1、 ETSI TS 1Digital cellular telecoUniversal Mobile TelAccess sec(3GPP TS 33.2TECHNICAL SPECIFICATION133 203 V13.1.0 (2016communications system (Phaelecommunications System (LTE; 3G security; ecurity for IP-based services .203 version 13.1.0 Release 1316-01) hase 2+); (UMTS); 13) ETSI ETSI TS 133 203
2、V13.1.0 (2016-01)13GPP TS 33.203 version 13.1.0 Release 13Reference RTS/TSGS-0333203vd10 Keywords GSM,LTE,SECURITY,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucrati
3、f enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the pres
4、ent document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network dr
5、ive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present
6、 document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized
7、by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTS
8、TM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. E
9、TSI ETSI TS 133 203 V13.1.0 (2016-01)23GPP TS 33.203 version 13.1.0 Release 13Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI member
10、s and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.o
11、rg/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the p
12、resent document. Foreword This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being
13、references to the corresponding ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “wil
14、l not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TS 133 203 V13.1.0 (2016-01)33GPP TS 33.20
15、3 version 13.1.0 Release 13Contents Intellectual Property Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 9g31 Scope 10g32 References 10g33 Definitions, symbols and abbreviations . 13g33.1 Definitions 13g33.2 Symbols 13g33.3 Abbreviations . 13g34 Overview of the security architecture.
16、14g35 Security features . 17g35.1 Secure access to IMS 17g35.1.1 Authentication of the subscriber and the network . 17g35.1.2 Re-Authentication of the subscriber . 17g35.1.3 Confidentiality protection . 17g35.1.4 Integrity protection . 18g35.2 Network topology hiding 18g35.3 SIP Privacy handling in
17、IMS Networks . 18g35.4 SIP Privacy handling when interworking with non-IMS Networks . 19g36 Security mechanisms 19g36.1 Authentication and key agreement . 19g36.1.0 General 19g36.1.1 Authentication of an IM-subscriber 19g36.1.2 Authentication failures 22g36.1.2.1 User authentication failure 22g36.1.
18、2.2 Network authentication failure 22g36.1.2.3 Incomplete authentication . 23g36.1.3 Synchronization failure . 23g36.1.4 Network Initiated authentications . 24g36.1.5 Integrity protection indicator 25g36.2 Confidentiality mechanisms . 25g36.3 Integrity mechanisms . 26g36.4 Hiding mechanisms 26g36.5
19、CSCF interoperating with proxy located in a non-IMS network 26g37 Security association set-up procedure 27g37.0 General . 27g37.1 Security association parameters . 27g37.2 Set-up of security associations (successful case) 30g37.3 Error cases in the set-up of security associations . 33g37.3.1 Error c
20、ases related to IMS AKA . 33g37.3.1.0 General 33g37.3.1.1 User authentication failure 33g37.3.1.2 Network authentication failure 33g37.3.1.3 Synchronisation failure . 33g37.3.1.4 Incomplete authentication . 33g37.3.2 Error cases related to the Security-Set-up . 33g37.3.2.1 Proposal unacceptable to P
21、-CSCF . 33g37.3.2.2 Proposal unacceptable to UE. 33g37.3.2.3 Failed consistency check of Security-Set-up lines at the P-CSCF 34g37.4 Authenticated re-registration 34g3ETSI ETSI TS 133 203 V13.1.0 (2016-01)43GPP TS 33.203 version 13.1.0 Release 137.4.0 General 34g37.4.1 Void 34g37.4.1a Management of
22、security associations in the UE . 34g37.4.2 Void 35g37.4.2a Management of security associations in the P-CSCF . 35g37.5 Rules for security association handling when the UE changes IP address . 36g38 ISIM . 36g38.0 General . 36g38.1 Requirements on the ISIM application . 37g38.2 Sharing security func
23、tions and data with the USIM . 37g39 IMC 38g3Annex A: Void . 39g3Annex B: Void . 40g3Annex C: Void . 41g3Annex D: Void . 42g3Annex E: Void . 43g3Annex F: Void . 44g3Annex G (informative): Management of sequence numbers 45g3Annex H (normative): The use of “Security Mechanism Agreement for SIP Session
24、s“ 21 for security mode set-up 46g3Annex I (normative): Key expansion functions for IPsec ESP . 48g3Annex J (informative): Recommendations to protect the IMS from UEs bypassing the P-CSCF . 49g3Annex K: Void . 50g3Annex L (Normative): Application to fixed broadband access 51g3L.1 Introduction 51g3L.
25、2 Application of clause 4 . 51g3Annex M (normative): Enhancements to the access security for IP based services to enable NAT traversal for signaling messages 53g3M.0 General . 53g3M.1 Scope 53g3M.2 References 53g3M.3 Definitions, symbols and abbreviations . 53g3M.4 Overview of the security architect
26、ure. 53g3M.5 Security features . 54g3M.6 Security mechanisms 54g3M.6.1 Authentication and key agreement . 54g3M.6.2 Confidentiality mechanisms . 54g3M.6.3 Integrity mechanisms . 54g3M.6.4 Hiding mechanisms 55g3M.6.5 CSCF interoperating with proxy located in a non-IMS network 55g3M.7 Security associa
27、tion set-up procedure 55g3ETSI ETSI TS 133 203 V13.1.0 (2016-01)53GPP TS 33.203 version 13.1.0 Release 13M.7.0 General . 55g3M.7.1 Security association parameters . 55g3M.7.2 Set-up of security associations (successful case) 59g3M.7.3 Error cases in the set-up of security associations . 64g3M.7.3.1
28、Error cases related to IMS AKA . 64g3M.7.3.2 Error cases related to the Security-Set-up . 64g3M.7.3.2.1 Proposal unacceptable to P-CSCF . 64g3M.7.3.2.2 Proposal unacceptable to UE. 64g3M.7.3.2.3 Failed consistency check of Security-Set-up lines at the P-CSCF 64g3M.7.3.2.4 Missing NAT traversal capab
29、ilities in the presence of a NAT 64g3M.7.4 Authenticated re-registration 64g3M.7.4.0 General 64g3M.7.4.1 Void 65g3M.7.4.1a Management of security associations in the UE . 65g3M.7.4.2 Void 65g3M.7.4.2a Management of security associations in the P-CSCF . 65g3M.7.5 Rules for security association handli
30、ng when the UE changes IP address . 66g3M.8 ISIM . 67g3M.9 IMC 67g3Annex N (normative): Enhancements to the access security to enable SIP Digest . 68g3N.1 SIP Digest . 68g3N.2 Authentication 68g3N.2.1 Authentication Requirements . 68g3N.2.1.1 Authentication Requirements for Registrations 68g3N.2.1.2
31、 Authentication Requirements for Non-registration Messages 71g3N.2.2 Authentication failures . 73g3N.2.2.1 User Authentication failure . 73g3N.2.2.2 Network authentication failure . 73g3N.2.2.3 Incomplete Authentication 73g3N.2.3 SIP Digest synchronization failure . 73g3N.2.4 Network Initiated authe
32、ntications . 74g3N.2.5 Support for dynamic password change . 74g3Annex O (normative): Enhancements to the access security to enable TLS . 76g3O.1 TLS . 76g3O.1.1 TLS Access Security 76g3O.1.2 Confidentiality protection . 76g3O.1.3 Integrity protection . 76g3O.1.4 TLS integrity protection indicator 7
33、7g3O.2 TLS Session set-up procedure 77g3O.2.1 TLS Profile for TLS based access security. 77g3O.2.2 TLS session set-up during registration . 78g3O.2.3 TLS session set-up prior to Initial registration . 79g3O.3 Error cases in the set-up of TLS sessions . 79g3O.3.1 Error cases related to TLS 79g3O.3.1.
34、0 General 79g3O.3.1.1 User authentication failure 79g3O.3.1.2 Network authentication failure . 80g3O.3.1.3 Synchronisation failure . 80g3O.3.1.4 Incomplete authentication . 80g3O.3.2 Error cases related to the Security-Set-Up . 80g3O.4 Management of TLS sessions. 80g3O.4.1 Management of TLS sessions
35、 at the UE . 80g3O.4.2 Management of TLS sessions at the P-CSCF . 80g3O.4.3 Authenticated re-registration 80g3ETSI ETSI TS 133 203 V13.1.0 (2016-01)63GPP TS 33.203 version 13.1.0 Release 13O.5 TLS Certificate Profile and Validation. 81g3O.5.1 TLS Certificate . 81g3O.5.2 Certificate validation 81g3O.
36、5.3 Certificate Revocation 82g3Annex P (normative): Co-existence of authentication schemes IMS AKA, GPRS-IMS-Bundled Authentication, NASS-IMS-bundled authentication, SIP Digest and Trusted Node Authentication 83g3P.1 Scope of this Annex . 83g3P.2 Requirements on co-existence of authentication scheme
37、s . 83g3P.3 P-CSCF procedure selection 83g3P.4 Determination of requested authentication scheme in S-CSCF . 85g3P.4.1 Stepwise approach 85g3P.4.2 Mechanisms for performing steps 1 to 3 in P.4.1 . 86g3P.5 Co-existence of PANI-aware and other P-CSCFs 87g3P.6 Considerations on the Cx interface 87g3Anne
38、x Q (informative): Usage of the authentication mechanisms for non-registration messages in Annexes N and O . 88g3Q.1 General . 88g3Q.2 Assertion of identities by the P-CSCF 88g3Q.3 Strengths and boundary conditions for the use of authentication mechanisms for non-registration messages . 89g3Annex R
39、(normative): NASS-IMS-bundled authentication . 91g3R.1 Overview 91g3R.2 Use Cases and Limitations . 91g3R.3 Detailed description 91g3Annex S (Normative): Application to 3GPP2Access 94g3S.1 Introduction 94g3S.2 Application of clause 4 . 94g3S.3 Application of clauses 5 through 9 . 95g3S.4 3GPP2 AKA C
40、redentials 96g3S.4.1 Realisations of 3GPP2 AKA Credentials . 96g3S.5 Network Domain Security for IMS 96g3S.5.1 General . 96g3S.5.2 Inter-domain Domain Security . 96g3S.5.3 Intra-domain Domain Security . 97g3S.5.4 Profiles of Network Domain Security Methods . 97g3S.5.4.1 General 97g3S.5.4.2 Support o
41、f IPsec ESP 97g3S.5.4.2.1 General 97g3S.5.4.2.2 Support of ESP authentication and encryption 97g3S.5.4.3 Support of TLS . 98g3Annex T (normative): GPRS-IMS-Bundled Authentication (GIBA) for Gm interface 99g3T.1 Introduction 99g3T.2 Requirements 99g3ETSI ETSI TS 133 203 V13.1.0 (2016-01)73GPP TS 33.2
42、03 version 13.1.0 Release 13T.3 Threat Scenarios . 100g3T.3.0 General . 100g3T.3.1 Impersonation on IMS level using the identity of an innocent user . 100g3T.3.2 IP spoofing . 100g3T.3.3 Combined threat scenario . 100g3T.4 GIBA Security Mechanism 101g3T.5 Restrictions imposed by GIBA . 101g3T.6 Prot
43、ection against IP address spoofing in GGSN . 102g3T.7 Interworking cases 102g3T.8 Message Flows . 105g3T.8.1 Successful registration 105g3T.8.2 Unsuccessful registration . 106g3T.8.3 Successful registration for a selected interworking case 108g3Annex U (normative): Trusted Node Authentication (TNA)
44、. 111g3U.1 Overview 111g3U.2 Use case and detailed description . 111g3Annex V (informative): NAT deployment considerations for GIBA . 114g3Annex W (normative): Tunnelling of IMS Services over Restrictive Access Networks . 115g3W.1 Overview 115g3W.2 Service and Media Reachability for Users over Restr
45、ictive Firewalls Tunneled Firewall Traversal for IMS traffic 115g3W.2.0 General . 115g3W.2.1 Firewall detection procedure 116g3W.3 Service and Media Reachability for Users over Restrictive Firewalls Extensions to STUN/TURN/ICE 117g3W.3.1 Introduction 118g3W.3.1.1 General 118g3W.3.1.2 Firewall traver
46、sal for IMS control plane using SIP over TLS/TCP 118g3W.3.1.3 Firewall traversal for IMS media plane using ICE and TURN . 118g3W.3.2 Reference model . 119g3W.3.3 Required functions of the UE . 119g3W.3.4 Required functions of the P-CSCF . 120g3W.3.5 Required functions of the TURN server . 120g3W.3.6
47、 Required functions of the IMS-ALG and IMS-AGW 120g3Annex X (Normative): Security for WebRTC IMS Client access to IMS . 121g3X.1 Introduction 121g3X.2 Authentication of WebRTC IMS Client with IMS subscription re-using existing IMS authentication mechanisms . 121g3X.2.0 General . 121g3X.2.1 General r
48、equirements . 121g3X.2.2 Solution 1.1: Use of SIP Digest credentials 121g3X.2.2.1 General 121g3X.2.2.2 Requirements 122g3X.2.2.3 Procedures. 122g3X.2.3 Solution 1.2: Use of IMS AKA 123g3X.2.3.1 General 123g3X.2.3.2 Requirements 124g3X.2.3.3 Procedures. 124g3X.3 Authentication of WebRTC IMS Client wi
49、th IMS subscription using web credentials . 125g3X.3.0 General . 125g3ETSI ETSI TS 133 203 V13.1.0 (2016-01)83GPP TS 33.203 version 13.1.0 Release 13X.3.1 General requirements . 126g3X.3.2 Solution 2.1 126g3X.3.2.1 General 126g3X.3.2.2 Requirements 126g3X.3.2.3 Procedures. 127g3X.4 Assignment of IMS identities to WebRTC IMS Client from pool of IMS subscriptions held by WWSF 131g3X.4.0 General . 131g3X.4.1 General requirements . 131g3X.4.2 Solution 3.1 132g3X.4.2.1 General 132g3X.4.2.2 Requirements 132g3X.4.2.3 Procedures. 132g3X.5 TURN credential provisioning and authen