HP-UX AAA Server A.08.02 Administrator's Guide
17 Configuring EAP-SIM and EAP-AKA Authentication Methods
This chapter introduces the Extensible Authentication Protocol (EAP) method for Global System for
Mobile Communications (GSM) Subscriber Identity Module (SIM) and the EAP method for Universal
Mobile Telecommunications System (UMTS) Authentication and Key Agreement (AKA).
The chapter discusses the following topics:
• “EAP-SIM”
• “EAP-AKA”
• “Fast Re-Authentication”
• “Pseudonym Identities”
• “Generating Authentication Vectors Using A3, A8, and AKA Algorithms”
EAP-SIM
This section discusses the EAP-SIM authentication method and its configuration. It
addresses the following topics:
• “Overview”
• “EAP-SIM Authentication Using HP-UX AAA Server”
• “Features”
• “Benefits”
• “Configuring EAP SIM”
Overview
EAP-SIM is an authentication method capable of operating in wireless networks. EAP-SIM is used
for authentication and session key distribution using the GSM SIM.
Standard GSM mobile network authentication builds on a challenge-response mechanism. Based
on the algorithms specified by the operators, the SIM uses the 128-bit challenge and the secret
key (subscriber key), Ki, to generate a 32-bit response and a 64-bit cipher key, Kc, as output.
Kc is used to derive the keying material. The Ki, which is also known as the authentication key, is
a 128-bit value used to authenticate SIMs in the network. Each SIM is associated with a unique
Ki, which is assigned by the operator. Therefore, the security of the protocol depends on Kc.
However, for data networks that require stronger and longer keys, a single Kc is not very secure.
To enhance security, the EAP-SIM mechanism combines multiple challenges to generate several
64-bit Kc cipher keys. Collectively, these keys form stronger keying material.
The security of EAP-SIM builds on the GSM mechanism. If the SIM credentials are used only for
EAP-SIM, and are not re-used from GSM/GPRS, EAP-SIM is a more secure method than the
underlying GSM mechanisms.
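The combination of several Kc values described above can be illustrated with the master key formula from RFC 4186, section 7: MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version). This is an added example, not code from the HP-UX AAA Server; the function name, identity, triplets, and nonce are constructed for illustration, and the sketch stops at MK (RFC 4186 then expands MK into the session keys with a pseudo-random function).

```python
import hashlib
import struct

RAND_LEN, SRES_LEN, KC_LEN, NONCE_LEN = 16, 4, 8, 16  # sizes in bytes


def derive_master_key(identity, triplets, nonce_mt, version_list, selected_version):
    """Return the 20-byte EAP-SIM master key MK (RFC 4186, section 7).

    triplets is a list of (RAND, SRES, Kc) tuples, in the order in which
    the RAND challenges are sent to the peer.
    """
    if len(triplets) not in (2, 3):
        raise ValueError("EAP-SIM requires two or three GSM challenges")
    rands = [rand for rand, _, _ in triplets]
    if len(set(rands)) != len(rands):
        # A repeated challenge yields a repeated Kc and adds no key material.
        raise ValueError("RAND challenges must all be different")
    for rand, sres, kc in triplets:
        if (len(rand), len(sres), len(kc)) != (RAND_LEN, SRES_LEN, KC_LEN):
            raise ValueError("malformed GSM triplet")
    if len(nonce_mt) != NONCE_LEN:
        raise ValueError("NONCE_MT must be 16 bytes")
    if selected_version not in version_list:
        raise ValueError("selected version was not offered")

    # n*Kc: the Kc values concatenated in challenge order.
    n_kc = b"".join(kc for _, _, kc in triplets)
    # Version numbers are 2-byte values in network byte order.
    versions = b"".join(struct.pack("!H", v) for v in version_list)
    selected = struct.pack("!H", selected_version)
    return hashlib.sha1(identity + n_kc + nonce_mt + versions + selected).digest()


# Constructed sample values (not real subscriber data).
SAMPLE_IDENTITY = b"1244070100000001@eapsim.example"
SAMPLE_NONCE = bytes(range(16))
SAMPLE_TRIPLETS = [
    (bytes([i]) * RAND_LEN, bytes([i]) * SRES_LEN, bytes([0xA0 + i]) * KC_LEN)
    for i in (1, 2, 3)
]

if __name__ == "__main__":
    mk = derive_master_key(SAMPLE_IDENTITY, SAMPLE_TRIPLETS, SAMPLE_NONCE, [1], 1)
    print("MK =", mk.hex())
```
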
EAP-SIM Authentication Using HP-UX AAA Server
Each mobile device that is authorized to use the network has a unique identifier, called the
International Mobile Subscriber Identity (IMSI), which identifies the subscriber and is contained in
the SIM. The SIM is also embedded or burnt with a unique secret (subscriber) key, Ki, which is
pre-shared with the HP-UX AAA Server user storage (also referred to as the Authentication Center,
AuC). This forms the basis for securing access to the network.