HP-UX AAA Server A.08.02.10 Administrator's Guide HP-UX 11i v3 (T1428-90093, November 2013)
17 Configuring EAP-SIM and EAP-AKA Authentication Methods
This chapter introduces the Extensible Authentication Protocol (EAP) methods for Global System for
Mobile Communications (GSM) Subscriber Identity Module (SIM) and for Universal Mobile
Telecommunications System (UMTS) Authentication and Key Agreement (AKA).
The chapter discusses the following topics:
• “EAP-SIM”
• “EAP-AKA”
• “Fast Re-Authentication”
• “Pseudonym Identities”
• “Generating Authentication Vectors Using A3, A8, and AKA Algorithms”
EAP-SIM
This section discusses the EAP-SIM authentication method and its configurations. This section
addresses the following topics:
• “Overview”
• “EAP-SIM Authentication Using HP-UX AAA Server”
• “Features”
• “Benefits”
• “Configuring EAP SIM”
Overview
EAP-SIM is an authentication method capable of operating in wireless networks. EAP-SIM is used
for authentication and session key distribution using the GSM SIM.
Standard GSM mobile network authentication builds on a challenge-response mechanism. Using
the algorithms specified by the operator, the SIM takes the 128-bit challenge and the secret
key (subscriber key), Ki, and generates a 32-bit response and a 64-bit cipher key, Kc, as output.
Kc is used to derive the keying material. The Ki, which is also known as the authentication key, is
a 128-bit value used to authenticate SIMs in the network. Each SIM is associated with a unique
Ki, which is assigned by the operator. Therefore, the security of the protocol depends on Kc.
However, for data networks that require stronger and longer keys, Kc is not very secure. To enhance
security, the EAP-SIM mechanism combines multiple challenges to generate several 64-bit cipher
keys (Kc). Collectively, these keys form stronger keying material.
The security of EAP-SIM builds on the GSM mechanism. If the SIM credentials are used only for
EAP-SIM, and are not re-used from GSM/GPRS, EAP-SIM is a more secure method than the
underlying GSM mechanisms.
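The following added example (not from this guide and not HP-UX AAA Server code) shows how the Kc values from several challenges are combined into one master key, using the MK formula from RFC 4186. The A3/A8 function is an HMAC-SHA-256 stand-in because the real algorithms are operator-specific; Ki, the RAND values, the identity and NONCE_MT are constructed sample values, and all function names are hypothetical.

```python
import hashlib
import hmac

def standin_a3a8(ki, rand):
    """Stand-in for the operator's A3/A8 algorithms (assumption: HMAC-SHA-256)."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND are 128-bit values")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]  # 32-bit response (SRES), 64-bit Kc

def gsm_triplets(ki, rands):
    """Run one challenge-response per RAND; EAP-SIM uses two or three."""
    if not 2 <= len(rands) <= 3:
        raise ValueError("EAP-SIM requires two or three RAND challenges")
    if len(set(rands)) != len(rands):
        # A repeated RAND yields a repeated Kc and adds no key strength.
        raise ValueError("RAND challenges must all be different")
    return [(rand, *standin_a3a8(ki, rand)) for rand in rands]

def master_key(identity, kcs, nonce_mt, version_list, selected_version):
    """RFC 4186: MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version)."""
    material = identity + b"".join(kcs) + nonce_mt + version_list + selected_version
    return hashlib.sha1(material).digest()

# Constructed sample values, not taken from any real SIM or network.
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
IDENTITY = b"1001010000000001@example.org"  # "1" + test IMSI + realm
RANDS = [bytes([b]) * 16 for b in (0x10, 0x20, 0x30)]
NONCE_MT = bytes(range(16))                  # peer nonce, fixed here for repeatability
VERSION = b"\x00\x01"                        # EAP-SIM version 1

def derive_mk(ki, rands):
    """What each side (SIM holder and AuC) computes from its copy of Ki."""
    kcs = [kc for _rand, _sres, kc in gsm_triplets(ki, rands)]
    return master_key(IDENTITY, kcs, NONCE_MT, VERSION, VERSION)

if __name__ == "__main__":
    peer_mk = derive_mk(KI, RANDS)      # computed on the SIM side
    server_mk = derive_mk(KI, RANDS)    # computed from the AuC copy of Ki
    print("MK match:", hmac.compare_digest(peer_mk, server_mk))
    print("Kc input bits:", 64 * len(RANDS))
```

RFC 4186 then expands MK through a pseudo-random function into the encryption, authentication and session keys; that step is omitted here.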
EAP-SIM Authentication Using HP-UX AAA Server
Each mobile device that is authorized to use the network has a unique identifier, called the
International Mobile Subscriber Identity (IMSI), which identifies the subscriber and is contained in
the SIM. The SIM is also embedded or burnt with a unique secret (subscriber) key, Ki, which is
pre-shared with the HP-UX AAA Server user storage (also referred to as the Authentication Center,
AuC). This forms the basis for securing access to the network.