{{ message }}
eap_aka_sim: allow externally-derived CK'/IK' for EAP-AKA'#5894
Open
paunadeu wants to merge 1 commit into
Open
eap_aka_sim: allow externally-derived CK'/IK' for EAP-AKA'#5894paunadeu wants to merge 1 commit into
paunadeu wants to merge 1 commit into
Conversation
In a 3GPP SWx deployment the HSS performs the EAP-AKA' key transform itself (TS 33.402 Annex A) and returns CK'/IK' already bound to the Access Network Identity. The server must then not derive CK'/IK' a second time from CK/IK, or the MSK will not match the peer. Add a per-instance config item derive_ck_ik_prime (default yes, unchanged behavior) to the eap-aka-prime process module. When set to no, the module reads CK'/IK' from the new control.CK-Prime / control.IK-Prime attributes and fr_aka_sim_crypto_umts_kdf_1() skips its local derivation. - dictionary: add CK-Prime (284) and IK-Prime (285) - keys: add ck_ik_prime_provided flag - vector: add fr_aka_sim_vector_umts_ck_ik_prime_from_attrs() - crypto: guard ck_ik_prime_derive() on the flag; add unit test - process/eap_aka_prime: add derive_ck_ik_prime config item The default leaves existing EAP-AKA' (local Milenage / AuC) behavior byte-identical.
paunadeu
force-pushed
the
eap-aka-prime-external-hss-keys
branch
from
7bf10b3 to
03c81ef
Compare
Member
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The EAP-AKA' module derives CK'/IK' from CK/IK locally using the RFC 5448 / TS 33.402 Annex A transform. When the quintuplet is fetched from a 3GPP HSS over SWx (TS 29.273 section 8.2.3.16/17), the HSS has already performed that transform and returns CK'/IK' bound to the Access Network Identity the AAA sent in the MAR. Running the transform again on the server produces keys that no longer match what the peer derives from its USIM-supplied CK/IK, and AT_MAC verification fails on the supplicant.
Concrete example (one Asian HSS vendor on SWx):
CK' || IK' = HMAC-SHA-256(CK || IK, S),S = 0x20 || "WLAN" || 0x0004 || SQN ^ AK || 0x0006.network_name. K_aut is then derived from double-transformed key material; the supplicant, which derives K_aut from a single Annex A pass over its USIM CK/IK, rejects AT_MAC.Add a per-instance config item
derive_ck_ik_primeto the eap-aka-prime process module. Defaultyes, behavior unchanged. When set tono, the module reads CK'/IK' from new control.CK-Prime / control.IK-Prime attributes and skips the local derivation.Changes:
share/dictionary/eap/aka-sim/dictionary.freeradius— add CK-Prime (284), IK-Prime (285).src/lib/eap_aka_sim/base.h— addck_ik_prime_providedonfr_aka_sim_keys_t.src/lib/eap_aka_sim/vector.c— addfr_aka_sim_vector_umts_ck_ik_prime_from_attrs(); reads both attributes, validates lengths againstAKA_SIM_VECTOR_UMTS_CK_SIZE/..._IK_SIZE, sets the flag.src/lib/eap_aka_sim/crypto.c—fr_aka_sim_crypto_umts_kdf_1()skipsck_ik_prime_derive()when the flag is set.src/lib/eap_aka_sim/state_machine.c— inRESUME(send_aka_challenge_request)forFR_EAP_METHOD_AKA_PRIME, pull CK'/IK' fromcontrol.*before invoking the KDF whenderive_ck_ik_prime = no.src/process/eap_aka_prime/base.c— config parser entry with defaultyes.Tests:
test_eap_aka_kdf_1_umts_external_prime(crypto.c): starts from the RFC 5448 Appendix C / RFC 9048 Appendix D Case 1 vector, clobbers raw CK/IK to 0xff, supplies the expected CK'/IK' as if from an HSS, and asserts K_encr, K_aut, K_re, MSK and EMSK match the RFC vector byte for byte. If the local derivation were still running, the test would fail on the first downstream key.test_eap_aka_kdf_1_umtscontinues to pass; default config (noderive_ck_ik_primeset, or set toyes) is byte-identical to current behavior for the local Milenage / AuC path.