2G/3G Authentication with SIM cards: usage & roaming basics for the Internet challenged. Michael Haberler Internet Foundation Austria. outline. a SIM card mini-tutorial features, protocol flow, usage, production, addressing UMTS authentication and key agreement principles and protocol flow
2G/3G Authentication with SIM cards: usage & roaming basics for the Internet challenged
Michael Haberler, Internet Foundation Austria
outline
• a SIM card mini-tutorial
  – features, protocol flow, usage, production, addressing
• UMTS authentication and key agreement
  – principles and protocol flow
• the universal integrated circuit card (UICC)
  – USIM app
• how 2G, 3G roaming works
• „over the air“ (OTA) loading of UICC apps
  – example: X.509 certificate download
• (U)SIMs and Internet access authentication
  – how SIMs and RADIUS roaming works
• (U)SIMs and SIP authentication
  – what the SIP server does
• how the parameter logistics works
• a bonus business model thrown in
• summary
what's a 2G SIM card
• crypto smart card as per ISO 7816
• access protected by PIN code(s) („card holder verification“)
• fixed storage of subscriber identity
  – IMSI (international mobile subscriber identity)
  – „GSM MAC address“
• E.164 number to IMSI mapping at the operator only
• safe storage for shared secret, accessible only through CHAP operation
• not broken as of today except for most stupid CHAP algorithm known
• CHAP algorithm in hardware
• operator chooses algorithm
• tree structured filesystem
• stream, record, cyclic record files
• can be readonly, read/write or none at all (for the key)
• some permission hierarchy
how are SIM cards produced
• unprogrammed chips are „personalized“ and „closed“ (parameters written & sealed)
• mass product: $5-$7 apiece at 1000+
• GEMplus, Giesecke & Devrient ....
• everybody can have SIMs made, even a Mom&Pop ISP
• not everybody may
  – roam with other cellular operators
  – use the GSM algorithm „A3/A8“ (you wouldn't want it anyway)
  – must be member of GSM association for that
• having your own algorithm in a chip mask is a circa $50K+ affair
• for testing & development unprogrammed castrated chips used (XOR algorithm for CHAP...)
how are (U)SIM cards accessed
• 2G, 3G use
  – built-in reader in the mobile handset
• for Internet use:
  – maybe built into PDA, PC (e.g. DELL)
  – external USB token, $20 apiece
  – re-use a mobile SIM card via Bluetooth SIG SIM Access Profile (only if roaming against 2G/3G operator)
• read 3G „(U)SIM Security Reuse by Peripheral Devices on local interfaces“, which contains some threat analysis
SIM usage in 2G authentication
[Figure: message flow between the 2G GSM handset and the Authentication Center. Labels: access request – present IMSI; present challenge („RAND“); send RESP (challenge response); keys; shared secret.]
IMSI structure
• MCC/MNC uniquely designates an operator and its authentication center
• when roaming, MCC/MNC tells the visited network where to route the authentication request
• this is done via SS7 MAP (mobile application part)
what is „OTA“ (over the air) loading?
• SIM cards are writable by mobile equipment
  – if authenticated to network
  – if instructed by operator „over the air“
  – if file/directory is writable
• example: ISIM X.509 certificate „bootstrap“
• AKA authenticated:
  – let user visit PKI portal
  – download certificates through HTTP/Digest mechanism
  – certificates are stored in record structured files, as are CA certificates
• „The Air“ can also be an IP connection
• download of executable applets possible
  – SIM Toolkit, USAT (USIM Application Toolkit)
  – bytecode instructions sent encrypted by 3DES, stored on card
  – regularly used in 2G networks today, for functionality upgrades & parameter download
UMTS authentication and key agreement (AKA)
• substantially improved over 2G SIM
• protection against replay, MITM attacks
• also sports network-to-user authentication
• more complex algorithm
• compatibility functions 2G network/3G card, 3G network/2G card
3G AKA authentication flow
[Figure: message flow between the 3G UMTS handset and the Authentication Center. Labels: access request – present IMSI; challenge RAND || AUTN token; send RESP (challenge response); keys: shared secret, sequence numbers; result: cipher key, integrity key.]
what's the universal integrated circuit card (UICC) about
• generic support mechanism for multiple applications on one card
• 2G, 3G authentication become „applications“ selected as needed
• USIM application implements AKA
• 2G SIM app implements 2G CHAP
• additional apps possible (ISIM, PKI certificate storage etc)
• ISIM is pretty close to SIP client needs!!
• mobile equipment chooses application
using (U)SIMs for Internet access authentication
• embed flow in EAP and tunnel in RADIUS
• between 802.1x „supplicant“ in client and RADIUS EAP backend using EAP-SIM or EAP-AKA
• RADIUS server MAY gateway to SS7 MAP and „roam“
  – WiFi network looks like a GSM roaming partner
  – example: WiFi roaming through www.togewanet.com
• OR RADIUS server accesses an ISP-style database for keys
  – ISP is the SIM card issuer!
using (U)SIM for SIP authentication
• speak HTTP/AKA (RFC3310) between SIP UA and proxy
• proxy translates into EAP-AKA-in-RADIUS
• RFC specified only for AKA (3G auth)
• no mapping of EAP-SIM onto HTTP/SIM for 2G auth
• bad – almost all networks today use 2G auth – which breaks SIP authentication through GSM/UMTS operators
• we need to address this and spec HTTP/SIM
how 2G roaming works
• mobile equipment presents IMSI
• visited network looks at MCC, MNC part of IMSI
• if no roaming agreement, drop him
• otherwise send access request thru SS7 MAP to home network
• the home network verifies IMSI and sends a „triplet“: (challenge, expected response, cipher key) authentication vector
• visited network presents challenge, reads response
• if (response == expected response), service user
• the triplet is essentially an access ticket
• note no replay detection – these fellows seem to trust each other
how 3G roaming works
• not much different from 2G, just more parameters needed for AKA
• „triplets“ become „quintets“
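
The 2G triplet check and the AKA additions (network-to-user authentication, sequence numbers) from the slides above, as an added example that is not part of the original deck. HMAC-SHA256 stands in for the operator-chosen card algorithm, the AUTN token is simplified to SQN || MAC, and the class and function names are made up for the illustration.

```python
import hashlib
import hmac
import os

def prf(key, label, data, n):
    # Stand-in for the operator-chosen card algorithm (assumption: HMAC-SHA256).
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]

class AuthCenter:
    """Home network: the only party besides the card that knows the shared secret."""
    def __init__(self, keys):
        self.keys, self.sqn = keys, dict.fromkeys(keys, 0)

    def triplet(self, imsi):        # 2G: (challenge, expected response, cipher key)
        rand, k = os.urandom(16), self.keys[imsi]
        return rand, prf(k, b"sres", rand, 4), prf(k, b"kc", rand, 8)

    def aka_vector(self, imsi):     # 3G: the challenge is RAND || AUTN
        rand, k = os.urandom(16), self.keys[imsi]
        self.sqn[imsi] += 1
        sqn = self.sqn[imsi].to_bytes(6, "big")
        autn = sqn + prf(k, b"mac", sqn + rand, 8)   # simplified AUTN: SQN || MAC
        return rand, autn, prf(k, b"res", rand, 8)

class Card:
    def __init__(self, key):
        self._key, self._sqn = key, 0

    def sim_response(self, rand):   # 2G: answers any challenge, any number of times
        return prf(self._key, b"sres", rand, 4)

    def usim_response(self, rand, autn):
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, prf(self._key, b"mac", sqn + rand, 8)):
            raise ValueError("network not authenticated")
        if int.from_bytes(sqn, "big") <= self._sqn:
            raise ValueError("stale sequence number (replay)")
        self._sqn = int.from_bytes(sqn, "big")
        return prf(self._key, b"res", rand, 8)

def visited_network_accepts(response, expected):
    # The visited network never holds the key; it only compares with the vector.
    return hmac.compare_digest(response, expected)

if __name__ == "__main__":
    imsi, ki = "232011234567890", bytes(range(16))   # constructed sample values
    auc, card = AuthCenter({imsi: ki}), Card(ki)
    rand, sres, _kc = auc.triplet(imsi)
    print("2G accepted twice:", [visited_network_accepts(card.sim_response(rand), sres) for _ in range(2)])
```

The 2G card answers the same challenge again, which is the missing replay detection noted on the roaming slide; the AKA card rejects both a repeated challenge and one whose MAC was not computed with the shared secret.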
how the 2G/3G user ids (IMSIs) are mapped to RADIUS authentication:
• take mobile country code, mobile network code
• use them to create a realm
• Example
  – IMSI = 232011234567890
  – means mcc=232 (Austria) mnc=01 (Mobilkom)
  – resulting realm: mnc01.mcc232.owlan.org
  – resulting RADIUS user: 232011234567890@mnc01.mcc232.owlan.org
• routing to RADIUS servers decided by „subdomain“
• convention established by Nokia
• Nokia owns owlan.org domain pro bono
• from there on this is vanilla RADIUS roaming
• but it's just fine if we call it mnc01.mcc232.visionNG.org if that sounds better, realms just gotta be unique
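
The IMSI-to-realm convention and the realm-based routing decision from this slide and the „IMSI structure“ slide, as an added example that is not from the original deck. The MNC length cannot be read off the IMSI itself, so it is a parameter here; the routing table, the server name and the check that the realm agrees with the IMSI digits are assumptions of the example.

```python
import re

def imsi_to_radius_user(imsi, mnc_digits=2, root="owlan.org"):
    """Return (mcc, mnc, realm, user) for an IMSI, following the slide's convention."""
    if not re.fullmatch(r"[0-9]{6,15}", imsi):
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    if mnc_digits not in (2, 3):
        raise ValueError("MNC has 2 or 3 digits")
    mcc, mnc = imsi[:3], imsi[3:3 + mnc_digits]
    realm = f"mnc{mnc}.mcc{mcc}.{root}"
    return mcc, mnc, realm, f"{imsi}@{realm}"

def route(user, partners, mnc_digits=2, root="owlan.org"):
    """Pick the RADIUS server for a user name, or None to drop the request."""
    imsi, sep, realm = user.partition("@")
    try:
        expected = imsi_to_radius_user(imsi, mnc_digits, root)[2]
    except ValueError:
        return None                      # malformed IMSI
    if not sep or realm.lower() != expected:
        return None                      # realm does not match the IMSI's MCC/MNC
    return partners.get(expected)        # None: no roaming agreement

# Constructed routing table; the server name is a placeholder.
PARTNERS = {"mnc01.mcc232.owlan.org": "radius.operator.example"}

if __name__ == "__main__":
    user = imsi_to_radius_user("232011234567890")[3]
    print(user, "->", route(user, PARTNERS))
```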
how does 2G/3G address logistics work
• if you are a service provider and have E.164 ranges, get an MNC from your MCC administrator (FCC, regulator...)
• the E.164 range might also be, for example, from visionNG (+87810 ff) MCC = 901
• this doesn't mean you're part of 2G/3G roaming yet – contracts & regulatory prerequisites needed
• but the addressing is all set to go!!
a bonus business model thrown in:
• combine a SIP-based iTSP with a Mobile Virtual Network Operator (MVNO)
• an MVNO has authentication, billing, customers, numbers, but the radio network is outsourced from somewhere else
• issue (U)SIM cards which work both in a 2/3G handset AND as WiFi/SIP auth tokens – note the same card authenticates both uses!
• leave choice to user how to connect – Internet or cellular – using the same E.164 number
Summary
• 2G/3G has a strong/very strong authentication architecture
• it is almost copy & paste for iTSP use at WiFi access, WiFi roaming access, SIP and other levels (TBD!)
• it can serve to solve the X.509 certificate distribution problem
• operator model (2G/3G home network, ISP home network) has no impact on Internet-side terminals
• numbering & addressing resources are compatible and available (maybe not obviously so)
• the Internet could become the biggest (U)SIM authenticated mobile network ever to roam with 2G/3G land