Support for EAP-SIM and EAP-AKA in Android.
2013-04-12 15:39
661 查看
http://code.google.com/p/seek-for-android/wiki/EapSimAka
NOTE: The described EAP patch will only work on a real Android Smartphone which has an up and running SmartCardAPI with UICC support and PCSC System Service.
EAP-SIM is specified in
RFC 4186.
EAP-AKA is specified in
RFC 4187.
Specifications about EAP can be found
here and here.
![](http://seek-for-android.googlecode.com/svn/wiki/img/EapSim_System.png)
To run an EAP-SIM/AKA authentication you will need a client as wpa_supplicant which has access to a (U)SIM. The WLAN access point on the network has to support EAP (which is often transcribed as WPA(2)-RADIUS or WPA(2)-ENTERPRISE). The WLAN AP has to have
access to a RADIUS server who handles the authentication and session key generation. The RADIUS server in a productive environment needs for EAP-SIM/AKA access to the home location register (HLR) of the MNO where the (U)SIMs are registered. For testing a file
with precreated values for authentication is sufficient.
The next picture shows simplified the data flow during the authentication process.
![](http://seek-for-android.googlecode.com/svn/wiki/img/EapSim_DataFlow.png)
the wpa_supplicant and
the Settings.apk
To get access to the (U)SIM it is necessary to enable the PC/SC interface and integrate the SmartCard API with UICC support.
The EAP-SIM/AKA patch was tested against Android 2.3.5_r1, the
SmartCard API 2.2.2 and the
PCSC System Service 0.9.7.
expected responses from the (U)SIM according to the T=0 protocol, but the SmartCardService returns response data according to T=1.
SIM and AKA are now available and selectable as EAP-Method. When selecting
SIM or AKA the other fields like Phase 2 Authentication,
CA-Cerificate and so on can be left empty or by their default values.
EAP-SIM/AKA patch and extract the content.
Apply the patch with
in the root directory of your Android Sources. Build the system how it is shown in
BuildingTheSystem.
rlm_sim_files module so that it can provide the EAP-SIM and EAP-AKA module with the correct data and keys.
The result is a patch was developed with version 2.1.9 of the freeradius server but it might also work for other 2.1.x versions.
NOTE: This patch will only work for EAP-AKA if on the USIM the sequence number check is disabled, since the AUTN provided by
rlm_sim_files is constant. Therefore check EF_AuthAlgo on your USIM.
On a ubuntu machine get freeradius sources via (first change to the directory where you want to store the sources)
Get the build dependencies
A freeradius source directory will be created e.g. freeradius-2.1.9-dfsg.
Change the ownership to your development account and the goto the source directory.
Get the
freeradius patch archive and extract the content. Apply the patch within the freeradius source directory of freeradius. You may want to try it first with option
--dry-run to check if everything will do fine.
Build the deb packages:
Install the packages
Since the rlm_sim_files module is not build by the debian packages routines. It has to be built and copied manually. Change to and run make
Copy the libraries and create a symbolic link
(Re-)Start the freeradius server with:
Add to or change clients.conf that it contains
The secret and shortname can be chosen freely, but you have to setup on your WLAN AP the same secret. e.g. on a LinkSys WRT54GL
![](http://seek-for-android.googlecode.com/svn/wiki/img/EapSim_LinksysWpaEapSetup.png)
In the config directory /etc/freeradius/modules create a file sim_files with following content:
In the config file eap.conf add at the end but before the closing }
In the config file default add
directly before
After changes on the configuration files a restart of the server is necessary.
Sample of a simtriplets.dat file
The first triplet block ist for EAP-SIM on a SIM card, the second block is for EAP-SIM on a USIM card and the last line contains the values for EAP-AKA of a USIM card.
It is mandatory to have at least 3 different records for one IMSI when it is used for EAP-SIM.
It is not possible to use a single USIM for EAP-AKA and EAP-SIM at the same time. Only one of the methods may be active, the other method can be disabled by adding a # as prefix.
http://agsm.sourceforge.net/download.html
NOTE: The described EAP patch will only work on a real Android Smartphone which has an up and running SmartCardAPI with UICC support and PCSC System Service.
Introduction
EAP-SIM is a mechanism for authentication and session key generation using a GSM authentication algorithm on client and network side. EAP-AKA is like EAP-SIM but uses the authentication algorithms on an USIM.EAP-SIM is specified in
RFC 4186.
EAP-AKA is specified in
RFC 4187.
Specifications about EAP can be found
here and here.
Details
An overview how a WLAN with EAP authentication may look like is shown below:![](http://seek-for-android.googlecode.com/svn/wiki/img/EapSim_System.png)
To run an EAP-SIM/AKA authentication you will need a client as wpa_supplicant which has access to a (U)SIM. The WLAN access point on the network has to support EAP (which is often transcribed as WPA(2)-RADIUS or WPA(2)-ENTERPRISE). The WLAN AP has to have
access to a RADIUS server who handles the authentication and session key generation. The RADIUS server in a productive environment needs for EAP-SIM/AKA access to the home location register (HLR) of the MNO where the (U)SIMs are registered. For testing a file
with precreated values for authentication is sufficient.
The next picture shows simplified the data flow during the authentication process.
![](http://seek-for-android.googlecode.com/svn/wiki/img/EapSim_DataFlow.png)
Changes to Android
In order to run EAP-SIM/AKA on an Android smartphone it is necessary to adapt two parts of the sources:the wpa_supplicant and
the Settings.apk
To get access to the (U)SIM it is necessary to enable the PC/SC interface and integrate the SmartCard API with UICC support.
The EAP-SIM/AKA patch was tested against Android 2.3.5_r1, the
SmartCard API 2.2.2 and the
PCSC System Service 0.9.7.
wpa_supplicant
For the wpa_supplicant the use of the PCSC interface has to be enabled and the functions which encapsulate the PCSC interface have to be adapted so that they can handle the responses from the SmartCardService, since the original sources of the wpa_supplicantexpected responses from the (U)SIM according to the T=0 protocol, but the SmartCardService returns response data according to T=1.
Settings.apk
To give the user the possibility to enable EAP-SIM or EAP-AKA on his Smartphone it is necessary to extend the WiFi Dialog where it is possible to select the EAP methods. The WiFi Dialog is located in the package Settings.apk. Now the entriesSIM and AKA are now available and selectable as EAP-Method. When selecting
SIM or AKA the other fields like Phase 2 Authentication,
CA-Cerificate and so on can be left empty or by their default values.
Patch
Download theEAP-SIM/AKA patch and extract the content.
Apply the patch with
patch -p1 -i eap-sim-aka_0.4.1.patch
in the root directory of your Android Sources. Build the system how it is shown in
BuildingTheSystem.
Additional Components
Compile freeradius with EAP-SIM/AKA support.
The EAP-AKA support for freeradius was introduced by a patch for Version 1.1.4. This patch is not available for Version 2 of freeradius server. We have merged the old EAP-AKA patch and added some more features to therlm_sim_files module so that it can provide the EAP-SIM and EAP-AKA module with the correct data and keys.
The result is a patch was developed with version 2.1.9 of the freeradius server but it might also work for other 2.1.x versions.
NOTE: This patch will only work for EAP-AKA if on the USIM the sequence number check is disabled, since the AUTN provided by
rlm_sim_files is constant. Therefore check EF_AuthAlgo on your USIM.
On a ubuntu machine get freeradius sources via (first change to the directory where you want to store the sources)
sudo apt-get source freeradius
Get the build dependencies
sudo apt-get build-dep freeradius
A freeradius source directory will be created e.g. freeradius-2.1.9-dfsg.
Change the ownership to your development account and the goto the source directory.
sudo chown -R <user>:<group> ./freeradius-2.1.9-dfsg cd freeradius-2.1.9-dfsg
Get the
freeradius patch archive and extract the content. Apply the patch within the freeradius source directory of freeradius. You may want to try it first with option
--dry-run to check if everything will do fine.
patch -p2 -i freeradius-2.1.9-dfsg_eap-sim-aka-0.1.patch
Build the deb packages:
debian/rules binary
Install the packages
sudo deb -i ../libfreeradius2_2.1.9+dfsg-sch02_i386.deb sudo deb -i ../freeradius_2.1.9+dfsg-sch02_i386.deb sudo deb -i ../freeradius-common_2.1.9+dfsg-sch02_all.deb
Since the rlm_sim_files module is not build by the debian packages routines. It has to be built and copied manually. Change to and run make
cd ./src/modules/rlm_sim_files make
Copy the libraries and create a symbolic link
sudo cp ./.libs/rlm_sim_files-2.1.9.so /usr/lib/freeradius sudo ln -s /usr/lib/freeradius/rlm_sim_files-2.1.9.so /usr/lib/freeradius/rlm_sim_files.so
(Re-)Start the freeradius server with:
sudo /etc/init.d/freeradius restart
Set up of the freeradius server
All configuration files for freeradius are located in /etc/freeradius and below.Add to or change clients.conf that it contains
client 192.168.0.0/16 { secret = eap-sim shortname = eap-sim }
The secret and shortname can be chosen freely, but you have to setup on your WLAN AP the same secret. e.g. on a LinkSys WRT54GL
![](http://seek-for-android.googlecode.com/svn/wiki/img/EapSim_LinksysWpaEapSetup.png)
In the config directory /etc/freeradius/modules create a file sim_files with following content:
sim_files { simtriplets = "/etc/freeradius/simtriplets.dat" }
In the config file eap.conf add at the end but before the closing }
aka { } sim { }
In the config file default add
sim_files
directly before
eap { ok = return }
After changes on the configuration files a restart of the server is necessary.
simtriplets.dat
Create the file /etc/freeradius/simtriplets.dat with the content from your (U)SIMs you want to use.Sample of a simtriplets.dat file
# IMSI RAND SRES Kc SIM,1262074920549791,64BC736EF7684de1921F9C9C0E0679E2,0B7e4e4b,D2119f41D8840400 SIM,1262074920549791,97D0C531F2A84000ACB5E4F966157908,181c8ac1,E2f6976a226bc800 SIM,1262074920549791,1E4FD2861D0848a499C91162234B255C,211056b1,8Bbdd2385B3a0400 # SIM,0262074920549791,64BC736EF7684de1921F9C9C0E0679E2,0B7e4e4b,D2119f41D8840400 SIM,0262074920549791,97D0C531F2A84000ACB5E4F966157908,181c8ac1,E2f6976a226bc800 SIM,0262074920549791,1E4FD2861D0848a499C91162234B255C,211056b1,8Bbdd2385B3a0400 # IMSI RAND RES AUTN IK CK AKA,0262073961704408,9FDDC72092C6AD036B6E464789315B78,F553BBC042452202,478412477BFF61DFD5BE5A85664C0820,359CF653FDC8BD365AD32A264811B7EE,CA31C86C64F1C274565CFA7966E2CE0D
The first triplet block ist for EAP-SIM on a SIM card, the second block is for EAP-SIM on a USIM card and the last line contains the values for EAP-AKA of a USIM card.
It is mandatory to have at least 3 different records for one IMSI when it is used for EAP-SIM.
It is not possible to use a single USIM for EAP-AKA and EAP-SIM at the same time. Only one of the methods may be active, the other method can be disabled by adding a # as prefix.
agsm
The EAP-SIM values can be creates using the tool asgm which kann be found herehttp://agsm.sourceforge.net/download.html
![](http://seek-for-android.googlecode.com/svn/wiki/img/EapSim_AgsmMiscGsmAuth.png)
相关文章推荐
- springMVC项目异步处理请求的错误Async support must be enabled on a servlet and for all filters involved in async
- Android: Simplified source code for parsing and working with XML data and web services in Android
- Drag and Drop support for column reordering in DataGrid control
- [转]UTF-8 encoding support for the BCP utility and BULK INSERT Transact-SQL command in SQL Server 2014 SP2
- Some jar(v4 support, ActionBarSherlock and etc.) import error in Android Studio
- Is there any way to define a min and max value for edittext in android?
- 解决Conflict with dependency 'com.android.support:support-v4' in project ':app'. Resolved versions for
- springMVC项目异步错误处理请求Async support must be enabled on a servlet and for all filters involved in async
- OWIN support for the Web API 2 and MVC 5 integrations in Autofac
- Unicode database support in Tiburon for Delphi and C++
- springMVC项目异步处理请求的错误Async support must be enabled on a servlet and for all filters involved in async
- [React Native] Writing Platform-Specific Components for iOS and Android in React Native
- 【Android】Do not requestWindow.FEATURE_SUPPORT_ACTION_BAR and set windowActionBar to false in your th
- Archive for required library: '/libs/android-support-v4.jar' in project '' cannot be read or is not
- 错误:Found both android-support-v4 and android-support-v13 in the dependency list.
- Adding support for MrSid and other raster data formats in GeoServer
- Codelab for Android Design Support Library used in I/O Rewind Bangkok session
- warn: Appium support for versions of node < 0.12 has been deprecated and will be removed in a future
- Compile android source and kernel for emulator in Debian
- spaCy is a library for advanced natural language processing in Python and Cython:spaCy 工业级自然语言处理工具