Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jari Arkko, Henry Haverinen, Joseph Salowey (presented by Pasi Eronen)

Published byJocelin Ashlynn Wells Modified over 6 years ago

Similar presentations

Presentation on theme: "Jari Arkko, Henry Haverinen, Joseph Salowey (presented by Pasi Eronen)"— Presentation transcript:

1 Jari Arkko, Henry Haverinen, Joseph Salowey (presented by Pasi Eronen)
EAP SIM and AKA Jari Arkko, Henry Haverinen, Joseph Salowey (presented by Pasi Eronen) July 14, 2003 EAP WG, IETF 57

2 Introduction Authentication based on GSM SIM and UMTS USIM smart cards
Neither the user’s terminal nor EAP server has direct access to the shared secret key We rely on GSM/UMTS key agreement protocols July 14, 2003 EAP WG, IETF 57

3 EAP SIM status Quite stable
Some updates based on Sarvar Patel’s analysis: When multiple RANDs used, client checks that they are different Clarified security considerations section Aligned key derivation with 2284bis AT_CHECKCODE July 14, 2003 EAP WG, IETF 57

4 EAP AKA status Stable Aligned key derivation with 2284bis AT_CHECKCODE
July 14, 2003 EAP WG, IETF 57

5 ”N bits of security” 2284bis: “If the effective key strength is N bits, the best currently known methods to recover the key (with non-negligible probability) require an effort comparable to 2N operations of a typical block cipher.” Must not mix the probability of 2–64 and the work of 264 operations! Attacks with 264 work are interesting; attacks with success probability of 2–64 are not very interesting July 14, 2003 EAP WG, IETF 57

6 ”N bits of security” EAP SIM key strength is ~64 bits with one triplet, and ~128 bits with 2 or 3 New text strongly recommends that both client and server require at least 2 triplets If the same SIM is used in GSM/GPRS, attacker can use their vulnerabilities No need to use SRES to increase key strength July 14, 2003 EAP WG, IETF 57

7 RAND re-use within one exchange
Obviously, if multiple triplets are used, the server chooses different triplets The latest version also requires the client to check this July 14, 2003 EAP WG, IETF 57

8 RAND re-use in different exchanges
EAP SIM requires that the server always uses fresh RANDs Client can’t check if RANDs are fresh (Keeping a list of all previously seen RANDs is not probably feasible) Well-known limitation of GSM; changed in UMTS (AKA) Discussed extensively in security considerations section July 14, 2003 EAP WG, IETF 57

9 Alternative protocols
Main goals in current protocol Use existing SIM cards without changes >800,000,000 deployed When they are redeployed, will support EAP AKA Keys that allow impersonating as the user (for longer than the current session) are never handled outside SIM and AuC This would undermine integrity of charging Keys that allow impersonation as the network are handled in user terminal and EAP server July 14, 2003 EAP WG, IETF 57

10 Next steps Wait until 2284bis is finished
Get reviews and publish as informational RFCs July 14, 2003 EAP WG, IETF 57

Download ppt "Jari Arkko, Henry Haverinen, Joseph Salowey (presented by Pasi Eronen)"

Similar presentations

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P1619.3 April 11, 2007 Andrea Doherty.

1 IETF KEYPROV WG Protocol Basis and Characteristics IEEE P April 11, 2007 Andrea Doherty.
Dynamic Symmetric Key Provisioning Protocol (DSKPP)

Dynamic Symmetric Key Provisioning Protocol (DSKPP)
Doc.: IEEE 802.11-01/039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE802.11 System Submitted to IEEE802.11.

Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.

EAP AKA Jari Arkko, Ericsson Henry Haverinen, Nokia.
Version 1 of EAP-TTLS draft-ietf-pppext-eap-ttls-05.txt Paul Funk Funk Software.

Version 1 of EAP-TTLS draft-ietf-pppext-eap-ttls-05.txt Paul Funk Funk Software.
August 2, 2005EAP WG, IETF 631 EAP-IKEv2 review Pasi Eronen.

August 2, 2005EAP WG, IETF 631 EAP-IKEv2 review Pasi Eronen.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Information Security of Embedded Systems 20.1.2010: Communication, wireless remote access Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.

Information Security of Embedded Systems : Communication, wireless remote access Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.
CS682- Session 10 Prof. Katz. Well-Known Attacks By far the most common security vulnerabilities Attacks that Script-Kiddies are capable of performing.

CS682- Session 10 Prof. Katz. Well-Known Attacks By far the most common security vulnerabilities Attacks that Script-Kiddies are capable of performing.
NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.

NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.
EAP Overview (Extensible Authentication Protocol) Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar.

EAP Overview (Extensible Authentication Protocol) Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar.
Slide 1/8 07/17/03 EAP 57th IETF WIEN, Austria, July 13-18, 2003 “EAP support in smartcards” Pascal Urien & All ENST Draft-urien-EAP-smartcard-02.txt.

Slide 1/8 07/17/03 EAP 57th IETF WIEN, Austria, July 13-18, 2003 “EAP support in smartcards” Pascal Urien & All ENST Draft-urien-EAP-smartcard-02.txt.
1 EAP Usage Issues Feb 05 Jari Arkko. 2 Typical EAP Usage PPP authentication Wireless LAN authentication –802.1x and 802.11i IKEv2 EAP authentication.

1 EAP Usage Issues Feb 05 Jari Arkko. 2 Typical EAP Usage PPP authentication Wireless LAN authentication –802.1x and i IKEv2 EAP authentication.
11/26 Integration of wireless LAN and 3G wireless - Interworking architecture between 3GPP and WLAN systems Ahmavaara, K.; Haverinen, H.; Pichna, R.; Communications.

11/26 Integration of wireless LAN and 3G wireless - Interworking architecture between 3GPP and WLAN systems Ahmavaara, K.; Haverinen, H.; Pichna, R.; Communications.
1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV BOF IETF-67 San Diego November 2006 Andrea Doherty.

1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV BOF IETF-67 San Diego November 2006 Andrea Doherty.
Wireless Network Security and Interworking

Wireless Network Security and Interworking
1 Using GSM/UMTS for Single Sign-On 28 th October 2003 SympoTIC 2003 Andreas Pashalidis and Chris J. Mitchell.

1 Using GSM/UMTS for Single Sign-On 28 th October 2003 SympoTIC 2003 Andreas Pashalidis and Chris J. Mitchell.
EAP Authentication for SIP & HTTP V. Torvinen (Ericsson), J. Arkko (Ericsson), A. Niemi (Nokia),

EAP Authentication for SIP & HTTP V. Torvinen (Ericsson), J. Arkko (Ericsson), A. Niemi (Nokia),

Similar presentations

Ads by Google