UMTS AKA support
Even over a GSM/GPRS RAN, most phone today can perform mutual authentication based on UMTS AKA.
libosmocore also already has the UMTS authentication code in place for years, but OsmoNITB is not using it. HLR changes are associated with it, as we need to store K+OPC+SQN.
#5 Updated by neels about 1 year ago
First UMTS AKA test suites have been added to osmo-hlr (testing e.g. correct tuples generated
for GSM with UMTS AKA with test vectors taken from 3GPP TS 55.205) and on openbsc on the
neels/vlr branch (testing pure UMTS AKA over UTRAN). More details: https://osmocom.org/issues/1711#note-12
#9 Updated by neels about 1 year ago
- % Done changed from 0 to 50
copied from "3G Auth" #1711:
Verified with real equipment that our GSM-Milenage algorithm (for abbreviated Milenage on pre-R99 networks)
works with a sysmoUSIM-SJS1 configured to do Milenage for both 2G and 3G.
One thing though, I expected this to now do full UMTS Auth when using an R99+ MS, and the GSM-Milenage fallback
only when the MS is pre-R99. But even though the USIM is in an R99+ MS (Samsung Galaxy S4m), the LU Request still
indicates "GSM phase 2" in the classmark and GSM-Milenage is used instead of normal UMTS Milenage.
Unless we find out how to test this on pre-R99, we will only be able to test full UMTS auth when we have the
sysmocom/iu branch rebased onto the VLR developments. So far the msc_vlr end-to-end tests suggest that UMTS AKA
will work on real equipment with OsmoNITB (branch neels/vlr).
#11 Updated by neels about 1 year ago
Indeed SI3 contains a Control Channel Description with a previously spare bit set to 1 for R99 or later,
which our MSC sends as 0 and thus indicates to the MS that we're not capable of UMTS.
3GPP TS 44.018 9.1.35 'System information type 3' and 10.5.2.11 'Control Channel Description'
#12 Updated by neels about 1 year ago
We currently send "MSC is pre R99" for MSC in SI3 and "SGSN is R99+" in SI13.
First test with MSCR set to R99 reveals that now the MS (Quectel EC20) indeed sends R99 in
classmark1 and happily runs an authentication sync request (Auth Failure with AUTS token),
after which our MSC/VLR fails to send another Authentication Request.
After a few attempts, the LU is successful because no sync is requested.
That's because the USIM was also used on another test setup and has a higher key SQN,
and the HLR db by coincidence caught up with that SQN after a few LU requests.
So the conclusion is that basic UMTS AKA works, but we still have some bug in the AUTS process.
Debugging it now.
#14 Updated by neels about 1 year ago
- % Done changed from 50 to 90
accompanied by tests and others:
With these fixes and the VLR branch, tests with real equipment show successful UMTS AKA
including AUTS resync with OsmoNITB on a GSM network with R99 MSC and MS. Excellent!