Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures
Joaquin Torres, A. Izquierdo, M. Carbonell and J.M. Sierra
Carlos III University of Madrid, Spain
Computer Science Department

Outline
• Convergence
• NGN …?
• Smart Devices

joaquin.torres@uc3m.es

Introduction
• WLAN deployment: SOHO, campus, residential and public environments
  • the number of public hotspots is continuously proliferating, which makes information accessible at any time and in any place
• 3G mobile systems as a competitive solution
  • wide geographical area coverage
  • effective roaming
  • other advantages such as reliability, throughput, value-added services and content

Networks Convergence
• However, the expensive investment required by 3G networks forces operators to look for more profitable and versatile solutions (leakage of subscribers?)
• Comparing features:
  • WLANs provide services with significant transmission rates, in high-demand zones and when mobility is not a requirement
  • 3G systems offer high mobility, wide coverage and well-established voice services, but lower transmission rates, so they are better suited to low/medium demand

Convergence: 3G/WLAN interworking
• WLAN and 3G networks are complementary: 3G/WLAN interworking
• I-3G/WLAN is a clear trend in public access infrastructures (PWLAN, Public Wireless LAN)
• 3GPP TS 23.234 v7.3.0: 3GPP System to Wireless Local Area Network (WLAN) Interworking System Description (September 2006)

3G/WLAN Interworking features
• development of mobile services with high transmission rates, e.g. IP-based multimedia services, IMS
• transparent roaming between both technologies
• smart switching, with the goal of keeping initiated sessions
• ad-hoc user services: QoS-profiled subscribers, preserving the quality of services

3G/WLAN Authentication Infrastructure
• The subscriber must be authenticated before her access to network services is authorized
  • personalized credentials
• Users' multimode devices (e.g. laptops, smartphones, PDAs) require the appropriate secure module
• Solution: the authentication schemes are based on a combination of the solutions that were initially supported by these two systems

3G/WLAN: authentication convergence
• SIM-based solution, simultaneously inheriting from:
  • WLAN systems: EAPoL-based (i.e. 802.1X/EAP, RADIUS or DIAMETER)
  • the chip card-based U(SIM) inherited from stand-alone 3G systems
  • authentication schemes supported by 3GPP subscriber registers (i.e. HLR/HSS)
• Advantages:
  • Devices are ready!
  • The user is accustomed to the SIM
  • Secure module/HW
  • 3G/WLAN network operators do not require additional security credentials

3G/WLAN Reference Model
[Figure: reference model. Labels: WLAN UE, WLAN Access Network, Intranet / Internet, Visited 3GPP Network, Home 3GPP Network, 3GPP AAA Proxy, 3GPP AAA Server, WAG, Packet Data Gateway, WLAN/3GPP IP Access, HSS, HLR, SLF, OCS, Offline Charging System]
Sources:
• 3GPP TS 23.234 v7.3.0: 3GPP System to Wireless Local Area Network (WLAN) Interworking System Description (September 2006)
• ETSI TS 133 234 V7.5.0, 3GPP System to Wireless Local Area Network (WLAN) Interworking Security System (June 2007)

3G Mobile Systems Authentication: AKA
Entities: U(SIM), 3G MS, RNS, 3G-SGSN, HLR/AuC
• HLR/AuC: {RAND, XRES, CK, IK, AUTN} = f(IMSI)
• Messages in the diagram: AUTH[{RAND || CK || IK || AUTN}], {RAND || CK || IK || AUTN}
• U(SIM):
  • verifies MAC by f1
  • decrypts SQN by f5
  • checks freshness of SQN
  • RES = f2(K, RAND)
• RES is returned towards the network
• Derives CK by f3, derives IK by f4
• Check: RES =? XRES

Example scenario: convergence authentication gateway
[Figure labels: AAA Server, Proxy AAA, Home WLAN, Visited WLAN, Proxy AAA, 3G-SGSN, HLR/AuC, Home 3G Network]

3G/WLAN: convergence in authentication
• EAP-SIM and EAP-AKA
  • SIM-based authentication schemes
  • standardized protocols
• End-to-end mutual authentication between the mobile station and the backend authentication server
Protocol stacks in the figure (top to bottom):
• WLAN MS with U(SIM): EAP-SIM/AKA / EAP / EAPoL / 802.11
• AP: EAP / EAPoL / 802.11 towards the WLAN MS; RADIUS/DIAMETER Client / UDP/IP / L2/L1 towards the network
• Network AAA Proxies: RADIUS/DIAMETER Proxies / UDP/IP / L2/L1
• 3G AAA Server: EAP-SIM/AKA / EAP / RADIUS/DIAMETER Server / UDP/IP / L2/L1
Domains in the figure: WLAN DOMAIN; WAN DOMAIN + CELLULAR NETWORK

A quick trust analysis
• Both devices blindly trust each other
  • they behave as a unique supplicant
• This is not a recommendable default assumption
  • the authentication scheme should be designed to protect against any potential scenario
  • e.g. the WLAN MS is an a priori untrustworthy terminal
• Conclusion: should additional authentication mechanisms be provided?

Stand-alone device… stand-alone supplicant
[Figure: columns Supplicant Device, Access Device, Access Network, Core Network, AAA services. Labels: User, PSTN, Dedicated lines, AAA, Other Services, Smart Cards, Multimode MS, WLAN, Internet, IP-based AAA, 3GPP]

Motivation
• Our new approach starts from a different authentication model that considers:
  • an isolated U(SIM) with autonomy during the authentication process
  • which participates as a stand-alone supplicant or claimant, and does not rely on the access terminal (i.e. the WLAN mobile station) for this functionality
• Additionally, this work assumes an a priori untrustworthy environment: the WLAN MS is considered a potential attacker
• Hence, the WLAN MS should be authenticated by the network as a different host from the U(SIM)
• Required: device authentication previous to SM

Goals
• To define an AAA architecture that represents a more robust and flexible solution in terms of security
  • feasible for untrustworthy environments
• To provide efficient SIM-based customization or personalization of mobile stations in critical or public environments
• Authentication Convergence (netw1, netw2)
• Convergence (Smart Device,

Our Network Smart Card concept
• In a previous work, we proposed a Network Smart Card (NSC) for authentication purposes:
  • Atomic smart card authentication protocol design: the authentication protocol should be designed as an integral part of the smart card. We propose a specific protocol stack for the card.
  • End-to-end mutual authentication scheme: the smart card participates as a communication endpoint.
  • IETF Layer 2 authentication (the IP layer is not required)

…details: our Network Smart Card (NSC) approach
[Figure labels: EAP-type = EAP-AKA, EAP-type, EAP, EAP pass-through, PPP, PPP, ISO7816, ISO7816; nodes: Supplicant Smart Card, Terminal]
• Pass-through authenticator
  • according to EAP (acc. IETF)
  • AP/NAS EAP-based
• Other approaches…

Related Work
• EAP-SIM/AKA solutions: many works, but focused on 3G/WLAN interworking security (network side)
  • usually, problems derived from the original SIM/AKA protocols
  • alternatives: EAP-TTLS, EAP-TLS, etc.
• Assumption about the (U)SIM-WLAN_UE trust relationship
  • blind trust: they behave as a unique supplicant
• Summarized:
  • the U(SIM) stores the corresponding subscriber authentication credentials
  • and computes the cryptographic algorithms envisaged in the SIM/AKA protocols on behalf of the mobile station

Related Work
• Versatile solutions are missing
• Example: consider a U(SIM) that may be an external smart card that customizes (temporary personalization) a public wireless terminal for 3G/WLAN access.
• In such a case, U(SIM) behaviour as a stand-alone supplicant is highly recommendable.
• So it should be isolated and protected.

New NSC-based AAA Protocol Architecture in 3G/WLAN
Protocol stacks in the figure (top to bottom):
• NSC-based U(SIM): EAP-AKA / EAP / PPP / ISO7816
• WLAN MS: EAP / PPP / ISO7816 towards the U(SIM); DIAMETER Client / UDP/IP / 802.11 towards the network
• AP Bridge: 802.11 / L2/L1
• Network AAA Proxies: DIAMETER Proxies / UDP/IP / L2/L1
• 3G AAA Server: EAP-AKA / EAP / DIAMETER Server / UDP/IP / L2/L1

Features
• U(SIM) remote authentication scheme: stand-alone supplicant functionality instead of split supplicant functionality:
  • the U(SIM) and the WLAN MS do not cooperate in the authentication process as a unique device
  • the authentication protocol stack is designed as an integral part of the U(SIM) (atomic design), so that it participates as an actual endpoint in the authentication process with a 3G AAA server
[Figure: NSC-based U(SIM) stack: EAP-AKA / EAP / PPP / ISO7816]

…features
• Minimal changes in the original architecture
  • the 3G network side does not require changes
  • proxies and end equipment keep their settings and implementation features
[Figure: Network AAA Proxies stack: DIAMETER Proxies / UDP/IP / L2/L1; 3G AAA Server stack: EAP-AKA / EAP / DIAMETER Server / UDP/IP / L2/L1]

…features
• The WLAN Mobile Station participates as a Network Access Server (NAS)
  • implementing the role of pass-through authenticator
  • as a DIAMETER client
• This reinforces the stand-alone supplicant functionality in the U(SIM), since the WLAN MS cannot act as supplicant and authenticator at the same time for the same U(SIM).
[Figure: WLAN MS stack: EAP / PPP / ISO7816 towards the U(SIM); DIAMETER Client / UDP/IP / 802.11 towards the network. AP Bridge: 802.11 / L2/L1]

…features
• U(SIM) isolation: advantages with regard to assuring the security of the entire scheme in untrustworthy scenarios
• Our architecture takes advantage of the functions of the LCP protocol (in PPP):
  • the LCP/PPP protocol may be easily hosted in the U(SIM) stack
  • EAP was initially designed for PPP
• The EAP layer allows:
  • packet exchange between the EAP-SIM/AKA methods and LCP frames
  • duplication and retransmission control

Authentication Flow in our AAA Architecture
Participants: NSC-based U(SIM), WLAN MS, 3G AAA Server
0. EAP Request/Identity
1. PPP/EAP Request/Identity
2. PPP/EAP Response/Identity [IMSI or Pseudonym]
3. DIAMETER/EAP Response/Identity [IMSI or Pseudonym]
4. DIAMETER/EAP Request/AKA-Challenge [RAND, AUTN, MAC, Encrypted ID]
5. PPP/EAP Request/AKA-Challenge [RAND, AUTN, MAC, Encrypted ID]
6. PPP/EAP Response/AKA-Challenge [RES, MAC]
7. DIAMETER/EAP Response/AKA-Challenge [RES, MAC]
8. Validation (XRES =? RES)
9. DIAMETER/EAP Success
10. PPP/EAP Success
11. Secure channel establishment

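Added example (not from the original slides or the authors' testbed): a Python sketch of steps 4 to 8 of the flow above, with the U(SIM) checks listed on the AKA slide and the WLAN MS reduced to a relay that never holds K. Assumptions: f1, f2 and f5 are replaced by truncated HMAC-SHA256 stand-ins rather than MILENAGE, AUTN omits the AMF field, the EAP-level MAC attribute is not modelled, and the class names, key and IMSI are constructed for illustration.

```python
import hashlib, hmac, os

def f(tag, k, *parts, n=8):
    # Stand-in for AKA f1/f2/f5: truncated HMAC-SHA256, NOT MILENAGE (assumption).
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class AaaServer:
    """3G AAA server with HLR/AuC data: K and SQN per IMSI (hypothetical class)."""
    def __init__(self, subscribers):
        self.subs, self.pending = subscribers, {}

    def challenge(self, imsi):
        sub = self.subs[imsi]
        sub["sqn"] += 1
        sqn, rand = sub["sqn"].to_bytes(6, "big"), os.urandom(16)
        self.pending[imsi] = f(b"f2", sub["k"], rand)              # XRES
        ak = f(b"f5", sub["k"], rand, n=6)
        return rand, xor(sqn, ak) + f(b"f1", sub["k"], sqn, rand)  # RAND, AUTN (no AMF)

    def validate(self, imsi, res):
        xres = self.pending.pop(imsi, None)                        # one attempt per challenge
        return xres is not None and hmac.compare_digest(xres, res)

class Usim:
    """Stand-alone supplicant: K and SQN never leave the card (hypothetical class)."""
    def __init__(self, imsi, k, sqn=0):
        self.imsi, self._k, self._sqn = imsi, k, sqn

    def respond(self, rand, autn):
        sqn = xor(autn[:6], f(b"f5", self._k, rand, n=6))          # decrypt SQN by f5
        if not hmac.compare_digest(autn[6:], f(b"f1", self._k, sqn, rand)):
            return None                                            # MAC check by f1 failed
        if int.from_bytes(sqn, "big") <= self._sqn:
            return None                                            # stale SQN: replayed challenge
        self._sqn = int.from_bytes(sqn, "big")
        return f(b"f2", self._k, rand)                             # RES = f2(K, RAND)

def wlan_ms_relay(usim, server):
    """WLAN MS as pass-through: it sees RAND, AUTN and RES, never K."""
    rand, autn = server.challenge(usim.imsi)      # steps 4-5
    res = usim.respond(rand, autn)                # step 6
    return res is not None and server.validate(usim.imsi, res)    # steps 7-8

K = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed test key
IMSI = "001010123456789"                                 # constructed test IMSI
```

A replayed or altered challenge makes `Usim.respond` return nothing, so a terminal that tampers with the relayed messages gets no RES to forward.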
Security and Trust Issues
• We are not proposing a new U(SIM) authentication protocol in the context of 3G/WLAN interworking.
• Our architecture is built from well-known protocols that are implemented inside the U(SIM) with a novel approach:
  • a new way to transport authentication messages between the U(SIM) and a 3G AAA server
  • and the U(SIM) takes control on the user side
• Security weaknesses and threats derive from the nature of such standardized protocols and the correctness of their implementation.

Security and Trust Issues
• New secure algorithms, key material or cryptographic techniques are not required
• The implementation of the EAP-AKA method is transparently reused, both on the U(SIM) side and on the 3G AAA Server side.

Trust Models
• A relevant impact of our proposal is related to the trust models
• Trust model derived from the original AAA protocol architecture in a 3G/WLAN interworking scenario:
[Figure: trust relationships between U(SIM), WLAN MS, AP, Proxies and AAA 3GPP Server across the User Domain and the Public Domain (untrustworthy environment). Relationship labels: explicit, blind, implicit, explicit, nAUT]

Our Trust Model
• The "blind trust" assumption should not be applied to all scenarios, and a more flexible solution is required
• Our goal: to introduce a more realistic architecture, from which a new trust model is derived
[Figure: trust relationships between U(SIM), WLAN MS, AP, Proxies and AAA 3GPP Server across the User Domain and the Public Domain (untrustworthy environment). Relationship labels: explicit, implicit, implicit, explicit, nAUT, explicit]

Our Trust Model
• The trust relationship between the WLAN MS and the 3G AAA server is supported by the DIAMETER protocol
  • the WLAN MS is part of the network and behaves as an Access Point for the U(SIM)
• Only when the U(SIM) and the 3G AAA server mutually trust each other does the U(SIM) trust the WLAN MS
  • our AAA architecture aims to provide robustness with this goal
• This is a reasonable result in a priori untrustworthy scenarios

Implementation and Testbed
• Testbed for the AAA network architecture for the NSC-based U(SIM)
• Implemented by means of the OpenDiameter libraries: C++ API for both EAP and Diameter EAP
[Figure labels: NSC-based U(SIM), WLAN MS, DIAMETER Client, Network AAA Proxy, 3G AAA Diameter Server]

Details about implementation
• 3G AAA Server: the back-end authentication server is basically implemented by:
  • the libdiametereap and libeap libraries
  • the Diameter EAP API is extensible and allows defining authorization (DEA attributes)
  • the EAP API is extended in order to support the EAP-AKA method
  • the OpenSSL library (partially included) provides a set of AKA cryptographic functionalities
  • for simplicity's sake, functions f3 and f4 have not been implemented
• Network AAA proxy
  • standard Diameter base protocol procedure
  • the relay version (Diameter proxy) is provided by libdiameter
  • allows completing the implementation of the protocol stack in a layer 2 wireless Access Point
• WLAN MS
  • common laptop with an IEEE 802.11g wireless interface
  • the NAS functionality (Diameter client) is provided by the implementation of the libdiametereap library

Details about implementation
• Network Smart Card with U(SIM) functionalities
  • JavaCard: bulk LCP/EAP protocol stack, according to the standardized state machines
  • enhanced with a set of functionalities corresponding to the EAP-AKA method
  • CK and IK derivation, as well as synchronization and re-authentication functionalities, have been left out for the purposes of the testbed experiments
EAP state machine on the card (input: eapReqData, output: eapRespData):

RECEIVED:
    // parse the incoming EAP packet
    (rxReq, rxSuccess, rxFailure, reqId, reqMethod) = parseEapReq(eapReqData)

GET_METHOD:
    // accept the requested method or answer with a Nak
    if (allowMethod(reqMethod)) {
        aka.Method = reqMethod
        methodState = INIT
    } else {
        eapRespData = buildNak(reqId)
    }

AKA_METHOD:
    // hand the request to the EAP-AKA method
    ignore = aka.check(eapReqData)
    if (!ignore) {
        (methodState, decision, allowNotifications) = aka.process(eapReqData)
        eapRespData = aka.buildResp(reqId)
        if (aka.isKeyAvailable())
            eapKeyData = aka.getKey()
    }

SEND_RESPONSE:
    // remember the response for retransmission and hand it to the lower layer
    lastId = reqId
    lastRespData = eapRespData
    eapReq = FALSE
    eapResp = TRUE

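Added example (not the authors' JavaCard code): a Python sketch of what parseEapReq and buildNak in the RECEIVED and GET_METHOD states have to do with the bytes of an EAP packet, including the length check that keeps a truncated packet away from the method. The snake_case function names, the `on_packet` dispatcher and the two sample packets are constructed for illustration; the EAP codes and type numbers are the standard ones.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # EAP codes
TYPE_IDENTITY, TYPE_NAK, TYPE_AKA = 1, 3, 23                        # EAP type numbers

def parse_eap_req(data):
    """RECEIVED: return (rxReq, rxSuccess, rxFailure, reqId, reqMethod)."""
    ignored = (False, False, False, None, None)
    if len(data) < 4:
        return ignored
    code, req_id, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        return ignored                      # declared length exceeds the bytes received
    if code == EAP_REQUEST and length >= 5:
        return (True, False, False, req_id, data[4])
    if code == EAP_SUCCESS:
        return (False, True, False, req_id, None)
    if code == EAP_FAILURE:
        return (False, False, True, req_id, None)
    return ignored                          # e.g. a Response sent to the peer

def build_nak(req_id, acceptable=(TYPE_AKA,)):
    """GET_METHOD, method refused: Response/Nak listing the acceptable types."""
    body = bytes([TYPE_NAK, *acceptable])
    return struct.pack("!BBH", EAP_RESPONSE, req_id, 4 + len(body)) + body

def on_packet(data, allowed=(TYPE_AKA,)):
    """Hypothetical dispatcher: which state handles this packet, and any reply."""
    rx_req, rx_success, rx_failure, req_id, method = parse_eap_req(data)
    if rx_success or rx_failure:
        return ("SUCCESS" if rx_success else "FAILURE", req_id, None)
    if not rx_req:
        return ("DISCARD", None, None)
    if method == TYPE_IDENTITY:
        return ("IDENTITY", req_id, None)
    if method in allowed:
        return ("AKA_METHOD", req_id, None)
    return ("GET_METHOD", req_id, build_nak(req_id, allowed))

# Constructed packets: an AKA-Challenge header only, and an EAP-TLS (type 13) start.
AKA_REQ = bytes.fromhex("0107000817010000")
TLS_REQ = bytes.fromhex("010900060d20")
```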
Conclusion
• Our testbed shows the feasibility and robustness of the proposed NSC-based AAA protocol architecture for 3G/WLAN interworking scenarios.
• The standardized EAP-AKA protocol is transparently implemented in a common U(SIM), which participates as a stand-alone supplicant (NSC-based U(SIM))
• A novel trust model that assumes an a priori untrustworthy environment is defined
• Therefore, our approach represents a more flexible solution in terms of security.
• Beyond these benefits, it may also provide efficient customization or personalization of mobile stations in critical or public environments.
• Further work:
  • Study and complete EAP-AKA functionalities
  • New EAP-type methods

Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures
Thank you for your attention!
Questions/Comments?