Enea Aptilo SMP

SIM Authentication

SIM authentication provides a seamless and secure user experience

EAP-SIM/AKA/AKA’/5G-AKA

What is SIM Authentication?

SIM Authentication, also known as EAP-SIM/AKA/AKA’/5G-AKA, is all about a seamless and secure user experience. Users are automatically connected to the encrypted (802.1X) Wi-Fi network(s) defined in the Wi-Fi connection profile. A 3GPP AAA, such as the one in Enea Aptilo SMP and Enea Access Manager, integrates with the mobile core’s user identity database to authenticate and authorize the user. SIM authentication is also used to derive the keys for setting up the IPsec tunnel to the mobile core for Wi-Fi Calling.

EAP-SIM/AKA/AKA’ is also one of the cornerstones of Passpoint (Hotspot 2.0).


Seamless and Secure Authentication

The key to a successful mobile data offloading strategy is ease of use with a seamless and secure user experience. SIM-based authentication is a powerful tool for achieving these goals. With this method, mobile/cellular devices use the credentials in the SIM card / eSIM to authenticate the device for Wi-Fi service on a secure, 802.1X-capable Wi-Fi network. Users will just automatically and securely fly onto the Wi-Fi network.


EAP-SIM/AKA/AKA’/5G-AKA Optimized for Wi-Fi Offloading

Our SIM Authentication server, an integrated module in Enea Aptilo SMP, performs EAP-SIM/AKA/AKA’/5G-AKA authentication optimized with the standard 3GPP AAA functionalities needed for an offloading scenario, enabling SIM-based authentication for any secure Wi-Fi network. Furthermore, the Enea Aptilo mobile offloading solution supports various alternative authentication methods for devices without SIM cards or lacking support for the EAP-SIM/AKA/AKA’ method.

In the table below we summarize the differences between the EAP methods used for SIM authentication.


Consideration | EAP-SIM | EAP-AKA | EAP-AKA’ | 5G-AKA
--- | --- | --- | --- | ---
Network generation | 2G/3G | 3G/4G | 4G/5G | For the 5G SA architecture (note that EAP-AKA′ will be used for a long time)
Use case | Wi-Fi authentication | Wi-Fi authentication | Wi-Fi authentication | Cellular and Wi-Fi authentication
Key management | K_i (shared with USIM) | The key is derived from the SIM | The key is derived from the SIM and will be further enhanced with Perfect Forward Secrecy (PFS) (1) | The key is derived from the home network
Security features | Weak encryption | Advanced security | Further improved key management and security features | Enhanced user equipment identity protection; no cleartext identifiers (2), enforced by SUCI in 5G
Authentication type | Challenge-response | Challenge-response | Challenge-response | Challenge-response
Key derivation | Based on GSM algorithms | Based on 3G/4G algorithms | Improved key derivation (SHA-256) | Enhanced key separation
Identity protection | Limited | Improved, with protection against active attacks | Further improved, with stronger encryption | Strong protection (SUCI)
Mutual authentication (3) | Yes | Yes | Yes | Yes

1) PFS is a cryptographic property that protects past sessions against future compromises of the underlying secret keys in the SIM.

2) The Enea Aptilo SMP IMSI encryption is a non-standard extension supported by both iPhone and Android, which means that identifiers are not communicated in cleartext for EAP-SIM/AKA/AKA′. This provides protection for EAP-AKA/AKA’ similar to that of 5G SUCI.

3) Both the device and cellular network are verified in the process. It is not possible to present a “fake” mobile core.

In conclusion, the most common EAP method for Wi-Fi offloading today is EAP-AKA, closely followed by EAP-AKA′. For obvious reasons, EAP-SIM is mostly used in legacy deployments, and it will take time before we see widespread adoption of 5G-AKA.
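As an added illustration of the "Improved key derivation (SHA-256)" row above (example code written for this page, not Enea's or the Aptilo SMP's own implementation): the EAP-AKA’ derivation from 3GPP TS 33.402 Annex A.2 (CK’/IK’) and RFC 5448 (PRF’ and the master key split), run on constructed CK/IK/SQN values and a placeholder NAI. It shows why binding the access network name into the keys matters: the same USIM output produces different Wi-Fi session keys (MSK) for different network names.

```python
import hashlib
import hmac


def derive_ck_ik_prime(ck: bytes, ik: bytes, network_name: bytes, sqn_xor_ak: bytes):
    """CK'||IK' per 3GPP TS 33.402 Annex A.2: HMAC-SHA-256 keyed with CK||IK over
    FC=0x20 || network name || len || (SQN xor AK) || len. Mixing the access
    network name into the keys is what ties an EAP-AKA' session to one network."""
    if len(ck) != 16 or len(ik) != 16 or len(sqn_xor_ak) != 6:
        raise ValueError("CK and IK are 16 bytes, SQN xor AK is 6 bytes")
    s = (b"\x20" + network_name + len(network_name).to_bytes(2, "big")
         + sqn_xor_ak + (6).to_bytes(2, "big"))
    out = hmac.new(ck + ik, s, hashlib.sha256).digest()
    return out[:16], out[16:]  # CK' is the first 128 bits, IK' the last 128


def prf_prime(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5448 section 3.4.1 PRF': T1 = HMAC(K, S|0x01), Tn = HMAC(K, Tn-1|S|n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([n]), hashlib.sha256).digest()
        out += prev
        n += 1
    return out[:length]


def eap_aka_prime_keys(ck_p: bytes, ik_p: bytes, identity: bytes) -> dict:
    """RFC 5448 section 3.3: MK = PRF'(IK'|CK', "EAP-AKA'"|Identity), then sliced
    into the encryption, authentication, re-authentication and session keys."""
    mk = prf_prime(ik_p + ck_p, b"EAP-AKA'" + identity, 208)
    return {"K_encr": mk[0:16], "K_aut": mk[16:48], "K_re": mk[48:80],
            "MSK": mk[80:144], "EMSK": mk[144:208]}


def keys_for_network(network_name: bytes) -> dict:
    """Run the full derivation for one access network name. CK, IK and SQN xor AK
    are constructed sample values, not output of a real USIM; the identity is a
    placeholder NAI in the 3GPP realm format using the test PLMN 001/01."""
    ck = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    ik = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed
    sqn_xor_ak = bytes.fromhex("000102030405")              # constructed
    identity = b"6001010123456789@wlan.mnc001.mcc001.3gppnetwork.org"  # placeholder
    ck_p, ik_p = derive_ck_ik_prime(ck, ik, network_name, sqn_xor_ak)
    return eap_aka_prime_keys(ck_p, ik_p, identity)


def msk_bound_to_network() -> bool:
    """Same CK/IK, two network names: the MSK handed to the Wi-Fi access differs,
    so keys derived for one access network are useless on another."""
    return keys_for_network(b"WLAN")["MSK"] != keys_for_network(b"OTHER-NET")["MSK"]
```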

SIM Authentication for Wi-Fi as Secure as Cellular

One of the key benefits of using the SIM / eSIM for authentication (EAP-SIM/AKA/AKA’/5G-AKA) is that both the authentication process and the data become as secure as on the cellular network. Learn more technical details under the How does it work? tab.


EAP-SIM/AKA/AKA’/5G-AKA for Mobile Devices

Delivered as a module on Enea Aptilo Service Management Platform (SMP), the Aptilo SMP SIM Authentication server integrates with the mobile core to obtain a seamless and secure user experience when authenticating the mobile device. As Enea Aptilo SMP (software) or SMP-S (service on AWS) is the core platform, you can get seamless Wi-Fi Offload, Carrier Wi-Fi, and B2B Guest Wi-Fi support from the same scalable platform.

We can also provide the 3GPP AAA functionality for Wi-Fi Calling, even though we recommend the Enea Access Manager if this is all you want to do.


Enea Aptilo SMP SIM authentication and OSS/BSS integration

Using Existing Mobile Infrastructure

A mobile operator (MNO/MVNO) can leverage the existing infrastructure for HLR/HSS/AUSF by adding a dedicated EAP-SIM/AKA/AKA’/5G-AKA authentication function.

The Enea Aptilo SMP SIM Authentication server provides a means of authentication with the subscriber credentials in the SIM card / eSIM. It provides SIM/USIM-based authentication for Wi-Fi users based on the information retrieved from the existing HSS over the Diameter Wx interface (supporting 3GPP Release 7 and onwards). It can do the same with data from the HLR over the SS7/MAP D’/Gr’ interface (supporting 3GPP Release 6 and onwards).

It can also interact with existing core network systems such as PCRF/PCF and DPI, and OSS/BSS systems such as CRM, to build advanced policies for the session. One example is to first authenticate the user seamlessly and then engage them with a portal experience, or send an SMS/e-mail, if the policies for the current location and user type dictate it.

Using our vendor-agnostic solution, you can use the existing mobile infrastructure independent of the HLR/HSS vendor and regardless of system generation.

Scalability and Availability

When automatically and actively offloading cellular users, mobile operators need to handle Wi-Fi as a service that is as critical as mobile broadband.

This calls for an exceptionally scalable architecture with high availability. Our solution caters to this as we have built it on our SMP ALE architecture which takes the scalability and availability issue out of the equation with linear scalability and high availability, including geographic redundancy.

It supports SNMP-based network management, meaning service providers can integrate this node into the overall NOC operations.

Flexible Connectivity to HSS/HLR in the Mobile Core

The Enea Aptilo SMP SIM Authentication server can easily connect to existing SS7 networks and can be delivered with an optional SS7 PCI-Express board. Additionally, to facilitate connection with next-generation IP networks, it can handle SS7 over IP using the built-in support for SIGTRAN. The physical link for the IP-based SIGTRAN protocol and Diameter Wx is the native high-capacity IP network adapter in the server hardware. Many SS7 and SIGTRAN protocols are supported to facilitate smooth integration with the mobile core. Different national variants (ANSI, ITU, Chinese, and Japanese) and hybrid variants are also supported. Authentication for both USIM- and SIM-based devices simultaneously provides a seamless migration path from older to newer devices.

Enea Aptilo SMP SIM authentication multi-HLR/HSS/AUSF environment

With a dedicated and purpose-built function for SIM-based authentication, a service provider gets the most flexibility in terms of network topology. In a multi-HLR and -HSS environment, we provide a central aggregation point for all Wi-Fi-based SIM authentication requests. We can perform authentications against multiple HLR and HSS nodes from different vendors. As discussed under the real-world solution tab, we could also potentially do SIM authentication for 5G standalone (5G SA), even if the 3GPP AAA is no longer part of the specifications for 5G SA. Thanks to the central aggregation point based on Enea Aptilo SMP multi-vendor support, it is possible to connect various other Wi-Fi systems that perform RADIUS signaling for the individual Wi-Fi networks.

It is also possible to deploy co-located with each HLR/HSS and configure a connection to the Wi-Fi AAA from each authentication node.