Figure 4. The Conceptualized flow of UICC-based Stock Service
tion for 3G network authentication are reused to authenticate users in the WiFi, WiBro and I-WLAN environments. The method for authenticating users with the USIM application is EAP-AKA, defined in RFC 4187 (Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement). That is, EAP-AKA is an Extensible Authentication Protocol (EAP) mechanism for authentication and session key distribution that uses the Universal Mobile Telecommunications System (UMTS) Subscriber Identity Module (USIM) as the holder of the subscriber's secret.
EAP and AKA are described separately below.
EAP is an authentication framework widely used in wireless networks. It does not authenticate anyone by itself: it defines the message formats that carry an EAP method's exchange and provides for the transport and usage of the keying material and parameters that the method generates. EAP is defined in RFC 3748, which obsoleted RFC 2284 and was itself updated by RFC 5247 (the EAP key management framework).
AKA is the key agreement protocol used in 3G networks: a challenge-response mechanism built on symmetric cryptography, in which the network and the UICC each prove to the other that they hold the same secret. The UICC computes the values needed for user authentication with the MILENAGE algorithm set (3GPP TS 35.205/35.206), whose core is the AES block cipher. Its inputs are the 128-bit pre-shared key K, stored in the UICC and unique to each card (the same K is held only by the operator's authentication centre), and OP (Operator Variant Algorithm Configuration Field), an operator-chosen parameter that makes the algorithm instance operator-specific. In practice the card usually holds the derived value OPc = OP XOR E_K(OP) rather than OP itself, so that OP is never present on cards in the field. K never leaves the UICC; only RAND and AUTN go in, and only RES and the derived session keys come out across its interface.
With these building blocks, EAP-AKA provides network authentication on top of the secure UICC as follows. First, the EAP server, usually the AAA (Authentication, Authorization and Accounting) server reached through the access network's authenticator (the access point or gateway, which only relays EAP), sends EAP-Request/Identity to the mobile terminal. The mobile terminal answers with EAP-Response/Identity carrying an NAI (Network Access Identifier) built from the IMSI (International Mobile Subscriber Identity) read from the UICC (RFC 4187 prefixes this permanent identity with the character "0"), or, if it has already completed an EAP-AKA run, a pseudonym or fast re-authentication identity issued by the server in that run, which keeps the IMSI off the air. The server maps the received identity to the subscriber and obtains an authentication vector for that subscriber (RAND, AUTN, XRES, CK and IK) from the home network's authentication centre, where the AKA algorithms are run against the subscriber's K; from CK, IK and the identity it derives the EAP-AKA keys, among them K_aut. It then sends EAP-Request/AKA-Challenge carrying AT_RAND, AT_AUTN and AT_MAC, the last being a message authentication code over the packet keyed with K_aut. The mobile terminal passes RAND and AUTN to the UICC, which runs the AKA algorithms itself: it verifies the MAC inside AUTN and checks that the sequence number is fresh (this authenticates the network and detects replayed challenges), and only then returns RES and the session keys CK and IK. The terminal derives the same K_aut, verifies AT_MAC, and replies with EAP-Response/AKA-Challenge carrying AT_RES and its own AT_MAC. The server checks AT_MAC and compares RES with XRES; if both match it sends EAP-Success, otherwise EAP-Failure. If the UICC rejects AUTN, the terminal instead sends EAP-Response/AKA-Authentication-Reject (or AKA-Synchronization-Failure when only the sequence number is out of range), and no session key is released.
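The AKA computation described above and the EAP-AKA exchange that wraps it, as one added example that is not part of the chapter. It runs both sides of the protocol offline: the authentication centre builds the vector, the USIM verifies AUTN (MAC and sequence number) before releasing RES/CK/IK, and the EAP server and peer exchange AT_RAND/AT_AUTN/AT_MAC and AT_RES/AT_MAC with the MAC checks RFC 4187 requires. Three things are assumptions, labelled in the code as well: MILENAGE f1 to f5 are replaced by an HMAC-SHA256 stand-in (MILENAGE needs AES, which the standard library lacks), the RFC 4187 key expansion after MK is shortened to one HMAC instead of the FIPS 186-2 PRF, and the subscriber data (K, OPc, IMSI) is constructed.

```python
"""EAP-AKA walk-through (added example, not the chapter's code).
Assumptions: MILENAGE f1..f5 replaced by an HMAC-SHA256 stand-in keyed with K and OPc
(MILENAGE needs AES); RFC 4187 key expansion after MK shortened to one HMAC instead of
the FIPS 186-2 PRF; AT_MAC = HMAC-SHA1 over the packet with the MAC value zeroed,
truncated to 16 bytes (RFC 4187 s10.15), and AT_MAC is always the last attribute.
Output widths follow 3GPP: MAC-A 8 B, RES 8 B, CK/IK 16 B, AK 6 B."""
import hashlib
import hmac
import struct

# Constructed subscriber data, not a real K/OPc/IMSI.
K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")
OPC = bytes.fromhex("cd63cb71954a9f4e48a5994e37a02baf")
IMSI = "450051234567890"            # MCC 450, two-digit MNC 05
AMF = b"\x80\x00"
EAP_AKA, AKA_CHALLENGE = 23, 1      # EAP type and subtype numbers from RFC 4187
AT_RAND, AT_AUTN, AT_RES, AT_MAC = 1, 2, 3, 11


def fk(tag: bytes, *parts: bytes, n: int) -> bytes:
    """Stand-in for MILENAGE f1..f5 (NOT MILENAGE): HMAC-SHA256(K, OPc|tag|parts)[:n]."""
    return hmac.new(K, OPC + tag + b"".join(parts), hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def auth_vector(sqn: bytes, rand: bytes):
    """Home-network (AuC) side: (RAND, AUTN, XRES, CK, IK) for one SQN/RAND pair."""
    mac_a = fk(b"f1", rand, sqn, AMF, n=8)
    autn = xor(sqn, fk(b"f5", rand, n=6)) + AMF + mac_a     # AUTN = SQN^AK || AMF || MAC-A
    return rand, autn, fk(b"f2", rand, n=8), fk(b"f3", rand, n=16), fk(b"f4", rand, n=16)


class USIM:
    """Card side: authenticates the network via AUTN before releasing RES, CK, IK."""
    def __init__(self):
        self.sqn_ms = -1                                    # highest SQN accepted so far

    def challenge(self, rand: bytes, autn: bytes):
        sqn_ak, amf, mac_a = autn[:6], autn[6:8], autn[8:]
        sqn = xor(sqn_ak, fk(b"f5", rand, n=6))
        if not hmac.compare_digest(mac_a, fk(b"f1", rand, sqn, amf, n=8)):
            raise ValueError("MAC failure: network not authenticated")
        if int.from_bytes(sqn, "big") <= self.sqn_ms:      # strict check; real USIMs use a window
            raise ValueError("synchronisation failure: stale SQN, possible replay")
        self.sqn_ms = int.from_bytes(sqn, "big")
        return fk(b"f2", rand, n=8), fk(b"f3", rand, n=16), fk(b"f4", rand, n=16)


def permanent_nai(imsi: str) -> str:
    """Permanent EAP-AKA identity: '0' + IMSI at the 3GPP TS 23.003 WLAN realm."""
    mcc, mnc = imsi[:3], imsi[3:5].rjust(3, "0")
    return f"0{imsi}@wlan.mnc{mnc}.mcc{mcc}.3gppnetwork.org"


def k_aut(identity: str, ik: bytes, ck: bytes) -> bytes:
    mk = hashlib.sha1(identity.encode() + ik + ck).digest()      # MK, RFC 4187 s7
    return hmac.new(mk, b"K_aut", hashlib.sha256).digest()[:16]   # simplified expansion


def attr(t: int, value: bytes, hdr2: bytes = b"\x00\x00") -> bytes:
    """TLV attribute: type, length in 4-byte units, a 2-byte reserved/length field, value."""
    body = hdr2 + value
    return struct.pack("!BB", t, (2 + len(body)) // 4) + body


def build(code: int, ident: int, attrs: bytes, key: bytes) -> bytes:
    """EAP packet (code, id, length, type 23, subtype, reserved) + attrs + AT_MAC over zeroed MAC."""
    attrs += attr(AT_MAC, bytes(16))
    pkt = struct.pack("!BBHBBH", code, ident, 8 + len(attrs), EAP_AKA, AKA_CHALLENGE, 0) + attrs
    return pkt[:-16] + hmac.new(key, pkt, hashlib.sha1).digest()[:16]


def check_mac(pkt: bytes, key: bytes) -> bool:
    expected = hmac.new(key, pkt[:-16] + bytes(16), hashlib.sha1).digest()[:16]
    return hmac.compare_digest(pkt[-16:], expected)


def parse_attrs(pkt: bytes) -> dict:
    out, i = {}, 8
    while i < len(pkt):
        t, ln = pkt[i], pkt[i + 1] * 4
        out[t] = pkt[i + 4:i + ln]                          # skip type/len and the 2-byte field
        i += ln
    return out


def run_exchange(usim: USIM, sqn: bytes, rand: bytes, tamper: bool = False) -> str:
    """One EAP-AKA run between an EAP server holding an AV and a peer holding the USIM."""
    identity = permanent_nai(IMSI)          # EAP-Response/Identity to EAP-Request/Identity
    rand, autn, xres, ck, ik = auth_vector(sqn, rand)      # server fetches the AV from the AuC
    if tamper:                              # on-path attacker flips one bit of MAC-A in AUTN
        autn = autn[:-1] + bytes([autn[-1] ^ 1])
    server_kaut = k_aut(identity, ik, ck)
    request = build(1, 1, attr(AT_RAND, rand) + attr(AT_AUTN, autn), server_kaut)
    try:                                    # peer: USIM verifies AUTN, then peer checks AT_MAC
        res, ck_p, ik_p = usim.challenge(rand, autn)
    except ValueError as err:
        return f"EAP-Response/AKA-Authentication-Reject ({err})"
    peer_kaut = k_aut(identity, ik_p, ck_p)
    if not check_mac(request, peer_kaut):
        return "EAP-Response/AKA-Authentication-Reject (AT_MAC mismatch)"
    response = build(2, 1, attr(AT_RES, res, struct.pack("!H", len(res) * 8)), peer_kaut)
    got = parse_attrs(response)             # server: AT_MAC under K_aut, then RES against XRES
    if check_mac(response, server_kaut) and hmac.compare_digest(got[AT_RES], xres):
        return "EAP-Success"
    return "EAP-Failure"
```

Two properties worth noticing when running it: re-sending the same RAND/AUTN to the same USIM is refused at the card (stale SQN), so a captured challenge cannot be replayed, and a single flipped bit in AUTN is caught before the card computes anything, so no RES or key leaves the UICC for a challenge the network did not sign. Swapping the `fk` stand-in for a real MILENAGE implementation changes none of the surrounding logic.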