1 3GPP2 GBA Overview Adrian Escott Chair, TSG-S WG4 24 May 2006.

2 Aims of GBA
To provide shared keying material that can be used to secure applications between a mobile and a network element
  – Avoids the need to provision new keys for each new service
  – Simplifies the development of new services, as there is a standard key management method
  – Re-uses the currently developed authentication method in order to generate the shared keying material
  – Simplifies adding new services to a legacy phone (that supports GBA), as no change is needed to a UIM to support key management
  – Also provides a method of generating shared keying material that does not leave the UIM (UIM enhancement needed)
Using TLS-PSK with GBA key is complete (used in Presence Security)
  – Other security mechanisms using GBA key will be developed as needed

3 Published GBA Specifications
S.S0112 Generic Bootstrapping Architecture Requirements
  – Contains high level system requirements for GBA
S.S0109 Generic Bootstrapping Architecture (GBA) Framework
  – Contains the architecture and architectural level requirements for GBA
  – Contains full description of the bootstrapping procedures (Ub interface) and stage 2 for the Zn and Zh interfaces
S.S0114 Security Mechanisms using GBA
  – Contains TLS-PSK with GBA keys

4 GBA Architecture
Bootstrapping Server Function (BSF) and UE mutually authenticate and agree on a shared key.
BSF is always in home network.
Once that shared key is available, UE and Network Application Function (NAF) can communicate securely using keying material derived from this shared key.
HSS/HLR/AAA are used to provide the necessary data for BSF and UE to authenticate and generate shared key.

5 Example GBA message flows
Entities: UE, NAF, BSF, HSS/HLR/AAA
1. UE contacts NAF for service
2. NAF responds with request for bootstrapping
3/5. UE and BSF perform bootstrapping
4. BSF requests authentication info
6. UE sends request including B-TID
7. NAF requests key from BSF
8. BSF sends key to NAF
9. NAF sends response

6 Ub interface
Interface over which UE and BSF generate a shared key and agree a Bootstrapping Transaction identifier (B-TID)
Uses HTTP Digest for CAVE and MN-AAA based bootstrapping, or HTTP Digest AKA for AKA based bootstrapping
BSF selects bootstrapping method when UE supports more than one
Covered in S.S0109
Additional methods of bootstrapping could be supported

7 Ua interface
This is the interface that will use the GBA derived keys to secure the application specific interface
Application specific interface could be
  – Operator specific
      » Fully proprietary (only using key management from S.S0109)
      » Using method from S.S0114 (e.g. HTTPS using TLS-PSK with GBA keys)
  – Fully standardized
      » Fully standardized Ua interface (e.g. if BCMCS used GBA keys)
      » 3GPP2 application using a method from S.S0114 (e.g. Presence security)
In general it is necessary to include the following in a Ua protocol to enable it to use GBA keys
  – The UE and NAF agree on the NAF-ID (i.e. FQDN of the NAF and the Ua security protocol identifier)
  – The UE needs to pass the B-TID to the NAF
  – The NAF indicates to the UE that it can use bootstrapping (optional)
      » This may be mandated for a particular protocol

8 Zn interface
This is used by the NAF to request keys and other related information from the BSF
There is only one type of interaction on this interface
  – NAF sends B-TID, NAF-ID, Random numbers (optional), … to the BSF
  – BSF calculates Ks_NAF (key for that particular NAF) using shared key, NAF-ID etc
  – BSF responds with Ks_NAF, Key lifetime and any required User Security Settings (application related security data that is needed by the NAF, e.g., user identity)
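
The Zn exchange above (steps 6 to 8 of the example message flow), as an added example that is not part of the original slides: a BSF stores Ks under a B-TID and hands each NAF only the key derived for its own NAF-ID. The KDF here is a stand-in (HMAC-SHA-256), not the derivation function specified in S.S0109; the host names, the Ua protocol identifier bytes, the B-TID format and the key values are constructed for illustration.

```python
import hashlib, hmac, os

def derive_ks_naf(ks, rand, nai, naf_id):
    # Stand-in KDF (assumption, not the S.S0109 function): HMAC-SHA-256
    # keyed with Ks over length-prefixed RAND, NAI and NAF-ID.
    msg = b"".join(len(p).to_bytes(2, "big") + p
                   for p in (b"ks-naf-example", rand, nai.encode(), naf_id))
    return hmac.new(ks, msg, hashlib.sha256).digest()

def make_naf_id(fqdn, ua_protocol_id):
    # NAF-ID: FQDN of the NAF plus the Ua security protocol identifier.
    return fqdn.lower().encode() + ua_protocol_id

class BSF:
    def __init__(self):
        self._sessions = {}  # B-TID -> (Ks, RAND, NAI, expiry time)

    def bootstrap(self, nai, ks, rand, lifetime_s, now):
        # Outcome of a Ub run: Ks is stored under a fresh B-TID.
        b_tid = os.urandom(8).hex() + "@bsf.example"
        self._sessions[b_tid] = (ks, rand, nai, now + lifetime_s)
        return b_tid

    def zn_request(self, b_tid, naf_id, now):
        # Zn: the NAF sends B-TID and NAF-ID; Ks itself is never returned.
        session = self._sessions.get(b_tid)
        if session is None:
            return None                      # unknown B-TID
        ks, rand, nai, expiry = session
        if now >= expiry:
            del self._sessions[b_tid]        # expired: no key material served
            return None
        return {"ks_naf": derive_ks_naf(ks, rand, nai, naf_id),
                "lifetime": expiry - now, "user_identity": nai}

def run_flow():
    ks, rand = bytes(range(32)), bytes(range(16, 32))   # constructed values
    nai, proto = "user@operator.example", b"\x00\x01"   # constructed values
    bsf = BSF()
    b_tid = bsf.bootstrap(nai, ks, rand, lifetime_s=3600, now=0)
    naf_a = make_naf_id("presence.operator.example", proto)
    naf_b = make_naf_id("video.operator.example", proto)
    ue_key = derive_ks_naf(ks, rand, nai, naf_a)        # UE derives locally
    reply_a = bsf.zn_request(b_tid, naf_a, now=10)      # steps 7 and 8
    reply_b = bsf.zn_request(b_tid, naf_b, now=10)      # a different NAF
    expired = bsf.zn_request(b_tid, naf_a, now=3600)    # lifetime elapsed
    return ue_key, reply_a, reply_b, expired
```

Because the NAF-ID is an input to the derivation, a key disclosed by one NAF does not help against another NAF bootstrapped from the same Ks.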

9 Zh interfaces
The Zh interfaces are used to retrieve authentication information from the relevant entity
Assumption is that the BSF is always in the home system

10 GBA_U
GBA establishes session keys between the ME and the NAF
An enhanced version called GBA_U also allows keys to be established between the UIM and the NAF
  – The bootstrapped and the UIM specific keys are not revealed outside of the UIM
  – Part of the application-specific NAF protocol could be implemented on the UIM
  – This enhancement offers a higher level of security which is needed for certain applications, e.g., for BCMCS if GBA was used to provide RK.
Possible with AKA and MN-AAA based bootstrapping

11 Issues for TSG-C SWG1.4
MN-AAA GBA_U Bootstrapping
AKA GBA_U Bootstrapping
Ks_ext/int_NAF Generation

12 GBA_U MN-AAA Bootstrapping
First message
  – Input 128 bit BS_Challenge* and MS_Challenge*
  – Calculates and stores MN-AAA Authenticator as described
  – Returns 160 bit H0(MN-AAA Authenticator)
Second message
  – Input 128 bit AKA_challenge and 160 bit Hash
  – Generates 128 bit random number and uses inputs and MN-AAA authenticator to calculate 256 bit Ks (stores this) and 128 bit RES
  – Return RES and random number
Third message
  – Just a confirmation message
  – Store Ks and AKA_challenge to calculate keys later
Fourth message
  – Input B-TID and lifetime
  – Stores these and keeps them available to be read by mobile

13 GBA_U AKA Bootstrapping
First message
  – Input RAND | AUTN* with both 128 bits long
  – Check AUTN* correct as described in S.S0109 (similar to AKA but with slight difference)
  – If AUTN OK calculates RES and Ks(=CK|IK)
  – Stores Ks and RAND for later key generation
  – Returns RES
Second message
  – Same as fourth message of GBA_U MN-AAA Bootstrapping

14 Ks_ext/int_NAF Generation
Inputs NAF-ID, NAI and Key Derivation Parameter (Optional)
From inputs and stored Ks and RAND/AKA_Challenge, the UIM calculates Ks_int_NAF and Ks_ext_NAF (both 256 bits long)
Ks_int_NAF is stored along with B-TID and NAF-ID
Ks_ext_NAF is returned to the mobile

15 Thank you