From: Pekka Pessi <pekka.pe...@nokia.com>

The authentication mechanisms include SIM authentication (basic A8 authentication used with GSM), AKA authentication and UICC-based GBA authentication.
The SIM and AKA can be used to implement EAP and GBA authentication algorithms. The interface can be applied to both SIM/USIM and ISIMs.
--- doc/sim-authentication-api.txt | 186 ++++++++++++++++++++++++++++++++++++++++ 1 files changed, 186 insertions(+), 0 deletions(-) create mode 100644 doc/sim-authentication-api.txt diff --git a/doc/sim-authentication-api.txt b/doc/sim-authentication-api.txt new file mode 100644 index 0000000..97f4fac --- /dev/null +++ b/doc/sim-authentication-api.txt 
@@ -0,0 +1,186 @@ +SimAuthentication hierarchy +=========================== + +Service org.ofono +Interface org.ofono.SimAuthentication +Object path [variable prefix]/{modem0,modem1,...} for SIM/USIM + [variable prefix]/{modem0,modem1,...}/{isim01,...} for ISIM + +Methods dict GetProperties() + + Returns all properties for this object. See the + properties section for available properties. + + Possible Errors: [service].Error.InvalidArguments + + dict Authenticate(string suite, dict input) + + Executes the requested authentication suite. + The input and returned result depend on the + authentication suite. + + See the suite sections for input and results for + each suite. + + Possible Errors: [service].Error.InvalidArguments + [service].Error.NotImplemented + +Properties array{string} Suites [readonly] + + Contains the list of supported authentication + suites and applications. The possible values are: + + "SIM" - SIM authentication + "AKA" - AKA authentication + "GBA_U" - UICC-based GBA authentication + + string IPMultimediaPrivateIdentity [readonly, optional] + + GBA identity read from ISIM or derived from IMSI. + + string BootstrappingServerFunctionAddress [readonly, optional] + + FQDN read from ISIM or derived from IMSI, + used with GBA. + + string TMPI [readonly, optional] + + Temporary identity used in GBA bootstrapping. + + string BTID [readonly, optional] + + Unique identity obtained from BSF server. + +SIM Authentication Suite +------------------------ + + SIM authentication can be used to implement EAP SIM or + GBA_ME authentication. + + In case of successful SIM authentication the returned + dictionary contains following items: + + byte{array} "SRES" - SRES parameter + + byte{array} "Kc" - Kc ciphering key + + The SRES parameter is a 4-byte array. + The Kc parameter is a 8-byte array. + +AKA Authentication Suite +------------------------ + + AKA authentication can be used to implement EAP AKA, AKA + digest or GBA_ME authentication. 
+ + The input dictionary must contain following input + parameters: + + byte{array} "RAND" - RAND parameter + + byte{array} "AUTN" - AUTN parameter + + In case of successful AKA authentication the returned + dictionary contains following items: + + byte{array} "RES" - AKA RES parameter + + byte{array} "CK" - AKA Ciphering key + + byte{array} "IK" - AKA Integrity key + + AKA is a mutual authentication algorithm: terminal and + network authenticate each other. In case the terminal + rejects the AUTN from network, the returned dictionary + contain following item: + + byte{array} "AUTS" - AKA AUTS parameter + + All the AKA parameters and keys are 16-byte arrays. + +UICC-based GBA Authentication Suite +----------------------------------- + + GBA is used to establish a unique identity and a shared + secret between SIM card and a network service. + + The GBA_ME variant where the Ks key is stored outside + SIM card can be implemented using ordinary SIM or AKA + authentication. + + The UICC-based GBA variant, GBA_U, keeps the Ks key + stored on the SIM card (UICC) and lets the SIM card + calculate the NAF keys. + + For further reference on GBA, see 3GPP TS 33.220 + and 3GPP TS 24.109. + + The GBA authentication suite has three different + operations: + + - bootstrapping (AKA authentication with BSF) + - update (storing result from BSF to SIM) + - NAF key derivation + + The GBA suite recognizes the operations based on the + input parameters. 
+ +GBA Bootstrapping + + The input dictionary for the GBA bootstrapping must + contain following parameters: + + byte{array} "RAND" - AKA RAND parameter + + byte{array} "AUTN" - AKA AUTN parameter + + In case of successful initial GBA bootstrapping the + returned dictionary contains following items: + + byte{array} "RES" - AKA RES parameter + + In case of unsuccessful bootstrapping the returned + dictionary contains following item: + + byte{array} "AUTS" - AKA AUTS parameter + + If the bootstrapping server accepts the RES parameter, + it will return an XML document containing bootstrapping + transaction identifier (B-TID) and the lifetime of the + KS_NAF keys. + +GBA Update + + The input dictionary for GBA update must contain + following parameters: + + string "BTID" - B-TID parameter + string "lifetime" - NAF key lifetime + + In case of succesful update, an empty dictionary is + returned. + +NAF Key Derivation + + The input dictionary for NAF key derivation must contain + the following parameters: + + string "variant" - "gba-u" or "gba-me" + + string "NAF" - FQDN of NAF + + byte{array} "protocol" - security protocol identifier + + The variant indicates whether the KS_int_NAF or + KS_ext_NAF is required. + + The security protocol identifier is usually a 5 byte + array. It indicates the protocol used between mobile + (UE) and network server (NAF). + + In case of successful NAF key derivation the returned + dictionary contains following item: + + byte{array} "KS-NAF" - NAF key + + The KS-NAF is a 32-byte array. -- 1.7.1 _______________________________________________ ofono mailing list ofono@ofono.org http://lists.ofono.org/listinfo/ofono
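Review bot: the "SIM Authentication Suite" section of this hunk documents only the returned "SRES" and "Kc" items and no input dictionary, whereas the AKA suite and the three GBA operations each list their inputs; since the suite is chosen through Authenticate(string suite, dict input), state what the SIM suite expects in the input dictionary (the RAND the SIM derives SRES and Kc from), in the same form as the AKA section's `byte{array} "RAND" - RAND parameter`. Related consistency issues in the same hunk: the Suites property uses the notation `array{string}` while every key and parameter below it is written `byte{array}`, so pick one form; the NAF key is spelled "KS_NAF" in the bootstrapping prose and "KS-NAF" as the returned dictionary key; "BTID" is the input name under GBA Update but "B-TID" in the surrounding text; "succesful" under GBA Update should read "successful", and "the returned dictionary contain following item" in the AKA section should read "contains the following item". Finally, every suite returns raw keying material (Kc, CK and IK, KS-NAF) to whichever D-Bus client calls Authenticate, yet the method description only lists possible errors; the document should say which callers are permitted to invoke it so the access policy is explicit rather than implied.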