WiMAX / LTE EPS-AKA Key Generation

WiMAX / LTE EPS-AKA Key Generation

Benjamin Thompson
Hi

I am writing to ask whether anyone has any advice or scripts etc. to
generate the Authentication Vector (AUTN, RAND, XRES, and KASME) for LTE
authentication.

The documentation I have found is:

About the keys:
https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2296
-> 3GPP TS 33.401 V16.3.0 (2020-7) Page 24

About the RADIUS attributes:
http://wimaxforum.org/Document/Download/WMF-T33-001-R022v05_Network-Stage3-Base
-> Page 1309

I am looking to implement this but it would be great if someone has already
done it and can help me on my way.

Ben Thompson
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: WiMAX / LTE EPS-AKA Key Generation

Alan DeKok-2
On Oct 2, 2020, at 4:47 PM, Benjamin Thompson <[hidden email]> wrote:
> I am writing to ask whether anyone has any advice or scripts etc. to
> generate the Authentication Vector (AUTN, RAND, XRES, and KASME) for LTE
> authentication.

  Anything we know about is in the server source.  :(

> The documentation I have found is:
>
> About the keys:
> https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2296
> -> 3GPP TS 33.401 V16.3.0 (2020-7) Page 24
>
> About the RADIUS attributes:
> http://wimaxforum.org/Document/Download/WMF-T33-001-R022v05_Network-Stage3-Base
> -> Page 1309
>
> I am looking to implement this but it would be great if someone has already
> done it and can help me on my way.

  As with most 3G specs, they're fairly complex.  And not easy to understand.

  It's probably fairly easy to update the WiMAX dictionaries with the latest WiMAX attributes.

  My $0.02 would be to put the relevant calculations into rlm_wimax.  Once you understand the specs, the code shouldn't be *too* bad.

  We're happy to help answer questions about FreeRADIUS.  But I can't promise to spend days reading through 3G specs.  If you can supply patches, we're more than happy to add them to the server.

  Alan DeKok.



Re: WiMAX / LTE EPS-AKA Key Generation

Benjamin Thompson
On Sat, 3 Oct 2020 at 02:55, Alan DeKok <[hidden email]> wrote:

> On Oct 2, 2020, at 4:47 PM, Benjamin Thompson <[hidden email]>
> wrote:
> > I am writing to ask whether anyone has any advice or scripts etc. to
> > generate the Authentication Vector (AUTN, RAND, XRES, and KASME) for LTE
> > authentication.
>
>   As with most 3G specs, they're fairly complex.  And not easy to
> understand.
>
>   It's probably fairly easy to update the WiMAX dictionaries with the
> latest WiMAX attributes.
>
>   My $0.02 would be to put the relevant calculations into rlm_wimax.  Once
> you understand the specs, the code shouldn't be *too* bad.
>
>   We're happy to help answer questions about FreeRADIUS.  But I can't
> promise to spend days reading through 3G specs.  If you can supply patches,
> we're more than happy to add them to the server.
>


Hi Alan

Thanks for your advice. Regarding the WiMAX dictionary, I will create a pull
request soon. As for the rest, I have done a bit of research and come up
with the following:

Glossary

IMSI = International mobile subscriber identity
Ki = Authentication key
AMF = Authentication management field
OPc = Network operators key
AK = Anonymity key
CK = Cipher key
IK = Integrity key
XRES = Expected response
ICCID = Integrated circuit card identifier
PLMN = Public land mobile network ID (Mobile Country Code + Mobile Network
Code)

Steps required by FreeRADIUS:

1) Grab IMSI (User-Name) and PLMN (WiMAX attr 146) from Access-Request
2) Lookup SIM in DB by IMSI and retrieve Ki, OPc, AMF
3) Generate SQN (I am not sure whether this should be reset for each
authentication or cached somewhere and incremented)
4) Generate a 16 byte random value and store it in RAND
5) Feed AMF, Ki, SQN and RAND into Milenage algorithm (f1, f2, f3, f4, f5)
which returns AUTN, AK, CK, IK, XRES.
6) Generate KASME from AK, CK, IK, PLMN, SQN using the following algorithm:
    a) Generate key k = CK || IK
    b) Initialise a 14 byte buffer s
    c) Assign the first byte of s as 0x10
    d) Copy the 3 bytes of PLMN into s
    e) Assign 5th and 6th byte as 0x00 and 0x03
    f) Assign the next 6 bytes as SQN ⊕ AK
    g) Assign the last two bytes as 0x00 and 0x06
    h) Perform an HMAC-SHA256 using Key k from step 1 and s as the message.
(ref. https://medium.com/uw-ictd/lte-authentication-2d0810a061ec
Sudheesh Singanamalla
<https://medium.com/@sudheeshsinganamalla?source=post_page-----2d0810a061ec-------------------------------->)
7) Return AUTN, RAND, XRES, and KASME (WiMAX attr 145 tlvs) in Access-Accept

I noticed that the Milenage algorithm is implemented in
src/lib/sim/milenage.c in v4. So if this could be cherry picked into
/src/lib/ in v3 then as I understand it what would remain is:

1) Create a function for KASME generation. (not sure if this should go in
rlm_wimax or e.g lib/kasme.c)
2) In rlm_wimax:
    a) Get input values from request:User-Name, request:WiMAX-146 and
control:xxx attributes (including SQN)
    b) Generate RAND
    c) Call the various Milenage functions from milenage.c and store AUTN,
RAND, XRES in the relevant WiMAX reply attributes (and in variables save
AK, CK and IK)
    c) Call the KASME generation function and save the result in to the
WiMAX reply attribute
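
The KASME derivation from step 6 of the post above, written as a Python reference that can cross-check a C implementation (an added example, not code from this thread or from FreeRADIUS). The function names, the nibble packing of MCC/MNC into the 3-byte PLMN, and every sample value are assumptions constructed here; the HMAC key is k = CK || IK from step a.

```python
import hashlib
import hmac

FC_KASME = 0x10  # first byte of s (step c)


def encode_plmn(mcc: str, mnc: str) -> bytes:
    """Pack MCC + MNC digits into the 3-byte PLMN copied into s (step d)."""
    digits = mcc + mnc
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (digits.isascii() and digits.isdigit()):
        raise ValueError("MCC must be 3 digits and MNC 2 or 3 digits")
    m = [int(c) for c in mcc]
    n = [int(c) for c in mnc]
    mnc3 = n[2] if len(n) == 3 else 0xF  # filler nibble when the MNC has 2 digits
    return bytes([m[1] << 4 | m[0], mnc3 << 4 | m[2], n[1] << 4 | n[0]])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def build_s(plmn: bytes, sqn_xor_ak: bytes) -> bytes:
    """Assemble the 14-byte message s (steps b to g)."""
    if len(plmn) != 3 or len(sqn_xor_ak) != 6:
        raise ValueError("PLMN must be 3 bytes and SQN xor AK 6 bytes")
    return bytes([FC_KASME]) + plmn + b"\x00\x03" + sqn_xor_ak + b"\x00\x06"


def derive_kasme(ck: bytes, ik: bytes, plmn: bytes, sqn: bytes, ak: bytes) -> bytes:
    """Step h: HMAC-SHA256 keyed with CK || IK over s; returns 32 bytes."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 16 bytes each")
    s = build_s(plmn, xor_bytes(sqn, ak))
    return hmac.new(ck + ik, s, hashlib.sha256).digest()


def derive_kasme_from_autn(ck: bytes, ik: bytes, plmn: bytes, autn: bytes) -> bytes:
    """Same derivation, taking SQN xor AK from the first 6 bytes of AUTN.

    AUTN is (SQN xor AK) || AMF || MAC, 16 bytes in total.
    """
    if len(autn) != 16:
        raise ValueError("AUTN must be 16 bytes")
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 16 bytes each")
    return hmac.new(ck + ik, build_s(plmn, autn[:6]), hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed sample values, not vectors from any specification.
    ck = bytes(range(16))
    ik = bytes(range(16, 32))
    sqn = bytes.fromhex("000000000021")
    ak = bytes.fromhex("0102030405ff")
    plmn = encode_plmn("001", "01")
    print("s     =", build_s(plmn, xor_bytes(sqn, ak)).hex())
    print("KASME =", derive_kasme(ck, ik, plmn, sqn, ak).hex())
```

Running both derivation paths on the values produced by the C module gives a quick unit-test oracle: they must return the same 32 bytes.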

Re: WiMAX / LTE EPS-AKA Key Generation

Peter Lambrechtsen-4
This sounds a lot like EAP-AKA or EAP-AKA Prime and I thought there was
work underway for it to be included in v4.
I’m fairly sure the SQN is supposed to be incremented and you can either
store it back in your simdb or in a separate cache when I was interpreting
how our HLR worked.

I would say putting effort into getting it working in v4 as part of a
eap-aka / aka’ is more worthwhile than back porting it to v3.


Re: WiMAX / LTE EPS-AKA Key Generation

Alan DeKok-2
On Oct 4, 2020, at 2:02 PM, Peter Lambrechtsen <[hidden email]> wrote:
>
> This sounds a lot like EAP-AKA or EAP-AKA Prime and I thought there was
> work underway for it to be included in v4.

  EAP-AKA and AKA' are in v4.  So maybe much of the calculations can be back-ported from there.

> I would say putting effort into getting it working in v4 as part of a
> eap-aka / aka’ is more worthwhile than back porting it to v3.

  If the WiMAX stuff is independent of EAP-AKA, then it may be worth back-porting it.  If it's just EAP-AKA, then we would have to think about it.  Back-porting things from v4 is becoming difficult at this point.

  Alan DeKok.



Re: WiMAX / LTE EPS-AKA Key Generation

Alan DeKok-2
In reply to this post by Benjamin Thompson
On Oct 4, 2020, at 11:38 AM, Benjamin Thompson <[hidden email]> wrote:
> I noticed that the Milenage algorithm is implemented in
> src/lib/sim/milenage.c in v4. So if this could be cherry picked into
> /src/lib/ in v3 then as I understand it what would remain is:
>
> 1) Create a function for KASME generation. (not sure if this should go in
> rlm_wimax or e.g lib/kasme.c)

  rlm_wimax for now.  We can always worry about details later.

> 2) In rlm_wimax:
>    a) Get input values from request:User-Name, request:WiMAX-146 and
> control:xxx attributes (including SQN)

  We just create attributes in dictionary.freeradius.internal for much of that.

>    b) Generate RAND

  ~5 lines of code.

>    c) Call the various Milenage functions from milenage.c and store AUTN,
> RAND, XRES in the relevant WiMAX reply attributes (and in variables save
> AK, CK and IK)

  Yup.

>    c) Call the KASME generation function and save the result in to the
> WiMAX reply attribute

  That doesn't sound too bad.

  TBH I'd also add unit tests.  The algorithms are complex enough that we don't want to change things and accidentally break them.

  This feature would definitely be useful.

  Alan DeKok.




Re: WiMAX / LTE EPS-AKA Key Generation

Benjamin Thompson
On Mon, 5 Oct 2020 at 16:30, Alan DeKok <[hidden email]> wrote:

> On Oct 4, 2020, at 11:38 AM, Benjamin Thompson <[hidden email]>
> wrote:
> > I noticed that the Milenage algorithm is implemented in
> > src/lib/sim/milenage.c in v4. So if this could be cherry picked into
> > /src/lib/ in v3 then as I understand it what would remain is:
> >
> > 1) Create a function for KASME generation. (not sure if this should go in
> > rlm_wimax or e.g lib/kasme.c)
>
>   rlm_wimax for now.  We can always worry about details later.
>
> > 2) In rlm_wimax:
> >    a) Get input values from request:User-Name, request:WiMAX-146 and
> > control:xxx attributes (including SQN)
>
>   We just create attributes in dictionary.freeradius.internal for much of
> that.
>
> >    b) Generate RAND
>
>   ~5 lines of code.
>
> >    c) Call the various Milenage functions from milenage.c and store AUTN,
> > RAND, XRES in the relevant WiMAX reply attributes (and in variables save
> > AK, CK and IK)
>
>   Yup.
>
> >    c) Call the KASME generation function and save the result in to the
> > WiMAX reply attribute
>
>   That doesn't sound too bad.
>
>   TBH I'd also add unit tests.  The algorithms are complex enough that we
> don't want to change things and accidentally break them.
>
>   This feature would definitely be useful.
>

Thanks Alan

My plan is to have a go editing rlm_wimax and (hopefully) once I have it
working I will create a pull request for review.

Re: WiMAX / LTE EPS-AKA Key Generation

Alan DeKok-2
On Oct 6, 2020, at 11:46 AM, Benjamin Thompson <[hidden email]> wrote:
>
> My plan is to have a go editing rlm_wimax and (hopefully) once I have it
> working I will create a pull request for review.

  Thanks.  That should work well.

  Alan DeKok.



Re: WiMAX / LTE EPS-AKA Key Generation

arr2036


> On Oct 6, 2020, at 4:02 PM, Alan DeKok <[hidden email]> wrote:
>
> On Oct 6, 2020, at 11:46 AM, Benjamin Thompson <[hidden email]> wrote:
>>
>> My plan is to have a go editing rlm_wimax and (hopefully) once I have it
>> working I will create a pull request for review.
>
>  Thanks.  That should work well.

Just to note that there's a milenage implementation in src/lib/sim/milenage.c in master branch.

The rest of the code looks fairly easy.  If you're not making any progress, remind me in a couple of days and I'll add an implementation to master branch.

-Arran


Arran Cudbard-Bell <[hidden email]>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2



Re: WiMAX / LTE EPS-AKA Key Generation

Benjamin Thompson
On Fri, 9 Oct 2020 at 17:17, Arran Cudbard-Bell <[hidden email]>
wrote:

> >> My plan is to have a go editing rlm_wimax and (hopefully) once I have it
> >> working I will create a pull request for review.
> >
> >  Thanks.  That should work well.
>
> Just to note that there's a milenage implementation in
> src/lib/sim/milenage.c in master branch.
>
> The rest of the code looks fairly easy.  If you're not making any
> progress, remind me in a couple of days and I'll add an implementation to
> master branch.


Hi Arran

If you could add milenage.c to the 3.0.x branch that would be great. I have
kind of gotten it to work by adding it to the src/modules/rlm_wimax/
directory but I had to comment out some things like FR_PROTO_HEX_DUMP and I
am not sure what to replace them with. Also the functions which I need are
milenage_f1 and milenage_f2345 so I had to make them non static.

Ben

Re: WiMAX / LTE EPS-AKA Key Generation

Alan DeKok-2

On Oct 10, 2020, at 6:36 AM, Benjamin Thompson <[hidden email]> wrote:
> If you could add milenage.c to the 3.0.x branch that would be great. I have
> kind of gotten it to work by adding it to the src/modules/rlm_wimax/
> directory but I had to comment out some things like FR_PROTO_HEX_DUMP and I
> am not sure what to replace them with.

  Just ignore them for now.  They're for detailed packet / hex debugging in v4.

> Also the functions which I need are
> milenage_f1 and milenage_f2345 so I had to make them non static.

  That's fine.

  If it works, ship it!

  Alan DeKok.



Re: WiMAX / LTE EPS-AKA Key Generation

Benjamin Thompson
>
> > Also the functions which I need are
> > milenage_f1 and milenage_f2345 so I had to make them non static.
>

I realised after I read milenage.c again that I don't actually need
milenage_f1 and milenage_f2345 as they are called by milenage_umts_generate
which seems to do exactly what I need and is not static.

Re: WiMAX / LTE EPS-AKA Key Generation

Benjamin Thompson
In reply to this post by Alan DeKok-2
On Sat, 10 Oct 2020 at 15:48, Alan DeKok <[hidden email]> wrote:

>
> On Oct 10, 2020, at 6:36 AM, Benjamin Thompson <[hidden email]>
> wrote:
> > If you could add milenage.c to the 3.0.x branch that would be great. I
> have
> > kind of gotten it to work by adding it to the src/modules/rlm_wimax/
> > directory but I had to comment out some things like FR_PROTO_HEX_DUMP
> and I
> > am not sure what to replace them with.
>
>   Just ignore them for now.  They're for detailed packet / hex debugging
> in v4.
>
> > Also the functions which I need are
> > milenage_f1 and milenage_f2345 so I had to make them non static.
>
>   That's fine.
>
>   If it works, ship it!
>

Hi Alan and Arran

I have a working implementation, but as it is more or less the first thing
I have written in C it's highly possible that my code is a bit crappy. I
would be really grateful if maybe one of you could have a look at this
commit in my test branch on github and let me know what you think:
https://github.com/bt4/freeradius-server/commit/2e02bce98c1627626fe99d4eaf96944fef875fbd

Ben

Re: WiMAX / LTE EPS-AKA Key Generation

Benjamin Thompson
On Fri, 6 Nov 2020 at 19:42, Benjamin Thompson <[hidden email]> wrote:

> On Sat, 10 Oct 2020 at 15:48, Alan DeKok <[hidden email]>
> wrote:
>
>>
>> On Oct 10, 2020, at 6:36 AM, Benjamin Thompson <[hidden email]>
>> wrote:
>> > If you could add milenage.c to the 3.0.x branch that would be great. I
>> have
>> > kind of gotten it to work by adding it to the src/modules/rlm_wimax/
>> > directory but I had to comment out some things like FR_PROTO_HEX_DUMP
>> and I
>> > am not sure what to replace them with.
>>
>>   Just ignore them for now.  They're for detailed packet / hex debugging
>> in v4.
>>
>> > Also the functions which I need are
>> > milenage_f1 and milenage_f2345 so I had to make them non static.
>>
>>   That's fine.
>>
>>   If it works, ship it!
>>
>
> Hi Alan and Arran
>
> I have a working implementation, but as it is more or less the first thing
> I have written in C it's highly possible that my code is a bit crappy. I
> would be really grateful if maybe one of you could have a look at this
> commit in my test branch on github and let me know what you think:
> https://github.com/bt4/freeradius-server/commit/2e02bce98c1627626fe99d4eaf96944fef875fbd
>

I realised that I forgot to add one file to the commit (milenage.c). Here
is a fixed commit:
https://github.com/bt4/freeradius-server/commit/0cb4324d1d75a00ff97121c1345a41151577025e