Published by Jewel Casey. Modified over 9 years ago.

Proposed Solution for Device Binding
3GPP2 TSG-S WG4 S40-20120829-001
Source: Qualcomm Incorporated
Contact(s): Anand Palanigounder, apg@qualcomm.com; Aram Perez, aramp@qualcomm.com
Recommendation: For Discussion & Decision

Notice
QUALCOMM Incorporated grants a free, irrevocable license to 3GPP2 and its Organizational Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner’s name any Organizational Partner’s standards publication even though it may include all or portions of this contribution; and at the Organizational Partner’s sole discretion to permit others to reproduce in whole or in part such contribution or the resulting Organizational Partner’s standards publication. QUALCOMM Incorporated is also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner’s standard which incorporates this contribution.
This document has been prepared by QUALCOMM Incorporated to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on QUALCOMM Incorporated. QUALCOMM Incorporated specifically reserves the right to amend or modify the material contained herein and nothing herein shall be construed as conferring or offering licenses or rights with respect to any intellectual property of QUALCOMM Incorporated other than provided in the copyright statement above.

Overview
Background
Terms
Solution Principles
Device Binding Function
Message Flow

Background
This presentation proposes a high level solution to the Device Binding requirement in document S.R0146-0

Terms
BSC – Base Station Controller
DBF – Device Binding Function
FFS – For Future Study
IE – Information Element
IMSI – International Mobile Subscription Identifier
MEID – Mobile Equipment Identifier
MSC – Mobile Switching Center
N – nonce
S[x] – signature of x, calculated using a private key
VLR – Visitor Location Register

Solution Principles (1)
The solution is proposed for cdma2000 1x networks
  – Whether a solution is required for (e)HRPD is FFS
      If required, applicability of this proposed solution to (e)HRPD is FFS
Device manufacturer provisions a private key associated with device identity (MEID)
  – How the device manufacturer obtains the key pairs and whether public key or certificates are used is FFS
The network obtains the public key of a UE; options include:
  – Certificate sent by UE
  – Get the public key or certificate from a database

Solution Principles (2)
During the 1x registration process, the MSC/VLR (based on either network configuration or subscription profile) determines whether to perform device binding
MSC/VLR sends a Status Request message requesting MEID authentication
The BSC transparently forwards the Status Request / Response message from the MSC/VLR (Status Request) or UE (Status Response)
  – The assumption that the BSC can transparently forward these messages needs to be verified

Solution Principles (3)
UEs that support the Device Binding functionality respond with an authentication signature in the Status Response message
  – If Device Binding is not supported by the UE, there are two possibilities (depending on the legacy UE behavior):
      1. UE ignores the new IE in the Status Request message and responds with error code;
         – in this case, the MSC/VLR may decide to issue a Status Request without the IEs needed for device authentication
      2. UE ignores the new IE and responds with a Status Response with only MEID
NOTE: If the subscription requires Device Binding, but the UE does not respond with a signature, the network should deny service to the UE

Device Binding Function
The Device Binding Function (DBF) is a new logical function in the network that
  – Maintains the mapping between IMSI and MEID bindings
  – Performs validation of MEID and sends a response to MSC/VLR indicating whether to allow / deny service to the UE
  – After successful validation, the MSC/VLR may store IMSI-MEID binding info to avoid unnecessary device binding check
DBF could be part of an existing network element or a new network element

Message Flow for 1x (1)
The figure in the following slide shows the high level message flow for Device Binding in cdma2000 1x networks
Steps 1 – 6 are the normal (and existing) 1x registration message flow
Color coding:
  – Items in red are new additions

Message Flow for 1x (2)
[Figure: high level message flow for Device Binding in cdma2000 1x networks]

Message Flow (3)
1. The UE sends 1x Registration request to BSC
2. The BSC, MSC/VLR and HLR perform Location Updating and exchange subscription authentication information
3. The BSC and UE perform the subscription authentication using either CAVE or AKA
4. The BSC and MSC/VLR confirm subscription authentication
5. The BSC informs the UE that it has been registered
6. Optionally, the MSC/VLR initiates a security mode with the UE

Message Flow (4)
7. The MSC/VLR decides whether or not to perform Device Binding
  – This can be either part of the subscription profile or a setting in the MSC/VLR
  – If Device Binding is to be applied, the message flow continues with step 8
8. The MSC/VLR sends a Status Request via the BSC
  – Ask for the Device’s MEID
  – Includes N, a nonce, requesting a device authentication signature
9. The BSC forwards the Status Request to the UE

Message Flow (5)
10. The UE that supports Device Binding sends a Status Response to the BSC
  – Contains the MEID
  – Contains a digital signature over the MEID and N (nonce) calculated by the UE using its private key associated with MEID
11. The BSC forwards the Status Response to the MSC/VLR

Message Flow (6)
12. The MSC/VLR sends a Check Device Binding Request to the DBF
  – Contains the Device’s MEID and IMSI
  – Contains the nonce sent to the UE
  – Contains the digital signature over MEID and nonce calculated by the UE

Message Flow (7)
13. Based on the IEs in the Check Device Binding Request, the DBF validates the UE
  – Verifies the signature (S[MEID+N])
      How the DBF gets the device’s public key/certificate is FFS
  – Checks that the IMSI and MEID pairing is allowed

Message Flow (8)
14. Based on the validation result, the DBF sends an “Allow/Deny” service response to the MSC/VLR
  – Based on the response from the DBF, the MSC/VLR decides whether or not to allow further service to the UE
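
The validation in steps 8 to 14, including the deny for a UE that returns no signature (Solution Principles (3)), as an added Go example that is not part of the original presentation. Ed25519, the length-prefixed MEID+N encoding, the in-memory key and pairing maps (how the DBF obtains keys is FFS on the slides) and all identifier values are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// DBF holds the two lookups the slides assign to the Device Binding Function.
type DBF struct {
	pubKeys  map[string]ed25519.PublicKey // MEID -> device public key (source is FFS)
	bindings map[string]string            // IMSI -> allowed MEID
}

// signedInput encodes MEID+N; the length-prefixed layout is an assumption.
func signedInput(meid string, n []byte) []byte {
	return append(append([]byte{byte(len(meid))}, meid...), n...)
}

// UESign is step 10: S[MEID+N] computed with the device private key.
func UESign(priv ed25519.PrivateKey, meid string, n []byte) []byte {
	return ed25519.Sign(priv, signedInput(meid, n))
}

// Check is steps 13-14: verify S[MEID+N] against the nonce the MSC/VLR sent,
// then the IMSI-MEID pairing. A missing signature (legacy UE) is a deny.
func (d *DBF) Check(imsi, meid string, n, sig []byte) string {
	pub, known := d.pubKeys[meid]
	sigOK := known && len(sig) > 0 && ed25519.Verify(pub, signedInput(meid, n), sig)
	if !sigOK || d.bindings[imsi] != meid {
		return "Deny"
	}
	return "Allow"
}

// Demo, on constructed values: valid UE, stale signature, legacy UE, unpaired IMSI.
func Demo() [4]string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	meid, imsi := "A0000012345678", "310009999999999" // constructed values
	d := &DBF{map[string]ed25519.PublicKey{meid: pub}, map[string]string{imsi: meid}}
	buf := make([]byte, 32) // step 8: a fresh 16-byte N per Status Request
	rand.Read(buf)
	n1, n2 := buf[:16], buf[16:]
	sig := UESign(priv, meid, n1)
	return [4]string{d.Check(imsi, meid, n1, sig), d.Check(imsi, meid, n2, sig),
		d.Check(imsi, meid, n1, nil), d.Check("310001111111111", meid, n1, sig)}
}

func main() { fmt.Println(Demo()) }
```

The second result is a deny because the DBF verifies against the nonce the MSC/VLR supplies in the Check Device Binding Request, so a signature captured from an earlier Status Response does not validate under a new N.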

Proposal
Discuss & Adopt the solution concept