained from the 20-byte HMAC-SHA1 value by truncating the output to 16 bytes. Hence, the length of the MAC is 16 bytes.)
The derivation of the authentication key (K_aut) used in the calculation of the MAC
On EAP-AKA full authentication, a Master Key (MK) is derived from the underlying AKA values (CK and IK keys), and the identity, as follows.
MK = SHA1(Identity|IK|CK)
The Master Key is fed into a Pseudo-Random number Function (PRF),
which generates separate Transient EAP Keys (TEKs) for protecting
EAP-AKA packets, as well as a Master Session Key (MSK) for link layer
security and an Extended Master Session Key (EMSK) for other
purposes. On fast re-authentication, the same TEKs MUST be used for
protecting EAP packets, but a new MSK and a new EMSK MUST be derived
from the original MK and from new values exchanged in the fast
re-authentication.
EAP-AKA requires two TEKs for its own purposes: the authentication
key K_aut, to be used with the AT_MAC attribute, and the encryption
key K_encr, to be used with the AT_ENCR_DATA attribute. The same
K_aut and K_encr keys are used in full authentication and subsequent
fast re-authentications.
Key derivation is based on the random number generation specified in
NIST Federal Information Processing Standards (FIPS) Publication
186-2 [PRF]. The pseudo-random number generator is specified in the
change notice 1 (2001 October 5) of [PRF] (Algorithm 1). As
specified in the change notice (page 74), when Algorithm 1 is used as
a general-purpose pseudo-random number generator, the “mod q” term in
step 3.3 is omitted. The function G used in the algorithm is
constructed via Secure Hash Standard as specified in Appendix 3.3 of
the standard. It should be noted that the function G is very similar
to SHA-1, but the message padding is different. Please refer to
[PRF] for full details. For convenience, the random number algorithm
with the correct modification is cited in Annex A.
160-bit XKEY and XVAL values are used, so b = 160. On each full
authentication, the Master Key is used as the initial secret seed-key
XKEY. The optional user input values (XSEED_j) in step 3.1 are set
to zero.
On full authentication, the resulting 320-bit random numbers x_0,
x_1, …, x_m-1 are concatenated and partitioned into suitable-sized
chunks and used as keys in the following order: K_encr (128 bits),
K_aut (128 bits), Master Session Key (64 bytes), Extended Master
Session Key (64 bytes).
On fast re-authentication, the same pseudo-random number generator
can be used to generate a new Master Session Key and a new Extended
Master Session Key. The seed value XKEY’ is calculated as follows:
XKEY’ = SHA1(Identity|counter|NONCE_S| MK)
In the formula above, the Identity denotes the fast re-authentication
identity, without any terminating null characters, from the
AT_IDENTITY attribute of the EAP-Response/AKA-Identity packet, or, if
EAP-Response/AKA-Identity was not used on fast re-authentication, it
denotes the identity string from the EAP-Response/Identity packet.
The counter denotes the counter value from the AT_COUNTER attribute
used in the EAP-Response/AKA-Reauthentication packet. The counter is
used in network byte order. NONCE_S denotes the 16-byte random
NONCE_S value from the AT_NONCE_S attribute used in the
EAP-Request/AKA-Reauthentication packet. The MK is the Master Key
derived on the preceding full authentication.
On fast re-authentication, the pseudo-random number generator is run
with the new seed value XKEY’, and the resulting 320-bit random
numbers x_0, x_1, …, x_m-1 are concatenated and partitioned into
64-byte chunks and used as the new 64-byte Master Session Key and the
new 64-byte Extended Master Session Key. Note that because K_encr
and K_aut are not derived on fast re-authentication, the Master
Session Key and the Extended Master Session key are obtained from the
beginning of the key stream x_0, x_1, ….
The first 32 bytes of the MSK can be used as the Pairwise Master Key
(PMK) for IEEE 802.11i.
When the RADIUS attributes specified in [RFC2548] are used to
transport keying material, then the first 32 bytes of the MSK
correspond to MS-MPPE-RECV-KEY and the second 32 bytes to
MS-MPPE-SEND-KEY. In this case, only 64 bytes of keying material
(the MSK) are used.