The Sentinel Authentication Gateway comes with the naf-key and naf-digest tools, for creating keys during testing.
Both are command-line Java-based tools, in the build directory of the SDK:
build/bin/sentinel-gaa-tools
The tools will need execute permissions added (for example, 'chmod 755 naf-key').
NAF Key
The naf-key tool generates a NAF-specific shared key for a bootstrapping session.
You use this key as the password input for the NAF Digest tool.
Example usage
Here is typical naf-key output:
./naf-key -ciphersuite TLS_RSA_PSK_WITH_AES_256_CBC_SHA -algorithm milenage -k 01230123012301230123012301230123 -op 01230123012301230123012301230123 -nonce 01230123012301230123012301230123 -impi foo -naf localhost -d
Used 'milenage' to calculate:
RAND[d35db7d35db7d35db7d35db7d35db7d3]
XRES[9e36e4504d6c1642]
CK[54db12b604c37068d5de7002ad73d549]
IK[f48eaf850176834c9f17771b43951a6e]
14:21:45,336 DEBUG <main> [sentinel.gaa.keydata] generateKsNAF:
14:21:45,336 DEBUG <main> [sentinel.gaa.keydata] ck: CK[54db12b604c37068d5de7002ad73d549]
14:21:45,337 DEBUG <main> [sentinel.gaa.keydata] ik: IK[f48eaf850176834c9f17771b43951a6e]
14:21:45,337 DEBUG <main> [sentinel.gaa.keydata] ks: Ks[54db12b604c37068d5de7002ad73d549f48eaf850176834c9f17771b43951a6e]
14:21:45,337 DEBUG <main> [sentinel.gaa.keydata] rand: RAND[d35db7d35db7d35db7d35db7d35db7d3]
14:21:45,337 DEBUG <main> [sentinel.gaa.keydata] impi: foo
14:21:45,337 DEBUG <main> [sentinel.gaa.keydata] nafAddress: localhost
14:21:45,337 DEBUG <main> [sentinel.gaa.keydata] => KsNAF: [9129f2e75d0e5847497c4eb835a39b932b3fc21d9c278f8cfaa4a34ec2761a32]
kSny510OWEdJfE64NaObkys/wh2cJ4+M+qSjTsJ2GjI=
Available flags
Here is the help output showing the tool options:
Usage: naf-key [options]
  Options:
    -algorithm
       The HSS algorithm
       Default: milenage
    -ciphersuite
       The TLS ciphersuite name used for the UE<->NAF HTTPS connection
    -d
       Show debugging output
       Default: false
    -h, -help
       Display this usage message
       Default: false
  * -impi
       The IMPI (private identity) for this security association
  * -k
       The 128-bit subscriber key
    -list-ciphersuites
       List supported cipher suite names
       Default: false
  * -naf
       The NAF address used by the UE (Host header)
  * -nonce
       The NONCE value
  * -op
       The 128-bit Operator Variant Algorithm Configuration Field
At the moment only the milenage algorithm is supported.
NAF Digest Calculation
The naf-digest calculation tool creates an HTTP message digest response.
Example usage
Here is typical naf-digest output:
./naf-digest -method GET -body bodyOfMessage -realm foo -qop auth-int -username btid -uri / -password kSny510OWEdJfE64NaObkys/wh2cJ4+M+qSjTsJ2GjI= -nc 1 -cnonce foo -nonce bar -d
16:43:58,792 DEBUG <main> [sentinel.gaa.digest] calculateMessageDigest:
16:43:58,792 DEBUG <main> [sentinel.gaa.digest] username: btid
16:43:58,793 DEBUG <main> [sentinel.gaa.digest] password: "kSny510OWEdJfE64NaObkys/wh2cJ4+M+qSjTsJ2GjI=" (0x6b536e793531304f5745644a664536344e614f626b79732f776832634a342b4d2b71536a54734a32476a493d)
16:43:58,793 DEBUG <main> [sentinel.gaa.digest] realm: foo
16:43:58,793 DEBUG <main> [sentinel.gaa.digest] method: GET
16:43:58,793 DEBUG <main> [sentinel.gaa.digest] uri: /
16:43:58,793 DEBUG <main> [sentinel.gaa.digest] qop: auth-int
16:43:58,793 DEBUG <main> [sentinel.gaa.digest] nonce: bar
16:43:58,793 DEBUG <main> [sentinel.gaa.digest] nc: 1
16:43:58,793 DEBUG <main> [sentinel.gaa.digest] cnonce: foo
16:43:58,793 DEBUG <main> [sentinel.gaa.digest] body: [626f64794f664d657373616765]
16:43:58,793 DEBUG <main> [sentinel.gaa.digest] => DIGEST: [4a5ca659f406b6625d143adbd4124f3c]
4a5ca659f406b6625d143adbd4124f3c
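How the fields in the debug output above combine into a digest, as an added example that is not part of the tool or the SDK. It assumes naf-digest computes the standard RFC 2617 MD5 request-digest and passes the password and nc through unchanged; it has not been checked against the tool's output. The function names are hypothetical.

```python
import hashlib


def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(username: str, realm: str, password: bytes, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str = "auth-int", body: bytes = b"") -> str:
    """RFC 2617 request-digest for qop 'auth' or 'auth-int' (MD5)."""
    # A1 = username:realm:password; the password may be arbitrary bytes
    ha1 = _md5(f"{username}:{realm}:".encode() + password)
    if qop == "auth-int":
        # auth-int also hashes the entity-body, so a modified body
        # produces a different digest
        ha2 = _md5(f"{method}:{uri}:{_md5(body)}".encode())
    elif qop == "auth":
        ha2 = _md5(f"{method}:{uri}".encode())
    else:
        raise ValueError(f"unsupported qop: {qop}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


def page_inputs_digest(body: bytes = b"bodyOfMessage") -> str:
    """Digest for the flag values in the naf-digest command line shown above."""
    return digest_response(
        username="btid", realm="foo",
        # the -password value is used as its ASCII bytes, as the debug hex shows
        password=b"kSny510OWEdJfE64NaObkys/wh2cJ4+M+qSjTsJ2GjI=",
        method="GET", uri="/", nonce="bar", nc="1", cnonce="foo",
        qop="auth-int", body=body)


if __name__ == "__main__":
    print(page_inputs_digest())
```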
Available flags
Here is the help output showing the tool options:
Usage: naf-digest [options]
  Options:
    -body
       The entity-body of the challenge response
       Default: <empty string>
  * -cnonce
       Client nonce string in challenge response
    -d
       Show debugging output
       Default: false
    -h, -help
       Display this usage message
       Default: false
    -hexpassword
       The password in hex encoding (commonly the output from the 'naf-key' tool). Cannot be used with '-password'.
    -method
       The HTTP method (For example GET or PUT)
  * -nc
       Nonce count string from challenge
  * -nonce
       Nonce string from challenge
    -password
       The password string. Cannot be used with '-hexpassword'.
    -qop
       Quality of protection
       Default: auth-int
  * -realm
       The authentication realm
  * -uri
       The Request-URI
  * -username
       B-TID value from the challenge response
The password used in the digest calculation is specified using either