EapSimAka - seek-for-android - Support for EAP-SIM and EAP-AKA in...

http://code.google.com/p/seek-for-android/wiki/EapSimAka

victordariovera@gmail.com | My favorites

| Profile | Sign out

Secure Element Evaluation Kit for the Android platform - the 'SmartCard API' Project Home Search Downloads for Wiki Issues Source Search

Search projects

Introduction How To Access Control UICC Support AT Command Extensions BIP Extensions EAP-SIM/AKA ASSD Support MSC Support PC/SC Interface Services Layer Applications FAQs Abbreviations Contributions

EapSimAka
Support for EAP-SIM and EAP-AKA in Android.

NOTE: The described EAP patch will only work on a real Android Smartphone which has an up and running SmartCard and PCSC System Service.

Introduction
EAP-SIM is a mechanism for authentication and session key generation using a GSM authentication algorithm on client EAP-AKA is like EAP-SIM but uses the authentication algorithms on an USIM. EAP-SIM is specified in RFC 4186. EAP-AKA is specified in RFC 4187. Specifications about EAP can be found here and here.

Details
An overview how a WLAN with EAP authentication may look like is shown below:

To run an EAP-SIM/AKA authentication you will need a client as wpa_supplicant which has access to a (U)SIM. The W network has to support EAP (which is often transcribed as WPA(2)-RADIUS or WPA(2)-ENTERPRISE). The WLAN AP RADIUS server who handles the authentication and session key generation. The RADIUS server in a productive environ EAP-SIM/AKA access to the home location register (HLR) of the MNO where the (U)SIMs are registered. For testing a values for authentication is sufficient. The next picture shows simplified the data flow during the authentication process.

1 de 5

28/05/2013 03:05 PM

EapSimAka - seek-for-android - Support for EAP-SIM and EAP-AKA in...

http://code.google.com/p/seek-for-android/wiki/EapSimAka

Changes to Android
In order to run EAP-SIM/AKA on an Android smartphone it is necessary to adapt two parts of the sources: the wpa_supplicant and the Settings.apk To get access to the (U)SIM it is necessary to enable the PC/SC interface and integrate the SmartCard API with UICC The EAP-SIM/AKA patch was tested against Android 2.3.5_r1, the SmartCard API 2.2.2 and the PCSC System Servic

wpa_supplicant
For the wpa_supplicant the use of the PCSC interface has to be enabled and the functions which encapsulate the PCS adapted so that they can handle the responses from the SmartCardService, since the original sources of the wpa_supp responses from the (U)SIM according to the T=0 protocol, but the SmartCardService returns response data according

Settings.apk
To give the user the possibility to enable EAP-SIM or EAP-AKA on his Smartphone it is necessary to extend the WiFi D to select the EAP methods. The WiFi Dialog is located in the package Settings.apk. Now the entries SIM and AKA are n selectable as EAP-Method. When selecting SIM or AKA the other fields like Phase 2 Authentication, CA-Cerifica empty or by their default values.

Patch
Download the EAP-SIM/AKA patch and extract the content. Apply the patch with
patch -p1 -i eap-sim-aka_0.4.1.patch

in the root directory of your Android Sources. Build the system how it is shown in BuildingTheSystem.

Additional Components
Compile freeradius with EAP-SIM/AKA support.
The EAP-AKA support for freeradius was introduced by a patch for Version 1.1.4. This patch is not available for Versio We have merged the old EAP-AKA patch and added some more features to the rlm_sim_files module so that it can and EAP-AKA module with the correct data and keys. The result is a patch was developed with version 2.1.9 of the freeradius server but it might also work for other 2.1.x ve NOTE: This patch will only work for EAP-AKA if on the USIM the sequence number check is disabled, since the AUTN rlm_sim_files is constant. Therefore check EF_AuthAlgo on your USIM. On a ubuntu machine get freeradius sources via (first change to the directory where you want to store the sources)

2 de 5

28/05/2013 03:05 PM

EapSimAka - seek-for-android - Support for EAP-SIM and EAP-AKA in...

http://code.google.com/p/seek-for-android/wiki/EapSimAka

sudo apt-get source freeradius

Get the build dependencies

sudo apt-get build-dep freeradius

A freeradius source directory will be created e.g. freeradius-2.1.9-dfsg. Change the ownership to your development account and the goto the source directory.
sudo chown -R <user>:<group> ./freeradius-2.1.9-dfsg cd freeradius-2.1.9-dfsg

Get the freeradius patch archive and extract the content. Apply the patch within the freeradius source directory of freer try it first with option --dry-run to check if everything will do fine.
patch -p2 -i freeradius-2.1.9-dfsg_eap-sim-aka-0.1.patch

Build the deb packages:

debian/rules binary

Install the packages

sudo deb -i ../libfreeradius2_2.1.9+dfsg-sch02_i386.deb sudo deb -i ../freeradius_2.1.9+dfsg-sch02_i386.deb sudo deb -i ../freeradius-common_2.1.9+dfsg-sch02_all.deb

Since the rlm_sim_files module is not build by the debian packages routines. It has to be built and copied manually.
cd ./src/modules/rlm_sim_files make

Copy the libraries and create a symbolic link

sudo cp ./.libs/rlm_sim_files-2.1.9.so /usr/lib/freeradius sudo ln -s /usr/lib/freeradius/rlm_sim_files-2.1.9.so /usr/lib/freeradius/rlm_sim_files.so

(Re-)Start the freeradius server with:

sudo /etc/init.d/freeradius restart

Set up of the freeradius server

All configuration files for freeradius are located in /etc/freeradius and below. Add to or change clients.conf that it contains
client 192.168.0.0/16 { secret = eap-sim shortname = eap-sim }

The secret and shortname can be chosen freely, but you have to setup on your WLAN AP the same secret. e.g. on a L

In the config directory /etc/freeradius/modules create a file sim_files with following content:

3 de 5

28/05/2013 03:05 PM

EapSimAka - seek-for-android - Support for EAP-SIM and EAP-AKA in...

http://code.google.com/p/seek-for-android/wiki/EapSimAka

sim_files { simtriplets = "/etc/freeradius/simtriplets.dat" }

In the config file eap.conf add at the end but before the closing }
aka { } sim { }

In the config file default add

sim_files

directly before
eap { ok = return }

After changes on the configuration files a restart of the server is necessary.

simtriplets.dat
Create the file /etc/freeradius/simtriplets.dat with the content from your (U)SIMs you want to use. Sample of a simtriplets.dat file
# IMSI RAND SRES Kc

SIM,1262074920549791,64BC736EF7684de1921F9C9C0E0679E2,0B7e4e4b,D2119f41D8840400 SIM,1262074920549791,97D0C531F2A84000ACB5E4F966157908,181c8ac1,E2f6976a226bc800 SIM,1262074920549791,1E4FD2861D0848a499C91162234B255C,211056b1,8Bbdd2385B3a0400

#
SIM,0262074920549791,64BC736EF7684de1921F9C9C0E0679E2,0B7e4e4b,D2119f41D8840400 SIM,0262074920549791,97D0C531F2A84000ACB5E4F966157908,181c8ac1,E2f6976a226bc800 SIM,0262074920549791,1E4FD2861D0848a499C91162234B255C,211056b1,8Bbdd2385B3a0400

IMSI

RAND

RES

AUTN

AKA,0262073961704408,9FDDC72092C6AD036B6E464789315B78,F553BBC042452202,478412477BFF61DFD5BE5A

The first triplet block ist for EAP-SIM on a SIM card, the second block is for EAP-SIM on a USIM card and the last line EAP-AKA of a USIM card. It is mandatory to have at least 3 different records for one IMSI when it is used for EAP-SIM. It is not possible to use a single USIM for EAP-AKA and EAP-SIM at the same time. Only one of the methods may be can be disabled by adding a # as prefix.

agsm
The EAP-SIM values can be creates using the tool asgm which kann be found here http://agsm.sourceforge.net/downlo

Comment by mahesa.a...@gmail.com, Jun 10, 2012 hi, where do i have to add sim_files ? is it in the eap.conf thx..

4 de 5

28/05/2013 03:05 PM

EapSimAka - seek-for-android - Support for EAP-SIM and EAP-AKA in...

http://code.google.com/p/seek-for-android/wiki/EapSimAka

Comment by mahesa.a...@gmail.com, Jun 11, 2012 nevermind i found it in /etc/freeradius/sites-available/default Comment by Mechou...@gmail.com, Dec 21, 2012 In french, please!! my english is too bad.thanks Comment by ricart.r...@gmail.com, Dec 21, 2012 "google traduction" is your friend ! I'm also french, but I don't complain if I come to an english forum ! ;-) Go to http://www.freenews.fr /spip.php?article12150 if you want a french explanation ! Comment by muhd.usm...@gmail.com, Jan 6, 2013 we are trying to connect Samsung Note II to an AP that supports EAP-SIM, when we connect WLAN using eap-sim, AP sends identity message to mobile device to which the mobile device does not respond...Any suggestions why mobile device is not sending its identity to AP?? Comment by Mez...@gmail.com, Jan 28, 2013 Hi, I would like to know how can I apply the patch eap-sim-aka_0.4.1.patch on my android phone 2.3.6. When I try, the phone returns me ":not found". is there some apps to install before ? Thanks for your help. Tyler Enter a comment: Hint: You can use Wiki Syntax.

Submit

Terms - Privacy - Project Hosting Help Powered by Google Project Hosting

5 de 5

28/05/2013 03:05 PM