Authentication in NGN networks ´ Mar´ın Lopez ´ Andres
[email protected]
Invited talk by ISG Telematics Engineering Department Polytechnical University of Catalunya July 2009
Authentication in NGN networks – p. 1
Index Introduction to IMS and NGN IMS entities IMS Registration UMTS AKA UMTS AKA Weaknesses Proposals Conclusions
Authentication in NGN networks – p. 2
Introduction The two main specification bodies of the 3G world defined the All-IP Core Multimedia Telecommunication architecture. IP Multimedia Subsystem (IMS) merges cellular networks and the Internet to host new application servers using different technologies: OSA/Parlay, Parlay X, SIP CGI, SIG CPL, SIP Servlet, etc. IMS is a subsystem of the packet swiched domain and dissociated from network access. IMS facilitates fixed-mobile convergence. IP Multimedia Subsytem (IMS) separates signalling and transport Based on IETF protocols like SIP (for call and session control) and Diameter (AAA and profile exchange).
Authentication in NGN networks – p. 3
3GPP and 3GPP2 3GPP started by 1998 is currently composed of the following partners: ARIB (Japan) CCSA (China) ETSI (Europe) ATIS (United States) TTA (Korea) TTC (Japan) 3GPP2 includes also: CDMA Development Group, IPv6 Forum, MobileIgnite, Femto Forum.
Authentication in NGN networks – p. 4
Beginning of IMS IMS specification began in 3GPP Release 5 IMS where part of the core network evolution from circuit-switching to packet-switching Refined by subsequent Releases 6,7,8, and 9. Originally designed to evolve UMTS networks to deliver Internet Protocol multimedia to mobile users. All-IP system designed to assist mobile operators deliver next generation interactive and interoperable services, cost-effectively, over an architecture providing the flexibility of the Internet. IMS has become the core component within 3G, cable TV and next generation networks. The IM subsystem comprises all Core Networks (CN) elements for provision of IP multimedia services comprising audio, video, text, chat, etc.
Authentication in NGN networks – p. 5
IP Multimedia Overview [1]
Authentication in NGN networks – p. 6
TISPAN IMS Functional Architecture [1] ETSI standardization body for NGN (2003) Telecommunications and Internet converged Services and Protocols for Advanced Networking Initially harmonizing the IMS core for wired(-less). NGN Release 1 (Dec. 2005) adopted 3GPP IMS, adding functionality to handle non-SIP applications. In early 2008, IMS specs were transferred back to 3GPP for providing a Common IMS NGN Release 2 (2008): added IPTV, Home Networks, interconnect with Corporate Networks. TISPAN IPTV: access independent, multi-service combining features from triple/quadruple-play offers. Working on Rel 3: IPTV enhancements, IP network interconnection, NGN security enhancements, and QoS with overload control.
Authentication in NGN networks – p. 7
TISPAN IMS Overview (Rel. 7) The 3GPP TISPAN NGN
Authentication in NGN networks – p. 8
IMS entities Call Session Control functions (CSCF): P-CSCF, I-CSCF, S-CSCF Home Subscriber Server (HSS) Media Gateway Control Function (MGCF), Multimedia Resource Function Controller (MRFC) Application Server (AS) Breakout Gateway Control Function (BGCF)
Authentication in NGN networks – p. 9
Proxy (P-CSCF) First contact point within IMS: User Equipment (UE) messages go through it, UE only accepts requests and responses sourced at it. Discover I-CSCF by examining home domain name Forward SIP requests (REGISTER to UE’s home domain I-CSCF, others to S-CSCF) and responses (back to UE). Security gateway for IMS signalling (Gm interface, IPsec). Checks and enforce signalling policies (service routes, dialog routes). Others: authorize bearer resources and QoS management, emergency calls, monitoring, header compression.
Authentication in NGN networks – p. 10
Interrogating (I-CSCF) Entry point in home domain (both for local and roaming subscribers). Functions: assign (and forward) S-CSCF during SIP registration; obtain (HSS) S-CSCF address and route SIP requests: HSS provides required capabilites, operator preferences HSS stores session signalling transport parameters (CSCF IP and port, transport, etc.) Topology hiding (ciphering S-CSCF addresses); generate Charging Data Records (CDRs) Requests terminated in a foreign network are forwarded to Interconnection Border Control Function (BGCF Rel 5).
Authentication in NGN networks – p. 11
Serving (S-CSCF) Handles users session states User registration collaborating with HSS authentication store contact locations and user subscription information (and updates) resolve public identities into contact addresses add routes as indicated in path headers retrieve user profile from HSS, SIP proxy server/user agent Others: provide endpoints with service events, locate I-CSCF (other operator) and forward SIP requests (also to BGCF for call routing), generation of CDRS
Authentication in NGN networks – p. 12
Home Subscriber Server (HSS) Mappings (1-1) IMS subscription-Private user identity (IMPI), (1-n) IMPI-Public user identities (IMPU). Central database of IMS core: Contains subscription related information Defines and maintains IMS Service Profiles. User identification, numbering and addressing Supports other entities in handling sessions: User security information: authentication vectors Indicates I-CSCF if user is allowed to register in a given P-CSCF Helps in S-CSCF selection Provides S-CSCF with service profiles Stores location information and inter-system location information
Authentication in NGN networks – p. 13
HSS Functions
Authentication in NGN networks – p. 14
MGCF Media Gateway Control Function Controls a media gateway functional entity (MG-FE) allocation and deallocation of resources of the media gateway modification of resources usage Communicates with the CSCF, BGCF, and circuit switched networks Protocol conversion ISUP-SIP Determine next hop for incoming calls from legacy networks Routing transit traffic
Authentication in NGN networks – p. 15
MRFC Multimedia Resource Function Controller Provides resources within the core network for supporting services In conjunction with a Multimedia Resource Processor-Functional Entity Interprets information coming from AS-FE via an S-CSCF and controls MRP-FE Multiway conference bridges Announcement playback Video transcoding
Authentication in NGN networks – p. 16
BGCF Breakout gateway control function Determines the MGCF a call should go through to reach the local PSTN If the call goes to another domain, it should select the BGCF of that domain Selects MGCF within that network Selects peer BGCF
Authentication in NGN networks – p. 17
IMS registration UE
P−CSCF
I−CSCF
HSS
S−CSCF
SM1:Register SM2:Register Cx−Selection−Info SM3: Register Cx−Put CM1: AV−Req CM2: AV−Req−Resp SM5: 4xx Auth_challenge
SM4: 4xx Auth_challenge
SM6: 4xx Auth_challenge
SM7: Register
SM8: Register Cx−Query SM9: Register Cx−Put Cx−Pull
SM11: 2xx Auth_ok
SM10: 2xx Auth_ok
SM12: 2xx Auth_ok Authentication in NGN networks – p. 18
Information stored in registration
Authentication in NGN networks – p. 19
Calling another user Providing identity to other party
Authentication in NGN networks – p. 20
Calling another user II Blocking identity to other party
Authentication in NGN networks – p. 21
IMS Security Architecture
Authentication in NGN networks – p. 22
Security Mechanisms Network access: User identity confidentiality, entity authentication, confidentiality, integrity, Mobile equipment identification Network domain: fraud information gathering User domain: User-USIM, USIM-Terminal Application: USIM Application Toolkit
Authentication in NGN networks – p. 23
IMS registration UE
P−CSCF
I−CSCF
HSS
S−CSCF
Register(IMPI, IMPU) Register Register Cx−AV−Req (IMPI, m) Cx−AV−Req−Resp (IMPI, ...,RANDi||AUTNi||XRESi||CKi||IKi...) 4xx Auth_challenge 4xx Auth_challenge 4xx Auth_challenge (IMPI, RAND, AUTN)
Register (IMPI,RES)
(IMPI, ...,RANDi||AUTNi||XRESi||CKi||IKi...) (IMPI, ...,RANDi||AUTNi||XRESi||CKi||IKi...)
Register (if RES=XRES)
Register
2xx Auth_ok
2xx Auth_ok
2xx Auth_ok
Authentication in NGN networks – p. 24
IMS UMTS AKA IMS Authentication and Key Agreement provides mutual authentication Home Network and user share a long-term key (128 bit) associated with IMPI HN uses RAND (128 bit) to avoid replays Security parameters are transported by SIP The Authentication Vectors (AVs) are generated by AuC (HSS) AVs include RAND, XRES, CK, IK, and AUTN AVs cannot be reused UE and P-CSCF setup 2 security associations (SAs) using CK (128 bit), IK (128 bit) If ME registers another IMPU, no extra SAs All SIP messages will be integrity protected
Authentication in NGN networks – p. 25
Authentication Vectors Value
Computation
MAC XRES CK IK AK AUTN
At Home Network f 1K (SQN||RAND||AMF) f 2K (RAND) f 3K (RAND) f 4K (RAND) f 5K (RAND) SQN ⊕ AK||AMF||MAC)
At User Equipment AK-S f 5 ∗K (RAND) MAC-S f 1 ∗K (SQNMS ||RAND||AMF) AUTS SQN ⊕ AK − S||MAC − S)
Description Message authenticated code Expected response Cipher key Integrity key Anonymity key Authentication token
Anonymity key AMF set to zeros Sync failure Authentication in NGN networks – p. 26
Registration failures The UE sends back authentication reject with a cause of failure if RES6=XRES, or if the received SQN is out of range UE computes and sends back AUTS if AUTS correct, the HN will set its SQN to the UE and generate new AVs HN not automatically de-register IMPU due to registration failure: operator policies explicit de-registry mechanisms registration initiated by HN Authentication in NGN networks – p. 27
UMTS AKA Weaknesses Sequence numbers per user kept at HSS, complex synchronization process AV generation at HSS becomes a bottleneck Attacks (see [4]) redirection and attacks in corrupted networks UE uses a false base radio station, the adversary can intercept and impersonate both the mobile user and the serving network. User traffic redirected to unintended network. If a network is corrupted, the adversary can: forge the authentication data request to obtain authentication vectors force the SQN to high value by flooding authetication data to HN, and attack all legitimate users
Authentication in NGN networks – p. 28
Improvements to UMTS AKA In [4] UE keeps list of unused AVs indexes verify if AV is unsused verify if AV comes from serving network [5]
propose AKA based on vector combination of AVs (RAND1 , XRES1 ), (RAND2 , XRES2 ), ... (RAND1 ⊕ RAND2 , XRES1 ⊕ XRES2 ) Up to 2n − 1 combinations Both the UE and the Network entities keep track of used combinations Two protocols proposed: for distribution and establishment of AVs for selecting combination of AVs for AKA Authentication in NGN networks – p. 29
Other approaches In [6] we propose to cryptographically bind IMS registration to access network (AN) registration Reduce registration time General authentication framework for upcoming technologies Fulfill 3GPP requirements Backwards compatibility
Authentication in NGN networks – p. 30
Authentication Scenarios
Authentication in NGN networks – p. 31
Scenario 1 ME opens a tunnel with NAS using EAP-TLS over L2 (or PANA) ME provides HN id to NAS NAS and ME extract key material from tunnel (TLS exporter) PN and PI using PRF master key with two texts ME sends signed SIP Register including PN NAS sends PN and PI to HSS using Diameter HSS verifies ME checking signature, and PN relates AN to IMS HSS derives IPSec keys: ′ = PRF(C |P ), I ′ = PRF(I |P ) CK K I K I K
HSS can explicitly authenticate ME (signature) NAS can implicitly authenticate ME ME can implicitly authenticate NAS Asumption: user can register public key at HSS In scenario 2 the EAP-TLS tunnel is opened directly with HSS
Authentication in NGN networks – p. 32
Authentication Scenarios
Authentication in NGN networks – p. 33
Conclusions Technology is evolving fast! 2G, 2.5G, 3G, IMS, NGN, LTE, . . . Standards evolve much faster! Competition among standardization bodies? Do telcos fear Internet and its actors? Manufacturers and users are much slower Backwards compatibility is a necessity Need for designs thinking on the user and user requirements That is our main goal under crypto binding AN access and IMS access
Authentication in NGN networks – p. 34
References 3GPP TS 23.002: Technical Specification Group Services and Systems Aspects; Network architecture
[1]
3GPP TS 23.002: Technical Specification Group Services and Systems Aspects; Functional Architecture
[2]
3GPP TS 33.102: Technical Specification Group Services and Systems Aspects; 3G Security; Security Architecture
[3]
M. Zhang and Y. Fang, “Security Analysis and enhancements of 3GPP authentication and key agreement protocol”, IEEE Trans. on Wireless Comm., vol. 4, no 2, pp. 734-742, Mar. 2005.
[4]
Yaohui Lei, Samuel Pierre, and Alejandro Quintero, “Enhancing UMTS AKA with Vector Combination”, Ubiquitous Comp. and Comm. Journal, vol. 3, no 2, pp. 602-610, apr. 2008.
[5]
Daniel Díaz, Davide Proserpio, Andrés Marín, Florina Almenárez, and Peter Weik, “A General IMS registration protocol for wireless network interworking”, accepted at 2nd. IFIP Wireless and Mobile Networking Conference, sep. 2009, Gdansk, Poland.
[6]
Authentication in NGN networks – p. 35