A.1 EAP based Authentication

3GPP TS 43.318 Release 17: Generic Access Network (GAN); Stage 2

A.1.1 EAP-SIM Procedure for authentication

Figure A.1: EAP-SIM authentication procedure

The EAP-SIM authentication mechanism is specified in [30]. This clause describes how this mechanism is used in GAN.

1. The MS connects to the generic IP access network.

2. The MS obtains the IP address of the GANC-SEGW, and initializes the IKEv2 authentication procedure by starting the IKE_SA_INIT exchange. It indicates the desire to use EAP by leaving out the AUTH payload from message 3 of the IKE_AUTH exchange, and the initiator identity is composed compliant with the Network Access Identifier (NAI) format specified in RFC 2486 [36], which contains the IMSI.

3. The GANC-SEGW communicates with the local AAA server through the Wm interface, which in turn determines the proper AAA Server based on the realm part of the NAI. The routing path may include one or several AAA proxies (not shown in figure A.1).

4. The GANC-SEGW sends an EAP Response/Identity message to the AAA server, containing the identity included in the third IKE message. This triggers the start of EAP-SIM.

5. The AAA Server identifies the subscriber as a candidate for authentication with EAP-SIM, based on the received identity, and sends the EAP Request/SIM-Start packet to GANC-SEGW.

6. The GANC-SEGW forwards the EAP Request/SIM-Start packet to MS.

7. The MS chooses a fresh random number NONCE_MT. The random number is used in network authentication. The MS sends the EAP Response/SIM-Start packet, containing NONCE_MT, to the GANC-SEGW.

8. The GANC-SEGW forwards the EAP Response/SIM-Start packet to the AAA Server.

9. The AAA server requests authentication data from the HLR, based on the IMSI. Note that the AAA server could instead use cached triplets previously retrieved from the HLR to continue the authentication process.

10. The AAA server receives multiple triplets from the HLR.

11. The AAA server formulates an EAP-SIM/Challenge with multiple RAND challenges, and includes a message authentication code (MAC) whose master key is computed based on the associated Kc keys, as well as the NONCE_MT. A new re-authentication identity may be chosen and protected (i.e. encrypted and integrity protected) using EAP-SIM generated keying material. The AAA Server sends this RAND, MAC and re-authentication identity to the GANC-SEGW in the EAP Request/SIM-Challenge message.

12. The GANC-SEGW forwards the EAP Request/SIM-Challenge message to the MS.

13. The MS runs the GSM A3/A8 algorithm in the SIM N times, once for each received RAND. This computation yields N SRES and Kc values. The MS calculates its copy of the network authentication MAC with the newly derived keying material and checks that it is equal to the received MAC. If the MAC is incorrect, network authentication has failed and the MS cancels the authentication. The MS continues the authentication exchange only if the MAC is correct. The MS then calculates a new MAC with the new keying material covering the EAP message concatenated with the N SRES responses. If a re-authentication ID was received, the MS stores this ID for future authentications.

14. The MS sends EAP Response/SIM-Challenge containing calculated MAC to the GANC-SEGW.

15. The GANC-SEGW forwards the EAP Response/SIM-Challenge packet to the AAA Server.

16. The AAA Server verifies that its copy of the response MAC is equal to the received MAC.

17. If the comparison in step 16 is successful, then the AAA Server sends the EAP Success message to the GANC‑SEGW. The AAA Server includes derived keying material for confidentiality and/or integrity protection between MS and GANC-SEGW, in the underlying AAA protocol message (i.e. not at EAP level).

18. The GANC-SEGW informs the MS about the successful authentication with the EAP Success message.

19. Now that the EAP-SIM exchange has been successfully completed, the IKE signalling can be completed.

20. The Secure Association between MS and GANC-SEGW has been completed and the MS can continue with the discovery or registration procedure.
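The following is an added model of steps 11, 13 and 16 above, written for this annex and not part of the specification or any 3GPP implementation. It assumes constructed values: the SIM's A3/A8 and the FIPS 186-2 key expansion of EAP-SIM are replaced by HMAC-SHA1 stand-ins, and the EAP packets are fixed byte strings. The point it shows is the ordering in step 13: the MS checks the network's MAC over the RANDs and NONCE_MT before it computes and releases the MAC over its SRES values, so a challenge that does not verify ends the exchange with nothing sent.

```python
import hashlib, hmac, os

# Constructed values; A3/A8 and the FIPS 186-2 key expansion are HMAC-SHA1 stand-ins.
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
IDENTITY = b"1234567890@example.invalid"      # constructed NAI, not a real IMSI
VERSION_LIST, SELECTED_VERSION = b"\x00\x01", b"\x00\x01"

def a3a8(ki, rand):
    d = hmac.new(ki, rand, hashlib.sha1).digest()
    return d[:4], d[4:12]                     # (SRES, Kc) with GSM lengths

def k_aut(identity, kcs, nonce_mt):
    # MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version)
    mk = hashlib.sha1(identity + b"".join(kcs) + nonce_mt
                      + VERSION_LIST + SELECTED_VERSION).digest()
    return hmac.new(mk, b"K_aut", hashlib.sha1).digest()   # stand-in expansion

def mac16(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:16]

def aaa_challenge(triplets, nonce_mt, req_pkt):
    """Step 11: MAC_RAND over the EAP request packet and NONCE_MT."""
    key = k_aut(IDENTITY, [kc for _, _, kc in triplets], nonce_mt)
    return [r for r, _, _ in triplets], mac16(key, req_pkt + nonce_mt), key

def ms_respond(ki, rands, mac_rand, nonce_mt, req_pkt, resp_pkt):
    """Step 13: authenticate the network first; only then answer."""
    results = [a3a8(ki, r) for r in rands]
    key = k_aut(IDENTITY, [kc for _, kc in results], nonce_mt)
    if not hmac.compare_digest(mac16(key, req_pkt + nonce_mt), mac_rand):
        return None                           # bad MAC: cancel, send nothing
    sres_all = b"".join(s for s, _ in results)
    return mac16(key, resp_pkt + sres_all)    # MAC_SRES

def aaa_verify(triplets, key, mac_sres, resp_pkt):
    """Step 16: recompute MAC_SRES from the HLR's own SRES values."""
    sres_all = b"".join(s for _, s, _ in triplets)
    return hmac.compare_digest(mac16(key, resp_pkt + sres_all), mac_sres)

def run(corrupt_mac=False):
    nonce_mt = os.urandom(16)                 # step 7
    triplets = [(r, *a3a8(KI, r)) for r in (os.urandom(16) for _ in range(3))]
    req, resp = b"EAP-Request/SIM-Challenge", b"EAP-Response/SIM-Challenge"
    rands, mac_rand, key = aaa_challenge(triplets, nonce_mt, req)
    if corrupt_mac:
        mac_rand = bytes(16)                  # challenge not built by the AAA
    mac_sres = ms_respond(KI, rands, mac_rand, nonce_mt, req, resp)
    if mac_sres is None:
        return "aborted"
    return "success" if aaa_verify(triplets, key, mac_sres, resp) else "rejected"
```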

A.1.2 EAP-AKA Procedure for authentication

The EAP-AKA authentication mechanism is specified in [38]. This clause describes how this mechanism is used in GAN.

Figure A.2: EAP-AKA authentication procedure

1. The MS connects to the generic IP access network.

2. The MS obtains the IP address of the GANC-SEGW, and initializes the IKEv2 authentication procedure by starting the IKE_SA_INIT exchange. It indicates the desire to use EAP by leaving out the AUTH payload from message 3, the first message of the IKE_AUTH exchange, and the initiator identity is composed compliant with the Network Access Identifier (NAI) format specified in RFC 2486, which contains the IMSI and an indication that EAP-AKA should be used.

3. The GANC-SEGW communicates with the local AAA server through the Wm interface, which in turn determines the proper AAA Server based on the realm part of the NAI. The routing path may include one or several AAA proxies (not shown in figure A.2).

4. The GANC-SEGW sends an EAP Response/Identity message to the AAA server, containing the initiator identity included in the third IKE message. The leading digit of the NAI indicates that the MS wishes to use EAP-AKA.

5. The AAA server identifies the subscriber as a candidate for authentication with EAP-AKA, based on the received identity, and verifies that EAP-AKA shall be used based on subscription information. The AAA server requests the user profile and UMTS authentication vector(s) from the HSS/HLR, if these are not available in the AAA server.

6. Optionally, the AAA server receives the user subscription and UMTS authentication vector(s) from the HSS/HLR. A UMTS authentication vector consists of a random part (RAND), an authentication part (AUTN), an expected result part (XRES) and session keys for integrity check (IK) and encryption (CK). The AAA server determines the EAP method (SIM or AKA) to be used, according to the user subscription and/or the indication received from the MS. In this sequence diagram, it is assumed that the MS holds a USIM and that EAP-AKA will be used.

7. The AAA server formulates an EAP-Request/AKA Challenge with RAND, AUTN and includes a message authentication code (MAC) whose master key is computed based on the associated IK and CK. A new re‑authentication identity may be chosen and protected (i.e. encrypted and integrity protected) using EAP-AKA generated keying material. The AAA Server sends the RAND, AUTN, MAC and re-authentication identity to the GANC-SEGW in the EAP Request/AKA-Challenge message.

8. The GANC-SEGW forwards the EAP Request/AKA-Challenge message to the MS.

9. The MS runs the UMTS algorithm on the USIM. The USIM verifies that the AUTN is correct and thereby authenticates the network. If the AUTN is incorrect, the MS rejects the authentication (not shown in figure A.3). If the AUTN is correct, the USIM computes RES, IK and CK. The MS calculates a new MAC with the new keying material (IK and CK) covering the EAP message. If a re-authentication ID was received, the MS stores this ID for future authentications.

10. The MS sends EAP Response/AKA-Challenge containing calculated RES and MAC to the GANC-SEGW.

11. The GANC-SEGW forwards the EAP Response/AKA-Challenge message to the AAA Server.

12. The AAA Server verifies the received MAC and compares XRES to the received RES.

13. If the checks in step 12 are successful, then the AAA Server sends the EAP Success message to the GANC‑SEGW. The AAA Server includes derived keying material for confidentiality and/or integrity protection between MS and GANC-SEGW, in the underlying AAA protocol message (i.e. not at EAP level).

14. The GANC-SEGW informs the MS about the successful authentication with the EAP Success message.

15. Now that the EAP-AKA exchange has been successfully completed, the IKE signalling can be completed.

16. The Secure Association between MS and GANC-SEGW has been completed and the MS can continue with the GAN discovery or registration procedure.

A.1.3 Fast Re-authentication

When the authentication process is performed frequently, especially with a large number of connected Mobile Stations, performing fast re-authentication can reduce the network load resulting from this authentication. The fast re-authentication process allows the AAA server to authenticate a user based on keys derived from the last full authentication process.

The MS and GANC-SEGW can use a procedure for fast re-authentication in order to re-authenticate an MS e.g. when setting up a new SA because the IP address of the MS has changed as a result of a handover between generic IP access network attachment points connected to different IP subnets. Fast re-authentication is provided by EAP-SIM and EAP‑AKA, and does not make use of the GSM A3/A8 or UMTS algorithms. The MS may use the re-authentication ID in the IKE_SA_INIT. The decision to make use of the fast re-authentication procedure is taken by the AAA server.

The basic elements of these procedures are the following:

– The MS initiates a new SA with a GANC-SEGW that it was previously connected to and uses the re-authentication ID (re-authentication ID received during the previous full authentication procedure) in the IKE_SA_INIT exchange. The EAP-SIM or EAP-AKA procedure is started as a result of these exchanges.

– The AAA server and MS re-authenticate each other based on the keys derived on the preceding full authentication.

A.1.3.1 EAP-SIM Fast Re-authentication

The EAP-SIM specification [30] includes support for fast re-authentication. The use of this mechanism may be subject to operator policy.

Figure A.3: EAP-SIM fast re-authentication procedure

1. The MS initializes the IKEv2 authentication procedure by starting the IKE_SA_INIT exchange. It indicates the desire to use EAP by leaving out the AUTH payload from message 3 of the IKE_AUTH exchange, and the initiator identity contains the re-authentication identity (this identity was previously delivered by AAA server in a full authentication procedure).

2. The GANC-SEGW sends an EAP Response/Identity message to the AAA server, containing the re‑authentication ID as was included in the third IKE message. This triggers the start of EAP-SIM.

3. The AAA server initiates the Counter (which was initialized to one in the full authentication process) and sends it in the EAP Request message, together with the NONCE, the MAC (calculated over the NONCE) and a re-authentication ID for the next fast re-authentication. If the AAA server is not able to deliver a re-authentication identity, then the MS shall force a full authentication next time (to avoid using the re-authentication identity more than once).

4. The GANC-SEGW forwards the EAP Request message to the MS.

5. The MS verifies that the Counter value is fresh and the MAC is correct.

6. The MS sends the EAP Response message with the same Counter value and a calculated MAC to the GANC‑SEGW.

7. The GANC-SEGW forwards the response to the AAA server.

8. The AAA server verifies that the Counter value is the same as it sent, and that the MAC is correct.

9. The AAA server sends an EAP Success message to the GANC-SEGW.

10. The GANC-SEGW forwards the EAP Success message to the MS.

A.1.3.2 EAP-AKA Fast Re-authentication

The EAP-AKA specification [38] includes support for fast re-authentication. The use of this mechanism may be subject to operator policy.

Figure A.4: EAP-AKA fast re-authentication procedure

1. The MS initializes the IKEv2 authentication procedure by starting the IKE_SA_INIT exchange. It indicates the desire to use EAP by leaving out the AUTH payload from message 3, the first message of the IKE_AUTH exchange, and the initiator identity contains the re-authentication identity (this identity was previously delivered by the AAA server in an EAP-AKA full authentication procedure).

2. The GANC-SEGW sends an EAP Response/Identity message to the AAA server, containing the re‑authentication ID as was included in the third IKE message. This triggers the start of EAP-AKA.

3. The AAA server initiates the Counter (which was initialized to one in the full authentication process) and sends it in the EAP Request/AKA-Reauthentication message, together with the NONCE, the MAC (calculated over the NONCE) and a re-authentication ID for the next fast re-authentication. If the AAA server is not able to deliver a re-authentication identity, then the MS shall force a full authentication next time (to avoid using the re-authentication identity more than once).

4. The GANC-SEGW forwards the EAP Request/AKA-Reauthentication message to the MS.

5. The MS verifies that the Counter value is fresh and the MAC is correct.

6. The MS sends the EAP Response/AKA-Reauthentication message with the same Counter value and a calculated MAC to the GANC-SEGW.

7. The GANC-SEGW forwards the response to the AAA server.

8. The AAA server verifies that the Counter value is the same as it sent, and that the MAC is correct.

9. The AAA server sends an EAP Success message to the GANC-SEGW.

10. The GANC-SEGW forwards the EAP Success message to the MS.
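The following is an added model of the fast re-authentication exchange in A.1.3.1 and A.1.3.2 (the two procedures differ only in message names), written for this annex and not code from the specification. It assumes a constructed K_aut and re-authentication ID left behind by a full authentication, and simplifies the MAC input to a direction tag, the Counter and the NONCE (the real MAC covers the whole EAP packet). It exercises the three checks the text calls out: the MS rejects a stale Counter (a replayed request), the AAA server accepts only the Counter it just sent, and an exchange in which no new re-authentication ID is delivered leaves the MS committed to a full authentication next time.

```python
import hashlib, hmac, os

# Constructed state left behind by a full authentication (A.1.1 / A.1.2):
# the K_aut derived there, Counter initialised to one, first re-auth ID.
K_AUT = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
FIRST_ID = "reauth-0001@example.invalid"        # constructed re-auth ID

def mac16(key, tag, counter, nonce):
    # Simplified MAC input (direction tag | Counter | NONCE), truncated to
    # 16 bytes as in EAP-SIM/EAP-AKA; the real MAC covers the EAP packet.
    return hmac.new(key, tag + counter.to_bytes(2, "big") + nonce,
                    hashlib.sha1).digest()[:16]

class AAA:
    def __init__(self):
        self.counter, self.valid_id, self.pending = 1, FIRST_ID, None
    def request(self, reauth_id, issue_new_id=True):
        """Step 3: Counter, NONCE, MAC and the next re-auth ID."""
        if reauth_id != self.valid_id:
            return None                       # unknown ID: full auth needed
        self.counter += 1
        nonce = os.urandom(16)
        self.valid_id = f"reauth-{self.counter:04d}@example.invalid" if issue_new_id else None
        self.pending = (self.counter, nonce)
        return self.counter, nonce, self.valid_id, mac16(K_AUT, b"REQ", self.counter, nonce)
    def verify(self, counter, mac):
        """Step 8: same Counter as sent, and a correct MAC."""
        sent, nonce = self.pending or (None, b"")
        self.pending = None
        return counter == sent and hmac.compare_digest(mac16(K_AUT, b"RESP", counter, nonce), mac)

class MS:
    def __init__(self):
        self.last_counter, self.reauth_id, self.force_full = 1, FIRST_ID, False
    def respond(self, counter, nonce, next_id, mac):
        """Steps 5-6: reject a stale Counter or bad MAC before answering."""
        if counter <= self.last_counter:
            return None                       # replayed or stale request
        if not hmac.compare_digest(mac16(K_AUT, b"REQ", counter, nonce), mac):
            return None
        self.last_counter, self.reauth_id = counter, next_id
        self.force_full = next_id is None     # no new ID: full auth next time
        return counter, mac16(K_AUT, b"RESP", counter, nonce)

def scenario():
    aaa, ms = AAA(), MS()
    req = aaa.request(ms.reauth_id)             # first fast re-authentication
    first_ok = aaa.verify(*ms.respond(*req))
    replayed = ms.respond(*req)                 # same request replayed later
    req2 = aaa.request(ms.reauth_id, issue_new_id=False)
    second_ok = aaa.verify(*ms.respond(*req2))
    return first_ok, replayed is None, ms.force_full, second_ok
```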