1、 TIA-1141 November 2011CAVE Based IMS Security NOTICE TIA Engineering Standards and Publications are designed to serve the public interest through eliminating misunderstandings between manufacturers and purchasers, facilitating interchangeability and improvement of products, and assisting the purcha
2、ser in selecting and obtaining with minimum delay the proper product for their particular need. The existence of such Standards and Publications shall not in any respect preclude any member or non-member of TIA from manufacturing or selling products not conforming to such Standards and Publications.
3、 Neither shall the existence of such Standards and Publications preclude their voluntary use by Non-TIA members, either domestically or internationally. Standards and Publications are adopted by TIA in accordance with the American National Standards Institute (ANSI) patent policy. By such action, TI
4、A does not assume any liability to any patent owner, nor does it assume any obligation whatever to parties adopting the Standard or Publication. This Standard does not purport to address all safety problems associated with its use or all applicable regulatory requirements. It is the responsibility o
5、f the user of this Standard to establish appropriate safety and health practices and to determine the applicability of regulatory limitations before its use. (From Project No. 3-0296-1, formulated under the cognizance of the TIA TR-45 Mobile (b) there is no assurance that the Document will be approv
6、ed by any Committee of TIA or any other body in its present or any other form; (c) the Document may be amended, modified or changed in the standards development or any editing process. The use or practice of contents of this Document may involve the use of intellectual property rights (“IPR”), inclu
7、ding pending or issued patents, or copyrights, owned by one or more parties. TIA makes no search or investigation for IPR. When IPR consisting of patents and published pending patent applications are claimed and called to TIAs attention, a statement from the holder thereof is requested, all in accor
8、dance with the Manual. TIA takes no position with reference to, and disclaims any obligation to investigate or inquire into, the scope or validity of any claims of IPR. TIA will neither be a party to discussions of any licensing terms or conditions, which are instead left to the parties involved, no
9、r will TIA opine or judge whether proposed licensing terms or conditions are reasonable or non-discriminatory. TIA does not warrant or represent that procedures or practices suggested or provided in the Manual have been complied with as respects the Document or its contents. If the Document contains
10、 one or more Normative References to a document published by another organization (“other SSO”) engaged in the formulation, development or publication of standards (whether designated as a standard, specification, recommendation or otherwise), whether such reference consists of mandatory, alternate
11、or optional elements (as defined in the TIA Engineering Manual, 4thedition) then (i) TIA disclaims any duty or obligation to search or investigate the records of any other SSO for IPR or letters of assurance relating to any such Normative Reference; (ii) TIAs policy of encouragement of voluntary dis
12、closure (see Engineering Manual Section 6.5.1) of Essential Patent(s) and published pending patent applications shall apply; and (iii) Information as to claims of IPR in the records or publications of the other SSO shall not constitute identification to TIA of a claim of Essential Patent(s) or publi
13、shed pending patent applications. TIA does not enforce or monitor compliance with the contents of the Document. TIA does not certify, inspect, test or otherwise investigate products, designs or services or any claims of compliance with the contents of the Document. ALL WARRANTIES, EXPRESS OR IMPLIED
14、, ARE DISCLAIMED, INCLUDING WITHOUT LIMITATION, ANY AND ALL WARRANTIES CONCERNING THE ACCURACY OF THE CONTENTS, ITS FITNESS OR APPROPRIATENESS FOR A PARTICULAR PURPOSE OR USE, ITS MERCHANTABILITY AND ITS NONINFRINGEMENT OF ANY THIRD PARTYS INTELLECTUAL PROPERTY RIGHTS. TIA EXPRESSLY DISCLAIMS ANY AN
15、D ALL RESPONSIBILITIES FOR THE ACCURACY OF THE CONTENTS AND MAKES NO REPRESENTATIONS OR WARRANTIES REGARDING THE CONTENTS COMPLIANCE WITH ANY APPLICABLE STATUTE, RULE OR REGULATION, OR THE SAFETY OR HEALTH EFFECTS OF THE CONTENTS OR ANY PRODUCT OR SERVICE REFERRED TO IN THE DOCUMENT OR PRODUCED OR R
16、ENDERED TO COMPLY WITH THE CONTENTS. TIA SHALL NOT BE LIABLE FOR ANY AND ALL DAMAGES, DIRECT OR INDIRECT, ARISING FROM OR RELATING TO ANY USE OF THE CONTENTS CONTAINED HEREIN, INCLUDING WITHOUT LIMITATION ANY AND ALL INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING DAMAGES FOR LOSS
17、OF BUSINESS, LOSS OF PROFITS, LITIGATION, OR THE LIKE), WHETHER BASED UPON BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING NEGATION OF DAMAGES IS A FUNDAMENTAL ELEMENT OF THE USE OF
18、 THE CONTENTS HEREOF, AND THESE CONTENTS WOULD NOT BE PUBLISHED BY TIA WITHOUT SUCH LIMITATIONS. S.S0127-0 v1.0 CAVE Based IMS Security ii 1 2 3 EDITOR Zhibi Wang Alcatel-Lucent zhibiwangalcatel- 4 5 REVISION HISTORY 6 REVISION HISTORY 1.0 Initial Publication Version June 2008 7 Table of Contents 1
19、2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 1 Introduction . 1 2 Scope . 1 3 References . 1 3.1 Normative References 1 3.2 Informative References . 2 4 Definitions and Abbreviations 2 4.1 Definitions 2 4.2 Abbreviations . 2 5 High Level Principles . 3 6 Requirements 5 6.1 ME Requirements . 5 6.2 HSS
20、Requirements 7 6.3 AKA Vector Emulation 9 7 Call Flows . 10 7.1 IMS Authentication 10 7.2 Re-Synchronization Procedure . 12 7.3 Get CAVE Credentials From HLR/AC 14 S.S0127-0 v1.0 CAVE Based IMS Security 1 1 Introduction 1 IP Multimedia Subsystem (IMS) security is defined for cdma20001networks in 3.
21、This document 3 defines how the SIP signaling is protected between the User Equipment (UE) and the Proxy Call Session Control Function (P-CSCF), how the subscriber is authenticated and how the subscriber authenticates the IMS using AKA authentication credentials present at the UE. 2 3 4 5 6 7 8 9 10
22、 11 12 13 14 This document defines the mechanism for secure access to the IMS for UEs equipped with legacy Removable User Identity Modules (R-UIM). The legacy R-UIMs do not support AKA authentication, but only support CAVE authentication based on the A-Key shared between the R-UIM and the HLR/AC. Fu
23、rthermore, the IMS HSS does not contain any CAVE authentication information related to the legacy R-UIM and is only available from the HLR/AC. In this document, several key words are used to signify the requirements. The key words “shall”, “shall not”, “should”, “should not” and “may” are to be inte
24、rpreted as described in the TIA Engineering Style Manual. 2 Scope 15 This document defines the stage-2/3 procedures for the IMS security based on the CAVE authentication. 16 17 18 19 This document only covers the aspects that differ from the procedures defined in 3 for IMS security based on the CAVE
25、 authentication. Unless otherwise specified in this document, the IMS security procedures shall comply with 3. 3 References 20 3.1 Normative References 21 1 IETF RFC 2617 (1999): “HTTP Authentication: Basic and Digest Access Authentication“. 22 23 24 25 26 27 28 29 30 2 IETF RFC 3310 (2002): “Hypert
26、ext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA)”. 3 3GPP2 S.S0086: “IMS Security Framework“. 4 3GPP2 X.S0004-540-E: “MAP Operations Signaling Protocols“. 5 3GPP2 S.S0078: “Common Security Algorithms“. 6 3GPP2 S.S0055: “Enhanced Cryptographic Algorithms
27、“. 7 3GPP2 C.S0005-D v2.0: “Upper Layer (Layer 3) Signaling Standard for cdma2000 Spread Spectrum Systems, Release D“, October 2005. 1cdma2000 is the trademark for the technical nomenclature for certain specifications and standards of the Organizational Partners (OPs) of 3GPP2. Geographically (and a
28、s of the date of publication), cdma2000 is a registered trademark of the Telecommunications Industry Association (TIA-USA) in the United States S.S0127-0 v1.0 CAVE Based IMS Security 2 1 2 3.2 Informative References 3 3GPP2 C.S0023-0: “Removable User Identity Module for Spread Spectrum Systems“. 4 5
29、 6 4 Definitions and Abbreviations 7 4.1 Definitions 8 For the purposes of the present document, the following terms and definitions apply: 9 10 11 12 13 14 15 16 17 18 19 User Equipment (UE): For the purposes of this document, the User Equipment is considered as two separate entities, consisting of
30、 the User Identity Module (UIM) and the Mobile Equipment (ME). The ME contains a higher power processor. Removable UIM (R-UIM): An UIM that can be physically removed from the UE. The R-UIM can be either a stand-alone module as defined in , or a multi-application platform (also called a UICC) that ma
31、y hold several applications that can be operated concurrently (e.g. ISIM application, cdma2000 SIM application). User Identity Module (UIM): The User Identity Module is a lower power processor that securely stores, among other things, the security credentials. The User Identity Module may be a Remov
32、able UIM (R-UIM) or part of the UE itself. 4.2 Abbreviations 20 For the purposes of the present document, the following abbreviations apply: 21 22 23 24 25 26 27 28 29 AC Authentication Center AKA Authentication and Key Agreement AUTN Authentication Token CAVE Cellular Authentication and Voice Encry
33、ption CDMA Code Division Multiple Access CK Cipher Key ESN Electronic Serial Number HLR Home Location Register S.S0127-0 v1.0 CAVE Based IMS Security 3 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 HSS Home Subscriber Server IETF Internet Engineering Task Force IK Integrity Key IMS IP Multim
34、edia Subsystem IMPI IM Private user Identity IMPU IM Public User Identity IMSI International Mobile Station Identity MAC Message Authentication Code MD5 Message Digest version 5 ME Mobile Equipment NAI Network Access Identifier P-CSCF Proxy Call Session Control Function PLCM Private Long Code Mask R
35、ADIUS Remote Authentication Dial In User Service R-UIM Removable User Identity Module UIMID User Identity Module Identifier SHA-256 Secure Hash Algorithm 256 SQN Sequence Number SSD Shared Secret Data UIM User Identity Module VLR Visited Location Register 5 High Level Principles 22 All procedures cl
36、osely follow currently defined procedures in 3. Such as: 23 S.S0127-0 v1.0 CAVE Based IMS Security 4 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 The same HTTP Digest AKA 1, 2 as specified in 3 is used for mutual authentication and for establishing the security association between the UE and the P-CSCF. The
37、AKA Authentication Vector is created in the HSS, while the AKA root key for it is generated from two set of CAVE KEYS obtained from the HLR, as a result of successful CAVE-based authentications. The AKA procedures and algorithms are terminated at the ME instead of at the legacy R-UIM. The legacy R-U
38、IM is used for performing conventional CAVE-based authentications and returning its result to the ME. The ME will use the results of successful CAVE-based authentications for performing AKA processing 5, 6. Standard AKA functions are used after AKA_KEY derivation 5, 6. The IMPI and IMPU of subscribe
39、r are created from the IMSI. In all the CAVE calculations 5, 6, ESN is set to 32 LSBs of UIMID. In case CAVE based AKA is used in multiple contexts, the AKA_KEY and SQN are shared among all the contexts. The figure below illustrates the high-level call flow for using CAVE with IMS AKA. 16 17 Figure
40、1 High Level flow of CAVE based IMS AKA authentication S.S0127-0 v1.0 CAVE Based IMS Security 5 1 2 3 4 5 6 Both the ME and the HSS establish a SQN (sequence number) and a RANDM (Mobiles Random Number) using the AKA re-synchronization procedure. Once agreed, SQN is used to provide replay protection
41、for the AKA authentication. How the AKA fields are used with CAVE is described in more details in the subsequent sections. In this document, the MS identifier is assumed to be true IMSI or MIN based IMSI. In case of true IMSI, the IMSI_S1 and IMSI_S2 should be used in the place of MIN1 and MIN2 7. 6
42、 Requirements 7 6.1 ME Requirements 8 In order to bootstrap the AKA root key using the R-UIM security functions, the ME shall support the following requirements: 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 The ME shall be able to translate the authentication interrogation
43、contents received from the HTTP Digest AKA messages into the CAVE authentication requests similar to those issued by ME to the R-UIM while accessing the cdma2000 systems using CAVE authentication. The ME shall terminate and process the HTTP Digest AKA procedures specified in 3 by using the CAVE sess
44、ion keys received from the R-UIM. The ME shall be able to communicate the response to the IMS network, as specified in 3. In case CAVE based AKA is used by the ME in multiple contexts, the ME shall use the same AKA_KEY and SQN for all the contexts. The ME shall use 32 LSBs of the R-UIMs UIMID as its
45、 ESN. Upon detecting the insertion of a new R-UIM, the ME shall generate a 58 bit RANDM value according to the following rules: The 8 MSBs (bits 57 - 50) shall be random, but not be all zeroes. The 24 bits following the 8 MSBs shall be random (bits 49-26). The 20 bits following the 32 MSBs (bits 25
46、- 6) shall be random, but shall have a decimal value from 000,000 to 999,999. The remaining 6 LSBs (bits 5 - 0) shall be random. The ME shall store the generated RANDM as RANDMME. Upon detecting the insertion of a new R-UIM, the ME also stores a 40 bit SQN value, SQNME, which is initialized to be a
47、24 bit value, TIME (bits 39 - 16), followed by 16 zeroes (bits 15 - 0). TIME is set by counting the 20 second intervals modulo 224that have elapsed from the beginning of January 1st 2008 till present time. SQNMEis updated during Re-synchronization procedures and is incremented after each successful
48、challenge verification. S.S0127-0 v1.0 CAVE Based IMS Security 6 1 2 3 Upon receiving the 401 Auth_Challenge message 3, the ME shall extract RANDM, RANDN (94 random bits of RAND_AKA) and SQN from the received AUTN and RAND as shown below (see 6.3 for how to construct AUTN and RAND parameters). 4 5 6
49、 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 Figure 2 AKA-Challenge Parameters Format If the ME finds that the received RANDM is equal to RANDMMEand has the KEYSMMEcorresponding to the RANDMEthat was previously calculated and stored at the last re-synchronization procedure then the ME shall use the KEYSMME, otherwise, the ME shall calculate KEYSM as follows: Use the 32 MSBs of RANDM as a CAVE RAND. If the value of the 20 bits (bit
