Project

General

Profile

Actions

Bug #2793

closed

phone "swiss one SC230" fails to do ciphering with 2G and 3G auth tokens present

Added by neels about 6 years ago. Updated about 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Start date:
12/29/2017
Due date:
% Done:

100%

Resolution:
Spec Reference:

Description

on 34c3, person comes with above MS, and I see Location Updating Rejects.
Authentication works with UMTS AKA, but Ciphering Mode Command times out.

As soon as I remove the aud_3g tokens from the HLR, the phone is happy, i.e. doing GSM AKA.

Not sure what action we should be taking, just noting this down so far.
It is the first time that I notice an R99 MS being unable to handle UMTS AKA on GERAN.


Files

Actions #1

Updated by neels about 6 years ago

like one minute later another MS came to the GSM room with the same problem: Samsung GT-E1050

This time I also tried with just 3G tokens, which results in SRES mismatch.
Removing 3G tokens from the HLR makes the MS work with our network.

Actions #2

Updated by neels about 6 years ago

another identical report from Nokia 2610 RH-86
Maybe we're still doing something wrong after all.

Actions #3

Updated by laforge about 6 years ago

  • Assignee set to neels

I ordered a SC230 so we can hopefully reproduce.

Actions #4

Updated by neels about 6 years ago

I took the SC 230, just in case someone wonders where it went.

Actions #5

Updated by neels about 6 years ago

Also got the Samsung B2100 and was able to reproduce the issue.

In attached trace, I have 2G comp128v1 and 3G milenage tokens set up in the database.
Authentication goes fine, but the Ciphering Mode Command times out.
The cause is this:
  • We send a UMTS AKA challenge in the Authentication Request.
  • But we receive back a GSM AKA result (SRES) -- the VLR log clearly states:
    "VLR INFO OsmoMSC SUBSCR AUTH established GSM security context"
    (see packet 115 in os2793_samsungB2100_ciph_fail.pcapng )
  • Nevertheless, we use the UMTS AKA Kc as ciphering key, while the MS clearly went for GSM AKA.

A fix is coming up...

Actions #6

Updated by neels about 6 years ago

The fix https://gerrit.osmocom.org/7187 is preceded by a test that pinpoints the failure.
In attached pcap, notice how the log says "established GSM security context" (again packet 115) and now the ciphering works out.

In the process, I also found a fix for gracefully rejecting malformed auth responses: https://gerrit.osmocom.org/7188
and threw in a bunch of more tests with various auth response failures around SRES/RES sizes.

Actions #7

Updated by neels about 6 years ago

  • Tracker changed from Feature to Bug
  • Project changed from Cellular Network Infrastructure to OsmoMSC
Actions #8

Updated by neels about 6 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100

fix is merged

Actions

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)