Michael C. Richardson
Sandelman Software Works Inc.
mcr@sandelman.ottawa.on.ca
August 27, 2003
The FreeRadius project is an open source radius server supporting EAP. The EAP-SIM method permits SIM authentication to be carried in the EAP protocol. This document describes a project to augment the freeradius server to support authenticating SIM credentials against a database, a custom (XOR) testing facility, and stubs for SS7.
The purpose of this project is to provide infrastructure such that a compatible client can authenticate itself using a SIM card.
There are five systems involved:
The protocol between client and radius server is EAP.
The protocol between client and authentication system is SIM.
The protocol between gateway/server system and radius server is radius.
The protocol between client system and gateway/server system is application-dependent, and may be PPP, 802.11i, IKEv2, etc.
The goal is that a client may use its SIM card to authenticate itself to the server using EAP-SIM over X.
An extension to the freeradius client will be written. This will be new EAP type code in modules/rlm_eap/types/rlm_eap_sim.
Only a single EAP-SIM mechanism will be supported at one time.
Initial work will focus on a faked "XOR" SIM challenge. This will be done via a call interface that will permit an SS7 interface to be added later.
An EAP-SIM capable radius client will be created in order to perform testing, and provide a structure into which a SIM-card reader could be attached.
The document draft-haverinen-pppext-eap-sim-11.txt will be used as the basis for the EAP-SIM protocol.
All files will be delivered in patch form to the customer, and to freeradius.org for inclusion into the server.
A new radius module called eap_sim will be created.
A new program will be created that acts as a radius EAP-SIM client.
This project represents no more than 5 days of effort.
Work will be completed by approximately September 22, 2003.
Install and test fresh copy of radius server. Review documentation on EAP and EAP-SIM, and formulate plan of attack.
Write radeapclient client based upon "radclient". Test with EAP-MD5 mode.
Write skeleton of EAP-SIM server component and link it in; configure server to offer challenge of this kind.
Test skeleton code.
Build XOR dummy SIM authenticator - client and server.
Refactor code (if necessary) to expose SIM challenge/lookup code more clearly. Document how this would be interfaced to a database of challenges.
Test with challenge in database.
Document database interaction and limits of method.
Document possible SS7 interface API.
Clean up code and submit it.
Contingency day.
The price is US $1000/day. All source code will be provided, and will be licensed under the GPL.