HewlettPackard / PacketRusher

High performance 5G UE/gNB Simulator and CP/UP load tester.
Apache License 2.0

[BUG] Authentication failure with MAC failure #73

Closed abousselmi closed 5 months ago

abousselmi commented 5 months ago

Describe the bug

MAC verification failure using Free5GC and PacketRusher.

I've tried to comment out the MAC verification step here https://github.com/HewlettPackard/PacketRusher/blob/d892028d4c4a73cba0c2bad3eabb1be7b6ae0e19/internal/control_test_engine/ue/context/context.go#L590

to find out that RES in UE's Authentication response is different from the AV's RES*.

Also, do you know why the UE is sending a key set id = 1 in the initial registration message? Shouldn't it be 7?

Thanks!

To Reproduce

Steps to reproduce the behavior:

  1. Run free5gc using free5gc-compose
  2. Execute packetrusher using the provided config file

Expected behavior

UE registration OK

Architecture (please complete the following information):

Log:

./packetrusher --config /config/config.yml ue
INFO[0000] Loaded config at: /config/config.yml
INFO[0000] PacketRusher version 1.0.1
INFO[0000] ---------------------------------------
INFO[0000] [TESTER] Starting test function: Testing an ue attached with configuration
INFO[0000] [TESTER][UE] Number of UEs: 1
INFO[0000] [TESTER][UE] disableTunnel is false
INFO[0000] [TESTER][GNB] Control interface IP/Port: 10.100.200.200/9487
INFO[0000] [TESTER][GNB] Data interface IP/Port: 10.100.200.200/2152
INFO[0000] [TESTER][AMF] AMF IP/Port: amf.free5gc.org/38412
INFO[0000] ---------------------------------------
INFO[0000] [GNB] SCTP/NGAP service is running
INFO[0000] [GNB] Initiating NG Setup Request
INFO[0000] [GNB][SCTP] Receive message in 0 stream
INFO[0000] [GNB][NGAP] Receive NG Setup Response
INFO[0000] [GNB][AMF] AMF Name: AMF
INFO[0000] [GNB][AMF] State of AMF: Active
INFO[0000] [GNB][AMF] Capacity of AMF: 255
INFO[0000] [GNB][AMF] PLMNs Identities Supported by AMF -- mcc: 208 mnc:93
INFO[0000] [GNB][AMF] List of AMF slices Supported by AMF -- sst:01 sd:010203
INFO[0000] [GNB][AMF] List of AMF slices Supported by AMF -- sst:01 sd:112233
INFO[0001] [TESTER] TESTING REGISTRATION USING IMSI 0000000003 UE
INFO[0001] [GNB] Received incoming connection from new UE
INFO[0001] [UE] Initiating Registration
INFO[0001] [UE] Switched from state 0 to state 1
INFO[0001] [GNB][SCTP] Receive message in 0 stream
INFO[0001] [GNB][NGAP] Receive Downlink NAS Transport
INFO[0001] [UE][NAS] Message without security header
INFO[0001] [UE][NAS] Receive Authentication Request
INFO[0001] [UE][NAS][MAC] Authenticity of the authentication request message: FAILED
INFO[0001] [UE][NAS] Send authentication failure with MAC failure
INFO[0001] [GNB][SCTP] Receive message in 0 stream
INFO[0001] [GNB][NGAP] Receive Downlink NAS Transport
INFO[0001] [UE][NAS] Message without security header
INFO[0001] [UE][NAS] Receive Authentication Reject
INFO[0001] [UE][NAS] Authentication of UE 1 failed
INFO[0001] [UE] Switched from state 1 to state 1
INFO[0001] [GNB][SCTP] Receive message in 0 stream
INFO[0001] [GNB][NGAP] Receive UE Context Release Command
INFO[0001] [GNB] Initiating UE Context Complete
WARN[0001] [UE][0000000003] Stopping UE as communication with gNB was closed
INFO[0001] [GNB][NGAP] Releasing UE Context, cause: nas: Authentication failure
^CINFO[0006] [UE] Terminating UE as requested
INFO[0006] [UE] UE Terminated
INFO[0006] [UE] Switched from state 1 to state 0

PR config:

gnodeb:
  controlif:
    ip: "10.100.200.200"
    port: 9487
  dataif:
    ip: "10.100.200.200"
    port: 2152
  plmnlist:
    mcc: "208"
    mnc: "93"
    tac: "000001"
    gnbid: "000001"
  slicesupportlist:
    sst: "01"
    sd: "010203"

ue:
  msin: "0000000003"
  key: "8e27b6af0e692e750f32667a3b14605d"
  opc: "8baf473f2f8fd09487cccbd7097c6862"
  amf: "8000"
  sqn: "000000000000"
  dnn: "internet"
  #routingindicator: "1"
  hplmn:
    mcc: "208"
    mnc: "93"
  snssai:
    sst: 01
    sd: "010203"
  integrity:
    nia0: true
    nia1: true
    nia2: true
    nia3: true
  ciphering:
    nea0: true
    nea1: true
    nea2: true
    nea3: true

amfif:
  ip: "amf.free5gc.org"
  port: 38412

logs:
  level: 4

Pcap: mac-failure.zip


linouxis9 commented 5 months ago

Hi @abousselmi!

Thanks for your report. Does it work if only NIA2 and NEA2 are set to true? If so, does it work with all NEA/NIA algorithms set to true except NEA3/NIA3?

I don't remember exactly the content of ngKsi, I'll review TS 24.501 and report back. I'll also take a look at the pcap, thanks!

abousselmi commented 5 months ago

Hi @linouxis9

Thanks for your feedback!

  1. Only NIA2/NEA2 set to true: I've tested setting only NIA2 and NEA2 to true as you suggested, but the issue is still there. It was expected because algorithm selection happens in the security mode command procedure.

  2. ngKSI: Coming back to the ngKsi, according to TS 24.501, Table 9.11.3.32.1: NAS key set identifier information element, 111 (or 7) corresponds to the case when no key is available (UE to network), which I suppose is the case of the Initial message.
    In UERANSIM, the default value of the ksi is set to 7: https://github.com/aligungr/UERANSIM/blob/392b71414c48d75b5723ebcbcfad27906d90db6b/src/lib/nas/ie1.hpp#L139

  3. Auth failure: It seems there is nothing wrong with the milenage functions. I compared the results using MilenageTest and it was the same. I'm still not able to see what could possibly make the MAC sent by the network different from what the UE is computing.

INFO[0000] Loaded config at: /config/config.yml
INFO[0000] PacketRusher version 1.0.1
INFO[0000] ---------------------------------------
INFO[0000] [TESTER] Starting test function: Testing an ue attached with configuration
INFO[0000] [TESTER][UE] Number of UEs: 1
INFO[0000] [TESTER][UE] disableTunnel is false
INFO[0000] [TESTER][GNB] Control interface IP/Port: 10.100.200.200/9487
INFO[0000] [TESTER][GNB] Data interface IP/Port: 10.100.200.200/2152
INFO[0000] [TESTER][AMF] AMF IP/Port: amf.free5gc.org/38412
INFO[0000] ---------------------------------------
INFO[0000] [GNB] SCTP/NGAP service is running
INFO[0000] [GNB] Initiating NG Setup Request
INFO[0000] [GNB][SCTP] Receive message in 0 stream
INFO[0000] [GNB][NGAP] Receive NG Setup Response
INFO[0000] [GNB][AMF] AMF Name: AMF
INFO[0000] [GNB][AMF] State of AMF: Active
INFO[0000] [GNB][AMF] Capacity of AMF: 255
INFO[0000] [GNB][AMF] PLMNs Identities Supported by AMF -- mcc: 208 mnc:93
INFO[0000] [GNB][AMF] List of AMF slices Supported by AMF -- sst:01 sd:010203
INFO[0000] [GNB][AMF] List of AMF slices Supported by AMF -- sst:01 sd:112233
INFO[0001] [TESTER] TESTING REGISTRATION USING IMSI 0000000003 UE
INFO[0001] [GNB] Received incoming connection from new UE
INFO[0001] [UE] Initiating Registration
INFO[0001] [UE] Switched from state 0 to state 1
INFO[0001] [GNB][SCTP] Receive message in 0 stream
INFO[0001] [GNB][NGAP] Receive Downlink NAS Transport
INFO[0001] [UE][NAS] Message without security header
INFO[0001] [UE][NAS] Receive Authentication Request
======== SQN from AUTN =  [233 74 12 88 255 85]
======== AUTN =  [100 159 24 118 251 29 128 0 88 217 62 6 203 114 13 68]
======== OPC =  [139 175 71 63 47 143 208 148 135 204 203 215 9 124 104 98]
======== K =  [142 39 182 175 14 105 46 117 15 50 102 122 59 20 96 93]
======== RAND =  [127 218 63 75 141 5 101 255 60 250 117 222 59 30 178 177]
======== sqnHn =  [233 74 12 88 255 85]
======== AMF =  [128 0]
======== RES =  [124 153 121 19 125 91 72 118]
======== sqnUE =  [0 0 0 0 0 35]
======== mac_aHn (received) =  [88 217 62 6 203 114 13 68]
======== mac_a (generated) =  [179 162 144 69 253 45 14 172]
======== mac_s =  [20 23 15 242 142 39 58 138]
INFO[0001] [UE][NAS][MAC] Authenticity of the authentication request message: FAILED
INFO[0001] [UE][NAS] Send authentication failure with MAC failure
INFO[0001] [GNB][SCTP] Receive message in 0 stream
INFO[0001] [GNB][NGAP] Receive Downlink NAS Transport
INFO[0001] [UE][NAS] Message without security header
INFO[0001] [UE][NAS] Receive Authentication Reject
INFO[0001] [UE][NAS] Authentication of UE 1 failed
INFO[0001] [UE] Switched from state 1 to state 1
INFO[0001] [GNB][SCTP] Receive message in 0 stream
INFO[0001] [GNB][NGAP] Receive UE Context Release Command
INFO[0001] [GNB] Initiating UE Context Complete
WARN[0001] [UE][0000000003] Stopping UE as communication with gNB was closed
INFO[0001] [GNB][NGAP] Releasing UE Context, cause: nas: Authentication failure
######################################################################################
# welcome to milenage based authentication troubleshooting tool.                     #
# please input the number below to call different menu.                              #
# 1. compute MAC and RES/RES* based on secret key,OP,RAND and AUTN.                  #
# 2. compute MAC and RES/RES* based on secret key,OPc,RAND and AUTN.                 #
# 3. print value of constant C1-C5 and R1-R5 in 3gpp 35.206 used for above item 1&2  #
# 4. print the source code from 3gpp 35.206 used for above item 1&2                  #
# 5. print the source code of RES* value calculation for 5G based on HMAC_SHA256     #
######################################################################################
Please select the menu by input number 1-5:2
please input hex value of secret key(padded by 00 if less than 16 bytes)(no space allowed):8e27b6af0e692e750f32667a3b14605d
please input hex value of opc(no space allowed):8baf473f2f8fd09487cccbd7097c6862
please input hex value of rand(no space allowed):7fda3f4b8d0565ff3cfa75de3b1eb2b1
please input hex value of AUTN(no space allowed):649f1876fb1d800058d93e06cb720d44

The SQN_XOR_AK from network should be first 6 bytes of AUTN, which is (0x): 649f1876fb1d
The AMF from network should be the 7th and 8th byte of AUTN, which is (0x): 8000
The MAC-A from network should be the last 8 bytes of AUTN, which is   (0x): 58d93e06cb720d44
Based on the above provided parameters:

The AK computed by f2 function in 3gpp 35.206 should be      (0x):8dd5142e0448
The SQN computed by AK XOR SQN_XOR_AK should be              (0x):e94a0c58ff55
The CK computed by F3 function in 3gpp 35.206 should be      (0x):c93dd980dbf676570cd87c03d955651f
The IK computed by F4 function in 3gpp 35.206 should be      (0x):4cddc011da0ed1c43ff004264e03252b
The RES(4G) computed by F2 function in 3gpp 35.206 should be (0x):7c9979137d5b4876
the mac-a computed by f1 function in 3gpp 35.206 should be   (0x):b3a29045fd2d0eac
The MAC-A retrieved from AUTN is                             (0x):58d93e06cb720d44

The computed mac_a and retrieved mac_a from AUTN are not matched

Any ideas?

linouxis9 commented 5 months ago

Hi @abousselmi!

Thank you for the reference about ngKsi, I'll fix it :-)

Are you sure that you correctly provisioned the same AMF value (8000) for your SUPI in your UDR as in PR's configuration? The Authentication Management Field is used as part of the MAC calculation, and you often end up with this kind of weird MAC failure when using the wrong AMF value.

Cheers, Valentin

abousselmi commented 5 months ago

Hi @linouxis9

I just made a PR for the ngKsi. I don't know if that's the best way to do it though.

Regarding the AMF, yes, it's 8000. I'm using the default config of free5gc-compose project.

Besides, I have a UERANSIM container running and I can register the UE. The configuration is basically the same.

I'll keep digging and let you know in case I find something.

Thanks again.

linouxis9 commented 5 months ago

Hi @abousselmi,

I'll take a look, thanks!

It's interesting that you are getting this error, as I didn't have any issues with free5gc (and Open5GS and some proprietary 5GC), and the free5gc devs didn't seem to have issues with PacketRusher either. Something else comes to my mind: were you ever able to have a UE register with PR and free5gc? If so, what did you change for it to not work? One thing that I see is you commenting out the routing indicator, messing up the configuration; only sd has been tested to be commented out. Other values may not necessarily have default values set yet when they are commented out. Can you try setting routingindicator: "0000"? Also, as with tac, make sure to respect the default length.

Make sure to have a configuration as close as possible to that of the default one in terms of things commented out and in lengths.

Thanks and cheers! Valentin

abousselmi commented 5 months ago

Hi @linouxis9

After taking a closer look into the configuration, I found that I've mixed up K and OPc 🤦‍♂️ Now the UE is running just fine 👍

Thanks again for your support 💯

Cheers,

linouxis9 commented 5 months ago

Haha, no worries, but indeed, I was really not seeing how the issue could be something other than a provisioning or configuration issue :-) Good luck!
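
The UE-side check that fails in the logs above, written out as an added example (not PacketRusher's code and not part of the thread): it recovers SQN from AUTN with Milenage f5 and recomputes MAC-A with f1 per TS 35.206, using the K, OPc, RAND and AUTN values posted in the thread. The function name `checkAUTN` is an assumption of this example; `main` runs it once with the values as posted and once with K and OPc exchanged, the mix-up the reporter identified.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// checkAUTN (hypothetical name) recovers SQN from AUTN and recomputes MAC-A
// the way a UE does before accepting an Authentication Request.
func checkAUTN(k, opc, rnd, autn []byte) (sqn, xmac []byte, ok bool) {
	c, err := aes.NewCipher(k)
	if err != nil || len(k) != 16 || len(opc) != 16 || len(rnd) != 16 || len(autn) != 16 {
		return nil, nil, false
	}
	enc := func(in []byte) []byte { out := make([]byte, 16); c.Encrypt(out, in); return out }
	temp := enc(xor(rnd, opc)) // TEMP = E_K(RAND ^ OPc)
	in2 := xor(temp, opc)      // f5 input: rotation r2 = 0, constant c2 = 0..01
	in2[15] ^= 1
	ak := xor(enc(in2), opc)[:6]
	sqn = xor(autn[:6], ak) // AUTN = (SQN ^ AK) || AMF || MAC-A
	half := append(append([]byte{}, sqn...), autn[6:8]...) // SQN || AMF
	in1 := xor(append(half, half...), opc)
	rot := append(append([]byte{}, in1[8:]...), in1[:8]...) // f1: r1 = 64 bits, c1 = 0
	xmac = xor(enc(xor(temp, rot)), opc)[:8]
	return sqn, xmac, subtle.ConstantTimeCompare(xmac, autn[8:]) == 1
}

func main() {
	h := func(s string) []byte { b, _ := hex.DecodeString(s); return b }
	// key and opc as in the posted PR config; RAND and AUTN from the debug output.
	k, opc := h("8e27b6af0e692e750f32667a3b14605d"), h("8baf473f2f8fd09487cccbd7097c6862")
	rnd, autn := h("7fda3f4b8d0565ff3cfa75de3b1eb2b1"), h("649f1876fb1d800058d93e06cb720d44")
	for _, p := range [][2][]byte{{k, opc}, {opc, k}} { // as posted, then exchanged
		sqn, xmac, ok := checkAUTN(p[0], p[1], rnd, autn)
		fmt.Printf("SQN=%x XMAC=%x MAC-A=%x match=%v\n", sqn, xmac, autn[8:], ok)
	}
}
```

A recovered SQN that looks random rather than close to the UE's stored counter is a quick sign that K or OPc differs between the UE configuration and the subscriber record in the core.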