EAP-AKA-Prime

What does EAP-AKA-Prime stand for?

  • EAP-AKA-Prime stands for Extensible Authentication Protocol - Authentication and Key Agreement (AKA) Prime.

  • It is an enhanced version of EAP-AKA, designed for authentication and key management in mobile networks, specifically 5G and 4G LTE.

What is EAP-AKA-Prime?

  • EAP-AKA-Prime is an authentication protocol used for secure communication between mobile devices (like smartphones) and network servers.

  • It is an evolved version of EAP-AKA, primarily used in 5G networks for authentication and key agreement between devices and the network.

  • It provides stronger protection against certain types of attacks compared to its predecessor (EAP-AKA).

Why is EAP-AKA-Prime useful?

  • Improved Security: EAP-AKA-Prime is more resistant to security threats, such as man-in-the-middle attacks and credential theft, offering enhanced protection for mobile network communications.

  • Enhanced Authentication: It uses a more secure process for mutual authentication, which ensures that both the client and the network are verified.

  • Supports 5G Networks: EAP-AKA-Prime is built for next-generation mobile networks, making it essential for 5G technology.

How does it work?

  • Key Exchange: The device and network exchange cryptographic keys using EAP-AKA-Prime to secure communications and ensure that unauthorized devices cannot connect.

  • Mutual Authentication: Both the device and the network authenticate each other, ensuring trust and secure data transfer.

  • Session Key Generation: After authentication, a session key is generated, which is used to encrypt communication between the device and the network.

Where is EAP-AKA-Prime used?

  • Mobile Networks: It is used extensively in 4G LTE and 5G mobile networks for authentication and secure key management.

  • SIM-based Authentication: Used in scenarios where a SIM card is present in mobile devices, especially for cellular and Wi-Fi networks.

Which OSI layer does this protocol belong to?

  • EAP-AKA-Prime operates at the Application Layer (Layer 7) of the OSI model.

  • It is part of the EAP framework and relies on lower layers for transport (such as RADIUS).

Is EAP-AKA-Prime Windows specific?

  • No, EAP-AKA-Prime is not Windows-specific.

  • It can be used on any platform that supports the EAP framework, including Android, iOS, Linux, and Windows.

Is EAP-AKA-Prime Linux Specific?

  • No, EAP-AKA-Prime is not Linux-specific.

  • It can work across multiple operating systems, as long as the network supports the EAP-AKA-Prime protocol, which is designed to be OS-agnostic.

Which Transport Protocol is used by EAP-AKA-Prime?

  • EAP-AKA-Prime uses the RADIUS protocol for communication between the client (mobile device) and the server (authentication server).

  • RADIUS typically uses UDP (User Datagram Protocol) as the transport protocol.

Which Port is used by EAP-AKA-Prime?

  • EAP-AKA-Prime operates over UDP port 1812 for authentication requests, which is the default port for RADIUS.

Is EAP-AKA-Prime using Client-server model?

  • Yes, EAP-AKA-Prime follows the client-server model.

  • The client (e.g., mobile device) authenticates with the server (e.g., network authentication server), and the server makes decisions based on the client’s credentials.

Does the EAP-AKA-Prime protocol use certificates?

  • Yes, EAP-AKA-Prime can utilize certificates in certain cases to verify the authenticity of the server or the client during the authentication process.

  • These certificates help in securing the authentication process and preventing man-in-the-middle attacks.

How many frame exchanges occur during an EAP-AKA-Prime connection?

  • The EAP-AKA-Prime connection procedure typically involves three frame exchanges:
    1. Initial Authentication Request
    2. Authentication Response
    3. Authentication Success/Failure

Does the EAP-AKA-Prime protocol use client certificates?

  • No, EAP-AKA-Prime generally does not require client certificates.

  • It relies on SIM-based authentication and other methods for verifying the client’s identity.

Does the EAP-AKA-Prime protocol use server certificates?

  • Yes, EAP-AKA-Prime typically uses server certificates to verify the authenticity of the network (server) during the authentication process.

Does the EAP-AKA-Prime protocol depend on TCP?

  • No, EAP-AKA-Prime typically depends on UDP, since it uses the RADIUS protocol for transport, which operates over UDP.

Does the EAP-AKA-Prime protocol depend on UDP?

  • Yes, EAP-AKA-Prime relies on UDP for transport, since it uses RADIUS over UDP for authentication and other communication.

What roles are involved when testing the EAP-AKA-Prime protocol?

  • Testers/Engineers: Individuals responsible for validating the functionality and security of the protocol.

  • RADIUS Server: The server that handles authentication requests.

  • Client Devices: Mobile devices, such as smartphones, which are involved in the connection process.

Does the EAP-AKA-Prime protocol work with the FreeRADIUS server on Linux?

  • Yes, EAP-AKA-Prime can work with the FreeRADIUS server on Linux.

  • FreeRADIUS supports various EAP protocols, including EAP-AKA-Prime, for authentication purposes.

Does the EAP-AKA-Prime protocol work with the internal RADIUS server of hostapd?

  • Yes, EAP-AKA-Prime can work with the internal RADIUS server provided by hostapd on Linux systems.

  • hostapd supports various EAP methods, including EAP-AKA-Prime.

Which RFC is used for the EAP-AKA-Prime protocol?

  • The RFC version for EAP-AKA-Prime is RFC 4187.

  • It is part of the broader EAP framework for authentication.

During the connection procedure, which EAPOL packets are encrypted?

  • During the connection procedure, the EAP-AKA-Prime protocol encrypts the authentication and key exchange packets to ensure privacy and prevent tampering.

Can you explain the different stages of the connection procedure for the EAP-AKA-Prime protocol?

  • Stage 1: The mobile device sends an EAP-Request/Identity packet.

  • Stage 2: The server responds with an EAP-Response/Identity packet and performs authentication.

  • Stage 3: The key exchange process is completed, followed by the EAP-Success message.
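The frame exchanges and stages listed above centre on one message, the EAP-Request/AKA'-Challenge that carries RAND, AUTN and the access network name, and on the AT_MAC that protects it. The following Python is an added example, not code from the original page or from any vendor implementation: it builds such a challenge the way a server would and parses it the way a peer would, verifying AT_MAC with HMAC-SHA-256-128 as RFC 5448 specifies (RFC 5448 defines EAP-AKA' on top of the EAP-AKA attribute format of RFC 4187). The K_aut key, RAND, AUTN and network name are constructed sample values; a real peer first checks AUTN against its USIM and only then derives K_aut, and it must treat a MAC failure or an unexpected network name as a failed exchange.

```python
import hmac
import hashlib
import struct

EAP_REQUEST = 1
EAP_TYPE_AKA_PRIME = 50          # EAP method type assigned to EAP-AKA' (RFC 5448)
SUBTYPE_AKA_CHALLENGE = 1
# Attribute type numbers from RFC 4187 section 11 and RFC 5448 section 3.
AT_RAND, AT_AUTN, AT_MAC, AT_KDF_INPUT, AT_KDF = 1, 2, 11, 23, 24


def build_attribute(attr_type, payload):
    """EAP-AKA TLV: Type(1) | Length(1, in 4-octet units incl. header) | payload, padded to 4."""
    body = payload
    while (len(body) + 2) % 4:
        body += b"\x00"
    return bytes([attr_type, (len(body) + 2) // 4]) + body


def build_challenge(identifier, rand, autn, network_name, k_aut):
    """Construct an EAP-Request/AKA'-Challenge as a server would, then fill in
    AT_MAC = HMAC-SHA-256-128(K_aut, whole packet with the MAC field zeroed)."""
    attrs = (build_attribute(AT_RAND, b"\x00\x00" + rand)          # 2 reserved octets + 16-octet RAND
             + build_attribute(AT_AUTN, b"\x00\x00" + autn)        # 2 reserved octets + 16-octet AUTN
             + build_attribute(AT_KDF_INPUT, struct.pack("!H", len(network_name)) + network_name)
             + build_attribute(AT_KDF, struct.pack("!H", 1))       # KDF 1 = CK'/IK' derivation of RFC 5448
             + build_attribute(AT_MAC, b"\x00\x00" + bytes(16)))   # placeholder MAC, filled in below
    header = struct.pack("!BBHBBH", EAP_REQUEST, identifier, 8 + len(attrs),
                         EAP_TYPE_AKA_PRIME, SUBTYPE_AKA_CHALLENGE, 0)
    pkt = header + attrs
    mac = hmac.new(k_aut, pkt, hashlib.sha256).digest()[:16]
    return pkt[:-16] + mac            # AT_MAC was appended last, so its value is the final 16 octets


def parse_attributes(data):
    """Walk the TLV list; return {type: (offset within data, value bytes)}. Rejects truncation."""
    attrs = {}
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, units = data[off], data[off + 1]
        size = units * 4
        if units == 0 or off + size > len(data):
            raise ValueError("attribute length exceeds packet")
        attrs[attr_type] = (off, data[off + 2:off + size])
        off += size
    return attrs


def parse_challenge(pkt, k_aut):
    """Peer-side parse of an EAP-Request/AKA'-Challenge. Structural errors raise;
    the result carries mac_ok so the caller can treat a bad MAC as a failed exchange."""
    if len(pkt) < 8:
        raise ValueError("packet shorter than EAP-AKA header")
    code, ident, length, etype, subtype, _ = struct.unpack("!BBHBBH", pkt[:8])
    if (code != EAP_REQUEST or length != len(pkt) or etype != EAP_TYPE_AKA_PRIME
            or subtype != SUBTYPE_AKA_CHALLENGE):
        raise ValueError("not an EAP-Request/AKA'-Challenge")
    attrs = parse_attributes(pkt[8:])
    for required in (AT_RAND, AT_AUTN, AT_KDF_INPUT, AT_KDF, AT_MAC):
        if required not in attrs:
            raise ValueError("missing attribute type %d" % required)
    mac_off, mac_val = attrs[AT_MAC]
    mac_start = 8 + mac_off + 4                  # skip attribute header (2) and reserved (2)
    zeroed = pkt[:mac_start] + bytes(16) + pkt[mac_start + 16:]
    expected = hmac.new(k_aut, zeroed, hashlib.sha256).digest()[:16]
    name_len = struct.unpack("!H", attrs[AT_KDF_INPUT][1][:2])[0]
    return {
        "identifier": ident,
        "rand": attrs[AT_RAND][1][2:18],
        "autn": attrs[AT_AUTN][1][2:18],
        "network_name": attrs[AT_KDF_INPUT][1][2:2 + name_len],
        "kdf": struct.unpack("!H", attrs[AT_KDF][1][:2])[0],
        "mac_ok": hmac.compare_digest(mac_val[2:18], expected),
    }


if __name__ == "__main__":
    k_aut = bytes(range(32))    # constructed; in practice derived from CK'/IK' through PRF'
    pkt = build_challenge(7, bytes(range(16)), bytes(16), b"WLAN", k_aut)
    print(parse_challenge(pkt, k_aut))
```

The parser checks the EAP length field against the bytes actually received and every attribute length against the remaining buffer before touching values, so a truncated or oversized packet is rejected rather than read past its end; the MAC comparison uses a constant-time compare and is made over the packet with the MAC field zeroed, which is exactly what the sender computed.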

What is the final output of Connection Procedure?

  • The final output is the generation of a session key (PMK), which is used to establish a secure connection between the client device and the network.

What is the format of the key generated after the connection procedure?

  • The key generated is typically a PMK (Pairwise Master Key) used for encrypting data traffic during the session.

How is the PMK generated by the connection procedure used?

  • The PMK is used to generate the PTK (Pairwise Transient Key) during the connection process, ensuring encrypted communication between the mobile device and the network.
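The "How does it work?" section and the PMK questions above describe key exchange, mutual authentication and session key generation in words; the Python below is an added example (not code from the original page or from any project) that carries the EAP-AKA' key hierarchy through in code. It implements the CK'/IK' derivation of 3GPP TS 33.402 Annex A.2, the PRF' of RFC 5448, and the split of the resulting master key into K_encr, K_aut, K_re, MSK and EMSK, with the first 256 bits of the MSK taken as the PMK that IEEE 802.11 hands to the four-way handshake. CK, IK, SQN xor AK, the network name and the identity are constructed sample values, not subscriber material; the Milenage step that produces CK/IK from the long-term key K is outside the example.

```python
import hmac
import hashlib

# Constructed sample inputs (not real subscriber material). CK and IK are the
# 128-bit keys the USIM and the home network both compute from the long-term
# key K and the challenge RAND; SQN_XOR_AK is the 48-bit field carried in AUTN.
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SQN_XOR_AK = bytes.fromhex("000000000100")
NETWORK_NAME = b"WLAN"   # access network identity sent in AT_KDF_INPUT
# '6' prefix marks an EAP-AKA' permanent identity; realm format per 3GPP TS 23.003 (sample value)
IDENTITY = b"6001010123456789@wlan.mnc001.mcc001.3gppnetwork.org"


def derive_ck_ik_prime(ck, ik, network_name, sqn_xor_ak):
    """CK'/IK' derivation of 3GPP TS 33.402 Annex A.2 using the TS 33.220 KDF.

    Key = CK || IK, S = FC || P0 || L0 || P1 || L1 with FC = 0x20,
    P0 = network name, P1 = SQN xor AK.  CK' is the first 128 bits of
    HMAC-SHA-256(Key, S) and IK' the last 128 bits.  Because the network
    name is an input, keys derived for one access network cannot be reused
    by another: this binding is the main security gain of AKA' over AKA.
    """
    s = (b"\x20"
         + network_name + len(network_name).to_bytes(2, "big")
         + sqn_xor_ak + len(sqn_xor_ak).to_bytes(2, "big"))
    out = hmac.new(ck + ik, s, hashlib.sha256).digest()
    return out[:16], out[16:]


def prf_prime(key, seed, length):
    """PRF' of RFC 5448 section 3.4.1:
    T1 = HMAC-SHA-256(K, S | 0x01), Tn = HMAC-SHA-256(K, T(n-1) | S | n)."""
    out = b""
    prev = b""
    counter = 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([counter]), hashlib.sha256).digest()
        out += prev
        counter += 1
    return out[:length]


def derive_eap_aka_prime_keys(ck_prime, ik_prime, identity):
    """Key hierarchy of RFC 5448 section 3.3:
    MK = PRF'(IK' | CK', "EAP-AKA'" | Identity), then
    K_encr (128 bits) | K_aut (256) | K_re (256) | MSK (512) | EMSK (512)."""
    mk = prf_prime(ik_prime + ck_prime, b"EAP-AKA'" + identity, 16 + 32 + 32 + 64 + 64)
    keys = {
        "K_encr": mk[0:16],     # protects AT_ENCR_DATA (e.g. pseudonyms, reauth ids)
        "K_aut": mk[16:48],     # keys the AT_MAC on every protected EAP-AKA' message
        "K_re": mk[48:80],      # re-authentication key
        "MSK": mk[80:144],      # exported to the authenticator (RADIUS MS-MPPE keys)
        "EMSK": mk[144:208],    # never leaves the peer and the EAP server
    }
    keys["PMK"] = keys["MSK"][:32]   # IEEE 802.11: PMK = first 256 bits of the MSK
    return keys


def demo():
    """Run the full derivation on the constructed inputs and return the key set."""
    ck_p, ik_p = derive_ck_ik_prime(CK, IK, NETWORK_NAME, SQN_XOR_AK)
    return derive_eap_aka_prime_keys(ck_p, ik_p, IDENTITY)


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-6s %3d bytes  %s" % (name, len(value), value.hex()))
```

Running it shows that the MSK (and therefore the PMK) changes when only the network name in AT_KDF_INPUT changes, which is the property that lets a peer detect a network presenting itself under a name it did not authenticate to; the EMSK is kept separate from the MSK so that material exported to the access network never reveals keys reserved for the home network.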
