[strongSwan] About migrating the milenage of 3GPP and the USIM card API

[kenxin lau]

Hi,Martin

 After the migration ,I  used the wireshark to get the packets before the
AAA service ,I found that the RES( e.g.

RES1 ) in the wireshark is not equal to the RES( e.g. RES2 ) which  is
calculated by the milenage function. It means that the RES

which before sent out  is not the same as the RES after sent out .And the
first eight bytes of RES1 is the same as the the

first eight bytes of RES2 .But the later eight bytes of RES1 is different
with  the the later eight bytes of RES2 absolutely.Is there  a

bug in the strongswan ? The version of strongswan I  used is the
strongswan-4.6.1.

Best regards !

                                                                    kenxin

2012/4/24 Martin Willi <martin at strongswan.org>

> Hi Kenxin,
>
> > Question 1 : Can I add the milenage algoritm by modifying the USIM API
> > card_get_quintuplet( ) in the file simaka_manager.c ? Would it check
> > wether there is one USIM as default ?
>
> Our eap-aka-3gpp2 plugin implements S.S0055 from the 3GPP2 specs.
> Milenage from 3GPP has the same purpose, but is a little different in
> the implementation.
>
> If you need a software implementation of Milenage, you can create your
> own plugin based on on eap-aka-3gpp2 and implement the fx() functions
> accordingly.
>
> If you want to use a real USIM, you might have a look at the
> eap-sim-pcsc plugin as starting point. It uses PCSC to get SIM triplets.
>
> > Question 2 : Can I add the milenage algoritm by modifying the
> > algorithm function in  eap-aka-3gpp2 ? I haved finished the
> > migration  ,but when I tested it as client with the radius
> > service ,AAA , it failed to work ,the radius service  and AAA had send
> > "chanllge accept " to the client, but the client  report with "unable
> > to use EAP-SIM, missing algorithms".
>
> It just means that, you're missing one of the required crypto
> algorithms, maybe the fips-prf.
>
> >   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509
> > revocation hmac xcbc stroke kernel-netlink socket-default fips-prf
> > eap-aka eap-aka-3gpp2 eap-identity updown
>
> We recommend to remove an explicit load statement, unless you exactly
> know what you do. The ./configure script takes care of load order and
> some dependencies, this might solve your issues.
>
> > Question 3 : I aslo will use a USIM card of 3GPP to achieve the
> > EAP-AKA, would I need to  modify the code of strongswan  ? Or I just
> > use the USIM API  card_get_quintuplet( ) in the file
> > simaka_manager.c ? Is there any API which I must use to connect to the
> > USIM driver ?
>
> You'd basically have to map the get_quintuplet() function in your own
> plugin to your cards driver, reading quintuplets. We don't have any
> supporting API to do this, but the eap-sim-pcsc plugin might give you an
> idea how this could work.
>
> Most eap-sim/aka development has been done as sponsored work. Let me
> know if you're interested in our professional development services.
>
> Kind Regards
> Martin
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120427/a82cfd13/attachment.html>