1. EAP-SIM
Using EAP-SIM for WLAN
Authentication
yliqiang@gmail.com
2005-9-13
EAP-SIM
1

2. Definition( 定义 )
• EAP-SIM is an Extensible Authentication
Protocol (EAP) [RFC3748] mechanism for
authentication and session key
distribution using the Global System for
Mobile communications (GSM)
Subscriber Identity Module (SIM).
用 GSM-SIM 卡作为 EAP 的认证和密匙
分发机制
EAP-SIM
2

3. EAP Introduction ( 简介 )
• EAP is an authentication framework which
supports multiple authentication methods.
支持多种认证机制的认证框架。
• EAP typically runs directly over data link
layers such as Point-to-Point Protocol (PPP)
or IEEE 802
EAP 通常直接运行在数据链路层如 PPP 或
IEEE 802
EAP-SIM
3

4. EAP Introduction ( 简介 )
• EAP permits the use of a backend
authentication server,with the authenticator
acting as a pass-through for some or all
methods and peers.
EAP 允许使用后台认证服务器，把认证端作为
一些或全部认证机制的转发者。
• Conceptually, EAP implementations consist
of the following components:
从概念上讲， EAP 的实现有下面这些组件构
成。
EAP-SIM
4

5. EAP-MD5
EAP-TLS
EAP-SIM
...
EAP-MD5
EAP-TLS
EAP-SIM
EAP Peer
EAP Auth.
EAP Layer
EAP Layer
IEEE 802.1X EAPOL
IEEE Logical Link
802.1X EAPOL
802.2
PPP
...
IP
802.3 802.4 802.5
802.6 802.11 ...
802.2 Logical Link
Lower Layer
Peer( 被认证者 )
EAP-SIM
PPP
802.3 802.4 802.5
802.6 802.11 ...
IP
Authenticator ( 认证
者)
5

6. EAP-MD5
EAP-TLS
EAP-SIM
...
EAP Peer
EAP Auth.
EAP Auth.
EAP Layer
EAP Layer
EAP Layer
IEEE 802.1X EAPOL
IEEE Logical Link
802.1X EAPOL
802.2
PPP
IP
802.3 802.4 802.5
802.6 802.11 ...
Peer( 被认证者 )
( 认证服务器 )
AAA:Authentication( 认
证） , Authorization ( 授
权 ), and Accounting ( 记
帐)
IP
802.3 802.4 802.5
802.6 802.11 ...
AAA/IP
Pass-through Authenticator ( 认证
者)
EAP-MD5 EAP-TLS
EAP-SIM
Radius Protocol
Authentication
Server
PPP
Lower Layer
802.2 Logical
Link
...
EAP Auth.
EAP Layer
AAA/IP
EAP-SIM
6

7. GSM authentication( 认证 )
RAND
SIM
Base Station
Ki
A3/A8
SRES
Kc
• RAND is a 128-bit random challenge issued from the base
station to the mobile.
RAND 是基站发给移动台 ( 手机 ) 的 128 比特长随机
数。
• SRES is a 32-bit response generated by A3 issued from the
mobile to the base station
SRES 是移动台 ( 手机 ) 发给基站的 32 比特长响应 , 由
A3 生成。
EAP-SIM
7

8. GSM authentication( 认证 )
• Kc is a 64-bit Cipher Key, used for A5.
Kc 是 64 比特长密匙，由 A8 生成用于数据加密
(A5) 。
• Ki is the SIM’s 128-bit individual subscriber key.
Ki 是 128 比特长 SIM 卡的密匙 ( 拥有标识 ) 。
• A3/A8 are specified by each operator rather than being
fully standardized,but usually implemented together as
COMP128.
A3/A8 定义了算法的输入输出，具体实现由厂商决定
EAP-SIM
8
，实际上厂商都采用了 COMP128 ，它同时实现了

9. EAP-SIM Introduction( 简介 )
Peer
Authenticator
AAA/RADIUS
SS7 Network
GSM/MAP/SS7
Gateway
SIM
Card
GSM Authentication
Center
• builds on underlying GSM mechanisms
构建在 GSM 认证机制之上。
EAP-SIM
9

10. EAP-SIM Introduction( 简介 )
• Provides mutual authentication
支持相互认证。
• several RAND challenges are used for
generating several 64-bit Kc keys, which
are combined to constitute stronger keying
material.
多次挑战生成多个 Kc, 组合起来生成更
强的相关密匙。
EAP-SIM
10

11. EAP-SIM Introduction( 简介 )
• EAP-SIM specifies optional support for
protecting the privacy of subscriber identity
using the same concept as GSM, which is
using pseudonyms/temporary identifiers.
EAP-SIM 支持用户身份保密 ( 可选 ) 。
• It also specifies an optional fast reauthentication procedure.
支持快速重复认证 ( 可选 )
EAP-SIM
11

12. EAP-SIM Full
Authentication
Procedure(
EAP-SIM
|
程完
)
Peer
Authenticator
|
EAP-Request/Identity
|
|<---------------------------------------------------------|
|
|
| EAP-Response/Identity
|
|--------------------------------------------------------->|
|
|
|
EAP-Request/SIM/Start (AT_VERSION_LIST) |
|<---------------------------------------------------------|
|
|
| EAP-Response/SIM/Start (AT_NONCE_MT,
AT_SELECTED_VERSION)|
|--------------------------------------------------------->|
|
|
|
EAP-Request/SIM/Challenge (AT_RAND, AT_MAC)
|<---------------------------------------------------------|
+-------------------------------------+
|
| Peer runs GSM algorithms, verifies |
|
| AT_MAC and derives session keys |
|
+-------------------------------------+
|
| EAP-Response/SIM/Challenge (AT_MAC)
|
|--------------------------------------------------------->|
|
|
|
EAP-Success |
|<---------------------------------------------------------|
|
|
全
认
证
过
12

13. Key Generation
•
•
•
•
MK = SHA1(Identity|n*Kc| NONCE_MT| Version List| Selected Version)
K_aut , K_encr , MSK and EMSK are derived from MK using Pseudo-Random number
Function (PRF)
Request AT_MAC = HMAC-SHA1-128(K_aut, EAP packet| NONCE_MT)
Response AT_MAC = HMAC-SHA1-128(K_aut,EAP packet| n*SRES)
In the formula above, the "|" character denotes concatenation.
Nonce
A value that is used at most once or that is never repeated within the
same cryptographic context.
MAC
Message Authentication Code
EAP-SIM
13

14. Indication of vulnerabilities( 弱
点)
• The security of the A3 and A8 algorithms is
important to the security of EAP-SIM.
Some A3/A8 algorithms have been compromised; see for example [GSM
Cloning] for discussion about the security of COMP-128 version 1. Note that
several revised versions of the COMP-128 A3/A8 algorithm have been
devised after the publication of these weaknesses and that the publicly
specified GSM-MILENAGE [3GPP TS 55.205] algorithm is not vulnerable
to any known attacks.
A3/A8 算法的安全性对 EAP-SIM 是至关重要的。 COMP128-v1 已经被破
解 ( 当前市面上大部分 SIM 卡用的是 COMP128-v1), 修订过的 COMP128
v2,v3 以及公开标准的 GSM-MILENAGE, 当前还没有方法攻破。
EAP-SIM
14

15. Indication of vulnerabilities( 弱
点)
• Mutual Authentication and Triplet Exposure
EAP-SIM provides mutual authentication. The peer believes that the network
is authentic because the network can calculate a correct AT_MAC value in the
EAP-Request/SIM/Challenge packet. To calculate the AT_MAC it is
sufficient to know the RAND and Kc values from the GSM triplets (RAND,
SRES, Kc) used in the authentication. Because the network selects the
RAND challenges and the triplets, an attacker that knows n (2 or 3) GSM
triplets for the subscriber is able to impersonate a valid network to the peer.
EAP-SIM 支持双向认证。被认证者相信认证者是因为认证者能计算出正
确的 AT_MAC, 要计算 AT_MAC 知道 RAND 和 Kc 就足够了。因为是认
证者选择 RAND ，攻击者只需知道几个 (2-3)Kc 就可以假装是一个有效
的认证者。
EAP-SIM
15

16. Security Claims( 安全声明 )
• Auth. mechanism: EAP-SIM is based on the GSM
SIM mechanism, which is a challenge/response
authentication and key agreement mechanism based
on a symmetric 128-bit pre-shared secret. EAP-SIM
also makes use of a peer challenge to provide mutual
authentication.
认证机理 :EAP-SIM 基于 GSM-SIM 的认证机理 , 它是
一种基于挑战 / 响应的认证和密匙分发机制，需要一个
预先共享的 128 比特长对称密匙 (Ki) 。 EAP-SIM 通过
被认证者发挑战 (NONCE_MT) 支持双向认证。
EAP-SIM
16

17. Security Claims( 安全声明 )
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Ciphersuite negotiation: No
Mutual authentication: Yes
Integrity protection: Yes
Replay protection: Yes
Confidentiality: Yes, except method specific success and failure indications
Key derivation: Yes
Description of key hierarchy:(page 13)
Dictionary attack protection: N/A
Fast reconnect: Yes
Cryptographic binding: N/A
Session independence: Yes
Fragmentation: No
Channel binding: No
Indication of vulnerabilities:(page 14,15)
EAP-SIM
17

18. Example
Using EAP-SIM for WLAN
Authentication
EAP-SIM
18

19. Requirements( 需求清单 )
• Windows XP built-in supplicant
• EAP-SIM plug-in for the Windows XP built-in
802.1x Supplicant (http://weap.sf.net)
• PC/SC compatible smart card reader
(QWY LowSpeed CCID smart card reader)
• Wireless Access Point support RADIUS
(TP-LINK TL-WR541G)
• RADIUS server support EAP-SIM
(FreeRadius 1.0.4)
EAP-SIM
19

20. Network topological diagram
( 网络拓扑图 )
simtriplets.dat
EAP-SIM
20

21. SIM Reader Installation
• Download the driver from http://agsm.sf.net
• Insert the USB smart card reader in a USB
port,specify the location of the driver.
• Insert your sim-card into smart card
reader,run agsm2.exe to make sure you can
access the sim-card.
EAP-SIM
21

22. Configure freeradius
• Download freeradius-1.0.4 from
http://www.freeradius.org
• cd freeradius-1.0.4; Configure;make install; cd
srcmodulesrlm_sim_files; make install.
• Add the following to radiusd.conf:
In modules {}, add:
sim_files {
simtriplets = " ${raddbdir}/simtriplets.dat "
}
in eap{} add sim{}
In authorized {}, add: sim_files before eap.
• Add the following to clients.conf
client 192.168.1.0/24 {secret = eap-sim shortname= eap-sim}
EAP-SIM
22

23. •Run agsm2.exe.
simtriplets.dat
#IMSI
RAND
SRES
Kc
1460001551807128,52632FE305874545AC9936926D796256,8184a227,5F05b4a2C
E884400
1460001551807128,ECEB1577E275414e9DD9EF98B277E54A,00fb682e,B6c0de73
256c0400
…………
Make
sure
insert
1
EAP-SIM
Generate
simtriplets.dat
•Copy IMSI,RAND,SRES,Kc to
simtriplets.dat, at least 5 entries.
23

24. Configure AP
EAP-SIM
24

25. EAP-SIM plug-in installation
• Download wEAP-SIM from http://weap.sf.net
• Install.
• Enable tracing.
EnableConsoleTracing :
set HKEY_LOCAL_MACHINESOFTWAREMICROSOFTTRACING
EnableConsoleTracing to nozero
set HKEY_LOCAL_MACHINESOFTWAREMICROSOFTTRACING
wEAP-SIM EnableConsoleTracing to nozero
EnableFileTracing:
set HKEY_LOCAL_MACHINESOFTWAREMICROSOFTTRACING
wEAP-SIM EnableFileTracing to nozero
EAP-SIM
25

26. Authenticate the client
EAP-SIM
26

27. References
• http://www.intel.com/technology/itj/2005/volume
09issue01/art07_next_generation/p05_simpl_netw
ork.htm
• draft-haverinen-pppext-eap-sim-16.txt
• [RFC3748] Extensible Authentication Protocol
(EAP)
• S5.Brumley-comp128.pdf
• [GSM Cloning]
http://www.isaac.cs.berkeley.edu/isaac/gsm.html
EAP-SIM
27

28. 问题 & 讨论
EAP-SIM
28