ETSI TS 133 203-2017 Digital cellular telecommunications system (Phase 2+) (GSM) Universal Mobile Telecommunications System (UMTS) LTE 3G security Access security for IP-based serv.pdf

1、 ETSI TS 133 203 V14.0.0 (2017-04) Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; 3G security; Access security for IP-based services (3GPP TS 33.203 version 14.0.0 Release 14) TECHNICAL SPECIFICATION ETSI ETSI TS 133 203 V14.0.0 (

2、2017-04)13GPP TS 33.203 version 14.0.0 Release 14Reference RTS/TSGS-0333203ve00 Keywords GSM,LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregis

3、tre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present docum

4、ent shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive withi

5、n ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the presen

6、t document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized

7、 by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2017. All rights reserved. DECTTM, PLUGTEST

8、STM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members GSM and the GSM logo are T

9、rade Marks registered and owned by the GSM Association. ETSI ETSI TS 133 203 V14.0.0 (2017-04)23GPP TS 33.203 version 14.0.0 Release 14Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these esse

10、ntial IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest update

11、s are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server

12、) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities

13、 or GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “shall“, “shall not“

14、, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citat

15、ion. ETSI ETSI TS 133 203 V14.0.0 (2017-04)33GPP TS 33.203 version 14.0.0 Release 14Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 9g31 Scope 10g32 References 10g33 Definitions, symbols and abbreviations . 13g33.1 Definitions 13g33.2 Symbols 13g33.3 Abbr

16、eviations . 13g34 Overview of the security architecture. 14g35 Security features . 17g35.1 Secure access to IMS 17g35.1.1 Authentication of the subscriber and the network . 17g35.1.2 Re-Authentication of the subscriber . 17g35.1.3 Confidentiality protection . 17g35.1.4 Integrity protection . 18g35.2

17、 Network topology hiding 18g35.3 SIP Privacy handling in IMS Networks . 18g35.4 SIP Privacy handling when interworking with non-IMS Networks . 19g36 Security mechanisms 19g36.1 Authentication and key agreement . 19g36.1.0 General 19g36.1.1 Authentication of an IM-subscriber 19g36.1.2 Authentication

18、failures 22g36.1.2.1 User authentication failure 22g36.1.2.2 Network authentication failure 22g36.1.2.3 Incomplete authentication . 23g36.1.3 Synchronization failure . 23g36.1.4 Network Initiated authentications . 24g36.1.5 Integrity protection indicator 25g36.2 Confidentiality mechanisms . 25g36.3

19、Integrity mechanisms . 26g36.4 Hiding mechanisms 26g36.5 CSCF interoperating with proxy located in a non-IMS network 26g37 Security association set-up procedure 27g37.0 General . 27g37.1 Security association parameters . 27g37.2 Set-up of security associations (successful case) 30g37.3 Error cases i

20、n the set-up of security associations . 33g37.3.1 Error cases related to IMS AKA . 33g37.3.1.0 General 33g37.3.1.1 User authentication failure 33g37.3.1.2 Network authentication failure 33g37.3.1.3 Synchronisation failure . 33g37.3.1.4 Incomplete authentication . 33g37.3.2 Error cases related to the

21、 Security-Set-up . 33g37.3.2.1 Proposal unacceptable to P-CSCF . 33g37.3.2.2 Proposal unacceptable to UE. 33g37.3.2.3 Failed consistency check of Security-Set-up lines at the P-CSCF 34g37.4 Authenticated re-registration 34g37.4.0 General 34g3ETSI ETSI TS 133 203 V14.0.0 (2017-04)43GPP TS 33.203 vers

22、ion 14.0.0 Release 147.4.1 Void 34g37.4.1a Management of security associations in the UE . 34g37.4.2 Void 35g37.4.2a Management of security associations in the P-CSCF . 35g37.5 Rules for security association handling when the UE changes IP address . 36g38 ISIM . 36g38.0 General . 36g38.1 Requirement

23、s on the ISIM application . 37g38.2 Sharing security functions and data with the USIM . 37g39 IMC 38g3Annex A: Void . 39g3Annex B: Void . 40g3Annex C: Void . 41g3Annex D: Void . 42g3Annex E: Void . 43g3Annex F: Void . 44g3Annex G (informative): Management of sequence numbers 45g3Annex H (normative):

24、 The use of “Security Mechanism Agreement for SIP Sessions“ 21 for security mode set-up 46g3Annex I (normative): Key expansion functions for IPsec ESP . 48g3Annex J (informative): Recommendations to protect the IMS from UEs bypassing the P-CSCF . 49g3Annex K: Void . 50g3Annex L (Normative): Applicat

25、ion to fixed broadband access 51g3L.1 Introduction 51g3L.2 Application of clause 4 . 51g3Annex M (normative): Enhancements to the access security for IP based services to enable NAT traversal for signaling messages 53g3M.0 General . 53g3M.1 Scope 53g3M.2 References 53g3M.3 Definitions, symbols and a

26、bbreviations . 53g3M.4 Overview of the security architecture. 53g3M.5 Security features . 53g3M.6 Security mechanisms 54g3M.6.1 Authentication and key agreement . 54g3M.6.2 Confidentiality mechanisms . 54g3M.6.3 Integrity mechanisms . 54g3M.6.4 Hiding mechanisms 54g3M.6.5 CSCF interoperating with pr

27、oxy located in a non-IMS network 55g3M.7 Security association set-up procedure 55g3M.7.0 General . 55g3ETSI ETSI TS 133 203 V14.0.0 (2017-04)53GPP TS 33.203 version 14.0.0 Release 14M.7.1 Security association parameters . 55g3M.7.2 Set-up of security associations (successful case) 59g3M.7.3 Error ca

28、ses in the set-up of security associations . 64g3M.7.3.1 Error cases related to IMS AKA . 64g3M.7.3.2 Error cases related to the Security-Set-up . 64g3M.7.3.2.1 Proposal unacceptable to P-CSCF . 64g3M.7.3.2.2 Proposal unacceptable to UE. 64g3M.7.3.2.3 Failed consistency check of Security-Set-up line

29、s at the P-CSCF 64g3M.7.3.2.4 Missing NAT traversal capabilities in the presence of a NAT 64g3M.7.4 Authenticated re-registration 64g3M.7.4.0 General 64g3M.7.4.1 Void 65g3M.7.4.1a Management of security associations in the UE . 65g3M.7.4.2 Void 65g3M.7.4.2a Management of security associations in the

30、 P-CSCF . 65g3M.7.5 Rules for security association handling when the UE changes IP address . 66g3M.8 ISIM . 67g3M.9 IMC 67g3Annex N (normative): Enhancements to the access security to enable SIP Digest . 68g3N.1 SIP Digest . 68g3N.2 Authentication 68g3N.2.1 Authentication Requirements . 68g3N.2.1.1

31、Authentication Requirements for Registrations 68g3N.2.1.2 Authentication Requirements for Non-registration Messages 71g3N.2.2 Authentication failures . 73g3N.2.2.1 User Authentication failure . 73g3N.2.2.2 Network authentication failure . 73g3N.2.2.3 Incomplete Authentication 73g3N.2.3 SIP Digest sy

32、nchronization failure . 73g3N.2.4 Network Initiated authentications . 74g3N.2.5 Support for dynamic password change . 74g3Annex O (normative): Enhancements to the access security to enable TLS . 76g3O.1 TLS . 76g3O.1.1 TLS Access Security 76g3O.1.2 Confidentiality protection . 76g3O.1.3 Integrity pr

33、otection . 76g3O.1.4 TLS integrity protection indicator 77g3O.2 TLS Session set-up procedure 77g3O.2.1 TLS Profile for TLS based access security. 77g3O.2.2 TLS session set-up during registration . 78g3O.2.3 TLS session set-up prior to Initial registration . 79g3O.3 Error cases in the set-up of TLS s

34、essions . 79g3O.3.1 Error cases related to TLS 79g3O.3.1.0 General 79g3O.3.1.1 User authentication failure 79g3O.3.1.2 Network authentication failure . 80g3O.3.1.3 Synchronisation failure . 80g3O.3.1.4 Incomplete authentication . 80g3O.3.2 Error cases related to the Security-Set-Up . 80g3O.4 Managem

35、ent of TLS sessions. 80g3O.4.1 Management of TLS sessions at the UE . 80g3O.4.2 Management of TLS sessions at the P-CSCF . 80g3O.4.3 Authenticated re-registration 80g3O.5 TLS Certificate Profile and Validation. 81g3ETSI ETSI TS 133 203 V14.0.0 (2017-04)63GPP TS 33.203 version 14.0.0 Release 14O.5.1

36、TLS Certificate . 81g3O.5.2 Certificate validation 81g3O.5.3 Certificate Revocation 82g3Annex P (normative): Co-existence of authentication schemes IMS AKA, GPRS-IMS-Bundled Authentication, NASS-IMS-bundled authentication, SIP Digest and Trusted Node Authentication 83g3P.1 Scope of this Annex . 83g3

37、P.2 Requirements on co-existence of authentication schemes . 83g3P.3 P-CSCF procedure selection 83g3P.4 Determination of requested authentication scheme in S-CSCF . 85g3P.4.1 Stepwise approach 85g3P.4.2 Mechanisms for performing steps 1 to 3 in P.4.1 . 86g3P.5 Co-existence of PANI-aware and other P-

38、CSCFs 87g3P.6 Considerations on the Cx interface 87g3Annex Q (informative): Usage of the authentication mechanisms for non-registration messages in Annexes N and O . 88g3Q.1 General . 88g3Q.2 Assertion of identities by the P-CSCF 88g3Q.3 Strengths and boundary conditions for the use of authenticatio

39、n mechanisms for non-registration messages . 89g3Annex R (normative): NASS-IMS-bundled authentication . 91g3R.1 Overview 91g3R.2 Use Cases and Limitations . 91g3R.3 Detailed description 91g3Annex S (Normative): Application to 3GPP2Access 94g3S.1 Introduction 94g3S.2 Application of clause 4 . 94g3S.3

40、 Application of clauses 5 through 9 . 95g3S.4 3GPP2 AKA Credentials 96g3S.4.1 Realisations of 3GPP2 AKA Credentials . 96g3S.5 Network Domain Security for IMS 96g3S.5.1 General . 96g3S.5.2 Inter-domain Domain Security . 96g3S.5.3 Intra-domain Domain Security . 97g3S.5.4 Profiles of Network Domain Sec

41、urity Methods . 97g3S.5.4.1 General 97g3S.5.4.2 Support of IPsec ESP 97g3S.5.4.2.1 General 97g3S.5.4.2.2 Support of ESP authentication and encryption 97g3S.5.4.3 Support of TLS . 98g3Annex T (normative): GPRS-IMS-Bundled Authentication (GIBA) for Gm interface 99g3T.1 Introduction 99g3T.2 Requirement

42、s 99g3T.3 Threat Scenarios . 100g3ETSI ETSI TS 133 203 V14.0.0 (2017-04)73GPP TS 33.203 version 14.0.0 Release 14T.3.0 General . 100g3T.3.1 Impersonation on IMS level using the identity of an innocent user . 100g3T.3.2 IP spoofing . 100g3T.3.3 Combined threat scenario . 100g3T.4 GIBA Security Mechan

43、ism 101g3T.5 Restrictions imposed by GIBA . 101g3T.6 Protection against IP address spoofing in GGSN . 102g3T.7 Interworking cases 102g3T.8 Message Flows . 105g3T.8.1 Successful registration 105g3T.8.2 Unsuccessful registration . 106g3T.8.3 Successful registration for a selected interworking case 108

44、g3Annex U (normative): Trusted Node Authentication (TNA) . 111g3U.1 Overview 111g3U.2 Use case and detailed description . 111g3Annex V (informative): NAT deployment considerations for GIBA . 114g3Annex W (normative): Tunnelling of IMS Services over Restrictive Access Networks . 115g3W.1 Overview 115

45、g3W.2 Service and Media Reachability for Users over Restrictive Firewalls Tunneled Firewall Traversal for IMS traffic 115g3W.2.0 General . 115g3W.2.1 Firewall detection procedure 116g3W.3 Service and Media Reachability for Users over Restrictive Firewalls Extensions to STUN/TURN/ICE 117g3W.3.1 Intro

46、duction 118g3W.3.1.1 General 118g3W.3.1.2 Firewall traversal for IMS control plane using SIP over TLS/TCP 118g3W.3.1.3 Firewall traversal for IMS media plane using ICE and TURN . 118g3W.3.2 Reference model . 119g3W.3.3 Required functions of the UE . 119g3W.3.4 Required functions of the P-CSCF . 120g

47、3W.3.5 Required functions of the TURN server . 120g3W.3.6 Required functions of the IMS-ALG and IMS-AGW 120g3Annex X (Normative): Security for WebRTC IMS Client access to IMS . 121g3X.1 Introduction 121g3X.2 Authentication of WebRTC IMS Client with IMS subscription re-using existing IMS authenticati

48、on mechanisms . 121g3X.2.0 General . 121g3X.2.1 General requirements . 121g3X.2.2 Solution 1.1: Use of SIP Digest credentials 121g3X.2.2.1 General 121g3X.2.2.2 Requirements 122g3X.2.2.3 Procedures. 122g3X.2.3 Solution 1.2: Use of IMS AKA 123g3X.2.3.1 General 123g3X.2.3.2 Requirements 124g3X.2.3.3 Pr

49、ocedures. 124g3X.3 Authentication of WebRTC IMS Client with IMS subscription using web credentials . 125g3X.3.0 General . 125g3X.3.1 General requirements . 126g3ETSI ETSI TS 133 203 V14.0.0 (2017-04)83GPP TS 33.203 version 14.0.0 Release 14X.3.2 Solution 2.1 126g3X.3.2.1 General 126g3X.3.2.2 Requirements 126g3X.3.2.3 Procedures. 127g3X.4 Assignment of IMS identities to WebRTC IMS Client from pool of IMS subscriptions held by WWSF 131g3X.4.0 General . 131g3X.4.1 General requirements . 131g3X.4.2 Solution 3.1 132g3X.4.2.1 General 132g3X.4.2.2 Requirements 132g3X.4.2.3 Pro