Search This Blog

Friday, August 6, 2010

3GPP2 CDMA Authentication

1. Introduction

CDMA mobile network authentication mechanism evolved with the network evolution from CDMAone to CDMA2000 Rev.0, A, B, C and later.

Cellular Authentication and Voice Encryption (CAVE) is the mechanism used in CDMA2000 Rev.B and earlier generations. Authentication and Key Agreement (AKA) plus optional UIM authentication procedure to prove presence of a valid UIM and prevent rogue shell attacks is an enhanced mechanism used by CDMA2000 Rev C and later generations. With the network gradually migrates toward all IP solutions, IS-856 specified the authentication and security key assignment mechanism used for authenticating mobile users with RAN/PDSN etc. core network elements.

2. CAVE

CAVE is the access authentication mechanism used in CDMA/1xRTT Rev.B and earlier systems. Two key network entities involved in the CAVE-based authentication are the Authentication Center (AC) a.k.a. HLR/AC, AuC, and the Visitor Location Register (VLR).

Authentication Center (AC) is a home network element, responsible for controlling the authentication process by either authenticating the Mobile Station or sharing the shared secret data (SSD) with the serving VLR to allow authentication bing done locally.

Visitor Location Register (VLR) is in the visiting network. If SSD is shared with the visited network, the VLR can locally authenticates a roamer. Otherwise, the VLR proxies authentication requests and responses between the roamers and their home HLR/AC for authentication.

CAVE uses a symmetry key cryptosystem together with a Challenge-Response protocol to achieve the authentication functions. It is based on the CAVE algorithm and two shared keys, respectively the Authentication key (A-key) – A 64-bit primary secret key known only to the MS and AC, and the Shared Secret Data (SSD) – A 128-bit secondary secret key that is calculated using the CAVE algorithm during an SSD Update procedure. SSD consists of two 64-bit keys: SSD_A, which is used during authentication to calculate authentication signatures, and SSD_B, which is used in the generation of session keys for encryption and voice privacy.

CAVE-based authentication provides two types of challenges, Global challenge and Unique challenge respectively.

Global challenge is the procedure that requires any MS attempting to access the serving network to respond to a common challenge value being broadcast in the overhead message train. The MS must generate an authentication signature response (AUTHR) using CAVE with inputs of the global challenge value, ESN, either the last six dialed digits (for an origination attempt) or IMSI_S1 (for any other system access attempt), and SSD_A.

AUTHU generation for global challenge



Global challenge when SSD is not shared



Global challenge when SSD is shared



Unique challenge is the procedure that allows a visited network (if SSD is shared) and/or home network to uniquely challenge a particular MS for any reason. The MS must generate an authentication signature response (AUTHU) using CAVE with inputs of the unique challenge value, ESN, IMSI_S1, and SSD_A.

AUTHU generation for unique challenge



Unique challenge initiated by roamer’s home system



Unique challenge initiated by visited system



SSD update process when SSD is not shared



SSD update process when SSD is shared



3. AKA

AKA stands for the Authentication and Key Agreement. It is a security protocol used in 3G networks (both CDMA and UMTS). In the CDMA world, it is the successor to the CAVE-based Authentication. AKA provides procedures for mutual authentication of the MS and serving system. The successful execution of AKA results in the establishment of a security association (i.e., set of security data) between the MS and serving system.

Compared to the CAVE-based authentication, AKA has the following advantages

--> Larger authentication keys (128-bit )
--> Stronger hash function (SHA-1)
--> Support for mutual authentication
--> Support for signaling message data integrity
--> Support for signaling information encryption
--> Support for user data encryption
--> Protection from rogue MS when dealing with R-UIM

In order to ensure interoperability with current devices and partner networks, support for AKA in CDMA networks and handsets will likely be in addition to CAVE-based authentication.



Authentication vectors (AVs)

A fundamental concept in AKA is the authentication vector (AV). An AV is essentially a group of information used for one AKA attempt. AVs are generated by the home AC and distributed to the visited network. Each AV contains all information required by the visited network to locally perform AKA with an AKA-enabled mobile station.



AKA authentication process

Similar to CAVE, AKA relies on an authentication key associated with the MS and available only to the MS and its home AC. In CAVE, this key is known as the authentication key (A-key). In AKA, the key is known as the master key (K).

Also similar to CAVE, AKA involves a challenge process that allows the network to authenticate the MS. However, in AKA the information provided during this challenge also enables the MS to authenticate the network, providing for bilateral authentication.

An AKA process includes 4 phases

1. Distribution of AVs. Authentication vectors (AVs) are generated by the home system and provided to the visited system in an AV list
2. Authentication of the network by the MS. The message authentication code (MAC_A) received from the network is verified against the expected MAC_A (XMAC_A) generated by the MS. The sequence number (SQN) received from the network is verified against the SQN locally maintained by the MS.
3. Authentication of the MS by the network. The authentication response (RES) received from the MS is verified against the expected RES (XRES) received from the home system in the network authentication token (AUTN).
4. Establishment of security association between MS and MSC. Cipher key (CK), integrity key (IK), and UIM authentication key (UAK) are generated by the MS in such a way that they are identical to the ones provided to the visited network in the AV. The security association between MS and MSC involves using these keys to support security services such as confidentiality and integrity.



4. IS-856 Authentication

In IS-856 Authentication mechanism, RAN and PDSN are the two network elements that serve authenticating the mobile users.

* RAN:
--> Initial connection establishment is neither authenticated nor encrypted.
--> Session establishment includes Diffie-Hellman key negotiation.
--> Subsequent RAN-domain messages can be authenticated and/or encrypted using the negotiated keys.
--> PPP/LCP setup follows session establishment.
--> RAN user identity is optionally authenticated by CHAP via the RAN-AAA.
--> Data integrity protection (encryption, keyed MAC) prevents packet insertion or similar theft of service.

* PDSN:
--> Separate PPP/LCP instance created.
--> CHAP and/or MIP authentication of PDSN user identity via the home AAA server.
--> RAN security ensures integrity of the PPP connection.

3GPP UMTS Authentication and Key Agreement

1. Overview

3GPP defined authentication and key agreement procedure specified in TS 33.102 V9.2.0 (2010-03) defined the mechanism for achieving mutual authentication between the user and the network by showing knowledge of a secret key K which is shared between and available only to the Universal Subscriber Identity Module (USIM) and the AuC in the user's Home Environment (HE).

The mechanism was chosen to achieve maximum compatibility with the current GSM security architecture and facilitate migration from GSM to UMTS.

The mechanism is composed of a challenge/response protocol identical to the GSM subscriber authentication and key establishment protocol combined with a sequence number-based one-pass protocol for network authentication derived from ISO/IEC 9798-4(section 5.1.1).



2. Authentication Vector Distribution

Upon receipt of a request from the VLR/SGSN, the HE/AuC sends an ordered array of n authentication vectors (the equivalent of a GSM "triplet") to the VLR/SGSN. The authentication vectors are ordered based on sequence number.

Each authentication vector consists of the following components:
--> a random number RAND,
--> an expected response XRES,
--> a cipher key CK,
--> an integrity key IK and
--> an authentication token AUTN.

Each authentication vector is good for one authentication and key agreement between the VLR/SGSN and the USIM.

3. Authentication and key Establishment

When the VLR/SGSN initiates an authentication and key agreement with the MS, it selects the next authentication vector from the ordered array and sends the parameters RAND and AUTN to the MS.

The MS/USIM checks whether AUTN can be accepted and, if so, produces a response RES which is sent back to the VLR/SGSN. The MS/USIM also computes CK and IK.

The VLR/SGSN compares the received RES with XRES. If they match the VLR/SGSN considers the authentication and key agreement exchange to be successfully completed.

The established keys CK and IK will then be transferred by the MS/USIM and the VLR/SGSN to the entities which perform ciphering and integrity functions.

4. Other Aspects

VLR/SGSNs can offer secure service even when HE/AuC links are unavailable by allowing them to use previously derived cipher and integrity keys for a user so that a secure connection can still be set up without the need for an authentication and key agreement. Authentication is in that case based on a shared integrity key, by means of data integrity protection of signalling messages.

5. Authentication Vector (AV) Generation

Authentication vector (AV) is generated by the HE/AuC.



f1 and f2 are message authentication functions, f3, f4 and f5 are key generating functions.

6. User Authentication Function

Upon receipt of RAND and AUTN the USIM first computes the anonymity key AK = f5K (RAND) and retrieves the sequence number SQN = (SQN * AK) * AK.

After that, the USIM computes XMAC = f1K (SQN || RAND || AMF) and compares this with MAC which is included in AUTN. If they are different, the user sends user authentication reject back to the VLR/SGSN with an indication of the cause and the user abandons the procedure. In this case, VLR/SGSN shall initiate an Authentication Failure Report procedure towards the HLR. VLR/SGSN may also decide to initiate a new identification and authentication procedure towards the user.

Finally, the USIM verifies that the received sequence number SQN is in the correct range. If the USIM considers the sequence number to be not in the correct range, it sends synchronisation failure back to the VLR/SGSN including an appropriate parameter, and abandons the procedure.

Tuesday, August 3, 2010

Mobile Network Numbering and Routing

1. Overview

* Mobile Subscriber ISDN Number (MSISDN)
--> is a number uniquely identifying a subscription in a mobile network.
--> it is the telephone number of the SIM card in a mobile/cellular phone.
--> it is Mapped to the Mobile Station Roaming Number (MSRN) by HLR.

* International Mobile Subscriber Identify (IMSI)
--> is a unique number associated with all mobile phone users.
--> Stored in SIM/HLR

* Temporary Mobile Subscriber Identity (TMSI)
--> is randomly assigned by the VLR to every mobile in the area, the moment it is switched on.
--> is local to a location area
--> is assigned by VLR and stored in VLR

* International Mobile Equipment Identity (IMEI)
--> Unique ID to handset, used by air interface

2. Encoding

* MSISDN = CC + NDC + SN
--> MSISDN: Mobile Station ISDN Number
--> CC: Country Code
--> NDC: National Destination Code
--> SN: Subscriber Number

* IMSI = MCC + MNC + MSIN
--> IMSI: International Mobile Subscriber Identity
--> MCC: Mobile Country Code
--> MNC: Mobile Network Code
--> MSIN: Mobile Station Identification Number

* MSRN = CC + NDC + SN
--> MSRN: Mobile Station Roaming Number
--> CC: Country Code
--> NDC: National Destination Code
--> SN: Subscriber Number

* LAI = MCC + MNC + LAC
--> MCC: Mobile Country Code
--> MNC: Mobile Network Code
--> LAC: Location Area Code

* IMEI = TAC + FAC + SNR + spare
--> IMEI: Internal Mobile Equipment Identity
--> TAC: Type Approval Code
--> FAC: Final Assembly Code
--> SNR: Serial Number

* IMEISV = TAC + FAC + SNR + SVN
--> IMEISV: International Mobile Equipment Identity and Software Version Number
--> SVN: Software Version Number

* CGI = MCC + MNC + LAC + CI
--> CGI: Cell Global Identity
--> CI: Cell Identity
--> BSIC: = NCC + BCC
--> BSIC: Base Station Identity Code
--> NCC: Network Color Code (3bits)
--> BCC: Base Station Color Code (3bits)

* LN = CC + NCD + LSP
--> LN: Location Number
--> CC: Country Code
--> NCD: National Destination Code
--> LSP: Locally Significant Part

* RSZI = CC + NDC + ZC
--> RSZI: Regional Subscription Zone Identity
--> CC: Country Code
--> NDC: National Destination Code
--> ZC: length of the Zone code (2 octets)

3. Usage

* Information resident in MS & SIM
--> IMSI
--> TMSI
--> IMEI
--> misc. information

* Routing Information used by Network
--> MSISDN
--> MSRN

4. Numbering and Routing