User's Manual

Mobile WiMAX RAS SPI-2L10 System Description/Ed.00
© SAMSUNG Electronics Co., Ltd.
4-5
Category Description
(0)~(2) When the ACR receives the MS_PreAttachment_Ack message from the RAS as the response to the SBC-RSP message, it sends the RAS the AuthRelay-EAP-Transfer message containing the EAP Request/Identity payload to begin EAP authentication. The RAS relays the received EAP payload to the MS using the PKMv2 EAP-Transfer/PKM-RSP message.
(3)~(5) The MS includes its NAI in the EAP Response/Identity and sends the RAS the PKMv2 EAP-Transfer/PKM-REQ message. The RAS relays the received information to the ACR using the AuthRelay-EAP-Transfer message. The authenticator in the ACR analyzes the NAI and transmits a Diameter EAP Request (DER) message (when using the Diameter protocol) or an Access-Request (AR) message (when using the RADIUS protocol) to the home AAA server of the MS.
(6)~(11) The subscriber authentication procedure is performed between the MS and the AAA server in accordance with the EAP method. It is carried out using Diameter EAP Request (DER)/Diameter EAP Answer (DEA) messages (when the Diameter protocol is used) or Access-Challenge/Access-Request messages (when the RADIUS protocol is used).
(12)~(16) When authentication completes successfully, the ACR receives from the AAA server the Master Session Key (MSK), the top-level key from which the security keys are derived, together with the provisioned per-subscriber policy information, in the Diameter EAP Answer (DEA) message (when the Diameter protocol is used) or the Access-Accept message (when the RADIUS protocol is used). The ACR creates an AK from the MSK and sends the RAS the Key_Change_Directive message containing the created AK Context information and the Security Association (SA) information of the MS. The RAS then delivers EAP Success to the MS using the PKMv2 EAP-Transfer message.
(17)~(19) After EAP authentication, the RAS sends the MS the SA-TEK-Challenge message to verify the AK key value held by the MS and to notify the start of SA negotiation. The MS verifies the CMAC of the SA-TEK-Challenge message, thereby verifying the AK key value, and then sends the RAS its SA negotiation information in the SA-TEK-Request. The RAS sends the MS the SA-TEK-Response message containing not only the AKID but also the SA Descriptor, which is the final SA negotiation result.
(20)~(21) The MS requests a Traffic Encryption Key (TEK) from the RAS using the PKMv2 Key-Request message. The RAS creates a random TEK and sends it to the MS using the PKMv2 Key-Reply message. The TEK is sent encrypted with a Key Encryption Key (KEK).
Types and Uses of Keys
The types and uses of keys are as follows:
- MSK: Used to create an AK
- AK: Used to create a CMAC key
- KEK: Used to encrypt a TEK
- CMAC key: Used to provide integrity for the MAC management message
- TEK: Used to encrypt traffic in the air section