-
Notifications
You must be signed in to change notification settings - Fork 76
/
Copy pathrfc4187.txt
4427 lines (3062 loc) · 190 KB
/
rfc4187.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Network Working Group J. Arkko
Request for Comments: 4187 Ericsson
Category: Informational H. Haverinen
Nokia
January 2006
Extensible Authentication Protocol Method for 3rd Generation
Authentication and Key Agreement (EAP-AKA)
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
IESG Note
The EAP-AKA protocol was developed by 3GPP. The documentation of
EAP-AKA is provided as information to the Internet community. While
the EAP WG has verified that EAP-AKA is compatible with EAP as
defined in RFC 3748, no other review has been done, including
validation of the security claims. The IETF has also not reviewed
the security of the underlying UMTS AKA algorithms.
Abstract
This document specifies an Extensible Authentication Protocol (EAP)
mechanism for authentication and session key distribution that uses
the Authentication and Key Agreement (AKA) mechanism. AKA is used in
the 3rd generation mobile networks Universal Mobile
Telecommunications System (UMTS) and CDMA2000. AKA is based on
symmetric keys, and typically runs in a Subscriber Identity Module,
which is a UMTS Subscriber Identity Module, USIM, or a (Removable)
User Identity Module, (R)UIM, similar to a smart card.
EAP-AKA includes optional identity privacy support, optional result
indications, and an optional fast re-authentication procedure.
Arkko & Haverinen Informational [Page 1]
RFC 4187 EAP-AKA Authentication January 2006
Table of Contents
1. Introduction and Motivation .....................................4
2. Terms and Conventions Used in This Document .....................5
3. Protocol Overview ...............................................9
4. Operation ......................................................15
4.1. Identity Management .......................................15
4.1.1. Format, Generation, and Usage of Peer Identities ...15
4.1.2. Communicating the Peer Identity to the Server ......21
4.1.3. Choice of Identity for the EAP-Response/Identity ...23
4.1.4. Server Operation in the Beginning of
EAP-AKA Exchange ...................................23
4.1.5. Processing of EAP-Request/AKA-Identity by
the Peer ...........................................24
4.1.6. Attacks against Identity Privacy ...................25
4.1.7. Processing of AT_IDENTITY by the Server ............26
4.2. Message Sequence Examples (Informative) ...................27
4.2.1. Usage of AT_ANY_ID_REQ .............................27
4.2.2. Fall Back on Full Authentication ...................28
4.2.3. Requesting the Permanent Identity 1 ................29
4.2.4. Requesting the Permanent Identity 2 ................30
4.2.5. Three EAP/AKA-Identity Round Trips .................30
5. Fast Re-Authentication .........................................32
5.1. General ...................................................32
5.2. Comparison to AKA .........................................33
5.3. Fast Re-Authentication Identity ...........................33
5.4. Fast Re-Authentication Procedure ..........................35
5.5. Fast Re-Authentication Procedure when Counter is
Too Small .................................................37
6. EAP-AKA Notifications ..........................................38
6.1. General ...................................................38
6.2. Result Indications ........................................39
6.3. Error Cases ...............................................40
6.3.1. Peer Operation .....................................41
6.3.2. Server Operation ...................................41
6.3.3. EAP-Failure ........................................42
6.3.4. EAP-Success ........................................42
7. Key Generation .................................................43
8. Message Format and Protocol Extensibility ......................45
8.1. Message Format ............................................45
8.2. Protocol Extensibility ....................................47
9. Messages .......................................................48
9.1. EAP-Request/AKA-Identity ..................................48
9.2. EAP-Response/AKA-Identity .................................48
9.3. EAP-Request/AKA-Challenge .................................49
9.4. EAP-Response/AKA-Challenge ................................49
9.5. EAP-Response/AKA-Authentication-Reject ....................50
9.6. EAP-Response/AKA-Synchronization-Failure ..................50
Arkko & Haverinen Informational [Page 2]
RFC 4187 EAP-AKA Authentication January 2006
9.7. EAP-Request/AKA-Reauthentication ..........................50
9.8. EAP-Response/AKA-Reauthentication .........................51
9.9. EAP-Response/AKA-Client-Error .............................52
9.10. EAP-Request/AKA-Notification .............................52
9.11. EAP-Response/AKA-Notification ............................52
10. Attributes ....................................................53
10.1. Table of Attributes ......................................53
10.2. AT_PERMANENT_ID_REQ ......................................54
10.3. AT_ANY_ID_REQ ............................................54
10.4. AT_FULLAUTH_ID_REQ .......................................54
10.5. AT_IDENTITY ..............................................55
10.6. AT_RAND ..................................................55
10.7. AT_AUTN ..................................................56
10.8. AT_RES ...................................................56
10.9. AT_AUTS ..................................................57
10.10. AT_NEXT_PSEUDONYM .......................................57
10.11. AT_NEXT_REAUTH_ID .......................................58
10.12. AT_IV, AT_ENCR_DATA, and AT_PADDING .....................58
10.13. AT_CHECKCODE ............................................60
10.14. AT_RESULT_IND ...........................................62
10.15. AT_MAC ..................................................63
10.16. AT_COUNTER ..............................................64
10.17. AT_COUNTER_TOO_SMALL ....................................64
10.18. AT_NONCE_S ..............................................65
10.19. AT_NOTIFICATION .........................................65
10.20. AT_CLIENT_ERROR_CODE ....................................66
11. IANA and Protocol Numbering Considerations ....................66
12. Security Considerations .......................................68
12.1. Identity Protection ......................................69
12.2. Mutual Authentication ....................................69
12.3. Flooding the Authentication Centre .......................69
12.4. Key Derivation ...........................................70
12.5. Brute-Force and Dictionary Attacks .......................70
12.6. Protection, Replay Protection, and Confidentiality .......70
12.7. Negotiation Attacks ......................................71
12.8. Protected Result Indications .............................72
12.9. Man-in-the-Middle Attacks ................................72
12.10. Generating Random Numbers ...............................73
13. Security Claims ...............................................73
14. Acknowledgements and Contributions ............................74
15. References ....................................................74
15.1. Normative References .....................................74
15.2. Informative References ...................................76
Appendix A. Pseudo-Random Number Generator .......................77
Arkko & Haverinen Informational [Page 3]
RFC 4187 EAP-AKA Authentication January 2006
1. Introduction and Motivation
This document specifies an Extensible Authentication Protocol (EAP)
mechanism for authentication and session key distribution that uses
the 3rd generation Authentication and Key Agreement mechanism,
specified for Universal Mobile Telecommunications System (UMTS) in
[TS33.102] and for CDMA2000 in [S.S0055-A]. UMTS and CDMA2000 are
global 3rd generation mobile network standards that use the same AKA
mechanism.
2nd generation mobile networks and 3rd generation mobile networks use
different authentication and key agreement mechanisms. The Global
System for Mobile communications (GSM) is a 2nd generation mobile
network standard, and EAP-SIM [EAP-SIM] specifies an EAP mechanism
that is based on the GSM authentication and key agreement primitives.
AKA is based on challenge-response mechanisms and symmetric
cryptography. AKA typically runs in a UMTS Subscriber Identity
Module (USIM) or a CDMA2000 (Removable) User Identity Module
((R)UIM). In this document, both modules are referred to as identity
modules. Compared to the 2nd generation mechanisms such as GSM AKA,
the 3rd generation AKA provides substantially longer key lengths and
mutual authentication.
The introduction of AKA inside EAP allows several new applications.
These include the following:
o The use of the AKA also as a secure PPP authentication method in
devices that already contain an identity module.
o The use of the 3rd generation mobile network authentication
infrastructure in the context of wireless LANs
o Relying on AKA and the existing infrastructure in a seamless way
with any other technology that can use EAP.
AKA works in the following manner:
o The identity module and the home environment have agreed on a
secret key beforehand. (The "home environment" refers to the home
operator's authentication network infrastructure.)
o The actual authentication process starts by having the home
environment produce an authentication vector, based on the secret
key and a sequence number. The authentication vector contains a
random part RAND, an authenticator part AUTN used for
authenticating the network to the identity module, an expected
result part XRES, a 128-bit session key for integrity check IK,
and a 128-bit session key for encryption CK.
Arkko & Haverinen Informational [Page 4]
RFC 4187 EAP-AKA Authentication January 2006
o The RAND and the AUTN are delivered to the identity module.
o The identity module verifies the AUTN, again based on the secret
key and the sequence number. If this process is successful (the
AUTN is valid and the sequence number used to generate AUTN is
within the correct range), the identity module produces an
authentication result RES and sends it to the home environment.
o The home environment verifies the correct result from the identity
module. If the result is correct, IK and CK can be used to
protect further communications between the identity module and the
home environment.
When verifying AUTN, the identity module may detect that the sequence
number the network uses is not within the correct range. In this
case, the identity module calculates a sequence number
synchronization parameter AUTS and sends it to the network. AKA
authentication may then be retried with a new authentication vector
generated using the synchronized sequence number.
For a specification of the AKA mechanisms and how the cryptographic
values AUTN, RES, IK, CK and AUTS are calculated, see [TS33.102] for
UMTS and [S.S0055-A] for CDMA2000.
In EAP-AKA, the EAP server node obtains the authentication vectors,
compares RES and XRES, and uses CK and IK in key derivation.
In the 3rd generation mobile networks, AKA is used for both radio
network authentication and IP multimedia service authentication
purposes. Different user identities and formats are used for these;
the radio network uses the International Mobile Subscriber Identifier
(IMSI), whereas the IP multimedia service uses the Network Access
Identifier (NAI) [RFC4282].
2. Terms and Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
The terms and abbreviations "authenticator", "backend authentication
server", "EAP server", "peer", "Silently Discard", "Master Session
Key (MSK)", and "Extended Master Session Key (EMSK)" in this document
are to be interpreted as described in [RFC3748].
This document frequently uses the following terms and abbreviations.
The AKA parameters are specified in detail in [TS33.102] for UMTS and
[S.S0055-A] for CDMA2000.
Arkko & Haverinen Informational [Page 5]
RFC 4187 EAP-AKA Authentication January 2006
AAA protocol
Authentication, Authorization and Accounting protocol
AKA
Authentication and Key Agreement
AuC
Authentication Centre. The mobile network element that can
authenticate subscribers in the mobile networks.
AUTN
AKA parameter. AUTN is an authentication value generated by
the AuC, which, together with the RAND, authenticates the
server to the peer, 128 bits.
AUTS
AKA parameter. A value generated by the peer upon
experiencing a synchronization failure, 112 bits.
EAP
Extensible Authentication Protocol [RFC3748]
Fast Re-Authentication
An EAP-AKA authentication exchange that is based on keys
derived upon a preceding full authentication exchange. The
3rd Generation AKA is not used in the fast re-authentication
procedure.
Fast Re-Authentication Identity
A fast re-authentication identity of the peer, including an
NAI realm portion in environments where a realm is used.
Used on re-authentication only.
Fast Re-Authentication Username
The username portion of fast re-authentication identity,
i.e., not including any realm portions.
Arkko & Haverinen Informational [Page 6]
RFC 4187 EAP-AKA Authentication January 2006
Full Authentication
An EAP-AKA authentication exchange that is based on the
3rd Generation AKA procedure.
GSM
Global System for Mobile communications.
NAI
Network Access Identifier [RFC4282]
Identity Module
Identity module is used in this document to refer to the
part of the mobile device that contains authentication and
key agreement primitives. The identity module may be an
integral part of the mobile device or it may be an application
on a smart card distributed by a mobile operator. USIM and
(R)UIM are identity modules.
Nonce
A value that is used at most once or that is never repeated
within the same cryptographic context. In general, a nonce can
be predictable (e.g., a counter) or unpredictable (e.g., a
random value). Because some cryptographic properties may
depend on the randomness of the nonce, attention should be paid
to whether a nonce is required to be random or not. In this
document, the term nonce is only used to denote random nonces,
and it is not used to denote counters.
Permanent Identity
The permanent identity of the peer, including an NAI realm
portion in environments where a realm is used. The permanent
identity is usually based on the IMSI. Used on full
authentication only.
Permanent Username
The username portion of permanent identity, i.e., not including
any realm portions.
Arkko & Haverinen Informational [Page 7]
RFC 4187 EAP-AKA Authentication January 2006
Pseudonym Identity
A pseudonym identity of the peer, including an NAI realm
portion in environments where a realm is used. Used on full
authentication only.
Pseudonym Username
The username portion of pseudonym identity, i.e., not including
any realm portions.
RAND
An AKA parameter. Random number generated by the AuC,
128 bits.
RES
Authentication result from the peer, which, together with
the RAND, authenticates the peer to the server,
128 bits.
(R)UIM
CDMA2000 (Removable) User Identity Module. (R)UIM is an
application that is resident on devices such as smart cards,
which may be fixed in the terminal or distributed by CDMA2000
operators (when removable).
SQN
An AKA parameter. Sequence number used in the authentication
process, 48 bits.
SIM
Subscriber Identity Module. The SIM is traditionally a smart
card distributed by a GSM operator.
SRES
The authentication result parameter in GSM, corresponds to
the RES parameter in 3G AKA, 32 bits.
Arkko & Haverinen Informational [Page 8]
RFC 4187 EAP-AKA Authentication January 2006
UAK
UIM Authentication Key, used in CDMA2000 AKA. Both the
identity module and the network can optionally generate the UAK
during the AKA computation in CDMA2000. UAK is not used in
this version of EAP-AKA.
UIM
Please see (R)UIM.
USIM
UMTS Subscriber Identity Module. USIM is an application that
is resident on devices such as smart cards distributed by UMTS
operators.
3. Protocol Overview
Figure 1 shows the basic, successful full authentication exchange in
EAP-AKA, when optional result indications are not used. The
authenticator typically communicates with an EAP server that is
located on a backend authentication server using an AAA protocol.
The authenticator shown in the figure is often simply relaying EAP
messages to and from the EAP server, but these backend AAA
communications are not shown. At the minimum, EAP-AKA uses two
roundtrips to authenticate and authorize the peer and generate
session keys. As in other EAP schemes, an identity request/response
message pair is usually exchanged first. On full authentication, the
peer's identity response includes either the user's International
Mobile Subscriber Identity (IMSI), or a temporary identity
(pseudonym) if identity privacy is in effect, as specified in
Section 4.1. (As specified in [RFC3748], the initial identity
request is not required, and MAY be bypassed in cases where the
network can presume the identity, such as when using leased lines,
dedicated dial-ups, etc. Please see Section 4.1.2 for specification
of how to obtain the identity via EAP AKA messages.)
After obtaining the subscriber identity, the EAP server obtains an
authentication vector (RAND, AUTN, RES, CK, IK) for use in
authenticating the subscriber. From the vector, the EAP server
derives the keying material, as specified in Section 6.4. The vector
may be obtained by contacting an Authentication Centre (AuC) on the
mobile network; for example, per UMTS specifications, several vectors
may be obtained at a time. Vectors may be stored in the EAP server
for use at a later time, but they may not be reused.
Arkko & Haverinen Informational [Page 9]
RFC 4187 EAP-AKA Authentication January 2006
In CDMA2000, the vector may include a sixth value called the User
Identity Module Authentication Key (UAK). This key is not used in
EAP-AKA.
Next, the EAP server starts the actual AKA protocol by sending an
EAP-Request/AKA-Challenge message. EAP-AKA packets encapsulate
parameters in attributes, encoded in a Type, Length, Value format.
The packet format and the use of attributes are specified in
Section 8. The EAP-Request/AKA-Challenge message contains a RAND
random number (AT_RAND), a network authentication token (AT_AUTN),
and a message authentication code (AT_MAC). The EAP-Request/
AKA-Challenge message MAY optionally contain encrypted data, which is
used for identity privacy and fast re-authentication support, as
described in Section 4.1. The AT_MAC attribute contains a message
authentication code covering the EAP packet. The encrypted data is
not shown in the figures of this section.
The peer runs the AKA algorithm (typically using an identity module)
and verifies the AUTN. If this is successful, the peer is talking to
a legitimate EAP server and proceeds to send the EAP-Response/
AKA-Challenge. This message contains a result parameter that allows
the EAP server, in turn, to authenticate the peer, and the AT_MAC
attribute to integrity protect the EAP message.
The EAP server verifies that the RES and the MAC in the EAP-Response/
AKA-Challenge packet are correct. Because protected success
indications are not used in this example, the EAP server sends the
EAP-Success packet, indicating that the authentication was
successful. (Protected success indications are discussed in
Section 6.2.) The EAP server may also include derived keying
material in the message it sends to the authenticator. The peer has
derived the same keying material, so the authenticator does not
forward the keying material to the peer along with EAP-Success.
Arkko & Haverinen Informational [Page 10]
RFC 4187 EAP-AKA Authentication January 2006
Peer Authenticator
| EAP-Request/Identity |
|<------------------------------------------------------|
| |
| EAP-Response/Identity |
| (Includes user's NAI) |
|------------------------------------------------------>|
| +------------------------------+
| | Server runs AKA algorithms, |
| | generates RAND and AUTN. |
| +------------------------------+
| EAP-Request/AKA-Challenge |
| (AT_RAND, AT_AUTN, AT_MAC) |
|<------------------------------------------------------|
+-------------------------------------+ |
| Peer runs AKA algorithms, | |
| verifies AUTN and MAC, derives RES | |
| and session key | |
+-------------------------------------+ |
| EAP-Response/AKA-Challenge |
| (AT_RES, AT_MAC) |
|------------------------------------------------------>|
| +--------------------------------+
| | Server checks the given RES, |
| | and MAC and finds them correct.|
| +--------------------------------+
| EAP-Success |
|<------------------------------------------------------|
Figure 1: EAP-AKA full authentication procedure
Arkko & Haverinen Informational [Page 11]
RFC 4187 EAP-AKA Authentication January 2006
Figure 2 shows how the EAP server rejects the Peer due to a failed
authentication.
Peer Authenticator
| EAP-Request/Identity |
|<------------------------------------------------------|
| |
| EAP-Response/Identity |
| (Includes user's NAI) |
|------------------------------------------------------>|
| +------------------------------+
| | Server runs AKA algorithms, |
| | generates RAND and AUTN. |
| +------------------------------+
| EAP-Request/AKA-Challenge |
| (AT_RAND, AT_AUTN, AT_MAC) |
|<------------------------------------------------------|
+-------------------------------------+ |
| Peer runs AKA algorithms, | |
| possibly verifies AUTN, and sends an| |
| invalid response | |
+-------------------------------------+ |
| EAP-Response/AKA-Challenge |
| (AT_RES, AT_MAC) |
|------------------------------------------------------>|
| +------------------------------------------+
| | Server checks the given RES and the MAC, |
| | and finds one of them incorrect. |
| +------------------------------------------+
| EAP-Request/AKA-Notification |
|<------------------------------------------------------|
| EAP-Response/AKA-Notification |
|------------------------------------------------------>|
| EAP-Failure |
|<------------------------------------------------------|
Figure 2: Peer authentication fails
Arkko & Haverinen Informational [Page 12]
RFC 4187 EAP-AKA Authentication January 2006
Figure 3 shows the peer rejecting the AUTN of the EAP server.
The peer sends an explicit error message (EAP-Response/
AKA-Authentication-Reject) to the EAP server, as usual in AKA when
AUTN is incorrect. This allows the EAP server to produce the same
error statistics that AKA generally produces in UMTS or CDMA2000.
Peer Authenticator
| EAP-Request/Identity |
|<------------------------------------------------------|
| EAP-Response/Identity |
| (Includes user's NAI) |
|------------------------------------------------------>|
| +------------------------------+
| | Server runs AKA algorithms, |
| | generates RAND and a bad AUTN|
| +------------------------------+
| EAP-Request/AKA-Challenge |
| (AT_RAND, AT_AUTN, AT_MAC) |
|<------------------------------------------------------|
+-------------------------------------+ |
| Peer runs AKA algorithms | |
| and discovers AUTN that can not be | |
| verified | |
+-------------------------------------+ |
| EAP-Response/AKA-Authentication-Reject |
|------------------------------------------------------>|
| EAP-Failure |
|<------------------------------------------------------|
Figure 3: Network authentication fails
The AKA uses shared secrets between the Peer and the Peer's home
operator, together with a sequence number, to actually perform an
authentication. In certain circumstances, shown in Figure 4, it is
possible for the sequence numbers to get out of sequence.
Arkko & Haverinen Informational [Page 13]
RFC 4187 EAP-AKA Authentication January 2006
Peer Authenticator
| EAP-Request/Identity |
|<------------------------------------------------------|
| EAP-Response/Identity |
| (Includes user's NAI) |
|------------------------------------------------------>|
| +------------------------------+
| | Server runs AKA algorithms, |
| | generates RAND and AUTN. |
| +------------------------------+
| EAP-Request/AKA-Challenge |
| (AT_RAND, AT_AUTN, AT_MAC) |
|<------------------------------------------------------|
+-------------------------------------+ |
| Peer runs AKA algorithms | |
| and discovers AUTN that contains an | |
| inappropriate sequence number | |
+-------------------------------------+ |
| EAP-Response/AKA-Synchronization-Failure |
| (AT_AUTS) |
|------------------------------------------------------>|
| +---------------------------+
| | Perform resynchronization |
| | Using AUTS and |
| | the sent RAND |
| +---------------------------+
| |
Figure 4: Sequence number synchronization
After the resynchronization process has taken place in the server and
AAA side, the process continues by the server side sending a new
EAP-Request/AKA-Challenge message.
In addition to the full authentication scenarios described above,
EAP-AKA includes a fast re-authentication procedure, which is
specified in Section 5. Fast re-authentication is based on keys
derived on full authentication. If the peer has maintained state
information for re-authentication and wants to use fast
re-authentication, then the peer indicates this by using a specific
fast re-authentication identity instead of the permanent identity or
a pseudonym identity.
Arkko & Haverinen Informational [Page 14]
RFC 4187 EAP-AKA Authentication January 2006
4. Operation
4.1. Identity Management
4.1.1. Format, Generation, and Usage of Peer Identities
4.1.1.1. General
In the beginning of EAP authentication, the Authenticator or the EAP
server usually issues the EAP-Request/Identity packet to the peer.
The peer responds with EAP-Response/Identity, which contains the
user's identity. The formats of these packets are specified in
[RFC3748].
Subscribers of mobile networks are identified with the International
Mobile Subscriber Identity (IMSI) [TS23.003]. The IMSI is a string
of not more than 15 digits. It is composed of a Mobile Country Code
(MCC) of 3 digits, a Mobile Network Code (MNC) of 2 or 3 digits, and
a Mobile Subscriber Identification Number (MSIN) of not more than 10
digits. MCC and MNC uniquely identify the GSM operator and help
identify the AuC from which the authentication vectors need to be
retrieved for this subscriber.
Internet AAA protocols identify users with the Network Access
Identifier (NAI) [RFC4282]. When used in a roaming environment, the
NAI is composed of a username and a realm, separated with "@"
(username@realm). The username portion identifies the subscriber
within the realm.
This section specifies the peer identity format used in EAP-AKA. In
this document, the term identity or peer identity refers to the whole
identity string that is used to identify the peer. The peer identity
may include a realm portion. "Username" refers to the portion of the
peer identity that identifies the user, i.e., the username does not
include the realm portion.
4.1.1.2. Identity Privacy Support
EAP-AKA includes optional identity privacy (anonymity) support that
can be used to hide the cleartext permanent identity and thereby make
the subscriber's EAP exchanges untraceable to eavesdroppers. Because
the permanent identity never changes, revealing it would help
observers to track the user. The permanent identity is usually based
on the IMSI, which may further help the tracking, because the same
identifier may be used in other contexts as well. Identity privacy
is based on temporary identities, or pseudonyms, which are equivalent
Arkko & Haverinen Informational [Page 15]
RFC 4187 EAP-AKA Authentication January 2006
to but separate from the Temporary Mobile Subscriber Identities
(TMSI) that are used on cellular networks. Please see Section 12.1
for security considerations regarding identity privacy.
4.1.1.3. Username Types in EAP-AKA Identities
There are three types of usernames in EAP-AKA peer identities:
(1) Permanent usernames. For example,
[email protected] might be a valid permanent identity.
In this example, 0123456789098765 is the permanent username.
(2) Pseudonym usernames. For example, [email protected] might
be a valid pseudonym identity. In this example, 2s7ah6n9q is the
pseudonym username.
(3) Fast re-authentication usernames. For example,
[email protected] might be a valid fast re-authentication
identity. In this case, 43953754 is the fast re-authentication
username. Unlike permanent usernames and pseudonym usernames, fast
re-authentication usernames are one-time identifiers, which are not
re-used across EAP exchanges.
The first two types of identities are used only on full
authentication, and the last type only on fast re-authentication.
When the optional identity privacy support is not used, the
non-pseudonym permanent identity is used on full authentication. The
fast re-authentication exchange is specified in Section 5.
4.1.1.4. Username Decoration
In some environments, the peer may need to decorate the identity by
prepending or appending the username with a string, in order to
indicate supplementary AAA routing information in addition to the NAI
realm. (The usage of an NAI realm portion is not considered to be
decoration.) Username decoration is out of the scope of this
document. However, it should be noted that username decoration might
prevent the server from recognizing a valid username. Hence,
although the peer MAY use username decoration in the identities that
the peer includes in EAP-Response/Identity, and although the EAP
server MAY accept a decorated peer username in this message, the peer
or the EAP server MUST NOT decorate any other peer identities that
are used in various EAP-AKA attributes. Only the identity used in
EAP-Response/Identity may be decorated.
Arkko & Haverinen Informational [Page 16]
RFC 4187 EAP-AKA Authentication January 2006
4.1.1.5. NAI Realm Portion
The peer MAY include a realm portion in the peer identity, as per the
NAI format. The use of a realm portion is not mandatory.
If a realm is used, the realm MAY be chosen by the subscriber's home
operator and it MAY be a configurable parameter in the EAP-AKA peer
implementation. In this case, the peer is typically configured with
the NAI realm of the home operator. Operators MAY reserve a specific
realm name for EAP-AKA users. This convention makes it easy to
recognize that the NAI identifies an AKA subscriber. Such a reserved
NAI realm may be useful as a hint of the first authentication method
to use during method negotiation. When the peer is using a pseudonym
username instead of the permanent username, the peer selects the
realm name portion similarly to how it selects the realm portion when
using the permanent username.
If no configured realm name is available, the peer MAY derive the
realm name from the MCC and MNC portions of the IMSI. A RECOMMENDED
way to derive the realm from the IMSI, using the realm
3gppnetwork.org, will be specified in [TS23.003].
Some old implementations derive the realm name from the IMSI by
concatenating "mnc", the MNC digits of IMSI, ".mcc", the MCC digits
of IMSI, and ".owlan.org". For example, if the IMSI is
123456789098765, and the MNC is three digits long, then the derived
realm name is "mnc456.mcc123.owlan.org". As there are no DNS servers
running at owlan.org, these realm names can only be used with
manually configured AAA routing. New implementations SHOULD use the
mechanism specified in [TS23.003] instead of owlan.org.
The IMSI is a string of digits without any explicit structure, so the
peer may not be able to determine the length of the MNC portion. If
the peer is not able to determine whether the MNC is two or three
digits long, the peer MAY use a 3-digit MNC. If the correct length
of the MNC is two, then the MNC used in the realm name includes the
first digit of MSIN. Hence, when configuring AAA networks for
operators that have 2-digit MNC's, the network SHOULD also be
prepared for realm names with incorrect 3-digit MNC's.
4.1.1.6. Format of the Permanent Username
The non-pseudonym permanent username SHOULD be derived from the IMSI.
In this case, the permanent username MUST be of the format "0" |
IMSI, where the character "|" denotes concatenation. In other words,
the first character of the username is the digit zero (ASCII value 30
hexadecimal), followed by the IMSI. The IMSI is an ASCII string that
consists of not more than 15 decimal digits (ASCII values between 30
Arkko & Haverinen Informational [Page 17]
RFC 4187 EAP-AKA Authentication January 2006
and 39 hexadecimal), one character per IMSI digit, in the order as
specified in [TS23.003]. For example, a permanent username derived
from the IMSI 295023820005424 would be encoded as the ASCII string
"0295023820005424" (byte values in hexadecimal notation: 30 32 39 35
30 32 33 38 32 30 30 30 35 34 32 34)
The EAP server MAY use the leading "0" as a hint to try EAP-AKA as
the first authentication method during method negotiation, rather
than using, for example, EAP-SIM. The EAP-AKA server MAY propose
EAP-AKA even if the leading character was not "0".
Alternatively, an implementation MAY choose a permanent username that
is not based on the IMSI. In this case the selection of the
username, its format, and its processing is out of the scope of this
document. In this case, the peer implementation MUST NOT prepend any
leading characters to the username.
4.1.1.7. Generating Pseudonyms and Fast Re-Authentication Identities by
the Server
Pseudonym usernames and fast re-authentication identities are
generated by the EAP server. The EAP server produces pseudonym
usernames and fast re-authentication identities in an
implementation-dependent manner. Only the EAP server needs to be
able to map the pseudonym username to the permanent identity, or to
recognize a fast re-authentication identity.
EAP-AKA includes no provisions to ensure that the same EAP server
that generated a pseudonym username will be used on the
authentication exchange when the pseudonym username is used. It is
recommended that the EAP servers implement some centralized mechanism
to allow all EAP servers of the home operator to map pseudonyms
generated by other severs to the permanent identity. If no such
mechanism is available, then the EAP server, failing to understand a
pseudonym issued by another server, can request the peer to send the
permanent identity.
When issuing a fast re-authentication identity, the EAP server may
include a realm name in the identity that will cause the fast
re-authentication request to be forwarded to the same EAP server.
When generating fast re-authentication identities, the server SHOULD