  • Analog: analogue cellular could only easily be used for voice calls, and typically only within one country. Digital systems added fax, data and messaging to voice telephony, with service in many countries. Multimedia services add high-speed data transfer to mobile devices, enabling video, audio and other applications, so that music, television and the Internet can be reached from a mobile terminal. Other trends across the generations: international support, a move from multiple standards toward a single standard, and a move from unsecured communications toward end-to-end secured communications.
  • 3GPP – 3rd Generation Partnership Project. GSM (Global System for Mobile communication) was primarily a European standard (2G) that has since spread throughout North America. GPRS (General Packet Radio Service) is 2.5G: it overlays a packet-based air interface on the existing circuit-switched GSM network.
  • IMS is a framework for providing IP telecommunication services. SIP, the Session Initiation Protocol (developed by the IETF), is a signaling protocol for Internet conferencing, telephony, presence, event notification and instant messaging. SIP runs on top of different IP transport protocols such as UDP and TCP. CSCF – Call Session Control Function. The CSCF provides session control for subscribers accessing services within the IM (IP Multimedia) CN. In essence the CSCF is a SIP server. It is responsible for interacting with network databases such as the HSS for mobility and with AAA (Authentication, Authorization and Accounting) servers for security.
  • SGSN – Serving GPRS Support Node. Responsible for the delivery of data packets to and from the mobile stations within its service area. Its tasks include packet routing and transfer, mobility management (attach/detach and location management), logical link management, and authentication and charging functions. The location register of the SGSN stores location information and user profiles of all GPRS users registered with this SGSN.
    GGSN – Gateway GPRS Support Node. Interface between the GPRS wireless data network and other networks such as the Internet or private networks. To external packet data networks the GGSN performs the task of an IP router. Firewall and filtering functionality, to protect the integrity of the GPRS core network, is also associated with the GGSN, along with a billing function.
    CSCF – Call Session Control Function. P-CSCF (Proxy): directs SIP messages from the MS to the home network. S-CSCF (Serving): located in the home network to provide session control of multimedia services. I-CSCF (Interrogating): firewall for SIP messages directed toward the home network; selects the S-CSCF for the MS.
    OSA – Open Service Access. Provides a standard interface through which developers can design services that interact with functions within the network.
    HSS – Home Subscriber Server. The master database for the wireless network; while logically viewed as one entity, in practice it is made up of several physical databases. The HSS holds the variables and identities for the support, establishment and maintenance of calls and sessions made by subscribers, including the subscriber's IMSI, security variables and location information.
    AuC – Authentication Center. Provides authentication vectors (AVs) for the authentication process.
  • USIM – Universal Subscriber Identity Module. Only emergency calls are permissible if it is not present in the terminal. IMSI – a unique identifier allocated to each mobile subscriber in a GSM or UMTS network. It consists of an MCC (Mobile Country Code), an MNC (Mobile Network Code) and an MSIN (Mobile Subscriber Identification Number).
  • Two things happen here: 1) user authentication, between the MS and the SGSN, and 2) network authentication, between the MS and the HSS/AuC.
    SGSN – Serving GPRS Support Node. Responsible for the delivery of data packets to and from the mobile stations within its service area. Its tasks include packet routing and transfer, mobility management (attach/detach and location management), logical link management, and authentication and charging functions. The location register of the SGSN stores location information and user profiles of all GPRS users registered with this SGSN.
    HSS – Home Subscriber Server. The master database for the wireless network; while logically viewed as one entity, in practice it is made up of several physical databases, depending on the number of subscribers and the extent of the services that must be supported. The HSS holds the variables and identities for the support, establishment and maintenance of calls and sessions made by subscribers, including the subscriber's IMSI, security variables and location information.
    AuC – Authentication Center. Provides authentication vectors (AVs) for the authentication process.
    Step G.1. Consider an MS with IMSI value imsi and IMPI value impi. To access GPRS services, the MS sends a GMM Attach Request (with parameter IMSI = imsi) to the SGSN.
    Step G.2. If the SGSN already holds unused AVs for the MS, Steps G.2 and G.3 are skipped. Otherwise the SGSN must obtain AVs from the HSS/AuC: it invokes the authentication vector distribution procedure by sending a MAP SEND AUTHENTICATION INFO Request (with parameter IMSI = imsi) to the HSS/AuC.
    Step G.3. The HSS/AuC uses imsi to retrieve the record of the MS and generates an ordered array of AVs from the pre-shared secret key K held in that record. The AV array is returned to the SGSN in a MAP SEND AUTHENTICATION INFO Response. Each AV is good for exactly one authentication and key agreement between the SGSN and the MS.
    Step G.4. The SGSN selects the next unused AV in the ordered array and sends its RAND and AUTN to the MS in a GMM Authentication and Ciphering Request.
      AV – Authentication Vector = (RAND, AUTN, XRES, CK, IK); only one may be used per authentication.
      RAND – Random challenge.
      AUTN – Authentication Token: the concatenation of SQN XOR AK (the sequence number masked bit-by-bit with the anonymity key AK), AMF (Authentication Management Field) and MAC (Message Authentication Code computed with K over SQN, RAND and AMF).
      XRES – Expected Response.
      CK – Cipher Key.
      IK – Integrity Key.
    Step G.5. The MS checks whether the received AUTN is acceptable: using the pre-shared key K and RAND it recovers SQN from SQN XOR AK, recomputes the MAC and compares it with the received one, which authenticates the network. If so, it produces a response RES from K and RAND and returns it to the SGSN in a GMM Authentication and Ciphering Response. The SGSN compares the received RES with XRES; if they match, authentication and key agreement have completed successfully.
    Step G.6. The SGSN sends a GMM Attach Accept to the MS, and the attach procedure is complete.
  • SGSN – Serving GPRS Support Node. HSS – Home Subscriber Server. AuC – Authentication Center. CSCF – Call Session Control Function; here it stands for the P-CSCF (Proxy-CSCF), S-CSCF (Serving-CSCF) and I-CSCF (Interrogating-CSCF) together. IMPI – IP Multimedia Private Identity.
    Step I.1. The MS sends a SIP Register message (with parameter IMPI = impi) to the CSCF through the SGSN.
    Step I.2. Assume the CSCF does not have AVs for the MS (or the array has been used up and a new one is needed). The CSCF invokes the authentication vector distribution procedure by sending a Cx Multimedia Authentication Request (with parameter IMPI = impi) to the HSS/AuC.
    Step I.3. The HSS/AuC uses impi to retrieve the record of the MS and generates an ordered array of AVs, which it returns to the CSCF in a Cx Multimedia Authentication Answer.
    Step I.4. The CSCF selects the next unused AV from the ordered array and sends its RAND and AUTN to the MS in a SIP 401 Unauthorized response (analogous to HTTP 401 Unauthorized).
    Step I.5. The MS checks whether the received AUTN is acceptable. If so, it produces a response RES and sends it back to the CSCF in a new SIP Register message. The CSCF compares the received RES with XRES; if they match, authentication and key agreement have completed successfully.
    Step I.6. The CSCF sends a Cx Server Assignment Request to the HSS/AuC.
    Step I.7. On receipt of the Server Assignment Request, the HSS/AuC stores the CSCF name and replies with a Cx Server Assignment Answer.
    Step I.8. The CSCF sends a SIP 200 OK to the MS through the SGSN, and the IMS registration procedure is complete.
    In the above procedure, Steps I.1–I.5 perform authentication and Steps I.6–I.8 perform registration.
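The authentication core that Steps G.2–G.5 and Steps I.2–I.5 share (AV generation at the HSS/AuC, AUTN verification and RES computation at the MS, RES/XRES comparison at the SGSN or CSCF) as an added example; this is not code from the paper or the slides. The 3GPP functions f1–f5 are normally Milenage, which the page does not cover, so a keyed HMAC-SHA256 stands in for each of them; the key K, the AMF and the sequence numbers are constructed test values. The MS side also enforces the SQN freshness check, which is what makes a replayed AV fail.

```python
"""UMTS authentication and key agreement (AKA), the core of both GPRS Steps G.2-G.5
and IMS Steps I.2-I.5. Added example, not code from the paper or the slides.

Assumptions: f1-f5 are modelled with HMAC-SHA256 instead of Milenage; the key K,
the AMF and the sequence numbers are constructed test values."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")  # constructed USIM secret
AMF = b"\x80\x00"                                        # constructed AMF value


def f(n: int, key: bytes, *parts: bytes, size: int) -> bytes:
    """Stand-in for f1..f5: HMAC-SHA256 under K, domain-separated by the function number."""
    return hmac.new(key, bytes([n]) + b"".join(parts), hashlib.sha256).digest()[:size]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class AV:
    rand: bytes
    autn: bytes
    xres: bytes
    ck: bytes
    ik: bytes


def generate_av(k: bytes, sqn: int) -> AV:
    """HSS/AuC (Step G.3 / I.3): build one AV for sequence number sqn."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(1, k, sqn_b, rand, AMF, size=8)   # f1: MAC over SQN || RAND || AMF
    xres = f(2, k, rand, size=8)              # f2: expected response
    ck = f(3, k, rand, size=16)               # f3: cipher key
    ik = f(4, k, rand, size=16)               # f4: integrity key
    ak = f(5, k, rand, size=6)                # f5: anonymity key masking SQN
    autn = xor(sqn_b, ak) + AMF + mac         # AUTN = (SQN xor AK) || AMF || MAC
    return AV(rand, autn, xres, ck, ik)


def generate_av_array(k: bytes, first_sqn: int, n: int) -> List[AV]:
    """Ordered array of n AVs; each one is good for exactly one authentication."""
    return [generate_av(k, first_sqn + i) for i in range(n)]


class USIM:
    """MS side (Step G.5 / I.5): verify AUTN, then derive RES, CK and IK."""

    def __init__(self, k: bytes):
        self.k = k
        self.highest_sqn = -1   # freshness check: never accept an SQN twice

    def respond(self, rand: bytes, autn: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn_b = xor(sqn_xor_ak, f(5, self.k, rand, size=6))
        if not hmac.compare_digest(f(1, self.k, sqn_b, rand, amf, size=8), mac):
            return None          # network authentication failed (bad MAC)
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.highest_sqn:
            return None          # replayed or stale AV
        self.highest_sqn = sqn
        return (f(2, self.k, rand, size=8),    # RES
                f(3, self.k, rand, size=16),   # CK
                f(4, self.k, rand, size=16))   # IK


def network_checks_res(av: AV, res: bytes) -> bool:
    """SGSN (GPRS) or CSCF (IMS): compare the returned RES with XRES."""
    return hmac.compare_digest(av.xres, res)


def run_aka(avs: List[AV], usim: USIM) -> List[bool]:
    """Walk the AV array in order, one AV per authentication; True means success."""
    outcomes = []
    for av in avs:
        reply = usim.respond(av.rand, av.autn)
        outcomes.append(reply is not None and network_checks_res(av, reply[0]))
    return outcomes


if __name__ == "__main__":
    array = generate_av_array(K, first_sqn=1, n=5)
    print(run_aka(array, USIM(K)))                         # five successes
    replayer = USIM(K)
    replayer.respond(array[0].rand, array[0].autn)
    print(replayer.respond(array[0].rand, array[0].autn))  # None: replay rejected
```

The serving node (SGSN or CSCF) never sees K: it only holds the AV array and consumes one vector per run, which is why the array size n becomes the parameter of the cost analysis later in the deck.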
  • SGSN – Serving GPRS Support Node. HSS – Home Subscriber Server. AuC – Authentication Center. CSCF – Call Session Control Function (P-CSCF, S-CSCF and I-CSCF together). IMPI – IP Multimedia Private Identity.
    Step I*.1. The MS sends a SIP Register message with parameter IMPI = impi to the SGSN. After GPRS authentication the SGSN can identify the IMSI of the MS that transmits the GPRS packets, so the SIP ALG in the SGSN adds the IMSI value of the MS to the Register message and forwards it to the CSCF.
    Step I*.2. The CSCF stores the (imsi, impi) pair in the MS record and sends a Cx Server Assignment Request with parameter IMPI = impi to the HSS/AuC. If the CSCF has already stored this (imsi, impi) pair, Steps I*.2 and I*.3 are skipped.
    Step I*.3. The HSS/AuC uses the received IMPI value impi as an index to retrieve the IMSI and the user profile of the MS; denote the retrieved IMSI by IMSI-HSS(IMPI). The HSS/AuC stores the CSCF name and sends a Cx Server Assignment Answer to the CSCF carrying IMSI-HSS(IMPI) and the user profile.
    Step I*.4. The CSCF checks whether IMSI-HSS(IMPI) equals the IMSI added by the SGSN. If so, the CSCF sends a SIP 200 OK to the SGSN and the authentication is considered successful. If not, the registration is illegal: possibly an MS is trying to access the IMS service of some other MS.
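Steps I*.1–I*.4 modelled end to end, including the case the notes warn about (an MS registering with another subscriber's IMPI), as an added example that is not code from the paper or the slides. SIP messages are plain dicts rather than SIP text; the header name "x-imsi" the ALG writes is an invention here (the paper only says the message format is slightly modified); the SIP status codes used for the failure cases are a choice made here; all identities and HSS records are constructed test values.

```python
"""One-pass IMS registration (Steps I*.1-I*.4): the SIP ALG in the SGSN stamps the
GPRS-authenticated IMSI onto the Register, and the CSCF compares it with the IMSI
the HSS returns for the claimed IMPI. Added example, not code from the paper or
the slides.

Assumptions: dict-based messages; invented header name "x-imsi"; failure status
codes chosen here; constructed identities."""
from __future__ import annotations

from typing import Dict, Optional, Tuple

# Constructed HSS records: IMPI -> (IMSI, user profile).
HSS_RECORDS = {
    "alice@ims.example.net": ("466920123456789", {"services": ["voice", "im"]}),
    "bob@ims.example.net":   ("466920987654321", {"services": ["voice"]}),
}


class HSS:
    def __init__(self) -> None:
        self.assigned_cscf: Dict[str, str] = {}

    def server_assignment(self, impi: str, cscf_name: str) -> Optional[Tuple[str, dict]]:
        """Step I*.3: index by IMPI, remember the CSCF name, return IMSI-HSS(IMPI) and profile."""
        record = HSS_RECORDS.get(impi)
        if record is None:
            return None
        self.assigned_cscf[impi] = cscf_name
        return record


class CSCF:
    def __init__(self, hss: HSS, name: str = "scscf1.ims.example.net") -> None:
        self.hss, self.name = hss, name
        self.bindings: Dict[str, str] = {}   # verified (impi -> imsi) pairs, Step I*.2

    def register(self, msg: dict) -> Tuple[int, str]:
        """Steps I*.2-I*.4; returns the SIP status sent back towards the MS."""
        impi, imsi = msg["impi"], msg.get("x-imsi")
        if imsi is None:
            return 403, "Forbidden: Register did not pass through the SGSN ALG"
        if self.bindings.get(impi) == imsi:
            return 200, "OK"                 # pair already verified: I*.2 and I*.3 skipped
        answer = self.hss.server_assignment(impi, self.name)
        if answer is None:
            return 404, "Not Found: unknown IMPI"
        imsi_hss, _profile = answer
        if imsi_hss != imsi:                 # Step I*.4: IMSI-HSS(IMPI) != IMSI
            return 403, "Forbidden: IMSI does not match IMSI-HSS(IMPI)"
        self.bindings[impi] = imsi
        return 200, "OK"


class SGSN:
    """Knows which IMSI was GPRS-authenticated on each context; hosts the SIP ALG."""

    def __init__(self, cscf: CSCF) -> None:
        self.cscf = cscf
        self.attached: Dict[str, str] = {}   # context id -> IMSI proven by GPRS AKA

    def gprs_attach(self, ctx: str, imsi: str) -> None:
        self.attached[ctx] = imsi            # outcome of Steps G.1-G.6 for this MS

    def forward_register(self, ctx: str, msg: dict) -> Tuple[int, str]:
        """Step I*.1: the ALG overwrites any MS-supplied IMSI with the authenticated one."""
        stamped = dict(msg)
        stamped["x-imsi"] = self.attached[ctx]
        return self.cscf.register(stamped)


def demo() -> Dict[str, Tuple[int, str]]:
    sgsn = SGSN(CSCF(HSS()))
    sgsn.gprs_attach("ctx-alice", "466920123456789")
    sgsn.gprs_attach("ctx-mallory", "466920555555555")   # attached, but not Bob's IMSI
    return {
        "alice": sgsn.forward_register("ctx-alice", {"impi": "alice@ims.example.net"}),
        "alice_again": sgsn.forward_register("ctx-alice", {"impi": "alice@ims.example.net"}),
        # Mallory claims Bob's IMPI and even forges Bob's IMSI in the header; the ALG
        # replaces it with Mallory's own, so the Step I*.4 check fails.
        "mallory_as_bob": sgsn.forward_register(
            "ctx-mallory", {"impi": "bob@ims.example.net", "x-imsi": "466920987654321"}),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(case, status)
```

Two properties carry the whole shortcut: the SGSN stamps only an IMSI it has itself authenticated through GPRS AKA, and it overwrites whatever the MS put in that header rather than trusting it. Given those, the CSCF's comparison of the stamped IMSI with IMSI-HSS(IMPI) is exactly the check that turns Mallory's attempt into a rejected registration.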
  • β < 1 because the CSCF and the HSS/AuC exchange messages over the IP core network only, whereas a message from the MS must go over the radio link to the SGSN and then through the GPRS core network before it reaches the CSCF; the MS-to-CSCF leg is therefore the more expensive one and is normalized to cost 1.
Slide 1: One-Pass GPRS and IMS Authentication Procedure for UMTS, by Yi-Bing Lin, Ming-Feng Chang, Meng-Ta Hsu and Lin-Yi Wu. An overview by Frank McCown, Mobile Computing CS 795, Old Dominion University, October 22, 2004.
Slide 2: Evolution of Mobile Networks
• Analog → Digital → Multimedia

  Generation | Type               | Time        | Standards
  1G         | Analog             | 1980s       | AMPS, NMT, TACS
  2G         | Digital            | 1990s       | GSM, CDMA, TDMA
  2.5G       | Higher data rate   | Late 1990s  | GPRS, EDGE
  3G         | Digital multimedia | 2000s       | UMTS

Source: http://www.mobile3g.com/whatis3g.htm
Slide 3: UMTS Background
• UMTS (Universal Mobile Telecommunications System) specification created by the 3GPP consortium
• Progression from GSM (2G) via GPRS (2.5G)
• Data rates: 144 kbps – 2 Mbps
• 10 million users as of Sept 2004 [1]
[1] http://www.umts-forum.org/servlet/dycon/ztumts/umts/Live/en/umts/News_PR_Article220904
Slide 4: IMS Overview
• IMS (IP Multimedia Subsystem) is used by UMTS for providing IP telecommunications
• Supports voice telephony, live video streaming, instant messaging, etc.
• Performs signaling operations using the Session Initiation Protocol (SIP)
• Uses the CSCF to provide multimedia services
Source: http://www.alcatel.com/doctypes/articlepaperlibrary/html/ATR2003Q4/ATR2003Q4A16_EN.jhtml
Slide 5: CSCF Overview
• Three types of Call Session Control Function in IMS:
    • P-CSCF (Proxy): directs SIP messages from the MS to the home network.
    • S-CSCF (Serving): located in the home network; provides session control of multimedia services.
    • I-CSCF (Interrogating): firewall for SIP messages directed toward the home network; selects the S-CSCF for the MS.
Slide 6: UMTS Architecture (diagram only)
Slide 7: Goal: Security
• GPRS Authentication
    • User authentication – between MS and SGSN
    • Network authentication – between MS and HSS/AuC
• IMS Authentication
    • between MS and CSCF
Slide 8: USIM Smart Card
• Provides mobile station identification
• Must be present in the terminal
• Contains data about the subscriber:
    • IMSI (International Mobile Subscriber Identity), used for GPRS authentication
    • IMPI (IP Multimedia Private Identity), used for IMS authentication
    • Encryption and integrity keys
    • Other: identities, preferred languages, etc.
Slide 9: GPRS Authentication (message sequence between MS, SGSN and HSS/AuC)
• MS → SGSN: Attach Request (IMSI)
• SGSN → HSS/AuC: Send Auth Info Request (IMSI)
• HSS/AuC → SGSN: Send Auth Info Response (AVs)
• SGSN: select authentication vector AV = (RAND, AUTN, XRES, CK, IK)
• SGSN → MS: Auth & Ciphering Request (RAND, AUTN)
• MS: verify AUTN, compute RES, compute CK and IK
• MS → SGSN: Auth & Ciphering Response (RES)
• SGSN: compare RES and XRES; select CK and IK
• SGSN → MS: Attach Accept
Slide 10: IMS Authentication (message sequence between MS, SGSN, HSS/AuC and CSCF; SIP messages pass through the SGSN)
• MS → CSCF: Register (IMPI)
• CSCF → HSS/AuC: Multimedia Auth Request (IMPI)
• HSS/AuC → CSCF: Multimedia Auth Answer (AVs)
• CSCF: select authentication vector AV
• CSCF → MS: 401 Unauthorized (RAND, AUTN)
• MS: verify AUTN, compute RES
• MS → CSCF: Register (RES)
• CSCF: compare RES and XRES
• CSCF → HSS/AuC: Server Assignment Request
• HSS/AuC → CSCF: Server Assignment Answer
• CSCF → MS: 200 OK
Slide 11: Similarities

  GPRS Authentication                                | IMS Authentication
  SGSN → HSS/AuC: Send Auth Info Request (IMSI)      | CSCF → HSS/AuC: Multimedia Auth Request (IMPI)
  HSS/AuC → SGSN: Send Auth Info Response (AVs)      | HSS/AuC → CSCF: Multimedia Auth Answer (AVs)
  SGSN → MS: Auth & Ciphering Request (RAND, AUTN)   | CSCF → MS: 401 Unauthorized (RAND, AUTN)
  MS → SGSN: Auth & Ciphering Response (RES)         | MS → CSCF: Register (RES)
  SGSN → MS: Attach Accept                           | CSCF → MS: 200 OK
Slide 12: IMS One-Pass Authentication
• Makes use of the GPRS authentication already performed
• The SGSN implements a SIP Application Level Gateway (ALG)
• Slight modification of the SIP message format
Slide 13: IMS Registration: One-Pass Authentication (message sequence between MS, SGSN, HSS/AuC and CSCF)
• MS → SGSN: Register (IMPI)
• SGSN: retrieve the IMSI value of the MS (known from GPRS authentication)
• SGSN → CSCF: Register (IMPI, IMSI)
• CSCF: store the (IMSI, IMPI) pair
• CSCF → HSS/AuC: Server Assignment Request (IMPI)
• HSS/AuC → CSCF: Server Assignment Answer (IMSI_HSS(IMPI), User Profile)
• CSCF: check whether IMSI_HSS(IMPI) = IMSI
• CSCF → MS: 200 OK
Slide 14: IMS Authentication (two-pass, revisited)
With the one-pass procedure the following steps of the two-pass registration are no longer needed:
• CSCF → HSS/AuC: Multimedia Auth Request (IMPI)
• HSS/AuC → CSCF: Multimedia Auth Answer (AVs)
• CSCF: select authentication vector AV
• CSCF → MS: 401 Unauthorized (RAND, AUTN)
• MS: verify AUTN, compute RES
• MS → CSCF: Register (RES)
• CSCF: compare RES and XRES
What remains: MS → CSCF Register (IMPI); CSCF → HSS/AuC Server Assignment Request; HSS/AuC → CSCF Server Assignment Answer; CSCF → MS 200 OK.
Slide 15: Cost Analysis
• How much signaling has the one-pass procedure saved?
• Cost model: a message between the MS and the CSCF (via the SGSN) costs 1; a message between the CSCF and the HSS/AuC costs $\beta$, where $\beta < 1$.
• One-pass procedure: $C_1 = 2 + 2\beta$ (MS → CSCF, CSCF → HSS/AuC, HSS/AuC → CSCF, CSCF → MS)
Slide 16: Cost Analysis (continued)
• Cost $C_2$ for the two-pass IMS procedure:
    • If AVs must be fetched to perform authentication, $C_{2,1} = 4 + 4\beta$
    • If AVs are not needed, $C_{2,2} = 4 + 2\beta$
• The AV array is of size $n$: 1 out of $n$ IMS registrations incurs $C_{2,1}$, the other $n - 1$ incur $C_{2,2}$.
• $C_2 = \dfrac{1}{n}\,C_{2,1} + \dfrac{n-1}{n}\,C_{2,2} = 4 + \dfrac{n+1}{n}\,2\beta$
• Improvement $S = \dfrac{C_2 - C_1}{C_2} = \dfrac{n+\beta}{2n+(n+1)\beta}$
Slide 17: Improvement S of One-Pass over Two-Pass Procedure
• $n$ = AV array size
• $\beta$ = cost of a message between HSS/AuC and CSCF
• $S = \dfrac{n+\beta}{2n+(n+1)\beta}$
(Figure: plot of $S$ versus $\beta$; only the axis labels survived extraction.)
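The derivation behind the two formulas above, carried through with the deck's own symbols (an added worked derivation, not part of the original slides):

$$C_2 = \frac{1}{n}\,C_{2,1} + \frac{n-1}{n}\,C_{2,2} = \frac{1}{n}(4+4\beta) + \frac{n-1}{n}(4+2\beta) = 4 + \frac{n+1}{n}\,2\beta$$

$$C_2 - C_1 = \left(4 + \frac{2(n+1)\beta}{n}\right) - (2+2\beta) = 2 + \frac{2\beta}{n} = \frac{2(n+\beta)}{n}$$

$$S = \frac{C_2 - C_1}{C_2} = \frac{2(n+\beta)/n}{\left(4n + 2(n+1)\beta\right)/n} = \frac{n+\beta}{2n+(n+1)\beta}$$

Two checks on the "up to 50%" claim in the conclusion: at $\beta = 0$ the saving is $S = n/2n = 1/2$ exactly, and

$$\frac{\partial S}{\partial \beta} = \frac{\bigl(2n+(n+1)\beta\bigr) - (n+\beta)(n+1)}{\bigl(2n+(n+1)\beta\bigr)^2} = \frac{n(1-n)}{\bigl(2n+(n+1)\beta\bigr)^2} \le 0 \quad (n \ge 1),$$

so $S$ never exceeds $1/2$. For $n = 1$ it equals $1/2$ for every $\beta$ (since $S = (1+\beta)/(2+2\beta)$); for $n > 1$ it falls from $1/2$ at $\beta = 0$ toward $(n+1)/(3n+1)$ as $\beta \to 1$.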
Slide 18: Conclusion
• After GPRS authentication, IMS two-pass authentication can be simplified to the one-pass procedure.
• The new approach can save up to 50% of the network traffic generated by IMS registration.
• 50% of the storage for buffering AVs is freed (the CSCF no longer needs to fetch and buffer AV arrays).
• The one-pass procedure is pending ROC and US patents.
Slide 19: Glossary
• 3GPP – Third Generation Partnership Project
• AuC – Authentication Center
• AV – Authentication Vector
    • RAND – Random challenge
    • AUTN – Authentication Token
    • XRES – Expected Response
    • CK – Cipher Key
    • IK – Integrity Key
• CSCF – Call Session Control Function
    • P-CSCF – Proxy-CSCF
    • S-CSCF – Serving-CSCF
    • I-CSCF – Interrogating-CSCF
• GGSN – Gateway GPRS Support Node
• GPRS – General Packet Radio Service
• HSS – Home Subscriber Server
• IMPI – IP Multimedia Private Identity
• IMSI – International Mobile Subscriber Identity
• IMS – IP Multimedia Core Network Subsystem
• PS CN – Packet Switched Core Network
• SGSN – Serving GPRS Support Node
• SIP – Session Initiation Protocol
• UMTS – Universal Mobile Telecommunications System
• USIM – Universal Subscriber Identity Module
• UTRAN – UMTS Terrestrial Radio Access Network
Slide 20: References
• “aSIP – Access Security for IP-Based Services”, presentation by Krister Boman, Apr 2001. http://www.3gpp.org/ftp/tsg_sa/WG3_Security/2001_meetings/TSGS3_21_Sophia/Docs/PDF/S3-010640.pdf
• http://www.mpirical.com/companion/mpirical_companion.html
• http://www.mobile3g.com/whatis3g.htm
• “Security in GSM, GPRS and 3GPP”, presentation by Tahar Ktari and David Mayor, Apr 2004. http://lasecwww.epfl.ch/securityprotocols/gsm/Presentation_Security_in_GSM_GPRS_3GPP_Tahar_Ktari_David_Mayor.pdf
• “Security in the Mobile Internet”, tutorial by Ram Gopal and Lakshmi Narayanan, 2004. http://www.atmforum.com/meetings/ICBN_04_Proceedings/Tutorial/Tutorial%201.pdf
• Boman, K., et al., “UMTS Security”, Electronics & Communication Engineering Journal, Oct 2002.
