If you need some example pcap traces generated by any of these tools, just send an email to fasferraz@gmail.com


5/4/11

UMTS Security Algorithm – Milenage

I’ve done this application in 2004, in the beginning of the UMTS rollout.
In this application I’ve implemented the MILENAGE algorithm defined in 3GPP 35.206, that is one example of the AKA algorithm that runs in the HLR and in the USIM as specified in 3GPP 33.102: 

Generation of authentication vectors in HLR:
 


User authentication function in the USIM:


Construction of the parameter AUTS:


The MILENAGE algorithm framework is the following:


With this application every parameter used in the MILENAGE algorithm can be changed, and the corresponding f1 to f5 functions generated.
I’ve added also the conversion functions for inter-operation and handover between UMTS and GSM defined in 3GPP 33.102.


I’ve tested it successfully using the “Implementers’ Test Data” examples provided in 3GPP 35.207, and also with real examples.
This application can be used to detect erroneous behaviors of the ME, USIM or Network Elements (HLR, SGSN and RNC) in terms of security procedures.

This application can be downloaded for free. You can get it here
Note: This installation includes a test file (teste.dat that can be found inside the installation directory).
Posted by at
Labels: , , , ,

12 comments:

  1. Unknown5/20/13, 12:22 AM

    Caro Fabricio
    Obrigado por a sua informação desponibilizada mas diga me o algoritimo A3A8 implementado no sistema Comp128 v2 v3 vai ser alterado? Ou já se encontra implementado nas novas SIM Card?
    Agradecido por alguma informação
    J.Fonseca
    joanfonseka@gmail.com
    PT

    ReplyDelete
  2. SUBHAM SINGH3/13/14, 9:53 AM

    Really very helpful tool for testing keys calculation.... thanks Fabricio Ferraz

    ReplyDelete
  3. krishnu mvc10/29/14, 11:46 AM

    Its really helpfull tool..Great work Fabricio Ferraz.. Thanks allot

    ReplyDelete
  4. krishnu mvc10/29/14, 11:48 AM

    If AUTS too included in the tool. it helps for Re-synchronization case

    ReplyDelete
  5. Unknown7/14/15, 2:10 PM

    I'm working on D2D in LTE , i need to execute AKA for my simulation in matlab. could you please explain the procedure to link it with matlab?

    ReplyDelete
  6. chiranjiv12/2/16, 6:35 AM

    Hi Fabrício,
    Can you help me how to generate the Sequence no. for UMTS-Milenage for each Authentication request SQN (SEQ,IND).
    How SEQ and IND coming into picture and used to generate the SQN.

    Thanks

    ReplyDelete
  7. Fabricio Ferraz12/2/16, 9:58 AM

    There are different methods to generate SQN. please check Annex C of 33.102 (https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2262)

    ReplyDelete
  8. ISRAEL4/9/17, 3:08 AM

    Thanks works like charm, good work Fabrico.
    Best Reagards

    ReplyDelete
  9. veenone8/6/20, 7:16 AM

    Hello Fabricio,
    I just stumbled to your page and it's great what you posted here!

    however I have a question,
    How can you calculate SEQ & ID for f5 &f5*?
    I couldn't find the reference anywhere..

    ReplyDelete
    Replies
    1. Fabricio Ferraz8/6/20, 10:27 PM

      SQN is a 48 bits variable, that can be decomposed in two parts: SQN = SEQ || IND. For all the profiles referred in annex C of 33.102, IND is 5 bits , so you can decompose the SQN in IND with: IND = SQN mod 32. And SEQ = SQN div 32.

      Delete
    2. veenone8/10/20, 9:06 AM

      I see, thanks for the info :)

      Additionally, about AUTS.. when this AUTS returned by the UICC actually?
      How to make the AUTS returned instead of RES, and Kc value?

      Delete
  10. Unknown2/25/21, 12:48 AM

    Hi Fabricio

    What is the correct formatting of the dat file? I would like to calculate OPc from Ki and OP

    ReplyDelete

Subscribe to: Post Comments (Atom)