Re: [Emu] draft-ietf-emu-aka-pfs and IMSI privacy for Wi-Fi

John Mattsson <john.mattsson@ericsson.com> Sat, 17 December 2022 14:43 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Heikki Vatiainen <hvn@radiatorsoftware.com>, EMU WG <emu@ietf.org>
Date: Sat, 17 Dec 2022 14:43:48 +0000
Message-ID: <HE1PR0701MB3050A7982141BEB256F429C989E79@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <CAA7Lko8-pouLJDR6X08Gn-OW957BA94POBoaDXUJYr_2Ej1vyQ@mail.gmail.com>
In-Reply-To: <CAA7Lko8-pouLJDR6X08Gn-OW957BA94POBoaDXUJYr_2Ej1vyQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/q5XWmTYtfqPFWcI4fi1bjJyXV6Y>
Subject: Re: [Emu] draft-ietf-emu-aka-pfs and IMSI privacy for Wi-Fi
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>

Thanks Heikki,

- Looking at the Android page below (I did not want to register at WBA) it seems like EAP-AKA' FS will be treated the same as EAP-AKA'. They use the same EAP-Method prefix.
https://source.android.com/docs/core/connect/carrier-wifi

- draft-ietf-emu-aka-pfs-08 only mentions SUCI once:

  “The two initially registered elliptic curves and their wire format is
   chosen to align with the elliptic curves and formats specified for
   Subscription Concealed Identifier (SUCI) encryption in Appendix C.3.4
   of 3GPP TS 33.501 [TS.33.501].”

This is still true and I don’t see any need for changes based on ‘IMSI Privacy Protection for Wi-Fi’.

Even if I don’t see any changes needed, I will open an issue on GitHub.

More privacy is always great, but the IMSI Privacy Protection for Wi-Fi seems a bit weird to me. Does anybody know the background and reason behind the standard? 3GPP standardized a mechanism to encrypt IMSIs already in 2018. I have a hard time seeing what the WBA standard adds that is not available in the 3GPP mechanism.
- In 5G, the permanent identities can be any NAI (i.e., not only NAIs derived from IMSIs); these devices cannot use the WBA standard.
- RSA-2048 is, according to NIST, only allowed for use until 2031 – the lifetime of the data you are protecting. If you want to protect your data for more than 8 years (2031 - 2023), the WBA standard is already forbidden for use by NIST.

Cheers,
John

From: Emu <emu-bounces@ietf.org> on behalf of Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Friday, 18 November 2022 at 15:44
To: EMU WG <emu@ietf.org>
Subject: [Emu] draft-ietf-emu-aka-pfs and IMSI privacy for Wi-Fi

In last week's EMU meeting I had a question about draft-ietf-emu-aka-pfs in relation to IMSI privacy protection defined for Wi-Fi networks. As promised, here's more information about the Wi-Fi privacy specification.

The Wi-Fi privacy specification is by the Wireless Broadband Alliance (WBA) and it's called 'IMSI Privacy Protection for Wi-Fi'. It's available from here:
   https://wballiance.com/imsi-privacy-protection-for-wi-fi/

I'm not familiar with draft-ietf-emu-aka-pfs, the first time I thought about these two documents was during the meeting, but I've looked into the WBA specification. What it does is tell how to encrypt the permanent identity, hiding the IMSI from eavesdroppers.

Thanks,
Heikki
--
Heikki Vatiainen
hvn@radiatorsoftware.com