110 likes | 298 Views
EAP/CDMA2000 WLAN Access Authentication Using R-UIM. Lily Chen and Louis Finkelstein Motorola Inc. April 8, 2004. Outline. Introduction Basic Ideas Protocols. Introduction. The proposal assumes the WLAN terminal interfaces with the CDMA2000 R-UIM. MT0 model and MT2-TE2 model
E N D
EAP/CDMA2000WLAN Access Authentication Using R-UIM Lily Chen and Louis Finkelstein Motorola Inc. April 8, 2004
Outline • Introduction • Basic Ideas • Protocols
Introduction • The proposal assumes the WLAN terminal interfaces with the CDMA2000 R-UIM. • MT0 model and MT2-TE2 model • It executes the EAP protocol for WLAN access authentication. • It assumes the same architecture as in the Lucent contribution. • The EAP-Server (e.g., AAA) shall be able to interface with a CDMA2000 CAVE-based Authentication Center (AC); therefore, it supports the necessary subset of the SS7 authentication protocol. • It generates a WLAN Master Key (WKEY) as proposed by Lucent. • It supports both the SSD-shared and the SSD-not shared situation as proposed by Huawei. • It demands no changes to the CDMA2000 HLR/AC. • It minimizes the network traffic when adding WLAN service to an existing infrastructure.
Basic Ideas • EAP/CDMA2000 generates a WLAN master key (WKEY) from the CDMA2000 encryption key SMEKEY (or KEY/VPM) as defined in IS-41. • A WKEY update can be triggered by the HLR/AC via the SSD update procedure or by the WLAN AAA via the global challenge. • In the case that the SSD is not shared with the remote network, the WLAN-EAP server can use a WKEY for WLAN authentication without interacting with the HLR for each and every WLAN access. • It can significantly minimize the network traffic, especially the traffic to the CDMA2000 HLR/AC for WLAN service. • It supports SSD update with the WLAN terminal initiated by HLR/AC. • It supports the unique challenge initiated by the HLR/AC.
EAP/CDMA2000 ANSi-41 WLAN Device WLAN Auth Server CDMA HLR/AC Access Request Auth Data? Yes No EAP/Global Global ch/resp EAP/Global Resp EAP/Unique Unique Ch Unique Resp EAP/Unique Resp Success EAP/Success AUTHREQ SMEKEY WLAN/CDMA Auth & derive session keys High Level Illustration
Client Server EAP-Request / Identity EAP-Response / Identity EAP-Request / CDMA2000/Start EAP-Response / CDMA2000/Start (RAND/req) EAP-Request / CDMA2000/Global EAP-Response / CDMA2000/Global EAP-Request / CDMA2000/Unique EAP-Response / CDMA2000/Unique EAP-Request / CDMA2000/Challenge (RANDch) EAP-Response / CDMA2000/Challenge EAP-Success EAP/CDMA2000 Full Authentication CDMA2000 HLR/Ac Depending on whether SSD shared or not shared
Client Server EAP-Request / Identity EAP-Response / Identity EAP-Request / CDMA2000/Start EAP-Response / CDMA2000/Start (RAND/req) EAP-Request / CDMA2000/Global EAP-Response / CDMA2000/Global EAP-Request / CDMA2000/Challenge (RANDch) EAP-Response / CDMA2000/Challenge EAP-Success EAP/CDMA2000 Authentication with WKEY Update CDMA2000 HLR/Ac Depending on whether SSD shared or not shared
Client Server EAP-Request / Identity EAP-Response / Identity EAP-Request / CDMA2000/Start EAP-Response / CDMA2000/Start (RAND/req) EAP-Request / CDMA2000/Challenge (RANDch) EAP-Response / CDMA2000/Challenge EAP-Success EAP/CDMA2000 Authentication without WKEY Update CDMA2000 HLR/Ac No traffic even when SSD is not shared
Client Server EAP-Request / Identity EAP-Response / Identity EAP-Request / CDMA2000/Start EAP-Response / CDMA2000/Start (RAND/req) EAP-Request / CDMA2000/SSD EAP-Response / CDMA2000/SSD (RANDBS) EAP-Request / CDMA2000/SSDBS (AUTHBS) EAP-Response / CDMA2000/SSDBS EAP-Request / CDMA2000/Unique EAP-Response / CDMA2000/Unique EAP-Request / CDMA2000/Challenge (RANDch) EAP-Response / CDMA2000/Challenge EAP-Success EAP/CDMA2000 SSD Update CDMA2000 HLR/Ac Initiated by CDMA2000 HLR/AC
Proposal • We propose • That the WLAN and CDMA2000 inter-working architecture support R-UIM-based authentication under the following conditions. • Considers both the SSD-shared and the SSD-not shared situation. • Maintains the CDMA2000 HLR/AC interface without changes. • Does not increase network traffic significantly by using the WLAN service. • Uses EAP/CDMA2000 as the authentication protocol for R-UIM- based authentication.
Issues • IETF Effort • Currently, there are no IETF RFCs for the EAP/CDMA2000 prortocol. • We can work with the IETF in order to generate a draft (similar to EAP/SIM and EAP/AKA). • Current name of the protocol – EAP/CDMA2000 • We would like to emphasize the CDMA2000 authentication credentials and protocols. • However, we have no objection to any suggested names for the proposed protocol :>).