1、 ETSI TR 133 871 V12.0.0 (2014-10) Universal Mobile Telecommunications System (UMTS); LTE; Study on Security for WebRTC IMS Client access to IMS (3GPP TR 33.871 version 12.0.0 Release 12) TECHNICAL REPORT ETSI ETSI TR 133 871 V12.0.0 (2014-10)13GPP TR 33.871 version 12.0.0 Release 12Reference DTR/TS
2、GS-0333871vc00 Keywords LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The p
3、resent document can be downloaded from: http:/www.etsi.org The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of
4、any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document ma
5、y be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/cha
6、ircor/ETSI_support.asp Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written
7、 authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2014. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM a
8、nd LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TR 133 871 V12.0.0 (2014-10)23GPP TR 33.871 version 12.0.0 Release 12Intellectual Property Rig
9、hts IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential
10、, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by
11、ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI 3rd Generation Partnership
12、 Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identiti
13、es can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “may not“, “need“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Draft
14、ing Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TR 133 871 V12.0.0 (2014-10)33GPP TR 33.871 version 12.0.0 Release 12Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs
15、 terminology 2g3Foreword . 5g31 Scope 6g32 References 6g33 Definitions, symbols and abbreviations . 8g33.1 Definitions 8g33.2 Symbols 8g33.3 Abbreviations . 8g34 Overview 9g34.1 WebRTC. 9g34.1.1 General 9g34.1.2 WebRTC control plane . 9g34.1.3 WebRTC user plane 9g34.2 WebRTC IMS Client access to IMS
16、 11g34.2.1 Overview 11g34.2.2 Architecture 11g35 Assumptions, Risks and Security requirements . 13g35.1 Assumptions . 13g35.2 Risks . 13g35.2.1 Impact of security breach at WWSF on arbitrary IMS subscribers 13g35.2.2 Lack of means to identify potentially compromised WWSF in the IMS core 13g35.2.3 Ri
17、sks relating to the determination of IMS identities by the WWSF 13g35.2.4 Risks relating to assignment of IMS identities to WebRTC IMS Client from pool of IMS subscriptions held by WWSF 14g35.3 Potential security requirements 15g36 Solutions . 17g36.1 Authentication and Authorization 17g36.1.1 Authe
18、ntication of WebRTC IMS Client with IMS subscription re-using existing IMS authentication mechanisms. 17g36.1.1.1 General 17g36.1.1.2 Use of SIP Digest credentials 17g36.1.1.3 Use of IMS AKA 19g36.1.2 Authentication of WebRTC IMS Client with IMS subscription using web credentials . 20g36.1.2.1 Gener
19、al 20g36.1.2.2 Use of Trusted Node Authentication (TNA) . 21g36.1.2.3 Example of web authentication using IMS AKA credentials 27g36.1.2.4 Use of direct authentication between WIC and eP-CSCF . 28g36.1.2.5 Trusted Node Authentication using OAuth 2.0 Implicit Grant . 29g36.1.3 Assignment of IMS identi
20、ties to WebRTC IMS Client from pool of IMS subscriptions held by WWSF 32g36.1.3.1 General 32g36.1.3.2 Use of Trusted Node Authentication (TNA) . 32g36.2 Enhancements to IMS media plane security . 37g36.2.1 Media security for RTP . 37g36.2.1.1 General 37g36.2.1.2 e2ae security for RTP using DTLS-SRTP
21、 37g36.2.2 Media security for WebRTC Data Channels 39g36.2.2.1 General 39g3ETSI ETSI TR 133 871 V12.0.0 (2014-10)43GPP TR 33.871 version 12.0.0 Release 126.2.2.2 e2ae security for WebRTC Data Channels 39g36.3 Other security aspects . 41g36.3.1 Firewall traversal 41g37 Assessment of solutions . 42g38
22、 Conclusions and recommendations 42g3Annex A: Secure usage of GBA with UE browser 43g3Annex B: Profiling of DTLS-SRTP 47g3Annex C: Linking IMS identities and web identities - Example security mechanisms . 48g3Annex D: Mapping OAuth 2.0 to IMS WebRTC . 49g3Annex E: Change history 52g3History 53g3ETSI
23、 ETSI TR 133 871 V12.0.0 (2014-10)53GPP TR 33.871 version 12.0.0 Release 12Foreword This Technical Report has been produced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval
24、. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TSG for approval; 3 or g
25、reater indicates TSG approved document under change control. y the second digit is incremented for all changes of substance, I.e. technical enhancements, corrections, updates, etc. z the third digit is incremented when editorial only changes have been incorporated in the document. ETSI ETSI TR 133 8
26、71 V12.0.0 (2014-10)63GPP TR 33.871 version 12.0.0 Release 121 Scope The goal of WebRTC IMS Client access to IMS is to significantly expand the pool of clients able to access IMS. The present document contains a study on security issues following the potential modifications of the IMS architecture a
27、nd stage 2 procedures as required by the support of WebRTC IMS Client access to IMS. For this purpose the present document is addressing: - WebRTC IMS Client authentication mechanisms, including the re-use of existing IMS authentication mechanisms from WebRTC IMS Clients; - Required enhancements to
28、IMS media plane security; - Control plane security related aspects. 2 References The following documents contain provisions which, through reference in this text, constitute provisions of the present document. - References are either specific (identified by date of publication, edition number, versi
29、on number, etc.) or non-specific. - For a specific reference, subsequent revisions do not apply. - For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of t
30、hat document in the same Release as the present document. 1 3GPP TR 21.905: “Vocabulary for 3GPP Specifications“. 2 3GPP TS 22.228: “Service requirements for the Internet Protocol (IP) multimedia core network subsystem (IMS); Stage 1“. 3 3GPP TS 23.228: “IP Multimedia Subsystem (IMS); Stage 2“. 4 3G
31、PP TR 23.701: “Study on the Support of WebRTC IMS Client access to IMS“. 5 3GPP TS 33.203: “3G security; Access security for IP-based services“. 6 3GPP TS 33.328: “IP Multimedia Subsystem (IMS) media plane security“. 7 W3C Web Real-Time Communications Working Group, http:/www.w3.org/2011/04/webrtc-c
32、harter.html 8 IETF Real-Time Communication in WEB-browsers Working Group, http:/tools.ietf.org/wg/rtcweb/ 9 IETF RFC 5763: “Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)“. 10 draft-ietf-rtcweb-security: “Securi
33、ty Considerations for WebRTC“. 11 3GPP TS 33.222: “Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)“. 12 3GPP TS 33.220: “Generic Authentication Architecture (GAA); Generic Bootstrapping Archite
34、cture (GBA)“. 13 IETF RFC 6749: “The OAuth 2.0 Authorization Framework“. 14 IETF RFC 6750: “The OAuth 2.0 Authorization Framework: Bearer Token Usage“. ETSI ETSI TR 133 871 V12.0.0 (2014-10)73GPP TR 33.871 version 12.0.0 Release 1215 3GPP TS 29.228: “IP Multimedia (IM) Subsystem Cx and Dx interfaces
35、; Signalling flows and message contents“. 16 3GPP TS 24.292: “IP Multimedia (IM) Core Network (CN) subsystem Centralized Services (ICS); Stage 3“. 17 IETF RFC 5764: “Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)“. 18 draft-iet
36、f-rtcweb-data-protocol: “RTCWeb Data Channel Protocol “. 19 draft-ejzak-dispatch-webrtc-data-channel-sdpneg: “SDP-based WebRTC data channel negotiation“. 20 RFC 6714: “Connection Establishment for Media Anchoring (CEMA) for the Message Session Relay Protocol (MSRP)“. 21 RFC 2617: “HTTP Authenticatio
37、n: Basic and Digest Access Authentication“. 22 3GPP TR 33.830: “Study on Firewall traversal (Stage 2)“. 23 IETF RFC 4169: “Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA) Version-2“. 24 IETF RFC 3310 (2002): “HTTP Digest Authentication Using AKA“
38、. April, 2002. ETSI ETSI TR 133 871 V12.0.0 (2014-10)83GPP TR 33.871 version 12.0.0 Release 123 Definitions, symbols and abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in TR 21.905 1 and the following apply. A term defined in the present docum
39、ent takes precedence over the definition of the same term, if any, in TR 21.905 1. Web Real-Time Communications (WebRTC): A set of browser extensions enabling web applications to define real-time services. WebRTC IMS Client (WIC): A WebRTC-capable browser running a JavaScript application that allows
40、 a user to access IMS services. 3.2 Symbols For the purposes of the present document, the following symbols apply: Cx Reference Point between a CSCF and an HSS Gm Reference Point between a UE and a P-CSCF or between an IP-PBX and a P-CSCF Iq Reference Point between the IMS Application Level Gateway
41、(ALG) (IMS-ALG) and the IMS Access Gateway (IMS-AGW) Mb Reference Point between a UE and IP network services used for user data transport Mw Reference Point between a CSCF and another CSCF W1 Reference Point between a WIC and WWSF W2 Reference Point between a WIC and eP-CSCF W3 Reference Point betwe
42、en a WIC and eIMS-AGW 3.3 Abbreviations For the purposes of the present document, the abbreviations given in TR 21.905 1 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905 1. DTLS-SRTP Datagram
43、Transport Layer Security SRTP eP-CSCF P-CSCF enhanced for WebRTC eIMS-AGW IMS-AGW enhanced for WebRTC ICE Interactive Connectivity EstablishmentNAT Network Address Translation P-CSCF Proxy CSCF RTP Real-time Transport Protocol S-CSCF Serving CSCF SDP Session Description Protocol SIP Session Initiati
44、on Protocol SRTP Secure RTP WebRTC Web Real-Time Communication WIC WebRTC IMS Client WWSF WebRTC Web Server Function WAF WebRTC Authorization Function ETSI ETSI TR 133 871 V12.0.0 (2014-10)93GPP TR 33.871 version 12.0.0 Release 124 Overview 4.1 WebRTC 4.1.1 General Web Real-Time Communication (WebRT
45、C) is specified by the W3C WebRTC WG 7 in collaboration with the IETF RTCWeb WG 8. Although it is still work in progress, the technology has already been implemented in many different browsers. As W3C specifies the API and IETF the protocols, the IETF specifications are likely to be more relevant fo
46、r the WebRTC IMS Client access to IMS work. 4.1.2 WebRTC control plane The WebRTC control plane is sent over HTTP/WebSocket and is controlled by the WebRTC IMS Client (WIC) application of the UE. While HTTP is a request-response protocol, WebSocket provides a full-duplex communication channel over T
47、CP. Current WebRTC specifications 7 do not specify any control-plane protocol to establish the connection between WIC peers. The WIC application can implement any signalling protocol such as SIP or RESTful HTTP or JSON over WebSocket. The WIC exchanges WebRTC User plane parameters with the peer WIC
48、over the chosen signalling protocol. These parameters are retrieved from the WebRTC compliant browser in the form of SDPs. WebRTC compliant browser shall support the following security requirements specified by the IETF RTCWeb WG (see 10): - DTLS-SRTP shall be used. DTLS certificate fingerprint are
49、shared with the peer DTLS endpoint. This fingerprint binds the DTLS key exchange in the media plane to the WebRTC control plane. - ICE shall be used. ICE candidates are needed for the WebRTC media plane to traverse through firewalls and NATs. - The WebRTC control plane that transports SDP between two W2 end points shall be integrity-protected. 4.1.3 WebRTC user plane The WebRTC user plane consists of media channels for audio and video and data channels for peer-to-peer communication of arbitrary data. The user