HRPD Roamer Authentication

Zhibi Wang, Sarvar Patel, Simon Mizikovsky, Nancy Lee

What’s in the TIA-835-2-C standard for Simple IP

3.2.1.3 PPP Session Authentication

The PDSN shall support the two authentication mechanisms: CHAP and PAP. The PDSN shall also support a configuration option to allow an MS to receive Simple IP service without CHAP or PAP. The PDSN shall propose CHAP in an initial LCP Configure-Request message that the PDSN sends to the MS during the PPP establishment. If the PDSN receives an LCP Configure-NAK from the MS containing PAP, the PDSN shall accept PAP by sending an LCP Configure-Request message with PAP. If the PDSN … is configured to allow the MS to receive Simple IP service without CHAP or PAP, the PDSN shall respond with an LCP Configure-Request without the Authentication-Protocol option and shall adhere to the guidelines in Section 3.2.2.1 for NAI construction for accounting purposes.

What’s in the TIA-835-2-C standard for Mobile IP

4.2.1.3 Authentication

The PDSN shall initially propose CHAP in an LCP Configure-Request message to the MS. The PDSN shall re-send an LCP Configure-Request message without the authentication option after receiving the LCP Configure-Reject (CHAP or PAP) from the MS.

4.2.2.1 Agent Advertisements

For the MS that uses Mobile IP, the PDSN shall begin transmission of an operator configurable number of Agent Advertisements

4.2.2.3 MIP Extensions [PDSN Requirements]

The PDSN shall include the MN-FA Challenge Extension [RFC 3012] in the Agent Advertisement.

What’s in the TIA-835-2-C standard for Mobile IP (cont.)

4.2.3 MIP Authentication Support [Home Agent Requirements]

When the HA receives an RRQ from a PDSN, it authenticates the RRQ using the MN-HA shared key. …Based on the policy of the home network, the HA may also process the MN-AAA Authentication Extension as specified in RFC 3012, if included in the RRQ.

4.5.2.3 MIP Extensions [MS Requirements]

The MS shall include the MN-NAI Extension [RFC 2794], MN-HA Authentication Extension [RFC 2002], MN-FA Challenge Extension [RFC 3012], and MN-AAA Authentication Extension [RFC 3012] in the RRQ message. …The MS shall compute the MN-AAA Authentication Extension, according to RFC 3012, based on the shared secret the MS has with the Home RADIUS server. … The MS may use the same shared-secret or different shared secrets in the computation of the MN-AAA Authentication Extension and MN-HA Authentication Extension.

What’s in the TIA-878-1 standard

2.4.1.3 Access Authentication

The AT shall support CHAP for the PPP instance on the access stream. If the AN supports access authentication, the AN shall support CHAP for the PPP instance on the access stream. In this case, the AN shall always propose CHAP as a PPP option …

2.4.2 AN-AAA Support

If the AN supports access authentication and the A12 interface, the AN shall support the RADIUS client protocol… and shall communicate user CHAP access authentication information to the visited AN-AAA in an Access-Request message on the A12 interface. For an AN-AAA to recognize that the transaction is related to access authentication, the Access-Request message may contain an additional 3GPP2 vendor specific attribute.

Summary of what’s in the standards

PDSN-level authentication is optional for Simple IP service.
– PDSN may allow Simple IP service without CHAP or PAP.

PDSN-level authentication is mandatory for Mobile IP service.
– PDSN shall support Mobile IP authentication.
– The Home-AAA shall validate the MN-HA Authentication Extension, and may also process the MN-AAA Authentication Extension.
– MN-HA and MN-AAA authentication may use the same or different shared secret.

A12 AN-level authentication is optional.
– A12 and AN-level authentication are completely independent of PDSN-level authentication. (Separate PPP sessions.)
– If used, AN-level authentication is performed first. If successful, then proceed to PDSN-level authentication.

In addition, CDG Document 79 “Wireless Data Roaming Requirements and Implementation Phase 1” recommends that the visited network should require authentication and authorization with the AN-AAA.

Some Terminology

AN_NAI: the NAI sent in the PPP session for AN-level authentication (e.g., [email protected])
PDSN_NAI: the NAI sent in the PPP session for PDSN-level authentication (e.g., [email protected])
Operator A: operator providing Simple IP service and using AN-level authentication for their subscribers
Operator P: operator providing Mobile IP service and using PDSN-level authentication for their subscribers
AN_P: Operator P’s Access Network
AN-AAA_P: Operator P’s AAA connected via A12 to the AN
PDSN_P: Operator P’s PDSN
PDSN-AAA_P: Operator P’s AAA connected to the PDSN
AN_NAI_P: the NAI sent for AN-level authentication, when the NAI has Operator P’s domain name (e.g., [email protected])
PDSN_NAI_P: the NAI sent for PDSN-level authentication, when the NAI has Operator P’s domain name

(The subscript in the original slides is written here as _P or _A; the same notation with A denotes Operator A’s entities and NAIs.)

EV-DO Architecture Reference Model

[Figure: reference model. The AT connects over the Air Interface to the Source AN/PCF; A13 connects the Source AN/PCF and the Target AN/PCF; A12 (RADIUS) connects the AN to the AN AAA; A10 and A11 connect the AN/PCF to the PDSN; the PDSN connects to the PDSN AAA via RADIUS.]

Call Flow: Auth in Operator P Network

[Sequence diagram; participants AT_P, AN_P, AN-AAA_P, PDSN_P, PDSN-AAA_P. Messages shown: Session Establishment (AT_P–AN_P); A11-Registration Request / A11-Registration Reply (AN_P–PDSN_P); PPP establishment with CHAP challenge / CHAP response (AT_P–PDSN_P); Access-Request(PDSN_NAI_P) / Access-Accept (PDSN_P–PDSN-AAA_P). No A12 exchange with AN-AAA_P appears: Operator P authenticates its subscribers at the PDSN level only.]

Call Flow: Auth in Operator A Network

[Sequence diagram; participants AT_A, AN_A, AN-AAA_A, PDSN_A, PDSN-AAA_A. Messages shown: Session Establishment (AT_A–AN_A); PPP Establishment with CHAP challenge / CHAP response on the access stream (AT_A–AN_A); A12 Access-Request(AN_NAI_A) / A12 Access-Accept (AN_A–AN-AAA_A); A11-Registration Request / A11-Registration Reply (AN_A–PDSN_A); PPP establishment with CHAP challenge / CHAP response (PDSN_NAI_A, default password) (AT_A–PDSN_A); Access-Request(PDSN_NAI_A) / Access-Accept (PDSN_A–PDSN-AAA_A).]

Call Flow: Roaming Auth in Operator P

[Sequence diagram; AT_A visiting Operator P. Visited-network participants AN_P, AN-AAA_P, PDSN_P, PDSN-AAA_P; home-network participants AN-AAA_A and PDSN-AAA_A (AN_A and PDSN_A are drawn but exchange no messages). Messages shown: Session Establishment (AT_A–AN_P); PPP Establishment with CHAP challenge / CHAP response on the access stream (AT_A–AN_P); Access-Request(AN_NAI_A) / Access-Accept (AN_P–AN-AAA_P), forwarded as Access-Request(AN_NAI_A) / Access-Accept (AN-AAA_P–AN-AAA_A); A11-Registration Request / A11-Registration Reply (AN_P–PDSN_P); PPP establishment with CHAP challenge / CHAP response (PDSN_NAI_A, default password) (AT_A–PDSN_P); Access-Request(PDSN_NAI_A, default password) / Access-Accept (PDSN_P–PDSN-AAA_P), forwarded as Access-Request(PDSN_NAI_A) / Access-Accept (PDSN-AAA_P–PDSN-AAA_A).]

Call Flow: Roaming Auth in Operator A

[Sequence diagram; AT_P visiting Operator A. Visited-network participants AN_A, AN-AAA_A, PDSN_A, PDSN-AAA_A; home-network participants AN-AAA_P and PDSN-AAA_P (AN_P and PDSN_P are drawn but exchange no messages). Messages shown: Session Establishment (AT_P–AN_A); PPP Establishment with CHAP challenge / CHAP response on the access stream (AT_P–AN_A); Access-Request(AN_NAI_P) / Access-Accept (AN_A–AN-AAA_A), forwarded as Access-Request(AN_NAI_P) / Access-Accept (AN-AAA_A–AN-AAA_P); A11-Registration Request / A11-Registration Reply (AN_A–PDSN_A); PPP establishment with CHAP challenge / CHAP response (PDSN_NAI_P) (AT_P–PDSN_A); Access-Request(PDSN_NAI_P) / Access-Accept (PDSN_A–PDSN-AAA_A), forwarded as Access-Request(PDSN_NAI_P) / Access-Accept (PDSN-AAA_A–PDSN-AAA_P).]

Potential Attack: Attacker in Operator P

[Sequence diagram; attacker AT (labelled AT_P) in Operator P. Visited-network participants AN_P, AN-AAA_P, PDSN_P, PDSN-AAA_P; Operator A participants AN-AAA_A and PDSN-AAA_A (AN_A and PDSN_A are drawn but exchange no messages). Messages shown: Session Establishment (AT_P–AN_P); PPP Establishment with CHAP challenge / CHAP response on the access stream (AT_P–AN_P); Access-Request(AN_NAI_P) / Access-Accept (AN_P–AN-AAA_P), with no forwarding to Operator A; A11-Registration Request / A11-Registration Reply (AN_P–PDSN_P); PPP establishment with CHAP challenge / CHAP response (PDSN_NAI_A, default password) (AT_P–PDSN_P); Access-Request(PDSN_NAI_A, default password) / Access-Accept (PDSN_P–PDSN-AAA_P), forwarded as Access-Request(PDSN_NAI_A) / Access-Accept (PDSN-AAA_P–PDSN-AAA_A).]

Potential Attack: Attacker in Operator P (cont.)

NAI and Authentication at the AN level and the PDSN level are independent and can be different.

Attacker uses AN_NAI_P at the AN level, causing AN-level authentication to be skipped because Operator P thinks this is its own user, and authentication will be performed at the PDSN level.

Attacker uses PDSN_NAI_A at the PDSN level, causing
– PDSN-level authentication to be skipped because Operator P thinks the user is a roamer and the authentication has been performed at the AN level; or
– If Operator P forwards the authentication request to Operator A’s PDSN-AAA, the attack still succeeds if the attacker knows Operator A’s default CHAP password, because Operator A will return Access-Accept.

The attack scenario is possible even if the standards are strictly followed.

Solution to the Attack

Ensure that AN_NAI and PDSN_NAI are the same.
– The network must verify that the Device attempting access is associated with the Subscription receiving services.

AN shall report the AN_NAI (the NAI that is used by the AT at system access) to the PDSN by including it in the A11-Registration Request message.

PDSN shall verify that the PDSN_NAI received from the AT in the CHAP response matches the AN_NAI received from the AN in the A11-Registration Request message. If the two NAIs don’t match, terminate the session.

Requires a minor A11 interface change to carry the AN_NAI (e.g., HRPD AT_ID) to the PDSN.

Could be viewed as an implementation issue, but would require coordination of proprietary solutions between the Operators.