Slide 1: One-Pass GPRS and IMS Authentication Procedure for UMTS
By Yi-Bing Lin, Ming-Feng Chang, Meng-Ta Hsu, and Lin-Yi Wu
An overview by Frank McCown, Mobile Computing (CS), Old Dominion University, October 22, 2004
Slide 2: Evolution of Mobile Networks

Generation   Type                 Time         Standards
1G           Analog               1980s        AMPS, NMT, TACS
2G           Digital              1990s        GSM, CDMA, TDMA
2.5G         Higher data rate     Late 1990s   GPRS, EDGE
3G           Digital multimedia   2010s        UMTS

Notes:
Analog: you could only easily use analogue cellular to make voice calls, and typically only in any one country.
Digital: digital mobile phone systems added fax, data and messaging capabilities as well as voice telephone service in many countries.
Multimedia: multimedia services add high-speed data transfer to mobile devices, allowing new video, audio and other applications through mobile phones, so that music, television and the Internet can be accessed through a mobile terminal. International support. Moving from multiple standards to a single standard. Moving from unsecured communications to end-to-end secured communications.
Slide 3: UMTS Background
- UMTS (Universal Mobile Telecommunications System) specification created by the 3GPP consortium
- Progression from GSM (2G) to GPRS (2.5G)
- Data rates: 144 kbps – 2 Mbps
- 10 million users as of Sept 2004

Notes:
3GPP (3rd Generation Partnership Project).
GSM (Global System for Mobile communication): was primarily a European standard (2G); has now spread throughout North America.
GPRS (General Packet Radio Service): 2.5G; involves overlaying a packet-based air interface on the existing circuit-switched GSM network.
Slide 4: IMS Overview
- IMS (IP Multimedia Subsystem) is used by UMTS for providing IP telecommunications
- Supports voice telephony, live video streaming, instant messaging, etc.
- Performs signaling operations using the Session Initiation Protocol (SIP)
- Uses the CSCF to provide multimedia services

Notes:
IMS is a framework for providing IP telecommunication services. SIP, the Session Initiation Protocol (developed by the IETF), is a signaling protocol for Internet conferencing, telephony, presence, event notification and instant messaging. SIP runs on top of different IP transport protocols such as UDP and TCP.
CSCF (Call Session Control Function): the CSCF provides session control for subscribers accessing services within the IM (IP Multimedia) CN. In essence the CSCF is a SIP server. It is responsible for interacting with network databases such as the HSS for mobility and AAA (Access, Authorization and Accounting) servers for security.
Slide 5: CSCF Overview
Three types of Call Session Control Functions in IMS:
- P-CSCF (Proxy): directs SIP messages from the MS to the home network.
- S-CSCF (Serving): located in the home network to provide session control of multimedia services.
- I-CSCF (Interrogating): firewall for SIP messages directed toward the home network; selects the S-CSCF for the MS.
Slide 6: UMTS Architecture

Notes:
SGSN (Serving GPRS Support Node): responsible for the delivery of data packets from and to the mobile stations within its service area. Its tasks include packet routing and transfer, mobility management (attach/detach and location management), logical link management, and authentication and charging functions. The location register of the SGSN stores location information and user profiles of all GPRS users registered with this SGSN.
GGSN (Gateway GPRS Support Node): interface between the GPRS wireless data network and other networks such as the Internet or private networks. To external packet data networks the GGSN performs the task of an IP router. Firewall and filtering functionality, to protect the integrity of the GPRS core network, is also associated with the GGSN, along with a billing function.
CSCF (Call Session Control Function):
- P-CSCF (Proxy): directs SIP messages from the MS to the home network.
- S-CSCF (Serving): located in the home network to provide session control of multimedia services.
- I-CSCF (Interrogating): firewall for SIP messages directed toward the home network; selects the S-CSCF for the MS.
OSA (Open Service Access): provides a standard interface through which developers can design services that interact with functions within the network.
HSS (Home Subscriber Server): the master database for the wireless network; while logically it is viewed as one entity, in practice it is made up of several physical databases. The HSS holds variables and identities for the support, establishment and maintenance of calls and sessions made by subscribers. This includes the subscriber's IMSI, security variables and location information.
AuC (Authentication Center): provides authentication vectors (AVs) for the authentication process.
Slide 7: Goal: Security
GPRS Authentication:
- User authentication: between MS and SGSN
- Network authentication: between MS and HSS/AuC
IMS Authentication:
- Between MS and CSCF

Notes:
USIM (Universal Subscriber Identity Module): only emergency calls are permissible if it is not present in the terminal.
IMSI: a unique identifier allocated to each mobile subscriber in a GSM or UMTS network. It consists of an MCC (Mobile Country Code), an MNC (Mobile Network Code) and an MSIN (Mobile Station Identification Number).
Slide 8: USIM Smart Card
- Provides mobile station identification
- Must be present in the terminal
- Contains data about the subscriber:
  - IMSI (International Mobile Station Identifier) for GPRS authentication
  - IMPI (IP Multimedia Private Identity) for IMS authentication
  - Encryption and integrity keys
  - Other: identities, preferred languages, etc.
Slide 9: GPRS Authentication

Message flow between MS, SGSN and HSS/AuC:
  MS -> SGSN:       Attach Request (IMSI)
  SGSN -> HSS/AuC:  Send Auth Info Request (IMSI)
  HSS/AuC -> SGSN:  Send Auth Info Response (AVs)
  SGSN:             Select authentication vector AV = (RAND, AUTN, XRES, CK, IK)
  SGSN -> MS:       Auth & Ciphering Request (RAND, AUTN)
  MS:               Verify AUTN; compute RES; compute CK and IK
  MS -> SGSN:       Auth & Ciphering Response (RES)
  SGSN:             Compare RES and XRES; select CK and IK
  SGSN -> MS:       Attach Accept

Two things happen here: 1) user authentication, between the MS and the SGSN; 2) network authentication, between the MS and the HSS/AuC.

Notes:
HSS (Home Subscriber Server): see slide 6. The number of physical databases depends on the number of subscribers and the extent of the services that need to be supported.

Step G.1. Consider an MS with the IMSI value imsi and the IMPI value impi. To access the GPRS services, the MS sends a GMM Attach Request (with the parameter IMSI = imsi) to the SGSN.
Step G.2. If the SGSN already has the AVs of the MS, then Steps G.2 and G.3 are skipped. Otherwise, the SGSN must obtain the AVs from the HSS/AuC. That is, the SGSN invokes the authentication vector distribution procedure by sending a MAP SEND AUTHENTICATION INFO Request message to the HSS/AuC (with the parameter IMSI = imsi).
Step G.3. The HSS/AuC uses imsi to retrieve the record of the MS, and generates an ordered array of AVs (based on the pre-shared secret key K in the MS record). The generated AV array is sent to the SGSN through a MAP SEND AUTHENTICATION INFO Response message. Each AV is good for one authentication and key agreement between the SGSN and the MS.
Step G.4. The SGSN selects the next unused authentication vector in the ordered AV array and sends the parameters RAND and AUTN (from the selected authentication vector) to the MS through a GMM Authentication and Ciphering Request message.
Step G.5. The MS checks whether the received AUTN can be accepted (using the pre-shared key K) to authenticate the network. If so, it produces a response RES (using key K and RAND) that is sent back to the SGSN through a GMM Authentication and Ciphering Response message. The SGSN compares the received RES with the XRES. If they match, then the authentication and key agreement exchange is successfully completed.
Step G.6. The SGSN sends a GMM Attach Accept message to the MS, and the attach procedure is completed.

AV (Authentication Vector): only one may be used per authentication request.
RAND: random number.
AUTN (Authentication Token): the concatenation of three fields: SQN added bit-by-bit (XORed) to AK (Anonymity Key), AMF (Authentication Management Field), and MAC (Message Authentication Code).
XRES: signed (expected) response.
CK: Cipher Key.
IK: Integrity Key.
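The AV generation, AUTN check and RES comparison from Steps G.3 to G.5, as an added simulation that is not part of the original presentation or the paper. It stands in for the 3GPP f1–f5 functions with tagged HMAC-SHA256 (an assumption for illustration, not MILENAGE); the key K, SQN values and AMF are constructed sample values. It also shows the two rejection cases a USIM must handle: a tampered AUTN (MAC failure) and a replayed challenge (stale SQN).

```python
import hmac, hashlib, os

AMF = b"\x80\x00"  # constructed 2-byte Authentication Management Field

def _f(K, tag, data, n):
    # Stand-in for the 3GPP f1..f5 functions: HMAC-SHA256 keyed with the
    # pre-shared key K, tagged so each output is independent. Not MILENAGE.
    return hmac.new(K, tag + data, hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def generate_av(K, sqn, rand=None):
    # HSS/AuC side (Step G.3): one AV = (RAND, AUTN, XRES, CK, IK).
    rand = rand or os.urandom(16)
    mac  = _f(K, b"f1", rand + sqn + AMF, 8)
    xres = _f(K, b"f2", rand, 8)
    ck   = _f(K, b"f3", rand, 16)
    ik   = _f(K, b"f4", rand, 16)
    ak   = _f(K, b"f5", rand, 6)
    autn = xor(sqn, ak) + AMF + mac      # AUTN = (SQN xor AK) || AMF || MAC
    return {"RAND": rand, "AUTN": autn, "XRES": xres, "CK": ck, "IK": ik}

def ms_authenticate(K, rand, autn, last_sqn):
    # MS/USIM side (Step G.5): authenticate the network, then derive RES/CK/IK.
    ak = _f(K, b"f5", rand, 6)
    sqn = xor(autn[:6], ak)              # recover SQN by removing the anonymity key
    amf, mac = autn[6:8], autn[8:16]
    if not hmac.compare_digest(mac, _f(K, b"f1", rand + sqn + amf, 8)):
        return None                      # MAC failure: network not authenticated
    if int.from_bytes(sqn, "big") <= int.from_bytes(last_sqn, "big"):
        return None                      # replayed challenge: SQN not fresh
    return {"RES": _f(K, b"f2", rand, 8), "CK": _f(K, b"f3", rand, 16),
            "IK": _f(K, b"f4", rand, 16), "SQN": sqn}

def run_gprs_aka(K, sqn, last_sqn, tamper=False):
    # SGSN side (Steps G.4/G.5): send RAND/AUTN, then compare RES with XRES.
    av = generate_av(K, sqn)
    autn = av["AUTN"]
    if tamper:                           # simulate a modified challenge in transit
        autn = bytes([autn[0] ^ 1]) + autn[1:]
    ms = ms_authenticate(K, av["RAND"], autn, last_sqn)
    if ms is None:
        return False
    return hmac.compare_digest(ms["RES"], av["XRES"])
```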
Slide 10: IMS Authentication

Message flow between MS, SGSN, HSS/AuC and CSCF:
  MS -> CSCF (via SGSN):  Register (IMPI)
  CSCF -> HSS/AuC:        Multimedia Auth Request (IMPI)
  HSS/AuC -> CSCF:        Multimedia Auth Answer (AVs)
  CSCF:                   Select authentication vector AV
  CSCF -> MS:             401 Unauthorized (RAND, AUTN)
  MS:                     Verify AUTN; compute RES
  MS -> CSCF:             Register (RES)
  CSCF:                   Compare RES and XRES
  CSCF -> HSS/AuC:        Server Assignment Request
  HSS/AuC -> CSCF:        Server Assignment Answer
  CSCF -> MS (via SGSN):  200 OK

Notes:
SGSN: Serving GPRS Support Node. HSS: Home Subscriber Server. AuC: Authentication Center. CSCF: Call Session Control Function; here it represents the P-CSCF (Proxy-CSCF), S-CSCF (Serving-CSCF) and I-CSCF (Interrogating-CSCF). IMPI: IP Multimedia Private Identity.

Step I.1. The MS sends a SIP Register message to the CSCF (with the parameter IMPI = impi) through the SGSN.
Step I.2. Assume that the CSCF does not have the AVs for the MS (or the array has been used up and a new one is needed). The CSCF invokes the authentication vector distribution procedure by sending a Cx Multimedia Authentication Request message to the HSS/AuC (with the parameter IMPI = impi).
Step I.3. The HSS/AuC uses impi to retrieve the record of the MS, and generates an ordered array of AVs. The HSS/AuC sends the AV array to the CSCF through a Cx Multimedia Authentication Answer message.
Step I.4. The CSCF selects the next unused authentication vector from the ordered AV array and sends the parameters RAND and AUTN (from the selected authentication vector) to the MS through a SIP 401 Unauthorized message (similar to the HTTP 401 Unauthorized message).
Step I.5. The MS checks whether the received AUTN can be accepted. If so, it produces a response RES. The MS sends this response back to the CSCF through a SIP Register message. The CSCF compares the received RES with the XRES. If they match, then the authentication and key agreement exchange is successfully completed.
Step I.6. The CSCF sends a Cx Server Assignment Request message to the HSS/AuC.
Step I.7. Upon receipt of the Server Assignment Request, the HSS/AuC stores the CSCF name and replies with a Cx Server Assignment Answer message to the CSCF.
Step I.8. The CSCF sends a 200 OK message to the MS through the SGSN, and the IMS registration procedure is completed.

In the above procedure, Steps I.1–I.5 exercise authentication, and Steps I.6–I.8 perform registration.
Slide 11: Similarities

GPRS Authentication                                    IMS Authentication
SGSN -> HSS/AuC: Send Auth Info Request (IMSI)         CSCF -> HSS/AuC: Multimedia Auth Request (IMPI)
HSS/AuC -> SGSN: Send Auth Info Response (AVs)         HSS/AuC -> CSCF: Multimedia Auth Answer (AVs)
SGSN -> MS: Auth & Ciphering Request (RAND, AUTN)      CSCF -> MS: 401 Unauthorized (RAND, AUTN)
MS -> SGSN: Auth & Ciphering Response (RES)            MS -> CSCF: Register (RES)
SGSN -> MS: Attach Accept                              CSCF -> MS: 200 OK
Slide 12: IMS One-Pass Authentication
- Makes use of GPRS authentication
- SGSN implements a SIP Application Level Gateway (ALG)
- Slight modification of the SIP message format
Slide 13: IMS Registration: One-Pass Authentication

Message flow between MS, SGSN, HSS/AuC and CSCF:
  MS -> SGSN:        Register (IMPI)
  SGSN:              Retrieve IMSI value (known from GPRS authentication)
  SGSN -> CSCF:      Register (IMPI, IMSI)
  CSCF:              Store (IMSI, IMPI) pair
  CSCF -> HSS/AuC:   Server Assignment Request (IMPI)
  HSS/AuC -> CSCF:   Server Assignment Answer (IMSI-HSS(IMPI), User Profile)
  CSCF:              Check if IMSI-HSS(IMPI) = IMSI
  CSCF -> MS:        200 OK

Notes:
SGSN: Serving GPRS Support Node. HSS: Home Subscriber Server. AuC: Authentication Center. CSCF: Call Session Control Function; here it represents the P-CSCF (Proxy-CSCF), S-CSCF (Serving-CSCF) and I-CSCF (Interrogating-CSCF). IMPI: IP Multimedia Private Identity.

Step I*.1. The MS sends a SIP Register message to the SGSN with the parameter IMPI = impi. Note that after GPRS authentication, the SGSN can identify the IMSI of the MS that transmits the GPRS packets. The SIP ALG in the SGSN adds the IMSI value of the MS to the Register message and forwards it to the CSCF.
Step I*.2. The CSCF stores the (imsi, impi) pair in the MS record, and sends a Cx Server Assignment Request message to the HSS/AuC with the parameter IMPI = impi. Note that if the CSCF has stored the (imsi, impi) pair before, then Steps I*.2 and I*.3 are skipped.
Step I*.3. The HSS/AuC uses the received IMPI value impi as an index to retrieve the IMSI and the user profile of the MS. We denote by IMSI-HSS(IMPI) the IMSI value retrieved from the HSS/AuC. The HSS/AuC stores the CSCF name and sends a Cx Server Assignment Answer to the CSCF (with the parameters IMSI-HSS(IMPI) and user profile).
Step I*.4. The CSCF checks whether the value IMSI-HSS(IMPI) and IMSI are the same. If so, the CSCF sends a SIP 200 OK message to the SGSN and the authentication is considered successful. If they are not equal, the registration is illegal; possibly an MS is trying to illegally access the IMS service of some other MS.
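The one-pass registration of Steps I*.1 to I*.4, as an added simulation that is not part of the original presentation or the paper. The HSS records, IMSI and IMPI values are constructed samples; the rejection response for a mismatched IMSI is an assumption, since the slides do not name one. The CSCF counts HSS queries so that the skipped Steps I*.2 and I*.3 for an already-stored (imsi, impi) pair are visible, and the mismatch case shows the check catching an MS that registers another subscriber's IMPI.

```python
from dataclasses import dataclass, field

# Constructed HSS/AuC subscriber records: IMPI -> (IMSI, user profile).
HSS_RECORDS = {
    "alice@ims.example": ("001010000000001", {"services": ["voice", "im"]}),
    "bob@ims.example":   ("001010000000002", {"services": ["voice"]}),
}

def hss_server_assignment(impi):
    # Step I*.3: the HSS/AuC uses IMPI as the index and returns IMSI-HSS(IMPI)
    # together with the user profile (the CSCF name would be stored here too).
    rec = HSS_RECORDS.get(impi)
    return None if rec is None else {"IMSI-HSS": rec[0], "profile": rec[1]}

def sgsn_sip_alg(gprs_context_imsi, sip_register):
    # Step I*.1: after GPRS AKA the SGSN knows which IMSI sent the packet, so
    # its SIP ALG adds that IMSI to the Register message before forwarding it.
    return dict(sip_register, IMSI=gprs_context_imsi)

@dataclass
class CSCF:
    known_pairs: set = field(default_factory=set)  # stored (imsi, impi) pairs
    hss_queries: int = 0                            # Server Assignment Requests sent

    def register(self, msg):
        imsi, impi = msg["IMSI"], msg["IMPI"]
        if (imsi, impi) in self.known_pairs:
            return "200 OK"                         # Steps I*.2 and I*.3 skipped
        self.hss_queries += 1                       # Step I*.2: Cx Server Assignment Request
        ans = hss_server_assignment(impi)
        if ans is None or ans["IMSI-HSS"] != imsi:  # Step I*.4: IMSI-HSS(IMPI) != IMSI
            return "403 Forbidden"                  # assumed reject code; registration illegal
        self.known_pairs.add((imsi, impi))          # keep the pair only once verified
        return "200 OK"

def one_pass_registration(cscf, attached_imsi, impi):
    # Whole flow for one MS whose GPRS attach authenticated attached_imsi.
    return cscf.register(sgsn_sip_alg(attached_imsi, {"IMPI": impi}))
```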
Slide 14: IMS Authentication (two-pass procedure, showing what one-pass removes)

Message flow between MS, SGSN, HSS/AuC and CSCF:
  MS -> CSCF:        Register (IMPI)
  CSCF -> HSS/AuC:   Multimedia Auth Request (IMPI)     No longer needed!
  HSS/AuC -> CSCF:   Multimedia Auth Answer (AVs)       No longer needed!
  CSCF:              Select authentication vector AV    No longer needed!
  CSCF -> MS:        401 Unauthorized (RAND, AUTN)      No longer needed!
  MS:                Verify AUTN; compute RES           No longer needed!
  MS -> CSCF:        Register (RES)                     No longer needed!
  CSCF:              Compare RES and XRES               No longer needed!
  CSCF -> HSS/AuC:   Server Assignment Request
  HSS/AuC -> CSCF:   Server Assignment Answer
  CSCF -> MS:        200 OK
Slide 15: Cost Analysis
How much signaling has the one-pass procedure saved?

Cost model (MS, SGSN, HSS/AuC, CSCF):
- A message between the MS and the CSCF costs 1.
- A message between the CSCF and the HSS/AuC costs β, where β < 1, because the CSCF and HSS/AuC exchange messages directly over the IP network, whereas the MS must transmit a message via radio to the SGSN and then through the GPRS core network before it reaches the CSCF (and, when a query is needed, the HSS/AuC).

One-pass procedure: the messages are MS -> CSCF, CSCF -> HSS/AuC, HSS/AuC -> CSCF, CSCF -> MS, so
C1 = 1 + β + β + 1 = 2 + 2β
Slide 16: Cost Analysis
Cost C2 for the two-pass IMS procedure:
- If AVs are needed to perform authentication: C2,1 = 4 + 4β
- If AVs are not needed: C2,2 = 4 + 2β
The AV array is of size n, so one out of every n IMS registrations must fetch a new array and incurs C2,1; the other n - 1 incur C2,2.

C2 = (1/n) C2,1 + ((n - 1)/n) C2,2 = 4 + ((n + 1)/n) 2β

Improvement S = (C2 - C1) / C2 = (n + β) / (2n + (n + 1)β)
Slide 17: Improvement S of One-Pass Over Two-Pass Procedure

[Plot of S against β for several AV array sizes n; n = AV array size, β = cost of a message between HSS/AuC and CSCF.]
S = (n + β) / (2n + (n + 1)β)
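The cost model of slides 15 to 17, worked through in Python as an added example that is not part of the original presentation or the paper. Rather than typing in the closed form, it tallies the two-pass and one-pass message sequences from slides 10 and 13 under the per-message costs 1 and β, derives C1, C2 and S from the tally, and lets you check that the result matches the closed form S = (n + β)/(2n + (n + 1)β) exactly (Fractions, so no rounding).

```python
from fractions import Fraction

# Cost model from slide 15: a message between the MS and the CSCF (radio plus
# GPRS core network) costs 1; a CSCF <-> HSS/AuC message over IP costs beta < 1.
ONE_PASS = ["MS->CSCF", "CSCF->HSS", "HSS->CSCF", "CSCF->MS"]          # I*.1-I*.4
TWO_PASS_WITH_AVS = ["MS->CSCF", "CSCF->HSS", "HSS->CSCF", "CSCF->MS",  # I.1-I.4
                     "MS->CSCF", "CSCF->HSS", "HSS->CSCF", "CSCF->MS"]  # I.5-I.8
TWO_PASS_NO_AVS = ["MS->CSCF", "CSCF->MS",                             # I.1, I.4 (AVs cached)
                   "MS->CSCF", "CSCF->HSS", "HSS->CSCF", "CSCF->MS"]    # I.5-I.8

def cost(messages, beta):
    # Sum the per-message costs of one message sequence.
    return sum(beta if "HSS" in m else 1 for m in messages)

def c1(beta):
    return cost(ONE_PASS, beta)                                 # 2 + 2*beta

def c2(n, beta):
    # One registration in n exhausts the AV array of size n and must fetch a
    # new one (C2,1); the other n-1 registrations reuse cached AVs (C2,2).
    return (Fraction(1, n) * cost(TWO_PASS_WITH_AVS, beta)
            + Fraction(n - 1, n) * cost(TWO_PASS_NO_AVS, beta))

def improvement(n, beta):
    # S = (C2 - C1) / C2, computed from the tallies.
    return (c2(n, beta) - c1(beta)) / c2(n, beta)

def improvement_closed_form(n, beta):
    # The closed form stated on slides 16 and 17.
    return (n + beta) / (2 * n + (n + 1) * beta)
```

The conclusion's "up to 50%" is the limit of S as β goes to 0 and n grows; for any β > 0 and finite n the value stays strictly below 1/2.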
Slide 18: Conclusion
- After GPRS authentication, IMS two-pass authentication can be simplified using one-pass authentication.
- The new approach can save up to 50% of the network traffic generated by IMS registration.
- 50% of the storage for buffering AVs is alleviated.
- The one-pass procedure is pending ROC and US patents.
Slide 19: Glossary
3GPP – Third Generation Partnership Project
AuC – Authentication Center
AV – Authentication Vector
RAND – Random number
AUTN – Authentication Token
XRES – Signed Response
CK – Cipher Key
IK – Integrity Key
CSCF – Call Session Control Function
P-CSCF – Proxy-CSCF
S-CSCF – Serving-CSCF
I-CSCF – Interrogating-CSCF
GGSN – Gateway GPRS Support Node
GPRS – General Packet Radio Service
HSS – Home Subscriber Server
IMPI – IP Multimedia Private Identity
IMSI – International Mobile Station Identifier
IMS – IP Multimedia Core Network Subsystem
PS CN – Packet Switched Core Network
SGSN – Serving GPRS Support Node
SIP – Session Initiation Protocol
UMTS – Universal Mobile Telecommunications System
USIM – Universal Subscriber Identity Module
UTRAN – UMTS Terrestrial Radio Access Network