1. 21-08-0xxx-00-0sec IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-08-0xxx-00-0sec-3gpp-security-non802handover Title: A Study on Security Solutions in non- IEEE 802 Wireless – 3GPP AKA and Interworking with WLAN Date Submitted: September 3, 2008 Presented at IEEE 802.21 session #28 in Big Island, HI Authors or Source(s): Lily Chen (NIST) Abstract: This presentation reviews security solutions for 3GPP and 3GPP - WLAN interworking. The purpose is to explore possible security handover strategies with non-802 networks.

2. 21-08-0xxx-00-0sec IEEE 802.21 presentation release statements This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEEs name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEEs sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21. The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual and in Understanding Patent Issues During IEEE Standards Development http://standards.ieee.org/board/pat/guide.html> Section 6.3 of the IEEE-SA Standards Board Operations Manualhttp://standards.ieee.org/guides/opman/sect6.html#6.3 http://standards.ieee.org/board/pat/guide.html IEEE 802.21 presentation release statements This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein. The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEEs name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEEs sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21. The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws and in Understanding Patent Issues During IEEE Standards Development http://standards.ieee.org/board/pat/faq.pdf> Section 6 of the IEEE-SA Standards Board bylawshttp://standards.ieee.org/guides/bylaws/sect6-7.html#6 http://standards.ieee.org/board/pat/faq.pdf

3. 21-08-0xxx-00-0sec Purpose Study non-IEEE 802 wireless network security solutions Explore possible security handover strategies with non-IEEE 802 networks.

4. 21-08-0xxx-00-0sec Outline UMTS Authentication and Key Agreement (AKA) EAP-AKA 3GPP and WLAN interworking Interworking vs. handover

5. 21-08-0xxx-00-0sec UMTS Network Architecture BS RNC MSC/VLR SGSN HE/AuC PSTN / ISDN IP Networks USIM K K K – Long term authentication key stored in the USIM card at the mobile side and Authentication Center (AuC) at the network side. USIM – UMTS Subscriber Identity Module BS- Base Station RNC – Radio Network Controlor VLR – Visitor Location Register SGSN – Serving GPRS Support Node HE – Home Environment AuC – Authentication Center PSTN – Public Switched Telephone Network

6. 21-08-0xxx-00-0sec Authentication and Key Agreement (AKA) - Introduction AKA is the subscriber authentication and session key generation protocol specified in 3GPP for UMTS (see 3GPP TS33.102). The authentication is based on symmetric key method, assuming that the subscriber and the network share a long term key K. The main idea is to use Authentication Vectors (AVs) to delegate the authentication to VLR/SGSN.

7. 21-08-0xxx-00-0sec Authentication and Key Agreement (AKA) - Authentication Vector An authentication vector is a quintuplet: AV = (RAND||AUTN||XRES||CK||IK) The components are RAND – Random challenge AUTN – Authentication token to authenticate the network XRES – Expected response to RAND CK – Cipher (encryption) key IK – Integrity key

8. 21-08-0xxx-00-0sec Authentication and Key Agreement (AKA) - Generation of Authentication Vector Generate SQN Generate RAND RAND K f5f5 AK f4f4 f3f3 f2f2 f1f1 IKCKXRESMAC AMF Long term authentica tion key Random challenge AUTN:= SQN AK||AMF||MAC f i s are operator specified functions. 3GPP developed an example algorithm (Milenage).

9. 21-08-0xxx-00-0sec Authentication and Key Agreement (AKA) - Protocol Subscriber device with USIM K VLR/SGSN HLR/AuC K Access RequestAuthentication Data Request Authentication Vectors RAND j || AUTN j RES j RNC IK j and CK j Protected AV i = { RAND j || AUTN j || XRES j || CK j || IK j } j =1,2, …t Verify AUTN j =? XRES j f2f2 f3f3 f4f4 CK j IK j

10. 21-08-0xxx-00-0sec UMTS Security in Handover AKA is executed for each registration not for each handover. Session keys IK and CK are generated for each AKA execution. The same session keys can be used by different RNCs. They are distributed through handover. UMTS allows the different RNCs to share the same session keys, while in IEEE 802.11, different APs are not trusted to share the same session keys! Radio Access Network MSC VLR HLR Authentication Center RNC 1 RNC 2 CK, IK

11. 21-08-0xxx-00-0sec EAP-AKA - Motivation and main ideas USIM is considered as an asset to service providers. It holds credentials to authenticate subscribers. Use common credentials for both cellular and WLAN access authentication will get the best use of USIM. EAP-AKA is an EAP method using USIM to conduct authentication for WLAN access. WLAN AAA server interfaces with the 3GPP AuC to get authentication vectors. WLAN AAA server uses AVs to derive EAP keys. WLAN Device Access Point AAA server EAP-AKA Derive EAP keys from AV Deliver MSK Protected data HLR/AuC AVs Derive EAP keys from AV

12. 21-08-0xxx-00-0sec EAP-AKA - How to use authentication vectors Use RAND and XRES as random challenge and response. AUTN is used for network authentication. Use IK and CK to derive EAP Keys. RANDXRESCKIKAUTN AT(RAND) Verify AT(RES) AT(AUTN) Hash MK KDF TEKsMSKEMSK K encr K aut

13. 21-08-0xxx-00-0sec EAP-AKA Protocol Outline* WLAN Device AAA server HLR/AC AV i EAP-Request / Identity EAP-Response / Identity EAP-Request / AKA-challenge (RAND, AUTN, MAC) EAP-Response / AKA-Challenge (RES, MAC) Generate MK. MAC is generated using K aut. EAP-Success (or Failure) MSK *For details, see RFC 4187.

14. 21-08-0xxx-00-0sec 3GPP and WLAN Interworking 3GPP and WLAN interworking is to allow a device to access Internet through WLAN by authenticating through 3GPP network (direct access). to access Internet through 3GPP IP network (WLAN 3GPP IP Access). The security in interworking is specified in 3GPP 33.234. It allows User Equipment (UE) to authenticate to WLAN network using the same credentials of 3GPP AKA through EAP-AKA. It specifies interfaces between 3GPP network and WLAN to pass all sorts of information and also support access authentication. It is 3GPP specific with 3GPP specified network function entities. It is an application of EAP-AKA. Internet 3GPP Network WLAN Access Network Packet data gateway 3GPP AAA AuC WLAN UE 3GPP AAA HLR/AuC AVs EAP-AKA

15. 21-08-0xxx-00-0sec AKA vs. EAP-AKA Interworking allows using AKA authentication vector for WLAN access authentication and key establishment. AKA and EAP-AKA have different trust models: Session keys generated through AKA can be shared among RNCs. MSK, generated through EAP-AKA, is specific for an given authenticator. Wireless protection session keys are AP specific. UMTS and IEEE 802 network have different secure handover solutions. UMTS has infrastructure to handover the session keys. IEEE 802 (e.g. 802.11r) executes a handshake in each handover to generate new session keys. Interworking does not provide mechanisms to handover keys between IEEE 802 wireless network and non-802 network.

16. 21-08-0xxx-00-0sec Different Trust Models and Secure Handover Solutions - Illustration HLR/AuC VLR/SGSN Authenticator RNC 1 RNC 2 AV 1 CK, IK AAA Server AV 2 AKA MSK PTK 1 PTK 2 EAP-AKA Handover

17. 21-08-0xxx-00-0sec Summary 3GPP AKA employs a different trust model from EAP-AKA. From security perspective, real handover between 802 and non-802 network is barely possible. Switch from 3GPP to IEEE 802.11 (or others) can use pre- authentication through EAP-AKA, if 3GPP AuC can provide authentication vectors to 802.11 network. (This can hardly be called handover, since it is really a full authentication.) The possibility of security handover is questionable if a MN roams from a 802 network to a 3GPP network, when the 802 network uses some other authentication methods than EAP-AKA, e.g. EAP-TLS.

18. 21-08-0xxx-00-0sec Back Up slides

19. 21-08-0xxx-00-0sec EAP-AKA Fast Re-authentication After a full EAP-AKA execution, the TEK = (K encr, K aut ) can be used for a fast re-authentication. The server generates a random number N S and use K encr to encrypt it. The server message includes a MAC. Upon receiving E(K encr,N S ), the peer decrypts it. The MN generates a MAC over N S using K aut and sends it to the server. The MAC serves as an authentication response. For each fast re-authentication, it generates a new MK using the old MK and N S. A counter is maintained to record the number of fast re- authentications.