EFFICIENT MECHANISM FOR THE SETUP OF UE-INITIATED TUNNELS IN 3GPP-WLAN INTERWORKING. 1. Introduction

Similar documents
3GPP security. Valtteri Niemi 3GPP SA3 (Security) chairman Nokia

3GPP TS V7.2.0 ( )

ETSI TS V6.2.0 ( )

3GPP TS V ( )

ETSI TS V ( )

ETSI TS V ( )

Overview. 3G WLAN Systems Interworking Architecture. Introduction. 3GPP and 3G Systems. 3G network architecture. WLAN Systems

Overview of IEEE Networks. Timo Smura

USIM based Authentication Test-bed For UMTS-WLAN Handover 25 April, 2006

3GPP TR v0.4.0( )

ETSI TS V ( )

ETSI TS V6.1.0 ( )

3GPP TS V7.0.0 ( )

3GPP TS V9.2.0 ( )

A Review of 3G-WLAN Interworking

ETSI TS V ( )

Request for Comments: Cisco Systems January 2006

ETSI TS V8.2.0 (2015

3GPP TSG SA WG3 Security S November 19-22, 2002 Oxford, UK. WLAN Pseudonym Generation for EAP-SIM/AKA Discussion and decision

Key Management Protocol for Roaming in Wireless Interworking System

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Support of Multiple Access Technologies in 3GPP

WLAN Roaming Guidelines (also known as Inter-Operator Handbook)

Point-to-Point Extensions Working Group Internet Draft April EAP SIM Authentication (Version 1) draft-haverinen-pppext-eap-sim-01.

A Seamless Handoff Scheme for UMTS-WLAN Interworking

3GPP TS V9.0.0 ( )

3GPP TS V8.4.0 ( )

Virtual Private Networks

Cisco ASR 5000 Series Small Cell Gateway

3GPP TS V6.1.0 ( )

Improved One-Pass IP Multimedia Subsystem Authentication for UMTS

Wireless Network Security

Mobile WiMAX Security

Defeating IMSI Catchers. Fabian van den Broek et al. CCS 2015

Radiator. EAP-SIM and EAP- AKA Support

From wired internet to ubiquitous wireless internet

WiMAX End-to-End Network Systems Architecture

City Research Online. Permanent City Research Online URL:

Security Analysis of Two Anonymous Authentication Protocols for Distributed Wireless Networks

ETSI TS V ( )

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Technical Specification Smart Cards; Extensible Authentication Protocol support in the UICC (Release 9)

ETSI TS V ( )

CSCE 715: Network Systems Security

Wireless Specifications. Wi-Fi Roaming Architecture and Interfaces Specification. WR-SP-WiFi-ROAM-I ISSUED. Notice

8. Network Layer Contents

The EN-4000 in Virtual Private Networks

ETSI TS V9.3.0 ( ) Technical Specification

3GPP TS V6.4.0 ( )

Radiator. EAP-SIM and EAP- AKA Support

Wireless LAN Based GPRS Support Node

Secure 3G user authentication in ad-hoc serving networks

ETSI TS V ( ) Technical Specification

ETSI TS V ( )

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Internet Engineering Task Force (IETF) Request for Comments: Independent September An Extension for EAP-Only Authentication in IKEv2

ETSI TS V7.0.0 ( ) Technical Specification. Smart Cards; Extensible Authentication Protocol support in the UICC (Release 7)

L13. Reviews. Rocky K. C. Chang, April 10, 2015

3GPP security hot topics: LTE/SAE and Home (e)nb

Internet security and privacy

What is Eavedropping?

3GPP TS V9.4.0 ( )

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Network Encryption 3 4/20/17

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Lecture 13 Page 1. Lecture 13 Page 3

VPN Overview. VPN Types

Part II. Raj Jain. Washington University in St. Louis

ETSI TS V ( )

ETSI TS V ( ) Technical Specification

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

3GPP SIP Security Requirements for IETF

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

Cisco ASR 5000 SaMOG Gateway Administration Guide

Efficient GSM Authentication and Key Agreement Protocols with Robust User Privacy Protection

3GPP TSG SA WG3 Security SA3#35 S St. Paul s Bay, Malta, 5 8 October, 2004

Lecture 12 Page 1. Lecture 12 Page 3

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Secure and Seamless Handoff Scheme for a Wireless LAN System

GTP-based S2b Interface Support on the P-GW and SAEGW

Expires: September 2, 2005 F. Bari Cingular Wireless P. Eronen Nokia March 2005

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Mobile Communications

Ju-A A Lee and Jae-Hyun Kim

Integrating EAP in SIM-IP smartcards

Chapter 6/8. IP Security

A Secure Wireless LAN Access Technique for Home Network

CSC 4900 Computer Networks: Security Protocols (2)

5G-ENSURE. Privacy Enablers. (Project Number )

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Federated access service authorization

IxLoad EPC Wi-Fi Offload Testing

Cryptography and Network Security. Sixth Edition by William Stallings

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

EAP-TLS Smartcards, from Dream to Reality

WAP Security. Helsinki University of Technology S Security of Communication Protocols

IPSec Network Applications

Diameter NASREQ Application. Status of this Memo. This document is an Internet-Draft and is subject to all provisions of Section 10 of RFC2026.

Transcription:

Trends in Mathematics Information Center for Mathematical Sciences Volume 8, Number 1, June, 2005, Pages 77 85 EFFICIENT MECHANISM FOR THE SETUP OF -INITIATED TUNNELS IN 3GPP-WLAN INTERWORKING SANG UK SHIN Abstract. We propose an efficient mechanism for the setup of (User Equipment)- initiated tunnels in 3GPP(3rd Generation Project Partnership)-WLAN(Wireless Local Area Network) interworking. The proposed mechanism is based on a secret key which is pre-distributed in the process of authentication and key agreement between and (Authentication Authorization Accounting) server. Therefore it can avoid modular exponentiation and public key signature which need a large amount of computation in. Also the proposed scheme provides mutual authentication and session key establishment between and PDG(Packet Data Gateway). 1. Introduction 3GPP-WLAN interworking refers to the utilization of resources and access to services within the 3GPP system by the WLAN and user respectively. The intent of 3GPP-WLAN Interworking is to extend 3GPP services and functionality to the WLAN access environment. 3GPP considers the following 6 scenarios for 3GPP-WLAN interworking: (1) Common billing and customer care (2) 3GPP system based access control and charging (3) Access to 3GPP system PS(packet switched) based services (4) Service continuity (5) Seamless service provision (6) Access to 3GPP CS(circuit switched) services, For scenario 3, access to external IP networks should, as far as possible, be technically independent of WLAN Access Authentication and Authorization. However, access to external IP networks from 3GPP WLAN interworking systems shall be possible only if WLAN Access Authentication/Authorisation has been completed first. Scenario 3 requires a combination of both. The PDG supports access to external IP networks, including those supporting 3GPP PS Domain based services. To setup -initiated tunnels between and PDG in scenario 3, 3GPP TS [3] is considering that the WLAN and PDG use IKEv2(Internet Key Exchange version 2)[8] in order to establish IPsec(Internet Protocol Security) SAs(security 1991 Mathematics Subject Classification. Primary 94A60, 94A62, 94A99; Secondary 14G50, 68P25. Key words and phrases. 3GPP, WLAN, security, authentication, key agreement. 77 c 2005 Information Center for Mathematical Sciences

78 SANG UK SHIN Intranet / Internet HSS 3GPP Home Network HLR Wx D' / Gr' CGw/ CCF WLAN Ww WLAN Access Network Wa Wn Server Wg WAG Wm Wp Wo PDG OCS Wi Wu Scenario 3 Figure 1. Non-roaming reference model associations). However this mechanism requires the modular exponentiation for Diffie-Hellman key exchange and the public key signature which impose heavy computational overhead on. This paper proposes an efficient mechanism using a secret symmetric key without public key operations, which is pre-distributed in the process of authentication and key agreement between and server. The proposed mechanism can avoid modular exponentiation and public key signature which need a large amount of computation in. Also the proposed scheme provides mutual authentication and session key establishment between and PDG. 2. Security architecture and security features for 3GPP-WLAN Interworking 3GPP TS [1] describes three reference models for WLAN interworking, Fig. 1 Fig. 3. In the first reference model(fig. 1)the home network is responsible for access control and tunnel establishment. In Fig. 2 the home network is responsible for access control and tunnel establishment, and the traffic is routed through the visited network (using the WAG). In Fig. 3, the home network is responsible for access control, but the authorization decision of tunnel establishment will be taken by the 3GPP proxy AAA based on own information plus information received from the home network. The visited network will take part in tunnel establishment (either the WAG or the PDG). The list below describes the network elements of the 3GPP-WLAN interworking Reference Model: A WLAN is the (equipped with UICC card including (U)SIM) utilized by a 3GPP subscriber to access the WLAN network for 3GPP interworking purpose. For examples, a laptop computer or PDA with a WLAN card, UICC card reader and suitable software applications. The Proxy represents a logical proxying functionality that may reside in any network between the WLAN and the Server.

EFFICIENT MECHANISM FOR THE SETUP OF -INITIATED TUNNELS 79 Intranet / Internet 3GPP Visited Network WLAN Ww WLAN Access Network Wn WAG Wa Wg Proxy CGw/CCF Wd Wu Scenario 3 Wp Packet Data Gateway Wm Server Wo OCS Wx D' / Gr' HSS HLR CGw/ CCF Wi 3GPP Home Network Figure 2. : Roaming reference model - 3GPP PS based services provided via the 3GPP Home Network Intranet / Internet 3GPP Visited Network WLAN Access Network Wa Wg Proxy CGw/CCF WLAN Ww Wn WAG Wp Packet Data Gateway Wu Scenario 3 Wi Wd Server Wx D' / Gr' HSS Wo HLR OCS CGw/ CCF 3GPP Home Network Figure 3. Roaming reference model - 3GPP PS based services provided via the 3GPP Visited Network

80 SANG UK SHIN These AAA proxies are able to relay the AAA information between WLAN and the Server. The server retrieves authentication information and subscriber profile from the HLR/HSS of the 3GPP subscriber s home 3GPP network, authenticates the 3GPP subscriber based on the authentication information retrieved from HLR/HSS, and communicates authorization information to the WLAN potentially via AAA proxies. The HLR/HSS located within the 3GPP subscriber s home network is the entity containing authentication and subscription data required for the 3GPP subscriber to access the WLAN interworking service. 3GPP PS based services(scenario 3) are accessed via a Packet Data Gateway(PDG). The PDG enforces tunnel authorization and establishment with the information received from the via the Wm interface. Security requirements for 3GPP-WLAN interworking are as follows: The authentication scheme shall be based on a challenge response protocol and mutual authentication shall be supported. All long-term security credentials used for subscriber and network authentication shall be stored on UICC or SIM card. The subscriber should have at least the same security level for WLAN access as for his current cellular access subscription in [2]. Signalling and user data protection shall be supported. User identity privacy shall be provided. 3GPP TS describes the following security features in WLAN interworking environment. (1) Authentication of the subscriber and the network and SA(Security Association) management - It supports mutual authentication between WLAN- and server using IEEE 802.11i[9], EAP(Extensible Authentication Protocol)[6], DIAMETER[11] and RADIUS[10]. (2) Confidentiality and integrity protection - In scenario 2, confidentiality protection in the WLAN AN link layer is required. The specification of this feature is, however, out of scope of 3GPP. Confidentiality protection in scenario 3 shall be possible to protect the confidentiality of IP packets sent through a tunnel between the and the PDG. - Integrity protection is similar to confidentiality protection. The integrity of IP packets sent through a tunnel between the and the PDG shall be protected. (3) User Identity Privacy - User identity privacy (Anonymity) is used to avoid sending any cleartext permanent subscriber identification information which would compromise the subscriber s identity and location on the radio interface,

EFFICIENT MECHANISM FOR THE SETUP OF -INITIATED TUNNELS 81 or allow different communications of the same subscriber on the radio interface to be linked. - User identity privacy is based on temporary identities, or pseudonyms. The AAA server generates and delivers the pseudonym to the WLAN- as part of the authentication process. 3. Efficient mechanism for the set-up of -initiated tunnels in 3GPP-WLAN interworking 3.1. WLAN access authentication, key agreement and -initiated tunnel establishment mechanism. In 3GPP WLAN interworking, first it requires to perform mutual authentication between WLAN and server. It is required that all long-term security credentials used for authentication shall be stored on UICC or SIM card. We consider only the case of UICC in this paper(similarly to the case of SIM card). WLAN shall first complete the process of authentication and key agreement(aka) in order to access 3GPP service. 3GPP TS is considering USIM(Universal Subscriber Identity module)-based WLAN access authentication as Fig. 4 excluding the italic, bold and shaded parts. USIM-base WLAN access authentication is based on EAP(Extensible Authentication Protocol)-AKA. After completing mutual authentication between WLAN and server, when WLAN uses 3GPP PS based service, WLAN accesses PDG and then obtains services. In this case, it requires to provide data confidentiality and integrity between and PDG. To do this, 3GPP TS [3] is considering that the WLAN and PDG use IPsec ESP(Encapsulating Security Payload) tunnel[7]. In this mechanism, IKEv2 is used to allow IPsec ESP SA establishment between the WLAN and the PDG. requires the public key operations in the process of IKEv2 and needs the exchange of 6 times messages to perform EAP-AKA within IKEv2 3.2. Efficient mechanism for the set-up of -initiated tunnels. To setup -initiated tunnels between and PDG in scenario 3, 3GPP TS [3] is considering that the WLAN and PDG use IKEv2[8] in order to establish IPsec SAs. However this mechanism requires the modular exponentiation for Diffie-Hellman key exchange and the public key signature which impose heavy computational overhead on. This paper proposes an efficient mechanism using a secret symmetric key without public key operations, which is pre-distributed in the process of authentication and key agreement between and server. First, AKA is performed by WLAN and server. 3GPP TS [3] describes USIM-base WLAN Access Authentication mechanism which is based on EAP-AKA[5]. We modify this mechanism as follows. In the Fig. 4, the italic, bold and shaded parts are included additionally, and other parts are equal to section 6.1.1 of [3]. In the step 3 of the Fig. 4, a PS Service parameter indicates that wants to access 3GPP PS Domain based services. In the step 6, it checks the PS Service indicator. If want to access 3GPP PS domain based services, a PS Key is

82 SANG UK SHIN WLAN AN 3GPP AAA-serv HSS/ HLR 1. 2. EAP Request/Identity 3. EAP Response/Identity [NAI based on a pseudonym or IMSI], PS_Service 4. 5. EAP Response/Identity [NAI based on a pseudonym or IMSI], PS_Service 6. Check PS_Service indicator. If needs, generate a PS_Key 7. 9. EAP Request/AKA -Challenge [RAND, AUTN, MAC, Protected pseudonym, Next re-auth id] 10. EAP Request/AKA -Challenge [RAND, AUTN, MAC, Protected pseudonym, Next re-auth id] 8. 11.If needs, derive a PS_Key 12. EAP Response/AKA-Challenge [RES, MAC] 13. EAP Response/AKA-Challenge [RES, MAC] 14. 16. EAP Success 15. EAP Success + keying material Figure 4. Authentication based on EAP-AKA scheme generated additionally. The PS Key may be generated by using 3GPP MILE- NAGE algorithm[4] as IK(Integrity Key) and CK(Cipher Key), and will be used to setup -initiated tunnels in Scenario 3. In the step 11, the WLAN also can derive the PS Key by using the same method.after completing the authentication and key agreement between and server, WLAN can access PDG which provides 3GPP PS Domain based services. To do this, 3GPP TS [3] is considering to use IKEv2 to setup secure tunnels between and PDG, which requires public key cryptography. However we provide more efficient method which does not use public key cryptography. The proposed scheme as follows(see Fig. 5).

EFFICIENT MECHANISM FOR THE SETUP OF -INITIATED TUNNELS 83 (1) sends Tunnel Setup Request message. This message includes the pseudonym based NAI(Network Access Identifier) which was assigned in the process of the authentication and key agreement between and 3GPP AAA server, and the nonce N generated randomly by the. (2) PDG routes PS Key Request message towards proper Server based on the realm part of the NAI. (3) server sends the subscriber s PS Key to PDG. (4) PDG generates the session master key MK and then derives encryption key MK C and integrity key MK I as the following; MK = prf(ps Key, NAI N N PDG), (MK C, MK I) = prf+(ps Key, N PDG N NAI), where N PDG is a randomly generated nonce by the PDG, prf and prf+ are cryptographically secure pseudorandom functions, which may be functions defined in IKEv2[8]. PDG computes authenticator Auth PDG using MK I and sends Tunnel Setup Response message to the. This message includes N PDG and Auth PDG. Auth PDG = MAC(MK I, NAI N N PDG), where MAC is a cryptographically secure message authentication code such as HMAC-SHA1. (5) generates the session master key MK and derives encryption key MK C and integrity key MK I using the same method as PDG. MK = prf(ps Key, NAI N N PDG), (MK C, MK I) = prf+(ps Key, N PDG N NAI). verifies the received authenticator Auth PDG. If Auth PDG is correct, the computes authenticator Auth using MK I and sends Tunnel Setup Complete message to PDG, which includes encrypted authenticator, E(MK C, Auth ). A function E denotes a block cipher such as AES(Advanced Encryption Standard). (6) PDG decrypts the received message and then verifies the authenticator Auth. If it succeeds, PDG allows to access the service. 3.3. Analysis of the proposed mechanism. Our solution minimally modifies EAP AKA based authentication mechanism which is described in [3]. It includes the parameter PS Service additionally in the step 3 of the Fig. 1, and the generation of PS Key in the step 6 and the step 11. Therefore it minimizes the communication and computation overhead.for the setup of -initiated tunnels, 3GPP TS is considering IKEv2 to establish a SA(Security Association) between and PDG. IKEv2 requires modular exponentiation operations to perform Diffie-Hellman key exchange, and public key signature based authentication. However, the proposed scheme is based on only the symmetric key. Therefore it can avoid modular exponentiation and public key signature which need a large amount of computation. Our solution provides mutual authentication between the and the PDG. In the step 4 the authenticates the PDG by verifying the authenticator Auth PDG

84 SANG UK SHIN PDGW 1. Tunnel Setup Request [NAI based pseudonym, N_] 2. PS_Key Request [NAI based pseudonym] 3. PS_Key Response [PS_Key] a. Generate keying material MK = prf(ps_key, NAI N_ N_PDGW) (MK_C, MK_I) = prf+(mk, N_PDGW N_ NAI) b. Generate Auth_PDGW Auth_PDGW = MAC(MK_I, NAI N_ N_PDGW) Server 4. Tunnel Setup Response [N_PDGW, Auth_PDGW] a. Generate Keying material MK = prf(ps_key, NAI N_ N_PDGW) (MK_C, MK_I) = prf+(mk, N_PDGW N_ NAI) b. Verify Auth_PDGW Auth_PDGW MAC(MK_I, NAI, N_, N_PDGW) c. Generate Auth_ Auth_ = MAC(MK_I, N_ N_PDGW NAI) d. Encrypt Auth_ with MK_C, E(MK_C, Auth_) 5. Tunnel Setup Complete E(MK_C, Auth_) Decrypt the received message with MK_C, and then verify Auth_ Figure 5. The proposed scheme: efficient mechanism for the setup of -initiated tunnels and in the step 5 the PDG authenticates the by checking Auth. Even if keys which were used in previous sessions are revealed, an attacker can not obtain any information about the PS Key. Also an attacker can not obtain any useful information for current session keys because keys for each session are derived by applying the prf with the PS Key and random nonces. Therefore the proposed scheme is secure against the known-key attack[12]. It guarantees that generated keying materials are unique by nonces N and N PDG and cryptographic properties of the prf. Also the proposed scheme provides the user privacy by sending the pseudonym based NAI in the step 1. A replay attack is protected by randomly generated nonces, N PDG and N for each session. The security of the proposed scheme depends on the properties of prf, prf+ and MAC function. These functions must be selected in order to guarantee the freshness of a session and session keys, and the randomness of session keys. 4. Conclusion In this paper we introduced the security for 3GPP-WLAN interworking system. According to 3GPP TS 33.234 document[3], the WLAN can access the PDG which provides 3GPP PS Domain based services after completing the authentication and key agreement between the and server. To do this, 3GPP is considering to use IKEv2 to setup secure tunnels between the and the PDG. In the process of IKEv2 requires the public key operations and needs the exchange

EFFICIENT MECHANISM FOR THE SETUP OF -INITIATED TUNNELS 85 of 6 times messages to perform EAP-AKA within IKEv2. It imposes heavy burdens on the and the PDG for authentication and key agreement. Therefore, we proposed the mechanism that a secret key is pre-distributed during WLAN Access Authentication/Authorisation between and server and then it is used for the set-up of -initiated tunnels. The proposed mechanism can avoid modular exponentiation and public key signature which need a large amount of computation in. Also the proposed scheme provides mutual authentication and session key establishment between and PDG. References 1. 3GPP TS 23.234: 3GPP system to Wireless Local Area Network (WLAN) Interworking; System Description 2. 3GPP TS 33.102: 3G Security; Security Architecture 3. 3GPP TS 33.234: WLAN Interworking Security 4. 3GPP TR 35.205: 3G Security; Specification of the MILENAGE Algorithm Set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5 and f5*; Document 1: General 5. draft-arkko-pppext-eap-aka-11, October 2003: EAP AKA Authentication 6. draft-ietf-eap-rfc2284bis-06.txt, October 2003: PPP Extensible Authentication Protocol (EAP) 7. draft-ietf-ipsec-esp-v3-06.txt, July 2003: IP Encapsulating Security Payload (ESP) 8. draft-ietf-ipsec-ikev2-12.txt, January 2004: Internet Key Exchange (IKEv2) Protocol 9. IEEE Std 802.11i/D2.0, March 2002: Draft Supplement to Standard for Telecommunications and Information Exchange Between Systems - LAN/ MAN Specific Requirements - Part 11: Wireless Medium Access Control (MAC) and physical layer (PHY) specifications: Specification for Enhanced Security 10. RFC 2865, June 2000: Remote Authentication Dial In User Service (RADIUS) 11. RFC 3588, September 2003: Diameter base protocol 12. Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanston: Handbook of Applied Cryptography, CRC Press, 1996 Div. of Electronic, Computer and Telecommunication Engineering, Pukyong National University, Busan, 608-737, Korea E-mail address: shinsu@pknu.ac.kr

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback