2G/3G Authentication with
SIM cards:
usage & roaming basics for
the Internet challenged
Michael Haberler
Internet Foundation Austria
outline
• a SIM card mini-tutorial
• features, protocol flow, usage, production, addressing
• UMTS authentication and key agreement
• principles and protocol flow
• the universal integrated circuit card (UICC)
• USIM app
• how 2G, 3G roaming works
• „over the air“ (OTA) loading of UICC apps
• example: X.509 certificate download
• (U)SIM‘s and Internet access authentication
– how SIMs and RADIUS roaming works
• (U)SIM‘s and SIP authentication
– what the SIP server does
• How the parameter logistics works
• a bonus business model thrown in
• summary
what‘s a 2G SIM card
• crypto smart card as per ISO 7816
• access protected by a PIN code(s) („card holder verification“)
• fixed storage of subscriber identity – IMSI (international mobile
subscriber identity) – „GSM MAC address“
– E.164 number to IMSI mapping at the operator only
• safe storage for shared secret - accessible only through CHAP
operation
– not broken as of today except for most stupid CHAP algorithm known
• CHAP algorithm in hardware
– operator chooses algorithm
• tree structured filesystem
– stream, record, cyclic record files
– can be readonly, read/write or none at all (for the key)
– some permission hierarchy
how are SIM cards produced
• unprogrammed chips are „personalized“ and „closed“
(parameters written & sealed)
• mass product - $5-$7 apiece at 1000+
– GEMplus, Giesecke & Devrient ....
• everybody can have SIM‘s made – even Mom&Pop ISP
• not everybody may
– roam with other cellular operators
– use the GSM algorithm „A3/A8“ – you wouldnt want it anyway
– must be member of GSM association for that
• having your own algorithm in a chip mask is a circa
$50K+ affair
• for testing & development unprogrammed castrated
chips used (XOR algorithm for CHAP...)
how are (U)SIM cards accessed
• 2G, 3G use
– builtin reader in the mobile handset
• for Internet use:
– maybe builtin in PDA, PC (e.g.DELL)
– external USB token – 20$ apiece
– re-use a mobile SIM card via Bluetooth SIG SIM Access
Profile (only if roaming against 2G/3G operator)
• read 3G „(U)SIM Security Reuse by Peripheral
Decices on local interfaces“ – contains some threat
analysis
SIM usage in 2G authentication
access request – present IMSI
Authentication
2G GSM Center
handset present challenge („RAND“)
send RESP (challenge response)
keys
shared secret
IMSI structure
C
MC N
MC SI
MN
hr
T e w ohe
T ot t r M i um t
am
x e
n
of
gts
di i di i
gts gts
di i
I SI
M
am
x
M i um f di i
of
n
e gt
t
i s
9
-
0
2
4
7
T
8
C
MC obi
C
e y ode
r
M l ount C
N
MC obi t
e w k ode
N
M l e or C
SI
MN obi
M le
Subs e e t nN
b
i d f
rI
c r nic
o
a be
um r
I SI
M ne t
ri
no l
I t a na obi
M l Subs e e t
e i d y
rI
c r ni
b
• MCC/MNC uniquely designates an operator and his authentication center
• when roaming, MCC/MNC tells the visiting network where to route the
authentication request
• this is done via SS7 MAP (mobile application part)
what is „OTA“ (over the air) loading?
• SIM cards are writable by mobile equipment
– if authenticated to network
– if instructed by operator „over the air“
– if file/directory is writable
• example: ISIM X.509 certificate „bootstrap“
– AKA authenticated:
• let user visit PKI portal
• download certificates through HTTP/Digest mechanism
• certificates are stored in record structured files, as ar CA certifcates
• „The Air“ can also be an IP connection
• download of executable applets possible
– SIM Toolkit, USAT (USIM Application toolkit)
– bytecode instructions sent encrypted by 3DES, stored on card
• regularly used in 2G networks today – for functionality upgrades
& parameter download
UMTS authentication and key
agreement (AKA)
• substantially improved over 2G SIM
• protection against replay, MITM attacks
• sports also network-to-user authentication
• more complex algorithm
• compatibility functions 2G network/3G
card, 3G network/2G card
3G AKA authentication flow
access request – present IMSI
Authentication
3G UMTS Center
handset challenge RAND || AUTN token
send RESP (challenge response)
keys
shared secret,
result: Sequence numbers
Cipher key
Integrity key
what‘s the universal integrated
circuit card (UICC) about
• generic support mechanism for multiple
applications on one card
• 2G,3G authentication become „applications“
selected as needed
– USIM application implements AKA
– 2G SIM app implements 2G CHAP
– additional apps possible (ISIM, PKI certificate
storage etc)
– ISIM is pretty close to SIP client needs!!
• mobile equipment chooses application
using (U)SIMs for Internet
access authentication
• embed flow in EAP and tunnel in RADIUS
• between 802.1x „supplicant“ in client and RADIUS
EAP backend using EAP-SIM or EAP-AKA
• RADIUS server MAY gateway to SS7 MAP and
„roam“
– WiFi network looks like a GSM roaming partner
– example: WiFi roaming through www.togewanet.com
• OR RADIUS server access an ISP-style database
for keys
– ISP is the SIM card issuer!
using (U)SIM for SIP authentication
• speak HTTP/AKA (RFC3310) between SIP UA and proxy
• proxy translates into EAP-AKA-in-RADIUS
• RFC specified only for AKA (3G auth)
• no mapping of EAP-SIM onto HTTP/SIM for 2G auth
• bad – almost all networks today use 2G auth – which
breaks SIP authentication through GSM/UMTS operators
• we need to address this and spec HTTP/SIM
how 2G roaming works
• mobile equipment presents IMSI
• visited network looks at MCC,MNC part of IMSI
– if no roaming agreement, drop him
– otherwise send access request thru SS7 MAP to home
network
– the home network verifies IMSI and sends a „triplet“:
(challenge, expected response, cipher key) authentication
vector
– visited network presents challenge, reads response
– if (response == expected response), service user
• the triplet is essentially an access ticket
– note no replay detection – these fellows seem to trust each
other
how 3G roaming works
• not much different from 3G, just more
parameters needed for AKA
• „triplets“ become „quintets“
how the 2G/3G user ids (IMSI‘s) are
mapped to RADIUS authentication:
• take mobile country code, mobile network code
• use them to create a realm
• Example
– IMSI = 232011234567890
• means mcc=232 (Austria) mnc=01 (Mobilkom)
– resulting realm
• mnc01.mcc232.owlan.org
– resulting RADIUS user
• 232011234567890@mnc01.mcc232.owlan.org
• routing to Radius servers decided by „subdomain“
• convention established by Nokia
• Nokia owns owlan.org domain pro-bono
from thereon this is vanilla RADIUS roaming
• but its just fine if we call it mnc01.mcc232.visionNG.org if that
sounds better, realms just gotta be unique
how does 2G/3G address
logistics work
• if you are a service provider and have E.164
ranges, get a MNC from your MCC
administrator (FCC, regulator...)
• the E.164 range might also be, for example,
from visionNG (+87810 ff) MCC = 901
• this doesnt mean you‘re part of 2G/3G
roaming yet – contracts & regulatory
prerequisites needed
• but the addressing is all set to go!!
a bonus business model thrown in:
• combine a SIP-based iTSP with a Mobile Virtual
Network Operator (MVNO)
– an MVNO has authentication, billing, customers, numbers,
but the radio network is outsourced from somewhere else
• issue (U)SIM cards which work both in a 2/3G
handset AND as WiFi/SIP auth tokens – note the
same card authenticates both uses!
• leave choice to user how to connect – Internet or
cellular – using the same E.164 number
Summary
• 2G/3G has a strong/very strong authentication architecture
• it is almost copy & paste for iTSP use at WiFi access, WiFi
roaming acces, SIP and other levels (TBD!)
• it can serve to solve the X.509 certificate distribution problem
• operator model (2G/3G home network, ISP home network) has
no impact on Internet-side terminals
• numbering & addressing resources are compatible and available
(maybe not obviously so)
• the Internet could become the biggest (U)SIM authenticated
mobile network ever to roam with 2G/3G land