IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-08-0xxx-00-0sec-3gpp-security-non802handover Title: A Study on Security Solutions in non- IEEE 802 Wireless – 3GPP AKA and Interworking with WLAN Date Submitted: September 3, 2008 Presented at IEEE 802.21 session #28 in Big Island, HI Authors or Source(s):  Lily Chen (NIST) Abstract: This presentation reviews security solutions for 3GPP and 3GPP - WLAN interworking. The purpose is to explore possible security handover strategies with non-802 networks. 21-08-0xxx-00-0sec

IEEE 802.21 presentation release statements This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21. The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws <http://standards.ieee.org/guides/bylaws/sect6-7.html#6> and in Understanding Patent Issues During IEEE Standards Development http://standards.ieee.org/board/pat/faq.pdf>  IEEE 802.21 presentation release statements This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21. The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual <http://standards.ieee.org/guides/opman/sect6.html#6.3> and in Understanding Patent Issues During IEEE Standards Development http://standards.ieee.org/board/pat/guide.html>  21-08-0xxx-00-0sec

Purpose Study non-IEEE 802 wireless network security solutions Explore possible security handover strategies with non-IEEE 802 networks. 21-08-0xxx-00-0sec

Outline UMTS Authentication and Key Agreement (AKA) EAP-AKA 3GPP and WLAN interworking Interworking vs. handover 21-08-0xxx-00-0sec

UMTS Network Architecture BS RNC MSC/VLR SGSN HE/AuC PSTN / ISDN IP Networks USIM K UE K – Long term authentication key stored in the USIM card at the mobile side and Authentication Center (AuC) at the network side. USIM – UMTS Subscriber Identity Module BS- Base Station RNC – Radio Network Controlor VLR – Visitor Location Register SGSN – Serving GPRS Support Node HE – Home Environment AuC – Authentication Center PSTN – Public Switched Telephone Network 21-08-0xxx-00-0sec

Authentication and Key Agreement (AKA) - Introduction AKA is the subscriber authentication and session key generation protocol specified in 3GPP for UMTS (see 3GPP TS33.102). The authentication is based on symmetric key method, assuming that the subscriber and the network share a long term key K. The main idea is to use “Authentication Vectors (AVs)” to delegate the authentication to VLR/SGSN. 21-08-0xxx-00-0sec

Authentication and Key Agreement (AKA) - Authentication Vector An authentication vector is a quintuplet: AV = (RAND||AUTN||XRES||CK||IK) The components are RAND – Random challenge AUTN – Authentication token to authenticate the network XRES – Expected response to RAND CK – Cipher (encryption) key IK – Integrity key 21-08-0xxx-00-0sec

Authentication and Key Agreement (AKA) - Generation of Authentication Vector Generate SQN Generate RAND RAND K f5 AK f4 f3 f2 f1 IK CK XRES MAC AMF Long term authentication key Random challenge AUTN:= SQNAK||AMF||MAC fi ‘s are operator specified functions. 3GPP developed an example algorithm (Milenage). 21-08-0xxx-00-0sec

Authentication and Key Agreement (AKA) - Protocol Subscriber device with USIM K VLR/SGSN HLR/AuC K Access Request Authentication Data Request Authentication Vectors RANDj || AUTNj RESj RNC IKj and CKj Protected AVi = { RANDj || AUTNj || XRESj || CKj || IKj} j =1,2, …t Verify AUTNj =? XRESj f2 f3 f4 CKj IKj 21-08-0xxx-00-0sec

UMTS Security in Handover AKA is executed for each registration not for each handover. Session keys IK and CK are generated for each AKA execution. The same session keys can be used by different RNCs. They are distributed through handover. UMTS allows the different RNCs to share the same session keys, while in IEEE 802.11, different APs are not trusted to share the same session keys! HLR Authentication Center MSC VLR CK, IK CK, IK RNC2 Radio Access Network RNC1 21-08-0xxx-00-0sec

EAP-AKA - Motivation and main ideas USIM is considered as an asset to service providers. It holds credentials to authenticate subscribers. Use common credentials for both cellular and WLAN access authentication will get the best use of USIM. EAP-AKA is an EAP method using USIM to conduct authentication for WLAN access. WLAN AAA server interfaces with the 3GPP AuC to get authentication vectors. WLAN AAA server uses AVs to derive EAP keys. HLR/AuC AVs WLAN Device Access Point AAA server EAP-AKA Derive EAP keys from AV Derive EAP keys from AV Deliver MSK Protected data 21-08-0xxx-00-0sec

EAP-AKA - How to use authentication vectors RAND XRES CK IK AUTN AT(RAND) Verify AT(RES) AT(AUTN) Hash MK KDF TEKs MSK EMSK Use “RAND” and “XRES” as random challenge and response. AUTN is used for network authentication. Use IK and CK to derive EAP Keys. Kaut Kencr 21-08-0xxx-00-0sec

EAP-AKA Protocol Outline* WLAN Device AAA server HLR/AC AVi EAP-Request / Identity EAP-Response / Identity Generate MK. MAC is generated using Kaut. EAP-Request / AKA-challenge (RAND, AUTN, MAC) Generate MK. MAC is generated using Kaut. EAP-Response / AKA-Challenge (RES, MAC) EAP-Success (or Failure) MSK *For details, see RFC 4187. 21-08-0xxx-00-0sec

3GPP and WLAN Interworking WLAN UE 3GPP AAA HLR/AuC AVs EAP-AKA 3GPP and WLAN interworking is to allow a device to access Internet through WLAN by authenticating through 3GPP network (direct access). to access Internet through 3GPP IP network (WLAN 3GPP IP Access). The security in interworking is specified in 3GPP 33.234. It allows User Equipment (UE) to authenticate to WLAN network using the same credentials of 3GPP AKA through EAP-AKA. It specifies interfaces between 3GPP network and WLAN to pass all sorts of information and also support access authentication. It is 3GPP specific with 3GPP specified network function entities. It is an application of EAP-AKA. Internet 3GPP Network WLAN Access Network Packet data gateway 3GPP AAA AuC 21-08-0xxx-00-0sec

AKA vs. EAP-AKA EAP-AKA allows using AKA authentication vector for WLAN access authentication and key establishment. AKA and EAP-AKA have different trust models: Session keys generated through AKA can be shared among RNCs. MSK, generated through EAP-AKA, is specific for an given authenticator. Wireless protection session keys are AP specific. UMTS and IEEE 802 network have different secure handover solutions. UMTS has infrastructure to handover the session keys. IEEE 802 (e.g. 802.11r) executes a handshake in each handover to generate new session keys. Interworking does not provide mechanisms to handover keys between IEEE 802 wireless network and non-802 network. 21-08-0xxx-00-0sec

Different Trust Models and Secure Handover Solutions - Illustration HLR/AuC VLR/SGSN Authenticator RNC1 RNC2 AV1 CK, IK AAA Server AV2 AKA MSK PTK1 PTK2 EAP-AKA Handover Transition 21-08-0xxx-00-0sec

Summary 3GPP AKA employs a different trust model from EAP-AKA. From security perspective, real handover between 802 and non-802 network is barely possible. “Transition” from 3GPP to IEEE 802.11 (or others) can use pre-authentication through EAP-AKA, if 3GPP AuC can provide authentication vectors to 802.11 network. (This can hardly be called “handover”, since it is really a full authentication.) The possibility of security handover is questionable if a MN roams from a 802 network to a 3GPP network. In the case that the 802 network uses EAP-AKA. If an authentication vector is used in EAP-AKA, then it cannot be re-used back to 3GPP network based on 33.234. When the 802 network uses some other authentication methods than EAP-AKA, e.g. EAP-TLS, then it will need to change the 3GPP trust model completely to allow (IK, CK) being generated from MSK (or other EAP keys). 21-08-0xxx-00-0sec

Back Up slides 21-08-0xxx-00-0sec

EAP-AKA Fast Re-authentication After a full EAP-AKA execution, the TEK = (Kencr, Kaut) can be used for a fast re-authentication. The server generates a random number NS and use Kencr to encrypt it. The server message includes a MAC. Upon receiving E(Kencr,NS), the peer decrypts it. The MN generates a MAC over NS using Kaut and sends it to the server. The MAC serves as an authentication response. For each fast re-authentication, it generates a new MK using the old MK and NS. A counter is maintained to record the number of fast re-authentications. 21-08-0xxx-00-0sec