The GSM (Global System for Mobile Communications) authentication system has a number of problems, such as the lack of network authentication, the lack of replay protection, and that only the network contributes to the cryptographic independence of session keys. The EAP/SIM (Extensible Authentication Protocol/Subscriber Identity Module) authentication specifies how GSM authentication can be used to provide authentication for WLAN (Wireless Local Area Network) access in the IEEE 802.1X framework. EAP/SIM authentication is an extension to the EAP proposed by the IETF (Internet Engineering Task Force) enabling authentication and session key distribution using the GSM SIM.
The EAP/SIM mechanism specifies enhancements to GSM authentication and key agreement whereby multiple authentication triplets—a so-called RAND (random number) value, a root key Ki, and a 32-bit value SRES—can be combined to create authentication response and encryption keys of greater strength than the individual GSM triplets. The mechanism also introduces network authentication, user anonymity and a re-authentication procedure.
The current EAP/SIM authentication specification addresses some of the problems. Some problems remain, partly because they were not considered a concrete threat, and partly because their solutions were considered too complex. For example, the known solutions for replay protection were considered too complex. Recently, in a note posted on the EAP discussion list (S. Patel; Analysis of EAP SIM Session key Agreement; IETF EAP mailing list, May 29, 2003), S. Patel (of Lucent Technologies) discussed two problems in the EAP/SIM mechanism: using a simple active attack the 128-bit security level of EAP/SIM authentication can be reduced to the 64-bit security of GSM; and sessions are not independent, in the sense that if an attacker gets hold of an authentication triplet, it can force the terminal to use an encryption key known to the attacker.
To raise its security level from the 64-bit GSM level, EAP/SIM combines secret session keys from two or three authentication triplets. Patel's first attack is performed by repeating the same triplet as many times as needed by one EAP/SIM authentication.
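The effect of a repeated triplet on the combined key, together with a terminal-side check that rejects such a challenge, as an added example that is not part of the original text. The A3/A8 stand-in, the SHA-1 combination step and all sample values are constructed assumptions, not the derivation in the EAP/SIM specification.

```python
from __future__ import annotations
import hashlib
import hmac

KC_BITS = 64        # GSM Kc length given in the text
TARGET_BITS = 128   # EAP/SIM security level cited in the text
RAND_LEN = 16       # RAND is a 128-bit number


def a3a8_standin(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Constructed stand-in for the SIM's A3/A8 (not a real GSM algorithm).
    Returns (SRES, Kc): 32 and 64 bits, both derived from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def combine(kcs: list[bytes], nonce: bytes) -> bytes:
    """Simplified combination (assumption): hash all Kc values and a terminal nonce."""
    return hashlib.sha1(b"".join(kcs) + nonce).digest()


def secret_input_bits(rands: list[bytes]) -> int:
    """Upper bound on secret key material: one 64-bit Kc per distinct RAND."""
    return min(TARGET_BITS, KC_BITS * len(set(rands)))


def challenge_ok(rands: list[bytes], required: int = 2) -> bool:
    """Terminal-side check: enough RANDs, correct length, no repeats."""
    if len(rands) < required or any(len(r) != RAND_LEN for r in rands):
        return False
    return len(set(rands)) == len(rands)


def derive_session_key(ki: bytes, rands: list[bytes], nonce: bytes) -> bytes:
    """Refuse to derive keys from a challenge that repeats a RAND."""
    if not challenge_ok(rands):
        raise ValueError("challenge rejected: repeated or malformed RAND")
    return combine([a3a8_standin(ki, r)[1] for r in rands], nonce)


# Constructed sample values, not taken from any real SIM or network.
KI = bytes(range(16))
RAND_A, RAND_B = b"\x11" * 16, b"\x22" * 16
NONCE = b"\x33" * 16

if __name__ == "__main__":
    print(secret_input_bits([RAND_A, RAND_B]), challenge_ok([RAND_A, RAND_B]))
    print(secret_input_bits([RAND_A, RAND_A]), challenge_ok([RAND_A, RAND_A]))
```

The check only covers repeats within a single challenge; it does nothing about RAND values replayed from an earlier session.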
Previously, it was shown that EAP/SIM security can be reduced to the GSM security level in case of a dual-mode terminal by implementing a false GSM base station that challenges the terminal by resending RAND values previously used in an EAP/SIM authentication (by the terminal). (The RAND is a 128-bit number used with a root key Ki (up to 128 bits) to generate a 64-bit key Kc and a 32-bit value SRES. The RAND, SRES, and Ki values are said to form a triplet.) Then by analyzing the encrypted GSM voice or data sent by the terminal, the attacker recovers the GSM encryption keys. This is feasible in particular if the false base station forces the terminal to use the weak A5-2 GSM encryption algorithm. The reason why this attack works is that different session keys are not independent, which is also the main security problem in Patel's second attack. Patel's second attack typically involves reused triplets. If an attacker gets hold of fresh triplets, clearly nothing can be done.
The prior art does not provide a solution to the EAP/SIM authentication problems; in Patel's report a solution that stores all previously used RANDs is discussed but deemed impractical. (In UMTS (Universal Mobile Telecommunications System) security, the replay problem of GSM has been taken into account and removed by a specification of a complex replay prevention method, which involves both HLR (Home Location Register) and the terminal.)