Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures Joaquin Torres, A. Izquierdo, M. Carbonell and J.M. Sierra Carlos III University of Madrid, Spain Computer Science Department

Outline Smart Devices Convergence NGN …?

WISTP 2008, May 13-16, Introduction WLANs deployment: SOHO, campus, residential and public environments public hotspots the number of public hotspots is continuously proliferating, and this allows the information to be accessible in any time and any place 3G mobile systems as a competitive solution wide geographical area coverage effective roamings other advantages: such as reliability, throughput, value-added services and contents

WISTP 2008, May 13-16, Networks Convergence However, expensive investment expensive investment required by the 3G networks look for more profitable and versatile solutions  forces to the operators to look for more profitable and versatile solutions (leakage of subscribers?) Comparing features: WLANs significant transmission rates… provide services with significant transmission rates… high demand zones in high demand zones and mobility is not a requirement when the mobility is not a requirement 3G systems high mobility, wide coverage, well-established voice services… lower transmission rates low/medium demand …but lower transmission rates, so they are more adequate for low/medium demand

WISTP 2008, May 13-16, Convergence: 3G/WLAN interworking complementary WLAN and 3G networks are complementary: 3G/WLAN interworking I-3G/WLAN is a clear trend in the public access infrastructures (PWLAN, Public Wireless LAN) 3GPP TS v7.3.0: 3GPP System to Wireless Local Area Network (WLAN) Interworking System Description (September 2006)

WISTP 2008, May 13-16, 3G/WLAN Interworking features mobile services development of mobile services with high transmission rates e.g. IP-based multimedia services, IMS roaming transparent roaming between both technologies smart switching, with the goal: keep initiated sessions QoS Ad-hoc user services: QoS profiled subscribers, preserving the quality of services.

WISTP 2008, May 13-16, 3G/WLAN Authentication Infrastructure Subscriber authenticated must be authenticated before her access to network services is authorized credentials personalized credentials User’s multimode devices e.g. laptops, smartphones, PDAs, etc. secure module require the appropriate secure module Solution: the authentication schemes are based on a combination of the solutions that were initially supported by these two systems.

WISTP 2008, May 13-16, 3G/WLAN: authentication convergence SIM-based solution, simultaneously inherit from: EAPoL-based WLAN systems: EAPoL-based (i.e X/EAP, RADIUS or DIAMETER) chip card-based U(SIM) chip card-based U(SIM) inherited from stand-alone 3G systems subscriber registers authentication schemes supported by 3GPP subscriber registers (i.e. HLR/HSS) Advantages… Devices are ready! User is accustomed to SIM Module/HW secure 3G/WLAN Netw. Operators do not require additional security credentials

WISTP 2008, May 13-16, 3G/WLAN Reference Model 3GPP AAA Proxy Offline Charging System WAG Acceso IP WLAN/ 3GPP 3GPP AAA Server SLF Home 3GPP Network WLAN- UE PacketData Gateway HSS HLR Offline Charging System OCS ' Intranet/ Internet WLAN Access Network WLAN- UE PacketData Gateway HSS HLR Offline Charging System OCS ' Intranet/ Internet Visited 3GPP Network 3GPP AAA Proxy Offline Charging System WAG IP WLAN/ 3GPP Access 3GPP AAA Server SLF Internet 3GPP TS v7.3.0: 3GPP System to Wireless Local Area Network (WLAN) Interworking System Description (September 2006) ETSI TS V7.5.0, 3GPP System to Wireless Local Area Network (WLAN) Interworking Security System (June 2007)

WISTP 2008, May 13-16, 3G Mobile Systems Authentication: AKA {RAND||CK|| IK|| AUTN} AUTH [ {RAND||CK|| IK|| AUTN} ] 3G MSU(SIM) RES RNS3G-SGSN {RAND,XRES,CK, IK, AUTN} =f(IMSI) RES= f2(K, RAND) RES =? XRES HLR/AuC Verifies MAC by f1 Decrypts SQN by f5 Checks freshness SQN Derives CK by f3 Derives IK by f4

WISTP 2008, May 13-16, AAASERVER Visited WLAN Home WLAN Example scenario: convergence authentication Home 3G Network Proxy AAA HLR/AuC Proxy AAA 3G-SGSNgateway

WISTP 2008, May 13-16, 3G/WLAN: convergence in authentication EAP-SIM and EAP-AKA SIM-based authentication schemes standardized protocols mobile stationbackend authentication server End-to-end mutual authentication between the mobile station and the backend authentication server EAPoL EAP EAPoL EAP RADIUS/DIAMETER Client UDP/IP L2/L1 RADIUS/DIAMETER Server UDP/IP L2/L1 EAP EAP-SIM/AKA WLAN MS RADIUS/DIAMETER Proxies UDP/IP L2/L1 APNetwork AAA Proxies 3G AAA Server U(SIM) WLAN DOMAIN WAN DOMAIN + CELLULAR NETWORK

WISTP 2008, May 13-16, A quick trust analysis blindly trust both devices blindly trust each other unique supplicant they behave as an unique supplicant this is not a by default recommendable assumption against any potential scenario the authentication scheme should be designed to protect against any potential scenario a priori untrustworthy e.g.WLAN MS is an a priori untrustworthy terminal. Conclusion: additional authentication mechanisms additional authentication mechanisms should be provided?

WISTP 2008, May 13-16, Stand-alone device…stand-alone suplicant Access NetworkCore NetworkAccess DeviceSupplicant Device PSTN Dedicated-lines 3GPP Multimode MS Smart Cards AAA services IP-based AAA User Other Services InternetWLAN

WISTP 2008, May 13-16, Motivation a different authentication model Our new approach starts from a different authentication model that considers: an isolated U(SIM) with autonomy during the authentication process. participates as stand-alone supplicant or claimant, and not relies on the access terminal (i.e. WLAN mobile station) for this functionality. a priori untrustworthy environment Additionally, this work assumes an a priori untrustworthy environment: WLAN MSpotential attacker the WLAN MS is considered as a potential attacker. Hence, the WLAN MS should be authenticated by the network as a different host from U(SIM). Required: Device Authentication  previous to SM

WISTP 2008, May 13-16, Goals To define an AAA architecture, which represents a more robust and flexible solution in terms of security. Feasible for untrustworthy environments To provide efficient SIM-based mobile stations’ customization or personalization in critical or public environments. Convergence (netw1,netw2) Convergence (Smart Device, )Authentication

WISTP 2008, May 13-16, Our Network Smart Card concept Network Smart Card (NSC) with authentication purposes In a previous work, we proposed a Network Smart Card (NSC) with authentication purposes: Atomic smart card authentication protocol design: the authentication protocol should be designed as an integral part of the smart card. We propose a specific protocol stack for the card End-to-end mutual authentication schema: the smart card participates as a communication extreme. IETF Layer 2 authentication (IP layer is not required)

WISTP 2008, May 13-16, …details Our Network Smart Card (NSC) approach Other approaches… ISO7816 PPP EAP ISO7816 PPP EAP pass-through EAP-type Supplicant Smart Card Terminal Pass-through authenticator Pass-through authenticator according to EAP (acc. IETF) AP/ NAS EAP-based AP/ NAS EAP-based EAP-type=EAP-AKA

WISTP 2008, May 13-16, Related Work EAP-SIM/AKA solutions: many works but focused on 3G/WLAN interworking security (network side) usually, problems derived from original SIM/AKA protocols Alternatives: EAP-TTLS, EAP-TLS, etc. Assumption about the (U)SIM-WLAN_UE trust relationship blind trust: they behave as an unique supplicant Summarized: storessubscriber authentication credentials U(SIM) stores the corresponding subscriber authentication credentials cryptographic algorithms And computes the envisaged cryptographic algorithms in SIM/AKA protocols, on the behalf of mobile station.

WISTP 2008, May 13-16, Related Work Versatile solutions are missed Example: consider an U(SIM) that may be an external smart card that customizes (temporal personalization) a public wireless terminal for a 3G/WLAN access. In such a case, the U(SIM) behaviour as an stand-alone supplicant is highly recommendable. So it should be isolated and protected.

WISTP 2008, May 13-16, New NSC-based AAA Protocol Architecture in 3G/WLAN ISO7816 PPP EAP ISO7816 PPP EAP DIAMETER Client UDP/IP DIAMETER Server UDP/IP L2/L1 EAP EAP-AKA NSC-based U(SIM) DIAMETER Proxies UDP/IP L2/L1 WLAN MSNetwork AAA Proxies L2/L1 AP Bridge3G AAA Server

WISTP 2008, May 13-16, Features U(SIM) remote authentication scheme: stand-alone supplicant stand-alone supplicant functionality instead of split supplicant functionality: the U(SIM) and WLAN MS does not cooperate in the authentication process as an unique device. authentication protocol stack integral part of the U(SIM) the authentication protocol stack is designed as an integral part of the U(SIM) (atomic design) to participate as actual endpoint in the authentication process with a 3G AAA server. ISO7816 PPP EAP EAP-AKA NSC-based U(SIM)

WISTP 2008, May 13-16, …features Minimal changes in the original architecture 3G network side does not require changes proxies and end-equipments keep settings and implementation features. DIAMETER Server UDP/IP L2/L1 EAP EAP-AKA DIAMETER Proxies UDP/IP L2/L1 Network AAA Proxies 3G AAA Server

WISTP 2008, May 13-16, Network Access Server (NAS) implementing the role of pass-through authenticator WLAN Mobile Station participates as a Network Access Server (NAS) implementing the role of pass-through authenticator as a DIAMETER client This reinforces the stand-alone supplicant functionality in the U(SIM), since WLAN MS cannot act as supplicant and authenticator at the same time for the same U(SIM). ISO7816 PPP EAP DIAMETER Client UDP/IP WLAN MS L2/L1 AP Bridge

WISTP 2008, May 13-16, …features U(SIM) isolation: advantages with regard to assure the security of the entire scheme in untrustworthy scenarios. Our architecture takes advantage of the functions of the LCP protocol (i/ PPP): LCP/PPP protocol may be easily hosted in the U(SIM) stack. EAP was initially designed for PPP EAP Layer allows: packets exchange between the EAP-SIM/AKA methods and LCP frames duplication and retransmissions control.

WISTP 2008, May 13-16, Authentication Flow in our AAA Architecture WLAN MS 3G AAA Server NSC-based U(SIM) XRE S=? RES 4. DIAMETER/EAP Request/AKA-Challenge [RAND, AUTN, MAC, Encrypted ID] 4. DIAMETER/EAP Request/AKA-Challenge [RAND, AUTN, MAC, Encrypted ID] 2. PPP/EAP Response/Identity [IMSI or Pseudonym] 2. PPP/EAP Response/Identity [IMSI or Pseudonym] 6. PPP/EAP Response/AKA-Challenge [RES, MAC] 6. PPP/EAP Response/AKA-Challenge [RES, MAC] 7. DIAMETER/EAP Response/AKA-Challenge [RES, MAC] 7. DIAMETER/EAP Response/AKA-Challenge [RES, MAC] 3. DIAMETER/EAP Response/Identity [IMSI or Pseudonym] 3. DIAMETER/EAP Response/Identity [IMSI or Pseudonym] 0. EAP Request/Identity 0. EAP Request/Identity 5. PPP/EAP Request/AKA-Challenge [RAND, AUTN, MAC, Encrypted ID] 5. PPP/EAP Request/AKA-Challenge [RAND, AUTN, MAC, Encrypted ID] 9. DIAMETER/EAP Success 9. DIAMETER/EAP Success 11. Secure channel establishment 11. Secure channel establishment 10. PPP/EAP Success 10. PPP/EAP Success 1. PPP/EAP Request/Identity 1. PPP/EAP Request/Identity 8. Validation 8. Validation

WISTP 2008, May 13-16, Security and Trust Issues not proposing a new U(SIM) authentication protocol We are not proposing a new U(SIM) authentication protocol in the context of 3G/WLAN interworking. designed by well-known protocols Our architecture is designed by well-known protocols that are implemented inside the U(SIM) with a novel approach. new way to transport authentication messages between the U(SIM) and a 3G AAA server and U(SIM) takes the control in the user side. Security weakness and threats Security weakness and threats are derived by the own nature of such standardized protocols and the correctness of their implementation.

WISTP 2008, May 13-16, Security and Trust Issues new secure algorithms, key material or cryptographic techniques are not required new secure algorithms, key material or cryptographic techniques are not required EAP-AKA method is transparently reused The implementation of the EAP-AKA method is transparently reused, both in the U(SIM) side and in the 3G AAA Server side.

WISTP 2008, May 13-16, Trust Models Relevant impact of our proposal is related to the trust models original Trust model, derived from the original AAA protocol architecture in a 3G/WLAN interworking scenario: nAUT AAA 3GPP Server U(SIM) WLAN MS explicit Proxie s AP implicit explicit User Domain Pu blic Domain, untrustworthy environment blind

WISTP 2008, May 13-16, Our Trust Model “blind trust” assumption “blind trust” assumption should not be applied to all scenarios and a more flexible solution is required new trust model Our goal: to introduce a more realistic architecture, which a new trust model is derived from nAUT AAA 3GPP Server U(SIM) WLAN MS explicit Proxie s AP implicit explicit Public Domain, untrustworthy environment User Domain implicit

WISTP 2008, May 13-16, Our Trust Model 3G AAA server is supported by DIAMETER the trust relationship between the WLAN MS and the 3G AAA server is supported by DIAMETER protocol Access Point the WLAN MS is part of the network and it behaves as an Access Point for the U(SIM) just when U(SIM) and 3G AAA server mutually trust each other, then U(SIM) trusts WLAN MS. Our AAA architecture aims to provide robustness with this goal This is a reasonable result in a priori untrustworthy scenarios

WISTP 2008, May 13-16, Implementation and Testbed Testbed for the AAA network architecture for NSC- based U(SIM) Implemented by means of the OpenDiameter libraries: C++ API both to EAP and Diameter EAP NSC-based U(SIM) WLAN MS DIAMETER Client Network AAA Proxy 3G AAA Diameter Server

WISTP 2008, May 13-16, Details about implementation 3G AAA Server: back-end authentication server is basically implemented by: the libdiametereap and libeap libraries. The Diameter EAP API is extensible and allows define authorization (DEA attributes EAP API is extended in order to support EAP-AKA method. OpenSSL library (partially included) provides a set of AKA cryptographic functionalities. For simplicity’s sake, the implementation of functions f3 and f4 has not been carried out. Network AAA proxy standard Diameter base protocol procedure relay version (Diameter proxy) is provided by the libdiameter. Allows to complete the implementation of the protocol stack in a layer 2 wireless Access Point. WLAN MS common laptop - IEEE g wireless interface. functionality of NAS (Diameter client) is provided by the implementation of the libdiametereap library.

WISTP 2008, May 13-16, Details about implementation Network Smart Card with U(SIM) functionalities JavaCard: bulk LCP/EAP protocol stack -according to the standardized state-machines enhancing with a set of functionalities corresponding EAP-AKA method. CK and IK derivation, as well as, synchronization and re- authentication functionalities have been avoided with testbed experiments purposes. (rxReq, rxSuccess, rxFailure, reqId, reqMethod) = parseEapReq(eapReqData) RECEIVED if (allowMethod(reqMethod)) { aka.Method = reqMethod methodState = INIT } else { eapRespData = buildNak(reqId) } GET_METHOD ignore = aka.check(eapReqData) if (!ignore) { (methodState, decision, allowNotifications) = aka.process(eapReqData) eapRespData = aka.buildResp(reqId) if (aka.isKeyAvailable()) eapKeyData = aka.getKey() } AKA_METHOD lastId = reqId lastRespData = eapRespData eapReq = FALSE eapResp = TRUE SEND_RESPONSE eapRespData eapReqData

WISTP 2008, May 13-16, Conclusion Our testbed shows the feasibility and robustness of the proposed NSC-based AAA protocol architecture for 3G/WLAN interworking scenarios. Standardized EAP-AKA protocol is transparently implemented in a common U(SIM), which participates as stand-alone supplicant (NSC-based U(SIM)) A novel trust model that assumes an a priori untrustworthy environment is defined Therefore, our approach represents a more flexible solution in terms of security. Beyond these benefits, it also may provide efficient mobile stations’ customization or personalization in critical or public environments. Further works: Study and complete EAP-AKA functionalities New EAP-types methods

WISTP 2008, May 13-16, Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures Thank you for your attention! Questions/Comments?