sipping ietf51 3gpp security final

8/3/2019 Sipping Ietf51 3gpp Security Final

1/21

SIPPING IETF51

3GPP Security and Authentication

Peter Howard

3GPP SA3 (Security) delegate

[email protected]


2/21

3GPP IP Multimedia Subsystem (Release 5)

Visited

Home

HSS

RAN

SGSN

GGSN

Cx interface based onDiameter

SIP proxies get authorisation andauthentication information

P-CSCFREGISTER/INVITE

I-CSCFREGIST

ER/INVITE

S-CSCF

REGISTER/INVITE

SIP proxy serversSIP-based interfaces

PS domain

UA


3/21

3GPP Release 5 Security

Packet Switched (PS) domain

access security features retained from 3GPP Release 99

specifications

IP Multimedia Subsystem (IMS) domain

new access security features to be specified

to protect the access link to the IMS domain

independent of underlying PS domain security features

network domain security features to protect signalling

links between network elements with the IMS domain


4/21

IP Multimedia Subsystem: Access Security

Visited

Home

HSS

RAN

SGSN

GGSN


I-CSCFREGIST

ER/INVITE

S-CSCF

REGISTER/INVITE

4. Protection of SIP signalling

using agreed session key

2. Mutual authentication and session key agreement

3. Session key distribution

1. Distribution of

authentication information

UA

Draft 3GPP TS 33.203


5/21

IP Multimedia Subsystem: Network Domain Security

Visited

Home

HSS

RAN

SGSN

GGSN


I-CSCFREGIST

ER/INVITE

S-CSCF

REGISTER/INVITE

Per-hop protection of

signalling using IPsec/IKE

UA

Draft 3GPP TS 33.210


6/21

Access Security:

Authentication Principles

3GPP authentication protocol (3GPP AKA)

based on secret key stored in UAs tamper-proof

subscriber identity module (SIM) and in the HSS Authentication check located in S-CSCF

Working assumption is to authenticate only at SIPregistrations with on-demand re-authentication

requiring re-registration Use SIP authentication rather than an outer layer

protocol such as TLS or IKE in order to minimiseroundtrips


7/21

Integration of Authentication Protocol into

DIAMETER and SIP

Distribution of authentication information to S-

CSCF using DIAMETER

distribution of authentication vectors for 3GPP AKA

Integration of authentication protocol into SIP

registration

3GPP AKA protocol between UA and S-CSCF

distribution of session key to P-CSCF


8/21

Possible Information Flow for Authentication and Session

Key Establishment (from draft 3GPP TS 33.203)

Cx-Put

Cx-Pull

Changed to 407 Proxy

Authentication

Required


9/21

Use of Extensible Authentication Protocol (EAP)

There is a desire to minimise impact on protocols

and equipment if 3GPP AKA is updated or if other

schemes are used a generic/extensible scheme to carry the authentication

messages is desirable

candidates include SASL, EAP, GSS_API

current working assumption is EAP which has much ofthe necessary machinery in place


10/21

EAP AKA in SIP

HTTP EAP

SIP

HTTP Authentication PGP

HTTP DigestHTTP Basic

EAP AKAEAP GSMEAP TLS EAP ...EAP Token Card


11/21

Concrete Authentication Example in SIP

1.p REGISTERsip: SIP/2.0

Authorization: eap base64_eap_identity_response

...

2.n SIP/2.0 407 Proxy Authentication Required

WWW-Authenticate: eap base64_eap_aka_challenge_request

3.p REGISTERsip: SIP/2.0

Authorization: eap base64_eap_aka_challenge_response

4.n SIP/2.0 200 OK

WWW-Authenticate: eap base64_eap_aka_success

...


12/21

EAP AKA in DIAMETER

EAP Extensions

DIAMETER base

EAP AKAEAP GSMEAP TLS EAP ...EAP Token Card


13/21

Access Security: Security Mode

Establishment between UA and P-CSCF

Determines when to start applying protection and

which algorithm to use

includes secure algorithm negotiation

Uses session key derived during authentication

Integration into SIP registration with no new

roundtrips


14/21

Access security: Protection of SIP signalling

between UA and P-CSCF

Integrity protection of SIP signalling between UA

and P-CSCF

Uses session key derived during authentication

Symmetric scheme because of efficiency concerns

Candidate mechanisms include modified CMS and

ESP


15/21

IP Multimedia Subsystem:

Access Security Documentation

TS 23.228

(SA2)

TS 24.228

(CN1)

TS 29.228

(CN4)

TS 29.229

(CN4)

3GPP IETF

SIPPING

WG

TS 33.203

(SA3)

TS 24.229

(CN1)AAA, PPPEXT, IPsec,

Other specs

(e.g. AKA)(SA3)

High level

architecture

Protocol detail


16/21

Summary of 3GPP dependencies on IETF

relating to security

3GPP AKA in EAP

draft-arkko-pppext-aka-00.txt

EAP and session key transport in SIP draft-torvinen-http-eap-00.txt (to appear)

EAP and session key transport in DIAMETER

SIP extensions to support security mode

establishment


17/21

References

Draft 3GPP TS 33.203, Access security for IP-basedservices (Release 5).

Draft 3GPP TS 33.210, Network domain security; IPnetwork layer security (Release 5).

J. Arkko and H. Haverinen, EAP AKA Authenticationdraft-arkko-pppext-aka-00.txt.

V. Torvinen, J. Arkko, A. Niemi, HTTP Authentication

with EAP, draft-torvinen-http-eap-00.txt (to appear). L. Blunk, J. Vollbrecht, PPP Extensible Authentication

Protocol (EAP), RFC 2284.

P. Calhoun et al. DIAMETER NASREQ Extensions,draft-ietf-aaa-diameter-nasreq-06.txt.


18/21

Questions?

Peter Howard

[email protected]


19/21

Authentication and Key Agreement Protocol

(3GPP AKA)ISIM/UA S-CSCF HSS

Authentication vector request

Authentication request

Authentication response

Authentication vector response

Three party protocol

Two-pass mutual authentication

protocol between UA and S-CSCF Each authentication vector is good

for one authentication

Authentication vectors can bedistributed in batches to minimise

signalling/load on HSS

Distribution of session

key to P-CSCFP-CSCF


20/21

Other IP Multimedia Subsystem Security Issues (1)

Hide callers public ID from called party

by encrypting remote party ID header at callers S-

CSCF and decrypting by same S-CSCF is there a requirement to hide callers IP addresses that

are dynamically assigned?

Network configuration hiding

mechanism being developed to hide host domain nameof CSCFs and number of CSCFs within one operators

network


21/21

Session transfer

guidance on security aspects based on GSM call

transfer feature authorisation and accounting of transferred leg needs toinvolve transferring party who has dropped out of session

should there be a limit to the number of transferred sessions?

should final destination be hidden from calling party?

Security aspects of other IP multimedia subsystemservices?

End-to-end security

Other IP Multimedia Subsystem Security Issues (2)

sipping ietf51 3gpp security final

Documents