2. Outline
• Introduction
• ISIM Structure
• ISIM Initialisation
• ISIM Security Mechanism
• IMS AKA security
• GBA_U security
• HTTP Digest security
• Other : No ISIM Provide
3. Introduction
• ISIM is the new module in UICC.
• ISIM stores IMS-specific subscriber data mainly provisioned
by an IMS operator.
• The store data can be divide into six groups:
Security keys
Private user
identity
Public user
identity
Home network
domain name
P-CSCF
address
Administrative
data
5. ISIM Structure (2/7)
• Security Keys
• EF-GBABP : GBA Bootstrapping Parameter
• Store B-TID and RAND
• EF-GBANL : GBA NAF List
• NAF-ID and B-TID pair
• EF-NAFKCA
• NAF key address
6. ISIM Structure (3/7)
• Private User Identity
• EF-IMPI
• The ID using for Register, Authorisation, Administration,
Charging to IMS
• Store in HSS and provide from operator
• NAI format
Ex. username@operator.com
• Public User Identity
• EF-IMPU
• Use by request communication to other user.
• Contain one or more record in ISIM, but will store at least
one IMPU for emergency registration.
• SIP/TEL URI format
• Ex. sip:kimmy@fih.com or tel:77654321
7. ISIM Structure (4/7)
• Home Network Domain Name
• EF-DOMAIN
• This used to find the home network during the
registration procedure.
• They can only be one home network domain name URI
stored in ISIM.
• Ex.
• Public user identify : username@operator.com
• Home domain name : operator.com
8. ISIM Structure (5/7)
• P-CSCF Address
• EF-P-CSCF
• This EF contains one or more Proxy Call Session Control
Function addresses .
• The first record in the EF shall be considered to be of the
highest priority. The last record in the EF shall be
considered to be the lowest priority.
9. ISIM Structure (6/7)
• ISIM Service Table
• EF-IST
• This EF indicates which optional services are available.
• Mandatory :Services n°1 to n°8
11. ISIM Initialisation
SELECT EF-PL from
other application or
using Default
Verify PIN Code
SELECT EF-AD
Request
IMPU/IMPI/SIP
Domain/Service
Table/P-CSCF
address
ISIM
application
closure
Using STATUS cmd
to terminate session
Idle Mode
presence detection
using STATUS cmd
12. ISIM Security Mechanism (1/2)
• The function can be used in several different
contexts:
• IMS AKA security : SIP-based services
• GBA_U security : HTTP application
• HTTP Digest security
14. IMS AKA security (1/4)
• IMS AKA security context during the procedure for
authenticating the ISIM to its.
• The function shall be used whenever an IMS context shall
be established, i.e. when the terminal receives a
challenge from the IMS.
• UE will first send REGISTER command with null
authentication value.
15. IMS AKA security (2/4)
• Using AKA Algorithm from HSS.
• AuC which locate in HSS will generate SQN and RAND.
• HSS will using shared secret key K which also stored in
UICC.
• AK = f5K (RAND)
• MAC = f1K (SQN || RAND || AMF)
• XRES = f2K (RAND)
• CK = f3K (RAND)
• IK = f4K (RAND)
• AUTN = SQN xor AK || AMF || XMAC
• AV = RAND || XRES || CK || IK || AUTN
16. IMS AKA security (3/4)
• IMS server will send 401 UNAUTHORIZED to UE, which
bring RAND and AUTN for UE to use AKA algorithm
reproduce other key value :
• RADN AK
• AK SQN
• SQN, RAND, AMF XMAC
• Calculate ATUN and compare the answer with network
• Check current SQN is bigger than old SQN, if SQN is
invalid, UE will send RESGISTER command again.
• If SQN is valid, and reproduce IK and CK, and UE will
store IK and CK for data encrypt.
• Final, UE will reverser RES and send REGISTER again.
17. IMS AKA security (4/4)
• Compare RES and XRES which store in S-CSCF
• If compare success, and send 200 OK to UE.
• If compare fail, and send 403 FORBIDDEN to UE
Challenge
18. GBA_U security (1/2)
• ISIM operations in GBA security context are supported if service n°2
is "available”.
• Using AKA algorithm to verify RES
• Using Ks to reproduce Ks_ext_NAF and Ks_int_NAF use between
UE and NAF for authorized data.
Ks_ext_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id)
Ks_int_NAF = KDF(Ks, "gba-u, RAND, IMPI, NAF_Id)
Ks=CK || IK
20. HTTP Digest security
• ISIM operations in HTTP-Digest security context are
supported if service n°3 is "available"
• Digest access authentication is one of the agreed-upon
methods a web server can use to negotiate credentials,
such as username or password, with a user's web
browser.
21. Other : No ISIM Provide
• If no ISIM application, we can derived IMPI/IMPU/Domain name based on IMSI
Example :IMSI=234150999999999, MNC=15, MCC=234
IMPI :
<IMSI>@ims.mnc<MNC>.mcc<MCC>.3gppnetwork.org
234150999999999@ims.mnc015.mcc234.3gppnetwork.org
IMPU :
sip: <IMSI>@ims.mnc<MNC>.mcc<MCC>.3gppnetwork.org
sip:234150999999999@ims.mnc015.mcc234.3gppnetwork.org
Domain name :
mnc<MNC>.mcc<MCC>.3gppnetwork.org
ims.mnc015.mcc234.3gppnetwork.org
EF-GBABP : This EF contains the AKA Random challenge (RAND) and Bootstrapping Transaction Identifier (B-TID) associated with a GBA bootstrapping procedure.
儲存GBA驗證過程中的兩組key, bootstrapping id 和 RAND參數
EF-GBANL : This EF contains the list of NAF_ID and B-TID associated to a GBA NAF derivation procedure
當NAF有許多組時, 儲存對應的NAF_ID的 bootstrapping id
EF-NAFKCA : This EF contains one or more NAF Key Centre addresses. The first record in the EF shall be considered to be of the highest priority. The last record in the EF shall be considered to be the lowest priority.
當NAF有許多組時, 儲存NAF的address, 第一個record的NAF最高, 依序下降
Local break out : As the PDN-GW is located in the visited network, user plane traffic doesn’t necessarily need to traverse back to the home network. This is known as the ‘local-breakout’ architecture. (指p-cscf 和pdn-gw在visited network 不再home network, 所以ue不用穿越回home network去連p-cscf)
IARI, IMS application reference identifier :似乎是一個id reference,
可以讓user重複利用sip 區分不同的application service? 可以利用此id, 去區分計價方式?
An IMS application is an application that uses an IMS communication service(s) in order to provide a specific service to the end-user. The IMS application uses specific IMS Communication Service(s) and provides the end user service through the reuse of the SIP communication part of service. The IMS application does not extend the definition of the IMS communication service. The IMS application reference identifies the application utilising the IMS communication service.
A Communication Service is an aggregation of one or several media components and the service logic managing the aggregation, represented in the protocols used.
An IMS application is an application that uses an IMS Communication Service(s) in order to provide a specific service to the end-user. Only IMS applications other than the default application associated to the Communication Service are identified through IARIs.
Ks_ext_NAF is computed in the UICC as Ks_ext_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), and Ks_int_NAF is computed in the UICC as Ks_int_NAF = KDF(Ks, "gba-u, RAND, IMPI, NAF_Id), where KDF
但是終端在這個網絡中是否能夠實行一個具體的業務,是透過GBA來完成,對於IMS來講,這是後面AS的事情,IMS只要判斷用戶能夠使用這個網絡就足夠了。
比如用戶開機註冊,這個時候並沒有實際的業務請求出現。
那用戶和AS 之間通過GAA/GBA的實現來補足這塊的不足。
所以GBA是實現讓AS和終端在後續的業務階段