1 /* 2 * 3GPP AKA - Milenage algorithm (3GPP TS 35.205, .206, .207, .208) 3 * Copyright (c) 2006-2007 <j (at) w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 * 14 * This file implements an example authentication algorithm defined for 3GPP 15 * AKA. This can be used to implement a simple HLR/AuC into hlr_auc_gw to allow 16 * EAP-AKA to be tested properly with real USIM cards. 17 * 18 * This implementations assumes that the r1..r5 and c1..c5 constants defined in 19 * TS 35.206 are used, i.e., r1=64, r2=0, r3=32, r4=64, r5=96, c1=00..00, 20 * c2=00..01, c3=00..02, c4=00..04, c5=00..08. The block cipher is assumed to 21 * be AES (Rijndael). 22 */ 23 24 #include "includes.h" 25 26 #include "common.h" 27 #include "crypto/aes_wrap.h" 28 #include "milenage.h" 29 30 31 /** 32 * milenage_f1 - Milenage f1 and f1* algorithms 33 * @opc: OPc = 128-bit value derived from OP and K 34 * @k: K = 128-bit subscriber key 35 * @_rand: RAND = 128-bit random challenge 36 * @sqn: SQN = 48-bit sequence number 37 * @amf: AMF = 16-bit authentication management field 38 * @mac_a: Buffer for MAC-A = 64-bit network authentication code, or %NULL 39 * @mac_s: Buffer for MAC-S = 64-bit resync authentication code, or %NULL 40 * Returns: 0 on success, -1 on failure 41 */ 42 int milenage_f1(const u8 *opc, const u8 *k, const u8 *_rand, 43 const u8 *sqn, const u8 *amf, u8 *mac_a, u8 *mac_s) 44 { 45 u8 tmp1[16], tmp2[16], tmp3[16]; 46 int i; 47 48 /* tmp1 = TEMP = E_K(RAND XOR OP_C) */ 49 for (i = 0; i < 16; i++) 50 tmp1[i] = _rand[i] ^ opc[i]; 51 if (aes_128_encrypt_block(k, tmp1, tmp1)) 52 return -1; 53 54 /* tmp2 = IN1 = SQN || AMF || SQN || AMF */ 55 os_memcpy(tmp2, sqn, 6); 56 os_memcpy(tmp2 + 6, amf, 2); 57 os_memcpy(tmp2 + 8, tmp2, 8); 58 59 /* OUT1 = E_K(TEMP XOR rot(IN1 XOR OP_C, r1) XOR c1) XOR OP_C */ 60 61 /* rotate (tmp2 XOR OP_C) by r1 (= 0x40 = 8 bytes) */ 62 for (i = 0; i < 16; i++) 63 tmp3[(i + 8) % 16] = tmp2[i] ^ opc[i]; 64 /* XOR with TEMP = E_K(RAND XOR OP_C) */ 65 for (i = 0; i < 16; i++) 66 tmp3[i] ^= tmp1[i]; 67 /* XOR with c1 (= ..00, i.e., NOP) */ 68 69 /* f1 || f1* = E_K(tmp3) XOR OP_c */ 70 if (aes_128_encrypt_block(k, tmp3, tmp1)) 71 return -1; 72 for (i = 0; i < 16; i++) 73 tmp1[i] ^= opc[i]; 74 if (mac_a) 75 os_memcpy(mac_a, tmp1, 8); /* f1 */ 76 if (mac_s) 77 os_memcpy(mac_s, tmp1 + 8, 8); /* f1* */ 78 return 0; 79 } 80 81 82 /** 83 * milenage_f2345 - Milenage f2, f3, f4, f5, f5* algorithms 84 * @opc: OPc = 128-bit value derived from OP and K 85 * @k: K = 128-bit subscriber key 86 * @_rand: RAND = 128-bit random challenge 87 * @res: Buffer for RES = 64-bit signed response (f2), or %NULL 88 * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL 89 * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL 90 * @ak: Buffer for AK = 48-bit anonymity key (f5), or %NULL 91 * @akstar: Buffer for AK = 48-bit anonymity key (f5*), or %NULL 92 * Returns: 0 on success, -1 on failure 93 */ 94 int milenage_f2345(const u8 *opc, const u8 *k, const u8 *_rand, 95 u8 *res, u8 *ck, u8 *ik, u8 *ak, u8 *akstar) 96 { 97 u8 tmp1[16], tmp2[16], tmp3[16]; 98 int i; 99 100 /* tmp2 = TEMP = E_K(RAND XOR OP_C) */ 101 for (i = 0; i < 16; i++) 102 tmp1[i] = _rand[i] ^ opc[i]; 103 if (aes_128_encrypt_block(k, tmp1, tmp2)) 104 return -1; 105 106 /* OUT2 = E_K(rot(TEMP XOR OP_C, r2) XOR c2) XOR OP_C */ 107 /* OUT3 = E_K(rot(TEMP XOR OP_C, r3) XOR c3) XOR OP_C */ 108 /* OUT4 = E_K(rot(TEMP XOR OP_C, r4) XOR c4) XOR OP_C */ 109 /* OUT5 = E_K(rot(TEMP XOR OP_C, r5) XOR c5) XOR OP_C */ 110 111 /* f2 and f5 */ 112 /* rotate by r2 (= 0, i.e., NOP) */ 113 for (i = 0; i < 16; i++) 114 tmp1[i] = tmp2[i] ^ opc[i]; 115 tmp1[15] ^= 1; /* XOR c2 (= ..01) */ 116 /* f5 || f2 = E_K(tmp1) XOR OP_c */ 117 if (aes_128_encrypt_block(k, tmp1, tmp3)) 118 return -1; 119 for (i = 0; i < 16; i++) 120 tmp3[i] ^= opc[i]; 121 if (res) 122 os_memcpy(res, tmp3 + 8, 8); /* f2 */ 123 if (ak) 124 os_memcpy(ak, tmp3, 6); /* f5 */ 125 126 /* f3 */ 127 if (ck) { 128 /* rotate by r3 = 0x20 = 4 bytes */ 129 for (i = 0; i < 16; i++) 130 tmp1[(i + 12) % 16] = tmp2[i] ^ opc[i]; 131 tmp1[15] ^= 2; /* XOR c3 (= ..02) */ 132 if (aes_128_encrypt_block(k, tmp1, ck)) 133 return -1; 134 for (i = 0; i < 16; i++) 135 ck[i] ^= opc[i]; 136 } 137 138 /* f4 */ 139 if (ik) { 140 /* rotate by r4 = 0x40 = 8 bytes */ 141 for (i = 0; i < 16; i++) 142 tmp1[(i + 8) % 16] = tmp2[i] ^ opc[i]; 143 tmp1[15] ^= 4; /* XOR c4 (= ..04) */ 144 if (aes_128_encrypt_block(k, tmp1, ik)) 145 return -1; 146 for (i = 0; i < 16; i++) 147 ik[i] ^= opc[i]; 148 } 149 150 /* f5* */ 151 if (akstar) { 152 /* rotate by r5 = 0x60 = 12 bytes */ 153 for (i = 0; i < 16; i++) 154 tmp1[(i + 4) % 16] = tmp2[i] ^ opc[i]; 155 tmp1[15] ^= 8; /* XOR c5 (= ..08) */ 156 if (aes_128_encrypt_block(k, tmp1, tmp1)) 157 return -1; 158 for (i = 0; i < 6; i++) 159 akstar[i] = tmp1[i] ^ opc[i]; 160 } 161 162 return 0; 163 } 164 165 166 /** 167 * milenage_generate - Generate AKA AUTN,IK,CK,RES 168 * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.) 169 * @amf: AMF = 16-bit authentication management field 170 * @k: K = 128-bit subscriber key 171 * @sqn: SQN = 48-bit sequence number 172 * @_rand: RAND = 128-bit random challenge 173 * @autn: Buffer for AUTN = 128-bit authentication token 174 * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL 175 * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL 176 * @res: Buffer for RES = 64-bit signed response (f2), or %NULL 177 * @res_len: Max length for res; set to used length or 0 on failure 178 */ 179 void milenage_generate(const u8 *opc, const u8 *amf, const u8 *k, 180 const u8 *sqn, const u8 *_rand, u8 *autn, u8 *ik, 181 u8 *ck, u8 *res, size_t *res_len) 182 { 183 int i; 184 u8 mac_a[8], ak[6]; 185 186 if (*res_len < 8) { 187 *res_len = 0; 188 return; 189 } 190 if (milenage_f1(opc, k, _rand, sqn, amf, mac_a, NULL) || 191 milenage_f2345(opc, k, _rand, res, ck, ik, ak, NULL)) { 192 *res_len = 0; 193 return; 194 } 195 *res_len = 8; 196 197 /* AUTN = (SQN ^ AK) || AMF || MAC */ 198 for (i = 0; i < 6; i++) 199 autn[i] = sqn[i] ^ ak[i]; 200 os_memcpy(autn + 6, amf, 2); 201 os_memcpy(autn + 8, mac_a, 8); 202 } 203 204 205 /** 206 * milenage_auts - Milenage AUTS validation 207 * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.) 208 * @k: K = 128-bit subscriber key 209 * @_rand: RAND = 128-bit random challenge 210 * @auts: AUTS = 112-bit authentication token from client 211 * @sqn: Buffer for SQN = 48-bit sequence number 212 * Returns: 0 = success (sqn filled), -1 on failure 213 */ 214 int milenage_auts(const u8 *opc, const u8 *k, const u8 *_rand, const u8 *auts, 215 u8 *sqn) 216 { 217 u8 amf[2] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */ 218 u8 ak[6], mac_s[8]; 219 int i; 220 221 if (milenage_f2345(opc, k, _rand, NULL, NULL, NULL, NULL, ak)) 222 return -1; 223 for (i = 0; i < 6; i++) 224 sqn[i] = auts[i] ^ ak[i]; 225 if (milenage_f1(opc, k, _rand, sqn, amf, NULL, mac_s) || 226 memcmp(mac_s, auts + 6, 8) != 0) 227 return -1; 228 return 0; 229 } 230 231 232 /** 233 * gsm_milenage - Generate GSM-Milenage (3GPP TS 55.205) authentication triplet 234 * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.) 235 * @k: K = 128-bit subscriber key 236 * @_rand: RAND = 128-bit random challenge 237 * @sres: Buffer for SRES = 32-bit SRES 238 * @kc: Buffer for Kc = 64-bit Kc 239 * Returns: 0 on success, -1 on failure 240 */ 241 int gsm_milenage(const u8 *opc, const u8 *k, const u8 *_rand, u8 *sres, u8 *kc) 242 { 243 u8 res[8], ck[16], ik[16]; 244 int i; 245 246 if (milenage_f2345(opc, k, _rand, res, ck, ik, NULL, NULL)) 247 return -1; 248 249 for (i = 0; i < 8; i++) 250 kc[i] = ck[i] ^ ck[i + 8] ^ ik[i] ^ ik[i + 8]; 251 252 #ifdef GSM_MILENAGE_ALT_SRES 253 os_memcpy(sres, res, 4); 254 #else /* GSM_MILENAGE_ALT_SRES */ 255 for (i = 0; i < 4; i++) 256 sres[i] = res[i] ^ res[i + 4]; 257 #endif /* GSM_MILENAGE_ALT_SRES */ 258 return 0; 259 } 260 261 262 /** 263 * milenage_generate - Generate AKA AUTN,IK,CK,RES 264 * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.) 265 * @k: K = 128-bit subscriber key 266 * @sqn: SQN = 48-bit sequence number 267 * @_rand: RAND = 128-bit random challenge 268 * @autn: AUTN = 128-bit authentication token 269 * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL 270 * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL 271 * @res: Buffer for RES = 64-bit signed response (f2), or %NULL 272 * @res_len: Variable that will be set to RES length 273 * @auts: 112-bit buffer for AUTS 274 * Returns: 0 on success, -1 on failure, or -2 on synchronization failure 275 */ 276 int milenage_check(const u8 *opc, const u8 *k, const u8 *sqn, const u8 *_rand, 277 const u8 *autn, u8 *ik, u8 *ck, u8 *res, size_t *res_len, 278 u8 *auts) 279 { 280 int i; 281 u8 mac_a[8], ak[6], rx_sqn[6]; 282 const u8 *amf; 283 284 wpa_hexdump(MSG_DEBUG, "Milenage: AUTN", autn, 16); 285 wpa_hexdump(MSG_DEBUG, "Milenage: RAND", _rand, 16); 286 287 if (milenage_f2345(opc, k, _rand, res, ck, ik, ak, NULL)) 288 return -1; 289 290 *res_len = 8; 291 wpa_hexdump_key(MSG_DEBUG, "Milenage: RES", res, *res_len); 292 wpa_hexdump_key(MSG_DEBUG, "Milenage: CK", ck, 16); 293 wpa_hexdump_key(MSG_DEBUG, "Milenage: IK", ik, 16); 294 wpa_hexdump_key(MSG_DEBUG, "Milenage: AK", ak, 6); 295 296 /* AUTN = (SQN ^ AK) || AMF || MAC */ 297 for (i = 0; i < 6; i++) 298 rx_sqn[i] = autn[i] ^ ak[i]; 299 wpa_hexdump(MSG_DEBUG, "Milenage: SQN", rx_sqn, 6); 300 301 if (os_memcmp(rx_sqn, sqn, 6) <= 0) { 302 u8 auts_amf[2] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */ 303 if (milenage_f2345(opc, k, _rand, NULL, NULL, NULL, NULL, ak)) 304 return -1; 305 wpa_hexdump_key(MSG_DEBUG, "Milenage: AK*", ak, 6); 306 for (i = 0; i < 6; i++) 307 auts[i] = sqn[i] ^ ak[i]; 308 if (milenage_f1(opc, k, _rand, sqn, auts_amf, NULL, auts + 6)) 309 return -1; 310 wpa_hexdump(MSG_DEBUG, "Milenage: AUTS", auts, 14); 311 return -2; 312 } 313 314 amf = autn + 6; 315 wpa_hexdump(MSG_DEBUG, "Milenage: AMF", amf, 2); 316 if (milenage_f1(opc, k, _rand, rx_sqn, amf, mac_a, NULL)) 317 return -1; 318 319 wpa_hexdump(MSG_DEBUG, "Milenage: MAC_A", mac_a, 8); 320 321 if (os_memcmp(mac_a, autn + 8, 8) != 0) { 322 wpa_printf(MSG_DEBUG, "Milenage: MAC mismatch"); 323 wpa_hexdump(MSG_DEBUG, "Milenage: Received MAC_A", 324 autn + 8, 8); 325 return -1; 326 } 327 328 return 0; 329 } 330
