S.R0086-0_v1.0_011904

Document Sample
S.R0086-0_v1.0_011904 Powered By Docstoc
					3GPP2 S.R0086-0

Version: 1.0

Date: 11 December 2003




                         IMS Security Framework




COPYRIGHT

3GPP2 and its Organizational Partners claim copyright in this document and individual
Organizational Partners may copyright and issue documents or standards publications in
individual Organizational Partner's name based on this document. Requests for reproduction
of this document should be directed to the 3GPP2 Secretariat at secretariat@3gpp2.org.
Requests to reproduce individual Organizational Partner's documents should be directed to
that Organizational Partner. See www.3gpp2.org for more information.
                                      S.R0086-0 v1.0



EDITOR



Marcus Wong
Lucent Technologies, Inc.
67 Whippany Road
Whippany, NJ 07981

USA
mw888mw@lucent.com



   REVISION HISTORY

   1.0         Initial publication   11 December 2003
(This page intentionally left blank)
                                                                                                                                                      S.R0086-0 v1.0


 1
 2
 3   CONTENTS
 4
 5
 6   1      SCOPE ................................................................................................................................................... 1
 7
 8   2      REFERENCES ...................................................................................................................................... 1
 9
10   3      DEFINITIONS, SYMBOLS AND ABBREVIATIONS ..................................................................... 2
11
12       3.1       DEFINITIONS..................................................................................................................................... 2
13       3.2       ABBREVIATIONS ............................................................................................................................... 2
14
     4      OVERVIEW OF THE SECURITY ARCHITECTURE ................................................................... 3
15
16
17
     5      SECURITY FEATURES ...................................................................................................................... 5
18       5.1    SECURE ACCESS TO IMS................................................................................................................... 5
19
           5.1.1    Authentication of the subscriber and the network ................................................................... 5
20
           5.1.2    Re-Authentication of the subscriber ........................................................................................ 6
21
           5.1.3    Confidentiality protection........................................................................................................ 6
22
           5.1.4    Integrity protection.................................................................................................................. 6
23
         5.2    NETWORK TOPOLOGY HIDING........................................................................................................... 7
24
25   6      SECURITY MECHANISMS ............................................................................................................... 7
26
27       6.1    AUTHENTICATION AND KEY AGREEMENT ......................................................................................... 7
28         6.1.1    Authentication of an IM-subscriber......................................................................................... 8
29         6.1.2    Authentication failures .......................................................................................................... 10
30           6.1.2.1 User authentication failure ................................................................................................ 10
31           6.1.2.2 Network authentication failure .......................................................................................... 11
32           6.1.2.3 Incomplete authentication ................................................................................................. 12
33         6.1.3    Synchronization failure ......................................................................................................... 12
34         6.1.4    Network Initiated authentications ......................................................................................... 13
35
           6.1.5    Integrity protection indicator ................................................................................................ 14
36
         6.2    CONFIDENTIALITY MECHANISMS .................................................................................................... 14
37
         6.3    INTEGRITY MECHANISMS ................................................................................................................ 14
38
         6.4    HIDING MECHANISMS ..................................................................................................................... 14
39
40   7      SECURITY ASSOCIATION SET-UP PROCEDURE.................................................................... 15
41
42
         7.1    SECURITY ASSOCIATION PARAMETERS ........................................................................................... 15
43       7.2    SET-UP OF SECURITY ASSOCIATIONS (SUCCESSFUL CASE)............................................................... 19
44       7.3    ERROR CASES IN THE SET-UP OF SECURITY ASSOCIATIONS ............................................................. 21
45         7.3.1    Error cases related to IMS AKA............................................................................................ 21
46           7.3.1.1 User authentication failure ................................................................................................ 21
47           7.3.1.2 Network authentication failure .......................................................................................... 21
48           7.3.1.3 Synchronisation failure...................................................................................................... 21
49           7.3.1.4 Incomplete authentication ................................................................................................. 21
50         7.3.2    Error cases related to the Security-Set-up ............................................................................ 21
51
             7.3.2.1 Proposal unacceptable to P-CSCF..................................................................................... 21
52
             7.3.2.2 Proposal unacceptable to UE............................................................................................. 21
53
             7.3.2.3 Failed consistency check of Security-Set-up lines at the P-CSCF .................................... 22
54
         7.4    AUTHENTICATED RE-REGISTRATION .............................................................................................. 22
55
56
           7.4.1    Void ....................................................................................................................................... 22
57
           7.4.1a Management of security associations in the UE ................................................................... 22
58
           7.4.2    Void ....................................................................................................................................... 23
           7.4.2a Management of security associations in the P-CSCF ........................................................... 23



                                                                                    i
                                                                                                                                                S.R0086-0 v1.0


                                                                                                                                                              1
    7.5     RULES FOR SECURITY ASSOCIATION HANDLING WHEN THE UE CHANGES IP ADDRESS .................. 24                                                      2
                                                                                                                                                              3
8     SECURE MEMORY WITHIN UE ................................................................................................... 24
                                                                                                                                                              4
    8.1     REQUIREMENTS ON THE SECURE MEMORY OF AN IMS CAPABLE UE ............................................ 24                                            5
                                                                                                                                                              6
9     NETWORK DOMAIN SECURITY.................................................................................................. 26                            7

    9.1     INTER-DOMAIN SECURITY .............................................................................................................. 26           8

    9.2     INTRA-DOMAIN SECURITY ............................................................................................................. 26            9

                  Annex A (normative): The use of Security Mechanism Agreement for SIP Sessions (ref.                                                        10
                                                                                                                                                             11
                  [22]) for security mode set-up........................................................................................... 28
                                                                                                                                                             12
                  Annex B (normative): Key expansion functions for IPsec ESP........................................ 30
                                                                                                                                                             13
                  Annex C (normative): Recommendations to protect the IMS from UEs bypassing the P-
                                                                                                                                                             14
                  CSCF................................................................................................................................. 31   15
                                                                                                                                                             16
                                                                                                                                                             17
                                                                                                                                                             18
                                                                                                                                                             19
                                                                                                                                                             20
                                                                                                                                                             21
                                                                                                                                                             22
                                                                                                                                                             23
                                                                                                                                                             24
                                                                                                                                                             25
                                                                                                                                                             26
                                                                                                                                                             27
                                                                                                                                                             28
                                                                                                                                                             29
                                                                                                                                                             30
                                                                                                                                                             31
                                                                                                                                                             32
                                                                                                                                                             33
                                                                                                                                                             34
                                                                                                                                                             35
                                                                                                                                                             36
                                                                                                                                                             37
                                                                                                                                                             38
                                                                                                                                                             39
                                                                                                                                                             40
                                                                                                                                                             41
                                                                                                                                                             42
                                                                                                                                                             43
                                                                                                                                                             44
                                                                                                                                                             45
                                                                                                                                                             46
                                                                                                                                                             47
                                                                                                                                                             48
                                                                                                                                                             49
                                                                                                                                                             50
                                                                                                                                                             51
                                                                                                                                                             52
                                                                                                                                                             53
                                                                                                                                                             54
                                                                                                                                                             55
                                                                                                                                                             56
                                                                                                                                                             57
                                                                                                                                                             58




                                                                         ii
                                                                                                  S.R0086-0 v1.0


 1
 2
 3   FOREWORD
 4
 5   This Technical Specification has been produced by the 3rd Generation Partnership Project 2 (3GPP2) based
 6
     on 3GPP TS 33.203 v5.4.0.
 7
 8   This document contains portions of material copied from 3GPP document number(s) TS 33.203. The
 9
     copyright on the 3GPP document is owned by the Organizational Partners of 3GPP (ARIB - Association of
10
     Radio Industries and Businesses, Japan; CWTS – China Wireless Telecommunications Standards group,
11
     China; ETSI – European Telecommunications Standards Institute; Committee T1, USA; TTA -
12
     Telecommunications Technology Association, Korea; and TTC – Telecommunication Technology
13
     Committee, Japan), which have granted license for reproduction and for use by 3GPP2 and its
14
15
     Organizational Partners.
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58




                                                       iii
                                                                                                       S.R0086-0 v1.0


 1
 2


     1                Scope
 3
 4
 5
 6   This document addresses the access and network security for IP-based services.
 7
 8   The scope for this technical specification is to specify the security features and mechanisms for secure
 9   access to the IM subsystem (IMS) for the 3G mobile telecommunication system.
10
11   The IMS supports IP Multimedia applications such as video, audio and multimedia conferences using SIP,
12   Session Initiation Protocol, as the signaling protocol for creating and terminating Multimedia sessions,
13   cf. [6]. This specification only deals with how the SIP signaling is protected between the subscriber and the
14   IMS, how the subscriber is authenticated and how the subscriber authenticates the IMS.
15
16
17
18   2                References
19
20   The following documents contain provisions which, through reference in this text, constitute provisions of
21   the present document.
22
23         • References are either specific (identified by date of publication, edition number, version number,
24           etc.) or non-specific.
25
26         • For a specific reference, subsequent revisions do not apply.
27
28   For a non-specific reference, the latest version applies.
29
30   [1]      3GPP TS 33.102, "3rd Generation Partnership Project; Technical Specification Group Services and
31            System Aspects; 3G Security; Security Architecture"
32   [2]      3GPP2 P.S0001-B, “Wireless IP Network Standard”
33
34   [3]      3GPP2 X.S0013, “IP Network for cdma2000 Spread Spectrum Systems 3GPP2 All-IP Core
35            Network Enhancements For Multimedia Domain
36
37   [4]      Void
38
39   [5]
40
41
     [6]      IETF RFC 3261, "SIP: Session Initiation Protocol".
42
     [7]      Void.
43
44
     [8]      3GPP2 X.S0013.4, “3GPP2 MMD; IP Multimedia Call Control Protocol Based on SIP and SDP
45
              Stage 3”
46
47
48
     [9]      3GPP2 S.R0037, “IP Network Architecture Model for cdma2000 Spread Spectrum Systems”
49
     [10]     Void
50
51
     [11]     3GPP2 X.S0013.2, “3GPP2 MMD; IP Multimedia Subsystem Stage-2”
52
53
54
     [12] IETF RFC 2617 (1999), "HTTP Authentication: Basic and Digest Access Authentication".
55
56   [13]     IETF RFC 2406 (1998), "IP Encapsulating Security Payload (ESP)".
57
58   [14]     IETF RFC 2401 (1998), "Security Architecture for the Internet Protocol".




                                                           1
                                                                                                       S.R0086-0 v1.0


                                                                                                                    1
[15]   IETF RFC 2403 (1998), "The Use of HMAC-MD5-96 within ESP and AH".                                            2
                                                                                                                    3
[16]   IETF RFC 2404 (1998), "The Use of HMAC-SHA-1-96 within ESP and AH".                                          4
                                                                                                                    5
[17]   IETF RFC 3310 (2002), "HTTP Digest Authentication Using AKA".
                                                                                                                    6
                                                                                                                    7
[18]   IETF RFC 3041 (2001), "Privacy Extensions for Stateless Address Autoconfiguration in IPv6".
                                                                                                                    8

[19]   IETF RFC 2402 (1998), "IP Authentication Header".                                                            9
                                                                                                                   10

[20]   IETF RFC 2405 (1998), "The ESP DES-CBC Cipher Algorithm With Explicit IV".                                  11
                                                                                                                   12
[21]   IETF RFC 2406 (1998), “IP Encapsulating Security Payload (ESP)”.                                            13
                                                                                                                   14
[22]   IETF RFC 3329 (2002), “Security Mechanism Agreement for the Session Initiation Protocol (SIP)”              15
                                                                                                                   16
[23]   3GPP2 X.S0013, “3GPP2 All-IP Core Network – Enhancements For Multimedia Domain (MMD)                        17
       Overview (Part-00)”                                                                                         18
                                                                                                                   19
[24]   3GPP2 X.S0011, “cdma2000 Wireless IP Network Standard”                                                      20
                                                                                                                   21
[25]   IETF RFC 2409 (1998), “Internet Key Exchange (IKE)”                                                         22
                                                                                                                   23
                                                                                                                   24


3             Definitions, symbols and abbreviations                                                               25
                                                                                                                   26
                                                                                                                   27
                                                                                                                   28
3.1           Definitions                                                                                          29
                                                                                                                   30
For the purposes of the present document, the following terms and definitions apply.                               31
                                                                                                                   32
Authenticated (re-) registration: A registration i.e. a SIP register is sent towards the Home Network              33
which will trigger an authentication of the IMS subscriber i.e. a challenge is generated and sent to the UE.       34
                                                                                                                   35
Confidentiality: The property that information is not made available or disclosed to unauthorized                  36
individuals, entities or processes.                                                                                37
                                                                                                                   38
Data integrity: The property that data has not been altered in an unauthorized manner.                             39
                                                                                                                   40
Data origin authentication: The corroboration that the source of data received is as claimed.                      41
                                                                                                                   42
Entity authentication: The provision of assurance of the claimed identity of an entity.                            43
                                                                                                                   44
Key freshness: A key is fresh if it can be guaranteed to be new, as opposed to an old key being reused             45
through actions of either an adversary or authorized party.                                                        46
                                                                                                                   47
Security Domain: Networks that are managed by a single administrative authority. Within a security                 48
domain the same level of security and usage of security services will be typical.                                  49
                                                                                                                   50
                                                                                                                   51
                                                                                                                   52
                                                                                                                   53
                                                                                                                   54

3.2           Abbreviations                                                                                        55
                                                                                                                   56
                                                                                                                   57
For the purposes of the present document, the following abbreviations apply:                                       58

    AAA              Authentication Authorization Accounting



                                                     2
                                                                                                      S.R0086-0 v1.0


 1
 2
         AKA              Authentication and key agreement
 3       CSCF             Call Session Control Function
 4       HSS Collective   Home Subscriber Server equivalent to AAA plus Databases
 5       IM               IP Multimedia
 6       IMPI             IM Private Identity
 7       IMPU             IM Public Identity
 8       IMS              IP Multimedia Core Network Subsystem
 9       LMSD             Legacy MS Domain
10       MAC              Message Authentication Code
11
         MMD              Multi-Media Domain
12
         MS               Mobile Station
13
         PDS              Packet Data Subsystem (3GPP2 PDSN-based)
14
         R-UIM            Removable User Identity Module
15
16
         SA               Security Association
17
         SEG              Security Gateway
18
         SDP              Session Description Protocol
19       SIP              Session Initiation Protocol
20       UA               User Agent
21       UE               User Equipment (equivalent to MS)
22       .
23
24
25
26
27
28
     4             Overview of the security architecture
29
     In the MMD, service is not provided until a security association is established between the mobile
30
     equipment and the network. IMS is essentially an overlay to the PDS and has a low dependency on the
31
     PDS. PDS can be deployed without the multimedia session capability. Consequently a separate security
32
33
     association is required between the multimedia client and the IMS before access is granted to multimedia
34
     services. The IMS Security Framework is shown in Figure 1.
35
     IMS authentication keys and functions at the user side may be stored in some secure memory location on
36
37
     an UE. It shall be possible for the IMS authentication keys and functions to be logically independent to the
38
     keys and functions used for PDS authentication. However, this does not preclude common authentication
39
     keys and functions from being used for IMS and PDS authentication according to the guidelines given in
40   section 8.
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58




                                                         3
                                                                                                       S.R0086-0 v1.0


                                                                                                                    1
                                                                                                                    2
                                                                                                                    3
                                                                                                                    4
                                                                                                                    5


                                                                     IMS
                                                                                                                    6

              UE                                                                                                    7
                                                                                                                    8
                                                                     Home Network
                                                                                                                    9
         Secure
          Mem
                             1
                                                     HSS                                                           10
                                                                                                                   11
                                                                                                                   12
                                          3                                    3                                   13
                                                                                                                   14
                                                                                             Multimedia
                                      I -CSCF            5
                                                                   S-CSCF                    IP-Networks
                                                                                                                   15
                                                                                                                   16
                                                                                                                   17
                                         4/5                 4/5
                                                                                                                   18
                                                                                                                   19

                                                                    Home/Serving                                   20
                                                                    N t  k                                         21

             UA              2         P-CSCF                                                                      22
                                                                                                                   23
                                                                                                                   24
                                                                                                                   25
                                                                   Transport                                       26
                                                                                                                   27

      Cdma2000 AN                      Packet Data Subsystem                                                       28
        Radio                                                                                                      29
          Access                                                                                                   30
                                                                                                                   31
                                                                                                                   32
                                                                                                                   33
                                                                                                                   34
                                                                                                                   35
                                 Figure 1: The IMS security architecture                                           36
                                                                                                                   37

There are five different security associations and different needs for security protection for IMS and they        38

are numbered 1,2, 3, 4 and 5 in Figure 1.                                                                          39
                                                                                                                   40

   1. Provides mutual authentication between the UE and the S-CSCF. The HSS collective (comprising of              41

      the AAA and the associated Databases, also referenced in this document as the “HSS”) delegates the           42

      performance of subscriber authentication to the S-CSCF. However the HSS is responsible for                   43
                                                                                                                   44
      generating keys and challenges. The long-term key in the secure memory of the UE and the HSS is
                                                                                                                   45
      associated with the user private identity (IMPI). The subscriber will have one (network internal)
                                                                                                                   46
      user private identity (IMPI) and at least one external user public identity (IMPU).
                                                                                                                   47
                                                                                                                   48
   2. Provides a secure link and a security association between the UE and a P-CSCF for protection of the
                                                                                                                   49
      Gm reference point. Data origin authentication is provided i.e. the corroboration that the source of
                                                                                                                   50
      data received is as claimed. For the definition of the Gm reference point cf. [9].
                                                                                                                   51
                                                                                                                   52
   3. Provides security within the network domain internally for the Cx-interface. This security
                                                                                                                   53
      association is covered in Section 9. For the definition of the Cx-interface cf. [9].
                                                                                                                   54
                                                                                                                   55
   4. Provides security between different networks for SIP capable nodes. This security association is
                                                                                                                   56
      covered in Section 9. This security association is only applicable when the P-CSCF resides in the
                                                                                                                   57
      VN. If the P-CSCF resides in the Home Network (HN) then bullet point number five below applies.
                                                                                                                   58




                                                     4
                                                                                                        S.R0086-0 v1.0


 1
 2
         5. Provides security within the network internally within the IMS subsystem between SIP capable
 3          nodes. This security association is covered in Section 9. Note that this security association also
 4          applies when the P-CSCF resides in the HN.
 5
 6   There exist other interfaces and reference points in IMS, which have not been addressed above. Those
 7   interfaces and reference points reside within the IMS, either within the same security domain or between
 8   different security domains. This specification assumes that the IP MMD core network supports secure
 9   communications via standard IETF protocols [14].
10
11   Mutual authentication is required between the UE and the HN.
12
13
     The mechanisms specified in this technical specification are independent of the mechanisms defined for the
14   Legacy MS Domain (LMSD) and Packet Data Subsystem (PDS).
15
16
     An independent IMS security mechanism provides additional protection against security breaches. For
17
     example, if the PDS security is breached the IMS would continue to be protected by its own security
18   mechanism. As indicated in Figure 1 the P-CSCF may be located either in the Visited or the Home
19   Network.
20
21   The confidentiality and integrity protection for SIP-signaling is provided in a hop-by-hop fashion. The first
22   hop i.e. between the UE and the P-CSCF is specified in this technical specification. The other hops, inter-
23   domain and intra-domain are specified in [5].
24
25


     5             Security features
26
27
28
29
30
31
     5.1           Secure access to IMS
32
33   5.1.1         Authentication of the subscriber and the network
34
35   The user’s subscription is authenticated by the S-CSCF (home service provider). The security association
36   between the UE and the first access point into the operator’s network (P-CSCF) is negotiated based on the
37   protocol defined in RFC 3329 [22]. The options supported by [22] are: tls, digest, ipsec-ike, ipsec-man,
38
     and ipsec-3gpp. When the negotiated protocol is not ipsec-3gpp, sections 5 through 8 do not apply, and the
39
     appropriate RFC e.g. the SIP RFC [6] security mechanism shall be applied.
40
41   Authentication between the subscriber and the network shall be performed as specified in section 6.1.
42
43   An IM-subscriber will have its subscriber profile located in the HSS in the Home Network. The subscriber
44   profile will contain information on the subscriber that may not be revealed to an external partner, cf. [3]. At
45
     registration an S-CSCF is assigned to the subscriber by the I-CSCF. The subscriber profile will be
46
     downloaded to the S-CSCF over the Cx-reference point from the HSS (Cx-Pull). When a subscriber
47
     requests access to the IP Multimedia Core Network Subsystem this S-CSCF will check, by matching the
48
     request with the subscriber profile, if the subscriber is allowed to continue with the request or not i.e. Home
49
     Control (Authorization of IM-services).
50
51
     All SIP-signaling will take place over the MMD i.e. IP Multimedia Core Network Subsystem is essentially
52
     an overlay to the PDS. Hence the Visited Network will have control of all the subscribers in the PDS i.e.
53
54
     Visited Control (Authorization of bearer resources) since the Visited Network provides the subscriber with
55
     a transport service and its associated QoS.
56
     For IM-services a new security association is required between the mobile and the IMS before access is
57
58
     granted to IM-services.




                                                          5
                                                                                                                              S.R0086-0 v1.0


                                                                      1
                                                                                                                                           1
The mechanism for mutual authentication in cdma2000® is called AKA. It is a challenge response protocol                                    2
and in cdma2000 the authentication center in the Home System derives the challenge. An Authentication                                      3
Vector containing the challenge is sent from the Home Stratum to the Serving Network. The Authentication                                   4
Vector contains the expected response XRES and also a message authentication code MAC. The Serving                                         5

Network compares the response from the UE with the XRES and if they match the UE has been                                                  6

authenticated. The UE calculates an expected MAC, XMAC, and compares this with the received MAC                                            7

and if they match the UE has authenticated the Serving Network.                                                                            8
                                                                                                                                           9

The AKA-protocol is a secure protocol developed for UMTS and the same concept/principles may be                                           10

reused for the IP Multimedia Core Network Subsystem, where it is called IMS AKA. One specific                                             11

characteristic of the IMS AKA procedure is that the UE is authenticated for IMS services only by the Home                                 12

Network, and not by the Serving Network.                                                                                                  13
                                                                                                                                          14

The Home Network authenticates the subscriber at anytime via the registration or re-registration                                          15

procedures.                                                                                                                               16
                                                                                                                                          17
                                                                                                                                          18
5.1.2             Re-Authentication of the subscriber                                                                                     19
                                                                                                                                          20
Initial registration shall always be authenticated. It is the policy of the operator that decides when to trigger                         21

a re-authentication by the S-CSCF. Hence a re-registration might not need to be authenticated2.                                           22
                                                                                                                                          23
A SIP REGISTER message, which has not been integrity protected at the first hop, shall be considered as                                   24

initial registration.                                                                                                                     25
                                                                                                                                          26
The S-CSCF shall also be able to initiate an authenticated re-registration of a user at any time, independent                             27
of previous registrations.                                                                                                                28
                                                                                                                                          29
                                                                                                                                          30
5.1.3             Confidentiality protection                                                                                              31
                                                                                                                                          32
Confidentiality protection shall not be applied to SIP signaling messages between the UE and the P-CSCF.                                  33
It is recommended to offer encryption for SIP signaling at the link layer, i.e., between the UE and the Radio                             34
Access Network.                                                                                                                           35
                                                                                                                                          36
Confidentiality between CSCFs, and between CSCFs and the HSS shall rely on mechanisms specified in                                        37
[5][24] and it is outside the scope of this document.                                                                                     38
                                                                                                                                          39

5.1.4             Integrity protection                                                                                                    40
                                                                                                                                          41
                                                                                                                                          42
Integrity protection shall be applied between the UE and the P-CSCF for protecting the SIP signaling, as                                  43
specified in section 6.3 whenever an SA exists. The following mechanisms are provided.                                                    44
                                                                                                                                          45
    1. The UE and the P-CSCF shall negotiate the integrity algorithm/mechanism to be used for a
                                                                                                                                          46
       particular session, as specified in chapter 7 (based on [22]).                                                                     47
                                                                                                                                          48
    2. The UE and the P-CSCF shall agree on security associations, which include the integrity keys that
                                                                                                                                          49
       shall be used for the integrity protection. The integrity key shall be the IK, delivered by the S-CSCF
                                                                                                                                          50
       to the P-CSCF during the user’s IMS authentication process (component of the AKA Authentication                                    51
       Vector), as specified in clause 6.1.                                                                                               52
                                                                                                                                          53
                                                                                                                                          54
                                                                                                                                          55
1 cdma2000® is the trademark for the technical nomenclature for certain specifications and standards of the Organizational Partners
                                                                                                                                          56
                                                                                      ®
       (OPs) of 3GPP2. Geographically (and as of the date of publication), cdma2000 is a registered trademark of the                      57
       Telecommunications Industry Association (TIA-USA) in the United States.
                                                                                                                                          58
2 Here, “authentication” refers to the AKA procedure. Integrity protection is always used for Registration messages when a security
       association exists.




                                                                 6
                                                                                                         S.R0086-0 v1.0


 1
 2
         3. The UE and the P-CSCF shall both verify that the data received originates from a node, which has
 3          the agreed integrity key. This verification is also used to detect if the data has been tampered with.
 4
 5
         4. Replay attacks and reflection attacks should be mitigated.
 6
 7
     Integrity protection between CSCFs, and between CSCFs and the HSS shall rely on mechanisms specified
 8
     by Network Domain Security in [5].
 9
10
11   5.2           Network topology hiding
12
13   The operational details of an operator's network are sensitive business information that operators are
14   reluctant to share with their competitors. While there may be situations (partnerships or other business
15   relations) where the sharing of such information is appropriate, the possibility should exist for an operator
16   to determine whether or not the topology of its network needs to be hidden.
17
18   It shall be possible to hide the network topology from other operators, which includes the hiding of the
19   number of S-CSCFs, the capabilities of the S-CSCFs and the capability of the network.
20
21   To achieve network hiding, the I-CSCF shall have the capability to encrypt the address of an S-CSCF in
22   SIP Via, Record-Route, Route and Path headers and then decrypt the address when handling the response
23   to a request. The P-CSCF may receive routing information that is encrypted but the P-CSCF will not have
24   the key to decrypt this information.
25
26   The mechanism shall support the scenario that different I-CSCFs in the Home Network may encrypt and
27   decrypt the address of the S-CSCFs.
28
29
30
31   6             Security Mechanisms
32
33   The security mechanism agreement is based on [22]. [22] defines a negotiation mechanism between the
34   UE and its first-hop SIP entry, the P-CSCF. It also provides protection against Man-in-the-Middle attack
35   by allowing the peers to detect if the initial, unprotected offer has been tampered with. 3GPP2 IMS shall
36
     support ipsec-3gpp as described below (conforming to recommendation [22] appendix A).
37
38
39
40
     6.1           Authentication and key agreement
41
     The scheme used for authentication and key agreement in the IMS is called IMS AKA. The IMS AKA
42
43
     achieves mutual authentication between the UE and the Home Network (HN), cf. Figure 1. The identity
44
     used for authenticating a subscriber is the private identity, IMPI, which has the form of a NAI, cf. [3]. The
45
     HSS and the UE share a long-term key associated only with the IMPI, not with an IM public identity
46   (IMPU).
47
48
     The HN shall use the IMS AKA scheme for authenticating an IM subscriber. The security parameters e.g.
49
     keys generated by the IMS AKA scheme are transported by SIP.
50
51
     The generation of the authentication vector AV that includes RAND, XRES, CK, IK and AUTN shall be
52
     done in the same way as specified in [1]. The UE and the HSS keep track of their respective IMS specific
53   SQN counters. The requirements on the handling of the counters and mechanisms for sequence number
54   management are specified in [1]. The AMF field can be used in the same way as in [1].
55
56
     Furthermore a security association is established between the UE and the P-CSCF. The subscriber may
57   have several IMPUs associated with one IMPI. These may belong to the same or different service profiles.
58   Only one SA shall be active between the UE and the P-CSCF. This single SA shall be updated when a new
     successful authentication of the subscriber has occurred, cf. section 7.4.




                                                           7
                                                                                                         S.R0086-0 v1.0


                                                                                                                      1
It is the policy of the HN that decides if an authentication shall take place for the registration of different       2
IMPUs e.g. belonging to same or different service profiles. Regarding the definition of service profiles cf.          3
[3]. The registration process may be done without key distribution and exchange process. However, for                 4
certain implementations, it may also be acceptable to combine the registration and key distribution such              5
that keying material would be made available during the combined registration and authentication process.             6
                                                                                                                      7
                                                                                                                      8
6.1.1         Authentication of an IM-subscriber                                                                      9
                                                                                                                     10
Before a user can get access to the IM services at least one IMPU needs to be registered and the IMPI                11
authenticated in the IMS at application level. In order to get registered the UE sends a SIP REGISTER                12
message towards the SIP registrar server i.e. the S-CSCF, cf. Figure 1, which will perform the                       13
authentication of the user. The message flows are the same regardless of whether the user has an IMPU                14
already registered or not.                                                                                           15
                                                                                                                     16
                                                                                                                     17
                                                                                                                     18
                                                                                                                     19
                                                                                                                     20
                                                                                                                     21
                                                                                                                     22
                                                                                                                     23
                                                                                                                     24
                                                                                                                     25
                                                                                                                     26
                                                                                                                     27
                                                                                                                     28
                                                                                                                     29
                                                                                                                     30
                                                                                                                     31
                                                                                                                     32
                                                                                                                     33
                                                                                                                     34
                                                                                                                     35
                                                                                                                     36
                                                                                                                     37
                                                                                                                     38
                                                                                                                     39
                                                                                                                     40
                                                                                                                     41
                                                                                                                     42
    Figure 2: The IMS Authentication and Key Agreement for an unregistered IM subscriber and
                                                                                                                     43
                    successful mutual authentication with no synchronization error
                                                                                                                     44
                                                                                                                     45
The detailed requirements and complete registration flows are defined in [8] and [11].                               46
                                                                                                                     47
SMn stands for SIP Message n and CMm stands for Cx message m which has a relation to the
                                                                                                                     48
authentication process:                                                                                              49
                                                                                                                     50
        SM1:
                                                                                                                     51
        REGISTER(IMPI, IMPU)
                                                                                                                     52
                                                                                                                     53
                                                                                                                     54
In SM2 and SM3 the P-CSCF and the I-CSCF respectively forwards the SIP REGISTER towards the S-
                                                                                                                     55
CSCF.
                                                                                                                     56
                                                                                                                     57
                                                                                                                     58




                                                      8
                                                                                                        S.R0086-0 v1.0


 1
 2
     After receiving SM3, if the IMPU is not currently registered at the S-CSCF, the S-CSCF needs to set the
 3   registration flag at the HSS to initial registration pending. This is done in order to handle mobile terminated
 4   calls while the initial registration is in progress and not successfully completed. The registration flag is
 5   stored in the HSS together with the S-CSCF name and user identity, and is used to indicate whether a
 6   particular IMPU of the user is unregistered or registered at a particular S-CSCF or if the initial registration
 7   at a particular S-CSCF is pending. The registration flag is set by the S-CSCF sending a Cx-Put to the HSS.
 8   If the IMPU is currently registered, the S-CSCF shall leave the registration flag set to registered. At this
 9   stage the HSS has performed a check that the IMPI and the IMPU belong to the same user.
10
11   Upon receiving the SIP REGISTER the S-CSCF shall use an Authentication Vector (AV) for
12   authenticating and agreeing on a key with the user. If the S-CSCF has no valid AV then the S-CSCF shall
13   send a request for AV(s) to the HSS in CM1 together with the number m of AVs wanted where m is at least
14   one.
15
16           CM1:
17           Cx-AV-Req(IMPI, m)
18
19
20
     Upon receipt of a request from the S-CSCF, the HSS sends an ordered array of n authentication vectors to
21
     the S-CSCF using CM2. The authentication vectors are ordered based on sequence number. Each
22
     authentication vector consists of the following components: a random number RAND, an expected
23
24
     response XRES, a cipher key CK, an integrity key IK and an authentication token AUTN. Each
25
     authentication vector is good for one authentication and key agreement between the S-CSCF and the IMS
26
     user.
27
28           CM2:
29           Cx-AV-Req-Resp(IMPI, RAND1||AUTN1||XRES1||CK1||IK1,….,RANDn||AUTNn||XRESn||CKn||IKn)
30
31
32
     When the S-CSCF needs to send an authentication challenge to the same user, it selects the next
33
     authentication vector from the ordered array, i.e. authentication vectors in a particular S-CSCF are used on
34
     a first-in / first-out basis.
35
36
     The S-CSCF sends a SIP 4xx Auth_Challenge i.e. an authentication challenge towards the UE including
37
     the challenge RAND and the authentication token AUTN in SM4. It also includes the integrity key IK and
38
     the cipher key CK for the P-CSCF. [17] specifies the fields to populate corresponding parameters of
39
40
     authenticate challenge.
41
     The verification of the SQN by the UE will cause the UE to reject an attempt by the S-CSCF to re-use an
42
     AV. Therefore no AV shall be sent more than once.
43
44
             NOTE: This does not preclude the use of the normal SIP transaction layer re-transmission
45
     procedures.
46
47
48
49           SM4:
50           4xx Auth_Challenge(IMPI, RAND, AUTN, IK, CK)
51
52
53
54
     When the P-CSCF receives SM5 it shall store the key(s) and remove that information and forward the rest
55
     of the message to the UE i.e.
56
57
58




                                                           9
                                                                                                         S.R0086-0 v1.0


                                                                                                                      1
        SM6:                                                                                                          2
        4xx Auth_Challenge(IMPI, RAND, AUTN)
                                                                                                                      3
                                                                                                                      4
                                                                                                                      5
As part of the challenge (SM6) the UE receives AUTN, which includes a MAC and the SQN. The UE                         6
calculates the XMAC and checks that XMAC=MAC, and then checks if the SQN is in the correct range as                   7
in [1]. If both these checks are successful the UE calculates the response, RES, puts it into the                     8
Authorization header and sends it back to the registrar in SM7. [17] specifies the fields to populate                 9

corresponding parameters of the response. It should be noted that the UE at this stage also computes the             10

session keys CK and IK.                                                                                              11
                                                                                                                     12
        SM7:                                                                                                         13
        REGISTER(IMPI, RES)                                                                                          14
                                                                                                                     15
                                                                                                                     16

The P-CSCF forwards the RES in SM8 to the I-CSCF, which queries the HSS to find the address of the S-                17

CSCF. In SM9 the I-CSCF forwards the RES to the S-CSCF.                                                              18
                                                                                                                     19

Upon receiving SM9 containing the response, the S-CSCF retrieves the active XRES for that user and uses              20

this to check the response sent by the UE as described in [17]. If the check is successful then the user has         21

been authenticated and the IMPU is registered in the S-CSCF. If the IMPU was not currently registered, the           22
                                                                                                                     23
S-CSCF shall send a Cx-Put to update the registration-flag to registered. If the IMPU was currently
                                                                                                                     24
registered the registration-flag is not altered.
                                                                                                                     25

It shall be possible to implicitly register IMPU(s). The implicitly registered IMPU(s) all belong to the same        26
                                                                                                                     27
Service Profile. All the IMPU(s) being implicitly registered shall be delivered by the HSS to the S-CSCF
                                                                                                                     28
and subsequently to the P-CSCF. The S-CSCF shall regard all implicitly registered IMPU(s) as registered
                                                                                                                     29
IMPU(s).
                                                                                                                     30
                                                                                                                     31
When an IMPU has been registered this registration will be valid for some period of time. Both the UE and
                                                                                                                     32
the S-CSCF will keep track of a timer for this purpose but the expiration time in the UE is smaller than the
                                                                                                                     33
one in the S-CSCF in order to make it possible for the UE to be registered and reachable without
                                                                                                                     34
interruptions. A successful registration of a previously registered IMPU (including implicitly registered            35
IMPUs) means the expiry time of the registration is refreshed.                                                       36
                                                                                                                     37
It should be noted that the UE initiated re-registration opens up a potential denial-of-service attack. That is,
                                                                                                                     38
an attacker could try to register an already registered IMPU and respond with the wrong RES in order to              39
make the HN de-register the IMPU. For this reason a subscriber should not be de-registered if it fails an            40
authentication. It shall be defined by the policy of the operator when successfully registered IMPU(s) are to        41
be de-registered.                                                                                                    42
                                                                                                                     43
The lengths of the Authentication Vector parameters are specified in chapter 6.3.7 in [1].                           44
                                                                                                                     45

6.1.2         Authentication failures                                                                                46
                                                                                                                     47
                                                                                                                     48
6.1.2.1           User authentication failure                                                                        49
                                                                                                                     50
In this case the authentication of the user should fail at the S-CSCF because of an incorrect response               51
(received in SM9). However, if the response is incorrect, then the IK used to protect SM7 will normally be           52

incorrect as well, which will normally cause the integrity check at the P-CSCF to fail. In this case SM7 is          53

discarded by the IPsec layer at the P-CSCF, therefore SM9 does not reach the S-CSCF. If the integrity                54

check passes but the response is incorrect, the message flows are identical up to and including SM9 as a             55
                                                                                                                     56
successful authentication. Once the S-CSCF detects the user authentication failure it should proceed in the
                                                                                                                     57
same way as having received SM9 in a network authentication failure (see clause 6.1.2.2).
                                                                                                                     58




                                                     10
                                                                                                       S.R0086-0 v1.0


 1
 2   6.1.2.2          Network authentication failure
 3
 4   In this section the case when the authentication of the network is not successful is specified. When the
 5   check of the MAC in the UE fails the network cannot be authenticated and hence registration fails. The
 6   flow is identical as for the successful registration in 6.1.1 up to SM6, as shown in Figure 3.
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
           Figure 3: The IMS Authentication and Key Agreement with network authentication error.
34
35
36
     The UE shall send a Register message towards the HN including an indication of the cause of failure in
37
     SM7. The P-CSCF and the I-CSCF forward this message to the S-CSCF.
38
             SM7:
39
             REGISTER(Failure = AuthenticationFailure, IMPI)
40
41
42
     Upon receiving SM9, which includes the cause of authentication failure, the S-CSCF shall set the
43
     registration-flag in the HSS to unregistered, if the IMPU is not currently registered. To set the flag the S-
44
45
     CSCF sends in CM3 a Cx-Put to the HSS. If the IMPU is currently registered, the S-CSCF does not update
46
     the registration flag.
47
            CM3:
48
            Cx-AV-Put(IMPI, Clear S-CSCF name)
49
50
51
52   The HSS responds to CM3 with a Cx-Put-Resp in CM4.
53
54   In SM10 the S-CSCF sends a 4xx Auth_Failure towards the UE indicating that authentication has failed, no
55   security parameters shall be included in this message.
56
57
58




                                                         11
                                                                                                        S.R0086-0 v1.0


                                                                                                                     1
       SM10:                                                                                                         2
       SIP/2.0 4xx Auth_Failure
                                                                                                                     3
                                                                                                                     4
                                                                                                                     5
Upon receiving SM10 the I-CSCF shall clear any registration information related to the IMPI.                         6
                                                                                                                     7
                                                                                                                     8
6.1.2.3           Incomplete authentication                                                                          9
                                                                                                                    10
If the S-CSCF does not receive a response to an authentication within an acceptable time, it considers the
                                                                                                                    11
authentication to have failed. If the IMPU was not already registered, the S-CSCF shall send a Cx-Put to
                                                                                                                    12
the HSS to set the registration-flag for that IMPU to unregistered (see message CM3 in clause 6.1.2.2). If          13
the IMPU was already registered, the S-CSCF does not change the registration-flag.                                  14
                                                                                                                    15

6.1.3         Synchronization failure                                                                               16
                                                                                                                    17
                                                                                                                    18
In this section the case of an authenticated registration with synchronization failure is described. After re-
                                                                                                                    19
synchronization, authentication may be successfully completed, but it may also happen that in subsequent
                                                                                                                    20
attempts other failure conditions (i.e. user authentication failure, network authentication failure) occur. In
                                                                                                                    21
the message flow in Figure 4, only the case of synchronization failure with subsequent successful                   22
authentication is shown. The other cases can be derived by combination with the flows for the other failure         23
conditions.                                                                                                         24
                                                                                                                    25
                                                                                                                    26
                                                                                                                    27
                                                                                                                    28
                                                                                                                    29
                                                                                                                    30
                                                                                                                    31
                                                                                                                    32
                                                                                                                    33
                                                                                                                    34
                                                                                                                    35
                                                                                                                    36
                                                                                                                    37
                                                                                                                    38
                                                                                                                    39
                                                                                                                    40
                                                                                                                    41
                                                                                                                    42
                                                                                                                    43
                                                                                                                    44
                                                                                                                    45
                                                                                                                    46
                                                                                                                    47
                                                                                                                    48
                                                                                                                    49
                                                                                                                    50

          Figure 4: The IMS Authentication and Key Agreement with synchronization failure.                          51
                                                                                                                    52
                                                                                                                    53
The flow equals the flow in 6.1.1 up to SM6. When the UE receives SM6 it detects that the SQN is out of
                                                                                                                    54
range and sends a synchronization failure back to the S-CSCF in SM7. [17] describes the fields to populate
                                                                                                                    55
corresponding parameters of synchronization failure.
                                                                                                                    56
                                                                                                                    57
                                                                                                                    58




                                                     12
                                                                                                        S.R0086-0 v1.0


 1
 2
             SM7:
             REGISTER(Failure = Synchronization Failure, AUTS, IMPI)
 3
 4
 5
 6
     Upon receiving the Synchronization Failure and the AUTS the S-CSCF sends an Av-Req to the HSS in
 7
     CM3 including the required number of Avs, m.
 8
             CM3:
 9
             Cx-AV-Req(IMPI, RAND,AUTS, m)
10
11
12
13   The HSS checks the AUTS as in section 6.3.5 in [1]. After potentially updating the SQN, the HSS sends
14   new AVs to the S-CSCF in CM4.
15
16
17           CM4:
18           Cx-AV-Req-Resp(IMPI, n,RAND1||AUTN1||XRES1||CK1||IK1,….,RANDn||AUTNn||XRESn||CKn||IKn)
19
20
21   The rest of the messages i.e. SM10-SM18 including the Cx messages are exactly the same as SM4-SM12
22   and the corresponding Cx messages in 6.1.1.
23
24
25
     6.1.4         Network Initiated authentications
26
27
     In order to authenticate an already registered user, the S-CSCF shall send a request to the UE to initiate a
28   re-registration procedure. When received at the S-CSCF, the re-registration shall trigger a new IMS AKA
29   procedure that will allow the S-CSCF to re-authenticate the user, as shown in Figure 5.
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
              Figure 5: The IMS Authentication and Key Agreement with network initiated
52                                         authentications.
53
54   The UE shall initiate the re-registration on the reception of the Authentication Required indication. In the
55   event that the UE does not initiate the re-registration procedure after the request from the S-CSCF, the S-
56   CSCF may decide to de-register the subscriber or re-issue an Authentication-Required.
57
58




                                                          13
                                                                                                     S.R0086-0 v1.0


                                                                                                                  1
6.1.5         Integrity protection indicator                                                                      2
                                                                                                                  3
In order to decide whether a REGISTER request from the UE needs to be authenticated, the S-CSCF needs             4
to know about the integrity protection applied to the message. The P-CSCF attaches an indication to the           5

REGISTER request to inform the S-CSCF that the message was integrity protected if:                                6
                                                                                                                  7
   -   the P-CSCF receives a REGISTER containing an authentication response and the message is                    8
       protected with the SA created during this authentication procedure; or                                     9
                                                                                                                 10
   -   the P-CSCF receives a REGISTER not containing an authentication response and the message is               11
       protected with the SA created by latest successful authentication (from the P-CSCF perspective).          12
                                                                                                                 13
For all other REGISTER requests the P-CSCF attaches an indication that the REGISTER request was not              14
integrity protected or ensures that there is no indication about integrity protection in the message.            15
                                                                                                                 16
                                                                                                                 17

6.2           Confidentiality mechanisms                                                                         18
                                                                                                                 19

No confidentiality mechanism is provided in this specification, cf. clause 5.1.3.                                20
                                                                                                                 21
                                                                                                                 22

6.3           Integrity mechanisms                                                                               23
                                                                                                                 24
                                                                                                                 25
IPsec ESP as specified in reference [13] shall provide integrity protection of SIP signaling between the UE
                                                                                                                 26
and the P-CSCF, protecting all SIP signaling messages at the IP level. IPSec ESP general concepts on
                                                                                                                 27
Security Policy management, Security Associations and IP traffic processing as described in reference [14]
                                                                                                                 28
shall also be considered. ESP integrity shall be applied in transport mode between UE and P-CSCF.                29
                                                                                                                 30
The method to set up ESP security associations (SAs) during the SIP registration procedure is specified in
                                                                                                                 31
clause 7. As a result of the registration procedure, a pair of unidirectional SAs between the UE and the
                                                                                                                 32
P-CSCF, shared by TCP and UDP, shall be simultaneously established in the P-CSCF and later on in the             33
UE. One SA is for traffic from the UE to the P-CSCF (inbound SA at the P-CSCF) and the other SA is for           34
traffic from the P-CSCF to the UE (outbound SA at the P-CSCF).                                                   35
                                                                                                                 36
The integrity key IKESP is the same for the two simultaneously established SAs. The integrity key IKESP is       37
obtained from the key IKIM established as a result of the AKA procedure, specified in clause 6.1, using a        38
suitable key expansion function. This key expansion function depends on the ESP integrity algorithm and          39
is specified in Annex B of this specification.                                                                   40
                                                                                                                 41
The integrity key expansion on the user side is done in the UE. The integrity key expansion on the network       42
side is done in the P-CSCF.                                                                                      43
                                                                                                                 44
The anti-replay service as described in [21] shall be enabled in the UE and the P-CSCF on all established        45
SAs.Note that IPsec integrity protection is incompatible with use of Network Address Translation between         46
IPv4 entities. No Network Address Translation is allowed between the UE and P-CSCF.                              47
                                                                                                                 48
                                                                                                                 49
6.4           Hiding mechanisms                                                                                  50
                                                                                                                 51
The Hiding Mechanism is optional for implementation. All I-CSCFs in the HN shall share the same                  52
encryption and decryption key Kv. If the mechanism is used and the operator policy states that the topology      53

shall be hidden the I-CSCF shall encrypt the hiding information elements when the I-CSCF forwards SIP            54

Request or Response messages outside the hiding network’s domain. The hiding information elements are            55

entries in SIP headers, such as Via, Record-Route, Route and Path, which contain addresses of SIP proxies        56
                                                                                                                 57
in hiding network. When I-CSCF receives a SIP Request or Response message from outside the hiding
                                                                                                                 58
network’s domain, the I-CSCF shall decrypt those information elements that were encrypted by I-CSCF in
this hiding network domain.



                                                    14
                                                                                                        S.R0086-0 v1.0


 1
 2
     The purpose of encryption in network hiding is to protect the identities of the SIP proxies and the topology
 3   of the hiding network. Therefore, an encryption algorithm in confidentiality mode shall be used. The
 4   network hiding mechanism will not address the issues of authentication and integrity protection of SIP
 5   headers. The AES in CBC mode with 128-bit block and 128-bit key shall be used as the encryption
 6   algorithm for network hiding. In the CBC mode under a given key, if a fixed IV is used to encrypt two
 7   same plaintexts, then the ciphertext blocks will also be equal. This is undesirable for network hiding.
 8   Therefore, random IV shall be used for each encryption. The same IV is required to decrypt the
 9   information. The IV shall be included in the same SIP header that includes the encrypted information.
10
11
12
13
14
     7              Security association set-up procedure
15
     The security association set-up procedure is necessary in order to decide what security services to apply
16
     and when the security services start. In the IMS authentication of users is performed during registration as
17
     specified in clause 6.1. Subsequent signaling communications in this session will be integrity protected
18
     based on the keys derived during the authentication and key agreement process.
19
20
21
22
     7.1            Security association parameters
23
24
     For protecting IMS signaling between the UE and the P-CSCF it is necessary to agree on shared keys that
25   are provided by a set of parameters specific to a protection method. The security mode setup (cf. clause 7.2)
26   is used to negotiate the SA parameters required for IPsec ESP with authentication, with or without
27   confidentiality.
28
29
30
31
     The SA parameters that shall be negotiated between UE and P-CSCF in the security mode set-up
32
     procedure, are:
33
34
         -   Integrity algorithm
35
         NOTE 1: What is called "authentication algorithm" in [13] is called "integrity algorithm" in this
36
37
                 specification to avoid confusion with the authentication algorithms used in the AKA
38
                 protocol.
39
             The integrity algorithm is either HMAC-MD5-96 [15] or HMAC-SHA-1-96 [16].
40
41
         NOTE 2: This, in particular, excludes the use of the NULL integrity algorithm.
42
43
             Both integrity algorithms shall be supported by both the UE and the P-CSCF as mandated by [13].
44
             In the unlikely event that one of the integrity algorithms is compromised during the lifetime of this
45
             specification, this algorithm shall no longer be supported.
46
47
         NOTE 3: If only one of the two integrity algorithms is compromised then it suffices for the IMS to
48
                 remain secure that the algorithm is no longer supported by any P-CSCF. The security mode
49
                 set-up procedure (cf. clause 7.2) will then ensure that the other integrity algorithm is selected.
50
51
         -   SPI (Security Parameter Index)
52
53           The SPI is allocated locally for inbound SAs. The triple (SPI, destination IP address, security
54           protocol) uniquely identifies an SA at the IP layer. The UE shall select the SPIs uniquely, and
55
             different from any SPIs that might be used in any existing SAs (i.e. inbound and outbound SAs).
56
             The SPIs selected by the P-CSCF shall be different than the SPIs sent by the UE, cf. section 7.2.
57
58




                                                          15
                                                                                                        S.R0086-0 v1.0


                                                                                                                     1
   NOTE 4: This allocation of SPIs ensures that protected messages in the uplink always differ from                  2
           protected messages in the downlink in, at least, the SPI field. This thwarts reflection attacks.          3
           When several applications use IPsec on the same physical interface the SIP application                    4
           should be allocated a separate range of SPIs.                                                             5
                                                                                                                     6
The following SA parameters are not negotiated:                                                                      7
                                                                                                                     8
   -   Life type: the life type is always seconds;                                                                   9

                                                              32                                                    10
   -   SA duration: the SA duration has a fixed length of 2 -1;                                                     11
                                                                                                                    12
   NOTE 5: The SA duration is a network layer concept. From a practical point of view, the value chosen
                                                                                                                    13
           for "SA duration" does not impose any limit on the lifetime of an SA at the network layer.
                                                                                                                    14
           The SA lifetime is controlled by the SIP application as specified in clause 7.4.                         15
                                                                                                                    16
   -   Mode: transport mode;
                                                                                                                    17
                                                                                                                    18
   -   Key length: the length of the integrity key IKESP depends on the integrity algorithm. It is 128 bits for
                                                                                                                    19
       HMAC-MD5-96 and 160 bits for HMAC-SHA-1-96.
                                                                                                                    20
                                                                                                                    21
Selectors:
                                                                                                                    22

The security associations (SA) have to be bound to specific parameters (selectors) of the SIP flows between         23

UE and P-CSCF, i.e. source and destination IP addresses, transport protocol, and source and destination             24
                                                                                                                    25
ports.
                                                                                                                    26

   -   IP addresses are bound to a pair of SAs, as in clause 6.3, as follows:                                       27
                                                                                                                    28

       -     inbound SA at the P-CSCF:                                                                              29

             The source and destination IP addresses associated with the SA are identical to those in the           30

             header of the IP packet in which the initial SIP REGISTER message was received by the                  31

             P-CSCF.                                                                                                32
                                                                                                                    33

       -     outbound SA at the P-CSCF:                                                                             34

             the source IP address bound to the outbound SA equals the destination IP address bound to the          35

             inbound SA;                                                                                            36
                                                                                                                    37
             the destination IP address bound to the outbound SA equals the source IP address bound to the
                                                                                                                    38
             inbound SA.
                                                                                                                    39
                                                                                                                    40
   NOTE 6: This implies that the source and destination IP addresses in the header of the IP packet in
                                                                                                                    41
           which the protected SIP REGISTER message was received by the P-CSCF need to be the
                                                                                                                    42
           same as those in the header of the IP packet in which the initial SIP REGISTER message was
                                                                                                                    43
           received by the P-CSCF.
                                                                                                                    44
                                                                                                                    45
   -   The transport protocol is either TCP or UDP.
                                                                                                                    46

   -   Ports:                                                                                                       47
                                                                                                                    48

       1. The P-CSCF receives messages protected with ESP from any UE on one fixed port (the                        49

          "protected port") different from the standard SIP port 5060. The number of the protected port is          50

          communicated to the UE during the security mode set-up procedure, cf. clause 7.2. For every               51
                                                                                                                    52
          protected request towards UE, the P-CSCF shall insert the protected port into Via header. No
                                                                                                                    53
          unprotected messages shall be sent from or received on this port. From a security point of view,
                                                                                                                    54
          the P-CSCF may receive unprotected messages from any UE on any port which is different from
                                                                                                                    55
          the protected port.                                                                                       56
                                                                                                                    57
   NOTE 7: The protected port is fixed for a particular P-CSCF, but may be different for different
                                                                                                                    58
           P-CSCFs.




                                                      16
                                                                                                       S.R0086-0 v1.0


 1
 2
           2. For protected or unprotected outbound messages from the P-CSCF (inbound for the UE) any
 3            source port number may be used at the P-CSCF from a security point of view.
 4
 5
           3. For each security association, the UE assigns a local port to send or receive protected messages
 6            to and from the P-CSCF ("protected port"). No unprotected messages shall be sent to or received
 7            on this port. The UE shall use a single protected port number for both TCP and UDP
 8            connections. The port number is communicated to the P-CSCF during the security mode set-up
 9            procedure, cf. clause 7.2. When the UE sends a re-REGISTER request, it shall always pick up a
10            new port number and send it to the network. If the UE is not challenged by the network, the port
11            number shall be obsolete. Annex A of this specification gives detail how the port number is
12            populated in SIP messages. From a security point of view, the UE may send or receive
13            unprotected messages to or from the P-CSCF on any ports which are not the protected ports.
14
15         4. The P-CSCF is allowed to receive only REGISTER messages on unprotected ports. All other
16            messages not arriving on the protected port shall be discarded by the P-CSCF.
17
18         5. For every protected request, the UE shall insert the protected port of the corresponding SA into
19            the Via header. The UE is allowed to receive only the following messages on an unprotected
20            port:
21
22             -   responses to unprotected REGISTER messages;
23
24             -   error messages.
25
26             All other messages not arriving on a protected port shall be discarded by the UE.
27
28
     The following rules apply:
29
30
        1. For each SA which has been established and has not expired, the SIP application at the P-CSCF
31
           stores at least the following data: (UE_IP_address, UE_protected_port, SPI, IMPI, IMPU1, ... ,
32
           IMPUn, lifetime) in an "SA_table".
33
34
        NOTE 8: The SPI is only required when initiating and deleting SAs in the P-CSCF. The SPI is not
35
                exchanged between IPsec and the SIP layer for incoming or outgoing SIP messages.
36
37
        2. The SIP application at the P-CSCF shall check upon receipt of a protected REGISTER message that
38
           the source IP address in the packet header coincides with the UE’s IP address given inserted in the
39
           contact Via header of the protected REGISTER message. If the contact Via header does not
40         explicitly contain the UE’s IP address, but rather a symbolic name then the P-CSCF shall first
41         resolve the symbolic name by suitable means to obtain an IP address.
42
43
        3. The SIP application at the P-CSCF shall check upon receipt of an initial REGISTER message that
44         the pair (UE_IP_address, UE_protected_port), where the UE_IP_address is the source IP address in
45         the packet header and the protected port is sent as part of the security mode set-up procedure (cf.
46         clause 7.2), has not yet been associated with entries in the "SA_table". Furthermore, the P-CSCF
47         shall check that, for any one IMPI, no more than three SAs per direction and per transport protocol
48         are stored at any one time. If these checks are unsuccessful the registration is aborted and a suitable
49         error message is sent to the UE.
50
51      NOTE 9: According to clause 7.4 on SA handling, at most three SAs per direction and per transport
52              protocol need to exist at a P-CSCF for one user at any one time.
53
54      4. For each incoming protected message the SIP application at the P-CSCF shall verify that the correct
55         inbound SA according to clause 7.4 on SA handling has been used. The SA is identified by the pair
56         (UE_IP_address, UE_protected_port) in the "SA_table". The SIP application at the P-CSCF shall
57         further check that the IMPU associated with the SA in the "SA_table" and the IMPU in the received
58         SIP message coincide. If this is not the case the message shall be discarded.




                                                         17
                                                                                                   S.R0086-0 v1.0


                                                                                                                1
5. For each SA which has been established and has not expired, the SIP application at the UE stores at          2
   least the following data: (UE_protected_port, SPI, lifetime) in an "SA_table".                               3
                                                                                                                4
NOTE 10: The SPI is only required to initiate and delete SAs in the UE. The SPI is not exchanged                5
         between IPsec and the SIP layer for incoming or outgoing SIP messages.                                 6
                                                                                                                7
6. When establishing a new pair of SAs (cf. clause 6.3) the SIP application at the UE shall ensure that         8
   the selected number for the protected port, as well as SPI number, do not correspond to an entry in          9
   the "SA_table".                                                                                             10
                                                                                                               11
NOTE 11: Regarding the selection of the number of the protected port at the UE it is generally                 12
         recommended that the UE randomly selects the number of the protected port from a                      13
         sufficiently large set of numbers not yet allocated at the UE. This is to thwart a limited form       14
         of a Denial of Service attack.                                                                        15
                                                                                                               16
7. For each incoming protected message the SIP application at the UE shall verify that the correct             17
   inbound SA according to clause 7.4 on SA handling has been used. The SA is identified by                    18
   UE_protected_port in the "SA table". The source port selector is set to be a wildcard in the UE’s           19
   IPsec database.                                                                                             20
                                                                                                               21
NOTE 12: If the integrity check of a received packet fails then IPsec will automatically discard the           22
         packet.                                                                                               23
                                                                                                               24
8. The lifetime of an SA at the application layer between the UE and the P-CSCF shall equal the                25
   registration period.                                                                                        26
                                                                                                               27
                                                                                                               28
                                                                                                               29
                                                                                                               30
                                                                                                               31
                                                                                                               32
                                                                                                               33
                                                                                                               34
                                                                                                               35
                                                                                                               36
                                                                                                               37
                                                                                                               38
                                                                                                               39
                                                                                                               40
                                                                                                               41
                                                                                                               42
                                                                                                               43
                                                                                                               44
                                                                                                               45
                                                                                                               46
                                                                                                               47
                                                                                                               48
                                                                                                               49
                                                                                                               50
                                                                                                               51
                                                                                                               52
                                                                                                               53
                                                                                                               54
                                                                                                               55
                                                                                                               56
                                                                                                               57
                                                                                                               58




                                                 18
                                                                                                         S.R0086-0 v1.0


 1
 2   7.2           Set-up of security associations (successful case)
 3
 4   Authentication and key agreement procedures are described in Section 6.1.
 5
 6   The set-up of security associations is based on [22]. Annex A of this specification shows how to use [22]
 7   for the set-up of security associations.
 8
 9   In this section the normal case is specified i.e. when no failures occurs. Note that for simplicity some of the
10   nodes and messages have been omitted. Hence there are gaps in the numbering of messages, as the I-CSCF
11   is omitted.
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39                             Figure 6: Successful set-up of security associations.
40
41   The UE sends a Register message towards the S-CSCF to register the location of the UE and to set-up the
42   security mode, cf. clause 6.1. In order to start the security mode set-up procedure, the UE shall include a
43   Security-setup-line in this message.
44
45   The Security-setup-line in SM1 contains the Security Parameter Index value and the protected port selected
46   by the UE. It also contains a list of identifiers for the integrity algorithms which the UE supports.
47
48
49
            SM1:
            REGISTER(Security-setup = SPI_U, Port_U, UE integrity algorithms list)
50
51
52
     SPI_U is the symbolic name of the SPI value (cf. section 7.1) that the UE selects. The syntax of the SPI is
53
     defined in Annex A.
54
55
     Port U is the symbolic name of a pair of port numbers (port1, port2) where port1 defines the destination
56
     port number for inbound messages at the UE that are protected, and port2 defines the source port number
57   for outbound messages at the UE that are protected. The syntax of port1 and port2 is defined in Annex A.
58




                                                          19
                                                                                                         S.R0086-0 v1.0


                                                                                                                      1
Upon receipt of SM1, the P-CSCF temporarily stores the parameters received in the Security-setup-line                 2
together with the UE’s IP address from the source IP address of the IP packet header, the IMPI and IMPU.              3
Upon receipt of SM4, the P-CSCF adds the key IKIM received from the S-CSCF to the temporarily stored                  4
parameters. The P-CSCF then selects the SPI for the inbound SA. The P-CSCF shall define the SPIs such                 5
that they are unique and different from any SPIs as received in the Security-setup-line from the UE.                  6
                                                                                                                      7
   NOTE:      This rule (unique SPIs) is needed since the UE and the P-CSCF use the same key for inbound              8
              and outbound traffic.                                                                                   9
                                                                                                                     10
In order to determine the integrity algorithm the P-CSCF proceeds as follows: the P-CSCF has a list of               11
integrity algorithms it supports, ordered by priority. The P-CSCF selects the first integrity algorithm on its       12
own list which is also supported by the UE.                                                                          13
                                                                                                                     14
The P-CSCF then establishes another pair of SAs in the local security association database.                          15
                                                                                                                     16
The Security-setup-line in SM6 contains the SPI assigned by the P-CSCF and the fixed number of the                   17
protected port at the P-CSCF. It also contains a list of identifiers for the integrity algorithms which the          18
P-CSCF supports.                                                                                                     19
                                                                                                                     20
                                                                                                                     21
       SM6:                                                                                                          22
       4xx Auth_Challenge(Security-setup = SPI_P, Port_P, P-CSCF integrity algorithms list)
                                                                                                                     23
                                                                                                                     24
SPI_P is the symbolic name of the SPI value (cf. section 7.1) that the P-CSCF selects. The syntax of the             25
SPI is defined in Annex A.                                                                                           26
                                                                                                                     27
Port_P is the symbolic name of the port number port1, where port1 defines the destination port number for            28
inbound messages at the P-CSCF that are protected. The port number port2 of the P-CSCF shall be absent               29
in Port_P. The syntax of port1 is defined in Annex A.                                                                30
                                                                                                                     31
Upon receipt of SM6, the UE determines the integrity algorithm as follows: the UE selects the first                  32
integrity algorithm on the list received from the P-CSCF in SM 6 which is also supported by the UE.                  33
                                                                                                                     34
The UE then proceeds to establish another pair of SAs in the local SAD.                                              35
                                                                                                                     36
The UE shall integrity-protect SM7 and all following SIP messages. Furthermore the integrity algorithms
                                                                                                                     37
list received in SM6 shall be included:                                                                              38
                                                                                                                     39
                                                                                                                     40
       SM7:
                                                                                                                     41
       REGISTER(Security-setup = P-CSCF integrity algorithms list)
                                                                                                                     42
                                                                                                                     43
After receiving SM7 from the UE, the P-CSCF shall check whether the integrity algorithms list received in
                                                                                                                     44
SM7 is identical with the integrity algorithms list sent in SM6. If this is not the case the registration            45
procedure is aborted. The P-CSCF shall include in SM8 information to the S-CSCF that the received                    46
message from the UE was integrity protected. The P-CSCF shall add this information to all subsequent                 47
REGISTER messages received from the UE that have successfully passed the integrity check in the P-                   48
CSCF.                                                                                                                49
                                                                                                                     50
SM8:                                                                                                                 51
REGISTER(Integrity-Protection = Successful, IMPI)                                                                    52
                                                                                                                     53
The P-CSCF finally sends SM12 to the UE. SM12 does not contain information specific to security mode                 54
setup (i.e. a Security-setup line), but with sending SM12 not indicating an error the P-CSCF confirms that           55
security mode setup has been successful. After receiving SM12 not indicating an error, the UE can assume             56
the successful completion of the security-mode setup.                                                                57
                                                                                                                     58




                                                      20
                                                                                                        S.R0086-0 v1.0


 1
 2   7.3           Error cases in the set-up of security associations
 3
 4
 5   7.3.1         Error cases related to IMS AKA
 6
 7   Errors related to IMS AKA failures are specified in section 6.1. However, this section additionally
 8   describes how these shall be treated, related to security setup.
 9
10
11
     7.3.1.1           User authentication failure
12
13
     In this case, SM7 fails integrity check by IPsec at the P-CSCF if the IKIM derived from RAND at UE is
14
     wrong. The SIP application at the P-CSCF never receives SM7. It shall delete the temporarily stored SA
15   parameters associated with this registration after a time-out.
16
17
     In case IKIM was derived correctly, but the response was wrong the authentication of the user fails at the
18
     S-CSCF due to an incorrect response. The S-CSCF will send a 4xx Auth_Failure message to the UE, via
19   the P-CSCF, which may pass through an already established SA. Afterwards, both, the UE and the P-CSCF
20   delete the new SAs.
21
22
     7.3.1.2           Network authentication failure
23
24
     If the UE is not able to successfully authenticate the network, the UE shall send a REGISTER message
25
     which may pass through an already established SA, indicating a network authentication failure, to the P-
26
     CSCF. The P-CSCF deletes the new SAs after receiving this message.
27
28
29   7.3.1.3           Synchronisation failure
30
31   In this situation, the UE observes that the AUTN sent by the network in SM6 contains an out-of-range
32   sequence number. The UE shall send a REGISTER message to the P-CSCF, which may pass through an
33   already established SA, indicating the synchronization failure. The P-CSCF deletes the new SAs after
34   receiving this message.
35
36
37   7.3.1.4           Incomplete authentication
38
39
     If the UE responds to an authentication challenge from a S-CSCF, but does not receive a reply before the
40   request times out, the UE shall start a registration procedure if it still requires any IM services. The first
41   message in this registration should be protected with an SA created by a previous successful authentication
42   if one exists.
43
44   If the P-CSCF deletes a registration SA due to its lifetime being exceeded, the P-CSCF should delete any
45   information relating to that registration procedure.
46
47
48
     7.3.2         Error cases related to the Security-Set-up
49
50   7.3.2.1           Proposal unacceptable to P-CSCF
51
52   In this case the P-CSCF cannot accept the proposal set sent by the UE in the Security-Set-up command of
53   SM1. SM6 The P-CSCF shall respond to SM1 indicating a failure, by sending an error response to the UE.
54
55
56   7.3.2.2           Proposal unacceptable to UE
57
58   If the P-CSCF sends in the security-setup line of SM6 a proposal that is not acceptable for the UE, the UE
     shall terminate the registration procedure.




                                                          21
                                                                                                          S.R0086-0 v1.0


                                                                                                                       1
7.3.2.3           Failed consistency check of Security-Set-up lines at the P-CSCF                                      2
                                                                                                                       3
The P-CSCF shall check whether authentication algorithms list received in SM7 is identical with the                    4
authentication algorithms list sent in SM6. If this is not the case the registration procedure is aborted. (Cf.        5
clause 7.2).                                                                                                           6
                                                                                                                       7
                                                                                                                       8

7.4           Authenticated re-registration                                                                            9
                                                                                                                      10

Every registration that includes a user authentication attempt produces new security associations. If the             11

authentication is successful, then these new security associations shall replace the previous ones. This              12

clause describes how the UE and P-CSCF handle this replacement and which SAs to apply to which                        13
                                                                                                                      14
message.
                                                                                                                      15

If the UE has an already active security association, then it shall use this to protect the REGISTER                  16

message. If the S-CSCF is notified by the P-CSCF that the REGISTER message from the UE was integrity-                 17
                                                                                                                      18
protected it may decide not to authenticate the user by means of the AKA protocol. However, the UE may
                                                                                                                      19
send unprotected REGISTER messages at any time. In this case, the S-CSCF shall authenticate the user by
                                                                                                                      20
means of the AKA protocol. In particular, if the UE considers the SA no longer active at the P-CSCF, e.g.,
                                                                                                                      21
after receiving no response to several protected messages, then the UE shall send an unprotected
                                                                                                                      22
REGISTER message.                                                                                                     23
                                                                                                                      24
Security associations may be unidirectional or bi-directional. This clause assumes that security associations
                                                                                                                      25
are unidirectional, as this is the general case. For IP layer SAs, the lifetime mentioned in the following            26
clauses is the lifetime held at the application layer. Furthermore deleting an SA means deleting the SA from          27
both the application and IPsec layer. The message numbers, e.g. SM1, used in the following clauses relate             28
to the message flow given in section 6.1.1.                                                                           29
                                                                                                                      30

7.4.1         Void                                                                                                    31
                                                                                                                      32
                                                                                                                      33

7.4.1a        Management of security associations in the UE                                                           34
                                                                                                                      35

The UE shall be involved in only one registration procedure at a time, i.e. the UE shall remove any data              36
                                                                                                                      37
relating to any previous incomplete registrations or authentications, including any SAs created by an
                                                                                                                      38
incomplete authentication.
                                                                                                                      39

The UE may start a registration procedure with an existing pair of SAs. This will be referred to as the old           40
                                                                                                                      41
SAs. The authentication produces a pair of new SAs. These new SAs shall not by used to protect non-
                                                                                                                      42
authentication traffic until noted during the authentication flow. In the same way, certain messages in the
                                                                                                                      43
authentication shall be protected with a particular SA. If the UE receives a message protected with the
                                                                                                                      44
incorrect SA, it shall discard the message.                                                                           45
                                                                                                                      46
A successful authentication proceeds in the following steps:
                                                                                                                      47
                                                                                                                      48
   -   The UE sends the SM1 message to register with the IMS. If SM1 was protected, it shall be protected
                                                                                                                      49
       with the old outbound SA.
                                                                                                                      50

   -   The UE receives an authentication challenge in a message (SM6) from the P-CSCF. This message                   51
                                                                                                                      52
       shall be protected with the old inbound SA if SM1 was protected and unprotected otherwise.
                                                                                                                      53

   -   If this message SM6 can be successfully processed by the UE, the UE creates the new SAs, which                 54

       are derived according to section 7.1. The lifetime of the new SAs shall be set to allow enough time            55
                                                                                                                      56
       to complete the registration procedure. The UE then sends its response (SM7) to the P-CSCF, which
                                                                                                                      57
       shall be protected with the new outbound SA. Meanwhile, if SM1 was protected, the UE shall use
                                                                                                                      58




                                                      22
                                                                                                       S.R0086-0 v1.0


 1
 2
            the old SAs for messages other than those in the authentication, until a successful message of new
 3          authentication is received (SM12).
 4
 5
        -   The UE receives an authentication successful message (SM12) from the P-CSCF. It shall be
 6          protected with the new inbound SA.
 7
 8
        -   After the successful processing of this message by the UE, the registration is complete. The UE sets
 9
            the lifetime of the new SAs using the maximum of registration timer in the message and the lifetime
10          of the old SAs. For further traffic sent from UE, the new outbound SA is used. The old SA is now
11          deleted. The old inbound SA is kept for receiving messages from P-CSCF. It shall be deleted when
12          either lifetime is expired, or a further SIP message protected with the new inbound SA is
13          successfully received from the P-CSCF. The new SAs are used to protect all traffic.
14
15   A failure in the authentication can occur for several reasons. If the SM1 was not protected, then no
16   protection shall be applied to the failure messages, except the user authentication failure message which
17   shall be protected with the new SA. If SM1 was protected, the old SAs shall be used to protect the failure
18   message, the UE shall delete the new SAs.
19
20   The UE shall monitor the expiry time of registration without authentication and adjust the lifetime of SA it
21   holds to ensure that they live longer than the expiry time given in the registration.
22
23   The UE shall delete any SA whose lifetime is exceeded.
24
25
26
     7.4.2         Void
27
28
29
     7.4.2a        Management of security associations in the P-CSCF
30
     When the S-CSCF initiates an authentication by sending a challenge to the UE, the P-CSCF may already
31
     contain existing SAs from previously completed authentications. It may also contain an existing pair of
32
     SAs from an incomplete authentication. These will be referred to as the old and registration SAs
33
34
     respectively. The authentication produces a pair of new SAs. These new SAs shall not be used to protect
35
     non-authentication traffic until noted during the authentication flow. Similarly certain messages in the
36   authentication shall be protected with a particular SA. If the P-CSCF receives a message protected with the
37   incorrect SA, it shall discard the message.
38
39
     The P-CSCF associates the IMPI given in the registration procedure and all the successfully registered
40   IMPUs related to that IMPI to an SA.
41
42
     A successful authentication proceeds in the following steps:
43
        -   The P-CSCF receives the SM1 message. If SM1 is protected, it shall be protected with the old
44
45
            inbound SA.
46
        -   The P-CSCF forwards the message containing the challenge (SM6) to the UE. This shall be
47
            protected with the old outbound SA, if SM1 was protected and unprotected otherwise.
48
49
        -   The P-CSCF then creates the new SAs, which are derived according to section 7.1. The expiry time
50
            of the new SAs shall be set to allow enough time to complete the registration procedure. The
51
52
            registration SAs shall be deleted if they exist.
53
        -   The P-CSCF receives the message carrying the response (SM7) from the UE. It shall be protected
54
            using the new inbound SA. If SM1 was protected, the old SAs can now be used to protect messages
55
56
            other than those in the authentication.
57
        -    The P-CSCF forwards the successful registration message (SM12) to the UE. It shall be protected
58
             using the new outbound SA. This completes the registration procedure for the P-CSCF. The P-




                                                         23
                                                                                                         S.R0086-0 v1.0


                                                                                                                      1
            CSCF sets the expiry time of the new SAs equal to the maximum of registration timer in the                2
            message and the lifetime of the old SAs.                                                                  3
                                                                                                                      4
    -       After SM12 is sent, the P-CSCF handles the UE related SAs according to the following rules:               5
                                                                                                                      6
        -     If there are old SAs, but SM1 is received unprotected, the P-CSCF considers error cases                 7
              happened, and assumes UE does not have those old SAs for use. In this case, the P-CSCF shall            8
              remove the old SAs.                                                                                     9
                                                                                                                     10
        -     If SM1 is protected with an old SA, the P-CSCF keeps this inbound SA and the corresponding             11
              outbound SA with the UE active, and continues to use them. Any other old SAs are deleted.              12
              The kept old SAs are deleted when either the old SA’s lifetime has expired, or a further SIP           13
              message protected with the new inbound SA is successfully received from the UE. Then further           14
              messages are protected with new SAs. This completes the SA handling procedure for the P-               15
              CSCF.                                                                                                  16
                                                                                                                     17
A failure in the authentication can occur for several reasons. If the SM1 was not protected, then no                 18
protection shall be applied to the failure messages, except the user authentication failure message which            19
shall be protected with the new SA. If SM1 was protected, the old SAs shall be used to protect the failure           20
messages. In both cases, after processing the failure message, the P-CSCF shall delete the new SAs.                  21
                                                                                                                     22
The P-CSCF shall delete any SA whose lifetime is exceeded.                                                           23
                                                                                                                     24
                                                                                                                     25
                                                                                                                     26
                                                                                                                     27
7.5              Rules for security association handling when the UE                                                 28


                 changes IP address                                                                                  29
                                                                                                                     30
                                                                                                                     31
When a UE changes its IP address, e.g. by using the method described in RFC 3041 [18], then the UE shall             32
delete the existing SA's and initiate an unprotected registration procedure using the new IP address as the          33
source IP address in the packets carrying the REGISTER messages.                                                     34
                                                                                                                     35
                                                                                                                     36


8                Secure Memory within UE
                                                                                                                     37
                                                                                                                     38
                                                                                                                     39
For the purposes of this document the secure memory include the collection of IMS security data and                  40
functions on a UE.                                                                                                   41
                                                                                                                     42
                                                                                                                     43
                                                                                                                     44
                                                                                                                     45
8.1              Requirements on the Secure Memory of an IMS                                                         46


                 Capable UE                                                                                          47
                                                                                                                     48
                                                                                                                     49
This section identifies requirements on the secure memory to support IMS access security. It does not                50
identify any data or functions that may be required on the secure memory for non-security purposes.                  51
                                                                                                                     52
The secure memory shall include:                                                                                     53
                                                                                                                     54
    -   The IMPI;                                                                                                    55
                                                                                                                     56
    -   At least one IMPU;
                                                                                                                     57

    -   Home Network Domain Name;                                                                                    58




                                                      24
                                                                                                     S.R0086-0 v1.0


 1
 2
        -   Support for sequence number checking in the context of the IMS Domain;
 3
 4
        -   The same enhanced AKA algorithms as specified in cdma2000 apply for the secure memory;
 5
        -   An authentication Key.
 6
 7
     The secure memory shall deliver the CK to the UE although it is not required that SIP signaling is
 8
     confidentiality protected.
 9
10
     At UE power off the existing SAs (session keys and related information) shall be deleted.
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58




                                                        25
                                                                                                       S.R0086-0 v1.0


                                                                                                                    1
                                                                                                                    2


9        Network Domain Security
                                                                                                                    3
                                                                                                                    4
                                                                                                                    5
This section describes security mechanisms for Security Associations 3, 4 and 5 of Figure 1. This section is        6
applicable independent of negotiation of the SIP security mechanism.                                                7
                                                                                                                    8
                                                                                                                    9

9.1           Inter-domain Security                                                                                10
                                                                                                                   11

Referring to Figure 1, interface 4 provides security between different networks for SIP capable nodes. The         12

involved nodes shall be capable of IPsec [14]. Privacy protection shall be applied with cryptographic              13
                                                                                                                   14
strength greater than DES. Integrity protection shall be applied. IPsec may be used in either transport mode
                                                                                                                   15
or tunnel mode; when used in tunnel mode, one or both of the network security domains may use Security
                                                                                                                   16
Gateways. Security associations between nodes in different networks shall be negotiated using IPsec/IKE
                                                                                                                   17
[25].
                                                                                                                   18
                                                                                                                   19


9.2           Intra-domain Security
                                                                                                                   20
                                                                                                                   21
                                                                                                                   22
The interfaces labeled 3 and 5 in Figure 1 are between SIP-capable nodes in the same network security              23
domain. As this interface exists entirely within one network security domain, the administrative authority         24
may choose any mechanism to secure this interface, including physical security where appropriate.                  25
Cryptographic methods of security, if applied, shall include both privacy and integrity protection, and be at      26
least equivalent to IPsec [14] using triple-DES and HMAC-MD5.                                                      27
                                                                                                                   28
                                                                                                                   29
                                                                                                                   30
                                                                                                                   31
                                                                                                                   32
                                                                                                                   33
                                                                                                                   34
                                                                                                                   35
                                                                                                                   36
                                                                                                                   37
                                                                                                                   38
                                                                                                                   39
                                                                                                                   40
                                                                                                                   41
                                                                                                                   42
                                                                                                                   43
                                                                                                                   44
                                                                                                                   45
                                                                                                                   46
                                                                                                                   47
                                                                                                                   48
                                                                                                                   49
                                                                                                                   50
                                                                                                                   51
                                                                                                                   52
                                                                                                                   53
                                                                                                                   54
                                                                                                                   55
                                                                                                                   56
                                                                                                                   57
                                                                                                                   58




                                                    26
          S.R0086-0 v1.0


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58




     27
                                                                                                         S.R0086-0 v1.0


                                                                                                                      1

Annex A (Normative):                                                                                                  2
                                                                                                                      3

The use of Security Mechanism Agreement for SIP                                                                       4
                                                                                                                      5

Sessions (ref. [22]) for security mode set-up                                                                         6
                                                                                                                      7

The BNF syntax of [22] is defined for negotiating security associations for manually keyed IPsec in the               8

following way:                                                                                                        9
                                                                                                                     10

       security-client               = "Security-Client" HCOLON sec-mechanism *(COMMA sec-                           11

       mechanism)                                                                                                    12
                                                                                                                     13

       security-server               = "Security-Server" HCOLON sec-mechanism *(COMMA sec-                           14

       mechanism)                                                                                                    15
                                                                                                                     16
       security-verify               = "Security-Verify" HCOLON sec-mechanism *(COMMA sec-                           17

       mechanism)                                                                                                    18
                                                                                                                     19
       sec-mechanism                 = mechanism-name *(SEMI mech-parameters)                                        20
                                                                                                                     21
       mechanism-name                = "ipsec-3gpp"                                                                  22
                                                                                                                     23
       mech-parameters               = ( preference / algorithm / protocol / mode / encrypt-algorithm / spi /        24
       port1 / port2 / transport )                                                                                   25
                                                                                                                     26
       preference                             = "q" EQUAL qvalue                                                     27
                                                                                                                     28
       qvalue                                          = ( "0" [ "." 0*3DIGIT ] ) / ( "1" [ "." 0*3("0") ] )         29
                                                                                                                     30
       algorithm                              = "alg" EQUAL ( "hmac-md5-96" / "hmac-sha-1-96 " )
                                                                                                                     31
                                                                                                                     32
       protocol                               = "prot" EQUAL ( "ah" / "esp" )
                                                                                                                     33

       mode                                            = "mod" EQUAL ( "trans" / "tun" )                             34
                                                                                                                     35

       encrypt-algorithm = "ealg" EQUAL ( "des-ede3-cbc" / "null" )                                                  36
                                                                                                                     37
       spi                                                      = "spi" EQUAL spivalue                               38
                                                                                                                     39
       spivalue                               = 10DIGIT; 0 to 4294967295                                             40
                                                                                                                     41
       port1                                           = "port1" EQUAL port                                          42
                                                                                                                     43
       port2                                           = "port2" EQUAL port                                          44
                                                                                                                     45
       port                                            = 1*DIGIT                                                     46
                                                                                                                     47
                                                                                                                     48
                                                                                                                     49
The parameters described by the BNF above have the following semantics:
                                                                                                                     50

       Mechanism-name: For manually keyed IPsec, this field includes the value "ipsec-3gpp".                         51
                                                                                                                     52

       Preference: As defined in [22].                                                                               53
                                                                                                                     54
       Algorithm: If present, defines the authentication algorithm. May have a value "hmac-md5-96" for               55
       algorithm defined in [15], "hmac-sha-1-96" for algorithm defined in [16].                                     56
                                                                                                                     57
                                                                                                                     58




                                                      28
                                                                                                  S.R0086-0 v1.0


 1
 2
       Protocol: Defines the IPsec protocol. May have a value "ah" for [19] and "esp" for [13]. If no
 3     Protocol parameter is present, the value will be "esp".
 4
 5
     NOTE:    According to clause 6 only "esp" is allowed for use in IMS.
 6
 7
       Mode: Defines the mode in which the IPsec protocol is used. May have a value "trans" for transport
 8
       mode, and value "tun" for tunneling mode. If no Mode parameter is present, the value will be
 9
       "trans".
10
11
     NOTE:    According to clause 6.3 ESP integrity shall be applied in transport mode i.e. only "trans" is
12
              allowed for use in IMS.
13
       Encrypt-algorithm: If present, defines the encryption algorithm. May have a value "des-ede3-cbc"
14
15
       for algorithm defined in [20] or "null" if encryption is not used. If no Encrypt-algorithm parameter is
16
       present, the algorithm will be "null".
17
     NOTE:    According to clause 6.2 no encryption is provided in.
18
19
       Spi: Defines the SPI number used for inbound messages.
20
21
     NOTE:    The SPI number will be used for outbound messages for the entity which did not generate the
22
              "spi" parameter
23
24     Port1: Defines the destination port number for inbound messages that are protected
25
26     Port2: Defines the source port number for outbound messages that are protected. If no Port2
27     parameter is present it is set to be a wildcard by the receiver.
28
29
30
31     It is assumed that the underlying IPsec implementation supports selectors that allow all transport
32     protocols supported by SIP to be protected with a single SA.
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58




                                                    29
                                                                                                S.R0086-0 v1.0


                                                                                                             1
                                                                                                             2


Annex B (Normative):
                                                                                                             3
                                                                                                             4


Key expansion functions for IPsec ESP                                                                        5
                                                                                                             6
                                                                                                             7
If the selected authentication algorithm is HMAC-MD5-96 then IKESP = IKIM.                                   8
                                                                                                             9
If the selected authentication algorithm is HMAC-SHA-1-96 then IKESP is obtained from IKIM by               10
appending 32 zero bits to the end of IKIM to create a 160-bit string.                                       11
                                                                                                            12
                                                                                                            13
                                                                                                            14
                                                                                                            15
                                                                                                            16
                                                                                                            17
                                                                                                            18
                                                                                                            19
                                                                                                            20
                                                                                                            21
                                                                                                            22
                                                                                                            23
                                                                                                            24
                                                                                                            25
                                                                                                            26
                                                                                                            27
                                                                                                            28
                                                                                                            29
                                                                                                            30
                                                                                                            31
                                                                                                            32
                                                                                                            33
                                                                                                            34
                                                                                                            35
                                                                                                            36
                                                                                                            37
                                                                                                            38
                                                                                                            39
                                                                                                            40
                                                                                                            41
                                                                                                            42
                                                                                                            43
                                                                                                            44
                                                                                                            45
                                                                                                            46
                                                                                                            47
                                                                                                            48
                                                                                                            49
                                                                                                            50
                                                                                                            51
                                                                                                            52
                                                                                                            53
                                                                                                            54
                                                                                                            55
                                                                                                            56
                                                                                                            57
                                                                                                            58




                                                 30
                                                                                                       S.R0086-0 v1.0


 1
 2
 3   Annex C (Normative):
 4
 5
     Recommendations to protect the IMS from UEs
 6
 7
     bypassing the P-CSCF
 8
 9
     After the UE does a successful SIP REGISTER with the P-CSCF, malicious UE could try to send SIP
10
     messages directly to the S-CSCF. This could imply that the UE would be able to bypass the integrity
11   protection provided by IPSec ESP between the UE and the P-CSCF.
12
13
              NOTE: [8] defines a trust domain that consists of the P-CSCF, the I-CSCF, the S-CSCF, the
14
                    BGCF, the MGCF, the MRFC and all the AS’s that are not provided by 3rd party service
15                  providers. There are nodes in the edge of the trust domain that are allowed to provide
16                  with an asserted identity header. The nodes in the trust domain will trust SIP messages
17                  with asserted identity header. The asserted identity information is useful as long as the
18                  interfaces in an operator’s network can be trusted.
19
20   If a UE manages to bypass the P-CSCF it presents at least the following problems:
21
22   1) The P-CSCF is not able to generate any charging information.
23
24
     2) Malicious UE could masquerade as some other user (e.g. it could potentially send INVITE or BYE
25
        messages).
26
27
     The following recommendations for preventing attacks based on such misbehavior are given:
28
              •   Access to S-CSCF entities shall be restricted to the core network entities that are required for
29
30
                  IMS operation only. It shall be ensured that no UE is able to directly send IP packets to IMS-
31
                  entities other than the required ones, i.e. Assigned P-CSCF, or HTTP servers.
32
33
              •   Impersonation of IMS core network entities at IP level (IP spoofing), especially
34
                  impersonation of P-CSCFs by UEs shall be prevented.
35
36
              •   It is desirable to have a general protection mechanism against UEs spoofing (source) IP
37
                  addresses in any access network providing access to IMS services.
38
39
     If neither inter-CSCF traffic nor CSCF-SEG traffic can be trusted and if this traffic is not protected by
40
     [5][24] mechanisms, then physical protection measures or IP traffic filtering should be applied. This is
41
     anyhow not in the scope of 3GPP2 specification.
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58




                                                         31

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:25
posted:8/25/2012
language:Unknown
pages:39