Revision 2 (laforge, 04/27/2022 05:19 PM) → Revision 3/4 (laforge, 04/27/2022 05:23 PM)

h1. Manually Testing USIM Authentication 

 {{>toc}} 

 This page describes how you can use Osmocom tools to manually test USIM / ISIM authentication against a SIM card. 

 h2. Prerequisites 

 * A USIM card of which you know the secret key K + OP/OPc 
 * A smart card interface device ("reader") supported by pysim (such as any pcsc-lite / libccid compatible reader) 
 * @osmo-auc-gen@ program (part of [[libosmocore:]]) 
 * @pySim-shell@ program (part of [[pysim:]]) 


 h2. Step-by-step guide 



 h3. Generate a 16-byte random challenge 

 Let's use @/dev/random@ to generate 16 bytes of randomness and convert it to hexadecimal: 

 <pre> 
 $ dd if=/dev/random bs=16 count=1 2>/dev/null | xxd -p -l 100 
 8188388ad5cdd481b02298ff29827791 
 </pre> 

 h3. Generating the actual quintuple using @osmo-auc-gen@ 

 This process mimics what is happening inside the Authentication Centre part of the HLR/HSS of your 2G/3G/4G network: Deriving RES from K, OP/OPc and SEQ/SQN. 

 We use the card-specific K + OPc values we received from the card manufacturer, as well as the random value we generated in the previous step: 

 <pre> 
 $ osmo-auc-gen --3g --algorithm MILENAGE --key 77291F1E17132ADD86DC23A3AF601C89 --opc 831AFD01EF48692EC6FD18AEAB6CF381 --rand 8188388ad5cdd481b02298ff29827791 
 osmo-auc-gen (C) 2011-2012 by Harald Welte 
 This is FREE SOFTWARE with ABSOLUTELY NO WARRANTY 

 RAND:     8188388ad5cdd481b02298ff29827791 
 AUTN:     7f62c464f6d60000b77b88e0f6b9449c 
 IK:       43c7bc1e8e193ed2e0e7e164126bbed5 
 CK:       a0188b5f7724878b86b9a336d8f2e327 
 RES:      b4013d66d107a2b6 
 IMS nonce:        gYg4itXN1IGwIpj/KYJ3kX9ixGT21gAAt3uI4Pa5RJw= 
 IMS res:          tAE9ZtEHorY= 
 SRES:     65069fd0 
 Kc:       8581751333a4e4ab 
 SQN:      32 
 IND:      0 
 </pre> 

 This shows us the following information: 
 * input data (RAND, IND, SQN) 
 * the challenge the network would send via radio interface to the UE/phone/modem (RAND, AUTN) 
 * the data the network keeps on the network side and does *not* send over radio: 
 ** the A3 authentication result value (RES) 
 ** the A8 generated keys for integrity protection and ciphering (IK, CK) 
 ** the derived GSM values in case of fall-back to 2G (Kc, SRES) 

 

 h3. Performing authentication with the card, using @pySim-shell@ 

 We now perform what the phone/modem does with the SIM card when it receives the RAND + AUTN values from the cellular network via a @AUTHENTICATION REQUEST@. 

 For this, we use [[pysim:]], specifically the @authenticate@ command in it. It takes two parameters: @rand@ and @autn@ (copy+pasted from the above execution of osmo-auc-gen). 

 As we want to do UMTS-AKA against the USIM application on the card, we must first select @ADF.USIM@. 

 <pre> 
 $ ./pySim-shell.py -p0 
 Using PC/SC reader interface 
 Waiting for card... 
 Autodetected card type: sysmoISIM-SJA2 
 Info: Card is of type: UICC-SIM 
 AIDs on card: 
  USIM: a0000000871002ffffffff8907090000 (EF.DIR) 
  ISIM: a0000000871004ffffffff8907090000 (EF.DIR) 
  ADF.ISD: a000000003000000 
  ARA-M: a00000015141434c00 
 Detected CardModel: SysmocomSJA2 
 Welcome to pySim-shell! 
 pySIM-shell (MF)> select ADF.USIM 
 pySIM-shell (MF/ADF.USIM)> authenticate 8188388ad5cdd481b02298ff29827791 7f62c464f6d60000b77b88e0f6b9449c 
 { 
     "successful_3g_authentication": { 
         "res": "b4013d66d107a2b6", 
         "ck": "a0188b5f7724878b86b9a336d8f2e327", 
         "ik": "43c7bc1e8e193ed2e0e7e164126bbed5", 
         "kc": "8581751333a4e4ab" 
     } 
 } 
 </pre> 

 In this successful case, we see the card has accepted the AUTN nonce and generated the following output parameters: 
 * authentication result (RES); would be sent back to the network, where the network compares it with the expected RES value it has computed earlier. If it matches, authentication is OK. 
 * integrity protection (IK) and ciphering (CK) keys 
 ** used for air interface protection on 3G/UMTS after a @CIPHERING MODE COMMAND@ 
 ** used in derived forms for air interface protection and NAS protection in 4G/LTE 
 * GSM ciphering key (Kc); used for encryption on 2G/GSM/GPRS after a @CIPHERING MODE COMMAND@ 

 h4. Unsuccessful case (re-synchronization) 

 If the SQN/SEQ number on the card and on the network (HSS/HLR) side don't match, the card will refuse authentication and return an @AUTS@ value for re-synchronization. 

 If this happens with pySim-shell, it will look like below: 
 <pre> 
 pySIM-shell (MF/ADF.USIM)> authenticate 8188388ad5cdd481b02298ff29827791 7f62c464f6d60000b77b88e0f6b9449c 
 { 
     "synchronisation_failure": { 
         "auts": "3156b88af1197c4611e142d75ef0" 
     } 
 } 
 </pre> 

 You must then go back to @osmo-auc-gen@ and re-execute it using the same @rand@ value, but in addition specifying @auts@: 

 <pre> 
 $ osmo-auc-gen --3g --algorithm MILENAGE --key 77291F1E17132ADD86DC23A3AF601C89 --opc 831AFD01EF48692EC6FD18AEAB6CF381 --rand 8188388ad5cdd481b02298ff29827791 --auts 3156b88af1197c4611e142d75ef0 
 osmo-auc-gen (C) 2011-2012 by Harald Welte 
 This is FREE SOFTWARE with ABSOLUTELY NO WARRANTY 

 RAND:     8188388ad5cdd481b02298ff29827791 
 AUTN:     7f62c464f6b60000dc15fe983df347ae 
 IK:       43c7bc1e8e193ed2e0e7e164126bbed5 
 CK:       a0188b5f7724878b86b9a336d8f2e327 
 RES:      b4013d66d107a2b6 
 IMS nonce:        gYg4itXN1IGwIpj/KYJ3kX9ixGT2tgAA3BX+mD3zR64= 
 IMS res:          tAE9ZtEHorY= 
 SRES:     65069fd0 
 Kc:       8581751333a4e4ab 
 SQN:      64 
 IND:      0 
 SQN.MS: 32 
 </pre> 

 This generates a new AUTN value for the same RAND. Use that again in pySim, and authentication will succeed again: 

 <pre> 
 pySIM-shell (MF/ADF.USIM)> authenticate 8188388ad5cdd481b02298ff29827791 7f62c464f6b60000dc15fe983df347ae 
 { 
     "successful_3g_authentication": { 
         "res": "b4013d66d107a2b6", 
         "ck": "a0188b5f7724878b86b9a336d8f2e327", 
         "ik": "43c7bc1e8e193ed2e0e7e164126bbed5", 
         "kc": "8581751333a4e4ab" 
     } 
 } 
 </pre> 
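
 The AUTN and AUTS values exchanged above have a fixed layout: AUTN is (SQN xor AK) | AMF | MAC-A, and AUTS is (SQN.MS xor AK*) | MAC-S. The following Python sketch is an added example, not part of the original page or of the Osmocom tools; it splits the values from the transcripts above and checks that both AUTNs conceal their SQN with the same AK. The function names and the 5-bit IND length are assumptions.

```python
# Added example. Hex values are copied from the transcripts on this page;
# function names are illustrative, not part of pySim or libosmocore.

AUTN_FIRST = "7f62c464f6d60000b77b88e0f6b9449c"   # osmo-auc-gen run with SQN 32
AUTN_RESYNC = "7f62c464f6b60000dc15fe983df347ae"  # run with --auts, SQN 64
AUTS = "3156b88af1197c4611e142d75ef0"             # returned by the card, SQN.MS 32

def parse_autn(autn_hex):
    """Split a 16-byte AUTN into (SQN xor AK) | AMF | MAC-A."""
    raw = bytes.fromhex(autn_hex)
    if len(raw) != 16:
        raise ValueError("AUTN must be 16 bytes, got %d" % len(raw))
    return {"sqn_xor_ak": raw[:6], "amf": raw[6:8], "mac_a": raw[8:]}

def parse_auts(auts_hex):
    """Split a 14-byte AUTS into (SQN.MS xor AK*) | MAC-S."""
    raw = bytes.fromhex(auts_hex)
    if len(raw) != 14:
        raise ValueError("AUTS must be 14 bytes, got %d" % len(raw))
    return {"sqn_ms_xor_ak": raw[:6], "mac_s": raw[6:]}

def unmask(field, sqn):
    """XOR a 48-bit concealed field with the known SQN to get the mask (AK or AK*)."""
    return (int.from_bytes(field, "big") ^ sqn).to_bytes(6, "big")

def split_sqn(sqn, ind_bitlen=5):
    """Split SQN into (SEQ, IND); ind_bitlen=5 is an assumption that fits 'IND: 0' above."""
    return sqn >> ind_bitlen, sqn & ((1 << ind_bitlen) - 1)

def analyse():
    first, resync, auts = parse_autn(AUTN_FIRST), parse_autn(AUTN_RESYNC), parse_auts(AUTS)
    ak_first = unmask(first["sqn_xor_ak"], 32)
    ak_resync = unmask(resync["sqn_xor_ak"], 64)
    return {
        "ak": ak_first.hex(),
        # AK depends only on K, OPc and RAND, so both runs must use the same mask
        "same_ak": ak_first == ak_resync,
        # MAC-A covers SQN, so it changes although K and RAND are unchanged
        "mac_changed": first["mac_a"] != resync["mac_a"],
        "ak_star": unmask(auts["sqn_ms_xor_ak"], 32).hex(),
        "seq_ind": (split_sqn(32), split_sqn(64)),
    }

if __name__ == "__main__":
    for name, value in analyse().items():
        print(name, value)
```

 If @same_ak@ came out false for two AUTNs generated from the same K, OPc and RAND, one of the SQN values fed into the check would be wrong.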


 h4. Unsuccessful case (MAC failure) 

 If you used the wrong K/OP/OPc key material on the network/osmo-auc-gen side, then the card will report a MAC failure: 

 <pre> 
 pySIM-shell (MF/ADF.USIM)> authenticate 7188388ad5cdd481b02298ff29827791 7f62c464f6b60000dc15fe983df347ae 
 EXCEPTION of type 'SwMatchError' occurred with message: 'SW match failed! Expected 9000 and got 9862: Security management - Authentication error, incorrect MAC' 
 </pre>