Network Working Group H. Haverinen, Ed.
Request for Comments: 4186 Nokia
Category: Informational J. Salowey, Ed.
Cisco Systems
January 2006
Network Working Group H. Haverinen, Ed.
Request for Comments: 4186 Nokia
Category: Informational J. Salowey, Ed.
Cisco Systems
January 2006
Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM)
全球移动通信系统(GSM)用户识别模块(EAP-SIM)的可扩展认证协议方法
Status of This Memo
关于下段备忘
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2006).
版权所有(C)互联网协会(2006年)。
IESG Note
IESG注释
The EAP-SIM protocol was developed by 3GPP. The documentation of EAP-SIM is provided as information to the Internet community. While the EAP WG has verified that EAP-SIM is compatible with EAP, as defined in RFC 3748, no other review has been done, including validation of the security claims. The IETF has also not reviewed the security of the cryptographic algorithms.
EAP-SIM协议由3GPP开发。EAP-SIM的文档作为信息提供给互联网社区。虽然EAP工作组已验证EAP-SIM与RFC 3748中定义的EAP兼容,但尚未进行其他审查,包括验证安全声明。IETF也没有审查加密算法的安全性。
Abstract
摘要
This document specifies an Extensible Authentication Protocol (EAP) mechanism for authentication and session key distribution using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM). GSM is a second generation mobile network standard. The EAP-SIM mechanism specifies enhancements to GSM authentication and key agreement whereby multiple authentication triplets can be combined to create authentication responses and session keys of greater strength than the individual GSM triplets. The mechanism also includes network authentication, user anonymity support, result indications, and a fast re-authentication procedure.
本文档规定了使用全球移动通信系统(GSM)用户身份模块(SIM)进行身份验证和会话密钥分配的可扩展身份验证协议(EAP)机制。GSM是第二代移动网络标准。EAP-SIM机制规定了对GSM身份验证和密钥协议的增强,从而可以组合多个身份验证三元组来创建比单个GSM三元组强度更大的身份验证响应和会话密钥。该机制还包括网络认证、用户匿名支持、结果指示和快速重新认证过程。
Table of Contents
目录
1. Introduction ....................................................4
2. Terms ...........................................................5
3. Overview ........................................................8
4. Operation ......................................................10
4.1. Version Negotiation .......................................10
4.2. Identity Management .......................................11
4.2.1. Format, Generation and Usage of Peer Identities ....11
4.2.2. Communicating the Peer Identity to the Server ......17
4.2.3. Choice of Identity for the EAP-Response/Identity ...19
4.2.4. Server Operation in the Beginning of
EAP-SIM Exchange ...................................19
4.2.5. Processing of EAP-Request/SIM/Start by the Peer ....20
4.2.6. Attacks Against Identity Privacy ...................21
4.2.7. Processing of AT_IDENTITY by the Server ............22
4.3. Message Sequence Examples (Informative) ...................23
4.3.1. Full Authentication ................................24
4.3.2. Fast Re-authentication .............................25
4.3.3. Fall Back to Full Authentication ...................26
4.3.4. Requesting the Permanent Identity 1 ................27
4.3.5. Requesting the Permanent Identity 2 ................28
4.3.6. Three EAP-SIM/Start Roundtrips .....................28
5. Fast Re-Authentication .........................................30
5.1. General ...................................................30
5.2. Comparison to UMTS AKA ....................................31
5.3. Fast Re-authentication Identity ...........................31
5.4. Fast Re-authentication Procedure ..........................33
5.5. Fast Re-authentication Procedure when Counter Is
Too Small .................................................36
6. EAP-SIM Notifications ..........................................37
6.1. General ...................................................37
6.2. Result Indications ........................................39
6.3. Error Cases ...............................................40
6.3.1. Peer Operation .....................................40
6.3.2. Server Operation ...................................41
6.3.3. EAP-Failure ........................................42
6.3.4. EAP-Success ........................................42
7. Key Generation .................................................43
8. Message Format and Protocol Extensibility ......................45
8.1. Message Format ............................................45
8.2. Protocol Extensibility ....................................47
9. Messages .......................................................48
9.1. EAP-Request/SIM/Start .....................................48
9.2. EAP-Response/SIM/Start ....................................49
9.3. EAP-Request/SIM/Challenge .................................49
9.4. EAP-Response/SIM/Challenge ................................50
9.5. EAP-Request/SIM/Re-authentication .........................51
1. Introduction ....................................................4
2. Terms ...........................................................5
3. Overview ........................................................8
4. Operation ......................................................10
4.1. Version Negotiation .......................................10
4.2. Identity Management .......................................11
4.2.1. Format, Generation and Usage of Peer Identities ....11
4.2.2. Communicating the Peer Identity to the Server ......17
4.2.3. Choice of Identity for the EAP-Response/Identity ...19
4.2.4. Server Operation in the Beginning of
EAP-SIM Exchange ...................................19
4.2.5. Processing of EAP-Request/SIM/Start by the Peer ....20
4.2.6. Attacks Against Identity Privacy ...................21
4.2.7. Processing of AT_IDENTITY by the Server ............22
4.3. Message Sequence Examples (Informative) ...................23
4.3.1. Full Authentication ................................24
4.3.2. Fast Re-authentication .............................25
4.3.3. Fall Back to Full Authentication ...................26
4.3.4. Requesting the Permanent Identity 1 ................27
4.3.5. Requesting the Permanent Identity 2 ................28
4.3.6. Three EAP-SIM/Start Roundtrips .....................28
5. Fast Re-Authentication .........................................30
5.1. General ...................................................30
5.2. Comparison to UMTS AKA ....................................31
5.3. Fast Re-authentication Identity ...........................31
5.4. Fast Re-authentication Procedure ..........................33
5.5. Fast Re-authentication Procedure when Counter Is
Too Small .................................................36
6. EAP-SIM Notifications ..........................................37
6.1. General ...................................................37
6.2. Result Indications ........................................39
6.3. Error Cases ...............................................40
6.3.1. Peer Operation .....................................40
6.3.2. Server Operation ...................................41
6.3.3. EAP-Failure ........................................42
6.3.4. EAP-Success ........................................42
7. Key Generation .................................................43
8. Message Format and Protocol Extensibility ......................45
8.1. Message Format ............................................45
8.2. Protocol Extensibility ....................................47
9. Messages .......................................................48
9.1. EAP-Request/SIM/Start .....................................48
9.2. EAP-Response/SIM/Start ....................................49
9.3. EAP-Request/SIM/Challenge .................................49
9.4. EAP-Response/SIM/Challenge ................................50
9.5. EAP-Request/SIM/Re-authentication .........................51
9.6. EAP-Response/SIM/Re-authentication ........................51
9.7. EAP-Response/SIM/Client-Error .............................52
9.8. EAP-Request/SIM/Notification ..............................52
9.9. EAP-Response/SIM/Notification .............................53
10. Attributes ....................................................53
10.1. Table of Attributes ......................................53
10.2. AT_VERSION_LIST ..........................................54
10.3. AT_SELECTED_VERSION ......................................55
10.4. AT_NONCE_MT ..............................................55
10.5. AT_PERMANENT_ID_REQ ......................................56
10.6. AT_ANY_ID_REQ ............................................56
10.7. AT_FULLAUTH_ID_REQ .......................................57
10.8. AT_IDENTITY ..............................................57
10.9. AT_RAND ..................................................58
10.10. AT_NEXT_PSEUDONYM .......................................59
10.11. AT_NEXT_REAUTH_ID .......................................59
10.12. AT_IV, AT_ENCR_DATA, and AT_PADDING .....................60
10.13. AT_RESULT_IND ...........................................62
10.14. AT_MAC ..................................................62
10.15. AT_COUNTER ..............................................63
10.16. AT_COUNTER_TOO_SMALL ....................................63
10.17. AT_NONCE_S ..............................................64
10.18. AT_NOTIFICATION .........................................64
10.19. AT_CLIENT_ERROR_CODE ....................................65
11. IANA Considerations ...........................................66
12. Security Considerations .......................................66
12.1. A3 and A8 Algorithms .....................................66
12.2. Identity Protection ......................................66
12.3. Mutual Authentication and Triplet Exposure ...............67
12.4. Flooding the Authentication Centre .......................69
12.5. Key Derivation ...........................................69
12.6. Cryptographic Separation of Keys and Session
Independence .............................................70
12.7. Dictionary Attacks .......................................71
12.8. Credentials Re-use .......................................71
12.9. Integrity and Replay Protection, and Confidentiality .....72
12.10. Negotiation Attacks .....................................73
12.11. Protected Result Indications ............................73
12.12. Man-in-the-Middle Attacks ...............................74
12.13. Generating Random Numbers ...............................74
13. Security Claims ...............................................74
14. Acknowledgements and Contributions ............................75
14.1. Contributors .............................................75
14.2. Acknowledgements .........................................75
14.2.1. Contributors' Addresses ...........................77
15. References ....................................................78
15.1. Normative References .....................................78
15.2. Informative References ...................................79
9.6. EAP-Response/SIM/Re-authentication ........................51
9.7. EAP-Response/SIM/Client-Error .............................52
9.8. EAP-Request/SIM/Notification ..............................52
9.9. EAP-Response/SIM/Notification .............................53
10. Attributes ....................................................53
10.1. Table of Attributes ......................................53
10.2. AT_VERSION_LIST ..........................................54
10.3. AT_SELECTED_VERSION ......................................55
10.4. AT_NONCE_MT ..............................................55
10.5. AT_PERMANENT_ID_REQ ......................................56
10.6. AT_ANY_ID_REQ ............................................56
10.7. AT_FULLAUTH_ID_REQ .......................................57
10.8. AT_IDENTITY ..............................................57
10.9. AT_RAND ..................................................58
10.10. AT_NEXT_PSEUDONYM .......................................59
10.11. AT_NEXT_REAUTH_ID .......................................59
10.12. AT_IV, AT_ENCR_DATA, and AT_PADDING .....................60
10.13. AT_RESULT_IND ...........................................62
10.14. AT_MAC ..................................................62
10.15. AT_COUNTER ..............................................63
10.16. AT_COUNTER_TOO_SMALL ....................................63
10.17. AT_NONCE_S ..............................................64
10.18. AT_NOTIFICATION .........................................64
10.19. AT_CLIENT_ERROR_CODE ....................................65
11. IANA Considerations ...........................................66
12. Security Considerations .......................................66
12.1. A3 and A8 Algorithms .....................................66
12.2. Identity Protection ......................................66
12.3. Mutual Authentication and Triplet Exposure ...............67
12.4. Flooding the Authentication Centre .......................69
12.5. Key Derivation ...........................................69
12.6. Cryptographic Separation of Keys and Session
Independence .............................................70
12.7. Dictionary Attacks .......................................71
12.8. Credentials Re-use .......................................71
12.9. Integrity and Replay Protection, and Confidentiality .....72
12.10. Negotiation Attacks .....................................73
12.11. Protected Result Indications ............................73
12.12. Man-in-the-Middle Attacks ...............................74
12.13. Generating Random Numbers ...............................74
13. Security Claims ...............................................74
14. Acknowledgements and Contributions ............................75
14.1. Contributors .............................................75
14.2. Acknowledgements .........................................75
14.2.1. Contributors' Addresses ...........................77
15. References ....................................................78
15.1. Normative References .....................................78
15.2. Informative References ...................................79
Appendix A. Test Vectors .........................................81
A.1. EAP-Request/Identity .....................................81
A.2. EAP-Response/Identity ....................................81
A.3. EAP-Request/SIM/Start ....................................82
A.4. EAP-Response/SIM/Start ...................................82
A.5. EAP-Request/SIM/Challenge ................................83
A.6. EAP-Response/SIM/Challenge ...............................86
A.7. EAP-Success ..............................................86
A.8. Fast Re-authentication ...................................86
A.9. EAP-Request/SIM/Re-authentication ........................87
A.10. EAP-Response/SIM/Re-authentication ......................89
Appendix B. Pseudo-Random Number Generator .......................90
Appendix A. Test Vectors .........................................81
A.1. EAP-Request/Identity .....................................81
A.2. EAP-Response/Identity ....................................81
A.3. EAP-Request/SIM/Start ....................................82
A.4. EAP-Response/SIM/Start ...................................82
A.5. EAP-Request/SIM/Challenge ................................83
A.6. EAP-Response/SIM/Challenge ...............................86
A.7. EAP-Success ..............................................86
A.8. Fast Re-authentication ...................................86
A.9. EAP-Request/SIM/Re-authentication ........................87
A.10. EAP-Response/SIM/Re-authentication ......................89
Appendix B. Pseudo-Random Number Generator .......................90
This document specifies an Extensible Authentication Protocol (EAP) [RFC3748] mechanism for authentication and session key distribution using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM).
本文件规定了使用全球移动通信系统(GSM)用户身份模块(SIM)进行身份验证和会话密钥分配的可扩展身份验证协议(EAP)[RFC3748]机制。
GSM is a second generation mobile network standard. Second generation mobile networks and third generation mobile networks use different authentication and key agreement mechanisms. EAP-AKA [EAP-AKA] specifies an EAP method that is based on the Authentication and Key Agreement (AKA) mechanism used in 3rd generation mobile networks.
GSM是第二代移动网络标准。第二代移动网络和第三代移动网络使用不同的身份验证和密钥协商机制。EAP-AKA[EAP-AKA]指定了一种基于第三代移动网络中使用的身份验证和密钥协商(AKA)机制的EAP方法。
GSM authentication is based on a challenge-response mechanism. The A3/A8 authentication and key derivation algorithms that run on the SIM can be given a 128-bit random number (RAND) as a challenge. The SIM runs operator-specific algorithms, which take the RAND and a secret key Ki (stored on the SIM) as input, and produce a 32-bit response (SRES) and a 64-bit long key Kc as output. The Kc key is originally intended to be used as an encryption key over the air interface, but in this protocol, it is used for deriving keying material and is not directly used. Hence, the secrecy of Kc is critical to the security of this protocol. For more information about GSM authentication, see [GSM-03.20]. See Section 12.1 for more discussion about the GSM algorithms used in EAP-SIM.
GSM认证基于质询-响应机制。在SIM卡上运行的A3/A8身份验证和密钥推导算法可以使用128位随机数(RAND)作为挑战。SIM卡运行特定于运营商的算法,将RAND和密钥Ki(存储在SIM卡上)作为输入,并生成32位响应(SRES)和64位长密钥Kc作为输出。Kc密钥最初打算用作空中接口上的加密密钥,但在本协议中,它用于派生密钥材料,而不是直接使用。因此,Kc的保密性对该协议的安全性至关重要。有关GSM认证的更多信息,请参阅[GSM-03.20]。有关EAP-SIM中使用的GSM算法的更多讨论,请参见第12.1节。
The lack of mutual authentication is a weakness in GSM authentication. The derived 64-bit cipher key (Kc) is not strong enough for data networks in which stronger and longer keys are required. Hence, in EAP-SIM, several RAND challenges are used for generating several 64-bit Kc keys, which are combined to constitute stronger keying material. In EAP-SIM, the client issues a random number NONCE_MT to the network in order to contribute to key derivation, and to prevent replays of EAP-SIM requests from previous
缺乏相互认证是GSM认证的一个弱点。派生的64位密码密钥(Kc)对于需要更强和更长密钥的数据网络来说不够强。因此,在EAP-SIM中,几个RAND挑战用于生成多个64位Kc密钥,这些密钥组合起来构成更强的密钥材料。在EAP-SIM中,客户端向网络发出一个随机数NONCE_MT,以便有助于密钥推导,并防止重播来自以前的EAP-SIM请求
exchanges. The NONCE_MT can be conceived as the client's challenge to the network. EAP-SIM also extends the combined RAND challenges and other messages with a message authentication code in order to provide message integrity protection along with mutual authentication.
交流。可以将当前MT视为客户对网络的挑战。EAP-SIM还使用消息身份验证码扩展了组合的RAND挑战和其他消息,以便在相互身份验证的同时提供消息完整性保护。
EAP-SIM specifies optional support for protecting the privacy of subscriber identity using the same concept as the GSM, which uses pseudonyms/temporary identifiers. It also specifies an optional fast re-authentication procedure.
EAP-SIM使用与GSM相同的概念(使用假名/临时标识符)指定了保护用户身份隐私的可选支持。它还指定了一个可选的快速重新身份验证过程。
The security of EAP-SIM builds on underlying GSM mechanisms. The security properties of EAP-SIM are documented in Section 11 of this document. Implementers and users of EAP-SIM are advised to carefully study the security considerations in Section 11 in order to determine whether the security properties are sufficient for the environment in question, especially as the secrecy of Kc keys is essential to the security of EAP-SIM. In brief, EAP-SIM is in no sense weaker than the GSM mechanisms. In some cases EAP-SIM provides better security properties than the underlying GSM mechanisms, particularly if the SIM credentials are only used for EAP-SIM and are not re-used from GSM/GPRS. Many of the security features of EAP-SIM rely upon the secrecy of the Kc values in the SIM triplets, so protecting these values is key to the security of the EAP-SIM protocol.
EAP-SIM的安全性建立在底层GSM机制的基础上。EAP-SIM的安全属性记录在本文件第11节中。建议EAP-SIM的实施者和用户仔细研究第11节中的安全注意事项,以确定安全属性是否足以满足相关环境的要求,尤其是因为Kc密钥的保密性对EAP-SIM的安全至关重要。简言之,EAP-SIM在任何意义上都不比GSM机制弱。在某些情况下,EAP-SIM提供了比基础GSM机制更好的安全属性,特别是当SIM凭据仅用于EAP-SIM且不从GSM/GPRS重复使用时。EAP-SIM的许多安全功能依赖于SIM三元组中Kc值的保密性,因此保护这些值是EAP-SIM协议安全的关键。
The 3rd Generation Partnership Project (3GPP) has specified an enhanced Authentication and Key Agreement (AKA) architecture for the Universal Mobile Telecommunications System (UMTS). The 3rd generation AKA mechanism includes mutual authentication, replay protection, and derivation of longer session keys. EAP-AKA [EAP-AKA] specifies an EAP method that is based on the 3rd generation AKA. EAP-AKA, which is a more secure protocol, may be used instead of EAP-SIM, if 3rd generation identity modules and 3G network infrastructures are available.
第三代合作伙伴计划(3GPP)为通用移动通信系统(UMTS)指定了增强认证和密钥协议(AKA)架构。第三代AKA机制包括相互认证、重播保护和较长会话密钥的派生。EAP-AKA[EAP-AKA]指定基于第三代AKA的EAP方法。如果第三代身份模块和3G网络基础设施可用,则可以使用EAP-AKA(一种更安全的协议)代替EAP-SIM。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
The terms and abbreviations "authenticator", "backend authentication server", "EAP server", "peer", "Silently Discard", "Master Session Key (MSK)", and "Extended Master Session Key (EMSK)" in this document are to be interpreted as described in [RFC3748].
本文件中的术语和缩写“验证器”、“后端身份验证服务器”、“EAP服务器”、“对等方”、“静默放弃”、“主会话密钥(MSK)”和“扩展主会话密钥(EMSK)”应按照[RFC3748]中所述进行解释。
This document frequently uses the following terms and abbreviations:
本文件经常使用以下术语和缩写:
AAA protocol
AAA协议
Authentication, Authorization, and Accounting protocol
身份验证、授权和记帐协议
AuC
AuC
Authentication Centre. The GSM network element that provides the authentication triplets for authenticating the subscriber.
认证中心。提供认证三元组以认证用户的GSM网络元件。
Authentication vector
认证向量
GSM triplets can be alternatively called authentication vectors.
GSM三元组也可以称为认证向量。
EAP
EAP
Extensible Authentication Protocol
可扩展身份验证协议
Fast re-authentication
快速重新认证
An EAP-SIM authentication exchange that is based on keys derived upon a preceding full authentication exchange. The GSM authentication and key exchange algorithms are not used in the fast re-authentication procedure.
一种EAP-SIM身份验证交换,基于在先前的完全身份验证交换基础上派生的密钥。GSM认证和密钥交换算法不用于快速重新认证过程。
Fast Re-authentication Identity
快速重认证身份
A fast re-authentication identity of the peer, including an NAI realm portion in environments where a realm is used. Used on fast re-authentication only.
对等方的快速重新身份验证标识,包括使用领域的环境中的NAI领域部分。仅用于快速重新身份验证。
Fast Re-authentication Username
快速重新验证用户名
The username portion of fast re-authentication identity, i.e., not including any realm portions.
快速重新身份验证标识的用户名部分,即不包括任何领域部分。
Full authentication
完全认证
An EAP-SIM authentication exchange based on the GSM authentication and key agreement algorithms.
基于GSM认证和密钥协商算法的EAP-SIM认证交换。
GSM
GSM
Global System for Mobile communications.
全球移动通信系统。
GSM Triplet
GSM三元组
The tuple formed by the three GSM authentication values RAND, Kc, and SRES.
由三个GSM身份验证值RAND、Kc和SRE组成的元组。
IMSI
IMSI
International Mobile Subscriber Identifier, used in GSM to identify subscribers.
国际移动用户标识符,在GSM中用于识别用户。
MAC
雨衣
Message Authentication Code
消息身份验证码
NAI
奈
Network Access Identifier
网络访问标识符
Nonce
暂时
A value that is used at most once or that is never repeated within the same cryptographic context. In general, a nonce can be predictable (e.g., a counter) or unpredictable (e.g., a random value). Since some cryptographic properties may depend on the randomness of the nonce, attention should be paid to whether a nonce is required to be random or not. In this document, the term nonce is only used to denote random nonces, and it is not used to denote counters.
在同一加密上下文中最多使用一次或从不重复的值。通常,nonce可以是可预测的(例如计数器)或不可预测的(例如随机值)。由于某些密码特性可能取决于nonce的随机性,因此应注意nonce是否需要随机。在本文档中,术语nonce仅用于表示随机nonce,而不用于表示计数器。
Permanent Identity
永久身份
The permanent identity of the peer, including an NAI realm portion in environments where a realm is used. The permanent identity is usually based on the IMSI. Used on full authentication only.
对等方的永久身份,包括使用领域的环境中的NAI领域部分。永久身份通常基于IMSI。仅用于完全身份验证。
Permanent Username
永久用户名
The username portion of permanent identity, i.e., not including any realm portions.
永久身份的用户名部分,即不包括任何领域部分。
Pseudonym Identity
笔名身份
A pseudonym identity of the peer, including an NAI realm portion in environments where a realm is used. Used on full authentication only.
对等方的笔名标识,包括使用领域的环境中的NAI领域部分。仅用于完全身份验证。
Pseudonym Username
假名用户名
The username portion of pseudonym identity, i.e., not including any realm portions.
笔名标识的用户名部分,即不包括任何领域部分。
SIM
模拟
Subscriber Identity Module. The SIM is traditionally a smart card distributed by a GSM operator.
用户识别模块。SIM卡传统上是由GSM运营商分发的智能卡。
Figure 1 shows an overview of the EAP-SIM full authentication procedure, wherein optional protected success indications are not used. The authenticator typically communicates with an EAP server that is located on a backend authentication server using an AAA protocol. The authenticator shown in the figure is often simply relaying EAP messages to and from the EAP server, but these backend AAA communications are not shown.
图1显示了EAP-SIM完全认证过程的概述,其中未使用可选的受保护成功指示。认证器通常使用AAA协议与位于后端认证服务器上的EAP服务器通信。图中所示的验证器通常只是将EAP消息中继到EAP服务器,或从EAP服务器中继EAP消息,但未显示这些后端AAA通信。
Peer Authenticator
| EAP-Request/Identity |
|<---------------------------------------------------------|
| |
| EAP-Response/Identity |
|--------------------------------------------------------->|
| |
| EAP-Request/SIM/Start (AT_VERSION_LIST) |
|<---------------------------------------------------------|
| |
| EAP-Response/SIM/Start (AT_NONCE_MT, AT_SELECTED_VERSION)|
|--------------------------------------------------------->|
| |
| EAP-Request/SIM/Challenge (AT_RAND, AT_MAC) |
|<---------------------------------------------------------|
+-------------------------------------+ |
| Peer runs GSM algorithms, verifies | |
| AT_MAC and derives session keys | |
+-------------------------------------+ |
| EAP-Response/SIM/Challenge (AT_MAC) |
|--------------------------------------------------------->|
| |
| EAP-Success |
|<---------------------------------------------------------|
| |
Peer Authenticator
| EAP-Request/Identity |
|<---------------------------------------------------------|
| |
| EAP-Response/Identity |
|--------------------------------------------------------->|
| |
| EAP-Request/SIM/Start (AT_VERSION_LIST) |
|<---------------------------------------------------------|
| |
| EAP-Response/SIM/Start (AT_NONCE_MT, AT_SELECTED_VERSION)|
|--------------------------------------------------------->|
| |
| EAP-Request/SIM/Challenge (AT_RAND, AT_MAC) |
|<---------------------------------------------------------|
+-------------------------------------+ |
| Peer runs GSM algorithms, verifies | |
| AT_MAC and derives session keys | |
+-------------------------------------+ |
| EAP-Response/SIM/Challenge (AT_MAC) |
|--------------------------------------------------------->|
| |
| EAP-Success |
|<---------------------------------------------------------|
| |
Figure 1: EAP-SIM full authentication procedure
图1:EAP-SIM完全认证过程
The first EAP Request issued by the authenticator is EAP-Request/Identity. On full authentication, the peer's response includes either the user's International Mobile Subscriber Identity (IMSI) or a temporary identity (pseudonym) if identity privacy is in effect, as specified in Section 4.2.
验证器发出的第一个EAP请求是EAP请求/标识。完全认证时,对等方的响应包括用户的国际移动用户身份(IMSI)或临时身份(笔名)(如果身份隐私有效),如第4.2节所述。
Following the peer's EAP-Response/Identity packet, the peer receives EAP Requests of Type 18 (SIM) from the EAP server and sends the corresponding EAP Responses. The EAP packets that are of the Type SIM also have a Subtype field. On full authentication, the first EAP-Request/SIM packet is of the Subtype 10 (Start). EAP-SIM packets encapsulate parameters in attributes, encoded in a Type, Length, Value format. The packet format and the use of attributes are specified in Section 8.
在对等方的EAP响应/标识分组之后,对等方从EAP服务器接收类型18(SIM)的EAP请求,并发送相应的EAP响应。SIM类型的EAP数据包还具有子类型字段。在完全认证时,第一个EAP请求/SIM数据包属于子类型10(Start)。EAP-SIM数据包将参数封装在属性中,以类型、长度和值格式进行编码。第8节规定了数据包格式和属性的使用。
The EAP-Request/SIM/Start packet contains the list of EAP-SIM versions supported by the EAP server in the AT_VERSION_LIST attribute. This packet may also include attributes for requesting the subscriber identity, as specified in Section 4.2.
EAP请求/SIM/启动数据包在AT_VERSION_list属性中包含EAP服务器支持的EAP-SIM版本列表。如第4.2节所述,该数据包还可包括用于请求订户身份的属性。
The peer responds to a EAP-Request/SIM/Start with the EAP-Response/SIM/Start packet, which includes the AT_NONCE_MT attribute that contains a random number NONCE_MT, chosen by the peer, and the AT_SELECTED_VERSION attribute that contains the version number selected by the peer. The version negotiation is protected by including the version list and the selected version in the calculation of keying material (Section 7).
对等方使用EAP Response/SIM/Start数据包响应EAP Request/SIM/Start,该数据包包括对等方选择的包含随机数NONCE\u MT的AT\u NONCE\u属性和包含对等方选择的版本号的AT\u SELECTED\u VERSION属性。版本协商通过在键控材料计算中包括版本列表和所选版本来保护(第7节)。
After receiving the EAP Response/SIM/Start, the EAP server obtains n GSM triplets for use in authenticating the subscriber, where n = 2 or n = 3. From the triplets, the EAP server derives the keying material, as specified in Section 7. The triplets may be obtained by contacting an Authentication Centre (AuC) on the GSM network; per GSM specifications, between 1 and 5 triplets may be obtained at a time. Triplets may be stored in the EAP server for use at a later time, but triplets MUST NOT be re-used, except in some error cases that are specified in Section 10.9.
在接收到EAP响应/SIM/Start之后,EAP服务器获得n个GSM三元组以用于认证订户,其中n=2或n=3。根据第7节中的规定,EAP服务器从三元组中派生出键控材料。可通过联系GSM网络上的认证中心(AuC)获得三元组;根据GSM规范,一次可获得1到5个三元组。三元组可以存储在EAP服务器中供以后使用,但三元组不得重复使用,第10.9节规定的某些错误情况除外。
The next EAP Request the EAP Server issues is of the type SIM and subtype Challenge (11). It contains the RAND challenges and a message authentication code attribute AT_MAC to cover the challenges. The AT_MAC attribute is a general message authentication code attribute that is used in many EAP-SIM messages.
EAP服务器发出的下一个EAP请求是SIM类型和子类型质询(11)。它包含RAND挑战和_MAC上的消息身份验证代码属性,以应对挑战。AT_MAC属性是在许多EAP-SIM消息中使用的通用消息身份验证码属性。
On receipt of the EAP-Request/SIM/Challenge message, the peer runs the GSM authentication algorithm and calculates a copy of the message authentication code. The peer then verifies that the calculated MAC equals the received MAC. If the MAC's do not match, then the peer
在收到EAP请求/SIM/质询消息时,对等方运行GSM认证算法并计算消息认证码的副本。然后,对等方验证计算出的MAC是否等于接收到的MAC。如果MAC不匹配,则对等机
sends the EAP-Response/SIM/Client-Error packet and the authentication exchange terminates.
发送EAP响应/SIM/客户端错误数据包,身份验证交换终止。
Since the RANDs given to a peer are accompanied by the message authentication code AT_MAC, and since the peer's NONCE_MT value contributes to AT_MAC, the peer is able to verify that the EAP-SIM message is fresh (i.e., not a replay) and that the sender possesses valid GSM triplets for the subscriber.
由于提供给对等方的RAND伴随着消息认证码AT_MAC,并且由于对等方的NONCE_MT值有助于AT_MAC,因此对等方能够验证EAP-SIM消息是新的(即,不是重播),并且发送方拥有订户的有效GSM三元组。
If all checks out, the peer responds with the EAP-Response/SIM/Challenge, containing the AT_MAC attribute that covers the peer's SRES response values (Section 9.4). The EAP server verifies that the MAC is correct. Because protected success indications are not used in this example, the EAP server sends the EAP-Success packet, indicating that the authentication was successful. (Protected success indications are discussed in Section 6.2.) The EAP server may also include derived keying material in the message it sends to the authenticator. The peer has derived the same keying material, so the authenticator does not forward the keying material to the peer along with EAP-Success.
如果全部签出,对等方将使用EAP响应/SIM/质询进行响应,其中包含覆盖对等方SRES响应值的AT_MAC属性(第9.4节)。EAP服务器验证MAC是否正确。由于本例中未使用受保护的成功指示,EAP服务器发送EAP成功数据包,指示身份验证成功。(第6.2节讨论了受保护的成功指示。)EAP服务器还可以在发送给认证者的消息中包含衍生密钥材料。对等方已派生相同的密钥材料,因此身份验证器不会将密钥材料与EAP成功一起转发给对等方。
EAP-SIM also includes a separate fast re-authentication procedure that does not make use of the A3/A8 algorithms or the GSM infrastructure. Fast re-authentication is based on keys derived on full authentication. If the peer has maintained state information for fast re-authentication and wants to use fast re-authentication, then the peer indicates this by using a specific fast re-authentication identity instead of the permanent identity or a pseudonym identity. The fast re-authentication procedure is described in Section 5.
EAP-SIM还包括一个单独的快速重新认证程序,该程序不使用A3/A8算法或GSM基础设施。快速重新身份验证基于完全身份验证派生的密钥。如果对等方维护了快速重新身份验证的状态信息,并且希望使用快速重新身份验证,则对等方通过使用特定的快速重新身份验证标识而不是永久标识或假名标识来指示这一点。第5节描述了快速重新认证过程。
EAP-SIM includes version negotiation so as to allow future developments in the protocol. The version negotiation is performed on full authentication and it uses two attributes, AT_VERSION_LIST, which the server always includes in EAP-Request/SIM/Start, and AT_SELECTED_VERSION, which the peer includes in EAP-Response/SIM/Start on full authentication.
EAP-SIM包括版本协商,以允许协议的未来发展。版本协商在完全身份验证时执行,它使用两个属性,即服务器始终包含在EAP请求/SIM/Start中的AT_version_列表和对等方在完全身份验证时包含在EAP响应/SIM/Start中的AT_SELECTED_version。
AT_VERSION_LIST includes the EAP-SIM versions supported by the server. If AT_VERSION_LIST does not include a version that is implemented by the peer and allowed in the peer's security policy, then the peer MUST send the EAP-Response/SIM/Client-Error packet (Section 9.7) to the server with the error code "unsupported version". If a suitable version is included, then the peer includes
AT_VERSION_列表包括服务器支持的EAP-SIM版本。如果AT_VERSION_列表中不包含由对等方实施并在对等方安全策略中允许的版本,则对等方必须向服务器发送EAP响应/SIM/客户端错误包(第9.7节),错误代码为“不支持的版本”。如果包括合适的版本,则对等方包括
the AT_SELECTED_VERSION attribute, containing the selected version in the EAP-Response/SIM/Start packet. The peer MUST only indicate a version that is included in the AT_VERSION_LIST. If several versions are acceptable, then the peer SHOULD choose the version that occurs first in the version list.
AT_SELECTED_VERSION属性,在EAP响应/SIM/Start数据包中包含所选版本。对等方必须仅指明AT_version_列表中包含的版本。如果可以接受多个版本,则对等方应选择版本列表中首先出现的版本。
The version number list of AT_VERSION_LIST and the selected version of AT_SELECTED_VERSION are included in the key derivation procedure (Section 7). If an attacker modifies either one of these attributes, then the peer and the server derive different keying material. Because K_aut keys are different, the server and peer calculate different AT_MAC values. Hence, the peer detects that AT_MAC, included in EAP-Request/SIM/Challenge, is incorrect and sends the EAP-Response/SIM/Client-Error packet. The authentication procedure terminates.
AT_版本列表的版本号列表和AT_所选版本的所选版本包含在密钥推导过程中(第7节)。如果攻击者修改这些属性中的任何一个,则对等方和服务器将派生不同的密钥材料。由于K_aut密钥不同,服务器和对等机计算的AT_MAC值不同。因此,对等方检测到包括在EAP请求/SIM/质询中的AT_MAC不正确,并发送EAP响应/SIM/客户端错误分组。身份验证过程终止。
In the beginning of EAP authentication, the Authenticator or the EAP server usually issues the EAP-Request/Identity packet to the peer. The peer responds with the EAP-Response/Identity, which contains the user's identity. The formats of these packets are specified in [RFC3748].
在EAP认证开始时,认证者或EAP服务器通常向对等方发出EAP请求/标识数据包。对等方使用包含用户标识的EAP响应/标识进行响应。[RFC3748]中规定了这些数据包的格式。
GSM subscribers are identified with the International Mobile Subscriber Identity (IMSI) [GSM-03.03]. The IMSI is a string of not more than 15 digits. It is composed of a three digit Mobile Country Code (MCC), a two or three digit Mobile Network Code (MNC), and a Mobile Subscriber Identification Number (MSIN) of no more than 10 digits. MCC and MNC uniquely identify the GSM operator and help identify the AuC from which the authentication vectors need to be retrieved for this subscriber.
GSM用户通过国际移动用户标识(IMSI)[GSM-03.03]识别。IMSI是一个不超过15位的字符串。它由三位移动国家代码(MCC)、两位或三位移动网络代码(MNC)和不超过10位的移动用户标识号(MSIN)组成。MCC和MNC唯一地标识GSM运营商,并帮助标识需要为此用户检索认证向量的AuC。
Internet AAA protocols identify users with the Network Access Identifier (NAI) [RFC4282]. When used in a roaming environment, the NAI is composed of a username and a realm, separated with "@" (username@realm). The username portion identifies the subscriber within the realm.
Internet AAA协议使用网络访问标识符(NAI)标识用户[RFC4282]。在漫游环境中使用时,NAI由用户名和域组成,用“@”分隔(username@realm). 用户名部分标识域中的订户。
This section specifies the peer identity format used in EAP-SIM. In this document, the term "identity" or "peer identity" refers to the whole identity string that is used to identify the peer. The peer
本节规定了EAP-SIM中使用的对等身份格式。在本文档中,术语“标识”或“对等标识”指用于标识对等方的整个标识字符串。同伴
identity may include a realm portion. "Username" refers to the portion of the peer identity that identifies the user, i.e., the username does not include the realm portion.
标识可以包括领域部分。“用户名”是指对等身份中标识用户的部分,即用户名不包括领域部分。
EAP-SIM includes optional identity privacy (anonymity) support that can be used to hide the cleartext permanent identity and thereby make the subscriber's EAP exchanges untraceable to eavesdroppers. Because the permanent identity never changes, revealing it would help observers to track the user. The permanent identity is usually based on the IMSI, which may further help the tracking, because the same identifier may be used in other contexts as well. Identity privacy is based on temporary identities, or pseudonyms, which are equivalent to but separate from the Temporary Mobile Subscriber Identities (TMSI) that are used on cellular networks. Please see Section 12.2 for security considerations regarding identity privacy.
EAP-SIM包括可选的身份隐私(匿名)支持,可用于隐藏明文永久身份,从而使窃听者无法追踪订户的EAP交换。因为永久身份永远不会改变,透露它将有助于观察者跟踪用户。永久身份通常基于IMSI,这可能进一步有助于跟踪,因为相同的标识符也可以在其他上下文中使用。身份隐私基于临时身份或假名,与蜂窝网络上使用的临时移动用户身份(TMSI)相同,但不同。有关身份隐私的安全注意事项,请参见第12.2节。
There are three types of usernames in EAP-SIM peer identities:
EAP-SIM对等身份中有三种类型的用户名:
(1) Permanent usernames. For example, 1123456789098765@myoperator.com might be a valid permanent identity. In this example, 1123456789098765 is the permanent username.
(1) 永久用户名。例如1123456789098765@myoperator.com可能是一个有效的永久身份。在本例中,1123456789098765是永久用户名。
(2) Pseudonym usernames. For example, 3s7ah6n9q@myoperator.com might be a valid pseudonym identity. In this example, 3s7ah6n9q is the pseudonym username.
(2) 假名用户名。例如3s7ah6n9q@myoperator.com可能是有效的笔名身份。在本例中,3s7ah6n9q是假名用户名。
(3) Fast re-authentication usernames. For example, 53953754@myoperator.com might be a valid fast re-authentication identity. In this case, 53953754 is the fast re-authentication username. Unlike permanent usernames and pseudonym usernames, fast re-authentication usernames are one-time identifiers, which are not re-used across EAP exchanges.
(3) 快速重新验证用户名。例如53953754@myoperator.com可能是有效的快速重新身份验证标识。在本例中,53953754是快速重新验证用户名。与永久用户名和假名不同,快速重新身份验证用户名是一次性标识符,不会在EAP交换中重复使用。
The first two types of identities are used only on full authentication and the last one only on fast re-authentication. When the optional identity privacy support is not used, the non-pseudonym permanent identity is used on full authentication. The fast re-authentication exchange is specified in Section 5.
前两种身份仅用于完全身份验证,最后一种身份仅用于快速重新身份验证。如果未使用可选身份隐私支持,则在完全身份验证时使用非笔名永久身份。第5节规定了快速重新认证交换。
In some environments, the peer may need to decorate the identity by prepending or appending the username with a string, in order to indicate supplementary AAA routing information in addition to the NAI
在某些环境中,对等方可能需要通过在用户名前面加上字符串或在用户名后面加上字符串来修饰身份,以指示除NAI之外的补充AAA路由信息
realm. (The usage of an NAI realm portion is not considered decoration.) Username decoration is out of the scope of this document. However, it should be noted that username decoration might prevent the server from recognizing a valid username. Hence, although the peer MAY use username decoration in the identities that the peer includes in EAP-Response/Identity, and although the EAP server MAY accept a decorated peer username in this message, the peer or the EAP server MUST NOT decorate any other peer identities that are used in various EAP-SIM attributes. Only the identity used in the EAP-Response/Identity may be decorated.
领域(NAI领域部分的使用不被视为修饰。)用户名修饰不在本文档的范围内。但是,应该注意,用户名修饰可能会阻止服务器识别有效的用户名。因此,尽管对等方可以在其包括在EAP响应/标识中的标识中使用用户名修饰,并且尽管EAP服务器可以在该消息中接受修饰的对等方用户名,但是对等方或EAP服务器不得修饰在各种EAP-SIM属性中使用的任何其他对等方标识。只能修饰EAP响应/标识中使用的标识。
The peer MAY include a realm portion in the peer identity, as per the NAI format. The use of a realm portion is not mandatory.
根据NAI格式,对等方可以在对等方身份中包括领域部分。领域部分的使用不是强制性的。
If a realm is used, the realm MAY be chosen by the subscriber's home operator and it MAY be a configurable parameter in the EAP-SIM peer implementation. In this case, the peer is typically configured with the NAI realm of the home operator. Operators MAY reserve a specific realm name for EAP-SIM users. This convention makes it easy to recognize that the NAI identifies a GSM subscriber. Such a reserved NAI realm may be a useful hint as to the first authentication method to use during method negotiation. When the peer is using a pseudonym username instead of the permanent username, the peer selects the realm name portion similarly as it select the realm portion when using the permanent username.
如果使用领域,则该领域可由订户的家庭运营商选择,并且它可以是EAP-SIM对等实现中的可配置参数。在这种情况下,对等方通常配置家庭运营商的NAI领域。运营商可以为EAP-SIM用户保留特定的域名。该约定使得容易识别NAI识别GSM用户。这样的保留NAI域可能是关于在方法协商期间使用的第一个身份验证方法的有用提示。当对等方使用假名用户名而不是永久用户名时,对等方选择领域名称部分的方式与使用永久用户名时选择领域部分的方式类似。
If no configured realm name is available, the peer MAY derive the realm name from the MCC and MNC portions of the IMSI. A RECOMMENDED way to derive the realm from the IMSI using the realm 3gppnetwork.org is specified in [3GPP-TS-23.003].
如果没有配置的领域名称可用,对等方可以从IMSI的MCC和MNC部分派生领域名称。[3GPP-TS-23.003]中规定了使用领域3gppnetwork.org从IMSI派生领域的推荐方法。
Some old implementations derive the realm name from the IMSI by concatenating "mnc", the MNC digits of IMSI, ".mcc", the MCC digits of IMSI, and ".owlan.org". For example, if the IMSI is 123456789098765, and the MNC is three digits long, then the derived realm name is "mnc456.mcc123.owlan.org". As there are no DNS servers running at owlan.org, these realm names can only be used with manually configured AAA routing. New implementations SHOULD use the mechanism specified in [3GPP-TS-23.003] instead of owlan.org.
一些旧的实现通过连接“mnc”、IMSI的mnc数字、.mcc、IMSI的mcc数字和“.owlan.org”从IMSI派生领域名称。例如,如果IMSI是123456789098765,MNC是三位数,那么派生的领域名称是“mnc456.mcc123.owlan.org”。由于owlan.org上没有运行DNS服务器,这些域名只能与手动配置的AAA路由一起使用。新的实现应该使用[3GPP-TS-23.003]中指定的机制,而不是owlan.org。
The IMSI is a string of digits without any explicit structure, so the peer may not be able to determine the length of the MNC portion. If the peer is not able to determine whether the MNC is two or three digits long, the peer MAY use a 3-digit MNC. If the correct length of the MNC is two, then the MNC used in the realm name includes the first digit of the MSIN. Hence, when configuring AAA networks for
IMSI是没有任何显式结构的一串数字,因此对等方可能无法确定MNC部分的长度。如果对等方无法确定跨国公司的长度是两位数还是三位数,则对等方可以使用三位数的跨国公司。如果MNC的正确长度为2,则领域名称中使用的MNC包括MSIN的第一位数字。因此,在为配置AAA网络时
operators that have 2-digit MNCs, the network SHOULD also be prepared for realm names with incorrect, 3-digit MNCs.
如果运营商拥有两位数的跨国公司,网络还应准备好使用不正确的三位数跨国公司的域名。
The non-pseudonym permanent username SHOULD be derived from the IMSI. In this case, the permanent username MUST be of the format "1" | IMSI, where the character "|" denotes concatenation. In other words, the first character of the username is the digit one (ASCII value 31 hexadecimal), followed by the IMSI. The IMSI is encoded as an ASCII string that consists of not more than 15 decimal digits (ASCII values between 30 and 39 hexadecimal), one character per IMSI digit, in the order specified in [GSM-03.03]. For example, a permanent username derived from the IMSI 295023820005424 would be encoded as the ASCII string "1295023820005424" (byte values in hexadecimal notation: 31 32 39 35 30 32 33 38 32 30 30 30 35 34 32 34).
非笔名永久用户名应来自IMSI。在这种情况下,永久用户名的格式必须为“1”| IMSI,其中字符“|”表示串联。换句话说,用户名的第一个字符是数字1(ASCII值31十六进制),后跟IMSI。IMSI编码为ASCII字符串,该字符串由不超过15个十进制数字(30到39个十六进制之间的ASCII值)组成,每个IMSI数字一个字符,按照[GSM-03.03]中规定的顺序。例如,从IMSI 295023820005424派生的永久用户名将被编码为ASCII字符串“1295023820005424”(十六进制表示法的字节值:31 32 39 35 32 33 32 30 34)。
The EAP server MAY use the leading "1" as a hint to try EAP-SIM as the first authentication method during method negotiation, rather than, for example EAP/AKA. The EAP-SIM server MAY propose EAP-SIM, even if the leading character was not "1".
EAP服务器可以使用前导的“1”作为提示,在方法协商期间尝试EAP-SIM作为第一认证方法,而不是例如EAP/AKA。EAP-SIM服务器可以提议EAP-SIM,即使主角不是“1”。
Alternatively, an implementation MAY choose a permanent username that is not based on the IMSI. In this case, the selection of the username, its format, and its processing is out of the scope of this document. In this case, the peer implementation MUST NOT prepend any leading characters to the username.
或者,实现可以选择不基于IMSI的永久用户名。在这种情况下,用户名的选择、格式及其处理超出了本文档的范围。在这种情况下,对等实现不能在用户名前加任何前导字符。
4.2.1.7. Generating Pseudonyms and Fast Re-authentication Identities by the Server
4.2.1.7. 由服务器生成假名和快速重新身份验证身份
Pseudonym usernames and fast re-authentication identities are generated by the EAP server. The EAP server produces pseudonym usernames and fast re-authentication identities in an implementation-dependent manner. Only the EAP server needs to be able to map the pseudonym username to the permanent identity, or to recognize a fast re-authentication identity.
笔名用户名和快速重新身份验证标识由EAP服务器生成。EAP服务器以依赖于实现的方式生成假名用户名和快速重新身份验证标识。只有EAP服务器需要能够将假名用户名映射到永久身份,或者识别快速重新身份验证身份。
EAP-SIM includes no provisions to ensure that the same EAP server that generated a pseudonym username will be used on the authentication exchange when the pseudonym username is used. It is recommended that the EAP servers implement some centralized mechanism to allow all EAP servers of the home operator to map pseudonyms generated by other severs to the permanent identity. If no such mechanism is available, then the EAP server failing to understand a pseudonym issued by another server can request the that peer send the permanent identity.
EAP-SIM不包括确保在使用假名用户名时在身份验证交换上使用生成假名用户名的同一EAP服务器的规定。建议EAP服务器实施某种集中式机制,以允许家庭运营商的所有EAP服务器将其他服务器生成的假名映射到永久身份。如果没有这样的机制可用,则EAP服务器无法理解另一台服务器发出的假名,可以请求该对等方发送永久身份。
When issuing a fast re-authentication identity, the EAP server may include a realm name in the identity to make the fast re-authentication request be forwarded to the same EAP server.
当发出快速重新认证标识时,EAP服务器可在标识中包括领域名称,以使快速重新认证请求转发到同一EAP服务器。
When generating fast re-authentication identities, the server SHOULD choose a fresh, new fast re-authentication identity that is different from the previous ones that were used after the same full authentication exchange. A full authentication exchange and the associated fast re-authentication exchanges are referred to here as the same "full authentication context". The fast re-authentication identity SHOULD include a random component. This random component works as a full authentication context identifier. A context-specific fast re-authentication identity can help the server to detect whether its fast re-authentication state information matches that of its peer (in other words, whether the state information is from the same full authentication exchange). The random component also makes the fast re-authentication identities unpredictable, so an attacker cannot initiate a fast re-authentication exchange to get the server's EAP-Request/SIM/ Re-authentication packet.
在生成快速重新身份验证标识时,服务器应选择一个新的快速重新身份验证标识,该标识不同于在相同的完全身份验证交换之后使用的先前标识。完全认证交换和相关联的快速重新认证交换在这里被称为相同的“完全认证上下文”。快速重新身份验证标识应包含随机组件。此随机组件用作完整身份验证上下文标识符。特定于上下文的快速重新身份验证标识可以帮助服务器检测其快速重新身份验证状态信息是否与其对等方的状态信息匹配(换句话说,状态信息是否来自同一完全身份验证交换)。随机组件还使快速重新身份验证身份不可预测,因此攻击者无法启动快速重新身份验证交换以获取服务器的EAP请求/SIM/重新身份验证数据包。
Transmitting pseudonyms and fast re-authentication identities from the server to the peer is discussed in Section 4.2.1.8. The pseudonym is transmitted as a username, without an NAI realm, and the fast re-authentication identity is transmitted as a complete NAI, including a realm portion if a realm is required. The realm is included in the fast re-authentication identity to allow the server to include a server-specific realm.
第4.2.1.8节讨论了从服务器向对等方传输假名和快速重新认证身份。笔名作为用户名传输,没有NAI领域,快速重新认证身份作为完整的NAI传输,如果需要领域,则包括领域部分。域包含在快速重新身份验证标识中,以允许服务器包含特定于服务器的域。
Regardless of the construction method, the pseudonym username MUST conform to the grammar specified for the username portion of an NAI. The fast re-authentication identity also MUST conform to the NAI grammar. The EAP servers that the subscribers of an operator can use MUST ensure that the pseudonym usernames and the username portions used in fast re-authentication identities they generate are unique.
无论构造方法如何,假名用户名必须符合NAI用户名部分指定的语法。快速重新身份验证标识还必须符合NAI语法。运营商的订户可以使用的EAP服务器必须确保其生成的快速重新认证身份中使用的假名用户名和用户名部分是唯一的。
In any case, it is necessary that permanent usernames, pseudonym usernames, and fast re-authentication usernames are separate and recognizable from each other. It is also desirable that EAP-SIM and EAP-AKA [EAP-AKA] usernames be distinguishable from each other as an aid for the server on which method to offer.
在任何情况下,永久用户名、假名用户名和快速重新身份验证用户名都必须相互分离并可识别。还希望EAP-SIM和EAP-AKA[EAP-AKA]用户名能够彼此区分,以帮助服务器提供方法。
In general, it is the task of the EAP server and the policies of its administrator to ensure sufficient separation of the usernames. Pseudonym usernames and fast re-authentication usernames are both produced and used by the EAP server. The EAP server MUST compose pseudonym usernames and fast re-authentication usernames so that it can determine if an NAI username is an EAP-SIM pseudonym username or
通常,EAP服务器及其管理员的任务是确保用户名的充分分离。笔名用户名和快速重新身份验证用户名均由EAP服务器生成和使用。EAP服务器必须组成假名用户名和快速重新身份验证用户名,以便确定NAI用户名是EAP-SIM假名用户名还是其他用户名
an EAP-SIM fast re-authentication username. For instance, when the usernames have been derived from the IMSI, the server could use different leading characters in the pseudonym usernames and fast re-authentication usernames (e.g., the pseudonym could begin with a leading "3" character). When mapping a fast re-authentication identity to a permanent identity, the server SHOULD only examine the username portion of the fast re-authentication identity and ignore the realm portion of the identity.
EAP-SIM快速重新认证用户名。例如,当用户名来自IMSI时,服务器可以在假名用户名和快速重新认证用户名中使用不同的前导字符(例如,假名可以以前导“3”字符开头)。将快速重新身份验证标识映射到永久标识时,服务器应仅检查快速重新身份验证标识的用户名部分,而忽略标识的领域部分。
Because the peer may fail to save a pseudonym username sent in an EAP-Request/SIM/Challenge, for example due to malfunction, the EAP server SHOULD maintain at least the most recently used pseudonym username in addition to the most recently issued pseudonym username. If the authentication exchange is not completed successfully, then the server SHOULD NOT overwrite the pseudonym username that was issued during the most recent successful authentication exchange.
由于对等方可能无法保存在EAP请求/SIM/Challenge中发送的假名用户名,例如由于故障,因此EAP服务器除了保留最近发布的假名用户名外,还应至少保留最近使用的假名用户名。如果身份验证交换未成功完成,则服务器不应覆盖最近一次成功身份验证交换期间发出的假名用户名。
4.2.1.8. Transmitting Pseudonyms and Fast Re-authentication Identities to the Peer
4.2.1.8. 向对等方传输假名和快速重新认证身份
The server transmits pseudonym usernames and fast re-authentication identities to the peer in cipher, using the AT_ENCR_DATA attribute.
服务器使用AT_ENCR_DATA属性以密码方式将假名用户名和快速重新身份验证身份传输给对等方。
The EAP-Request/SIM/Challenge message MAY include an encrypted pseudonym username and/or an encrypted fast re-authentication identity in the value field of the AT_ENCR_DATA attribute. Because identity privacy support and fast re-authentication are optional implementations, the peer MAY ignore the AT_ENCR_DATA attribute and always use the permanent identity. On fast re-authentication (discussed in Section 5), the server MAY include a new, encrypted fast re-authentication identity in the EAP-Request/SIM/Re-authentication message.
EAP请求/SIM/质询消息可以在AT_ENCR_数据属性的值字段中包括加密的假名用户名和/或加密的快速重新认证标识。由于身份隐私支持和快速重新身份验证是可选实现,对等方可能会忽略AT_ENCR_数据属性,并始终使用永久身份。关于快速重新认证(在第5节中讨论),服务器可在EAP请求/SIM/重新认证消息中包括新的、加密的快速重新认证标识。
On receipt of the EAP-Request/SIM/Challenge, the peer MAY decrypt the encrypted data in AT_ENCR_DATA. If the authentication exchange is successful, and the encrypted data includes a pseudonym username, then the peer may use the obtained pseudonym username on the next full authentication. If a fast re-authentication identity is included, then the peer MAY save it together with other fast re-authentication state information, as discussed in Section 5, for the next fast re-authentication. If the authentication exchange does not complete successfully, the peer MUST ignore the received pseudonym username and the fast re-authentication identity.
在接收到EAP请求/SIM/质询时,对等方可以解密AT_ENCR_数据中的加密数据。如果认证交换成功,并且加密数据包括假名用户名,则对等方可以在下一次完全认证时使用获得的假名用户名。如果包括快速重新认证标识,则对等方可将其与其他快速重新认证状态信息一起保存,如第5节所述,以用于下一次快速重新认证。如果身份验证交换未成功完成,对等方必须忽略收到的假名用户名和快速重新身份验证标识。
If the peer does not receive a new pseudonym username in the EAP-Request/SIM/Challenge message, the peer MAY use an old pseudonym username instead of the permanent username on the next full authentication. The username portions of fast re-authentication
如果对等方在EAP请求/SIM/质询消息中未收到新的假名用户名,则对等方可在下一次完全身份验证时使用旧的假名用户名而不是永久用户名。快速重新身份验证的用户名部分
identities are one-time usernames, which the peer MUST NOT re-use. When the peer uses a fast re-authentication identity in an EAP exchange, the peer MUST discard the fast re-authentication identity and not re-use it in another EAP authentication exchange, even if the authentication exchange was not completed.
身份是一次性用户名,对等方不得重复使用。当对等方在EAP交换中使用快速重新身份验证标识时,该对等方必须放弃该快速重新身份验证标识,并且不得在另一个EAP身份验证交换中重新使用它,即使身份验证交换未完成。
When the optional identity privacy support is used on full authentication, the peer MAY use a pseudonym username received as part of a previous full authentication sequence as the username portion of the NAI. The peer MUST NOT modify the pseudonym username received in AT_NEXT_PSEUDONYM. However, as discussed above, the peer MAY need to decorate the username in some environments by appending or prepending the username with a string that indicates supplementary AAA routing information.
当在完全认证上使用可选的身份隐私支持时,对等方可以使用作为先前完全认证序列的一部分接收的假名用户名作为NAI的用户名部分。对等方不得修改AT_NEXT_假名中接收的假名用户名。然而,如上所述,在某些环境中,对等方可能需要通过在用户名后面附加或前面加上表示补充AAA路由信息的字符串来修饰用户名。
When using a pseudonym username in an environment where a realm portion is used, the peer concatenates the received pseudonym username with the "@" character and an NAI realm portion. The selection of the NAI realm is discussed above. The peer can select the realm portion similarly, regardless of whether it uses the permanent username or a pseudonym username.
在使用领域部分的环境中使用假名用户名时,对等方将收到的假名用户名与“@”字符和NAI领域部分连接起来。上文讨论了NAI领域的选择。对等方可以类似地选择领域部分,而不管它使用的是永久用户名还是假名用户名。
On fast re-authentication, the peer uses the fast re-authentication identity that was received as part of the previous authentication sequence. A new re-authentication identity may be delivered as part of both full authentication and fast re-authentication. The peer MUST NOT modify the username part of the fast re-authentication identity received in AT_NEXT_REAUTH_ID, except in cases when username decoration is required. Even in these cases, the "root" fast re-authentication username must not be modified, but it may be appended or prepended with another string.
在快速重新认证时,对等方使用作为先前认证序列的一部分接收的快速重新认证标识。新的重新认证标识可以作为完全认证和快速重新认证的一部分进行交付。对等方不得修改AT_NEXT_REAUTH_ID中接收的快速重新身份验证标识的用户名部分,除非需要修改用户名。即使在这些情况下,也不能修改“root”快速重新身份验证用户名,但可以用另一个字符串将其追加或加在前面。
The peer identity MAY be communicated to the server with the EAP-Response/Identity message. This message MAY contain the permanent identity, a pseudonym identity, or a fast re-authentication identity. If the peer uses the permanent identity or a pseudonym identity, which the server is able to map to the permanent identity, then the authentication proceeds as discussed in the overview of Section 3. If the peer uses a fast re-authentication identity, and if the fast re-authentication identity matches with a valid fast
对等身份可以通过EAP响应/身份消息传送给服务器。此消息可能包含永久身份、假名身份或快速重新身份验证身份。如果对等方使用服务器能够映射到永久身份的永久身份或假名身份,则认证按照第3节概述中的讨论进行。对等方是否使用快速重新身份验证标识,以及快速重新身份验证标识是否与有效的快速重新身份验证标识匹配
re-authentication identity maintained by the server, and if the server agrees to use fast re-authentication, then a fast re-authentication exchange is performed, as described in Section 5.
由服务器维护的重新身份验证,如果服务器同意使用快速重新身份验证,则执行快速重新身份验证交换,如第5节所述。
The peer identity can also be transmitted from the peer to the server using EAP-SIM messages instead of the EAP-Response/Identity. In this case, the server includes an identity-requesting attribute (AT_ANY_ID_REQ, AT_FULLAUTH_ID_REQ or AT_PERMANENT_ID_REQ) in the EAP-Request/SIM/Start message, and the peer includes the AT_IDENTITY attribute, which contains the peer's identity, in the EAP-Response/SIM/Start message. The AT_ANY_ID_REQ attribute is a general identity-requesting attribute, which the server uses if it does not specify which kind of an identity the peer should return in AT_IDENTITY. The server uses the AT_FULLAUTH_ID_REQ attribute to request either the permanent identity or a pseudonym identity. The server uses the AT_PERMANENT_ID_REQ attribute to request that the peer send its permanent identity.
还可以使用EAP-SIM消息(而不是EAP响应/标识)将对等身份从对等传输到服务器。在这种情况下,服务器在EAP请求/SIM/Start消息中包括身份请求属性(AT_ANY_ID_REQ、AT_FULLAUTH_ID_REQ或AT_PERMANENT_ID_REQ),对等方在EAP响应/SIM/Start消息中包括包含对等方身份的AT_标识属性。AT_ANY_ID_REQ属性是一个通用的身份请求属性,如果服务器没有指定对等方应在AT_标识中返回哪种身份,则会使用该属性。服务器使用AT_FULLAUTH_ID_REQ属性请求永久身份或假名身份。服务器使用AT_PERMANENT_ID_REQ属性请求对等方发送其永久标识。
The identity format in the AT_IDENTITY attribute is the same as in the EAP-Response/Identity packet (except that identity decoration is not allowed). The AT_IDENTITY attribute contains a permanent identity, a pseudonym identity, or a fast re-authentication identity.
AT_identity属性中的标识格式与EAP响应/标识数据包中的标识格式相同(但不允许进行标识修饰)。AT_IDENTITY属性包含永久身份、假名身份或快速重新身份验证身份。
Please note that the EAP-SIM peer and the EAP-SIM server only process the AT_IDENTITY attribute; entities that only pass through EAP packets do not process this attribute. Hence, the authenticator and other intermediate AAA elements (such as possible AAA proxy servers) will continue to refer to the peer with the original identity from the EAP-Response/Identity packet unless the identity authenticated in the AT_IDENTITY attribute is communicated to them in another way within the AAA protocol.
请注意,EAP-SIM对等方和EAP-SIM服务器仅处理AT_标识属性;仅通过EAP数据包的实体不处理此属性。因此,认证器和其他中间AAA元素(例如可能的AAA代理服务器)将继续引用具有来自EAP响应/标识分组的原始标识的对等方,除非在AT_标识属性中认证的标识在AAA协议内以另一种方式传送给它们。
The EAP-Response/Identity packet is not method-specific, so in many implementations it may be handled by an EAP Framework. This introduces an additional layer of processing between the EAP peer and EAP server. The extra layer of processing may cache identity responses or add decorations to the identity. A modification of the identity response will cause the EAP peer and EAP server to use different identities in the key derivation, which will cause the protocol to fail.
EAP响应/标识数据包不是特定于方法的,因此在许多实现中,它可能由EAP框架处理。这在EAP对等机和EAP服务器之间引入了额外的处理层。额外的处理层可以缓存身份响应或为身份添加修饰。修改标识响应将导致EAP对等方和EAP服务器在密钥派生中使用不同的标识,这将导致协议失败。
For this reason, it is RECOMMENDED that the EAP peer and server use the method-specific identity attributes in EAP-SIM, and the server is strongly discouraged from relying upon the EAP-Response/Identity.
因此,建议EAP对等方和服务器使用EAP-SIM中特定于方法的标识属性,强烈建议服务器不要依赖EAP响应/标识。
In particular, if the EAP server receives a decorated identity in EAP-Response/Identity, then the EAP server MUST use the identity-requesting attributes to request that the peer send an unmodified and undecorated copy of the identity in AT_IDENTITY.
特别是,如果EAP服务器在EAP响应/标识中接收到修饰的标识,则EAP服务器必须使用标识请求属性请求对等方在AT_标识中发送未修改和未修饰的标识副本。
If EAP-SIM peer is started upon receiving an EAP-Request/Identity message, then the peer MAY use an EAP-SIM identity in the EAP-Response/Identity packet. In this case, the peer performs the following steps.
如果EAP-SIM对等方在接收到EAP请求/标识消息时启动,则该对等方可以在EAP响应/标识分组中使用EAP-SIM标识。在这种情况下,对等方执行以下步骤。
If the peer has maintained fast re-authentication state information and wants to use fast re-authentication, then the peer transmits the fast re-authentication identity in EAP-Response/Identity.
如果对等方维护了快速重新认证状态信息并希望使用快速重新认证,则对等方在EAP响应/标识中传输快速重新认证标识。
Else, if the peer has a pseudonym username available, then the peer transmits the pseudonym identity in EAP-Response/Identity.
否则,如果对等方具有可用的假名用户名,则对等方在EAP响应/标识中传输假名标识。
In other cases, the peer transmits the permanent identity in EAP-Response/Identity.
在其他情况下,对等方在EAP响应/标识中传输永久标识。
As discussed in Section 4.2.2.2, the server SHOULD NOT rely on an identity string received in EAP-Response/Identity. Therefore, the RECOMMENDED way to start an EAP-SIM exchange is to ignore any received identity strings. The server SHOULD begin the EAP-SIM exchange by issuing the EAP-Request/SIM/Start packet with an identity-requesting attribute to indicate that the server wants the peer to include an identity in the AT_IDENTITY attribute of the EAP-Response/SIM/Start message. Three methods to request an identity from the peer are discussed below.
如第4.2.2.2节所述,服务器不应依赖EAP响应/标识中接收的标识字符串。因此,建议启动EAP-SIM交换的方法是忽略任何接收到的标识字符串。服务器应通过发出具有身份请求属性的EAP请求/SIM/Start数据包开始EAP-SIM交换,以指示服务器希望对等方在EAP响应/SIM/Start消息的AT_标识属性中包含身份。下面讨论从对等方请求身份的三种方法。
If the server chooses not to ignore the contents of EAP-Response/Identity, then the server may have already received an EAP-SIM identity in this packet. However, if the EAP server has not received any EAP-SIM peer identity (permanent identity, pseudonym identity, or fast re-authentication identity) from the peer when sending the first EAP-SIM request, or if the EAP server has received an EAP-Response/Identity packet but the contents do not appear to be a valid permanent identity, pseudonym identity or a re-authentication identity, then the server MUST request an identity from the peer using one of the methods below.
如果服务器选择不忽略EAP响应/标识的内容,则服务器可能已在此数据包中接收到EAP-SIM标识。但是,如果EAP服务器在发送第一个EAP-SIM请求时未从对等方接收到任何EAP-SIM对等方身份(永久身份、假名身份或快速重新认证身份),或者如果EAP服务器已接收到EAP响应/身份数据包,但内容似乎不是有效的永久身份,如果使用假名身份或重新身份验证身份,则服务器必须使用以下方法之一从对等方请求身份。
The server sends the EAP-Request/SIM/Start message with the AT_PERMANENT_ID_REQ attribute to indicate that the server wants the peer to include the permanent identity in the AT_IDENTITY attribute
服务器发送带有AT_PERMANENT_ID_REQ属性的EAP Request/SIM/Start消息,以指示服务器希望对等方在AT_identity属性中包含永久标识
of the EAP-Response/SIM/Start message. This is done in the following cases:
EAP响应/SIM/启动消息的。这是在以下情况下完成的:
o The server does not support fast re-authentication or identity privacy.
o 服务器不支持快速重新身份验证或身份隐私。
o The server decided to process a received identity, and the server recognizes the received identity as a pseudonym identity but the server is not able to map the pseudonym identity to a permanent identity.
o 服务器决定处理接收到的标识,并且服务器将接收到的标识识别为假名标识,但服务器无法将假名标识映射为永久标识。
The server issues the EAP-Request/SIM/Start packet with the AT_FULLAUTH_ID_REQ attribute to indicate that the server wants the peer to include a full authentication identity (pseudonym identity or permanent identity) in the AT_IDENTITY attribute of the EAP-Response/SIM/Start message. This is done in the following cases:
服务器发出具有AT_FULLAUTH_ID_REQ属性的EAP Request/SIM/Start数据包,以指示服务器希望对等方在EAP响应/SIM/Start消息的AT_标识属性中包含完整身份验证标识(笔名标识或永久标识)。这是在以下情况下完成的:
o The server does not support fast re-authentication and the server supports identity privacy.
o 服务器不支持快速重新身份验证,并且服务器支持身份隐私。
o The server decided to process a received identity, and the server recognizes the received identity as a re-authentication identity but the server is not able to map the re-authentication identity to a permanent identity.
o 服务器决定处理接收到的标识,并且服务器将接收到的标识识别为重新身份验证标识,但服务器无法将重新身份验证标识映射到永久标识。
The server issues the EAP-Request/SIM/Start packet with the AT_ANY_ID_REQ attribute to indicate that the server wants the peer to include an identity in the AT_IDENTITY attribute of the EAP-Response/SIM/Start message, and the server does not indicate any preferred type for the identity. This is done in other cases, such as when the server ignores a received EAP-Response/Identity, the server does not have any identity, or the server does not recognize the format of a received identity.
服务器发出带有AT_ANY_ID_REQ属性的EAP Request/SIM/Start数据包,以指示服务器希望对等方在EAP响应/SIM/Start消息的AT_标识属性中包含标识,并且服务器不指示标识的任何首选类型。在其他情况下,例如当服务器忽略接收到的EAP响应/标识时,服务器没有任何标识,或者服务器无法识别接收到的标识的格式时,可以执行此操作。
Upon receipt of an EAP-Request/SIM/Start message, the peer MUST perform the following steps.
在收到EAP请求/SIM/启动消息后,对等方必须执行以下步骤。
If the EAP-Request/SIM/Start does not include an identity request attribute, then the peer responds with EAP-Response/SIM/Start without AT_IDENTITY. The peer includes the AT_SELECTED_VERSION and AT_NONCE_MT attributes, because the exchange is a full authentication exchange.
如果EAP请求/SIM/Start不包含标识请求属性,则对等方使用EAP响应/SIM/Start进行响应,而不使用AT_标识。对等方包括AT_SELECTED_VERSION和AT_NONCE_MT属性,因为交换是完全身份验证交换。
If the EAP-Request/SIM/Start includes AT_PERMANENT_ID_REQ, and if the peer does not have a pseudonym available, then the peer MUST respond with EAP-Response/SIM/Start and include the permanent identity in
如果EAP请求/SIM/Start包含AT_PERMANENT_ID_REQ,并且对等方没有可用的假名,则对等方必须使用EAP Response/SIM/Start进行响应,并将永久身份包含在请求中
AT_IDENTITY. If the peer has a pseudonym available, then the peer MAY refuse to send the permanent identity; hence, in this case the peer MUST either respond with EAP-Response/SIM/Start and include the permanent identity in AT_IDENTITY or respond with EAP-Response/SIM/ Client-Error packet with the code "unable to process packet".
AT_身份。如果对等方有可用的笔名,则对等方可拒绝发送永久身份;因此,在这种情况下,对等方必须要么响应EAP响应/SIM/Start并在AT_标识中包含永久标识,要么响应代码为“无法处理数据包”的EAP响应/SIM/客户端错误数据包。
If the EAP-Request/SIM/Start includes AT_FULL_AUTH_ID_REQ, and if the peer has a pseudonym available, then the peer SHOULD respond with EAP-Response/SIM/Start and include the pseudonym identity in AT_IDENTITY. If the peer does not have a pseudonym when it receives this message, then the peer MUST respond with EAP-Response/SIM/Start and include the permanent identity in AT_IDENTITY. The Peer MUST NOT use a re-authentication identity in the AT_IDENTITY attribute.
如果EAP请求/SIM/Start包含AT_FULL_AUTH_ID_REQ,并且如果对等方具有可用的假名,则对等方应使用EAP响应/SIM/Start进行响应,并将假名标识包含在AT_标识中。如果对等方在收到此消息时没有假名,则对等方必须使用EAP Response/SIM/Start进行响应,并在AT_标识中包含永久标识。对等方不得在AT_标识属性中使用重新身份验证标识。
If the EAP-Request/SIM/Start includes AT_ANY_ID_REQ, and if the peer has maintained fast re-authentication state information and the peer wants to use fast re-authentication, then the peer responds with EAP-Response/SIM/Start and includes the fast re-authentication identity in AT_IDENTITY. Else, if the peer has a pseudonym identity available, then the peer responds with EAP-Response/SIM/Start and includes the pseudonym identity in AT_IDENTITY. Else, the peer responds with EAP-Response/SIM/Start and includes the permanent identity in AT_IDENTITY.
如果EAP请求/SIM/Start包含AT_任何ID_请求,并且如果对等方维护了快速重新认证状态信息,并且对等方希望使用快速重新认证,则对等方使用EAP响应/SIM/Start进行响应,并在AT_标识中包含快速重新认证标识。否则,如果对等方具有可用的假名标识,则对等方使用EAP Response/SIM/Start进行响应,并将假名标识包含在AT_标识中。否则,对等方用EAP Response/SIM/Start进行响应,并将永久身份包含在AT_identity中。
An EAP-SIM exchange may include several EAP/SIM/Start rounds. The server may issue a second EAP-Request/SIM/Start if it was not able to recognize the identity that the peer used in the previous AT_IDENTITY attribute. At most, three EAP/SIM/Start rounds can be used, so the peer MUST NOT respond to more than three EAP-Request/SIM/Start messages within an EAP exchange. The peer MUST verify that the sequence of EAP-Request/SIM/Start packets that the peer receives comply with the sequencing rules defined in this document. That is, AT_ANY_ID_REQ can only be used in the first EAP-Request/SIM/Start; in other words, AT_ANY_ID_REQ MUST NOT be used in the second or third EAP-Request/SIM/Start. AT_FULLAUTH_ID_REQ MUST NOT be used if the previous EAP-Request/SIM/Start included AT_PERMANENT_ID_REQ. The peer operation, in cases when it receives an unexpected attribute or an unexpected message, is specified in Section 6.3.1.
EAP-SIM交换机可能包括多个EAP/SIM/启动轮次。如果服务器无法识别对等方在上一个AT_标识属性中使用的标识,则可能会发出第二个EAP请求/SIM/Start。最多可以使用三个EAP/SIM/Start轮次,因此对等方在一个EAP交换中响应的EAP请求/SIM/Start消息不得超过三个。对等方必须验证对等方接收的EAP请求/SIM/启动数据包的顺序是否符合本文档中定义的顺序规则。也就是说,AT_ANY_ID_REQ只能在第一个EAP请求/SIM/Start中使用;换句话说,在第二个或第三个EAP请求/SIM/Start中不得使用任何EAP ID请求。如果之前的EAP请求/SIM/Start包含在永久性ID请求中,则不得使用AT FULLAUTH ID请求。第6.3.1节规定了对等操作,在接收到意外属性或意外消息的情况下。
The section above specifies two possible ways the peer can operate upon receipt of AT_PERMANENT_ID_REQ. This is because a received AT_PERMANENT_ID_REQ does not necessarily originate from the valid network, but an active attacker may transmit an EAP-Request/SIM/ Start packet with an AT_PERMANENT_ID_REQ attribute to the peer, in an effort to find out the true identity of the user. If the peer does not want to reveal its permanent identity, then the peer sends the
上面的部分指定了对等方在收到AT_PERMANENT_ID_REQ时可以操作的两种可能方式。这是因为接收到的AT_PERMANENT_ID_REQ不一定来自有效网络,但主动攻击者可能会向对等方发送带有AT_PERMANENT_ID_REQ属性的EAP请求/SIM/启动数据包,以找出用户的真实身份。如果对等方不想透露其永久身份,则对等方发送
EAP-Response/SIM/Client-Error packet with the error code "unable to process packet", and the authentication exchange terminates.
EAP响应/SIM/客户端错误数据包,错误代码为“无法处理数据包”,身份验证交换终止。
Basically, there are two different policies that the peer can employ with regard to AT_PERMANENT_ID_REQ. A "conservative" peer assumes that the network is able to maintain pseudonyms robustly. Therefore, if a conservative peer has a pseudonym username, the peer responds with EAP-Response/SIM/Client-Error to the EAP packet with AT_PERMANENT_ID_REQ, because the peer believes that the valid network is able to map the pseudonym identity to the peer's permanent identity. (Alternatively, the conservative peer may accept AT_PERMANENT_ID_REQ in certain circumstances, for example, if the pseudonym was received a long time ago.) The benefit of this policy is that it protects the peer against active attacks on anonymity. On the other hand, a "liberal" peer always accepts the AT_PERMANENT_ID_REQ and responds with the permanent identity. The benefit of this policy is that it works even if the valid network sometimes loses pseudonyms and is not able to map them to the permanent identity.
基本上,对于AT_PERMANENT_ID_REQ,对等方可以采用两种不同的策略。“保守的”对等网络假设网络能够可靠地维护假名。因此,如果保守的对等方具有假名用户名,则对等方使用EAP Response/SIM/Client Error对具有AT_PERMANENT_ID_REQ的EAP分组作出响应,因为对等方相信有效的网络能够将假名身份映射到对等方的永久身份。(或者,在某些情况下,保守的对等方可以接受AT_PERMANENT_ID_REQ,例如,如果假名是很久以前收到的。)此策略的好处是,它可以保护对等方免受主动匿名攻击。另一方面,“自由”对等方总是接受AT_PERMANENT_ID_REQ并以永久身份进行响应。此策略的好处是,即使有效网络有时会丢失笔名,并且无法将其映射到永久身份,它也可以工作。
When the server receives an EAP-Response/SIM/Start message with the AT_IDENTITY (in response to the server's identity requesting attribute), the server MUST operate as follows.
当服务器接收到带有AT_标识的EAP响应/SIM/启动消息(响应服务器的标识请求属性)时,服务器必须按如下方式运行。
If the server used AT_PERMANENT_ID_REQ, and if the AT_IDENTITY does not contain a valid permanent identity, then the server sends EAP-Request/SIM/Notification with AT_NOTIFICATION code "General failure" (16384), and the EAP exchange terminates. If the server recognizes the permanent identity and is able to continue, then the server proceeds with full authentication by sending EAP-Request/SIM/ Challenge.
如果服务器使用AT_PERMANENT_ID_REQ,并且AT_标识不包含有效的永久标识,则服务器发送带有AT_通知代码“General failure”(16384)的EAP Request/SIM/通知,EAP交换终止。如果服务器识别出永久身份并能够继续,则服务器通过发送EAP请求/SIM/质询继续进行完全身份验证。
If the server used AT_FULLAUTH_ID_REQ, and if AT_IDENTITY contains a valid permanent identity or a pseudonym identity that the server can map to a valid permanent identity, then the server proceeds with full authentication by sending EAP-Request/SIM/Challenge. If AT_IDENTITY contains a pseudonym identity that the server is not able to map to a valid permanent identity, or an identity that the server is not able to recognize or classify, then the server sends EAP-Request/SIM/Start with AT_PERMANENT_ID_REQ.
如果AT_FULLAUTH_ID_REQ使用的服务器,并且AT_标识包含服务器可以映射到有效永久标识的有效永久标识或假名标识,则服务器通过发送EAP请求/SIM/质询继续进行完全身份验证。如果AT_标识包含服务器无法映射到有效永久标识的假名标识,或服务器无法识别或分类的标识,则服务器将发送EAP请求/SIM/启动AT_永久标识请求。
If the server used AT_ANY_ID_REQ, and if the AT_IDENTITY contains a valid permanent identity or a pseudonym identity that the server can map to a valid permanent identity, then the server proceeds with full authentication by sending EAP-Request/SIM/Challenge.
如果服务器使用AT_ANY_ID_REQ,并且AT_标识包含服务器可以映射到有效永久标识的有效永久标识或假名标识,则服务器通过发送EAP请求/SIM/质询进行完全身份验证。
If the server used AT_ANY_ID_REQ, and if AT_IDENTITY contains a valid fast re-authentication identity and the server agrees on using re-authentication, then the server proceeds with fast re-authentication by sending EAP-Request/SIM/Re-authentication (Section 5).
如果AT_使用的服务器有任何ID_请求,并且AT_标识包含有效的快速重新身份验证标识,并且服务器同意使用重新身份验证,则服务器通过发送EAP请求/SIM/重新身份验证(第5节)进行快速重新身份验证。
If the server used AT_ANY_ID_REQ, and if the peer sent an EAP-Response/SIM/Start with only AT_IDENTITY (indicating re-authentication), but the server is not able to map the identity to a permanent identity, then the server sends EAP-Request/SIM/Start with AT_FULLAUTH_ID_REQ.
如果服务器使用AT_ANY_ID_REQ,并且如果对等方仅发送AT_标识的EAP响应/SIM/Start(表示重新身份验证),但服务器无法将标识映射到永久标识,则服务器发送EAP请求/SIM/Start AT_FULLAUTH_ID_REQ。
If the server used AT_ANY_ID_REQ, and if AT_IDENTITY contains a valid fast re-authentication identity that the server is able to map to a permanent identity, and if the server does not want to use fast re-authentication, then the server sends EAP-Request/SIM/Start without any identity requesting attributes.
如果AT_ANY_ID_REQ使用的服务器,并且AT_IDENTITY包含一个有效的快速重新身份验证标识,并且服务器能够映射到一个永久身份,并且如果服务器不想使用快速重新身份验证,则服务器发送EAP Request/SIM/Start,而不发送任何身份请求属性。
If the server used AT_ANY_ID_REQ, and AT_IDENTITY contains an identity that the server recognizes as a pseudonym identity but the server is not able to map the pseudonym identity to a permanent identity, then the server sends EAP-Request/SIM/Start with AT_PERMANENT_ID_REQ.
如果AT_ANY_ID_REQ使用的服务器,且AT_IDENTITY包含服务器识别为假名身份的身份,但服务器无法将假名身份映射到永久身份,则服务器发送EAP请求/SIM/以AT_permanent_ID_REQ开始。
If the server used AT_ANY_ID_REQ, and AT_IDENTITY contains an identity that the server is not able to recognize or classify, then the server sends EAP-Request/SIM/Start with AT_FULLAUTH_ID_REQ.
如果AT_ANY_ID_REQ使用的服务器,且AT_IDENTITY包含服务器无法识别或分类的标识,则服务器发送EAP Request/SIM/Start with AT_FULLAUTH_ID_REQ。
This section contains non-normative message sequence examples to illustrate how the peer identity can be communicated to the server.
本节包含非规范性消息序列示例,以说明如何将对等身份传递给服务器。
This case for full authentication is illustrated below in Figure 2. In this case, AT_IDENTITY contains either the permanent identity or a pseudonym identity. The same sequence is also used in case the server uses the AT_FULLAUTH_ID_REQ in EAP-Request/SIM/Start.
下面的图2说明了完全身份验证的情况。在这种情况下,AT_标识包含永久标识或笔名标识。如果服务器在EAP请求/SIM/Start中使用AT_FULLAUTH_ID_REQ,也会使用相同的顺序。
Peer Authenticator
| |
| +------------------------------+
| | Server does not have a |
| | Subscriber identity available|
| | When starting EAP-SIM |
| +------------------------------+
| |
| EAP-Request/SIM/Start |
| (AT_ANY_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY, AT_NONCE_MT, |
| AT_SELECTED_VERSION) |
|------------------------------------------------------>|
| |
Peer Authenticator
| |
| +------------------------------+
| | Server does not have a |
| | Subscriber identity available|
| | When starting EAP-SIM |
| +------------------------------+
| |
| EAP-Request/SIM/Start |
| (AT_ANY_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY, AT_NONCE_MT, |
| AT_SELECTED_VERSION) |
|------------------------------------------------------>|
| |
Figure 2: Requesting any identity, full authentication
图2:请求任何身份、完全身份验证
If the peer uses its full authentication identity and the AT_IDENTITY attribute contains a valid permanent identity or a valid pseudonym identity that the EAP server is able to map to the permanent identity, then the full authentication sequence proceeds as usual with the EAP Server issuing the EAP-Request/SIM/Challenge message.
如果对等方使用其完全身份验证标识,且AT_identity属性包含EAP服务器能够映射到永久标识的有效永久标识或有效假名标识,则完全身份验证序列与EAP服务器发出EAP请求/SIM/质询消息时一样进行。
The case when the server uses the AT_ANY_ID_REQ and the peer wants to perform fast re-authentication is illustrated below in Figure 3.
当服务器使用AT_ANY_ID_REQ并且对等方希望执行快速重新身份验证时的情况如下图3所示。
Peer Authenticator
| |
| +------------------------------+
| | Server does not have a |
| | Subscriber identity available|
| | When starting EAP-SIM |
| +------------------------------+
| |
| EAP-Request/SIM/Start |
| (AT_ANY_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY containing a fast re-auth. identity) |
|------------------------------------------------------>|
| |
Peer Authenticator
| |
| +------------------------------+
| | Server does not have a |
| | Subscriber identity available|
| | When starting EAP-SIM |
| +------------------------------+
| |
| EAP-Request/SIM/Start |
| (AT_ANY_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY containing a fast re-auth. identity) |
|------------------------------------------------------>|
| |
Figure 3: Requesting any identity, fast re-authentication
图3:请求任何身份,快速重新身份验证
On fast re-authentication, if the AT_IDENTITY attribute contains a valid fast re-authentication identity and the server agrees on using fast re-authentication, then the server proceeds with the fast re-authentication sequence and issues the EAP-Request/SIM/ Re-authentication packet, as specified in Section 5.
在快速重新身份验证中,如果AT_IDENTITY属性包含有效的快速重新身份验证,并且服务器同意使用快速重新身份验证,则服务器继续执行快速重新身份验证序列,并按照第5节的规定发出EAP请求/SIM/重新身份验证数据包。
Figure 4 illustrates cases in which the server does not recognize the fast re-authentication identity the peer used in AT_IDENTITY, and issues a second EAP-Request/SIM/Start message.
图4说明了服务器无法识别AT_标识中使用的对等方的快速重新身份验证标识,并发出第二条EAP请求/SIM/Start消息的情况。
Peer Authenticator
| |
| +------------------------------+
| | Server does not have a |
| | Subscriber identity available|
| | When starting EAP-SIM |
| +------------------------------+
| |
| EAP-Request/SIM/Start |
| (AT_ANY_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY containing a fast re-auth. identity) |
|------------------------------------------------------>|
| |
| +------------------------------+
| | Server does not recognize |
| | The fast re-auth. |
| | Identity |
| +------------------------------+
| |
| EAP-Request/SIM/Start |
| (AT_FULLAUTH_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY with a full-auth. identity, AT_NONCE_MT, |
| AT_SELECTED_VERSION) |
|------------------------------------------------------>|
| |
Peer Authenticator
| |
| +------------------------------+
| | Server does not have a |
| | Subscriber identity available|
| | When starting EAP-SIM |
| +------------------------------+
| |
| EAP-Request/SIM/Start |
| (AT_ANY_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY containing a fast re-auth. identity) |
|------------------------------------------------------>|
| |
| +------------------------------+
| | Server does not recognize |
| | The fast re-auth. |
| | Identity |
| +------------------------------+
| |
| EAP-Request/SIM/Start |
| (AT_FULLAUTH_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY with a full-auth. identity, AT_NONCE_MT, |
| AT_SELECTED_VERSION) |
|------------------------------------------------------>|
| |
Figure 4: Fall back to full authentication
图4:退回到完全身份验证
Figure 5 illustrates the case in which the EAP server fails to map the pseudonym identity included in the EAP-Response/Identity packet to a valid permanent identity.
图5说明了EAP服务器无法将EAP响应/标识数据包中包含的假名标识映射到有效的永久标识的情况。
Peer Authenticator
| |
| EAP-Request/Identity |
|<------------------------------------------------------|
| |
| EAP-Response/Identity |
| (Includes a pseudonym) |
|------------------------------------------------------>|
| |
| +------------------------------+
| | Server fails to map the |
| | Pseudonym to a permanent id. |
| +------------------------------+
| EAP-Request/SIM/Start |
| (AT_PERMANENT_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY with permanent identity, AT_NONCE_MT, |
| AT_SELECTED_VERSION) |
|------------------------------------------------------>|
| |
Peer Authenticator
| |
| EAP-Request/Identity |
|<------------------------------------------------------|
| |
| EAP-Response/Identity |
| (Includes a pseudonym) |
|------------------------------------------------------>|
| |
| +------------------------------+
| | Server fails to map the |
| | Pseudonym to a permanent id. |
| +------------------------------+
| EAP-Request/SIM/Start |
| (AT_PERMANENT_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY with permanent identity, AT_NONCE_MT, |
| AT_SELECTED_VERSION) |
|------------------------------------------------------>|
| |
Figure 5: Requesting the permanent identity
图5:申请永久身份
If the server recognizes the permanent identity, then the authentication sequence proceeds as usual with the EAP Server issuing the EAP-Request/SIM/Challenge message.
如果服务器识别出永久身份,则认证序列将照常进行,EAP服务器将发出EAP请求/SIM/质询消息。
Figure 6 illustrates the case in which the EAP server fails to map the pseudonym included in the AT_IDENTITY attribute to a valid permanent identity.
图6说明了EAP服务器无法将AT_IDENTITY属性中包含的笔名映射到有效的永久身份的情况。
Peer Authenticator
| |
| +------------------------------+
| | Server does not have a |
| | Subscriber identity available|
| | When starting EAP-SIM |
| +------------------------------+
| EAP-Request/SIM/Start |
| (AT_ANY_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
|EAP-Response/SIM/Start |
|(AT_IDENTITY with a pseudonym identity, AT_NONCE_MT, |
| AT_SELECTED_VERSION) |
|------------------------------------------------------>|
| +-------------------------------+
| | Server fails to map the |
| | Pseudonym in AT_IDENTITY |
| | to a valid permanent identity |
| +-------------------------------+
| |
| EAP-Request/SIM/Start |
| (AT_PERMANENT_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY with permanent identity, |
| AT_NONCE_MT, AT_SELECTED_VERSION) |
|------------------------------------------------------>|
| |
Peer Authenticator
| |
| +------------------------------+
| | Server does not have a |
| | Subscriber identity available|
| | When starting EAP-SIM |
| +------------------------------+
| EAP-Request/SIM/Start |
| (AT_ANY_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
|EAP-Response/SIM/Start |
|(AT_IDENTITY with a pseudonym identity, AT_NONCE_MT, |
| AT_SELECTED_VERSION) |
|------------------------------------------------------>|
| +-------------------------------+
| | Server fails to map the |
| | Pseudonym in AT_IDENTITY |
| | to a valid permanent identity |
| +-------------------------------+
| |
| EAP-Request/SIM/Start |
| (AT_PERMANENT_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY with permanent identity, |
| AT_NONCE_MT, AT_SELECTED_VERSION) |
|------------------------------------------------------>|
| |
Figure 6: Requesting a permanent identity (two EAP-SIM Start rounds)
图6:请求永久身份(两轮EAP-SIM启动)
In the worst case, there are three EAP/SIM/Start round trips before the server obtains an acceptable identity. This case is illustrated in Figure 7.
在最坏的情况下,在服务器获得可接受的身份之前,有三次EAP/SIM/Start往返。该案例如图7所示。
Peer Authenticator
| |
| +------------------------------+
| | Server does not have a |
| | Subscriber identity available|
| | When starting EAP-SIM |
| +------------------------------+
| EAP-Request/SIM/Start |
| (Includes AT_ANY_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY with fast re-auth. identity) |
|------------------------------------------------------>|
| |
| +------------------------------+
| | Server does not accept |
| | The fast re-auth. |
| | Identity |
| +------------------------------+
| EAP-Request/SIM/Start |
| (AT_FULLAUTH_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
: :
: :
: :
: :
|EAP-Response/SIM/Start |
|(AT_IDENTITY with a pseudonym identity, AT_NONCE_MT, |
| AT_SELECTED_VERSION) |
|------------------------------------------------------>|
| |
| +-------------------------------+
| | Server fails to map the |
| | Pseudonym in AT_IDENTITY |
| | to a valid permanent identity |
| +-------------------------------+
| EAP-Request/SIM/Start |
| (AT_PERMANENT_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY with permanent identity, AT_NONCE_MT, |
| AT_SELECTED_VERSION) |
|------------------------------------------------------>|
| |
Figure 7: Three EAP-SIM Start rounds
Peer Authenticator
| |
| +------------------------------+
| | Server does not have a |
| | Subscriber identity available|
| | When starting EAP-SIM |
| +------------------------------+
| EAP-Request/SIM/Start |
| (Includes AT_ANY_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY with fast re-auth. identity) |
|------------------------------------------------------>|
| |
| +------------------------------+
| | Server does not accept |
| | The fast re-auth. |
| | Identity |
| +------------------------------+
| EAP-Request/SIM/Start |
| (AT_FULLAUTH_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
: :
: :
: :
: :
|EAP-Response/SIM/Start |
|(AT_IDENTITY with a pseudonym identity, AT_NONCE_MT, |
| AT_SELECTED_VERSION) |
|------------------------------------------------------>|
| |
| +-------------------------------+
| | Server fails to map the |
| | Pseudonym in AT_IDENTITY |
| | to a valid permanent identity |
| +-------------------------------+
| EAP-Request/SIM/Start |
| (AT_PERMANENT_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY with permanent identity, AT_NONCE_MT, |
| AT_SELECTED_VERSION) |
|------------------------------------------------------>|
| |
Figure 7: Three EAP-SIM Start rounds
After the last EAP-Response/SIM/Start message, the full authentication sequence proceeds as usual. If the EAP Server recognizes the permanent identity and is able to proceed, the server issues the EAP-Request/SIM/Challenge message.
在最后一个EAP响应/SIM/Start消息之后,完整的身份验证序列照常进行。如果EAP服务器识别出永久身份并能够继续,则服务器将发出EAP请求/SIM/质询消息。
In some environments, EAP authentication may be performed frequently. Because the EAP-SIM full authentication procedure makes use of the GSM SIM A3/A8 algorithms, and therefore requires 2 or 3 fresh triplets from the Authentication Centre, the full authentication procedure is not very well suited for frequent use. Therefore, EAP-SIM includes a more inexpensive fast re-authentication procedure that does not make use of the SIM A3/A8 algorithms and does not need new triplets from the Authentication Centre. Re-authentication can be performed in fewer roundtrips than the full authentication.
在某些环境中,可能会频繁执行EAP身份验证。由于EAP-SIM完全认证程序使用GSM SIM A3/A8算法,因此需要认证中心提供2或3个新的三元组,因此完全认证程序不太适合频繁使用。因此,EAP-SIM包括一个更便宜的快速重新认证过程,该过程不使用SIM A3/A8算法,也不需要认证中心提供新的三元组。与完全身份验证相比,可以在更少的往返中执行重新身份验证。
Fast re-authentication is optional to implement for both the EAP-SIM server and peer. On each EAP authentication, either one of the entities may also fall back on full authentication if it does not want to use fast re-authentication.
EAP-SIM服务器和对等机均可选择实施快速重新身份验证。在每个EAP身份验证中,如果其中一个实体不想使用快速重新身份验证,则该实体也可以使用完全身份验证。
Fast re-authentication is based on the keys derived on the preceding full authentication. The same K_aut and K_encr keys that were used in full authentication are used to protect EAP-SIM packets and attributes, and the original Master Key from full authentication is used to generate a fresh Master Session Key, as specified in Section 7.
快速重新身份验证基于在前面的完全身份验证中派生的密钥。完全认证中使用的相同K_aut和K_encr密钥用于保护EAP-SIM数据包和属性,完全认证中的原始主密钥用于生成新的主会话密钥,如第7节所述。
The fast re-authentication exchange makes use of an unsigned 16-bit counter, included in the AT_COUNTER attribute. The counter has three goals: 1) it can be used to limit the number of successive reauthentication exchanges without full authentication 2) it contributes to the keying material, and 3) it protects the peer and the server from replays. On full authentication, both the server and the peer initialize the counter to one. The counter value of at least one is used on the first fast re-authentication. On subsequent fast re-authentications, the counter MUST be greater than on any of the previous re-authentications. For example, on the second fast re-authentication, the counter value is two or greater. The AT_COUNTER attribute is encrypted.
快速重新身份验证交换使用AT_计数器属性中包含的无符号16位计数器。计数器有三个目标:1)它可以用来限制连续的重新身份验证交换次数,而无需完全身份验证;2)它有助于密钥材料;3)它可以保护对等方和服务器免受重播。在完全身份验证时,服务器和对等方都将计数器初始化为1。在第一次快速重新认证时使用至少一个计数器值。在随后的快速重新身份验证中,计数器必须大于之前任何一次重新身份验证中的计数器。例如,在第二次快速重新身份验证时,计数器值为2或更大。AT_计数器属性已加密。
Both the peer and the EAP server maintain a copy of the counter. The EAP server sends its counter value to the peer in the fast re-authentication request. The peer MUST verify that its counter value is less than or equal to the value sent by the EAP server.
对等方和EAP服务器都维护计数器的副本。EAP服务器在快速重新身份验证请求中将其计数器值发送给对等方。对等方必须验证其计数器值是否小于或等于EAP服务器发送的值。
The server includes an encrypted server random nonce (AT_NONCE_S) in the fast re-authentication request. The AT_MAC attribute in the peer's response is calculated over NONCE_S to provide a challenge/response authentication scheme. The NONCE_S also contributes to the new Master Session Key.
服务器在快速重新身份验证请求中包含一个加密的服务器随机时间(AT_nonce)。对等方响应中的AT_MAC属性在当前时间计算,以提供质询/响应身份验证方案。临时密钥也有助于新的主会话密钥。
Both the peer and the server SHOULD have an upper limit for the number of subsequent fast re-authentications allowed before a full authentication needs to be performed. Because a 16-bit counter is used in fast re-authentication, the theoretical maximum number of re-authentications is reached when the counter value reaches FFFF hexadecimal.
在需要执行完全身份验证之前,对等方和服务器都应该有允许的后续快速重新身份验证的数量上限。由于16位计数器用于快速重新身份验证,因此当计数器值达到FFFF十六进制时,将达到理论上的最大重新身份验证次数。
In order to use fast re-authentication, the peer and the EAP server need to store the following values: Master Key, latest counter value and the next fast re-authentication identity. K_aut, K_encr may either be stored or derived again from MK. The server may also need to store the permanent identity of the user.
为了使用快速重新身份验证,对等方和EAP服务器需要存储以下值:主密钥、最新计数器值和下一个快速重新身份验证标识。K_aut、K_encr可以存储或再次从MK派生。服务器可能还需要存储用户的永久身份。
When analyzing the fast re-authentication exchange, it may be helpful to compare it with the UMTS Authentication and Key Agreement (AKA) exchange, which it resembles closely. The counter corresponds to the UMTS AKA sequence number, NONCE_S corresponds to RAND, AT_MAC in EAP-Request/SIM/Re-authentication corresponds to AUTN, the AT_MAC in EAP-Response/SIM/Re-authentication corresponds to RES, AT_COUNTER_TOO_SMALL corresponds to AUTS, and encrypting the counter corresponds to the usage of the Anonymity Key. Also, the key generation on fast re-authentication, with regard to random or fresh material, is similar to UMTS AKA -- the server generates the NONCE_S and counter values, and the peer only verifies that the counter value is fresh.
在分析快速重新认证交换时,将其与UMTS认证和密钥协议(AKA)交换进行比较可能会有所帮助,后者非常类似。计数器对应于UMTS AKA序列号,NONCE_S对应于RAND,EAP-Request/SIM/Re-authentication中的AT_-MAC对应于AUTN,EAP-Response/SIM/Re-authentication中的AT_-MAC对应于RES,AT_-counter_-TOO_-SMALL对应于AUTS,并且加密计数器对应于匿名密钥的使用。此外,关于随机或新鲜材料的快速重新认证上的密钥生成类似于UMTS AKA——服务器生成NONCE_S和计数器值,对等方仅验证计数器值是否新鲜。
It should also be noted that encrypting the AT_NONCE_S, AT_COUNTER, or AT_COUNTER_TOO_SMALL attributes is not important to the security of the fast re-authentication exchange.
还应注意,加密当前、当前计数器或当前计数器太小的属性对于快速重新身份验证交换的安全性并不重要。
The fast re-authentication procedure makes use of separate re-authentication user identities. Pseudonyms and the permanent identity are reserved for full authentication only. If a re-authentication identity is lost and the network does not recognize it, the EAP server can fall back on full authentication.
快速重新身份验证过程使用单独的重新身份验证用户身份。笔名和永久身份仅用于完全身份验证。如果重新身份验证标识丢失且网络无法识别,则EAP服务器可以采用完全身份验证。
If the EAP server supports fast re-authentication, it MAY include the skippable AT_NEXT_REAUTH_ID attribute in the encrypted data of EAP-Request/SIM/Challenge message (Section 9.3). This attribute contains a new fast re-authentication identity for the next fast re-authentication. The attribute also works as a capability flag that, indicating that the server supports fast re-authentication, and that the server wants to continue using fast re-authentication within the current context. The peer MAY ignore this attribute, in which case it MUST use full authentication next time. If the peer wants to use re-authentication, it uses this fast re-authentication identity on next authentication. Even if the peer has a fast re-authentication identity, the peer MAY discard the fast re-authentication identity and use a pseudonym or the permanent identity instead, in which case full authentication MUST be performed. If the EAP server does not include the AT_NEXT_REAUTH_ID in the encrypted data of EAP-Request/SIM/Challenge or EAP-Request/SIM/ Re-authentication, then the peer MUST discard its current fast re-authentication state information and perform a full authentication next time.
如果EAP服务器支持快速重新认证,它可能会在EAP请求/SIM/质询消息的加密数据中包含可跳过的AT_NEXT_REAUTH_ID属性(第9.3节)。此属性包含下一次快速重新身份验证的新快速重新身份验证标识。该属性还用作功能标志,指示服务器支持快速重新身份验证,并且服务器希望在当前上下文中继续使用快速重新身份验证。对等方可以忽略此属性,在这种情况下,下次必须使用完全身份验证。如果对等方希望使用重新身份验证,它将在下次身份验证时使用此快速重新身份验证标识。即使对等方具有快速重新认证标识,对等方也可以丢弃快速重新认证标识并使用假名或永久标识,在这种情况下,必须执行完全认证。如果EAP服务器在EAP Request/SIM/Challenge或EAP Request/SIM/Re authentication的加密数据中未包含AT_NEXT_REAUTH_ID,则对等方必须放弃其当前快速重新身份验证状态信息,并在下次执行完全身份验证。
In environments where a realm portion is needed in the peer identity, the fast re-authentication identity received in AT_NEXT_REAUTH_ID MUST contain both a username portion and a realm portion, as per the NAI format. The EAP Server can choose an appropriate realm part in order to have the AAA infrastructure route subsequent fast re-authentication related requests to the same AAA server. For example, the realm part MAY include a portion that is specific to the AAA server. Hence, it is sufficient to store the context required for fast re-authentication in the AAA server that performed the full authentication.
在对等身份中需要领域部分的环境中,根据NAI格式,在AT_NEXT_REAUTH_ID中接收的快速重新身份验证身份必须同时包含用户名部分和领域部分。EAP服务器可以选择适当的领域部分,以便AAA基础设施将后续快速重新认证相关请求路由到同一AAA服务器。例如,领域部分可以包括特定于AAA服务器的部分。因此,在执行完全身份验证的AAA服务器中存储快速重新身份验证所需的上下文就足够了。
The peer MAY use the fast re-authentication identity in the EAP-Response/Identity packet or, in response to the server's AT_ANY_ID_REQ attribute, the peer MAY use the fast re-authentication identity in the AT_IDENTITY attribute of the EAP-Response/SIM/Start packet.
对等方可以在EAP响应/标识分组中使用快速重新认证标识,或者,响应于服务器的AT_ANY_ID_REQ属性,对等方可以在EAP响应/SIM/启动分组的AT_标识属性中使用快速重新认证标识。
The peer MUST NOT modify the username portion of the fast re-authentication identity, but the peer MAY modify the realm portion or replace it with another realm portion. The peer might need to modify the realm in order to influence the AAA routing, for example, to make sure that the correct server is reached. It should be noted that sharing the same fast re-authentication key among several servers may have security risks, so changing the realm portion of the NAI in order to change the EAP server is not desirable.
对等方不得修改快速重新身份验证标识的用户名部分,但对等方可以修改域部分或用另一个域部分替换它。对等方可能需要修改域以影响AAA路由,例如,以确保到达正确的服务器。应当注意,在多个服务器之间共享相同的快速重新认证密钥可能具有安全风险,因此不希望为了改变EAP服务器而改变NAI的领域部分。
Even if the peer uses a fast re-authentication identity, the server may want to fall back on full authentication, for example because the server does not recognize the fast re-authentication identity or does not want to use fast re-authentication. In this case, the server starts the full authentication procedure by issuing an EAP-Request/SIM/Start packet. This packet always starts a full authentication sequence if it does not include the AT_ANY_ID_REQ attribute. If the server was not able to recover the peer's identity from the fast re-authentication identity, the server includes either the AT_FULLAUTH_ID_REQ or the AT_PERMANENT_ID_REQ attribute in this EAP request.
即使对等方使用快速重新身份验证标识,服务器也可能希望退回到完全身份验证,例如,因为服务器无法识别快速重新身份验证标识或不希望使用快速重新身份验证。在这种情况下,服务器通过发出EAP请求/SIM/Start数据包来启动完整身份验证过程。如果此数据包不包含AT_ANY_ID_REQ属性,则它总是启动完整的身份验证序列。如果服务器无法从快速重新身份验证身份恢复对等方的身份,则服务器在此EAP请求中包括AT_FULLAUTH_ID_REQ或AT_PERMANENT_ID_REQ属性。
Figure 8 illustrates the fast re-authentication procedure. In this example, the optional protected success indication is not used. Encrypted attributes are denoted with '*'. The peer uses its re-authentication identity in the EAP-Response/Identity packet. As discussed above, an alternative way to communicate the re-authentication identity to the server is for the peer to use the AT_IDENTITY attribute in the EAP-Response/SIM/Start message. This latter case is not illustrated in the figure below, and it is only possible when the server requests that the peer send its identity by including the AT_ANY_ID_REQ attribute in the EAP-Request/SIM/Start packet.
图8说明了快速重新身份验证过程。在此示例中,未使用可选的受保护成功指示。加密属性用“*”表示。对等方在EAP响应/标识数据包中使用其重新身份验证标识。如上所述,将重新认证身份传送到服务器的另一种方法是对等方使用EAP响应/SIM/Start消息中的AT_标识属性。后一种情况未在下图中说明,并且仅当服务器通过在EAP请求/SIM/Start数据包中包含AT_ANY_ID_REQ属性请求对等方发送其身份时才可能。
If the server recognizes the identity as a valid fast re-authentication identity, and if the server agrees to use fast re-authentication, then the server sends the EAP-Request/SIM/ Re-authentication packet to the peer. This packet MUST include the encrypted AT_COUNTER attribute, with a fresh counter value, the encrypted AT_NONCE_S attribute that contains a random number chosen by the server, the AT_ENCR_DATA and the AT_IV attributes used for encryption, and the AT_MAC attribute that contains a message authentication code over the packet. The packet MAY also include an encrypted AT_NEXT_REAUTH_ID attribute that contains the next fast re-authentication identity.
如果服务器将该身份识别为有效的快速重新身份验证身份,并且如果服务器同意使用快速重新身份验证,则服务器向对等方发送EAP请求/SIM/重新身份验证数据包。此数据包必须包括加密的AT_计数器属性(具有新计数器值)、加密的AT_NONCE_S属性(包含服务器选择的随机数)、用于加密的AT_ENCR_数据和AT_IV属性,以及AT_MAC属性(包含数据包上的消息身份验证代码)。该分组还可以包括加密的AT_NEXT_REAUTH_ID属性,该属性包含下一个快速重新认证标识。
Fast re-authentication identities are one-time identities. If the peer does not receive a new fast re-authentication identity, it MUST use either the permanent identity or a pseudonym identity on the next authentication to initiate full authentication.
快速重新身份验证身份是一次性身份。如果对等方没有收到新的快速重新身份验证标识,则必须在下一次身份验证时使用永久身份或假名身份来启动完全身份验证。
The peer verifies that AT_MAC is correct, and that the counter value is fresh (greater than any previously used value). The peer MAY save the next fast re-authentication identity from the encrypted AT_NEXT_REAUTH_ID for next time. If all checks are successful, the peer responds with the EAP-Response/SIM/Re-authentication packet,
对等方验证AT_MAC是否正确,计数器值是否新鲜(大于以前使用的任何值)。对等方可以从加密的AT_next_REAUTH_ID保存下一个快速重新身份验证标识,以备下次使用。如果所有检查都成功,对等方将使用EAP响应/SIM/重新认证数据包进行响应,
including the AT_COUNTER attribute with the same counter value and AT_MAC attribute.
包括具有相同计数器值和AT_MAC属性的AT_计数器属性。
The server verifies the AT_MAC attribute and also verifies that the counter value is the same that it used in the EAP-Request/SIM/ Re-authentication packet. If these checks are successful, the re-authentication has succeeded and the server sends the EAP-Success packet to the peer.
服务器验证AT_MAC属性,并验证计数器值是否与EAP请求/SIM/Re身份验证数据包中使用的计数器值相同。如果这些检查成功,则重新身份验证已成功,服务器将EAP成功数据包发送给对等方。
If protected success indications (Section 6.2) were used, the EAP-Success packet would be preceded by an EAP-SIM notification round.
如果使用受保护的成功指示(第6.2节),EAP成功数据包之前将有一轮EAP-SIM通知。
Peer Authenticator
| |
| EAP-Request/Identity |
|<------------------------------------------------------|
| |
| EAP-Response/Identity |
| (Includes a fast re-authentication identity) |
|------------------------------------------------------>|
| |
| +--------------------------------+
| | Server recognizes the identity |
| | and agrees to use fast |
| | re-authentication |
| +--------------------------------+
| |
: :
: :
: :
: :
| EAP-Request/SIM/Re-authentication |
| (AT_IV, AT_ENCR_DATA, *AT_COUNTER, |
| *AT_NONCE_S, *AT_NEXT_REAUTH_ID, AT_MAC) |
|<------------------------------------------------------|
| |
+-----------------------------------------------+ |
| Peer verifies AT_MAC and the freshness of | |
| the counter. Peer MAY store the new fast re- | |
| authentication identity for next re-auth. | |
+-----------------------------------------------+ |
| |
| EAP-Response/SIM/Re-authentication |
| (AT_IV, AT_ENCR_DATA, *AT_COUNTER with same value, |
| AT_MAC) |
|------------------------------------------------------>|
| +--------------------------------+
| | Server verifies AT_MAC and |
| | the counter |
| +--------------------------------+
| |
| EAP-Success |
|<------------------------------------------------------|
| |
Peer Authenticator
| |
| EAP-Request/Identity |
|<------------------------------------------------------|
| |
| EAP-Response/Identity |
| (Includes a fast re-authentication identity) |
|------------------------------------------------------>|
| |
| +--------------------------------+
| | Server recognizes the identity |
| | and agrees to use fast |
| | re-authentication |
| +--------------------------------+
| |
: :
: :
: :
: :
| EAP-Request/SIM/Re-authentication |
| (AT_IV, AT_ENCR_DATA, *AT_COUNTER, |
| *AT_NONCE_S, *AT_NEXT_REAUTH_ID, AT_MAC) |
|<------------------------------------------------------|
| |
+-----------------------------------------------+ |
| Peer verifies AT_MAC and the freshness of | |
| the counter. Peer MAY store the new fast re- | |
| authentication identity for next re-auth. | |
+-----------------------------------------------+ |
| |
| EAP-Response/SIM/Re-authentication |
| (AT_IV, AT_ENCR_DATA, *AT_COUNTER with same value, |
| AT_MAC) |
|------------------------------------------------------>|
| +--------------------------------+
| | Server verifies AT_MAC and |
| | the counter |
| +--------------------------------+
| |
| EAP-Success |
|<------------------------------------------------------|
| |
Figure 8: Fast Re-authentication
图8:快速重新认证
If the peer does not accept the counter value of EAP-Request/SIM/ Re-authentication, it indicates the counter synchronization problem by including the encrypted AT_COUNTER_TOO_SMALL in EAP-Response/SIM/ Re-authentication. The server responds with EAP-Request/SIM/Start to initiate a normal full authentication procedure. This is illustrated in Figure 9. Encrypted attributes are denoted with '*'.
如果对等方不接受EAP Request/SIM/Re authentication的计数器值,则通过在EAP Response/SIM/Re authentication中包含加密的AT_counter_TOO_SMALL来指示计数器同步问题。服务器响应EAP请求/SIM/Start以启动正常的完全身份验证过程。如图9所示。加密属性用“*”表示。
Peer Authenticator
| EAP-Request/SIM/Start |
| (AT_ANY_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY) |
| (Includes a fast re-authentication identity) |
|------------------------------------------------------>|
| |
| EAP-Request/SIM/Re-authentication |
| (AT_IV, AT_ENCR_DATA, *AT_COUNTER, |
| *AT_NONCE_S, *AT_NEXT_REAUTH_ID, AT_MAC) |
|<------------------------------------------------------|
+-----------------------------------------------+ |
| AT_MAC is valid but the counter is not fresh. | |
+-----------------------------------------------+ |
| |
| EAP-Response/SIM/Re-authentication |
| (AT_IV, AT_ENCR_DATA, *AT_COUNTER_TOO_SMALL, |
| *AT_COUNTER, AT_MAC) |
|------------------------------------------------------>|
| +----------------------------------------------+
| | Server verifies AT_MAC but detects |
| | That peer has included AT_COUNTER_TOO_SMALL |
| +----------------------------------------------+
| |
| EAP-Request/SIM/Start |
| (AT_VERSION_LIST) |
|<------------------------------------------------------|
+---------------------------------------------------------------+
| Normal full authentication follows. |
+---------------------------------------------------------------+
| |
Peer Authenticator
| EAP-Request/SIM/Start |
| (AT_ANY_ID_REQ, AT_VERSION_LIST) |
|<------------------------------------------------------|
| |
| EAP-Response/SIM/Start |
| (AT_IDENTITY) |
| (Includes a fast re-authentication identity) |
|------------------------------------------------------>|
| |
| EAP-Request/SIM/Re-authentication |
| (AT_IV, AT_ENCR_DATA, *AT_COUNTER, |
| *AT_NONCE_S, *AT_NEXT_REAUTH_ID, AT_MAC) |
|<------------------------------------------------------|
+-----------------------------------------------+ |
| AT_MAC is valid but the counter is not fresh. | |
+-----------------------------------------------+ |
| |
| EAP-Response/SIM/Re-authentication |
| (AT_IV, AT_ENCR_DATA, *AT_COUNTER_TOO_SMALL, |
| *AT_COUNTER, AT_MAC) |
|------------------------------------------------------>|
| +----------------------------------------------+
| | Server verifies AT_MAC but detects |
| | That peer has included AT_COUNTER_TOO_SMALL |
| +----------------------------------------------+
| |
| EAP-Request/SIM/Start |
| (AT_VERSION_LIST) |
|<------------------------------------------------------|
+---------------------------------------------------------------+
| Normal full authentication follows. |
+---------------------------------------------------------------+
| |
Figure 9: Fast Re-authentication, counter is not fresh
图9:快速重新认证,计数器不新鲜
In the figure above, the first three messages are similar to the basic fast re-authentication case. When the peer detects that the counter value is not fresh, it includes the AT_COUNTER_TOO_SMALL attribute in EAP-Response/SIM/Re-authentication. This attribute doesn't contain any data, but it is a request for the server to initiate full authentication. In this case, the peer MUST ignore the contents of the server's AT_NEXT_REAUTH_ID attribute.
在上图中,前三条消息类似于基本的快速重新身份验证案例。当对等方检测到计数器值不新鲜时,它在EAP响应/SIM/Re身份验证中包含AT_counter_TOO_SMALL属性。此属性不包含任何数据,但它是服务器启动完全身份验证的请求。在这种情况下,对等方必须忽略服务器的AT_NEXT_REAUTH_ID属性的内容。
On receipt of AT_COUNTER_TOO_SMALL, the server verifies AT_MAC and verifies that AT_COUNTER contains the same counter value as in the EAP-Request/SIM/Re-authentication packet. If not, the server terminates the authentication exchange by sending the EAP-Request/SIM/Notification with AT_NOTIFICATION code "General failure" (16384). If all checks on the packet are successful, the server transmits a new EAP-Request/SIM/Start packet and the full authentication procedure is performed as usual. Since the server already knows the subscriber identity, it MUST NOT include AT_ANY_ID_REQ, AT_FULLAUTH_ID_REQ, or AT_PERMANENT_ID_REQ in the EAP-Request/SIM/Start.
在收到AT_计数器太小时,服务器验证AT_MAC,并验证AT_计数器是否包含与EAP请求/SIM/重新身份验证数据包中相同的计数器值。如果没有,服务器将通过发送EAP请求/SIM/通知(AT_通知代码为“一般故障”(16384))来终止身份验证交换。如果对数据包的所有检查都成功,则服务器将发送一个新的EAP请求/SIM/启动数据包,并像往常一样执行完整的身份验证过程。由于服务器已经知道用户身份,因此它不能在EAP请求/SIM/Start中包含AT_ANY_ID_REQ、AT_FULLAUTH_ID_REQ或AT_PERMANENT_ID_REQ。
It should be noted that in this case, peer identity is only transmitted in the AT_IDENTITY attribute at the beginning of the whole EAP exchange. The fast re-authentication identity used in this AT_IDENTITY attribute will be used in key derivation (see Section 7).
应当注意,在这种情况下,对等身份仅在整个EAP交换开始时在AT_identity属性中传输。此AT_标识属性中使用的快速重新身份验证标识将用于密钥派生(参见第7节)。
EAP-SIM does not prohibit the use of the EAP Notifications as specified in [RFC3748]. EAP Notifications can be used at any time in the EAP-SIM exchange. It should be noted that EAP-SIM does not protect EAP Notifications. EAP-SIM also specifies method-specific EAP-SIM notifications that are protected in some cases.
EAP-SIM不禁止使用[RFC3748]中规定的EAP通知。EAP通知可在EAP-SIM交换机中随时使用。应注意,EAP-SIM不保护EAP通知。EAP-SIM还指定在某些情况下受保护的方法特定的EAP-SIM通知。
The EAP server can use EAP-SIM notifications to convey notifications and result indications (Section 6.2) to the peer.
EAP服务器可以使用EAP-SIM通知向对等方传送通知和结果指示(第6.2节)。
The server MUST use notifications in cases discussed in Section 6.3.2. When the EAP server issues an EAP-Request/SIM/Notification packet to the peer, the peer MUST process the notification packet. The peer MAY show a notification message to the user and the peer MUST respond to the EAP server with an EAP-Response/SIM/Notification packet, even if the peer did not recognize the notification code.
服务器必须在第6.3.2节讨论的情况下使用通知。当EAP服务器向对等方发出EAP请求/SIM/通知数据包时,对等方必须处理该通知数据包。对等方可以向用户显示通知消息,并且对等方必须使用EAP响应/SIM/通知分组响应EAP服务器,即使对等方不识别通知代码。
An EAP-SIM full authentication exchange or a fast re-authentication exchange MUST NOT include more than one EAP-SIM notification round.
EAP-SIM完全身份验证交换或快速重新身份验证交换不得包含多轮EAP-SIM通知。
The notification code is a 16-bit number. The most significant bit is called the Success bit (S bit). The S bit specifies whether the notification implies failure. The code values with the S bit set to zero (code values 0...32767) are used on unsuccessful cases. The receipt of a notification code from this range implies a failed EAP exchange, so the peer can use the notification as a failure indication. After receiving the EAP-Response/SIM/Notification for these notification codes, the server MUST send the EAP-Failure packet.
通知代码是一个16位数字。最高有效位称为成功位。S位指定通知是否意味着失败。S位设置为零的代码值(代码值0…32767)用于不成功的情况。从该范围接收到通知代码意味着EAP交换失败,因此对等方可以使用该通知作为失败指示。在收到这些通知代码的EAP响应/SIM/通知后,服务器必须发送EAP故障数据包。
The receipt of a notification code with the S bit set to one (values 32768...65536) does not imply failure. Notification code "Success" (32768) has been reserved as a general notification code to indicate successful authentication.
接收S位设置为1(值32768…65536)的通知代码并不意味着失败。通知代码“Success”(32768)已保留为通用通知代码,以指示身份验证成功。
The second most significant bit of the notification code is called the Phase bit (P bit). It specifies at which phase of the EAP-SIM exchange the notification can be used. If the P bit is set to zero, the notification can only be used after a successful EAP/SIM/Challenge round in full authentication or a successful EAP/SIM/Re-authentication round in reauthentication. A re-authentication round is considered successful only if the peer has successfully verified AT_MAC and AT_COUNTER attributes, and does not include the AT_COUNTER_TOO_SMALL attribute in EAP-Response/SIM/Re-authentication.
通知代码的第二个最高有效位称为相位位(P位)。它指定在EAP-SIM交换的哪个阶段可以使用通知。如果P位设置为零,则通知只能在完全身份验证中的EAP/SIM/质询轮成功或重新身份验证中的EAP/SIM/重新身份验证轮成功后使用。只有当对等方已成功验证AT_MAC和AT_计数器属性,并且在EAP响应/SIM/重新身份验证中未包含AT_计数器太小属性时,重新身份验证回合才被视为成功。
If the P bit is set to one, the notification can only by used before the EAP/SIM/Challenge round in full authentication, or before the EAP/SIM/Re-authentication round in reauthentication. These notifications can only be used to indicate various failure cases. In other words, if the P bit is set to one, then the S bit MUST be set to zero.
如果P位设置为1,则通知只能在完全身份验证中的EAP/SIM/质询轮之前使用,或在重新身份验证中的EAP/SIM/重新身份验证轮之前使用。这些通知只能用于指示各种故障情况。换句话说,如果P位设置为1,则S位必须设置为0。
Section 9.8 and Section 9.9 specify what other attributes must be included in the notification packets.
第9.8节和第9.9节规定了通知包中必须包含的其他属性。
Some of the notification codes are authorization related and, hence, are not usually considered part of the responsibility of an EAP method. However, they are included as part of EAP-SIM because there are currently no other ways to convey this information to the user in a localizable way, and the information is potentially useful for the user. An EAP-SIM server implementation may decide never to send these EAP-SIM notifications.
一些通知代码与授权相关,因此通常不被视为EAP方法责任的一部分。然而,它们作为EAP-SIM的一部分被包括在内,因为目前没有其他方式以可本地化的方式向用户传达该信息,并且该信息对用户可能有用。EAP-SIM服务器实施可能决定从不发送这些EAP-SIM通知。
As discussed in Section 6.3, the server and the peer use explicit error messages in all error cases. If the server detects an error after successful authentication, the server uses an EAP-SIM notification to indicate failure to the peer. In this case, the result indication is integrity and replay protected.
如第6.3节所述,服务器和对等方在所有错误情况下都使用显式错误消息。如果服务器在成功身份验证后检测到错误,则服务器将使用EAP-SIM通知向对等方指示失败。在这种情况下,结果指示为完整性和重播保护。
By sending an EAP-Response/SIM/Challenge packet or an EAP-Response/SIM/Re-authentication packet (without AT_COUNTER_TOO_SMALL), the peer indicates that it has successfully authenticated the server and that the peer's local policy accepts the EAP exchange. In other words, these packets are implicit success indications from the peer to the server.
通过发送EAP响应/SIM/质询数据包或EAP响应/SIM/重新认证数据包(AT_计数器不太小),对等方表示已成功认证服务器,并且对等方的本地策略接受EAP交换。换句话说,这些数据包是从对等方到服务器的隐式成功指示。
EAP-SIM also supports optional protected success indications from the server to the peer. If the EAP server wants to use protected success indications, it includes the AT_RESULT_IND attribute in the EAP-Request/SIM/Challenge or the EAP-Request/SIM/Re-authentication packet. This attribute indicates that the EAP server would like to use result indications in both successful and unsuccessful cases. If the peer also wants this, the peer includes AT_RESULT_IND in EAP-Response/SIM/Challenge or EAP-Response/SIM/Re-authentication. The peer MUST NOT include AT_RESULT_IND if it did not receive AT_RESULT_IND from the server. If both the peer and the server used AT_RESULT_IND, then the EAP exchange is not complete yet, but an EAP-SIM notification round will follow. The following EAP-SIM notification may indicate either failure or success.
EAP-SIM还支持从服务器到对等机的可选受保护成功指示。如果EAP服务器想要使用受保护的成功指示,它会在EAP请求/SIM/质询或EAP请求/SIM/重新身份验证数据包中包含AT_RESULT_IND属性。此属性表示EAP服务器希望在成功和不成功的情况下都使用结果指示。如果对等方也希望这样做,则对等方在EAP响应/SIM/质询或EAP响应/SIM/重新认证中包含AT_RESULT_IND。如果对等方未从服务器接收到AT_RESULT_IND,则该对等方不得包含AT_RESULT_IND。如果对等方和服务器都在\u RESULT\u IND使用,则EAP交换尚未完成,但随后将进行一轮EAP-SIM通知。以下EAP-SIM通知可能表示失败或成功。
Success indications with the AT_NOTIFICATION code "Success" (32768) can only be used if both the server and the peer indicate they want to use them with AT_RESULT_IND. If the server did not include AT_RESULT_IND in the EAP-Request/SIM/Challenge or EAP-Request/SIM/Re-authentication packet, or if the peer did not include AT_RESULT_IND in the corresponding response packet, then the server MUST NOT use protected success indications.
只有当服务器和对等方都表示希望将AT_结果标识与AT_结果标识一起使用时,才能使用带有AT_通知代码“Success”(32768)的成功标识。如果服务器未将AT_结果标识包含在EAP请求/SIM/质询或EAP请求/SIM/重新验证数据包中,或者,如果对等方未在相应的响应数据包中包含AT_RESULT_IND,则服务器不得使用受保护的成功指示。
Because the server uses the AT_NOTIFICATION code "Success" (32768) to indicate that the EAP exchange has completed successfully, the EAP exchange cannot fail when the server processes the EAP-SIM response to this notification. Hence, the server MUST ignore the contents of the EAP-SIM response it receives from the EAP-Request/SIM/Notification with this code. Regardless of the contents of the EAP-SIM response, the server MUST send EAP-Success as the next packet.
由于服务器使用AT_通知代码“Success”(32768)表示EAP交换已成功完成,因此当服务器处理EAP-SIM对此通知的响应时,EAP交换不能失败。因此,服务器必须忽略使用此代码从EAP请求/SIM/通知接收的EAP-SIM响应的内容。无论EAP-SIM响应的内容如何,服务器都必须将EAP Success作为下一个数据包发送。
This section specifies the operation of the peer and the server in error cases. The subsections below require the EAP-SIM peer and server to send an error packet (EAP-Response/SIM/Client-Error from the peer or EAP-Request/SIM/Notification from the server) in error cases. However, implementations SHOULD NOT rely upon the correct error reporting behavior of the peer, authenticator, or the server. It is possible for error and other messages to be lost in transit or for a malicious participant to attempt to consume resources by not issuing error messages. Both the peer and the EAP server SHOULD have a mechanism to clean up state, even if an error message or EAP-Success is not received after a timeout period.
本节指定对等机和服务器在错误情况下的操作。以下小节要求EAP-SIM对等方和服务器在错误情况下发送错误数据包(来自对等方的EAP响应/SIM/客户端错误或来自服务器的EAP请求/SIM/通知)。但是,实现不应依赖于对等方、验证器或服务器的正确错误报告行为。错误和其他消息可能在传输过程中丢失,或者恶意参与者试图通过不发出错误消息来消耗资源。对等服务器和EAP服务器都应该具有清除状态的机制,即使超时后未收到错误消息或EAP Success。
In general, if an EAP-SIM peer detects an error in a received EAP-SIM packet, the EAP-SIM implementation responds with the EAP-Response/SIM/Client-Error packet. In response to the EAP-Response/SIM/Client-Error, the EAP server MUST issue the EAP-Failure packet and the authentication exchange terminates.
通常,如果EAP-SIM对等方在接收到的EAP-SIM数据包中检测到错误,则EAP-SIM实现使用EAP响应/SIM/客户端错误数据包进行响应。为了响应EAP响应/SIM/客户端错误,EAP服务器必须发出EAP失败数据包,并且身份验证交换终止。
By default, the peer uses the client error code 0, "unable to process packet". This error code is used in the following cases:
默认情况下,对等方使用客户端错误代码0,“无法处理数据包”。此错误代码用于以下情况:
o EAP exchange is not acceptable according to the peer's local policy.
o 根据对等方的本地策略,EAP交换是不可接受的。
o the peer is not able to parse the EAP request, i.e., the EAP request is malformed.
o 对等方无法解析EAP请求,即EAP请求的格式不正确。
o the peer encountered a malformed attribute.
o 对等方遇到格式不正确的属性。
o wrong attribute types or duplicate attributes have been included in the EAP request.
o EAP请求中包含错误的属性类型或重复的属性。
o a mandatory attribute is missing.
o 缺少必需属性。
o unrecognized, non-skippable attribute.
o 无法识别的、不可跳过的属性。
o unrecognized or unexpected EAP-SIM Subtype in the EAP request.
o EAP请求中存在无法识别或意外的EAP-SIM子类型。
o A RAND challenge repeated in AT_RAND.
o 一场兰德挑战赛在阿图兰德重演。
o invalid AT_MAC. The peer SHOULD log this event.
o 在麦加无效。对等方应记录此事件。
o invalid pad bytes in AT_PADDING.
o AT_填充中的填充字节无效。
o the peer does not want to process AT_PERMANENT_ID_REQ.
o 对等方不希望处理永久ID请求。
Separate error codes have been defined for the following error cases in Section 10.19:
第10.19节为以下错误情况定义了单独的错误代码:
As specified in Section 4.1, when processing the AT_VERSION_LIST attribute, which lists the EAP-SIM versions supported by the server, if the attribute does not include a version that is implemented by the peer and allowed in the peer's security policy, then the peer MUST send the EAP-Response/SIM/Client-Error packet with the error code "unsupported version".
如第4.1节所述,在处理列出服务器支持的EAP-SIM版本的AT_VERSION_LIST属性时,如果该属性不包括由对等方实现并在对等方安全策略中允许的版本,则对等方必须发送带有错误代码的EAP Response/SIM/Client错误包“不支持的版本”。
If the number of RAND challenges is smaller than what is required by peer's local policy when processing the AT_RAND attribute, the peer MUST send the EAP-Response/SIM/Client-Error packet with the error code "insufficient number of challenges".
如果在处理AT_RAND属性时RAND质询的数量小于对等方的本地策略要求的数量,则对等方必须发送错误代码为“质询数量不足”的EAP响应/SIM/客户端错误数据包。
If the peer believes that the RAND challenges included in AT_RAND are not fresh e.g., because it is capable of remembering some previously used RANDs, the peer MUST send the EAP-Response/SIM/Client-Error packet with the error code "RANDs are not fresh".
如果对等方认为AT_RAND中包含的RAND挑战不新鲜,例如,因为它能够记住一些以前使用的RAND,则对等方必须发送错误代码为“RAND不新鲜”的EAP响应/SIM/客户端错误包。
If an EAP-SIM server detects an error in a received EAP-SIM response, the server MUST issue the EAP-Request/SIM/Notification packet with an AT_NOTIFICATION code that implies failure. By default, the server uses one of the general failure codes ("General failure after authentication" (0), or "General failure" (16384)). The choice between these two codes depends on the phase of the EAP-SIM exchange, see Section 6. When the server issues an EAP-Request/SIM/Notification that implies failure, the error cases include the following:
如果EAP-SIM服务器在接收到的EAP-SIM响应中检测到错误,则服务器必须发出EAP请求/SIM/通知数据包,其中包含表示失败的AT_通知代码。默认情况下,服务器使用常规故障代码之一(“身份验证后的常规故障”(0)或“常规故障”(16384))。这两种代码之间的选择取决于EAP-SIM交换的相位,见第6节。当服务器发出表示失败的EAP请求/SIM/通知时,错误情况包括:
o the server is not able to parse the peer's EAP response
o 服务器无法分析对等方的EAP响应
o the server encounters a malformed attribute, a non-recognized non-skippable attribute, or a duplicate attribute
o 服务器遇到格式错误的属性、无法识别的不可跳过属性或重复属性
o a mandatory attribute is missing or an invalid attribute was included
o 缺少必需属性或包含无效属性
o unrecognized or unexpected EAP-SIM Subtype in the EAP Response
o EAP响应中无法识别或意外的EAP-SIM子类型
o invalid AT_MAC. The server SHOULD log this event.
o 在麦加无效。服务器应记录此事件。
o invalid AT_COUNTER
o 在柜台无效
The EAP-SIM server sends EAP-Failure in two cases:
EAP-SIM服务器在两种情况下发送EAP故障:
1) In response to an EAP-Response/SIM/Client-Error packet the server has received from the peer, or
1) 作为对EAP响应/SIM/客户端错误数据包的响应,服务器已从对等方收到,或
2) Following an EAP-SIM notification round, when the AT_NOTIFICATION code implies failure.
2) 在EAP-SIM通知轮之后,当AT_通知代码暗示失败时。
The EAP-SIM server MUST NOT send EAP-Failure in cases other than these two. However, it should be noted that even though the EAP-SIM server would not send an EAP-Failure, an authorization decision that happens outside EAP-SIM, such as in the AAA server or in an intermediate AAA proxy, may result in a failed exchange.
除这两种情况外,EAP-SIM服务器不得发送EAP故障。然而,应注意的是,即使EAP-SIM服务器不会发送EAP故障,在EAP-SIM之外发生的授权决策,例如在AAA服务器或中间AAA代理中,也可能导致交换失败。
The peer MUST accept the EAP-Failure packet in case 1) and case 2), above. The peer SHOULD silently discard the EAP-Failure packet in other cases.
在上述情况1)和情况2)中,对等方必须接受EAP故障数据包。在其他情况下,对等方应默默地丢弃EAP故障数据包。
On full authentication, the server can only send EAP-Success after the EAP/SIM/Challenge round. The peer MUST silently discard any EAP-Success packets if they are received before the peer has successfully authenticated the server and sent the EAP-Response/SIM/Challenge packet.
在完全身份验证时,服务器只能在EAP/SIM/质询轮之后发送EAP Success。如果在对等方成功验证服务器并发送EAP响应/SIM/质询数据包之前收到任何EAP成功数据包,则对等方必须以静默方式丢弃这些数据包。
If the peer did not indicate that it wants to use protected success indications with AT_RESULT_IND (as discussed in Section 6.2) on full authentication, then the peer MUST accept EAP-Success after a successful EAP/SIM/Challenge round.
如果对等方未表示希望在完全认证时使用AT_RESULT_IND(如第6.2节所述)的受保护成功指示,则对等方必须在成功的EAP/SIM/质询回合后接受EAP success。
If the peer indicated that it wants to use protected success indications with AT_RESULT_IND (as discussed in Section 6.2), then the peer MUST NOT accept EAP-Success after a successful EAP/SIM/Challenge round. In this case, the peer MUST only accept EAP-Success after receiving an EAP-SIM Notification with the AT_NOTIFICATION code "Success" (32768).
如果对等方表示希望使用具有AT_RESULT_IND的受保护成功指示(如第6.2节所述),则对等方不得在成功的EAP/SIM/质询回合后接受EAP成功。在这种情况下,对等方必须在收到带有AT_通知代码“Success”(32768)的EAP-SIM通知后才接受EAP Success。
On fast re-authentication, EAP-Success can only be sent after the EAP/SIM/Re-authentication round. The peer MUST silently discard any EAP-Success packets if they are received before the peer has successfully authenticated the server and sent the EAP-Response/SIM/Re-authentication packet.
在快速重新认证时,EAP成功只能在EAP/SIM/re认证轮后发送。如果在对等方成功对服务器进行身份验证并发送EAP响应/SIM/重新身份验证数据包之前收到任何EAP成功数据包,则对等方必须以静默方式丢弃这些数据包。
If the peer did not indicate that it wants to use protected success indications with AT_RESULT_IND (as discussed in Section 6.2) on fast
如果对等方未表示希望在fast上使用AT_RESULT_IND(如第6.2节所述)的受保护成功指示
re-authentication, then the peer MUST accept EAP-Success after a successful EAP/SIM/Re-authentication round.
重新身份验证,则对等方必须在成功的EAP/SIM/重新身份验证回合后接受EAP成功。
If the peer indicated that it wants to use protected success indications with AT_RESULT_IND (as discussed in Section 6.2), then the peer MUST NOT accept EAP-Success after a successful EAP/SIM/Re-authentication round. In this case, the peer MUST only accept EAP-Success after receiving an EAP-SIM Notification with the AT_NOTIFICATION code "Success" (32768).
如果对等方表示希望使用具有AT_RESULT_IND的受保护成功指示(如第6.2节所述),则对等方在成功的EAP/SIM/重新认证回合后不得接受EAP成功。在这种情况下,对等方必须在收到带有AT_通知代码“Success”(32768)的EAP-SIM通知后才接受EAP Success。
If the peer receives an EAP-SIM notification (Section 6) that indicates failure, then the peer MUST no longer accept the EAP-Success packet, even if the server authentication was successfully completed.
如果对等方收到表明失败的EAP-SIM通知(第6节),则对等方不得再接受EAP成功数据包,即使服务器身份验证已成功完成。
This section specifies how keying material is generated.
本节指定如何生成关键帧材质。
On EAP-SIM full authentication, a Master Key (MK) is derived from the underlying GSM authentication values (Kc keys), the NONCE_MT, and other relevant context as follows.
在EAP-SIM完全身份验证中,主密钥(MK)来自底层GSM身份验证值(Kc密钥)、NONCE_MT和其他相关上下文,如下所示。
MK = SHA1(Identity|n*Kc| NONCE_MT| Version List| Selected Version)
MK = SHA1(Identity|n*Kc| NONCE_MT| Version List| Selected Version)
In the formula above, the "|" character denotes concatenation. "Identity" denotes the peer identity string without any terminating null characters. It is the identity from the last AT_IDENTITY attribute sent by the peer in this exchange, or, if AT_IDENTITY was not used, it is the identity from the EAP-Response/Identity packet. The identity string is included as-is, without any changes. As discussed in Section 4.2.2.2, relying on EAP-Response/Identity for conveying the EAP-SIM peer identity is discouraged, and the server SHOULD use the EAP-SIM method-specific identity attributes.
在上面的公式中,“|”字符表示串联。“标识”表示没有任何终止空字符的对等标识字符串。它是此交换中对等方发送的最后一个AT_标识属性中的标识,或者,如果未使用AT_标识,则它是EAP响应/标识数据包中的标识。标识字符串按原样包含,没有任何更改。如第4.2.2.2节所述,不鼓励依靠EAP响应/标识来传递EAP-SIM对等身份,服务器应使用EAP-SIM方法特定的标识属性。
The notation n*Kc in the formula above denotes the n Kc values concatenated. The Kc keys are used in the same order as the RAND challenges in AT_RAND attribute. NONCE_MT denotes the NONCE_MT value (not the AT_NONCE_MT attribute, but only the nonce value). The Version List includes the 2-byte-supported version numbers from AT_VERSION_LIST, in the same order as in the attribute. The Selected Version is the 2-byte selected version from AT_SELECTED_VERSION. Network byte order is used, just as in the attributes. The hash function SHA-1 is specified in [SHA-1]. If several EAP/SIM/Start roundtrips are used in an EAP-SIM exchange, then the NONCE_MT, Version List and Selected version from the last EAP/SIM/Start round are used, and the previous EAP/SIM/Start rounds are ignored.
上面公式中的符号n*Kc表示连接的n个Kc值。Kc键的使用顺序与AT_RAND属性中的RAND challenges相同。NONCE_MT表示NONCE_MT值(不是AT_NONCE_MT属性,而是仅表示NONCE值)。版本列表包括AT_Version_列表中支持的2字节版本号,其顺序与属性中的顺序相同。所选版本是从AT_Selected_版本中选择的2字节版本。使用网络字节顺序,就像在属性中一样。哈希函数SHA-1在[SHA-1]中指定。如果在一个EAP-SIM交换机中使用了多个EAP/SIM/Start往返,则使用上一轮EAP/SIM/Start中的当前版本、版本列表和所选版本,并忽略以前的EAP/SIM/Start往返。
The Master Key is fed into a Pseudo-Random number Function (PRF) which generates separate Transient EAP Keys (TEKs) for protecting EAP-SIM packets, as well as a Master Session Key (MSK) for link layer security, and an Extended Master Session Key (EMSK) for other purposes. On fast re-authentication, the same TEKs MUST be used for protecting EAP packets, but a new MSK and a new EMSK MUST be derived from the original MK and from new values exchanged in the fast re-authentication.
主密钥被馈入伪随机数函数(PRF),该伪随机数函数生成单独的瞬态EAP密钥(TEK)用于保护EAP-SIM数据包,以及用于链路层安全的主会话密钥(MSK)和用于其他目的的扩展主会话密钥(EMSK)。在快速重新认证时,必须使用相同的TEK来保护EAP数据包,但必须从原始MK和快速重新认证中交换的新值派生出新的MSK和新的EMSK。
EAP-SIM requires two TEKs for its own purposes; the authentication key K_aut is to be used with the AT_MAC attribute, and the encryption key K_encr is to be used with the AT_ENCR_DATA attribute. The same K_aut and K_encr keys are used in full authentication and subsequent fast re-authentications.
EAP-SIM需要两个TEK用于其自身目的;身份验证密钥K_aut将与AT_MAC属性一起使用,加密密钥K_encr将与AT_encr_DATA属性一起使用。在完全身份验证和随后的快速重新身份验证中使用相同的K_aut和K_encr密钥。
Key derivation is based on the random number generation specified in NIST Federal Information Processing Standards (FIPS) Publication 186-2 [PRF]. The pseudo-random number generator is specified in the change notice 1 (2001 October 5) of [PRF] (Algorithm 1). As specified in the change notice (page 74), when Algorithm 1 is used as a general-purpose pseudo-random number generator, the "mod q" term in step 3.3 is omitted. The function G used in the algorithm is constructed via the Secure Hash Standard, as specified in Appendix 3.3 of the standard. It should be noted that the function G is very similar to SHA-1, but the message padding is different. Please refer to [PRF] for full details. For convenience, the random number algorithm with the correct modification is cited in Appendix B.
密钥推导基于NIST联邦信息处理标准(FIPS)出版物186-2[PRF]中规定的随机数生成。[PRF](算法1)的变更通知1(2001年10月5日)中规定了伪随机数生成器。如变更通知(第74页)所述,当算法1用作通用伪随机数生成器时,省略步骤3.3中的“mod q”项。算法中使用的函数G是通过安全哈希标准构建的,如标准附录3.3所述。应该注意的是,函数G与SHA-1非常相似,但消息填充不同。有关详细信息,请参阅[PRF]。为方便起见,附录B中引用了经过正确修改的随机数算法。
160-bit XKEY and XVAL values are used, so b = 160. On each full authentication, the Master Key is used as the initial secret seed-key XKEY. The optional user input values (XSEED_j) in step 3.1 are set to zero.
使用160位XKEY和XVAL值,因此b=160。在每次完全身份验证时,主密钥用作初始密钥种子密钥XKEY。步骤3.1中的可选用户输入值(XSEED_j)设置为零。
On full authentication, the resulting 320-bit random numbers (x_0, x_1, ..., x_m-1) are concatenated and partitioned into suitable-sized chunks and used as keys in the following order: K_encr (128 bits), K_aut (128 bits), Master Session Key (64 bytes), Extended Master Session Key (64 bytes).
在完全身份验证时,生成的320位随机数(x_0,x_1,…,x_m-1)被连接并划分为适当大小的块,并按以下顺序用作密钥:K_encr(128位)、K_aut(128位)、主会话密钥(64字节)、扩展主会话密钥(64字节)。
On fast re-authentication, the same pseudo-random number generator can be used to generate a new Master Session Key and a new Extended Master Session Key. The seed value XKEY' is calculated as follows:
在快速重新身份验证中,可以使用相同的伪随机数生成器生成新的主会话密钥和新的扩展主会话密钥。种子值XKEY'的计算如下:
XKEY' = SHA1(Identity|counter|NONCE_S| MK)
XKEY'=SHA1(身份|计数器|暂时| S | MK)
In the formula above, the Identity denotes the fast re-authentication identity, without any terminating null characters, from the AT_IDENTITY attribute of the EAP-Response/SIM/Start packet, or, if
在上面的公式中,标识表示来自EAP响应/SIM/Start数据包的AT_标识属性的快速重新认证标识,没有任何终止的空字符,或者,如果
EAP-Response/SIM/Start was not used on fast re-authentication, it denotes the identity string from the EAP-Response/Identity packet. The counter denotes the counter value from the AT_COUNTER attribute used in the EAP-Response/SIM/Re-authentication packet. The counter is used in network byte order. NONCE_S denotes the 16-byte NONCE_S value from the AT_NONCE_S attribute used in the EAP-Request/SIM/Re-authentication packet. The MK is the Master Key derived on the preceding full authentication.
EAP响应/SIM/Start未用于快速重新身份验证,它表示来自EAP响应/身份数据包的身份字符串。计数器表示EAP响应/SIM/Re认证数据包中使用的AT_计数器属性中的计数器值。计数器按网络字节顺序使用。NONCE_S表示EAP请求/SIM/Re身份验证数据包中使用的AT_NONCE_S属性中的16字节NONCE_S值。MK是在前面的完全身份验证中派生的主密钥。
On fast re-authentication, the pseudo-random number generator is run with the new seed value XKEY', and the resulting 320-bit random numbers (x_0, x_1, ..., x_m-1) are concatenated and partitioned into two 64-byte chunks and used as the new 64-byte Master Session Key and the new 64-byte Extended Master Session Key. Note that because K_encr and K_aut are not derived on fast re-authentication, the Master Session Key and the Extended Master Session key are obtained from the beginning of the key stream (x_0, x_1, ...).
在快速重新身份验证时,伪随机数生成器使用新的种子值XKEY'运行,生成的320位随机数(x_0,x_1,…,x_m-1)被连接并划分为两个64字节的块,并用作新的64字节主会话密钥和新的64字节扩展主会话密钥。注意,由于K_encr和K_aut不是在快速重新身份验证时派生的,因此主会话密钥和扩展主会话密钥是从密钥流的开始(x_0,x_1,…)获得的。
The first 32 bytes of the MSK can be used as the Pairwise Master Key (PMK) for IEEE 802.11i.
MSK的前32个字节可用作IEEE 802.11i的成对主密钥(PMK)。
When the RADIUS attributes specified in [RFC2548] are used to transport keying material, then the first 32 bytes of the MSK correspond to MS-MPPE-RECV-KEY and the second 32 bytes to MS-MPPE-SEND-KEY. In this case, only 64 bytes of keying material (the MSK) are used.
当[RFC2548]中指定的半径属性用于传输键控材料时,MSK的前32字节对应于MS-MPPE-RECV-KEY,第二32字节对应于MS-MPPE-SEND-KEY。在这种情况下,仅使用64字节的键控材料(MSK)。
When generating the initial Master Key, the hash function is used as a mixing function to combine several session keys (Kc's) generated by the GSM authentication procedure and the random number NONCE_MT into a single session key. There are several reasons for this. The current GSM session keys are, at most, 64 bits, so two or more of them are needed to generate a longer key. By using a one-way function to combine the keys, we are assured that, even if an attacker managed to learn one of the EAP-SIM session keys, it wouldn't help him in learning the original GSM Kc's. In addition, since we include the random number NONCE_MT in the calculation, the peer is able to verify that the EAP-SIM packets it receives from the network are fresh and not replays (also see Section 11).
生成初始主密钥时,哈希函数用作混合函数,将GSM认证过程生成的多个会话密钥(Kc)和随机数NONCE_MT组合成单个会话密钥。这有几个原因。当前GSM会话密钥最多为64位,因此需要两个或更多密钥来生成更长的密钥。通过使用单向功能组合密钥,我们可以确信,即使攻击者设法学习其中一个EAP-SIM会话密钥,也无法帮助他学习原始GSM Kc。此外,由于我们在计算中包括随机数noncemt,对等方能够验证其从网络接收的EAP-SIM数据包是新的,而不是重放(另请参见第11节)。
As specified in [RFC3748], EAP packets begin with the Code, Identifiers, Length, and Type fields, which are followed by EAP-method-specific Type-Data. The Code field in the EAP header is set to 1 for EAP requests, and to 2 for EAP Responses. The usage of the
如[RFC3748]中所述,EAP数据包以代码、标识符、长度和类型字段开头,后跟EAP方法特定的类型数据。EAP头中的代码字段对于EAP请求设置为1,对于EAP响应设置为2。使用
Length and Identifier fields in the EAP header are also specified in [RFC3748]. In EAP-SIM, the Type field is set to 18.
EAP标头中的长度和标识符字段也在[RFC3748]中指定。在EAP-SIM中,类型字段设置为18。
In EAP-SIM, the Type-Data begins with an EAP-SIM header that consists of a 1-octet Subtype field and a 2-octet reserved field. The Subtype values used in EAP-SIM are defined in the IANA considerations section of the EAP-AKA specification [EAP-AKA]. The formats of the EAP header and the EAP-SIM header are shown below.
在EAP-SIM中,类型数据以EAP-SIM报头开始,该报头由1个八位字节的子类型字段和2个八位字节的保留字段组成。EAP-SIM中使用的子类型值在EAP-AKA规范[EAP-AKA]的IANA注意事项部分中定义。EAP标头和EAP-SIM标头的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Subtype | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Subtype | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The rest of the Type-Data that immediately follows the EAP-SIM header consists of attributes that are encoded in Type, Length, Value format. The figure below shows the generic format of an attribute.
紧跟在EAP-SIM报头之后的其余类型数据由以类型、长度、值格式编码的属性组成。下图显示了属性的通用格式。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Attribute Type
属性类型
Indicates the particular type of attribute. The attribute type values are listed in the IANA considerations section of the EAP-AKA specification [EAP-AKA].
指示属性的特定类型。属性类型值列在EAP-AKA规范[EAP-AKA]的IANA注意事项部分。
Length
长
Indicates the length of this attribute in multiples of four bytes. The maximum length of an attribute is 1024 bytes. The length includes the Attribute Type and Length bytes.
以四个字节的倍数表示此属性的长度。属性的最大长度为1024字节。长度包括属性类型和长度字节。
Value
价值
The particular data associated with this attribute. This field is always included and it may be two or more bytes in length. The type and length fields determine the format and length of the value field.
与此属性关联的特定数据。始终包含此字段,其长度可能为两个或更多字节。类型和长度字段决定值字段的格式和长度。
Attributes numbered within the range 0 through 127 are called non-skippable attributes. When an EAP-SIM peer encounters a non-skippable attribute that the peer does not recognize, the peer MUST send the EAP-Response/SIM/Client-Error packet, which terminates the authentication exchange. If an EAP-SIM server encounters a non-skippable attribute that the server does not recognize, then the server sends the EAP-Request/SIM/Notification packet with an AT_NOTIFICATION code, which implies general failure ("General failure after authentication" (0), or "General failure" (16384), depending on the phase of the exchange), which terminates the authentication exchange.
编号在0到127之间的属性称为不可跳过属性。当EAP-SIM对等方遇到对等方无法识别的不可跳过属性时,对等方必须发送EAP响应/SIM/客户端错误数据包,从而终止身份验证交换。如果EAP-SIM服务器遇到服务器无法识别的不可跳过属性,则服务器发送带有AT_通知代码的EAP请求/SIM/通知数据包,这意味着一般故障(“身份验证后的一般故障”(0)或“一般故障”(16384),具体取决于交换的阶段),它终止身份验证交换。
Attributes within the range of 128 through 255 are called skippable attributes. When a skippable attribute is encountered and is not recognized, it is ignored. The rest of the attributes and message data MUST still be processed. The Length field of the attribute is used to skip the attribute value in searching for the next attribute.
128到255范围内的属性称为可跳过属性。当遇到可跳过属性且无法识别时,将忽略该属性。其余的属性和消息数据仍必须处理。属性的长度字段用于在搜索下一个属性时跳过属性值。
Unless otherwise specified, the order of the attributes in an EAP-SIM message is insignificant and an EAP-SIM implementation should not assume a certain order to be used.
除非另有规定,否则EAP-SIM消息中属性的顺序无关紧要,EAP-SIM实现不应采用特定的使用顺序。
Attributes can be encapsulated within other attributes. In other words, the value field of an attribute type can be specified to contain other attributes.
属性可以封装在其他属性中。换句话说,属性类型的值字段可以指定为包含其他属性。
EAP-SIM can be extended by specifying new attribute types. If skippable attributes are used, it is possible to extend the protocol without breaking old implementations.
EAP-SIM可以通过指定新的属性类型进行扩展。如果使用了可跳过属性,则可以在不破坏旧实现的情况下扩展协议。
However, any new attributes added to the EAP-Request/SIM/Start or EAP-Response/SIM/Start packets would not be integrity-protected. Therefore, these messages MUST NOT be extended in the current version of EAP-SIM. If the list of supported EAP-SIM versions in the AT_VERSION_LIST does not include versions other than 1, then the server MUST NOT include attributes other than those specified in this document in the EAP-Request/SIM/Start message. Note that future versions of this protocol might specify new attributes for EAP-Request/SIM/Start and still support version 1 of the protocol. In this case, the server might send an EAP-Request/SIM/Start message that includes new attributes and indicates support for protocol version 1 and other versions in the AT_VERSION_LIST attribute. If the peer selects version 1, then the peer MUST ignore any other attributes included in EAP-Request/SIM/Start, other than those specified in this document. If the selected EAP-SIM version in peer's AT_SELECTED_VERSION is 1, then the peer MUST NOT include other
但是,添加到EAP请求/SIM/Start或EAP响应/SIM/Start数据包的任何新属性都不会受到完整性保护。因此,这些消息不得在当前版本的EAP-SIM中扩展。如果AT_VERSION_列表中受支持的EAP-SIM版本列表不包括1以外的版本,则服务器不得在EAP请求/SIM/启动消息中包括本文档中指定的属性以外的其他属性。请注意,此协议的未来版本可能会为EAP Request/SIM/Start指定新属性,并且仍然支持协议的版本1。在这种情况下,服务器可能会发送EAP请求/SIM/Start消息,该消息包括新属性,并在AT_version_LIST属性中指示对协议版本1和其他版本的支持。如果对等方选择版本1,则对等方必须忽略EAP Request/SIM/Start中包含的任何其他属性,本文档中指定的属性除外。如果对等方AT_selected_版本中选择的EAP-SIM版本为1,则对等方不得包括其他EAP-SIM版本
attributes aside from those specified in this document in the EAP-Response/SIM/Start message.
除本文档在EAP响应/SIM/启动消息中指定的属性之外的其他属性。
When specifying new attributes, it should be noted that EAP-SIM does not support message fragmentation. Hence, the sizes of the new extensions MUST be limited so that the maximum transfer unit (MTU) of the underlying lower layer is not exceeded. According to [RFC3748], lower layers must provide an EAP MTU of 1020 bytes or greater, so any extensions to EAP-SIM SHOULD NOT exceed the EAP MTU of 1020 bytes.
指定新属性时,应注意EAP-SIM不支持消息分段。因此,必须限制新扩展的大小,以便不超过底层的最大传输单位(MTU)。根据[RFC3748],较低层必须提供1020字节或更大的EAP MTU,因此EAP-SIM的任何扩展都不应超过1020字节的EAP MTU。
Because EAP-SIM supports version negotiation, new versions of the protocol can also be specified by using a new version number.
由于EAP-SIM支持版本协商,因此还可以使用新版本号指定协议的新版本。
This section specifies the messages used in EAP-SIM. It specifies when a message may be transmitted or accepted, which attributes are allowed in a message, which attributes are required in a message, and other message-specific details. The general message format is specified in Section 8.1.
本节规定了EAP-SIM中使用的消息。它指定何时可以传输或接受消息、消息中允许哪些属性、消息中需要哪些属性以及其他特定于消息的详细信息。第8.1节规定了通用消息格式。
In full authentication the first SIM-specific EAP Request is EAP-Request/SIM/Start. The EAP/SIM/Start roundtrip is used for two purposes. In full authentication this packet is used to request the peer to send the AT_NONCE_MT attribute to the server. In addition, as specified in Section 4.2, the Start round trip may be used by the server for obtaining the peer identity. As discussed in Section 4.2, several Start rounds may be required to obtain a valid peer identity.
在完全身份验证中,第一个特定于SIM卡的EAP请求是EAP Request/SIM/Start。EAP/SIM/Start往返用于两个目的。在完全身份验证中,此数据包用于请求对等方向服务器发送AT_NONCE_MT属性。此外,如第4.2节所述,服务器可以使用起始往返来获取对等身份。如第4.2节所述,可能需要几轮启动才能获得有效的对等身份。
The server MUST always include the AT_VERSION_LIST attribute.
服务器必须始终包含AT_VERSION_LIST属性。
The server MAY include one of the following identity-requesting attributes: AT_PERMANENT_ID_REQ, AT_FULLAUTH_ID_REQ, or AT_ANY_ID_REQ. These three attributes are mutually exclusive, so the server MUST NOT include more than one of the attributes.
服务器可以包括以下身份请求属性之一:AT_PERMANENT_ID_REQ、AT_FULLAUTH_ID_REQ或AT_ANY_ID_REQ。这三个属性是互斥的,因此服务器不能包含多个属性。
If the server has received a response from the peer, it MUST NOT issue a new EAP-Request/SIM/Start packet if it has previously issued an EAP-Request/SIM/Start message either without any identity requesting attributes or with the AT_PERMANENT_ID_REQ attribute.
如果服务器已收到来自对等方的响应,则如果服务器先前已发出EAP请求/SIM/启动消息,且没有任何身份请求属性或具有AT_PERMANENT_ID_REQ属性,则不得发出新的EAP请求/SIM/启动数据包。
If the server has received a response from the peer, it MUST NOT issue a new EAP-Request/SIM/Start packet with the AT_ANY_ID_REQ or AT_FULLAUTH_ID_REQ attributes if it has previously issued an EAP-Request/SIM/Start message with the AT_FULLAUTH_ID_REQ attribute.
如果服务器已收到来自对等方的响应,则如果服务器先前已发出具有AT_ANY_ID_REQ或AT_FULLAUTH_ID_REQ属性的EAP请求/SIM/启动消息,则不得发出具有AT_FULLAUTH_ID_REQ属性的新EAP请求/SIM/启动数据包。
If the server has received a response from the peer, it MUST NOT issue a new EAP-Request/SIM/Start packet with the AT_ANY_ID_REQ attribute if the server has previously issued an EAP-Request/SIM/Start message with the AT_ANY_ID_REQ attribute.
如果服务器已收到来自对等方的响应,则如果服务器先前已发出具有AT_ANY_ID_REQ属性的EAP Request/SIM/Start消息,则不得发出具有AT_ANY_ID_REQ属性的新EAP Request/SIM/Start数据包。
This message MUST NOT include AT_MAC, AT_IV, or AT_ENCR_DATA.
此消息不得包含AT_MAC、AT_IV或AT_ENCR_数据。
The peer sends EAP-Response/SIM/Start in response to a valid EAP-Request/SIM/Start from the server.
对等方发送EAP响应/SIM/Start以响应来自服务器的有效EAP请求/SIM/Start。
If and only if the server's EAP-Request/SIM/Start includes one of the identity-requesting attributes, then the peer MUST include the AT_IDENTITY attribute. The usage of AT_IDENTITY is defined in Section 4.2.
如果且仅当服务器的EAP请求/SIM/Start包含一个身份请求属性,则对等方必须包含AT_身份属性。第4.2节定义了AT_标识的使用。
The AT_NONCE_MT attribute MUST NOT be included if the AT_IDENTITY with a fast re-authentication identity is present for fast re-authentication. AT_NONCE_MT MUST be included in all other cases (full authentication).
如果具有快速重新身份验证标识的AT_标识用于快速重新身份验证,则不得包括AT_NONCE_MT属性。在所有其他情况下(完全身份验证),必须立即包含MT。
The AT_SELECTED_VERSION attribute MUST NOT be included if the AT_IDENTITY attribute with a fast re-authentication identity is present for fast re-authentication. In all other cases, AT_SELECTED_VERSION MUST be included (full authentication). This attribute is used in version negotiation, as specified in Section 4.1.
如果具有快速重新身份验证标识的AT_标识属性用于快速重新身份验证,则不得包括AT_SELECTED_VERSION属性。在所有其他情况下,必须包括AT_选定的版本(完全身份验证)。该属性用于版本协商,如第4.1节所述。
This message MUST NOT include AT_MAC, AT_IV, or AT_ENCR_DATA.
此消息不得包含AT_MAC、AT_IV或AT_ENCR_数据。
The server sends the EAP-Request/SIM/Challenge after receiving a valid EAP-Response/SIM/Start that contains AT_NONCE_MT and AT_SELECTED_VERSION, and after successfully obtaining the subscriber identity.
服务器在接收到包含当前MT和所选版本的有效EAP响应/SIM/Start后,以及在成功获取订户标识后,发送EAP请求/SIM/质询。
The AT_RAND attribute MUST be included.
必须包括AT_RAND属性。
The AT_RESULT_IND attribute MAY be included. The usage of this attribute is discussed in Section 6.2.
可以包括AT_RESULT_IND属性。第6.2节讨论了该属性的用法。
The AT_MAC attribute MUST be included. For EAP-Request/SIM/Challenge, the MAC code is calculated over the following data:
必须包括AT_MAC属性。对于EAP请求/SIM/质询,MAC代码通过以下数据计算:
EAP packet| NONCE_MT
EAP数据包|当前
The EAP packet is represented as specified in Section 8.1. It is followed by the 16-byte NONCE_MT value from the peer's AT_NONCE_MT attribute.
EAP数据包按照第8.1节的规定表示。它后面是对等方的AT_NONCE_MT属性中的16字节NONCE_MT值。
The EAP-Request/SIM/Challenge packet MAY include encrypted attributes for identity privacy and for communicating the next fast re-authentication identity. In this case, the AT_IV and AT_ENCR_DATA attributes are included (Section 10.12).
EAP请求/SIM/质询分组可以包括用于身份隐私和用于传送下一个快速重新认证身份的加密属性。在这种情况下,包括AT_IV和AT_ENCR_数据属性(第10.12节)。
The plaintext of the AT_ENCR_DATA value field consists of nested attributes. The nested attributes MAY include AT_PADDING (as specified in Section 10.12). If the server supports identity privacy and wants to communicate a pseudonym to the peer for the next full authentication, then the nested encrypted attributes include the AT_NEXT_PSEUDONYM attribute. If the server supports re-authentication and wants to communicate a fast re-authentication identity to the peer, then the nested encrypted attributes include the AT_NEXT_REAUTH_ID attribute.
AT_ENCR_数据值字段的纯文本由嵌套属性组成。嵌套属性可能包括AT_填充(如第10.12节所述)。如果服务器支持身份隐私,并希望为下一次完全身份验证向对等方传递假名,则嵌套的加密属性包括AT_next_假名属性。如果服务器支持重新身份验证并希望向对等方传递快速重新身份验证标识,则嵌套的加密属性包括AT_NEXT_REAUTH_ID属性。
When processing this message, the peer MUST process AT_RAND before processing other attributes. Only if AT_RAND is verified to be valid, the peer derives keys and verifies AT_MAC. The operation in case an error occurs is specified in Section 6.3.1.
处理此消息时,对等方必须在处理其他属性之前进行处理。只有验证AT_RAND有效时,对等方才能派生密钥并验证AT_MAC。第6.3.1节规定了发生错误时的操作。
The peer sends EAP-Response/SIM/Challenge in response to a valid EAP-Request/SIM/Challenge.
对等方发送EAP响应/SIM/质询以响应有效的EAP请求/SIM/质询。
Sending this packet indicates that the peer has successfully authenticated the server and that the EAP exchange will be accepted by the peer's local policy. Hence, if these conditions are not met, then the peer MUST NOT send EAP-Response/SIM/Challenge, but the peer MUST send EAP-Response/SIM/Client-Error.
发送此数据包表示对等方已成功对服务器进行身份验证,并且对等方的本地策略将接受EAP交换。因此,如果不满足这些条件,则对等方不得发送EAP响应/SIM/质询,但对等方必须发送EAP响应/SIM/客户端错误。
The AT_MAC attribute MUST be included. For EAP-Response/SIM/Challenge, the MAC code is calculated over the following data:
必须包括AT_MAC属性。对于EAP响应/SIM/质询,MAC代码通过以下数据计算:
EAP packet| n*SRES
EAP数据包| n*SRES
The EAP packet is represented as specified in Section 8.1. The EAP packet bytes are immediately followed by the two or three SRES values concatenated, denoted above with the notation n*SRES. The SRES values are used in the same order as the corresponding RAND challenges in the server's AT_RAND attribute.
EAP数据包按照第8.1节的规定表示。EAP数据包字节后面紧跟着两个或三个串联的SRES值,上面用符号n*SRES表示。SRES值的使用顺序与服务器的AT_RAND属性中相应的RAND挑战相同。
The AT_RESULT_IND attribute MAY be included if it was included in EAP-Request/SIM/Challenge. The usage of this attribute is discussed in Section 6.2.
如果在EAP请求/SIM/质询中包含AT_RESULT_IND属性,则可以包含该属性。第6.2节讨论了该属性的用法。
Later versions of this protocol MAY make use of the AT_ENCR_DATA and AT_IV attributes in this message to include encrypted (skippable) attributes. The EAP server MUST process EAP-Response/SIM/Challenge messages that include these attributes even if the server did not implement these optional attributes.
此协议的更高版本可能会使用此消息中的AT_ENCR_数据和AT_IV属性来包括加密(可跳过)属性。EAP服务器必须处理包含这些属性的EAP响应/SIM/质询消息,即使服务器未实现这些可选属性。
The server sends the EAP-Request/SIM/Re-authentication message if it wants to use fast re-authentication, and if it has received a valid fast re-authentication identity in EAP-Response/Identity or EAP-Response/SIM/Start.
如果服务器希望使用快速重新身份验证,并且在EAP响应/标识或EAP响应/SIM/启动中收到有效的快速重新身份验证标识,则服务器将发送EAP请求/SIM/重新身份验证消息。
AT_MAC MUST be included. No message-specific data is included in the MAC calculation. See Section 10.14.
必须包括AT_MAC。MAC计算中不包括特定于消息的数据。见第10.14节。
The AT_RESULT_IND attribute MAY be included. The usage of this attribute is discussed in Section 6.2.
可以包括AT_RESULT_IND属性。第6.2节讨论了该属性的用法。
The AT_IV and AT_ENCR_DATA attributes MUST be included. The plaintext consists of the following nested encrypted attributes, which MUST be included: AT_COUNTER and AT_NONCE_S. In addition, the nested encrypted attributes MAY include the following attributes: AT_NEXT_REAUTH_ID and AT_PADDING.
必须包括AT_IV和AT_ENCR_数据属性。明文由以下嵌套的加密属性组成,这些属性必须包括:AT_COUNTER和AT_NONCE。此外,嵌套的加密属性可能包括以下属性:AT_NEXT_REAUTH_ID和AT_PADDING。
The client sends the EAP-Response/SIM/Re-authentication packet in response to a valid EAP-Request/SIM/Re-authentication.
客户端发送EAP响应/SIM/重新认证数据包以响应有效的EAP请求/SIM/重新认证。
The AT_MAC attribute MUST be included. For EAP-Response/SIM/Re-authentication, the MAC code is calculated over the following data:
必须包括AT_MAC属性。对于EAP响应/SIM/重新认证,MAC代码通过以下数据计算:
EAP packet| NONCE_S
EAP数据包|暂时
The EAP packet is represented as specified in Section 8.1. It is followed by the 16-byte NONCE_S value from the server's AT_NONCE_S attribute.
EAP数据包按照第8.1节的规定表示。它后面是服务器的AT_NONCE_S属性中的16字节NONCE_S值。
The AT_IV and AT_ENCR_DATA attributes MUST be included. The nested encrypted attributes MUST include the AT_COUNTER attribute. The AT_COUNTER_TOO_SMALL attribute MAY be included in the nested
必须包括AT_IV和AT_ENCR_数据属性。嵌套的加密属性必须包括AT_计数器属性。嵌套的计数器中可能包含AT_COUNTER_TOO_SMALL属性
encrypted attributes, and it is included in cases specified in Section 5. The AT_PADDING attribute MAY be included.
加密属性,并包含在第5节规定的情况中。可以包括AT_PADDING属性。
The AT_RESULT_IND attribute MAY be included if it was included in EAP-Request/SIM/Re-authentication. The usage of this attribute is discussed in Section 6.2.
如果AT_RESULT_IND属性包含在EAP请求/SIM/Re身份验证中,则可以包含该属性。第6.2节讨论了该属性的用法。
Sending this packet without AT_COUNTER_TOO_SMALL indicates that the peer has successfully authenticated the server and that the EAP exchange will be accepted by the peer's local policy. Hence, if these conditions are not met, then the peer MUST NOT send EAP-Response/SIM/Re-authentication, but the peer MUST send EAP-Response/SIM/Client-Error.
如果发送此数据包时AT_计数器_太小,则表示对等方已成功验证服务器,并且对等方的本地策略将接受EAP交换。因此,如果不满足这些条件,则对等方不得发送EAP响应/SIM/重新身份验证,但对等方必须发送EAP响应/SIM/客户端错误。
The peer sends EAP-Response/SIM/Client-Error in error cases, as specified in Section 6.3.1.
按照第6.3.1节的规定,对等方在错误情况下发送EAP响应/SIM/客户端错误。
The AT_CLIENT_ERROR_CODE attribute MUST be included.
必须包括AT_客户端错误代码属性。
The AT_MAC, AT_IV, or AT_ENCR_DATA attributes MUST NOT be used with this packet.
AT_MAC、AT_IV或AT_ENCR_数据属性不得与此数据包一起使用。
The usage of this message is specified in Section 6. The AT_NOTIFICATION attribute MUST be included.
第6节规定了此消息的用法。必须包括AT_通知属性。
The AT_MAC attribute MUST be included if the P bit of the notification code in AT_NOTIFICATION is set to zero, and MUST NOT be included in cases when the P bit is set to one. The P bit is discussed in Section 6.
如果AT_通知中通知代码的P位设置为零,则必须包括AT_MAC属性,并且在P位设置为1的情况下,不得包括AT_MAC属性。第6节讨论了P位。
No message-specific data is included in the MAC calculation. See Section 10.14.
MAC计算中不包括特定于消息的数据。见第10.14节。
If EAP-Request/SIM/Notification is used on a fast re-authentication exchange, and if the P bit in AT_NOTIFICATION is set to zero, then AT_COUNTER is used for replay protection. In this case, the AT_ENCR_DATA and AT_IV attributes MUST be included, and the encapsulated plaintext attributes MUST include the AT_COUNTER attribute. The counter value included in AT_COUNTER MUST be the same as in the EAP-Request/SIM/Re-authentication packet on the same fast re-authentication exchange.
如果EAP请求/SIM/通知用于快速重新身份验证交换,并且如果AT_通知中的P位设置为零,则AT_计数器用于重播保护。在这种情况下,必须包括AT_ENCR_数据和AT_IV属性,并且封装的明文属性必须包括AT_计数器属性。AT_计数器中包含的计数器值必须与同一快速重新认证交换机上的EAP请求/SIM/重新认证数据包中的计数器值相同。
The usage of this message is specified in Section 6. This packet is an acknowledgement of EAP-Request/SIM/Notification.
第6节规定了此消息的用法。此数据包是EAP请求/SIM/通知的确认。
The AT_MAC attribute MUST be included in cases when the P bit of the notification code in AT_NOTIFICATION of EAP-Request/SIM/Notification is set to zero, and MUST NOT be included in cases when the P bit is set to one. The P bit is discussed in Section 6.
在EAP请求/SIM/通知的AT_通知中的通知代码的P位设置为零的情况下,必须包括AT_MAC属性,在P位设置为1的情况下,不得包括AT_MAC属性。第6节讨论了P位。
No message-specific data is included in the MAC calculation, see Section 10.14.
MAC计算中不包括特定于消息的数据,见第10.14节。
If EAP-Request/SIM/Notification is used on a fast re-authentication exchange, and if the P bit in AT_NOTIFICATION is set to zero, then AT_COUNTER is used for replay protection. In this case, the AT_ENCR_DATA and AT_IV attributes MUST be included, and the encapsulated plaintext attributes MUST include the AT_COUNTER attribute. The counter value included in AT_COUNTER MUST be the same as in the EAP-Request/SIM/Re-authentication packet on the same fast re-authentication exchange.
如果EAP请求/SIM/通知用于快速重新身份验证交换,并且如果AT_通知中的P位设置为零,则AT_计数器用于重播保护。在这种情况下,必须包括AT_ENCR_数据和AT_IV属性,并且封装的明文属性必须包括AT_计数器属性。AT_计数器中包含的计数器值必须与同一快速重新认证交换机上的EAP请求/SIM/重新认证数据包中的计数器值相同。
This section specifies the format of message attributes. The attribute type numbers are specified in the IANA considerations section of the EAP-AKA specification [EAP-AKA].
本节指定消息属性的格式。属性类型编号在EAP-AKA规范[EAP-AKA]的IANA注意事项部分中指定。
The following table provides a guide to which attributes may be found in which kinds of messages, and in what quantity. Messages are denoted with numbers in parentheses as follows: (1) EAP-Request/SIM/Start, (2) EAP-Response/SIM/Start, (3) EAP-Request/SIM/Challenge, (4) EAP-Response/SIM/Challenge, (5) EAP-Request/SIM/Notification, (6) EAP-Response/SIM/Notification, (7) EAP-Response/SIM/Client-Error, (8) EAP-Request/SIM/Re-authentication, and (9) EAP-Response/SIM/Re-authentication. The column denoted with "Encr" indicates whether the attribute is a nested attribute that MUST be included within AT_ENCR_DATA, and the column denoted with "Skip" indicates whether the attribute is a skippable attribute.
下表提供了在哪些类型的消息中可以找到哪些属性以及数量的指南。消息用括号中的数字表示如下:(1)EAP请求/SIM/启动,(2)EAP响应/SIM/启动,(3)EAP请求/SIM/质询,(4)EAP响应/SIM/质询,(5)EAP请求/SIM/通知,(6)EAP响应/SIM/通知,(7)EAP响应/SIM/客户端错误,(8)EAP请求/SIM/重新认证,以及(9)EAP响应/SIM/重新认证。用“Encr”表示的列表示该属性是否为必须包含在AT_Encr_数据中的嵌套属性,用“Skip”表示的列表示该属性是否为可跳过属性。
"0" indicates that the attribute MUST NOT be included in the message, "1" indicates that the attribute MUST be included in the message, "0-1" indicates that the attribute is sometimes included in the message, and "0*" indicates that the attribute is not included in the message in cases specified in this document, but MAY be included in future versions of the protocol.
“0”表示该属性不得包含在消息中,“1”表示该属性必须包含在消息中,“0-1”表示该属性有时包含在消息中,“0*”表示在本文档中指定的情况下该属性不包含在消息中,但可能包含在未来版本的协议中。
Attribute (1) (2) (3) (4) (5) (6) (7) (8) (9) Encr Skip AT_VERSION_LIST 1 0 0 0 0 0 0 0 0 N N AT_SELECTED_VERSION 0 0-1 0 0 0 0 0 0 0 N N AT_NONCE_MT 0 0-1 0 0 0 0 0 0 0 N N AT_PERMANENT_ID_REQ 0-1 0 0 0 0 0 0 0 0 N N AT_ANY_ID_REQ 0-1 0 0 0 0 0 0 0 0 N N AT_FULLAUTH_ID_REQ 0-1 0 0 0 0 0 0 0 0 N N AT_IDENTITY 0 0-1 0 0 0 0 0 0 0 N N AT_RAND 0 0 1 0 0 0 0 0 0 N N AT_NEXT_PSEUDONYM 0 0 0-1 0 0 0 0 0 0 Y Y AT_NEXT_REAUTH_ID 0 0 0-1 0 0 0 0 0-1 0 Y Y AT_IV 0 0 0-1 0* 0-1 0-1 0 1 1 N Y AT_ENCR_DATA 0 0 0-1 0* 0-1 0-1 0 1 1 N Y AT_PADDING 0 0 0-1 0* 0-1 0-1 0 0-1 0-1 Y N AT_RESULT_IND 0 0 0-1 0-1 0 0 0 0-1 0-1 N Y AT_MAC 0 0 1 1 0-1 0-1 0 1 1 N N AT_COUNTER 0 0 0 0 0-1 0-1 0 1 1 Y N AT_COUNTER_TOO_SMALL 0 0 0 0 0 0 0 0 0-1 Y N AT_NONCE_S 0 0 0 0 0 0 0 1 0 Y N AT_NOTIFICATION 0 0 0 0 1 0 0 0 0 N N AT_CLIENT_ERROR_CODE 0 0 0 0 0 0 1 0 0 N N
属性(1)(2)(3)(4)(5)(6)(7)(8)(9)0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 N N N N在0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 N N在0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 N N N在0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 N N在0 0 0 0 0 0 0 0 0 0-0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 N N在0 0 0 0-0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 1 1 0 0 0 0 1 1 1 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 0 0 0 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0在当前0时为-1 Y N0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 N N在0 0 0 0 0 0 0客户端错误代码0 0 0 0 0 0 0 1 0 0 N
It should be noted that attributes AT_PERMANENT_ID_REQ, AT_ANY_ID_REQ, and AT_FULLAUTH_ID_REQ are mutually exclusive; only one of them can be included at the same time. If one of the attributes AT_IV and AT_ENCR_DATA is included, then both of the attributes MUST be included.
需要注意的是,永久性ID请求、任意ID请求和完全授权ID请求的属性是互斥的;同时只能包含其中一个。如果包含第四个和第五个数据的属性之一,则必须同时包含这两个属性。
The format of the AT_VERSION_LIST attribute is shown below.
AT_VERSION_LIST属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_VERSION_L..| Length | Actual Version List Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Supported Version 1 | Supported Version 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. .
. .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Supported Version N | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_VERSION_L..| Length | Actual Version List Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Supported Version 1 | Supported Version 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. .
. .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Supported Version N | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
This attribute is used in version negotiation, as specified in Section 4.1. The attribute contains the version numbers supported by the EAP-SIM server. The server MUST only include versions that it
该属性用于版本协商,如第4.1节所述。该属性包含EAP-SIM服务器支持的版本号。服务器必须仅包含其支持的版本
implements and that are allowed in its security policy. The server SHOULD list the versions in the order of preference, with the most preferred versions listed first. At least one version number MUST be included. The version number for the protocol described in this document is one (0001 hexadecimal).
实现其安全策略中允许的和。服务器应按首选顺序列出版本,最首选的版本列在第一位。必须至少包含一个版本号。本文件中所述协议的版本号为一(0001十六进制)。
The value field of this attribute begins with 2-byte Actual Version List Length, which specifies the length of the Version List in bytes, not including the Actual Version List Length attribute length. This field is followed by the list of the versions supported by the server, which each have a length of 2 bytes. For example, if there is only one supported version, then the Actual Version List Length is 2. Because the length of the attribute must be a multiple of 4 bytes, the sender pads the value field with zero bytes when necessary.
此属性的值字段以2字节的实际版本列表长度开始,该长度以字节为单位指定版本列表的长度,不包括实际版本列表长度属性长度。此字段后面是服务器支持的版本列表,每个版本的长度为2字节。例如,如果只有一个受支持的版本,则实际版本列表长度为2。因为属性的长度必须是4字节的倍数,所以发送方在必要时用零字节填充值字段。
The format of the AT_SELECTED_VERSION attribute is shown below.
AT_SELECTED_VERSION属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_SELECTED...| Length = 1 | Selected Version |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_SELECTED...| Length = 1 | Selected Version |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
This attribute is used in version negotiation, as specified in Section 4.1. The value field of this attribute contains a two-byte version number, which indicates the EAP-SIM version that the peer wants to use.
该属性用于版本协商,如第4.1节所述。此属性的值字段包含一个两字节的版本号,表示对等方要使用的EAP-SIM版本。
The format of the AT_NONCE_MT attribute is shown below.
当前MT属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_NONCE_MT | Length = 5 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| NONCE_MT |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_NONCE_MT | Length = 5 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| NONCE_MT |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The value field of the NONCE_MT attribute contains two reserved bytes followed by a random number freshly generated by the peer (16 bytes long) for this EAP-SIM authentication exchange. The random number is used as a seed value for the new keying material. The reserved bytes are set to zero upon sending and ignored upon reception.
NONCE_MT属性的值字段包含两个保留字节,后跟由对等方新生成的用于此EAP-SIM身份验证交换的随机数(16字节长)。随机数用作新关键帧材质的种子值。保留字节在发送时设置为零,在接收时忽略。
The peer MUST NOT re-use the NONCE_MT value from a previous EAP-SIM authentication exchange. If an EAP-SIM exchange includes several EAP/SIM/Start rounds, then the peer SHOULD use the same NONCE_MT value in all EAP-Response/SIM/Start packets. The peer SHOULD use a good source of randomness to generate NONCE_MT. Please see [RFC4086] for more information about generating random numbers for security applications.
对等方不得重复使用先前EAP-SIM身份验证交换中的NONCE_MT值。如果EAP-SIM交换包括多个EAP/SIM/启动轮,则对等方应在所有EAP响应/SIM/启动数据包中使用相同的NONCE_MT值。对等方应使用良好的随机性源来生成NONCE_MT。有关为安全应用程序生成随机数的更多信息,请参阅[RFC4086]。
The format of the AT_PERMANENT_ID_REQ attribute is shown below.
AT_PERMANENT_ID_REQ属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_PERM..._REQ | Length = 1 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_PERM..._REQ | Length = 1 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The use of the AT_PERMANENT_ID_REQ is defined in Section 4.2. The value field contains only two reserved bytes, which are set to zero on sending and ignored on reception.
第4.2节定义了AT_永久性_ID_需求的使用。值字段仅包含两个保留字节,发送时设置为零,接收时忽略。
The format of the AT_ANY_ID_REQ attribute is shown below.
AT_ANY_ID_REQ属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_ANY_ID_REQ | Length = 1 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_ANY_ID_REQ | Length = 1 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The use of the AT_ANY_ID_REQ is defined in Section 4.2. The value field contains only two reserved bytes, which are set to zero on sending and ignored on reception.
第4.2节定义了AT_ANY_ID_REQ的使用。值字段仅包含两个保留字节,发送时设置为零,接收时忽略。
The format of the AT_FULLAUTH_ID_REQ attribute is shown below.
AT_FULLAUTH_ID_REQ属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_FULLAUTH_...| Length = 1 | Reserved |
+---------------+---------------+-------------------------------+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_FULLAUTH_...| Length = 1 | Reserved |
+---------------+---------------+-------------------------------+
The use of the AT_FULLAUTH_ID_REQ is defined in Section 4.2. The value field contains only two reserved bytes, which are set to zero on sending and ignored on reception.
第4.2节定义了AT_FULLAUTH_ID_请求的使用。值字段仅包含两个保留字节,发送时设置为零,接收时忽略。
The format of the AT_IDENTITY attribute is shown below.
AT_标识属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_IDENTITY | Length | Actual Identity Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. Identity (optional) .
. .
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_IDENTITY | Length | Actual Identity Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. Identity (optional) .
. .
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The use of the AT_IDENTITY is defined in Section 4.2. The value field of this attribute begins with a 2-byte actual identity length, which specifies the length of the identity in bytes. This field is followed by the subscriber identity of the indicated actual length. The identity is the permanent identity, a pseudonym identity, or a fast re-authentication identity. The identity format is specified in Section 4.2.1. The same identity format is used in the AT_IDENTITY attribute and the EAP-Response/Identity packet, with the exception that the peer MUST NOT decorate the identity it includes in AT_IDENTITY. The identity does not include any terminating null characters. Because the length of the attribute must be a multiple of 4 bytes, the sender pads the identity with zero bytes when necessary.
第4.2节定义了AT_标识的使用。此属性的值字段以2字节的实际标识长度开始,该长度以字节为单位指定标识的长度。此字段后面是指示实际长度的订户标识。身份是永久身份、假名身份或快速重新身份验证身份。第4.2.1节规定了标识格式。AT_标识属性和EAP响应/标识数据包中使用相同的标识格式,但对等方不得修饰AT_标识中包含的标识。标识不包括任何终止的空字符。因为属性的长度必须是4字节的倍数,所以发送方在必要时用零字节填充标识。
The format of the AT_RAND attribute is shown below.
AT_RAND属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_RAND | Length | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. n*RAND .
. .
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_RAND | Length | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. n*RAND .
. .
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The value field of this attribute contains two reserved bytes followed by n GSM RANDs, each 16 bytes long. The value of n can be determined by the attribute length. The reserved bytes are set to zero upon sending and ignored upon reception.
此属性的值字段包含两个保留字节,后跟n个GSM RAND,每个长度为16字节。n的值可由属性长度确定。保留字节在发送时设置为零,在接收时忽略。
The number of RAND challenges (n) MUST be two or three. The peer MUST verify that the number of RAND challenges is sufficient according to the peer's policy. The server MUST use different RAND values. In other words, a RAND value can only be included once in AT_RAND. When processing the AT_RAND attribute, the peer MUST check that the RANDs are different.
RAND挑战数(n)必须为两个或三个。对等方必须根据对等方的策略验证RAND挑战的数量是否足够。服务器必须使用不同的RAND值。换句话说,一个RAND值只能在AT_RAND中包含一次。处理AT_RAND属性时,对等方必须检查RAND是否不同。
The EAP server MUST obtain fresh RANDs for each EAP-SIM full authentication exchange. More specifically, the server MUST consider RANDs it included in AT_RAND to be consumed if the server receives an EAP-Response/SIM/Challenge packet with a valid AT_MAC, or an EAP-Response/SIM/Client-Error with the code "insufficient number of challenges" or "RANDs are not fresh". However, in other cases (if the server does not receive a response to its EAP-Request/SIM/Challenge packet, or if the server receives a response other than the cases listed above), the server does not need to consider the RANDs to be consumed, and the server MAY re-use the RANDs in the AT_RAND attribute of the next full authentication attempt.
EAP服务器必须为每个EAP-SIM完全身份验证交换获取新的RAND。更具体地说,如果服务器接收到一个有效的ATLMAC的EAP响应/ SIM /挑战包,或者EAP响应/ SIM /客户端错误,代码“挑战数不足”或“RAND不新鲜”,服务器必须考虑它包含在ATYRAND中的RAND。然而,在其他情况下(如果服务器没有接收到对其EAP请求/ SIM /挑战包的响应,或者如果服务器接收了上面列出的情况以外的响应),服务器不需要考虑消耗的RAND,并且服务器可以在下一次完全认证尝试的AttRand属性中重用RAND。
The format of the AT_NEXT_PSEUDONYM attribute is shown below.
AT_NEXT_假名属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_NEXT_PSEU..| Length | Actual Pseudonym Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. Next Pseudonym .
. .
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_NEXT_PSEU..| Length | Actual Pseudonym Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. Next Pseudonym .
. .
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The value field of this attribute begins with the 2-byte actual pseudonym length, which specifies the length of the following pseudonym in bytes. This field is followed by a pseudonym username that the peer can use in the next authentication. The username MUST NOT include any realm portion. The username does not include any terminating null characters. Because the length of the attribute must be a multiple of 4 bytes, the sender pads the pseudonym with zero bytes when necessary. The username encoding MUST follow the UTF-8 transformation format [RFC3629]. This attribute MUST always be encrypted by encapsulating it within the AT_ENCR_DATA attribute.
此属性的值字段以2字节的实际假名长度开始,该长度以字节为单位指定以下假名的长度。此字段后面是对等方可在下次身份验证中使用的假名用户名。用户名不得包含任何领域部分。用户名不包含任何终止的空字符。因为属性的长度必须是4字节的倍数,所以发送方在必要时用零字节填充假名。用户名编码必须遵循UTF-8转换格式[RFC3629]。必须始终通过将该属性封装在AT_ENCR_DATA属性中来加密该属性。
The format of the AT_NEXT_REAUTH_ID attribute is shown below.
AT_NEXT_REAUTH_ID属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_NEXT_REAU..| Length | Actual Re-Auth Identity Length|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. Next Fast Re-authentication Username .
. .
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_NEXT_REAU..| Length | Actual Re-Auth Identity Length|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. Next Fast Re-authentication Username .
. .
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The value field of this attribute begins with the 2-byte actual re-authentication identity length which specifies the length of the following fast re-authentication identity in bytes. This field is followed by a fast re-authentication identity that the peer can use in the next fast re-authentication, as described in Section 5. In environments where a realm portion is required, the fast re-authentication identity includes both a username portion and a
此属性的值字段以2字节的实际重新身份验证标识长度开始,该长度以字节为单位指定以下快速重新身份验证标识的长度。如第5节所述,该字段后面是对等方可在下一次快速重新认证中使用的快速重新认证标识。在需要领域部分的环境中,快速重新身份验证标识包括用户名部分和
realm name portion. The fast re-authentication identity does not include any terminating null characters. Because the length of the attribute must be a multiple of 4 bytes, the sender pads the fast re-authentication identity with zero bytes when necessary. The identity encoding MUST follow the UTF-8 transformation format [RFC3629]. This attribute MUST always be encrypted by encapsulating it within the AT_ENCR_DATA attribute.
域名部分。快速重新身份验证标识不包括任何终止的空字符。因为属性的长度必须是4字节的倍数,所以发送方在必要时将快速重新身份验证标识填充为零字节。标识编码必须遵循UTF-8转换格式[RFC3629]。必须始终通过将该属性封装在AT_ENCR_DATA属性中来加密该属性。
AT_IV and AT_ENCR_DATA attributes can be used to transmit encrypted information between the EAP-SIM peer and server.
AT_IV和AT_ENCR_数据属性可用于在EAP-SIM对等机和服务器之间传输加密信息。
The value field of AT_IV contains two reserved bytes followed by a 16-byte initialization vector required by the AT_ENCR_DATA attribute. The reserved bytes are set to zero when sending and ignored on reception. The AT_IV attribute MUST be included if and only if the AT_ENCR_DATA is included. Section 6.3 specifies the operation if a packet that does not meet this condition is encountered.
AT_IV的值字段包含两个保留字节,后跟AT_ENCR_数据属性所需的16字节初始化向量。发送时保留字节设置为零,接收时忽略。当且仅当包含AT_ENCR_数据时,必须包含AT_IV属性。第6.3节规定了遇到不符合此条件的数据包时的操作。
The sender of the AT_IV attribute chooses the initialization vector at random. The sender MUST NOT re-use the initialization vector value from previous EAP-SIM packets. The sender SHOULD use a good source of randomness to generate the initialization vector. Please see [RFC4086] for more information about generating random numbers for security applications. The format of AT_IV is shown below.
AT_IV属性的发送方随机选择初始化向量。发送方不得重复使用以前EAP-SIM数据包中的初始化向量值。发送方应使用良好的随机性源来生成初始化向量。有关为安全应用程序生成随机数的更多信息,请参阅[RFC4086]。AT_IV的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_IV | Length = 5 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Initialization Vector |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_IV | Length = 5 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Initialization Vector |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The value field of the AT_ENCR_DATA attribute consists of two reserved bytes followed by cipher text bytes encrypted using the Advanced Encryption Standard (AES) [AES] with a 128-bit key in the Cipher Block Chaining (CBC) mode of operation using the initialization vector from the AT_IV attribute. The reserved bytes are set to zero when sending and ignored on reception. Please see [CBC] for a description of the CBC mode. The format of the AT_ENCR_DATA attribute is shown below.
AT_ENCR_数据属性的值字段由两个保留字节组成,后跟使用高级加密标准(AES)[AES]加密的密文字节,在密码块链接(CBC)操作模式下使用AT_IV属性的初始化向量使用128位密钥进行加密。发送时保留字节设置为零,接收时忽略。有关CBC模式的说明,请参见[CBC]。AT_ENCR_数据属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_ENCR_DATA | Length | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. Encrypted Data .
. .
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_ENCR_DATA | Length | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
. Encrypted Data .
. .
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The derivation of the encryption key (K_encr) is specified in Section 7.
第7节规定了加密密钥(K_encr)的推导。
The plaintext consists of nested EAP-SIM attributes.
明文由嵌套的EAP-SIM属性组成。
The encryption algorithm requires the length of the plaintext to be a multiple of 16 bytes. The sender may need to include the AT_PADDING attribute as the last attribute within AT_ENCR_DATA. The AT_PADDING attribute is not included if the total length of other nested attributes within the AT_ENCR_DATA attribute is a multiple of 16 bytes. As usual, the Length of the Padding attribute includes the Attribute Type and Attribute Length fields. The length of the Padding attribute is 4, 8, or 12 bytes. It is chosen so that the length of the value field of the AT_ENCR_DATA attribute becomes a multiple of 16 bytes. The actual pad bytes in the value field are set to zero (00 hexadecimal) on sending. The recipient of the message MUST verify that the pad bytes are set to zero. If this verification fails on the peer, then it MUST send the EAP-Response/SIM/Client-Error packet with the error code "unable to process packet" to terminate the authentication exchange. If this verification fails on the server, then the server sends the peer the EAP-Request/SIM/Notification packet with an AT_NOTIFICATION code that implies failure to terminate the authentication exchange. The format of the AT_PADDING attribute is shown below.
加密算法要求明文的长度为16字节的倍数。发送方可能需要将AT_PADDING属性作为AT_ENCR_数据中的最后一个属性。如果AT_ENCR_数据属性中其他嵌套属性的总长度是16字节的倍数,则不包括AT_PADDING属性。通常,Padding属性的长度包括属性类型和属性长度字段。Padding属性的长度为4、8或12字节。选择它时,AT_ENCR_数据属性的值字段的长度将变为16字节的倍数。值字段中的实际pad字节在发送时设置为零(00十六进制)。邮件收件人必须验证pad字节是否设置为零。如果对等方验证失败,则必须发送错误代码为“无法处理数据包”的EAP响应/SIM/客户端错误数据包,以终止身份验证交换。如果此验证在服务器上失败,则服务器向对等方发送EAP请求/SIM/通知数据包,其中包含AT_通知代码,表示无法终止身份验证交换。AT_PADDING属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_PADDING | Length | Padding... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_PADDING | Length | Padding... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The format of the AT_RESULT_IND attribute is shown below.
AT_RESULT_IND属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_RESULT_...| Length = 1 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_RESULT_...| Length = 1 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The value field of this attribute consists of two reserved bytes, which are set to zero upon sending and ignored upon reception. This attribute is always sent unencrypted, so it MUST NOT be encapsulated within the AT_ENCR_DATA attribute.
此属性的值字段由两个保留字节组成,在发送时设置为零,在接收时忽略。此属性始终未加密发送,因此不能封装在AT_ENCR_DATA属性中。
The AT_MAC attribute is used for EAP-SIM message authentication. Section 8 specifies in which messages AT_MAC MUST be included.
AT_MAC属性用于EAP-SIM消息身份验证。第8节规定了必须包括在\u MAC上的哪些消息。
The value field of the AT_MAC attribute contains two reserved bytes followed by a keyed message authentication code (MAC). The MAC is calculated over the whole EAP packet and concatenated with optional message-specific data, with the exception that the value field of the MAC attribute is set to zero when calculating the MAC. The EAP packet includes the EAP header that begins with the Code field, the EAP-SIM header that begins with the Subtype field, and all the attributes, as specified in Section 8.1. The reserved bytes in AT_MAC are set to zero when sending and ignored on reception. The contents of the message-specific data that may be included in the MAC calculation are specified separately for each EAP-SIM message in Section 9.
AT_MAC属性的值字段包含两个保留字节,后跟密钥消息身份验证码(MAC)。MAC在整个EAP分组上计算,并与可选的消息特定数据连接,但MAC属性的值字段在计算MAC时设置为零的情况除外。EAP数据包包括以代码字段开头的EAP报头、以子类型字段开头的EAP-SIM报头以及第8.1节中规定的所有属性。AT_MAC中的保留字节在发送时设置为零,在接收时忽略。可包括在MAC计算中的消息特定数据的内容在第9节中针对每个EAP-SIM消息分别指定。
The format of the AT_MAC attribute is shown below.
AT_MAC属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_MAC | Length = 5 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| MAC |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_MAC | Length = 5 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| MAC |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The MAC algorithm is an HMAC-SHA1-128 [RFC2104] keyed hash value. (The HMAC-SHA1-128 value is obtained from the 20-byte HMAC-SHA1 value by truncating the output to the first 16 bytes. Hence, the length of the MAC is 16 bytes. The derivation of the authentication key (K_aut) used in the calculation of the MAC is specified in Section 7.
MAC算法是HMAC-SHA1-128[RFC2104]键控哈希值。(HMAC-SHA1-128值是通过将输出截断为前16个字节从20字节的HMAC-SHA1值中获得的。因此,MAC的长度为16个字节。第7节规定了计算MAC时使用的身份验证密钥(K_aut)的推导过程。
When the AT_MAC attribute is included in an EAP-SIM message, the recipient MUST process the AT_MAC attribute before looking at any other attributes, except when processing EAP-Request/SIM/Challenge. The processing of EAP-Request/SIM/Challenge is specified in Section 9.3. If the message authentication code is invalid, then the recipient MUST ignore all other attributes in the message and operate as specified in Section 6.3.
当EAP-SIM消息中包含AT_MAC属性时,收件人必须先处理AT_MAC属性,然后再查看任何其他属性,处理EAP请求/SIM/质询时除外。第9.3节规定了EAP请求/SIM/质询的处理。如果邮件验证码无效,则收件人必须忽略邮件中的所有其他属性,并按照第6.3节的规定操作。
The format of the AT_COUNTER attribute is shown below.
AT_计数器属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_COUNTER | Length = 1 | Counter |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_COUNTER | Length = 1 | Counter |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The value field of the AT_COUNTER attribute consists of a 16-bit unsigned integer counter value, represented in network byte order. This attribute MUST always be encrypted by encapsulating it within the AT_ENCR_DATA attribute.
AT_计数器属性的值字段由16位无符号整数计数器值组成,以网络字节顺序表示。必须始终通过将该属性封装在AT_ENCR_DATA属性中来加密该属性。
The format of the AT_COUNTER_TOO_SMALL attribute is shown below.
AT_COUNTER_TOO_SMALL属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_COUNTER...| Length = 1 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_COUNTER...| Length = 1 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The value field of this attribute consists of two reserved bytes, which are set to zero upon sending and ignored upon reception. This attribute MUST always be encrypted by encapsulating it within the AT_ENCR_DATA attribute.
此属性的值字段由两个保留字节组成,在发送时设置为零,在接收时忽略。必须始终通过将该属性封装在AT_ENCR_DATA属性中来加密该属性。
The format of the AT_NONCE_S attribute is shown below.
当前属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_NONCE_S | Length = 5 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| |
| NONCE_S |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AT_NONCE_S | Length = 5 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| |
| NONCE_S |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The value field of the AT_NONCE_S attribute contains two reserved bytes followed by a random number freshly generated by the server (16 bytes) for this EAP-SIM fast re-authentication. The random number is used as a challenge for the peer and also as a seed value for the new keying material. The reserved bytes are set to zero upon sending and ignored upon reception. This attribute MUST always be encrypted by encapsulating it within the AT_ENCR_DATA attribute.
“当前”属性的值字段包含两个保留字节,后跟服务器为此EAP-SIM快速重新身份验证新生成的随机数(16字节)。随机数被用作对等方的挑战,也被用作新键控材料的种子值。保留字节在发送时设置为零,在接收时忽略。必须始终通过将该属性封装在AT_ENCR_DATA属性中来加密该属性。
The server MUST NOT re-use the NONCE_S value from any previous EAP-SIM fast re-authentication exchange. The server SHOULD use a good source of randomness to generate NONCE_S. Please see [RFC4086] for more information about generating random numbers for security applications.
服务器不得重新使用以前任何EAP-SIM快速重新身份验证交换中的NONCE_S值。服务器应使用良好的随机性源来生成NONCE_。有关为安全应用程序生成随机数的更多信息,请参阅[RFC4086]。
The format of the AT_NOTIFICATION attribute is shown below.
AT_通知属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_NOTIFICATION| Length = 1 |S|P| Notification Code |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_NOTIFICATION| Length = 1 |S|P| Notification Code |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The value field of this attribute contains a two-byte notification code. The first and second bit (S and P) of the notification code are interpreted as described in Section 6.
此属性的值字段包含一个两字节的通知代码。通知代码的第一位和第二位(S和P)如第6节所述进行解释。
The notification code values listed below have been reserved. The descriptions below illustrate the semantics of the notifications.
下面列出的通知代码值已保留。下面的描述说明了通知的语义。
The peer implementation MAY use different wordings when presenting the notifications to the user. The "requested service" depends on the environment where EAP-SIM is applied.
对等实现在向用户呈现通知时可以使用不同的措辞。“请求的服务”取决于应用EAP-SIM的环境。
0 - General failure after authentication. (Implies failure, used after successful authentication.)
0-身份验证后发生常规故障。(表示失败,在成功身份验证后使用。)
16384 - General failure. (Implies failure, used before authentication.)
16384-一般故障。(表示失败,在身份验证之前使用。)
32768 - Success. User has been successfully authenticated. (Does not imply failure, used after successful authentication). The usage of this code is discussed in Section 6.2.
32768-成功。用户已成功通过身份验证。(不表示失败,在成功验证后使用)。第6.2节讨论了此代码的用法。
1026 - User has been temporarily denied access to the requested service. (Implies failure, used after successful authentication.)
1026-用户暂时被拒绝访问请求的服务。(表示失败,在成功身份验证后使用。)
1031 - User has not subscribed to the requested service. (Implies failure, used after successful authentication.)
1031-用户尚未订阅请求的服务。(表示失败,在成功身份验证后使用。)
The format of the AT_CLIENT_ERROR_CODE attribute is shown below.
AT_CLIENT_ERROR_CODE属性的格式如下所示。
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_CLIENT_ERR..| Length = 1 | Client Error Code |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|AT_CLIENT_ERR..| Length = 1 | Client Error Code |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The value field of this attribute contains a two-byte client error code. The following error code values have been reserved.
此属性的值字段包含一个两字节的客户端错误代码。已保留以下错误代码值。
0 "unable to process packet": a general error code
0“无法处理数据包”:一般错误代码
1 "unsupported version": the peer does not support any of the versions listed in AT_VERSION_LIST
1“不支持的版本”:对等方不支持AT_version_列表中列出的任何版本
2 "insufficient number of challenges": the peer's policy requires more triplets than the server included in AT_RAND
2“挑战数量不足”:对等方的策略需要比AT_RAND中包含的服务器更多的三元组
3 "RANDs are not fresh": the peer believes that the RAND challenges included in AT_RAND were not fresh
3“RAND并不新鲜”:同行认为AT_RAND中包含的RAND挑战并不新鲜
IANA has assigned the EAP type number 18 for this protocol.
IANA已为此协议分配EAP类型编号18。
EAP-SIM shares most of the protocol design, such as attributes and message Subtypes, with EAP-AKA [EAP-AKA]. EAP-SIM protocol numbers should be administered in the same IANA registry as EAP-AKA. The initial values are listed in [EAP-AKA] for both protocols, so this document does not require any new registries or parameter allocation. As a common registry is used for EAP-SIM and EAP-AKA, the protocol number allocation policy for both protocols is specified in [EAP-AKA].
EAP-SIM与EAP-AKA[EAP-AKA]共享大部分协议设计,如属性和消息子类型。EAP-SIM协议编号应与EAP-AKA在同一IANA注册表中管理。[EAP-AKA]中列出了两个协议的初始值,因此本文档不需要任何新的注册表或参数分配。由于EAP-SIM和EAP-AKA使用公共注册表,因此[EAP-AKA]中规定了两个协议的协议号分配策略。
The EAP specification [RFC3748] describes the security vulnerabilities of EAP, which does not include its own security mechanisms. This section discusses the claimed security properties of EAP-SIM, as well as vulnerabilities and security recommendations.
EAP规范[RFC3748]描述了EAP的安全漏洞,其中不包括其自身的安全机制。本节讨论EAP-SIM声称的安全属性,以及漏洞和安全建议。
The GSM A3 and A8 algorithms are used in EAP-SIM. [GSM-03.20] specifies the general GSM authentication procedure and the external interface (inputs and outputs) of the A3 and A8 algorithms. The operation of these functions falls completely within the domain of an individual operator, and therefore, the functions are specified by each operator rather than being fully standardised. The GSM-MILENAGE algorithm, specified publicly in [3GPP-TS-55.205], is an example algorithm set for A3 and A8 algorithms.
EAP-SIM中使用GSM A3和A8算法。[GSM-03.20]规定了一般GSM认证程序以及A3和A8算法的外部接口(输入和输出)。这些功能的操作完全属于单个操作员的范围,因此,这些功能由每个操作员指定,而不是完全标准化。[3GPP-TS-55.205]中公开规定的GSM-MILENAGE算法是A3和A8算法的示例算法集。
The security of the A3 and A8 algorithms is important to the security of EAP-SIM. Some A3/A8 algorithms have been compromised; see [GSM-Cloning] for discussion about the security of COMP-128 version 1. Note that several revised versions of the COMP-128 A3/A8 algorithm have been devised after the publication of these weaknesses and that the publicly specified GSM-MILENAGE algorithm is not vulnerable to any known attacks.
A3和A8算法的安全性对EAP-SIM的安全性至关重要。一些A3/A8算法已被破坏;有关COMP-128版本1安全性的讨论,请参见[GSM克隆]。请注意,在公布这些弱点之后,已经设计出了COMP-128 A3/A8算法的多个修订版本,并且公开指定的GSM-MILENAGE算法不易受到任何已知攻击。
EAP-SIM includes optional identity privacy support that protects the privacy of the subscriber identity against passive eavesdropping. This document only specifies a mechanism to deliver pseudonyms from the server to the peer as part of an EAP-SIM exchange. Hence, a peer that has not yet performed any EAP-SIM exchanges does not typically have a pseudonym available. If the peer does not have a pseudonym available, then the privacy mechanism cannot be used, but the
EAP-SIM包括可选的身份隐私支持,可保护用户身份的隐私免受被动窃听。本文档仅指定一种机制,作为EAP-SIM交换的一部分,将假名从服务器传递到对等方。因此,尚未执行任何EAP-SIM交换的对等方通常没有可用的假名。如果对等方没有可用的假名,则不能使用隐私机制,但
permanent identity will have to be sent in the clear. The terminal SHOULD store the pseudonym in a non-volatile memory so that it can be maintained across reboots. An active attacker that impersonates the network may use the AT_PERMANENT_ID_REQ attribute to attempt to learn the subscriber's permanent identity. However, as discussed in Section 4.2.2, the terminal can refuse to send the cleartext permanent identity if it believes that the network should be able to recognize the pseudonym.
永久身份必须以明文规定的方式发送。终端应将笔名存储在非易失性存储器中,以便在重新启动期间保持该笔名。模拟网络的主动攻击者可能使用AT_PERMANENT_ID_REQ属性试图了解订户的永久身份。然而,如第4.2.2节所述,如果终端认为网络应该能够识别笔名,则可以拒绝发送明文永久身份。
If the peer and server cannot guarantee that the pseudonym will be maintained reliably, and identity privacy is required, then additional protection from an external security mechanism (such as Protected Extensible Authentication Protocol (PEAP) [PEAP]) may be used. If an external security mechanism is in use, the identity privacy features of EAP-SIM may not be useful. The security considerations of using an external security mechanism with EAP-SIM are beyond the scope of this document.
如果对等方和服务器不能保证将可靠地维护笔名,并且需要身份隐私,那么可以使用来自外部安全机制的额外保护(例如受保护的可扩展认证协议(PEAP)[PEAP])。如果使用外部安全机制,EAP-SIM的身份隐私功能可能没有用处。与EAP-SIM一起使用外部安全机制的安全注意事项超出了本文档的范围。
EAP-SIM provides mutual authentication. The peer believes that the network is authentic because the network can calculate a correct AT_MAC value in the EAP-Request/SIM/Challenge packet. To calculate AT_MAC it is sufficient to know the RAND and Kc values from the GSM triplets (RAND, SRES, Kc) used in the authentication. Because the network selects the RAND challenges and the triplets, an attacker that knows n (2 or 3) GSM triplets for the subscriber is able to impersonate a valid network to the peer. (Some peers MAY employ an implementation-specific counter-measure against impersonating a valid network by re-using a previously used RAND; see below.) In other words, the security of EAP-SIM is based on the secrecy of Kc keys, which are considered secret intermediate results in the EAP-SIM cryptographic calculations.
EAP-SIM提供相互认证。对等方认为网络是可信的,因为网络可以在EAP请求/SIM/质询数据包中计算正确的AT_MAC值。要计算AT_MAC,从认证中使用的GSM三元组(RAND、SRES、Kc)中知道RAND和Kc值就足够了。由于网络选择RAND挑战和三元组,因此知道订户的n(2或3)个GSM三元组的攻击者能够向对等方模拟有效网络。(一些对等方可能会采用特定于实现的反措施,防止通过重新使用以前使用的RAND模拟有效网络;见下文。)换句话说,EAP-SIM的安全性基于Kc密钥的保密性,Kc密钥在EAP-SIM加密计算中被视为机密中间结果。
Given physical access to the SIM card, it is easy to obtain any number of GSM triplets.
如果可以物理访问SIM卡,则很容易获得任意数量的GSM三元组。
Another way to obtain triplets is to mount an attack on the peer platform via a virus or other malicious piece of software. The peer SHOULD be protected against triplet querying attacks by malicious software. Care should be taken not to expose Kc keys to attackers when they are stored or handled by the peer, or transmitted between subsystems of the peer. Steps should be taken to limit the transport, storage, and handling of these values outside a protected environment within the peer. However, the virus protection of the peer and the security capabilities of the peer's operating system are outside the scope of this document.
获取三胞胎的另一种方法是通过病毒或其他恶意软件在对等平台上发起攻击。应保护对等方免受恶意软件的三重查询攻击。当Kc密钥由对等方存储或处理,或在对等方子系统之间传输时,应注意不要将其暴露给攻击者。应采取措施限制这些值在对等计算机内受保护环境之外的传输、存储和处理。但是,对等计算机的病毒防护和对等计算机操作系统的安全功能不在本文档的范围内。
The EAP-SIM server typically obtains the triplets from the Home Location Register (HLR). An attacker might try to obtain triplets by attacking against the network used between the EAP-SIM server and the HLR. Care should be taken not to expose Kc keys to attackers when they are stored or handled by the EAP-SIM server, or transmitted between the EAP server and the HLR. Steps should be taken to limit the transport, storage, and handling of these values outside a protected environment. However, the protection of the communications between the EAP-SIM server and the HLR is outside the scope of this document.
EAP-SIM服务器通常从归属位置寄存器(HLR)获取三元组。攻击者可能试图通过攻击EAP-SIM服务器和HLR之间使用的网络来获取三元组。当Kc密钥由EAP-SIM服务器存储或处理,或在EAP服务器和HLR之间传输时,应注意不要将其暴露给攻击者。应采取措施限制在受保护环境外运输、储存和处理这些数值。但是,EAP-SIM服务器与HLR之间的通信保护不在本文档范围内。
If the same SIM credentials are also used for GSM traffic, the triplets could be revealed in the GSM network; see Section 12.8.
如果相同的SIM卡凭证也用于GSM通信,则三胞胎可能会在GSM网络中显示;见第12.8节。
In GSM, the network is allowed to re-use the RAND challenge in consecutive authentication exchanges. This is not allowed in EAP-SIM. The EAP-SIM server is mandated to use fresh triplets (RAND challenges) in consecutive authentication exchanges, as specified in Section 3. EAP-SIM does not mandate any means for the peer to check if the RANDs are fresh, so the security of the scheme leans on the secrecy of the triplets. However, the peer MAY employ implementation-specific mechanisms to remember some of the previously used RANDs, and the peer MAY check the freshness of the server's RANDs. The operation in cases when the peer detects that the RANDs are not fresh is specified in Section 6.3.1.
在GSM中,允许网络在连续的身份验证交换中重复使用RAND挑战。这在EAP-SIM中是不允许的。按照第3节的规定,EAP-SIM服务器必须在连续身份验证交换中使用新的三元组(RAND挑战)。EAP-SIM不要求对等方通过任何方式检查RAND是否新鲜,因此该方案的安全性依赖于三胞胎的保密性。然而,对等方可以采用特定于实现的机制来记住一些先前使用的rand,并且对等方可以检查服务器rand的新鲜度。第6.3.1节规定了对等方检测到RAND不新鲜时的操作。
Preventing the re-use of authentication vectors has been taken into account in the design of the UMTS Authentication and Key Agreement (AKA), which is used in EAP-AKA [EAP-AKA]. In cases when the triplet re-use properties of EAP-SIM are not considered sufficient, it is advised to use EAP-AKA.
在设计用于EAP-AKA[EAP-AKA]的UMTS认证和密钥协议(AKA)时,已考虑到防止认证向量的重复使用。如果认为EAP-SIM的三重态重复使用特性不足,建议使用EAP-AKA。
Note that EAP-SIM mutual authentication is done with the EAP server. In general, EAP methods do not authenticate the identity or services provided by the EAP authenticator (if distinct from the EAP server) unless they provide the so-called channel bindings property. The vulnerabilities related to this have been discussed in [RFC3748], [EAP-Keying], [Service-Identity].
请注意,EAP-SIM相互认证是通过EAP服务器完成的。通常,EAP方法不会对EAP验证器提供的身份或服务进行身份验证(如果与EAP服务器不同),除非它们提供所谓的通道绑定属性。与此相关的漏洞已在[RFC3748]、[EAP键控]、[Service Identity]中讨论过。
EAP-SIM does not provide the channel bindings property, so it only authenticates the EAP server. However, ongoing work such as [Service-Identity] may provide such support as an extension to popular EAP methods such as EAP-TLS, EAP-SIM, or EAP-AKA.
EAP-SIM不提供通道绑定属性,因此它仅对EAP服务器进行身份验证。然而,诸如[服务标识]之类的正在进行的工作可以提供这样的支持,作为流行EAP方法(例如EAP-TLS、EAP-SIM或EAP-AKA)的扩展。
The EAP-SIM server typically obtains authentication vectors from the Authentication Centre (AuC). EAP-SIM introduces a new usage for the AuC. The protocols between the EAP-SIM server and the AuC are out of the scope of this document. However, it should be noted that a malicious EAP-SIM peer may generate a lot of protocol requests to mount a denial of service attack. The EAP-SIM server implementation SHOULD take this into account and SHOULD take steps to limit the traffic that it generates towards the AuC, preventing the attacker from flooding the AuC and from extending the denial of service attack from EAP-SIM to other users of the AuC.
EAP-SIM服务器通常从认证中心(AuC)获取认证向量。EAP-SIM为AuC引入了一种新用法。EAP-SIM服务器和AuC之间的协议不在本文档范围内。但是,应该注意,恶意EAP-SIM对等方可能会生成大量协议请求以发起拒绝服务攻击。EAP-SIM服务器实施应考虑到这一点,并应采取措施限制其向AuC产生的流量,防止攻击者淹没AuC并将拒绝服务攻击从EAP-SIM扩展到AuC的其他用户。
EAP-SIM supports key derivation. The key hierarchy is specified in Section 7. EAP-SIM combines several GSM triplets in order to generate stronger keying material and stronger AT_MAC values. The actual strength of the resulting keys depends, among other things, on operator-specific parameters including authentication algorithms, the strength of the Ki key, and the quality of the RAND challenges. For example, some SIM cards generate Kc keys with 10 bits set to zero. Such restrictions may prevent the concatenation technique from yielding strong session keys. Because the strength of the Ki key is 128 bits, the ultimate strength of any derived secret key material is never more than 128 bits.
EAP-SIM支持密钥派生。第7节规定了密钥层次结构。EAP-SIM组合了几个GSM三元组,以生成更强的键控材料和更强的AT_MAC值。结果密钥的实际强度除其他外,取决于特定于操作员的参数,包括身份验证算法、Ki密钥的强度和密钥的质量。例如,某些SIM卡生成的Kc密钥的10位设置为零。这种限制可能会阻止串联技术产生强会话密钥。因为Ki密钥的强度是128位,所以任何派生密钥材料的最终强度都不会超过128位。
It should also be noted that a security policy that allows n=2 to be used may compromise the security of a future policy that requires three triplets, because adversaries may be able to exploit the messages exchanged when the weaker policy is applied.
还应注意,允许使用n=2的安全策略可能会危及需要三个三元组的未来策略的安全性,因为对手可能能够利用应用较弱策略时交换的消息。
There is no known way to obtain complete GSM triplets by mounting an attack against EAP-SIM. A passive eavesdropper can learn n*RAND and AT_MAC and may be able to link this information to the subscriber identity. An active attacker that impersonates a GSM subscriber can easily obtain n*RAND and AT_MAC values from the EAP server for any given subscriber identity. However, calculating the Kc and SRES values from AT_MAC would require the attacker to reverse the keyed message authentication code function HMAC-SHA1-128.
目前还没有已知的方法通过对EAP-SIM发起攻击来获得完整的GSM三元组。被动窃听者可以学习n*RAND和AT_MAC,并且可以将此信息链接到用户身份。模拟GSM用户的主动攻击者可以轻松地从EAP服务器获取任何给定用户身份的n*RAND和AT_MAC值。但是,从AT_MAC计算Kc和SRES值需要攻击者反转密钥消息身份验证码函数HMAC-SHA1-128。
As EAP-SIM does not expose any values calculated from an individual GSM Kc keys, it is not possible to mount a brute force attack on only one of the Kc keys in EAP-SIM. Therefore, when considering brute force attacks on the values exposed in EAP-SIM, the effective length of EAP-SIM session keys is not compromised by the fact that they are
由于EAP-SIM不公开根据单个GSM Kc密钥计算的任何值,因此不可能仅对EAP-SIM中的一个Kc密钥进行暴力攻击。因此,在考虑对EAP-SIM中公开的值进行暴力攻击时,EAP-SIM会话密钥的有效长度不会因其
combined from several shorter keys, i.e., the effective length of 128 bits may be achieved. For additional considerations, see Section 12.8.
由几个较短的键组合而成,即,可以实现128位的有效长度。有关其他注意事项,请参见第12.8节。
The EAP Transient Keys used to protect EAP-SIM packets (K_encr, K_aut), the Master Session Key, and the Extended Master Session Key are cryptographically separate in EAP-SIM. An attacker cannot derive any non-trivial information about any of these keys based on the other keys. An attacker also cannot calculate the pre-shared secret (Ki) from the GSM Kc keys, from EAP-SIM K_encr, from EAP-SIM K_aut, from the Master Session Key, or from the Extended Master Session Key.
用于保护EAP-SIM数据包(K_encr、K_aut)的EAP瞬态密钥、主会话密钥和扩展主会话密钥在EAP-SIM中以加密方式分开。攻击者无法基于其他密钥获取有关这些密钥的任何非平凡信息。攻击者也无法从GSM Kc密钥、EAP-SIM K_encr、EAP-SIM K_aut、主会话密钥或扩展主会话密钥计算预共享密钥(Ki)。
Each EAP-SIM exchange generates fresh keying material, and the keying material exported from the method upon separate EAP-SIM exchanges is cryptographically separate. The EAP-SIM peer contributes to the keying material with the NONCE_MT parameter, which must be chosen freshly for each full authentication exchange. The EAP server is mandated to choose the RAND challenges freshly for each full authentication exchange. If either the server or the peer chooses its random value (NONCE_MT or RAND challenges) freshly, even if the other entity re-used its value from a previous exchange, then the EAP Transient Keys, the Master Session Key, and the Extended Master Session Key will be different and cryptographically separate from the corresponding values derived upon the previous full authentication exchange.
每个EAP-SIM交换生成新的密钥材料,并且在单独的EAP-SIM交换时从该方法导出的密钥材料是加密分离的。EAP-SIM对等方使用NONCE_MT参数提供密钥材料,必须为每次完整身份验证交换新选择该参数。EAP服务器必须为每个完整身份验证交换选择一个完整的身份验证。如果服务器或对等方新选择其随机值(NONCE_MT或RAND challenges),即使其他实体重新使用了以前交换中的值,则EAP瞬态密钥、主会话密钥、,并且,扩展主会话密钥将不同于在先前的完全身份验证交换中导出的相应值,并且以加密方式与之分离。
On fast re-authentication, freshness of the Master Session Key and the Extended Master Session Key is provided with a counter (AT_COUNTER). The same EAP Transient Keys (K_encr, K_aut) that were used in the full authentication exchange are used to protect the EAP negotiation. However, replay and integrity protection across all the fast re-authentication exchanges that use the same EAP Transient Keys is provided with AT_COUNTER.
在快速重新身份验证时,主会话密钥和扩展主会话密钥的新鲜度由计数器(AT_计数器)提供。完整身份验证交换中使用的相同EAP瞬态密钥(K_encr、K_aut)用于保护EAP协商。但是,AT_计数器为使用相同EAP瞬态密钥的所有快速重新认证交换提供了重播和完整性保护。
[RFC3748] defines session independence as the "demonstration that passive attacks (such as capture of the EAP conversation) or active attacks (including compromise of the MSK or EMSK) do not enable compromise of subsequent or prior MSKs or EMSKs". Because the MSKs and EMSKs are separate between EAP exchanges, EAP-SIM supports this security claim.
[RFC3748]将会话独立性定义为“证明被动攻击(如捕获EAP会话)或主动攻击(包括MSK或EMSK的泄露)不会泄露后续或先前的MSK或EMSK”。由于MSK和EMSK在EAP交换机之间是分开的,EAP-SIM支持此安全声明。
It should be noted that [Patel-2003], which predates [RFC3748], uses a slightly different meaning for session independence. The EAP-SIM protocol does not allow the peer to ensure that different Kc key values would be used in different exchanges. Only the server is able to ensure that fresh RANDs, and therefore, fresh Kc keys are used.
应该注意的是,早于[RFC3748]的[Patel-2003]对会话独立性的含义略有不同。EAP-SIM协议不允许对等方确保在不同的交换中使用不同的Kc密钥值。只有服务器能够确保使用新的RAND,因此使用新的Kc密钥。
Hence, the peer cannot guarantee EAP-SIM sessions to be independent with regard to the internal Kc values. However, in EAP-SIM, the Kc keys are considered to be secret intermediate results, which are not exported outside the method. See Section 12.3 for more information about RAND re-use.
因此,对等方不能保证EAP-SIM会话独立于内部Kc值。然而,在EAP-SIM中,Kc密钥被视为秘密中间结果,不会导出到方法之外。有关兰德公司重复使用的更多信息,请参见第12.3节。
Because EAP-SIM is not a password protocol, it is not vulnerable to dictionary attacks. (The pre-shared symmetric secret stored on the SIM card is not a passphrase, nor is it derived from a passphrase.)
由于EAP-SIM不是密码协议,因此不易受到字典攻击。(存储在SIM卡上的预共享对称密钥不是密码短语,也不是从密码短语派生的。)
EAP-SIM cannot prevent attacks over the GSM or GPRS radio networks. If the same SIM credentials are also used in GSM or GPRS, it is possible to mount attacks over the cellular interface.
EAP-SIM无法阻止通过GSM或GPRS无线网络进行的攻击。如果在GSM或GPRS中也使用相同的SIM卡凭据,则有可能通过蜂窝接口发起攻击。
A passive attacker can eavesdrop GSM or GPRS traffic and obtain RAND, SRES pairs. He can then use a brute force attack or other cryptanalysis techniques to obtain the 64-bit Kc keys used to encrypt the GSM or GPRS data. This makes it possible to attack each 64-bit key separately.
被动攻击者可以窃听GSM或GPRS通信并获取RAND、SRES对。然后,他可以使用暴力攻击或其他密码分析技术获取用于加密GSM或GPRS数据的64位Kc密钥。这使得分别攻击每个64位密钥成为可能。
An active attacker can mount a "rogue GSM/GPRS base station attack", replaying previously seen RAND challenges to obtain SRES values. He can then use a brute force attack to obtain the Kc keys. If successful, the attacker can impersonate a valid network or decrypt previously seen traffic, because EAP-SIM does not provide perfect forward secrecy (PFS).
主动攻击者可以发起“恶意GSM/GPRS基站攻击”,重播以前看到的RAND挑战以获取SRES值。然后他可以使用蛮力攻击来获得Kc密钥。如果成功,攻击者可以模拟有效的网络或解密以前看到的流量,因为EAP-SIM不提供完美的前向保密(PFS)。
Due to several weaknesses in the GSM encryption algorithms, the effective key strength of the Kc keys is much less than the expected 64 bits (no more than 40 bits if the A5/1 GSM encryption algorithm is used; as documented in [Barkan-2003], an active attacker can force the peer to use the weaker A5/2 algorithm that can be broken in less than a second).
由于GSM加密算法存在若干弱点,Kc密钥的有效密钥强度远小于预期的64位(如果使用A5/1 GSM加密算法,则不超过40位;如[Barkan-2003]中所述),主动攻击者可强制对等方使用较弱的A5/2算法,该算法可在不到一秒钟内被破解)。
Because the A5 encryption algorithm is not used in EAP-SIM, and because EAP-SIM does not expose any values calculated from individual Kc keys, it should be noted that these attacks are not possible if the SIM credentials used in EAP-SIM are not shared in GSM/GPRS.
由于EAP-SIM中未使用A5加密算法,并且由于EAP-SIM未公开从单个Kc密钥计算的任何值,因此应注意,如果EAP-SIM中使用的SIM凭据未在GSM/GPRS中共享,则不可能进行这些攻击。
At the time this document was written, the 3rd Generation Partnership Project (3GPP) has started to work on fixes to these A5 vulnerabilities. One of the solution proposals discussed in 3GPP is integrity-protected A5 version negotiation, which would require the base station to prove knowledge of the Kc key before the terminal
在编写本文档时,第三代合作伙伴项目(3GPP)已开始修复这些A5漏洞。3GPP中讨论的解决方案建议之一是完整性保护的A5版本协商,这将要求基站在终端之前证明知道Kc密钥
sends any values calculated from the Kc to the network. Another proposal is so-called special RANDs, where some bits of the RAND challenge would be used for cryptographic separation by indicating the allowed use of the triplet, such as the allowed A5 algorithm in GSM or the fact that the triplet is intended for EAP-SIM. This is currently a work in progress, and the mechanisms have not been selected yet.
将从Kc计算的任何值发送到网络。另一个建议是所谓的特殊RAND,其中RAND挑战的一些位将通过指示三元组的允许使用来用于密码分离,例如GSM中允许的A5算法或三元组用于EAP-SIM的事实。这项工作目前正在进行中,机制尚未选定。
AT_MAC, AT_IV, AT_ENCR_DATA, and AT_COUNTER attributes are used to provide integrity, replay and confidentiality protection for EAP-SIM requests and responses. Integrity protection with AT_MAC includes the EAP header. These attributes cannot be used during the EAP/SIM/Start roundtrip. However, the protocol values (user identity string, NONCE_MT, and version negotiation parameters) are (implicitly) protected by later EAP-SIM messages by including them in key derivation.
AT_MAC、AT_IV、AT_ENCR_数据和AT_计数器属性用于为EAP-SIM请求和响应提供完整性、重播和保密保护。AT_MAC的完整性保护包括EAP头。EAP/SIM/Start往返过程中不能使用这些属性。然而,协议值(用户标识字符串、NONCE_MT和版本协商参数)通过将其包含在密钥派生中而(隐式地)受到后来的EAP-SIM消息的保护。
Integrity protection (AT_MAC) is based on a keyed message authentication code. Confidentiality (AT_ENCR_DATA and AT_IV) is based on a block cipher.
完整性保护(AT_MAC)基于密钥消息身份验证代码。机密性(AT_ENCR_数据和AT_IV)基于分组密码。
Confidentiality protection is applied only to a part of the protocol fields. The table of attributes in Section 10.1 summarizes which fields are confidentiality-protected. It should be noted that the error and notification code attributes AT_CLIENT_ERROR_CODE and AT_NOTIFICATION are not confidential, but they are transmitted in the clear. Identity protection is discussed in Section 12.2.
保密保护仅应用于协议字段的一部分。第10.1节中的属性表总结了受保密保护的字段。需要注意的是,客户端错误代码和通知代码的错误和通知代码属性不是机密的,但它们是以明文形式传输的。第12.2节讨论了身份保护。
On full authentication, replay protection of the EAP exchange is provided by the RAND values from the underlying GSM authentication scheme and the use of the NONCE_MT value. Protection against replays of EAP-SIM messages is also based on the fact that messages that can include AT_MAC can only be sent once with a certain EAP-SIM Subtype, and on the fact that a different K_aut key will be used for calculating AT_MAC in each full authentication exchange.
在完全身份验证时,EAP交换的重播保护由基础GSM身份验证方案中的RAND值和NONCE_MT值的使用提供。针对EAP-SIM消息重播的保护还基于这样一个事实,即可以包括AT_MAC的消息只能使用某个EAP-SIM子类型发送一次,并且在每个完整身份验证交换中,将使用不同的K_aut密钥来计算AT_MAC。
On fast re-authentication, a counter included in AT_COUNTER and a server random nonce is used to provide replay protection. The AT_COUNTER attribute is also included in EAP-SIM notifications if it is used after successful authentication in order to provide replay protection between re-authentication exchanges.
在快速重新身份验证中,AT_计数器中包含的计数器和服务器随机nonce用于提供重播保护。如果在成功身份验证后使用AT_计数器属性,以便在重新身份验证交换之间提供重播保护,则EAP-SIM通知中还包括AT_计数器属性。
Because EAP-SIM is not a tunneling method, EAP-Request/Notification, EAP-Response/Notification, EAP-Success, or EAP-Failure packets are not confidential, integrity-protected, or replay-protected in EAP-SIM. On physically insecure networks, this may enable an
由于EAP-SIM不是隧道方法,EAP请求/通知、EAP响应/通知、EAP成功或EAP失败数据包在EAP-SIM中不受保密、完整性保护或重播保护。在物理上不安全的网络上,这可能会启用
attacker to send false notifications to the peer and to mount denial of service attacks by spoofing these packets. As discussed in Section 6.3, the peer will only accept EAP-Success after the peer successfully authenticates the server. Hence, the attacker cannot force the peer to believe successful mutual authentication has occurred until the peer successfully authenticates the server or after the peer fails to authenticate the server.
攻击者通过欺骗这些数据包向对等方发送虚假通知并发起拒绝服务攻击。如第6.3节所述,只有在对等方成功验证服务器后,对等方才会接受EAP成功。因此,在对等方成功对服务器进行身份验证或对等方未能对服务器进行身份验证之前,攻击者无法强迫对等方相信已成功进行相互身份验证。
The security considerations of EAP-SIM result indications are covered in Section 12.11
第12.11节介绍了EAP-SIM结果指示的安全注意事项
An eavesdropper will see the EAP-Request/Notification, EAP-Response/Notification, EAP-Success, and EAP-Failure packets sent in the clear. With EAP-SIM, confidential information MUST NOT be transmitted in EAP Notification packets.
窃听者将看到EAP请求/通知、EAP响应/通知、EAP成功和EAP失败数据包以明文形式发送。使用EAP-SIM,机密信息不得在EAP通知包中传输。
EAP-SIM does not protect the EAP-Response/Nak packet. Because EAP-SIM does not protect the EAP method negotiation, EAP method downgrading attacks may be possible, especially if the user uses the same identity with EAP-SIM and other EAP methods.
EAP-SIM不保护EAP响应/Nak数据包。由于EAP-SIM不保护EAP方法协商,因此可能会发生EAP方法降级攻击,尤其是当用户使用与EAP-SIM和其他EAP方法相同的身份时。
EAP-SIM includes a version negotiation procedure. In EAP-SIM the keying material derivation includes the version list and selected version to ensure that the protocol cannot be downgraded and that the peer and server use the same version of EAP-SIM.
EAP-SIM包括版本协商过程。在EAP-SIM中,密钥材料派生包括版本列表和所选版本,以确保协议不能降级,并且对等方和服务器使用相同版本的EAP-SIM。
EAP-SIM does not support ciphersuite negotiation.
EAP-SIM不支持密码套件协商。
EAP-SIM supports optional protected success indications and acknowledged failure indications. If a failure occurs after successful authentication, then the EAP-SIM failure indication is integrity- and replay-protected.
EAP-SIM支持可选的受保护成功指示和已确认的故障指示。如果认证成功后出现故障,则EAP-SIM故障指示为完整性和重播保护。
Even if an EAP-Failure packet is lost when using EAP-SIM over an unreliable medium, then the EAP-SIM failure indications will help ensure that the peer and EAP server will know the other party's authentication decision. If protected success indications are used, then the loss of Success packet will also be addressed by the acknowledged, integrity- and replay-protected EAP-SIM success indication. If the optional success indications are not used, then the peer may end up believing that the server succeeded authentication, when it actually failed. Since access will not be
即使在通过不可靠介质使用EAP-SIM时EAP故障数据包丢失,EAP-SIM故障指示也将有助于确保对等方和EAP服务器了解另一方的认证决定。如果使用受保护的成功指示,则成功数据包的丢失也将通过已确认、完整性和重播受保护的EAP-SIM成功指示来解决。如果未使用可选的成功指示,那么当服务器实际失败时,对等方可能最终认为服务器已成功进行身份验证。因为访问权限将不受限制
granted in this case, protected result indications are not needed unless the client is not able to realize it does not have access for an extended period of time.
在这种情况下,不需要受保护的结果指示,除非客户无法意识到其在较长时间内无法访问。
In order to avoid man-in-the-middle attacks and session hijacking, user data SHOULD be integrity-protected on physically insecure networks. The EAP-SIM Master Session Key, or keys derived from it, MAY be used as the integrity protection keys, or, if an external security mechanism such as PEAP is used, then the link integrity protection keys MAY be derived by the external security mechanism.
为了避免中间人攻击和会话劫持,应该在物理上不安全的网络上保护用户数据的完整性。EAP-SIM主会话密钥或从其派生的密钥可用作完整性保护密钥,或者,如果使用诸如PEAP的外部安全机制,则链路完整性保护密钥可由外部安全机制派生。
There are man-in-the-middle attacks associated with the use of any EAP method within a tunneled protocol. For instance, an early version of PEAP [PEAP-02] was vulnerable to this attack. This specification does not address these attacks. If EAP-SIM is used with a tunneling protocol, there should be cryptographic binding provided between the protocol and EAP-SIM to prevent man-in-the-middle attacks through rogue authenticators being able to setup one-way authenticated tunnels. For example, newer versions of PEAP include such cryptographic binding. The EAP-SIM Master Session Key MAY be used to provide the cryptographic binding. However, the mechanism by which the binding is provided depends on the tunneling protocol and is beyond the scope of this document.
在隧道协议中,存在与使用任何EAP方法相关的中间人攻击。例如,早期版本的PEAP[PEAP-02]易受此攻击。本规范不涉及这些攻击。如果EAP-SIM与隧道协议一起使用,则应在协议和EAP-SIM之间提供加密绑定,以通过能够设置单向认证隧道的流氓身份验证器防止中间人攻击。例如,PEAP的较新版本包括这种加密绑定。EAP-SIM主会话密钥可用于提供加密绑定。但是,提供绑定的机制取决于隧道协议,超出了本文档的范围。
An EAP-SIM implementation SHOULD use a good source of randomness to generate the random numbers required in the protocol. Please see [RFC4086] for more information on generating random numbers for security applications.
EAP-SIM实现应使用良好的随机性源来生成协议中所需的随机数。有关为安全应用程序生成随机数的更多信息,请参阅[RFC4086]。
This section provides the security claims required by [RFC3748].
本节提供了[RFC3748]要求的担保索赔。
Auth. mechanism: EAP-SIM is based on the GSM SIM mechanism, which is a challenge/response authentication and key agreement mechanism based on a symmetric 128-bit pre-shared secret. EAP-SIM also makes use of a peer challenge to provide mutual authentication.
Auth。机制:EAP-SIM基于GSM SIM机制,这是一种基于对称128位预共享秘密的质询/响应身份验证和密钥协商机制。EAP-SIM还利用对等质询提供相互认证。
Ciphersuite negotiation: No
Ciphersuite协商:否
Mutual authentication: Yes (Section 12.3)
相互认证:是(第12.3节)
Integrity protection: Yes (Section 12.9)
完整性保护:是(第12.9节)
Replay protection: Yes (Section 12.9)
重播保护:是(第12.9节)
Confidentiality: Yes, except method-specific success and failure indications (Section 12.2, Section 12.9)
保密性:是,方法特定成功和失败指示除外(第12.2节,第12.9节)
Key derivation: Yes
关键词:是的
Key strength: EAP-SIM supports key derivation with 128-bit effective key strength (Section 12.5). However, as discussed in Section 11, if the same credentials are used in GSM/GPRS and in EAP-SIM, then the key strength may be reduced considerably, basically to the same level as in GSM, by mounting attacks over GSM/GPRS. For example an active attack using a false GSM/GPRS base station reduces the effective key strength to almost zero.
密钥强度:EAP-SIM支持128位有效密钥强度的密钥派生(第12.5节)。但是,如第11节所述,如果在GSM/GPRS和EAP-SIM中使用相同的凭据,则通过在GSM/GPRS上发起攻击,密钥强度可能会显著降低,基本上与GSM中相同。例如,使用虚假GSM/GPRS基站的主动攻击会将有效密钥强度降低到几乎为零。
Description of key hierarchy: Please see Section 7.
密钥层次结构描述:请参见第7节。
Dictionary attack protection: N/A (Section 12.7)
字典攻击保护:不适用(第12.7节)
Fast reconnect: Yes
快速重新连接:是的
Cryptographic binding: N/A
加密绑定:不适用
Session independence: Yes (Section 12.6)
会话独立性:是(第12.6节)
Fragmentation: No
碎片:没有
Channel binding: No
通道绑定:否
Indication of vulnerabilities: Vulnerabilities are discussed in Section 12.
漏洞指示:第12节讨论了漏洞。
In addition to the editors, Nora Dabbous, Jose Puthenkulam, and Prasanna Satarasinghe were significant contributors to this document.
除了编辑之外,诺拉·达布、何塞·普滕库拉姆和普拉桑娜·萨塔拉辛格也是本文件的重要贡献者。
Pasi Eronen and Jukka-Pekka Honkanen contributed Appendix A.
Pasi Eronen和Jukka Pekka Honkanen提供了附录A。
Juha Ala-Laurila, N. Asokan, Jan-Erik Ekberg, Patrik Flykt, Jukka-Pekka Honkanen, Antti Kuikka, Jukka Latva, Lassi Lehtinen, Jyri Rinnemaa, Timo Takamaki, and Raimo Vuonnala contributed many original ideas and concepts to this protocol.
Juha Ala Laurila、N.Asokan、Jan Erik Ekberg、Patrik Flykt、Jukka Pekka Honkanen、Antti Kuika、Jukka Latva、Lassi Lehtinen、Jyri Rinnema、Timo Takamaki和Raimo Vounnala为该议定书贡献了许多原创想法和概念。
N. Asokan, Pasi Eronen, and Jukka-Pekka Honkanen contributed and helped in innumerable ways during the development of the protocol.
N.Asokan、Pasi Eronen和Jukka Pekka Honkanen在议定书制定过程中以无数方式作出了贡献和帮助。
Valtteri Niemi and Kaisa Nyberg contributed substantially to the design of the key derivation and the fast re-authentication procedure, and have also provided their cryptographic expertise in many discussions related to this protocol.
Valtteri Niemi和Kaisa Nyberg对密钥派生和快速重新认证过程的设计做出了重大贡献,并在与该协议相关的许多讨论中提供了他们的密码专业知识。
Simon Blake-Wilson provided very helpful comments on key derivation and version negotiation.
Simon Blake Wilson就密钥派生和版本协商提供了非常有用的意见。
Thanks to Greg Rose for his very valuable comments to an early version of this specification [S3-020125], and for reviewing and providing very useful comments on version 12.
感谢Greg Rose对本规范早期版本[S3-020125]的宝贵意见,以及对版本12的审查和提供非常有用的意见。
Thanks to Bernard Aboba, Vladimir Alperovich, Florent Bersani, Jacques Caron, Gopal Dommety, Augustin Farrugia, Mark Grayson, Max de Groot, Prakash Iyer, Nishi Kant, Victor Lortz, Jouni Malinen, Sarvar Patel, Tom Porcher, Michael Richardson, Stefan Schroeder, Uma Shankar, Jesse Walker, and Thomas Wieland for their contributions and critiques. Special thanks to Max for proposing improvements to the MAC calculation.
感谢伯纳德·阿博巴、弗拉基米尔·阿尔佩罗维奇、弗洛伦特·贝尔萨尼、雅克·卡隆、戈帕尔·多梅蒂、奥古斯丁·法鲁加、马克·格雷森、马克斯·德·格罗特、普拉卡什·艾耶、西·坎特、维克托·洛茨、朱尼·马利南、萨瓦尔·帕特尔、汤姆·波彻、迈克尔·理查森、斯特凡·施罗德、乌玛·尚卡尔、杰西·沃克和托马斯·维兰德的贡献和批评。特别感谢Max对MAC计算提出的改进建议。
Thanks to Glen Zorn for reviewing this document and for providing very useful comments on the protocol.
感谢Glen Zorn审阅本文件,并就协议提供了非常有用的意见。
Thanks to Sarvar Patel for his review of the protocol [Patel-2003].
感谢Sarvar Patel对方案的审查[Patel-2003]。
Thanks to Bernard Aboba for reviewing this document for RFC 3748 compliance.
感谢Bernard Aboba对本文件的RFC 3748合规性进行审查。
The identity privacy support is based on the identity privacy support of [EAP-SRP]. The attribute format is based on the extension format of Mobile IPv4 [RFC3344].
身份隐私支持基于[EAP-SRP]的身份隐私支持。属性格式基于移动IPv4[RFC3344]的扩展格式。
This protocol has been partly developed in parallel with EAP-AKA [EAP-AKA], and hence this specification incorporates many ideas from Jari Arkko.
本协议部分是与EAP-AKA[EAP-AKA]并行开发的,因此本规范包含了Jari Arkko的许多想法。
Nora Dabbous Gemplus 34 rue Guynemer 92447 Issy les Moulineaux France
诺拉·达布·吉姆普拉斯法国盖内默街34号92447伊西·勒·穆莱诺
Phone: +33 1 4648 2000
EMail: nora.dabbous@gemplus.com
Phone: +33 1 4648 2000
EMail: nora.dabbous@gemplus.com
Jose Puthenkulam Intel Corporation 2111 NE 25th Avenue, JF2-58 Hillsboro, OR 97124 USA
Jose Puthenkulam英特尔公司美国希尔斯堡东北25大道2111号JF2-58,邮编:97124
Phone: +1 503 264 6121
EMail: jose.p.puthenkulam@intel.com
Phone: +1 503 264 6121
EMail: jose.p.puthenkulam@intel.com
Prasanna Satarasinghe Transat Technologies 180 State Street, Suite 240 Southlake, TX 76092 USA
美国德克萨斯州南湖州州立街180号Prasanna Satarasinghe Transat Technologies 240室76092
Phone: + 1 817 4814412
EMail: prasannas@transat-tech.com
Phone: + 1 817 4814412
EMail: prasannas@transat-tech.com
[GSM-03.20] European Telecommunications Standards Institute, "GSM Technical Specification GSM 03.20 (ETS 300 534): "Digital cellular telecommunication system (Phase 2); Security related network functions"", August 1997.
[GSM-03.20]欧洲电信标准协会,“GSM技术规范GSM 03.20(ETS 300 534):“数字蜂窝通信系统(第2阶段);与安全有关的网络功能”,1997年8月。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[GSM-03.03] European Telecommunications Standards Institute, "GSM Technical Specification GSM 03.03 (ETS 300 523): "Digital cellular telecommunication system (Phase 2); Numbering, addressing and identification"", April 1997.
[GSM-03.03]欧洲电信标准协会,“GSM技术规范GSM 03.03(ETS 300 523):“数字蜂窝通信系统(第2阶段);编号、地址和标识”,1997年4月。
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.
[RFC2104]Krawczyk,H.,Bellare,M.,和R.Canetti,“HMAC:用于消息认证的键控哈希”,RFC 2104,1997年2月。
[RFC4282] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The Network Access Identifier", RFC 4282, December 2005.
[RFC4282]Aboba,B.,Beadles,M.,Arkko,J.,和P.Erenen,“网络访问标识符”,RFC 42822005年12月。
[AES] National Institute of Standards and Technology, "Federal Information Processing Standards (FIPS) Publication 197, "Advanced Encryption Standard (AES)"", November 2001. http://csrc.nist.gov/publications/fips/fips197/ fips-197.pdf
[AES]国家标准与技术研究所,“联邦信息处理标准(FIPS)出版物197,“高级加密标准(AES)”,2001年11月。http://csrc.nist.gov/publications/fips/fips197/ fips-197.pdf
[CBC] National Institute of Standards and Technology,
"NIST Special Publication 800-38A, "Recommendation
for Block Cipher Modes of Operation - Methods and
Techniques"", December 2001.
http://csrc.nist.gov/publications/nistpubs/
800-38a/sp800-38a.pdf
[CBC] National Institute of Standards and Technology,
"NIST Special Publication 800-38A, "Recommendation
for Block Cipher Modes of Operation - Methods and
Techniques"", December 2001.
http://csrc.nist.gov/publications/nistpubs/
800-38a/sp800-38a.pdf
[SHA-1] National Institute of Standards and Technology, U.S. Department of Commerce, "Federal Information Processing Standard (FIPS) Publication 180-1, "Secure Hash Standard"", April 1995.
[SHA-1]美国商务部国家标准与技术研究所,“联邦信息处理标准(FIPS)出版物180-1,“安全哈希标准”,1995年4月。
[PRF] National Institute of Standards and Technology,
"Federal Information Processing Standards (FIPS)
Publication 186-2 (with change notice); Digital
Signature Standard (DSS)", January 2000.
Available on-line at:
http://csrc.nist.gov/publications/
fips/fips186-2/fips186-2-change1.pdf
[PRF] National Institute of Standards and Technology,
"Federal Information Processing Standards (FIPS)
Publication 186-2 (with change notice); Digital
Signature Standard (DSS)", January 2000.
Available on-line at:
http://csrc.nist.gov/publications/
fips/fips186-2/fips186-2-change1.pdf
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.
[RFC3629]Yergeau,F.,“UTF-8,ISO 10646的转换格式”,STD 63,RFC 3629,2003年11月。
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004.
[RFC3748]Aboba,B.,Blunk,L.,Vollbrecht,J.,Carlson,J.,和H.Levkowetz,“可扩展身份验证协议(EAP)”,RFC 3748,2004年6月。
[EAP-AKA] Arkko, J. and H. Haverinen, "Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)", RFC 4187, January 2006.
[EAP-AKA]Arkko,J.和H.Haverinen,“第三代认证和密钥协议(EAP-AKA)的可扩展认证协议方法”,RFC 4187,2006年1月。
[3GPP-TS-23.003] 3rd Generation Partnership Project, "3GPP Technical Specification 3GPP TS 23.003 V6.8.0: "3rd Generation Parnership Project; Technical Specification Group Core Network; Numbering, addressing and identification (Release 6)"", December 2005.
[3GPP-TS-23.003]第三代合作伙伴项目,“3GPP技术规范3GPP TS 23.003 V6.8.0:”第三代合作伙伴项目;技术规范组核心网;编号、地址和标识(第6版)”,2005年12月。
[3GPP-TS-55.205] 3rd Generation Partnership Project, "3GPP Technical Specification 3GPP TS 55.205 V 6.0.0: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Specification of the GSM-MILENAGE Algorithms: An example algorithm set for the GSM Authentication and Key Generation functions A3 and A8 (Release 6)"", December 2002.
[3GPP-TS-55.205]第三代合作伙伴项目,“3GPP技术规范3GPP TS 55.205 V 6.0.0:”第三代合作伙伴项目;技术规范组服务和系统方面;GSM-MILENAGE算法规范:GSM认证和密钥生成功能A3和A8的示例算法集(第6版)”,2002年12月。
[PEAP] Palekar, A., Simon, D., Zorn, G., Salowey, J., Zhou, H., and S. Josefsson, "Protected EAP Protocol (PEAP) Version 2", Work in Progress, October 2004.
[PEAP]Palekar,A.,Simon,D.,Zorn,G.,Salowey,J.,Zhou,H.,和S.Josefsson,“受保护的EAP协议(PEAP)版本2”,正在进行的工作,2004年10月。
[PEAP-02] Anderson, H., Josefsson, S., Zorn, G., Simon, D., and A. Palekar, "Protected EAP Protocol (PEAP)", Work in Progress, February 2002.
[PEAP-02]Anderson,H.,Josefsson,S.,Zorn,G.,Simon,D.,和A.Palekar,“受保护的EAP协议(PEAP)”,正在进行的工作,2002年2月。
[EAP-Keying] Aboba, B., Simon, D., Arkko, J., Eronen, P., and H. Levkowetz, "Extensible Authentication Protocol (EAP) Key Management Framework", Work in Progress, October 2005.
[EAP键控]Aboba,B.,Simon,D.,Arkko,J.,Eronen,P.,和H.Levkowetz,“可扩展认证协议(EAP)密钥管理框架”,正在进行的工作,2005年10月。
[Service-Identity] Arkko, J. and P. Eronen, "Authenticated Service Information for the Extensible Authentication Protocol (EAP)", Work in Progress, October 2004.
[服务标识]Arkko,J.和P.Eronen,“可扩展认证协议(EAP)的认证服务信息”,正在进行的工作,2004年10月。
[RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.
[RFC4086]伊斯特莱克,D.,3,席勒,J.和S.克罗克,“安全的随机性要求”,BCP 106,RFC 4086,2005年6月。
[S3-020125] Qualcomm, "Comments on draft EAP/SIM, 3rd Generation Partnership Project document 3GPP TSG SA WG3 Security S3#22, S3-020125", February 2002.
[S3-020125]高通公司,“对EAP/SIM草案的评论,第三代合作伙伴关系项目文件3GPP TSG SA WG3安全S3#22,S3-020125”,2002年2月。
[RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, August 2002.
[RFC3344]Perkins,C.,“IPv4的IP移动支持”,RFC 3344,2002年8月。
[RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes ", RFC 2548, March 1999.
[RFC2548]Zorn,G.,“微软特定于供应商的半径属性”,RFC 2548,1999年3月。
[EAP-SRP] Carlson, J., Aboba, B., and H. Haverinen, "EAP SRP-SHA1 Authentication Protocol", Work in Progress, July 2001.
[EAP-SRP]Carlson,J.,Aboba,B.,和H.Haverinen,“EAP-SRP-SHA1认证协议”,正在进行的工作,2001年7月。
[GSM-Cloning] Wagner, D., "GSM Cloning". Web page about
COMP-128 version 1 vulnerabilities, available at
http://www.isaac.cs.berkeley.edu/isaac/gsm.html
[GSM-Cloning] Wagner, D., "GSM Cloning". Web page about
COMP-128 version 1 vulnerabilities, available at
http://www.isaac.cs.berkeley.edu/isaac/gsm.html
[Barkan-2003] Barkan, E., Biham, E., and N. Keller, "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communications". available on-line at http://cryptome.org/gsm-crack-bbk.pdf
[Barkan-2003]Barkan,E.,Biham,E.,和N.Keller,“GSM加密通信的即时密码分析”。可在线访问http://cryptome.org/gsm-crack-bbk.pdf
[Patel-2003] Patel, S., "Analysis of EAP-SIM Session Key
Agreement". Posted to the EAP mailing list 29
May,2003. http://
mail.frascone.com/pipermail/public/eap/2003-May/
001267.html
[Patel-2003] Patel, S., "Analysis of EAP-SIM Session Key
Agreement". Posted to the EAP mailing list 29
May,2003. http://
mail.frascone.com/pipermail/public/eap/2003-May/
001267.html
Test vectors for the NIST FIPS 186-2 pseudo-random number generator
[PRF] are available at the following URL:
http://csrc.nist.gov/encryption/dss/Examples-1024bit.pdf
Test vectors for the NIST FIPS 186-2 pseudo-random number generator
[PRF] are available at the following URL:
http://csrc.nist.gov/encryption/dss/Examples-1024bit.pdf
The following examples show the contents of EAP-SIM packets on full authentication and fast re-authentication.
以下示例显示了完全身份验证和快速重新身份验证时EAP-SIM数据包的内容。
The first packet is a plain Identity Request:
第一个数据包是普通身份请求:
01 ; Code: Request
00 ; Identifier: 0
00 05 ; Length: 5 octets
01 ; Type: Identity
01 ; Code: Request
00 ; Identifier: 0
00 05 ; Length: 5 octets
01 ; Type: Identity
The client's identity is "1244070100000001@eapsim.foo", so it responds with the following packet:
客户的身份是“1244070100000001@eapsim.foo,因此它会用以下数据包进行响应:
02 ; Code: Response 00 ; Identifier: 0 00 20 ; Length: 32 octets 01 ; Type: Identity 31 32 34 34 ; "1244070100000001@eapsim.foo" 30 37 30 31 30 30 30 30 30 30 30 31 40 65 61 70 73 69 6d 2e 66 6f 6f
02 ; 代码:回复00;识别码:0020;长度:32个八位组01;类型:身份31323434 ;;"1244070100000001@eapsim.foo“30 37 30 30 30 31 40 65 61 70 73 69 6d 2e 66 6f 6f
The server's first packet looks like this:
服务器的第一个数据包如下所示:
01 ; Code: Request
01 ; Identifier: 1
00 10 ; Length: 16 octets
12 ; Type: EAP-SIM
0a ; EAP-SIM subtype: Start
00 00 ; (reserved)
0f ; Attribute type: AT_VERSION_LIST
02 ; Attribute length: 8 octets (2*4)
00 02 ; Actual version list length: 2 octets
00 01 ; Version: 1
00 00 ; (attribute padding)
01 ; Code: Request
01 ; Identifier: 1
00 10 ; Length: 16 octets
12 ; Type: EAP-SIM
0a ; EAP-SIM subtype: Start
00 00 ; (reserved)
0f ; Attribute type: AT_VERSION_LIST
02 ; Attribute length: 8 octets (2*4)
00 02 ; Actual version list length: 2 octets
00 01 ; Version: 1
00 00 ; (attribute padding)
The client selects a nonce and responds with the following packet:
客户端选择一个nonce并使用以下数据包进行响应:
02 ; Code: Response
01 ; Identifier: 1
00 20 ; Length: 32 octets
12 ; Type: EAP-SIM
0a ; EAP-SIM subtype: Start
00 00 ; (reserved)
07 ; Attribute type: AT_NONCE_MT
05 ; Attribute length: 20 octets (5*4)
00 00 ; (reserved)
01 23 45 67 ; NONCE_MT value
89 ab cd ef
fe dc ba 98
76 54 32 10
10 ; Attribute type: AT_SELECTED_VERSION
01 ; Attribute length: 4 octets (1*4)
00 01 ; Version: 1
02 ; Code: Response
01 ; Identifier: 1
00 20 ; Length: 32 octets
12 ; Type: EAP-SIM
0a ; EAP-SIM subtype: Start
00 00 ; (reserved)
07 ; Attribute type: AT_NONCE_MT
05 ; Attribute length: 20 octets (5*4)
00 00 ; (reserved)
01 23 45 67 ; NONCE_MT value
89 ab cd ef
fe dc ba 98
76 54 32 10
10 ; Attribute type: AT_SELECTED_VERSION
01 ; Attribute length: 4 octets (1*4)
00 01 ; Version: 1
Next, the server selects three authentication triplets
接下来,服务器选择三个身份验证三元组
(RAND1,SRES1,Kc1) = (10111213 14151617 18191a1b 1c1d1e1f,
d1d2d3d4,
a0a1a2a3 a4a5a6a7)
(RAND2,SRES2,Kc2) = (20212223 24252627 28292a2b 2c2d2e2f,
e1e2e3e4,
b0b1b2b3 b4b5b6b7)
(RAND3,SRES3,Kc3) = (30313233 34353637 38393a3b 3c3d3e3f,
f1f2f3f4,
c0c1c2c3 c4c5c6c7)
(RAND1,SRES1,Kc1) = (10111213 14151617 18191a1b 1c1d1e1f,
d1d2d3d4,
a0a1a2a3 a4a5a6a7)
(RAND2,SRES2,Kc2) = (20212223 24252627 28292a2b 2c2d2e2f,
e1e2e3e4,
b0b1b2b3 b4b5b6b7)
(RAND3,SRES3,Kc3) = (30313233 34353637 38393a3b 3c3d3e3f,
f1f2f3f4,
c0c1c2c3 c4c5c6c7)
Next, the MK is calculated as specified in Section 7*.
接下来,根据第7节*的规定计算MK。
MK = e576d5ca 332e9930 018bf1ba ee2763c7 95b3c712
MK=e576d5ca 332e9930 018bf1ba ee2763c7 95b3c712
And the other keys are derived using the PRNG:
其他关键点使用PRNG导出:
K_encr = 536e5ebc 4465582a a6a8ec99 86ebb620 K_aut = 25af1942 efcbf4bc 72b39434 21f2a974 MSK = 39d45aea f4e30601 983e972b 6cfd46d1 c3637733 65690d09 cd44976b 525f47d3 a60a985e 955c53b0 90b2e4b7 3719196a 40254296 8fd14a88 8f46b9a7 886e4488 EMSK = 5949eab0 fff69d52 315c6c63 4fd14a7f 0d52023d 56f79698 fa6596ab eed4f93f bb48eb53 4d985414 ceed0d9a 8ed33c38 7c9dfdab 92ffbdf2 40fcecf6 5a2c93b9
K_encr=536e5ebc 4465582a a6a8ec99 86ebb620 K_aut=25af1942 efcbf4bc 72b39434 21f2a974 MSK=39d45aea f4e30601 983e972b 6cfd46d1 c3637733 65690d09 cd44976b 525f47d3 a60a985e 955c53b0 90b2e4b7 3719196a 40254296 8fd14a88 8F46797 886e4488 EMSK=5949eab0 fff69d52 3153 4F4676B C6567B 525F474AB955F498E498E494F CFF498E448E448E=495D=495E8ed33c38 7c9dfdab 92ffbdf2 40fcecf6 5a2c93b9
Next, the server selects a pseudonym and a fast re-authentication identity (in this case, "w8w49PexCazWJ&xCIARmxuMKht5S1sxR DqXSEFBEg3DcZP9cIxTe5J4OyIwNGVzxeJOU1G" and "Y24fNSrz8BP274jOJaF17WfxI8YO7QX0 0pMXk9XMMVOw7broaNhTczuFq53aEpOkk3L0dm@eapsim.foo", respectively).
接下来,服务器选择笔名和快速重新身份验证标识(在本例中为“w8w49PexCazWJ&xCIARmxuMKht5S1sxR-DqXSEFBEg3DcZP9cIxTe5J4OyIwNGVzxeJOU1G”和“Y24fNSrz8BP274jOJaF17WfxI8YO7QX0”0pMXk9XMMVOw7broaNhTczuFq53aEpOkk3L0dm@eapsim.foo“,分别)。
The following plaintext will be encrypted and stored in the AT_ENCR_DATA attribute:
以下明文将被加密并存储在AT_ENCR_数据属性中:
84 ; Attribute type: AT_NEXT_PSEUDONYM 13 ; Attribute length: 76 octets (19*4) 00 46 ; Actual pseudonym length: 70 octets 77 38 77 34 39 50 65 78 43 61 7a 57 4a 26 78 43 49 41 52 6d 78 75 4d 4b 68 74 35 53 31 73 78 52 44 71 58 53 45 46 42 45 67 33 44 63 5a 50 39 63 49 78 54 65 35 4a 34 4f 79 49 77 4e 47 56 7a 78 65 4a 4f 55 31 47 00 00 ; (attribute padding) 85 ; Attribute type: AT_NEXT_REAUTH_ID 16 ; Attribute length: 88 octets (22*4) 00 51 ; Actual re-auth identity length: 81 octets 59 32 34 66 4e 53 72 7a 38 42 50 32 37 34 6a 4f 4a 61 46 31 37 57 66 78 49 38 59 4f 37 51 58 30 30 70 4d 58 6b 39 58 4d 4d 56 4f 77 37 62 72 6f 61 4e 68 54 63 7a 75 46 71 35 33 61 45 70 4f 6b 6b 33 4c 30 64 6d 40 65 61 70 73 69 6d 2e 66 6f 6f 00 00 00 ; (attribute padding) 06 ; Attribute type: AT_PADDING 03 ; Attribute length: 12 octets (3*4) 00 00 00 00 00 00 00 00 00 00
84 ; 属性类型:AT_NEXT_笔名13;属性长度:76个八位字节(19*4)0046;实际笔名长度:70个八位组77 38 77 34 39 50 65 78 43 61 7a 57 4a 26 78 43 41 52 6d 78 75 4d 4b 68 74 35 53 31 73 78 52 71 58 53 45 46 42 45 67 33 44 63 5a 50 39 63 49 78 54 65 4a 34 4f 79 49 77 4e 47 56 7a 78 65 4a 4f 55 31 47 00;(属性填充)85;属性类型:AT_NEXT_REAUTH_ID 16;属性长度:88个八位字节(22*4)0051;实际重新验证身份长度:81个八位字节59 32 34 66 4e 53 72 7a 38 42 50 32 37 34 6a 4f 4a 61 46 31 37 57 66 78 49 38 59 4f 37 51 30 70 4d 58 6 B 39 58 4d 4 D 56 4f 77 62 72 6f 61 4e 68 54 7 A 75 46 71 35 33 61 45 70 4f 6b 33 4c 30 64 6 D 40 65 70 73 69 6d 6 F 6 F 00 00;(属性填充)06;属性类型:AT_PADDING 03;属性长度:12个八位字节(3*4)00
The EAP packet looks like this:
EAP数据包如下所示:
01 ; Code: Request
02 ; Identifier: 2
01 18 ; Length: 280 octets
12 ; Type: EAP-SIM
0b ; EAP-SIM subtype: Challenge
00 00 ; (reserved)
01 ; Attribute type: AT_RAND
0d ; Attribute length: 52 octets (13*4)
00 00 ; (reserved)
10 11 12 13 ; first RAND
14 15 16 17
18 19 1a 1b
1c 1d 1e 1f
20 21 22 23 ; second RAND
24 25 26 27
28 29 2a 2b
2c 2d 2e 2f
01 ; Code: Request
02 ; Identifier: 2
01 18 ; Length: 280 octets
12 ; Type: EAP-SIM
0b ; EAP-SIM subtype: Challenge
00 00 ; (reserved)
01 ; Attribute type: AT_RAND
0d ; Attribute length: 52 octets (13*4)
00 00 ; (reserved)
10 11 12 13 ; first RAND
14 15 16 17
18 19 1a 1b
1c 1d 1e 1f
20 21 22 23 ; second RAND
24 25 26 27
28 29 2a 2b
2c 2d 2e 2f
30 31 32 33 ; third RAND 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 81 ; Attribute type: AT_IV 05 ; Attribute length: 20 octets (5*4) 00 00 ; (reserved) 9e 18 b0 c2 ; IV value 9a 65 22 63 c0 6e fb 54 dd 00 a8 95 82 ; Attribute type: AT_ENCR_DATA 2d ; Attribute length: 180 octets (45*4) 00 00 ; (reserved) 55 f2 93 9b bd b1 b1 9e a1 b4 7f c0 b3 e0 be 4c ab 2c f7 37 2d 98 e3 02 3c 6b b9 24 15 72 3d 58 ba d6 6c e0 84 e1 01 b6 0f 53 58 35 4b d4 21 82 78 ae a7 bf 2c ba ce 33 10 6a ed dc 62 5b 0c 1d 5a a6 7a 41 73 9a e5 b5 79 50 97 3f c7 ff 83 01 07 3c 6f 95 31 50 fc 30 3e a1 52 d1 e1 0a 2d 1f 4f 52 26 da a1 ee 90 05 47 22 52 bd b3 b7 1d 6f 0c 3a 34 90 31 6c 46 92 98 71 bd 45 cd fd bc a6 11 2f 07 f8 be 71 79 90 d2 5f 6d d7 f2 b7 b3 20 bf 4d 5a 99 2e 88 03 31 d7 29 94 5a ec 75 ae 5d 43 c8 ed a5 fe 62 33 fc ac 49 4e e6 7a 0d 50 4d 0b ; Attribute type: AT_MAC 05 ; Attribute length: 20 octets (5*4) 00 00 ; (reserved) fe f3 24 ac ; MAC value 39 62 b5 9f 3b d7 82 53 ae 4d cb 6a
30 31 32 33 ; 第三个兰特34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 81;属性类型:AT_IV 05;属性长度:20个八位字节(5*4)00;(预留)9E18 b0 c2;IV值9a 65 22 63 c0 6e fb 54 dd 00 a8 95 82;属性类型:AT_ENCR_DATA 2d;属性长度:180个八位字节(45*4)00;(保留)55 f2 93 9b bd b1 b1 9e a1 b4 7f c0 b3 e0 be 4c ab 2c f7 37 2d 98 e3 02 3c 6b b9 24 15 72 3d 58 ba d6 6c e0 84 e1 01 b6 0f 53 58 35 4b d4 21 82 78 ae a7 bf 2c ba ce 33 10 6a ed dc 62 5b 0c 1d 5a a6 41 73 9a e5 b5 79 50 97 3f c7 ff 83 01 07 3c 95 50 fc 30 3e a1 52 d1 0a 2d 1f 52 26 da ee 50 50 22 bd 7 90 0c 3431 6c 46 92 98 71 bd 45 cd fd bc a6 11 2f 07 f8 be 71 79 90 d2 5f 6d d7 f2 b7 b3 20 bf 4d 5a 99 2e 88 03 31 d7 29 94 5a ec 75 ae 5d 43 c8 ed a5 fe 62 33 fc ac 49 4e e6 7a 0d 50 4d 0b;属性类型:AT_MAC 05;属性长度:20个八位字节(5*4)00;(预留)fe f3 24 ac;MAC值39 62 b5 9f 3b d7 82 53 ae 4d cb 6a
The MAC is calculated over the EAP packet above (with MAC value set to zero), followed by the NONCE_MT value (a total of 296 bytes).
MAC通过上面的EAP数据包计算(MAC值设置为零),然后是NONCE_MT值(总共296字节)。
The client's response looks like this:
客户端的响应如下所示:
02 ; Code: Response
02 ; Identifier: 2
00 1c ; Length: 28 octets
12 ; Type: EAP-SIM
0b ; EAP-SIM subtype: Challenge
00 00 ; (reserved)
0b ; Attribute type: AT_MAC
05 ; Attribute length: 20 octets (5*4)
00 00 ; (reserved)
f5 6d 64 33 ; MAC value
e6 8e d2 97
6a c1 19 37
fc 3d 11 54
02 ; Code: Response
02 ; Identifier: 2
00 1c ; Length: 28 octets
12 ; Type: EAP-SIM
0b ; EAP-SIM subtype: Challenge
00 00 ; (reserved)
0b ; Attribute type: AT_MAC
05 ; Attribute length: 20 octets (5*4)
00 00 ; (reserved)
f5 6d 64 33 ; MAC value
e6 8e d2 97
6a c1 19 37
fc 3d 11 54
The MAC is calculated over the EAP packet above (with MAC value set to zero), followed by the SRES values (a total of 40 bytes).
MAC通过上面的EAP数据包计算(MAC值设置为零),然后是SRES值(总共40个字节)。
The last packet is an EAP-Success:
最后一个数据包是EAP成功:
03 ; Code: Success
02 ; Identifier: 2
00 04 ; Length: 4 octets
03 ; Code: Success
02 ; Identifier: 2
00 04 ; Length: 4 octets
When performing fast re-authentication, the EAP-Request/Identity packet is the same as usual. The EAP-Response/Identity contains the fast re-authentication identity (from AT_ENCR_DATA attribute above):
执行快速重新身份验证时,EAP请求/标识数据包与通常相同。EAP响应/标识包含快速重新身份验证标识(来自上面的AT_ENCR_数据属性):
02 ; Code: Response 00 ; Identifier: 0 00 56 ; Length: 86 octets 01 ; Type: Identity 59 32 34 66 4e 53 72 7a 38 42 50 32 37 34 6a 4f 4a 61 46 31 37 57 66 78 49 38 59 4f 37 51 58 30 30 70 4d 58 6b 39 58 4d 4d 56 4f 77 37 62 72 6f 61 4e 68 54 63 7a 75 46 71 35 33 61 45 70 4f 6b 6b 33 4c 30 64 6d 40 65 61 70 73 69 6d 2e 66 6f 6f
02 ; 代码:回复00;标识符:0 00 56;长度:86个八位组01;类型:标识59 32 34 66 4e 53 72 7a 38 42 50 32 37 34 6a 4f 4a 61 46 31 37 66 78 49 38 59 4f 37 51 58 30 70 4d 58 6b 39 58 4d 56 4f 77 37 62 72 6f 61 4e 68 54 63 7a 75 46 71 35 33 61 45 70 4f 6b 33 4c 30 64 6d 40 65 70 73 6 D 2 66 6f
The server recognizes the reauthentication identity, so it will respond with EAP-Request/SIM/Re-authentication. It retrieves the associated counter value, generates a nonce, and picks a new reauthentication identity (in this case, "uta0M0iyIsMwWp5TTdSdnOLvg2XDVf21OYt1vnfiMcs5dnIDHOIFVavIRzMR yzW6vFzdHW@eapsim.foo").
服务器识别重新身份验证标识,因此将使用EAP请求/SIM/重新身份验证进行响应。它检索关联的计数器值,生成一个nonce,并选择一个新的重新身份验证标识(在本例中为“uta0M0iIsmWwp5ttdsdnolvg2xdvf21oyt1vnfimcs5dnidhoifavirzmryzW6vFzdHW@eapsim.foo").
The following plaintext will be encrypted and stored in the AT_ENCR_DATA attribute. Note that AT_PADDING is not used because the length of the plaintext is a multiple of 16 bytes.
以下明文将被加密并存储在AT_ENCR_数据属性中。注意,不使用AT_填充,因为明文的长度是16字节的倍数。
13 ; Attribute type: AT_COUNTER 01 ; Attribute length: 4 octets (1*4) 00 01 ; Counter value 15 ; Attribute type: AT_NONCE_S 05 ; Attribute length: 20 octets (5*4) 00 00 ; (reserved) 01 23 45 67 ; NONCE_S value 89 ab cd ef fe dc ba 98 76 54 32 10 85 ; Attribute type: AT_NEXT_REAUTH_ID 16 ; Attribute length: 88 octets (22*4) 00 51 ; Actual re-auth identity length: 81 octets 75 74 61 30 4d 30 69 79 49 73 4d 77 57 70 35 54 54 64 53 64 6e 4f 4c 76 67 32 58 44 56 66 32 31 4f 59 74 31 76 6e 66 69 4d 63 73 35 64 6e 49 44 48 4f 49 46 56 61 76 49 52 7a 4d 52 79 7a 57 36 76 46 7a 64 48 57 40 65 61 70 73 69 6d 2e 66 6f 6f 00 00 00 ; (attribute padding)
13 ; 属性类型:AT_计数器01;属性长度:4个八位字节(1*4)00 01;计数器值15;属性类型:当前05;属性长度:20个八位字节(5*4)00;(预留)01 23 45 67 ;;当前值89 ab cd ef fe dc ba 98 76 54 32 10 85;属性类型:AT_NEXT_REAUTH_ID 16;属性长度:88个八位字节(22*4)0051;实际重新验证身份长度:81个八位字节75 74 61 30 4d 30 69 79 49 73 4d 77 57 70 35 54 64 53 64 6e 4f 4c 76 67 32 58 44 56 66 32 31 4f 59 74 31 76 6e 66 69 4d 63 35 64 6 E 49 44 48 4f 49 46 56 61 49 52 7a 4d 52 79 7a 57 36 76 7a 64 48 57 40 61 70 69 6 D 2 6 F 6 F 00;(属性填充)
The EAP packet looks like this:
EAP数据包如下所示:
01 ; Code: Request 01 ; Identifier: 1 00 a4 ; Length: 164 octets 12 ; Type: EAP-SIM 0d ; EAP-SIM subtype: Re-authentication 00 00 ; (reserved) 81 ; Attribute type: AT_IV 05 ; Attribute length: 20 octets (5*4) 00 00 ; (reserved) d5 85 ac 77 ; IV value 86 b9 03 36 65 7c 77 b4 65 75 b9 c4 82 ; Attribute type: AT_ENCR_DATA 1d ; Attribute length: 116 octets (29*4) 00 00 ; (reserved) 68 62 91 a9 d2 ab c5 8c aa 32 94 b6 e8 5b 44 84 6c 44 e5 dc b2 de 8b 9e 80 d6 9d 49 85 8a 5d b8 4c dc 1c 9b c9 5c 01 b9 6b 6e ca 31 34 74 ae a6 d3 14 16 e1 9d aa 9d f7 0f 05 00 88 41 ca 80 14 96 4d 3b 30 a4 9b cf 43 e4 d3 f1 8e 86 29 5a 4a 2b 38 d9 6c 97 05 c2 bb b0 5c 4a ac e9 7d 5e af f5 64 04 6c 8b d3 0b c3 9b e5 e1 7a ce 2b 10 a6 0b ; Attribute type: AT_MAC 05 ; Attribute length: 20 octets (5*4) 00 00 ; (reserved) 48 3a 17 99 ; MAC value b8 3d 7c d3 d0 a1 e4 01 d9 ee 47 70
01 ; 代码:请求01;识别号码:100A4;长度:164个八位组12个;类型:EAP-SIM 0d;EAP-SIM子类型:重新认证00;(保留)81;属性类型:AT_IV 05;属性长度:20个八位字节(5*4)00;(预留)d5 85 ac 77;IV值86 b9 03 36 65 7c 77 b4 65 b9 c4 82;属性类型:AT_ENCR_DATA 1d;属性长度:116个八位字节(29*4)00;(保留)68 62 91 a9 d2 ab c5 8c aa 32 94 b6 e8 5b 44 84 6c 44 e5 dc b2 de 8b 9e 80 d6 9d 49 85 8a 5d b8 4c dc 1c 9b c9 5c 01 b9 6b 6e ca 31 34 74 ae a6 d3 14 16 e1 9d aa 9d f7 0f 05 00 88 41 ca 80 96 4d 3b 30 a4 9b cf 43 e4 d3 8e 86 29 5a 2b 38 d9 6c 97 05 c2 b0 5c 5b 4a ac e9 7d 5d 5d 5e af f5 64 04 C4 8b c3 0b E2 0b E2 0b E2 0b 8b 8b 8b 8b 8b 8b 8b 8b 8b 8b 8b 8b 8b 8b 8b 8b 8b 8b 8b 8b 8b 8b 8b 8b;属性类型:AT_MAC 05;属性长度:20个八位字节(5*4)00;(保留)483A 1799;MAC值b8 3d 7c d3 d0 a1 e4 01 d9 ee 47 70
The MAC is calculated over the EAP packet above (with MAC value set to zero; a total of 164 bytes).
通过上面的EAP数据包计算MAC(MAC值设置为零;总共164字节)。
Finally, the server derives new keys. The XKEY' is calculated as described in Section 7*:
最后,服务器派生新密钥。按照第7节*的规定计算XKEY:
XKEY' = 863dc120 32e08343 c1a2308d b48377f6 801f58d4
XKEY'=863dc120 32e08343 c1a2308d b48377f6 801f58d4
The new MSK and EMSK are derived using the PRNG (note that K_encr and K_aut stay the same).
新的MSK和EMSK是使用PRNG导出的(请注意,K_encr和K_aut保持不变)。
MSK = 6263f614 973895e1 335f7e30 cff028ee 2176f519 002c9abe 732fe0ef 00cf167c 756d9e4c ed6d5ed6 40eb3fe3 8565ca07 6e7fb8a8 17cfe8d9 adbce441 d47c4f5e EMSK = 3d8ff786 3a630b2b 06e2cf20 9684c13f 6b82f992 f2b06f1b 54bf51ef 237f2a40 1ef5e0d7 e098a34c 533eaebf 34578854 b7721526 20a777f0 e0340884 a294fb73
MSK=6263f614 973895e1 335f7e30 cff028ee 2176f519 002c9abe 732FE0CF167C 756d9e4c ed6d5ed6 40eb3fe3 8565ca07 6e7fb8a8 17cfe8d9 adbce441 d47c4f5e EMSK=3d8ff786 3a630b2b 06e2cf20 9684c13f 6b82f992 f2b06f1b 54bf51ef 237f2a40 1ef5e0d7 e098a34c 533EAF 345784 B7721F084
The client's response includes the counter as well. The following plaintext will be encrypted and stored in the AT_ENCR_DATA attribute:
客户的响应也包括计数器。以下明文将被加密并存储在AT_ENCR_数据属性中:
13 ; Attribute type: AT_COUNTER
01 ; Attribute length: 4 octets (1*4)
00 01 ; Counter value
06 ; Attribute type: AT_PADDING
03 ; Attribute length: 12 octets (3*4)
00 00 00 00
00 00 00 00
00 00
13 ; Attribute type: AT_COUNTER
01 ; Attribute length: 4 octets (1*4)
00 01 ; Counter value
06 ; Attribute type: AT_PADDING
03 ; Attribute length: 12 octets (3*4)
00 00 00 00
00 00 00 00
00 00
The EAP packet looks like this:
EAP数据包如下所示:
02 ; Code: Response
01 ; Identifier: 1
00 44 ; Length: 68 octets
12 ; Type: EAP-SIM
0d ; EAP-SIM subtype: Re-authentication
00 00 ; (reserved)
81 ; Attribute type: AT_IV
05 ; Attribute length: 20 octets (5*4)
00 00 ; (reserved)
cd f7 ff a6 ; IV value
5d e0 4c 02
6b 56 c8 6b
76 b1 02 ea
82 ; Attribute type: AT_ENCR_DATA
05 ; Attribute length: 20 octets (5*4)
00 00 ; (reserved)
b6 ed d3 82
79 e2 a1 42
3c 1a fc 5c
45 5c 7d 56
02 ; Code: Response
01 ; Identifier: 1
00 44 ; Length: 68 octets
12 ; Type: EAP-SIM
0d ; EAP-SIM subtype: Re-authentication
00 00 ; (reserved)
81 ; Attribute type: AT_IV
05 ; Attribute length: 20 octets (5*4)
00 00 ; (reserved)
cd f7 ff a6 ; IV value
5d e0 4c 02
6b 56 c8 6b
76 b1 02 ea
82 ; Attribute type: AT_ENCR_DATA
05 ; Attribute length: 20 octets (5*4)
00 00 ; (reserved)
b6 ed d3 82
79 e2 a1 42
3c 1a fc 5c
45 5c 7d 56
0b ; Attribute type: AT_MAC 05 ; Attribute length: 20 octets (5*4) 00 00 ; (reserved) fa f7 6b 71 ; MAC value fb e2 d2 55 b9 6a 35 66 c9 15 c6 17
0b;属性类型:AT_MAC 05;属性长度:20个八位字节(5*4)00;(保留)fa f7 6b 71;MAC值fb e2 d2 55 b9 6a 35 66 c9 15 c6 17
The MAC is calculated over the EAP packet above (with MAC value set to zero), followed by the NONCE_S value (a total of 84 bytes).
MAC是通过上面的EAP数据包计算的(MAC值设置为零),然后是NONCE_S值(总共84个字节)。
The next packet will be EAP-Success:
下一个数据包将是EAP Success:
03 ; Code: Success
01 ; Identifier: 1
00 04 ; Length: 4 octets
03 ; Code: Success
01 ; Identifier: 1
00 04 ; Length: 4 octets
The "|" character denotes concatenation, and "^" denotes exponentiation.
“|”字符表示串联,“^”表示幂运算。
Step 1: Choose a new, secret value for the seed-key, XKEY
步骤1:为种子密钥选择一个新的秘密值XKEY
Step 2: In hexadecimal notation let t = 67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0 This is the initial value for H0|H1|H2|H3|H4 in the FIPS SHS [SHA-1]
步骤2:以十六进制表示法,让t=67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0这是FIPS SHS[SHA-1]中H0 | H1 | H2 | H3 | H4的初始值
Step 3: For j = 0 to m - 1 do
3.1 XSEED_j = 0 /* no optional user input */
3.2 For i = 0 to 1 do
a. XVAL = (XKEY + XSEED_j) mod 2^b
b. w_i = G(t, XVAL)
c. XKEY = (1 + XKEY + w_i) mod 2^b
3.3 x_j = w_0|w_1
Step 3: For j = 0 to m - 1 do
3.1 XSEED_j = 0 /* no optional user input */
3.2 For i = 0 to 1 do
a. XVAL = (XKEY + XSEED_j) mod 2^b
b. w_i = G(t, XVAL)
c. XKEY = (1 + XKEY + w_i) mod 2^b
3.3 x_j = w_0|w_1
Authors' Addresses
作者地址
Henry Haverinen (editor) Nokia Enterprise Solutions P.O. Box 12 FIN-40101 Jyvaskyla Finland
Henry Haverinen(编辑)诺基亚企业解决方案邮政信箱12 FIN-40101芬兰Jyvaskyla
EMail: henry.haverinen@nokia.com
EMail: henry.haverinen@nokia.com
Joseph Salowey (editor) Cisco Systems 2901 Third Avenue Seattle, WA 98121 USA
Joseph Salowey(编辑)美国华盛顿州西雅图第三大道2901号思科系统公司98121
Phone: +1 206 256 3380
EMail: jsalowey@cisco.com
Phone: +1 206 256 3380
EMail: jsalowey@cisco.com
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2006).
版权所有(C)互联网协会(2006年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).
RFC编辑器功能的资金由IETF行政支持活动(IASA)提供。