[strongSwan] About migrating the milenage of 3GPP and the USIM card API
martin at strongswan.org
Tue Apr 24 08:37:46 CEST 2012
> Question 1 : Can I add the milenage algorithm by modifying the USIM API
> card_get_quintuplet( ) in the file simaka_manager.c ? Would it check
> whether there is one USIM as default ?
Our eap-aka-3gpp2 plugin implements S.S0055 from the 3GPP2 specs.
Milenage from 3GPP has the same purpose, but is a little different in
If you need a software implementation of Milenage, you can create your
own plugin based on eap-aka-3gpp2 and implement the fx() functions
If you want to use a real USIM, you might have a look at the
eap-sim-pcsc plugin as starting point. It uses PCSC to get SIM triplets.
> Question 2 : Can I add the milenage algorithm by modifying the
> algorithm function in eap-aka-3gpp2 ? I have finished the
> migration, but when I tested it as client with the radius
> service, AAA, it failed to work. The radius service and AAA had sent
> "challenge accept" to the client, but the client reported "unable
> to use EAP-SIM, missing algorithms".
It just means that you're missing one of the required crypto
algorithms, maybe the fips-prf.
> load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509
> revocation hmac xcbc stroke kernel-netlink socket-default fips-prf
> eap-aka eap-aka-3gpp2 eap-identity updown
We recommend removing an explicit load statement, unless you know
exactly what you are doing. The ./configure script takes care of load
order and some dependencies; this might solve your issues.
> Question 3 : I also will use a USIM card of 3GPP to achieve the
> EAP-AKA, would I need to modify the code of strongswan ? Or I just
> use the USIM API card_get_quintuplet( ) in the file
> simaka_manager.c ? Is there any API which I must use to connect to the
> USIM driver ?
You'd basically have to map the get_quintuplet() function in your own
plugin to your card's driver, reading quintuplets. We don't have any
supporting API to do this, but the eap-sim-pcsc plugin might give you an
idea how this could work.
Most eap-sim/aka development has been done as sponsored work. Let me
know if you're interested in our professional development services.