[strongSwan] About migrating the milenage of 3GPP and the USIM card API

Martin Willi martin at strongswan.org
Tue Apr 24 08:37:46 CEST 2012


Hi Kenxin,

> Question 1 : Can I add the milenage algoritm by modifying the USIM API
> card_get_quintuplet( ) in the file simaka_manager.c ? Would it check
> wether there is one USIM as default ?

Our eap-aka-3gpp2 plugin implements S.S0055 from the 3GPP2 specs.
Milenage from 3GPP has the same purpose, but is a little different in
the implementation.

If you need a software implementation of Milenage, you can create your
own plugin based on on eap-aka-3gpp2 and implement the fx() functions
accordingly.

If you want to use a real USIM, you might have a look at the
eap-sim-pcsc plugin as starting point. It uses PCSC to get SIM triplets.

> Question 2 : Can I add the milenage algoritm by modifying the
> algorithm function in  eap-aka-3gpp2 ? I haved finished the
> migration  ,but when I tested it as client with the radius
> service ,AAA , it failed to work ,the radius service  and AAA had send
> "chanllge accept " to the client, but the client  report with "unable
> to use EAP-SIM, missing algorithms".

It just means that, you're missing one of the required crypto
algorithms, maybe the fips-prf.

>   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509
> revocation hmac xcbc stroke kernel-netlink socket-default fips-prf
> eap-aka eap-aka-3gpp2 eap-identity updown

We recommend to remove an explicit load statement, unless you exactly
know what you do. The ./configure script takes care of load order and
some dependencies, this might solve your issues.

> Question 3 : I aslo will use a USIM card of 3GPP to achieve the
> EAP-AKA, would I need to  modify the code of strongswan  ? Or I just
> use the USIM API  card_get_quintuplet( ) in the file
> simaka_manager.c ? Is there any API which I must use to connect to the
> USIM driver ? 

You'd basically have to map the get_quintuplet() function in your own
plugin to your cards driver, reading quintuplets. We don't have any
supporting API to do this, but the eap-sim-pcsc plugin might give you an
idea how this could work.

Most eap-sim/aka development has been done as sponsored work. Let me
know if you're interested in our professional development services.

Kind Regards
Martin






More information about the Users mailing list