EAP-AKA' Authentication

Last updated: November 29, 2010

This section is only applicable to the lab application.

EAP-AKA' Authentication Overview

Extensible Authentication Protocol, abbreviated as EAP, is an authentication framework which supports multiple authentication methods.

EAP-AKA is an EAP method for authentication and session key distribution that uses the AKA mechanism. Authentication and Key Agreement (AKA) is based on challenge-response mechanisms and symmetric cryptography. AKA typically runs in a UMTS Subscriber Identity Module (USIM) or a CDMA2000 (Removable) User Identity Module ((R)UIM). EAP-AKA' is a newer EAP method, based on EAP-AKA, that binds the derived keys to the name of the access network.

In an eHRPD network (see eHRPD Support in the Test Set), the authentication signaling and procedure are based on the EAP-AKA' protocol. When the test set is configured to eHRPD mode (Session Application Type is set to Alternate EMPA) with the Authentication State set to On, the test set can act as an authentication server and start an EAP-AKA' Authentication Procedure with the UE during the PPP session negotiation (the UE acts as an EAP-AKA' peer). The test set and the UE mutually authenticate each other. Upon successful authentication, the UE is authorized to access the network.

   
NOTE
Before starting EAP-AKA' authentication, make sure your UE is EAP-AKA' capable and the Authentication State is set to On. In addition, the Authentication Key (K) (Hex), Operator Variant Parameter Type and the Authentication Management Field (AMF) (Hex) must be set to the same values as in the UE.

   

EAP-AKA' Authentication Procedure

A basic, successful full EAP-AKA' authentication procedure is shown below.

A Basic, Successful Full EAP-AKA' Authentication Procedure

  1. The UE (or the identity module in it) and the test set (as an authentication server) have agreed on a shared authentication key beforehand.
  2. The test set sends an EAP-Request/Identity message to the UE. The UE replies with an EAP-Response/Identity message which includes the UE's NAI (Network Access Identifier). The NAI will be used in the following step as an input parameter to generate the authentication vector.
  3. The actual authentication process starts. The test set produces an authentication vector based on the authentication key, the sequence number and the network name etc. The authentication vector contains a random part RAND, an authenticator part AUTN used for authenticating the network to the UE, and other keys including IK' for integrity check, CK' for encryption etc.
  4. The RAND, AUTN and the network name are delivered to the UE via EAP-Request/AKA'-Challenge message.
  5. The UE verifies the AUTN, again based on the authentication key and the sequence number. If the AUTN is valid and the sequence number used to generate AUTN is within the correct range, the UE produces an authentication result RES and sends it to the test set via EAP-Response/AKA'-Challenge message.
  6. The test set verifies the RES and MAC values received from the UE. If the results are correct, the test set sends an EAP success message to the UE. IK', CK' together with other key materials can be used to protect further communications between the UE and the test set.
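The binding of keys to the access network name mentioned in the overview can be shown with the CK'/IK' derivation that RFC 5448 specifies for EAP-AKA' (HMAC-SHA-256 keyed with CK||IK over the network name and SQN xor AK, with the FC value from 3GPP TS 33.402). This is an added example, not code from the test set or its vendor; the CK, IK and SQN xor AK values are constructed, "WLAN" is a made-up mismatching name, and "HRPD" is the network name this page gives.

```python
import hashlib
import hmac

FC = b"\x20"  # function code for the CK'/IK' derivation (3GPP TS 33.402)


def kdf_input(network_name: str, sqn_xor_ak: bytes) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 with 2-byte big-endian lengths."""
    if len(sqn_xor_ak) != 6:
        raise ValueError("SQN xor AK must be 6 bytes")
    p0 = network_name.encode("utf-8")  # network name, no terminating NUL
    return (FC + p0 + len(p0).to_bytes(2, "big")
            + sqn_xor_ak + len(sqn_xor_ak).to_bytes(2, "big"))


def derive_ck_ik_prime(ck: bytes, ik: bytes, network_name: str, sqn_xor_ak: bytes):
    """Return (CK', IK'), each 16 bytes, bound to network_name."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 16 bytes each")
    s = kdf_input(network_name, sqn_xor_ak)
    out = hmac.new(ck + ik, s, hashlib.sha256).digest()
    return out[:16], out[16:]


# Constructed sample values, not taken from any real USIM or test set.
CK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
IK = bytes.fromhex("101112131415161718191a1b1c1d1e1f")
SQN_XOR_AK = bytes.fromhex("0000000000a1")

if __name__ == "__main__":
    # Same CK/IK, different network names: the derived keys differ, so a
    # peer configured with the wrong name cannot produce a matching MAC.
    for name in ("HRPD", "WLAN"):
        ck_p, ik_p = derive_ck_ik_prime(CK, IK, name, SQN_XOR_AK)
        print(f"{name}: CK'={ck_p.hex()} IK'={ik_p.hex()}")
```
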

EAP-AKA' Authentication Parameters and Operations

EAP-AKA' Authentication Parameters

Manual Operation: To access the EAP-AKA' Authentication Parameters menu, first press the CALL SETUP softkey, go to the Call Control 3 of 3 and press Data Channel Info (F2), continue to go to Data Channel 2 of 2 and press EAP-AKA' Auth Info (F1), then press Authentication Parameters (F1).

When the test set is in the Active Cell operating mode, the EAP-AKA' Authentication parameters are only applicable if the Protocol Rel is set to A (1xEV-DO-A), the Release A Physical Layer Subtype is set to Subtype 2 and the Session Application Type is set to Alternate EMPA.

EAP-AKA' Authentication Parameters

  • Authentication State

    This parameter specifies whether the test set will propose EAP-AKA' as the authentication protocol during the PPP session negotiation between the test set and the UE. If it is set to On, EAP-AKA' will be used as the authentication method during PPP negotiation. If it is set to Off, the EAP-AKA' authentication procedure will be skipped during the negotiation.

    GPIB Command: CALL:SECurity:AUTHenticate:AKAPrime:STATe

  • Authentication Key (K) (Hex)

    This parameter specifies the authentication key (32 hex digits) that is shared by the UE and the test set and used in the authentication procedure.

    GPIB Command: CALL:SECurity:AUTHenticate:AKAPrime:KEY

  • Operator Variant Parameter Type

    This parameter specifies whether the Operator Variant Parameter Value (Hex) is used as the OP or the OPc value for authentication.

    GPIB Command: CALL:SECurity:AUTHenticate:AKAPrime:OPVariant:PTYPe

  • Operator Variant Parameter Value (Hex)

    You can choose whether to set the OP or the OPc value as the input parameter for authentication (see Operator Variant Parameter Type). If Operator Variant Parameter Type is set to OP, then Operator Variant Parameter Value (Hex) is used as the OP value; likewise, if Operator Variant Parameter Type is set to OPc, then Operator Variant Parameter Value (Hex) is used as the OPc value for authentication.

    The relationship between OP and OPc is: OP and Authentication Key (K) are used to compute OPc, which is then used to compute other authentication keys like IK', CK', RES etc.

    Operators use this value to change the authentication algorithms in an operator-specific manner.

    GPIB Command: CALL:SECurity:AUTHenticate:AKAPrime:OPVariant:CFIeld

  • Random (RAND) Value (Hex)

    This is a 32-digit hex string that controls the RAND value used in the AKA' authentication algorithms.

    • If the RAND value is set to 0, the test set will randomly generate a RAND value instead of using 0 as the RAND value.
    • If the RAND value is not set to 0, the test set will use the input value as RAND value.

    GPIB Command: CALL:SECurity:AUTHenticate:AKAPrime:RANDom

  • Authentication Management Field (AMF) (Hex)

    This parameter specifies the Authentication Management Field (AMF, in 4 hex digits) which is an input parameter of the AKA' authentication algorithms.

    The 4 hex digits of the AMF value correspond to a 16-bit binary number whose bits are numbered from 0 to 15, where bit 0 is the most significant bit and is called the "AMF separation bit". After the UE receives the EAP-Request/AKA'-Challenge message in step 5 of the authentication procedure (see A Basic, Successful Full EAP-AKA' Authentication Procedure), the UE checks the AMF separation bit and decides whether to continue the AKA' algorithms. If the bit is not 1, the UE will reject the authentication. To avoid this, you must set the AMF to a value whose bit 0 equals 1 before an authentication procedure starts.

    GPIB Command: CALL:SECurity:AUTHenticate:AKAPrime:AMF

   
NOTE
According to the standard, the Authentication Network Name is fixed to "HRPD". See Fixed Settings.
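A pre-flight check for the parameter values described above, written as an added example (not part of the test set's software or documentation). The function names are hypothetical, the sample key is constructed, and treating an all-zero 32-digit string as "RAND set to 0" is an assumption.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")


def is_hex(value: str, digits: int) -> bool:
    """True if value is exactly `digits` hexadecimal characters."""
    return len(value) == digits and all(c in HEX_DIGITS for c in value)


def amf_separation_bit(amf_hex: str) -> int:
    """Bit 0 is the MOST significant of the 16 AMF bits, i.e. mask 0x8000."""
    return (int(amf_hex, 16) >> 15) & 1


def check_settings(k_hex: str, amf_hex: str, rand_hex: str):
    """Return (problems, rand_mode) for the K, AMF and RAND settings."""
    problems = []
    if not is_hex(k_hex, 32):
        problems.append("K must be exactly 32 hex digits")
    if not is_hex(amf_hex, 4):
        problems.append("AMF must be exactly 4 hex digits")
    elif amf_separation_bit(amf_hex) != 1:
        problems.append("AMF separation bit (bit 0, MSB) is 0: UE rejects AUTN")
    rand_mode = None
    if not is_hex(rand_hex, 32):
        problems.append("RAND must be exactly 32 hex digits")
    else:
        # Assumption: all zeros means "let the test set pick a random RAND".
        rand_mode = "random" if int(rand_hex, 16) == 0 else "fixed"
    return problems, rand_mode


# Constructed sample key, not a real subscriber key.
SAMPLE_K = "00112233445566778899aabbccddeeff"

if __name__ == "__main__":
    # 0x0001 sets the LEAST significant bit, a common misreading of "bit 0".
    for amf in ("8000", "0001", "7FFF"):
        print(amf, check_settings(SAMPLE_K, amf, "0" * 32))
```
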

   

EAP-AKA' Authentication Result

The EAP-AKA' authentication result is displayed in the EAP-AKA' Authentication Result window.

  • Authentication result: This result indicates whether the authentication succeeded or failed for some reason during the PPP session negotiation. The possible authentication results include:

    • None - EAP-AKA' authentication is not performed.
    • Success - The test set and the UE authenticate each other successfully after the EAP-AKA' authentication procedure.
    • Authentication Failure, MAC Not Match - When the MAC value in the EAP Response/AKA'-Challenge message is not correct, the test set rejects the UE and the authentication fails.
    • Authentication Failure, RES Not Match - When the RES value in the EAP Response/AKA'-Challenge message is not correct, the test set rejects the UE and the authentication fails.
    • Authentication Failure, Incorrect RES Length - When the RES Length in the EAP Response/AKA'-Challenge message is not correct, the test set rejects the UE and the authentication fails.
    • Authentication Failure, General Failure - The test set discovers an error in a received response message, or detects an integrity error in the received messages from UE.
    • Authentication Failure, No Response - The test set fails to receive an EAP Response message from the UE after sending the EAP Request message.
    • Authentication Failure, Synch Failure - When the UE discovers an inappropriate sequence number in the EAP-Request/AKA'-Challenge message, it sends an EAP-Response/AKA'-Synchronization-Failure message to the test set. The test set proceeds with a new EAP-Request/AKA'-Challenge message. If it then receives another EAP-Response/AKA'-Synchronization-Failure message from the UE, the test set stops the re-synchronization and disconnects the PPP connection. Note that the test set will not update the authentication result when the first EAP-Response/AKA'-Synchronization-Failure message is received.
    • UE Authentication Failure, AUTN Rejected by UE - When the AUTN in the EAP-Request/AKA'-Challenge from the test set cannot be verified, the UE rejects the test set and the authentication fails. Other cases that also cause this error include: 1) the network name mismatch between the test set and the UE, 2) the AMF separation bit is not 1.
    • UE Authentication Failure, General Failure Reported by UE - The UE detects an error in a received EAP-AKA' packet and responds with an error message indicating "unable to process packet" etc.

    GPIB Command: CALL:SECurity:AUTHenticate:AKAPrime:RESult?

Reset the Authentication Sequence Number

The sequence number is one of the parameters used during the authentication procedure (see A Basic, Successful Full EAP-AKA' Authentication Procedure). When the test set is started with the 1xEV-DO lab application, the sequence number is set to zero. The sequence number increments each time an authentication procedure is performed. Neither a full preset nor a format switch will reset this number.

In certain circumstances, the sequence number may get out of sequence. When the UE discovers an inappropriate sequence number, it will send a failure message to the test set. Then the test set will perform a re-synchronization. Resetting the sequence number to zero will force the sequence number out of sequence and start a re-synchronization between the test set and the UE.

The sequence number can be reset regardless of the authentication state.

You can reset the Authentication Sequence Number (SQN) in the test set to zero by pressing Reset Auth SQN (F2), or by the GPIB command: CALL:SECurity:AUTHenticate:AKAPrime:SQN:RESet[:IMMediate].

Operating Considerations

  • The Authentication Key (K) (Hex) must be set equal to the shared authentication key programmed in the UE. A mismatched key will result in an authentication failure.
  • The Authentication Key (K) (Hex), Operator Variant Parameter Type, Operator Variant Parameter Value (Hex) and Authentication Management Field (AMF) (Hex) are only useful when the Authentication State is set to On. Changing these parameters after a PPP session negotiation will not cause a PPP re-negotiation. The new settings will take effect in the next PPP negotiation.
  • The authentication result is shown in the EAP-AKA' Authentication Result window. You can also get this result by querying with the GPIB command: CALL:SECurity:AUTHenticate:AKAPrime:RESult?