Bug #2793

phone "swiss one SC230" fails to do ciphering with 2G and 3G auth tokens present

Added by neels 4 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 12/29/2017
Due date:
% Done: 100%
Resolution:

Description

On 34c3, a person comes with the above MS, and I see Location Updating Rejects.
Authentication works with UMTS AKA, but Ciphering Mode Command times out.

As soon as I remove the aud_3g tokens from the HLR, the phone is happy, i.e. doing GSM AKA.

Not sure what action we should be taking, just noting this down so far.
It is the first time that I notice an R99 MS being unable to handle UMTS AKA on GERAN.

os2793_samsungB2100_ciph_fail.pcapng (34.6 KB) neels, 03/09/2018 11:49 PM

os2793_works_now.pcapng (51.2 KB) neels, 03/10/2018 03:34 AM

History

#1 Updated by neels 4 months ago

Like one minute later, another MS came to the GSM room with the same problem: Samsung GT-E1050.

This time I also tried with just 3G tokens, which results in SRES mismatch.
Removing 3G tokens from the HLR makes the MS work with our network.

#2 Updated by neels 4 months ago

Another identical report from Nokia 2610 RH-86.
Maybe we're still doing something wrong after all.

#3 Updated by laforge 4 months ago

  • Assignee set to neels

I ordered a SC230 so we can hopefully reproduce.

#4 Updated by neels 4 months ago

I took the SC 230, just in case someone wonders where it went.

#5 Updated by neels about 2 months ago

Also got the Samsung B2100 and was able to reproduce the issue.

In the attached trace, I have 2G comp128v1 and 3G milenage tokens set up in the database.
Authentication goes fine, but the Ciphering Mode Command times out.
The cause is this:
  • We send a UMTS AKA challenge in the Authentication Request.
  • But we receive back a GSM AKA result (SRES) -- the VLR log clearly states:
    "VLR INFO OsmoMSC SUBSCR AUTH established GSM security context"
    (see packet 115 in os2793_samsungB2100_ciph_fail.pcapng)
  • Nevertheless, we use the UMTS AKA Kc as ciphering key, while the MS clearly went for GSM AKA.

A fix is coming up...
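
The key-selection rule implied by the diagnosis in comment #5, as an added example (not part of the ticket and not OsmoMSC code): the ciphering key has to follow the security context the MS actually established. All names are hypothetical, RES is assumed to be 8 bytes, and the sample vector is constructed; the c3 conversion is the one defined in 3GPP TS 33.102.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical names, constructed for illustration; not OsmoMSC structures. */
enum sec_ctx { CTX_REJECT = 0, CTX_GSM, CTX_UMTS };

struct auth_vec {
	uint8_t sres[4], kc[8];          /* 2G part of the vector (e.g. COMP128v1) */
	uint8_t res[8], ck[16], ik[16];  /* 3G part of the vector (e.g. Milenage) */
};

/* 3GPP TS 33.102 conversion function c3: Kc = CK1 ^ CK2 ^ IK1 ^ IK2 */
static void c3_kc(const uint8_t *ck, const uint8_t *ik, uint8_t *kc)
{
	for (int i = 0; i < 8; i++)
		kc[i] = ck[i] ^ ck[i + 8] ^ ik[i] ^ ik[i + 8];
}

/* Decide the security context from what the MS actually answered, and
 * take the ciphering key from that same context. */
enum sec_ctx select_kc(const struct auth_vec *v, const uint8_t *resp,
		       size_t resp_len, uint8_t kc_out[8])
{
	if (resp_len == sizeof(v->sres) && !memcmp(resp, v->sres, resp_len)) {
		memcpy(kc_out, v->kc, 8);     /* MS did GSM AKA: use the 2G Kc */
		return CTX_GSM;
	}
	if (resp_len == sizeof(v->res) && !memcmp(resp, v->res, resp_len)) {
		c3_kc(v->ck, v->ik, kc_out);  /* MS did UMTS AKA: Kc = c3(CK, IK) */
		return CTX_UMTS;
	}
	return CTX_REJECT;                    /* wrong size or value: no key */
}

/* Constructed sample vector, not taken from the attached pcaps. */
static const struct auth_vec sample_vec = {
	.sres = {0xde, 0xad, 0xbe, 0xef},
	.kc   = {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17},
	.res  = {0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7},
	.ck   = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
	.ik   = {0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
		 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22},
};

int main(void)
{
	uint8_t kc[8];  /* an SRES answer must select the GSM context and 2G Kc */
	return select_kc(&sample_vec, sample_vec.sres, 4, kc) == CTX_GSM ? 0 : 1;
}
```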

#6 Updated by neels about 2 months ago

The fix https://gerrit.osmocom.org/7187 is preceded by a test that pinpoints the failure.
In the attached pcap, notice how the log says "established GSM security context" (again packet 115) and now the ciphering works out.

In the process, I also found a fix for gracefully rejecting malformed auth responses: https://gerrit.osmocom.org/7188
and threw in a bunch more tests with various auth response failures around SRES/RES sizes.

#7 Updated by neels about 2 months ago

  • Tracker changed from Feature to Bug
  • Project changed from Cellular Network Infrastructure to OsmoMSC

#8 Updated by neels about 2 months ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100

Fix is merged.
