Re: EAP-SIM fast re-auth identity
From: Thomas Wieland (twieland
Date: Wed, 6 Apr 2005 03:41:37 -0400 (EDT)
Hi Madjid,
I'm not an author but "other people", but maybe I can shed
some light on this. Henry can always correct and expand.
There is nothing "wrong" with the identities used during full
authentication (i.e. either permanent identity, e.g. 1IMSI@realm,
or pseudonym identity). The "problem", if you will, is that by
definition of a full authentication, these identities require the
use of 2 or 3 GSM triplets to authenticate.
For one, this implies at least one round trip to a remote server,
i.e. the HLR/AuC where the triplets are generated. This is
usually much slower than going through the calculations
necessary to iterate the keying material locally at the AAA
server. It also means additional load on the HLR/AuC.
The second "bad" aspect is that each full EAP-SIM authentication uses
up 2 or 3 triplets. The number of triplets that can be generated by each
SIM is usually limited (e.g. to 50,000) due to security concerns. This
doesn't matter too much in a GSM mobile network as authentications
use only one triplet and occur relatively infrequently compared to,
for example, public WLAN. For EAP-SIM used in a PWLAN scenario,
not only do you use up 2 or 3 triplets per authentication, the authentications
also happen much more frequently. For example, every time
a PC gets turned on (or woken up), when a user roams between access
points, etc. You can see how you could be chewing through the available
triplets pretty fast and once you've reached the limit hard-wired into the
SIM, your SIM is dead and needs to be replaced.
By using the fast re-auth mechanism, not only do you speed up
EAP-SIM authentications (hence "fast" :-), you also reduce the
load on the back-end server (AuC) and extend the life of your SIM.
In other words, "it's a good thing".
Regards,
Thomas
At 10:05 05-04-05 -0500, Nakhjiri Madjid-MNAKHJI1 wrote:
Hi,
I have a question regarding the EAP-SIM method for fast re-authentication and would appreciate it if the authors and other people respond. Why is a specific identity used for fast re-authentication? What is the problem with using the identities that were used during the full authentication? The initial identity that is sent in EAP-Response/Identity should not have a problem, right?
Thanks in advance,
Madjid Nakhjiri
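The trade-off described in the reply above, as an added sketch that is not part of the original thread: a toy AAA server that uses the presented identity to choose between full authentication (HLR/AuC round trip, 3 triplets consumed) and fast re-authentication (keys iterated locally from cached state). The class names, the `reauth-` identity format, the realm, the test IMSI and the simplified SHA-1 key derivations are all assumptions made for illustration, not the exact EAP-SIM derivation.

```python
import hashlib
import os

class HlrAuc:
    """Stand-in for the remote HLR/AuC: counts round trips and triplets handed out."""
    def __init__(self):
        self.round_trips = self.triplets_issued = 0
    def get_triplets(self, imsi, n=3):
        self.round_trips += 1
        self.triplets_issued += n
        # Constructed (RAND, SRES, Kc) values with GSM sizes of 16, 4 and 8 bytes.
        return [(os.urandom(16), os.urandom(4), os.urandom(8)) for _ in range(n)]

class AaaServer:
    def __init__(self, hlr):
        self.hlr = hlr
        self.cache = {}  # fast re-auth identity -> (master key, counter)
    def _issue_reauth_id(self, mk, counter):
        rid = "reauth-" + os.urandom(8).hex() + "@example.org"  # hypothetical format
        self.cache[rid] = (mk, counter)
        return rid

    def authenticate(self, identity):
        """Return (kind, session key material, next fast re-auth identity)."""
        if identity.startswith("1"):  # permanent identity: full authentication
            imsi = identity[1:].split("@")[0]
            kcs = b"".join(kc for _, _, kc in self.hlr.get_triplets(imsi))
            mk = hashlib.sha1(identity.encode() + kcs).digest()  # simplified MK
            return "full", mk, self._issue_reauth_id(mk, 1)
        if identity not in self.cache:
            raise LookupError("unknown re-auth identity; full authentication needed")
        mk, counter = self.cache.pop(identity)  # each re-auth identity is single-use
        nonce_s = os.urandom(16)
        # Keys are iterated locally from the cached MK; the HLR/AuC is not contacted.
        xkey = hashlib.sha1(identity.encode() + counter.to_bytes(2, "big") + nonce_s + mk).digest()
        return "fast", xkey, self._issue_reauth_id(mk, counter + 1)

def simulate(events, fast_reauth=True):
    """Run `events` authentications for one SIM; return (kinds, round trips, triplets)."""
    hlr = HlrAuc()
    aaa = AaaServer(hlr)
    permanent = "1001010123456789@example.org"  # "1" + constructed test IMSI + realm
    identity, kinds = permanent, []
    for _ in range(events):
        kind, _key, next_id = aaa.authenticate(identity)
        kinds.append(kind)
        identity = next_id if fast_reauth else permanent
    return kinds, hlr.round_trips, hlr.triplets_issued
```

Calling `simulate(10)` and `simulate(10, fast_reauth=False)` side by side shows the difference in HLR/AuC round trips and triplets consumed for the same ten authentication events.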