[PATCH 1/3] Add initial OAP protocol design document

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.

Neels Hofmeyr nhofmeyr at sysmocom.de
Thu Sep 24 12:01:38 UTC 2015


Hello all,

these patches are sitting in branch neels/sgsn-id in openbsc.git. The
planned new feature is outlined in the commit log messages.

It's my first larger patch submission for openbsc, which I am developing
as a sysmocom employee, while this work is sponsored by On-Waves ehf.

It's not completely done yet, in the sense of more tests and config UI,
and the authentication method/direction may be subject to discussion:

Currently, the server (MAP proxy) sends a 16 octet AUTN to authenticate
itself. The client (SGSN) only sends a 4 byte SRES in response. IMHO
that's not enough, so I've made the SGSN also send the Kc along with the
SRES as a challenge response. That's a bit untypical, since the Kc is
usually kept secret on both sides, to use as encryption key. We don't use
it as encryption key, but it could make sense to turn the authn process
around instead: let the *client* send a 16 bit AUTN, and have the server
reply with 4 SRES octets (and omit Kc). This would make it more difficult
to spoof an SGSN, while keeping Kc private as usual. (If a fake SGSN is
accepted, the upstream network infra may be compromised. Guarding against
a spoofed MAP proxy is less security sensitive, so 4 octets may suffice
there.)

Any comments are more than welcome!

Thanks,

~Neels

On Thu, Sep 24, 2015 at 01:44:06PM +0200, Neels Hofmeyr wrote:
> Sponsored-by: On-Waves ehf
> ---
>  openbsc/doc/osmocom-authn-protocol.txt | 191 +++++++++++++++++++++++++++++++++
>  1 file changed, 191 insertions(+)
>  create mode 100644 openbsc/doc/osmocom-authn-protocol.txt
[...]
