Hi all,

Currently the Taipei team is implementing the EAP-SIM WiFi authentication protocol for B2G devices. We want to share the current architecture to find out whether there are any problems with or suggestions for this design, so any suggestion or question is welcome.

I will briefly describe what EAP-SIM is first, then introduce how we are going to implement it.

What is EAP-SIM?

The EAP-SIM protocol was developed by 3GPP, and it is an authentication method based on the Extensible Authentication Protocol (EAP) framework. It uses the SIM authentication algorithm between the client and the authentication server to provide mutual authentication. The basic idea is that each SIM card contains a private key, and this key is also stored in the operator's home location register (HLR), which can be identified by the IMSI of the SIM card. So the device sends its IMSI to the authentication server so that the server can retrieve the private key. Because both the device and the server have the same private key, they can use a challenge-response based authentication algorithm to verify each other.

Architecture - Modification:

wpa_supplicant supports the flow to handle EAP-SIM authentication; it uses a component that accesses the card reader interface to communicate with the SIM card and get the necessary information. But this way is not supported on our B2G devices. So what we are planning to do is use the Gecko RIL module instead of the card reader interface. Although we are trying not to modify wpa_supplicant, this task cannot be done without any modification of code in wpa_supplicant. So we limit our changes to one file (pcsc_funcs.c), whose original function is to access the SIM card through the card reader interface. What we do here is modify this file and redirect commands from wpa_supplicant to the Gecko module to get SIM information.

The pcsc_funcs.c file provides the following interfaces used by wpa_supplicant, and we will modify the implementation of each one:

1. scard_init : Establish an IPC connection to Gecko
2. scard_deinit : Close the IPC channel
3. scard_get_imsi : Use the established IPC connection to get the IMSI
4. scard_gsm_auth : Use the established IPC connection to notify RIL to do GSM authentication
5. scard_umts_auth : Use the established IPC connection to notify RIL to do UMTS authentication

You can use the following link to get a clearer view of this architecture.
https://docs.google.com/drawings/d/1FsY1EU_NF7Rsu_D6VU9V0KZHHSdSCXmV_MhwZ-6Mc0U/edit

Architecture - Flow of EAP-SIM:

When WifiManager is initialized, it first creates a worker thread that listens on a specific socket. We implement this component in gecko/ipc/wpasupplicant to handle this job. When wpa_supplicant is trying to connect to an AP with the EAP-SIM protocol, it will call scard_init first. In scard_init we will establish an IPC channel with ipc/wpasupplicant. When wpa_supplicant needs any SIM information or operation, it will call an API like scard_get_imsi, scard_gsm_auth, etc. We use the IPC channel established before and notify WifiManager that wpa_supplicant needs a SIM operation. Since WifiManager does not have the ability to access the SIM card, we create a RIL instance in WifiManager and use the API of RadioInterfaceLayer to execute the operation we need.

The following is the API we will need to add in nsIRadioInterfaceLayer.idl:

    interface nsIRadioInterfaceLayer : nsISupports {
      void simGSMAuthentication(in DOMString rand);
      void simUMTSAuthentication(in DOMString rand, in DOMString autn);
      ...
    };

Please feel free to share any suggestions; we are glad to hear any feedback :)

Thanks,
Best regards
Dimi
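The redirected scard_gsm_auth path described in the message above, as an added example that is not part of the original message or of the project's code: a shim that sends RAND over an already connected IPC socket and strictly validates the reply before copying into the caller's fixed-size SRES (4 bytes) and Kc (8 bytes) buffers. The line framing and the names shim_gsm_auth and parse_gsm_auth_reply are assumptions; the message does not define the wire format.

```c
/* Added example. The line framing ("GSM-AUTH <hex>" / "OK <hex> <hex>") is
 * hypothetical; the message does not define the IPC wire format. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h> /* socketpair(), for a local test harness */
#include <unistd.h>

enum { RAND_LEN = 16, SRES_LEN = 4, KC_LEN = 8, REPLY_LEN = 3 + 8 + 1 + 16 + 1 };

/* Decode exactly n bytes of lowercase hex; any other character fails the reply. */
static int hex_decode(const char *s, unsigned char *out, size_t n)
{
    for (size_t i = 0; i < 2 * n; i++) {
        char c = s[i];
        int v = (c >= '0' && c <= '9') ? c - '0' :
                (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
        if (v < 0) return -1;
        out[i / 2] = (unsigned char)((i % 2) ? (out[i / 2] | v) : (v << 4));
    }
    return 0;
}

/* Accept only "OK <8 hex SRES> <16 hex Kc>\n"; outputs are written on success only. */
int parse_gsm_auth_reply(const char *line, unsigned char *sres, unsigned char *kc)
{
    unsigned char s[SRES_LEN], k[KC_LEN];
    if (strlen(line) != (size_t)REPLY_LEN || strncmp(line, "OK ", 3) != 0 ||
        line[11] != ' ' || line[REPLY_LEN - 1] != '\n' ||
        hex_decode(line + 3, s, SRES_LEN) || hex_decode(line + 12, k, KC_LEN))
        return -1;
    memcpy(sres, s, SRES_LEN);
    memcpy(kc, k, KC_LEN);
    return 0;
}

/* Stand-in for a redirected scard_gsm_auth(): send RAND on fd, validate the reply. */
int shim_gsm_auth(int fd, const unsigned char *rand16, unsigned char *sres, unsigned char *kc)
{
    char req[9 + 2 * RAND_LEN + 2] = "GSM-AUTH ", reply[64];
    for (int i = 0; i < RAND_LEN; i++)
        snprintf(req + 9 + 2 * i, 3, "%02x", (unsigned)rand16[i]);
    req[9 + 2 * RAND_LEN] = '\n';
    if (write(fd, req, 10 + 2 * RAND_LEN) != 10 + 2 * RAND_LEN)
        return -1;
    ssize_t n = read(fd, reply, sizeof(reply) - 1); /* assumes one reply per read */
    if (n <= 0) return -1;
    reply[n] = '\0';
    return parse_gsm_auth_reply(reply, sres, kc);
}
```

A reply that is too long, too short, or contains non-hex characters is rejected as a whole, so data arriving over the IPC channel cannot overrun or partially fill the buffers wpa_supplicant passes in.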
