* [sim-auth RFCv2 0/4]
From: Pekka.Pessi @ 2011-01-12 23:08 UTC
  To: ofono


Hi all,

This is my 2nd stab at the SIM authentication API, providing access to
ordinary SIM authentication methods.

In addition to 2G "SIM" authentication and 3G "AKA" authentication there
is "GBA_U". It is a UICC-based GBA variant using a USIM or ISIM service
to store the bootstrapped keys and identities securely.

--Pekka



* [sim-auth RFCv2 1/4] TODO: add SIM authentication
From: Pekka.Pessi @ 2011-01-12 23:08 UTC
  To: ofono


From: Pekka Pessi <Pekka.Pessi@nokia.com>

---
 TODO |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/TODO b/TODO
index 6ad972e..11330b6 100644
--- a/TODO
+++ b/TODO
@@ -97,6 +97,12 @@ SIM / SIM File system
   Complexity: C1
   Owner: Marit Henriksen <marit.henriksen@stericsson.com>
 
+- Support SIM authentication: SIM, AKA, and GBA suites.
+
+  Priority: Medium
+  Complexity: C3
+  Owner: Pekka Pessi <pekka.pessi@nokia.com>
+
 Modem Emulator
 ==============
 
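Review bot: `Complexity: C3` does not fit the scale used elsewhere in this file; the entry just above uses C1 and Denis's reply confirms the levels grow exponentially, so this should be C2 or C4. Separately, one TODO item covers three suites of very different size: SIM and AKA are each a single card command, while GBA_U adds the update and NAF key derivation operations on top of AKA. Splitting the entry per suite would let complexity and ownership be tracked per suite and would match the incremental, experimental-API approach suggested for the series.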
-- 
1.7.1



* [sim-auth RFCv2 2/4] Added doc/sim-authentication-api.txt.
From: Pekka.Pessi @ 2011-01-12 23:08 UTC
  To: ofono


From: Pekka Pessi <Pekka.Pessi@nokia.com>

The authentication mechanisms include SIM authentication (basic A8
authentication used with GSM), AKA authentication and UICC-based GBA
authentication.

The SIM and AKA can be used to implement EAP and GBA authentication
algorithms.

The interface can be applied to both SIM/USIM and ISIMs.
---
 doc/sim-authentication-api.txt |  186 ++++++++++++++++++++++++++++++++++++++++
 1 files changed, 186 insertions(+), 0 deletions(-)
 create mode 100644 doc/sim-authentication-api.txt

diff --git a/doc/sim-authentication-api.txt b/doc/sim-authentication-api.txt
new file mode 100644
index 0000000..97f4fac
--- /dev/null
+++ b/doc/sim-authentication-api.txt
@@ -0,0 +1,186 @@
+SimAuthentication hierarchy
+===========================
+
+Service		org.ofono
+Interface	org.ofono.SimAuthentication
+Object path	[variable prefix]/{modem0,modem1,...} for SIM/USIM
+       		[variable prefix]/{modem0,modem1,...}/{isim01,...} for ISIM
+
+Methods		dict GetProperties()
+
+			Returns all properties for this object. See the
+			properties section for available properties.
+
+			Possible Errors: [service].Error.InvalidArguments
+
+		dict Authenticate(string suite, dict input)
+
+			Executes the requested authentication suite.
+			The input and returned result depend on the
+			authentication suite.
+
+			See the suite sections for input and results for
+			each suite.
+
+			Possible Errors: [service].Error.InvalidArguments
+					 [service].Error.NotImplemented
+
+Properties	array{string} Suites [readonly]
+
+			Contains the list of supported authentication
+			suites and applications. The possible values are:
+
+			"SIM" - SIM authentication
+			"AKA" - AKA authentication
+			"GBA_U" - UICC-based GBA authentication
+
+		string IPMultimediaPrivateIdentity [readonly, optional]
+
+			GBA identity read from ISIM or derived from IMSI.
+
+		string BootstrappingServerFunctionAddress [readonly, optional]
+
+			FQDN read from ISIM or derived from IMSI,
+			used with GBA.
+
+		string TMPI [readonly, optional]
+
+			Temporary identity used in GBA bootstrapping.
+
+		string BTID [readonly, optional]
+
+			Unique identity obtained from BSF server.
+
+SIM Authentication Suite
+------------------------
+
+		SIM authentication can be used to implement EAP SIM or
+		GBA_ME authentication.
+
+		In case of successful SIM authentication the returned
+		dictionary contains following items:
+
+			byte{array} "SRES" - SRES parameter
+
+			byte{array} "Kc" - Kc ciphering key
+
+		The SRES parameter is a 4-byte array.
+		The Kc parameter is a 8-byte array.
+
+AKA Authentication Suite
+------------------------
+
+		AKA authentication can be used to implement EAP AKA, AKA
+		digest or GBA_ME authentication.
+
+		The input dictionary must contain following input
+		parameters:
+
+			byte{array} "RAND" - RAND parameter
+
+			byte{array} "AUTN" - AUTN parameter
+
+		In case of successful AKA authentication the returned
+		dictionary contains following items:
+
+			byte{array} "RES" - AKA RES parameter
+
+			byte{array} "CK" - AKA Ciphering key
+
+			byte{array} "IK" - AKA Integrity key
+
+		AKA is a mutual authentication algorithm: terminal and
+		network authenticate each other. In case the terminal
+		rejects the AUTN from network, the returned dictionary
+		contain following item:
+
+			byte{array} "AUTS" - AKA AUTS parameter
+
+		All the AKA parameters and keys are 16-byte arrays.
+
+UICC-based GBA Authentication Suite
+-----------------------------------
+
+		GBA is used to establish a unique identity and a shared
+		secret between SIM card and a network service.
+
+		The GBA_ME variant where the Ks key is stored outside
+		SIM card can be implemented using ordinary SIM or AKA
+		authentication.
+
+		The UICC-based GBA variant, GBA_U, keeps the Ks key
+		stored on the SIM card (UICC) and lets the SIM card
+		calculate the NAF keys.
+
+		For further reference on GBA, see 3GPP TS 33.220
+		and 3GPP TS 24.109.
+
+		The GBA authentication suite has three different
+		operations:
+
+		- bootstrapping (AKA authentication with BSF)
+		- update (storing result from BSF to SIM)
+		- NAF key derivation
+
+		The GBA suite recognizes the operations based on the
+		input parameters.
+
+GBA Bootstrapping
+
+		The input dictionary for the GBA bootstrapping must
+		contain following parameters:
+
+			byte{array} "RAND" - AKA RAND parameter
+
+			byte{array} "AUTN" - AKA AUTN parameter
+
+		In case of successful initial GBA bootstrapping the
+		returned dictionary contains following items:
+
+			byte{array} "RES" - AKA RES parameter
+
+		In case of unsuccessful bootstrapping the returned
+		dictionary contains following item:
+
+			byte{array} "AUTS" - AKA AUTS parameter
+
+		If the bootstrapping server accepts the RES parameter,
+		it will return an XML document containing bootstrapping
+		transaction identifier (B-TID) and the lifetime of the
+		KS_NAF keys.
+
+GBA Update
+
+		The input dictionary for GBA update must contain
+		following parameters:
+
+			string "BTID" - B-TID parameter
+			string "lifetime" - NAF key lifetime
+
+		In case of succesful update, an empty dictionary is
+		returned.
+
+NAF Key Derivation
+
+		The input dictionary for NAF key derivation must contain
+		the following parameters:
+
+			string "variant" - "gba-u" or "gba-me"
+
+			string "NAF" - FQDN of NAF
+
+			byte{array} "protocol" - security protocol identifier
+
+		The variant indicates whether the KS_int_NAF or
+		KS_ext_NAF is required.
+
+		The security protocol identifier is usually a 5 byte
+		array. It indicates the protocol used between mobile
+		(UE) and network server (NAF).
+
+		In case of successful NAF key derivation the returned
+		dictionary contains following item:
+
+			byte{array} "KS-NAF" - NAF key
+
+		The KS-NAF is a 32-byte array.
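Review bot: The "SIM Authentication Suite" section never says what the input dictionary must contain; unlike the AKA and GBA sections it lists only the outputs (SRES, Kc), yet the card cannot run the SIM algorithm without a RAND, so add a `"RAND"` input item there and give its length (16 bytes) the way the AKA section gives its parameter sizes. Further points on this hunk: (1) Possible Errors for Authenticate lists only InvalidArguments and NotImplemented, so a failed authentication has no documented outcome; the AKA text says that when the terminal rejects AUTN the result contains AUTS, but AUTS is produced only in the synchronisation-failure case, while a MAC failure (or a SIM suite failure) yields no AUTS at all, so define a Failed error and narrow the AUTS sentence to sync failure. (2) The type notation `byte{array}` should be `array{byte}` to match `array{string} Suites` in the Properties section. (3) Key names drift between KS_NAF, KS_int_NAF/KS_ext_NAF and the returned "KS-NAF"; pick one spelling, and state that the "variant" values "gba-u"/"gba-me" select Ks_int_NAF versus Ks_ext_NAF (a GBA_U card computes both), since the doc otherwise uses GBA_U/GBA_ME for whole procedures. If "gba-u" is meant to hand Ks_int_NAF to the D-Bus client, say how that squares with TS 33.220, where Ks_int_NAF stays on the UICC for UICC-resident applications; if it only triggers derivation on the card, say that no key is returned in that case. (4) "lifetime" is a string with no format given, and "protocol" is described as "usually" 5 bytes although the Ua security protocol identifier is a fixed 5 octets; state both precisely. (5) Typo "succesful" in the GBA Update section. (6) Kc, CK/IK and Ks_ext_NAF are session key material that let any D-Bus client holding them act as the subscriber towards the network or a NAF; the doc should state that Authenticate is restricted to privileged clients, or the bus policy shipped with oFono must enforce that.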
-- 
1.7.1
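The NAF key derivation that the proposed document above describes (the "variant", "NAF" and "protocol" inputs and the 32-byte "KS-NAF" result), worked through as an added example; this is not oFono code and not part of the patch. It implements the KDF of 3GPP TS 33.220 Annex B with Ks = CK || IK from an AKA run, and goes a little beyond the document by also deriving the IMSI-based IMPI and BSF FQDN that the IPMultimediaPrivateIdentity and BootstrappingServerFunctionAddress properties describe (3GPP TS 23.003). The Ua security protocol identifier value used for HTTP Digest, the function names and all sample CK/IK/RAND/IMSI values are assumptions made for the example.

```python
"""
Added example (not oFono code): the GBA NAF key derivation behind the
"NAF Key Derivation" operation of the proposed org.ofono.SimAuthentication
API, following 3GPP TS 33.220 Annex B, plus the IMSI-derived GBA identities
(IMPI and BSF FQDN) of 3GPP TS 23.003.  All sample values are constructed.
"""
import hashlib
import hmac

# TS 33.220 Annex B.3: FC value for NAF-specific key derivation.
FC_NAF_KEY_DERIVATION = b"\x01"
# TS 33.220 Annex H: the Ua security protocol identifier is 5 octets.
UA_PROTOCOL_ID_LEN = 5
# Assumed identifier for "HTTP Digest with GBA keys" (TS 24.109): organisation
# octet 0x01 (3GPP) followed by 0x00000002.  Treat it as an example value.
UA_PROTO_HTTP_DIGEST = bytes.fromhex("0100000002")

# The "variant" input of the API selects the KDF label and thereby the key.
VARIANTS = {"gba-u": "Ks_int_NAF", "gba-me": "Ks_ext_NAF"}


def kdf_input(variant, rand, impi, naf_id):
    """S = FC || P0 || L0 || P1 || L1 || P2 || L2 || P3 || L3 (TS 33.220 B.2).

    P0 is the variant label, P1 RAND, P2 the IMPI (UTF-8), P3 the NAF_Id;
    each Ln is the 2-octet big-endian length of Pn.
    """
    if variant not in VARIANTS:
        raise ValueError("variant must be 'gba-u' (Ks_int_NAF) or 'gba-me' (Ks_ext_NAF)")
    if len(rand) != 16:
        raise ValueError("RAND must be 16 bytes")
    s = FC_NAF_KEY_DERIVATION
    for p in (variant.encode("ascii"), rand, impi.encode("utf-8"), naf_id):
        s += p + len(p).to_bytes(2, "big")
    return s


def naf_id(naf_fqdn, ua_protocol_id):
    """NAF_Id = NAF FQDN (UTF-8) || Ua security protocol identifier."""
    if len(ua_protocol_id) != UA_PROTOCOL_ID_LEN:
        raise ValueError("Ua security protocol identifier must be 5 bytes")
    return naf_fqdn.encode("utf-8") + ua_protocol_id


def derive_naf_key(ck, ik, variant, rand, impi, naf_fqdn, ua_protocol_id):
    """Ks_NAF = HMAC-SHA-256(Ks, S) with Ks = CK || IK; 32-byte result.

    A GBA_U card holds Ks and can evaluate this for both labels; per
    TS 33.220 only the "gba-me" result (Ks_ext_NAF) is handed to the ME.
    """
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 16 bytes each")
    ks = ck + ik
    s = kdf_input(variant, rand, impi, naf_id(naf_fqdn, ua_protocol_id))
    return hmac.new(ks, s, hashlib.sha256).digest()


def _split_imsi(imsi, mnc_len):
    """Return (MCC, MNC) from an IMSI; the MNC is zero-padded to 3 digits."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3 digits")
    mcc, mnc = imsi[:3], imsi[3:3 + mnc_len]
    return mcc, mnc.zfill(3)   # TS 23.003: a two-digit MNC gets a leading zero


def impi_from_imsi(imsi, mnc_len):
    """IMSI-derived IMPI: <IMSI>@ims.mnc<MNC>.mcc<MCC>.3gppnetwork.org"""
    mcc, mnc = _split_imsi(imsi, mnc_len)
    return f"{imsi}@ims.mnc{mnc}.mcc{mcc}.3gppnetwork.org"


def bsf_fqdn_from_imsi(imsi, mnc_len):
    """IMSI-derived BSF address: bsf.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org"""
    mcc, mnc = _split_imsi(imsi, mnc_len)
    return f"bsf.mnc{mnc}.mcc{mcc}.pub.3gppnetwork.org"


if __name__ == "__main__":
    # Constructed sample values; a real run takes CK/IK and RAND from the AKA suite.
    ck, ik, rand = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))
    impi = impi_from_imsi("234150999999999", mnc_len=2)
    print("IMPI:", impi)
    print("BSF :", bsf_fqdn_from_imsi("234150999999999", mnc_len=2))
    for variant, name in VARIANTS.items():
        key = derive_naf_key(ck, ik, variant, rand, impi,
                             "naf.example.com", UA_PROTO_HTTP_DIGEST)
        print(f"{name}: {key.hex()}")
```

Running the file prints the two NAF keys for the constructed inputs. The length prefixes in `kdf_input` are what make the derivation unambiguous: without them an attacker-chosen NAF FQDN could be crafted so that FQDN || protocol identifier collides with another NAF's input, which is why the NAF_Id must always carry the full 5-octet protocol identifier and why the API should not accept a shorter "protocol" value.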



* [sim-auth RFCv2 3/4] Add GBA documents to doc/standards.txt
From: Pekka.Pessi @ 2011-01-12 23:08 UTC
  To: ofono


From: Pekka Pessi <Pekka.Pessi@nokia.com>

---
 doc/standards.txt |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/doc/standards.txt b/doc/standards.txt
index 2b85cb0..e8ec19f 100644
--- a/doc/standards.txt
+++ b/doc/standards.txt
@@ -55,6 +55,19 @@ Describes 3GPP specific aspects of Card Application Toolkit (CAT) / STK.
 Describes the testing parameters and test cases for 31.111.
 
 
+Security Specifications
+=======================
+
+- 33.220  Generic bootstrapping architecture (GBA)
+
+Describes the generic bootstrapping architecture used to leverage
+SIM-based authentication.
+
+- 24.109  Bootstrapping interface (Ub) and NAF interface (Ua)
+
+Describes how the GBA authentication is used with, e.g., HTTP.
+
+
 3GPP Specific Services
 ======================
 
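Review bot: Only the two GBA specifications are added to the new "Security Specifications" section, while the series also introduces the SIM and AKA suites; add the references those suites rely on, e.g. 3GPP TS 33.102 for the 3G AKA procedure (RAND/AUTN/RES/AUTS and the CK/IK keys) and TS 31.102 for the USIM AUTHENTICATE command the modem drivers will issue, so that the parameter sizes given in doc/sim-authentication-api.txt have a normative source in this file.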
-- 
1.7.1



* [sim-auth RFCv2 4/4] Include doc/sim-authentication-api.txt in dist.
From: Pekka.Pessi @ 2011-01-12 23:08 UTC
  To: ofono


From: Pekka Pessi <Pekka.Pessi@nokia.com>

---
 Makefile.am |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 4dec90a..f3afb20 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -380,6 +380,7 @@ doc_files = doc/overview.txt doc/ofono-paper.txt doc/release-faq.txt \
 			doc/message-api.txt doc/message-waiting-api.txt \
 			doc/phonebook-api.txt doc/radio-settings-api.txt \
 			doc/sim-api.txt doc/stk-api.txt \
+			doc/sim-authentication-api.txt \
 			doc/audio-settings-api.txt doc/text-telephony-api.txt \
 			doc/calypso-modem.txt
 
-- 
1.7.1



* Re: [sim-auth RFCv2 1/4] TODO: add SIM authentication
From: Denis Kenzior @ 2011-01-19  3:27 UTC
  To: ofono


Hi Pekka,

> +- Support SIM authentication: SIM, AKA, and GBA suites.
> +
> +  Priority: Medium
> +  Complexity: C3

Please don't invent new complexity levels.  We explicitly use an
exponential system, so it is either a C2 or a C4, there's no in between ;)

> +  Owner: Pekka Pessi <pekka.pessi@nokia.com>
> +
>  Modem Emulator
>  ==============
>  

Regards,
-Denis


* Re: [sim-auth RFCv2 2/4] Added doc/sim-authentication-api.txt.
From: Denis Kenzior @ 2011-01-19  3:34 UTC
  To: ofono


Hi Pekka,

On 01/12/2011 05:08 PM, Pekka.Pessi@nokia.com wrote:
> From: Pekka Pessi <Pekka.Pessi@nokia.com>
> 
> The authentication mechanisms include SIM authentication (basic A8
> authentication used with GSM), AKA authentication and UICC-based GBA
> authentication.
> 
> The SIM and AKA can be used to implement EAP and GBA authentication
> algorithms.
> 
> The interface can be applied to both SIM/USIM or ISIMs.

So I think this is a great start, but the entirety of this proposal
might be too much (at least for me) to digest all at once.  So my vote
would be that we start with the simplest SIM authentication mechanism
and implement it first.  We can mark the API as experimental during this
time.  Then add additional mechanisms as we gain better understanding /
have time to read the specs.

Specifically I'd like to see the flow from the core atom to the AT / ISI
modem.

Regards,
-Denis


* Re: [sim-auth RFCv2 3/4] Add GBA documents to doc/standards.txt
From: Denis Kenzior @ 2011-01-19  3:35 UTC
  To: ofono


Hi Pekka,

On 01/12/2011 05:08 PM, Pekka.Pessi@nokia.com wrote:
> From: Pekka Pessi <Pekka.Pessi@nokia.com>
> 
> ---
>  doc/standards.txt |   13 +++++++++++++
>  1 files changed, 13 insertions(+), 0 deletions(-)
> 

This patch has been applied, thanks.

Regards,
-Denis

