Upload
giles-carr
View
212
Download
0
Tags:
Embed Size (px)
Citation preview
WISTP 2008, May 13-16, Sevilla [email protected]
Network Smart Card Performing U(SIM)
Functionalities in AAA Protocol Architectures
Joaquin Torres, A. Izquierdo, M. Carbonell and J.M. Sierra
Carlos III University of Madrid, SpainComputer Science Department
WISTP 2008, May 13-16, Sevilla [email protected] 3
Introduction
WLANs deployment: SOHO, campus, residential and public
environments the number of public hotspotspublic hotspots is
continuously proliferating, and this allows the information to be accessible in any time and any place
3G mobile systems as a competitive solution wide geographical area coverage effective roamings other advantages:
such as reliability, throughput, value-added services and contents
WISTP 2008, May 13-16, Sevilla [email protected] 4
Networks Convergence However,
expensive investmentexpensive investment required by the 3G networks forces to the operators to look for more profitable look for more profitable
and versatile solutionsand versatile solutions (leakage of subscribers?) Comparing features:
WLANs provide services with significant transmission rates…significant transmission rates… in high demand zoneshigh demand zones and when the mobility is not a requirementmobility is not a requirement
3G systems high mobility, wide coverage, well-established voice services… …but lower transmission rateslower transmission rates, so they are more
adequate for low/medium demandlow/medium demand
WISTP 2008, May 13-16, Sevilla [email protected] 5
Convergence: 3G/WLAN interworking
WLAN and 3G networks are complementarycomplementary: 3G/WLAN interworking
I-3G/WLAN is a clear trend in the public access infrastructures (PWLAN , Public Wireless LAN)
3GPP TS 23.234 v7.3.0: 3GPP System to Wireless Local Area Network (WLAN) Interworking System Description (September 2006)
WISTP 2008, May 13-16, Sevilla [email protected] 6
3G/WLAN Interworking features development of mobile servicesmobile services with
high transmission rates e.g. IP-based multimedia services, IMS
transparent roamingroaming between both technologies smart switching, with the goal: keep
initiated sessions
Ad-hoc user services: QoSQoS profiled subscribers, preserving the quality of services.
WISTP 2008, May 13-16, Sevilla [email protected] 7
3G/WLAN Authentication Infrastructure Subscriber
must be authenticatedauthenticated before her access to network services is authorized
personalized credentialscredentials
User’s multimode devices e.g. laptops, smartphones, PDAs, etc. require the appropriate secure module secure module
Solution: the authentication schemes are based on
a combination of the solutions that were initially supported by these two systems.
WISTP 2008, May 13-16, Sevilla [email protected] 8
3G/WLAN: authentication convergence SIM-based solution, simultaneously inherit
from: WLAN systems: EAPoL-basedEAPoL-based (i.e. 802.1X/EAP,
RADIUS or DIAMETER) chip card-based U(SIM)chip card-based U(SIM) inherited from stand-alone
3G systems authentication schemes supported by 3GPP
subscriber registerssubscriber registers (i.e. HLR/HSS)
Advantages… Devices are ready! User is accustomed to SIM Module/HW secure 3G/WLAN Netw. Operators do not require
additional security credentials
WISTP 2008, May 13-16, Sevilla [email protected] 9
3G/WLAN Reference Model
Red de Acceso WLAN
WLAN -UE
Packet DataGateway
HSS
HLR
OfflineChargingSystem
OCS
'
Intranet / Internet
3GPP AAAProxy
OfflineChargingSystem
WAG
Acc
eso
IP W
LAN
/ 3
GPP
3GPP AAAServer
SLF
Home 3GPP Network
WLAN -UE
Packet DataGateway
HSS
HLR
OfflineChargingSystem
OCS
'
Intranet / Internet
WLAN Access Network
WLAN -UE
Packet DataGateway
HSS
HLR
OfflineChargingSystem
OCS
'
Intranet / Internet
Visited 3GPP Network
3GPP AAAProxy
OfflineChargingSystem
WAG
IP W
LAN
/ 3
GPP A
ccess
3GPP AAAServer
SLF
Internet
3GPP TS 23.234 v7.3.0: 3GPP System to Wireless Local Area Network (WLAN) Interworking System Description (September 2006)
ETSI TS 133 234 V7.5.0, 3GPP System to Wireless Local Area Network (WLAN) Interworking Security System (June 2007)
WISTP 2008, May 13-16, Sevilla [email protected] 10
3G Mobile Systems Authentication: AKA
{RAND||CK|| IK|| AUTN}AUTH[{RAND||CK|| IK|| AUTN}]
3G MS
U(SIM)
RES
RNS
3G-SGSN
{RAND,XRES,CK, IK, AUTN} =f(IMSI)
RES= f2(K, RAND)
RES
RES=?
XRES
HLR/AuC
Verifies MAC by f1Verifies MAC by f1Decrypts SQN by f5Decrypts SQN by f5Checks freshness SQNChecks freshness SQN
Derives CK by f3Derives CK by f3Derives IK by f4Derives IK by f4
WISTP 2008, May 13-16, Sevilla [email protected] 11
AAAAAASERVERSERVER
Visited WLANVisited WLAN
Home WLANHome WLAN
Example scenario: convergence authentication
Home 3G Home 3G Network Network
ProxyAAA
HLR/AuC
ProxyAAA
3G-SGSN
gatewaygateway
WISTP 2008, May 13-16, Sevilla [email protected] 12
3G/WLAN: convergence in authentication EAP-SIM and EAP-AKA
SIM-based authentication schemes standardized protocols End-to-end mutual authentication between the
mobile stationmobile station and the backend authentication backend authentication serverserver
802.11
EAPoL
EAP
802.11
EAPoL
EAP
RADIUS/DIAMETERClient
UDP/IP
L2/L1
RADIUS/DIAMETERServer
UDP/IP
L2/L1
EAP
EAP-SIM/AKA EAP-SIM/AKA
WLAN MS
RADIUS/DIAMETER Proxies
UDP/IP
L2/L1
AP Network AAA Proxies
3G AAA Server
U(SIM)
WLAN DOMAIN WAN DOMAIN + CELLULAR NETWORK
WISTP 2008, May 13-16, Sevilla [email protected] 13
A quick trust analysis both devices blindly trustblindly trust each other they behave as an unique supplicantunique supplicant this is not a by default
recommendable assumption the authentication scheme should be
designed to protect against any potential against any potential scenarioscenario
e.g.WLAN MS is an a priori untrustworthya priori untrustworthy terminal.
Conclusion: additional authentication mechanismsadditional authentication mechanisms
should be provided?
WISTP 2008, May 13-16, Sevilla [email protected] 14
Stand-alone device…stand-alone suplicant
Access Network Core NetworkAccess DeviceSupplicant Device
PSTNDedicated-lines
3GPP
MultimodeMS
Smart Cards
AAA services
IP-basedAAA
AAA
Use
r
Oth
er
Serv
ices
InternetWLAN
WISTP 2008, May 13-16, Sevilla [email protected] 15
Motivation Our new approach starts from a different a different
authentication modelauthentication model that considers: an isolated U(SIM) with autonomy during the
authentication process. participates as stand-alone supplicant or claimant,
and not relies on the access terminal (i.e. WLAN mobile
station) for this functionality.
Additionally, this work assumes an a priori a priori untrustworthy environmentuntrustworthy environment: the WLAN MSWLAN MS is considered as a potential potential
attackerattacker. Hence, the WLAN MS should be authenticated by
the network as a different host from U(SIM). Required: Device Authentication previous to SM
WISTP 2008, May 13-16, Sevilla [email protected] 16
Goals
To define an AAA architecture, which represents a more robust and flexible solution in terms of security. Feasible for untrustworthy environments
To provide efficient SIM-based mobile stations’ customization or personalization in critical or public environments.
Convergence (netw1,netw2)Convergence (Smart Device,
)Authentication
WISTP 2008, May 13-16, Sevilla [email protected] 17
Our Network Smart Card concept In a previous work, we proposed a
Network Smart Card (NSC) with Network Smart Card (NSC) with authentication purposesauthentication purposes: Atomic smart card authentication protocol
design: the authentication protocol should be designed as an integral part of the smart card. We propose a specific protocol stack for the card
End-to-end mutual authentication schema: the smart card participates as a communication extreme.
IETF Layer 2 authentication (IP layer is not required)
WISTP 2008, May 13-16, Sevilla [email protected] 18
…details Our Network Smart Card (NSC) approach
Other approaches…
ISO7816
PPP
EAP
ISO7816
PPP
EAP pass-through
EAP-type
SupplicantSmart Card
Terminal
• Pass-through authenticatorPass-through authenticatoraccording to EAP (acc. IETF)according to EAP (acc. IETF)
• AP/ NAS EAP-basedAP/ NAS EAP-based
EAP-type=EAP-AKA
WISTP 2008, May 13-16, Sevilla [email protected] 19
Related Work EAP-SIM/AKA solutions:
many works but focused on 3G/WLAN interworking security (network side)
usually, problems derived from original SIM/AKA protocols
Alternatives: EAP-TTLS, EAP-TLS, etc. Assumption about the (U)SIM-WLAN_UE trust
relationship blind trust: they behave as an unique supplicant
Summarized: U(SIM) stores stores the corresponding subscriber subscriber
authentication credentialsauthentication credentials And computes the envisaged cryptographic cryptographic
algorithmsalgorithms in SIM/AKA protocols, on the behalf of mobile station.
WISTP 2008, May 13-16, Sevilla [email protected] 20
Related Work Versatile solutions are missed
Example: consider an U(SIM) that may be an external smart card that customizes (temporal personalization) a public wireless terminal for a 3G/WLAN access.
In such a case, the U(SIM) behaviour as an stand-alone supplicant is highly recommendable. So it should be isolated and protected.
WISTP 2008, May 13-16, Sevilla [email protected] 21
New NSC-based AAA Protocol Architecture in 3G/WLAN
ISO7816
PPP
EAP
ISO7816
PPP
EAPDIAMETER
Client
UDP/IP
802.11
DIAMETERServer
UDP/IP
L2/L1
EAP
EAP-AKA EAP-AKA
NSC-based U(SIM)
DIAMETER Proxies
UDP/IP
L2/L1
WLAN MS Network AAA
Proxies
802.11 L2/L1
AP Bridge 3G AAA Server
WISTP 2008, May 13-16, Sevilla [email protected] 22
Features U(SIM) remote authentication scheme:
stand-alone supplicantstand-alone supplicant functionality instead of split supplicant functionality: the U(SIM) and WLAN MS does not cooperate in the authentication process as an unique device.
the authentication protocol stackauthentication protocol stack is designed as an integral part of the U(SIM)integral part of the U(SIM) (atomic design) to participate as actual endpoint in the authentication process with a 3G AAA server.
ISO7816
PPP
EAP
EAP-AKA
NSC-based U(SIM)
WISTP 2008, May 13-16, Sevilla [email protected] 23
…features Minimal changes in the original
architecture 3G network side does not require changes proxies and end-equipments keep settings and
implementation features.
DIAMETERServer
UDP/IP
L2/L1
EAP
EAP-AKA
DIAMETER Proxies
UDP/IP
L2/L1
Network AAA Proxies
3G AAA Server
WISTP 2008, May 13-16, Sevilla [email protected] 24
..features WLAN Mobile Station participates as a
Network Access Server (NAS) Network Access Server (NAS) implementing the role of pass-through implementing the role of pass-through authenticatorauthenticator as a DIAMETER client This reinforces the stand-alone supplicant
functionality in the U(SIM), since WLAN MS cannot act as supplicant and authenticator at the same time for the same U(SIM).
ISO7816
PPP
EAPDIAMETER
Client
UDP/IP
802.11
WLAN MS
802.11 L2/L1
AP Bridge
WISTP 2008, May 13-16, Sevilla [email protected] 25
…features U(SIM) isolation:
advantages with regard to assure the security of the entire scheme in untrustworthy scenarios.
Our architecture takes advantage of the functions of the LCP protocol (i/ PPP): LCP/PPP protocol may be easily hosted in
the U(SIM) stack. EAP was initially designed for PPP
EAP Layer allows: packets exchange between the
EAP-SIM/AKA methods and LCP frames duplication and retransmissions control.
WISTP 2008, May 13-16, Sevilla [email protected] 26
Authentication Flow in our AAA Architecture
WLAN MS
3G AAAServer
NSC-based U(SIM)
XRES=?RES
4. DIAMETER/EAP Request/AKA-Challenge [RAND, AUTN, MAC, Encrypted ID]4. DIAMETER/EAP Request/AKA-Challenge [RAND, AUTN, MAC, Encrypted ID]
2. PPP/EAP Response/Identity [IMSI or Pseudonym]2. PPP/EAP Response/Identity [IMSI or Pseudonym]
6. PPP/EAP Response/AKA-Challenge [RES, MAC]6. PPP/EAP Response/AKA-Challenge [RES, MAC]
7. DIAMETER/EAP Response/AKA-Challenge [RES, MAC]7. DIAMETER/EAP Response/AKA-Challenge [RES, MAC]
3. DIAMETER/EAP Response/Identity [IMSI or Pseudonym]3. DIAMETER/EAP Response/Identity [IMSI or Pseudonym]
0. EAP Request/Identity0. EAP Request/Identity
5. PPP/EAP Request/AKA-Challenge [RAND, AUTN, MAC, Encrypted ID]5. PPP/EAP Request/AKA-Challenge [RAND, AUTN, MAC, Encrypted ID]
9. DIAMETER/EAP Success9. DIAMETER/EAP Success
11. Secure channel establishment 11. Secure channel establishment
1100. PPP/EAP Success. PPP/EAP Success
1. PPP/EAP Request/Identity1. PPP/EAP Request/Identity
8. Validation8. Validation
WISTP 2008, May 13-16, Sevilla [email protected] 27
Security and Trust Issues We are not proposing a new U(SIM) not proposing a new U(SIM)
authentication protocolauthentication protocol in the context of 3G/WLAN interworking.
Our architecture is designed by well-designed by well-known protocolsknown protocols that are implemented inside the U(SIM) with a novel approach. new way to transport authentication
messages between the U(SIM) and a 3G AAA server
and U(SIM) takes the control in the user side. Security weakness and threatsSecurity weakness and threats are
derived by the own nature of such standardized protocols and the correctness of their implementation.
WISTP 2008, May 13-16, Sevilla [email protected] 28
Security and Trust Issues
new secure algorithms, key material new secure algorithms, key material or cryptographic techniques are not or cryptographic techniques are not requiredrequired
The implementation of the EAP-AKA EAP-AKA method is transparently reusedmethod is transparently reused, both in the U(SIM) side and in the 3G AAA Server side.
WISTP 2008, May 13-16, Sevilla [email protected] 29
Trust Models Relevant impact of our proposal is
related to the trust models Trust model, derived from the originaloriginal
AAA protocol architecture in a 3G/WLAN interworking scenario:
nAUTAAA3GPP
Server
U(SIM)
WLANMS
explicit
Proxies
APimplicit
explicit
User DomainUser Domain PuPublic Domain, untrustworthyblic Domain, untrustworthy environmentenvironment
blind
WISTP 2008, May 13-16, Sevilla [email protected] 30
Our Trust Model ““blind trust” assumptionblind trust” assumption should not be
applied to all scenarios and a more flexible solution is required
Our goal: to introduce a more realistic architecture, which a new trust modelnew trust model is derived from
nAUTAAA3GPP
Server
U(SIM)
WLANMS
explicit
Proxies
APimplicit
explicit
explicit
Public Domain, untrustworthy environmentPublic Domain, untrustworthy environmentUser DomainUser Domain
implicit
WISTP 2008, May 13-16, Sevilla [email protected] 31
Our Trust Model the trust relationship between the
WLAN MS and the 3G AAA server is 3G AAA server is supported by DIAMETERsupported by DIAMETER protocol
the WLAN MS is part of the network and it behaves as an Access PointAccess Point for the U(SIM)
just when U(SIM) and 3G AAA server mutually trust each other, then U(SIM) trusts WLAN MS. Our AAA architecture aims to provide
robustness with this goal This is a reasonable result in a priori
untrustworthy scenarios
WISTP 2008, May 13-16, Sevilla [email protected] 32
Implementation and Testbed Testbed for the AAA network architecture for
NSC-based U(SIM) Implemented by means of the OpenDiameter
libraries: C++ API both to EAP and Diameter EAP
NSC-based U(SIM)WLAN MS
DIAMETER Client
Network AAA Proxy
3G AAA DiameterServer
WISTP 2008, May 13-16, Sevilla [email protected] 33
Details about implementation 3G AAA Server: back-end authentication server is
basically implemented by: the libdiametereap and libeap libraries. The Diameter EAP
API is extensible and allows define authorization (DEA attributes
EAP API is extended in order to support EAP-AKA method. OpenSSL library (partially included) provides a set of AKA
cryptographic functionalities. For simplicity’s sake, the implementation of functions f3
and f4 has not been carried out. Network AAA proxy
standard Diameter base protocol procedure relay version (Diameter proxy) is provided by the libdiameter.
Allows to complete the implementation of the protocol stack in a layer 2 wireless Access Point.
WLAN MS common laptop - IEEE 802.11g wireless interface. functionality of NAS (Diameter client) is provided by the
implementation of the libdiametereap library.
WISTP 2008, May 13-16, Sevilla [email protected] 34
Details about implementation Network Smart Card with U(SIM) functionalities
JavaCard: bulk LCP/EAP protocol stack -according to the standardized state-machines
enhancing with a set of functionalities corresponding EAP-AKA method.
CK and IK derivation, as well as, synchronization and re-authentication functionalities have been avoided with testbed experiments purposes.
(rxReq, rxSuccess, rxFailure, reqId, reqMethod) =parseEapReq(eapReqData)
RECEIVED
if (allowMethod(reqMethod)) {aka.Method = reqMethod
methodState = INIT} else {
eapRespData = buildNak(reqId)}
GET_METHOD
ignore = aka.check(eapReqData)if (!ignore) {
(methodState, decision, allowNotifications) =aka.process(eapReqData)
eapRespData = aka.buildResp(reqId)if (aka.isKeyAvailable())
eapKeyData = aka.getKey()}
AKA_METHOD
lastId = reqIdlastRespData = eapRespData
eapReq = FALSEeapResp = TRUE
SEND_RESPONSE
eapRespDataeapReqData
WISTP 2008, May 13-16, Sevilla [email protected] 35
Conclusion Our testbed shows the feasibility and robustness of
the proposed NSC-based AAA protocol architecture for 3G/WLAN interworking scenarios.
Standardized EAP-AKA protocol is transparently implemented in a common U(SIM), which participates as stand-alone supplicant (NSC-based U(SIM))
A novel trust model that assumes an a priori untrustworthy environment is defined
Therefore, our approach represents a more flexible solution in terms of security.
Beyond these benefits, it also may provide efficient mobile stations’ customization or personalization in critical or public environments.
Further works: Study and complete EAP-AKA functionalities New EAP-types methods
WISTP 2008, May 13-16, Sevilla [email protected] 36
Network Smart Card Performing U(SIM)
Functionalities in AAA Protocol Architectures
Thank you for your attention!Questions/Comments?