TS31103 ISIM introduction
8 likes1,224 views
The ISIM module stores IMS-specific subscriber data provisioned by an IMS operator. It contains six groups of data: security keys, private/public user identities, home network domain name, P-CSCF address, and administrative data. The ISIM supports IMS AKA, GBA, and HTTP Digest security mechanisms. It initializes by selecting profiles and verifying PIN codes before providing subscriber data to the IMS application.
TS31103 ISIM introduction
- 2. Outline • Introduction • ISIM Structure • ISIM Initialisation • ISIM Security Mechanism • IMS AKA security • GBA_U security • HTTP Digest security • Other : No ISIM Provide
- 3. Introduction • ISIM is the new module in UICC. • ISIM stores IMS-specific subscriber data mainly provisioned by an IMS operator. • The store data can be divide into six groups: Security keys Private user identity Public user identity Home network domain name P-CSCF address Administrative data
- 5. ISIM Structure (2/7) • Security Keys • EF-GBABP : GBA Bootstrapping Parameter • Store B-TID and RAND • EF-GBANL : GBA NAF List • NAF-ID and B-TID pair • EF-NAFKCA • NAF key address
- 6. ISIM Structure (3/7) • Private User Identity • EF-IMPI • The ID using for Register, Authorisation, Administration, Charging to IMS • Store in HSS and provide from operator • NAI format Ex. username@operator.com • Public User Identity • EF-IMPU • Use by request communication to other user. • Contain one or more record in ISIM, but will store at least one IMPU for emergency registration. • SIP/TEL URI format • Ex. sip:kimmy@fih.com or tel:77654321
- 7. ISIM Structure (4/7) • Home Network Domain Name • EF-DOMAIN • This used to find the home network during the registration procedure. • They can only be one home network domain name URI stored in ISIM. • Ex. • Public user identify : username@operator.com • Home domain name : operator.com
- 8. ISIM Structure (5/7) • P-CSCF Address • EF-P-CSCF • This EF contains one or more Proxy Call Session Control Function addresses . • The first record in the EF shall be considered to be of the highest priority. The last record in the EF shall be considered to be the lowest priority.
- 9. ISIM Structure (6/7) • ISIM Service Table • EF-IST • This EF indicates which optional services are available. • Mandatory :Services n°1 to n°8
- 10. ISIM Structure (7/7) • EF-AD (Administrative Data) • EF-ARR (Access Rule Reference) • EF-SMS • EF-UICCIARI
- 11. ISIM Initialisation SELECT EF-PL from other application or using Default Verify PIN Code SELECT EF-AD Request IMPU/IMPI/SIP Domain/Service Table/P-CSCF address ISIM application closure Using STATUS cmd to terminate session Idle Mode presence detection using STATUS cmd
- 12. ISIM Security Mechanism (1/2) • The function can be used in several different contexts: • IMS AKA security : SIP-based services • GBA_U security : HTTP application • HTTP Digest security
- 13. ISIM Security Mechanism (2/2)
- 14. IMS AKA security (1/4) • IMS AKA security context during the procedure for authenticating the ISIM to its. • The function shall be used whenever an IMS context shall be established, i.e. when the terminal receives a challenge from the IMS. • UE will first send REGISTER command with null authentication value.
- 15. IMS AKA security (2/4) • Using AKA Algorithm from HSS. • AuC which locate in HSS will generate SQN and RAND. • HSS will using shared secret key K which also stored in UICC. • AK = f5K (RAND) • MAC = f1K (SQN || RAND || AMF) • XRES = f2K (RAND) • CK = f3K (RAND) • IK = f4K (RAND) • AUTN = SQN xor AK || AMF || XMAC • AV = RAND || XRES || CK || IK || AUTN
- 16. IMS AKA security (3/4) • IMS server will send 401 UNAUTHORIZED to UE, which bring RAND and AUTN for UE to use AKA algorithm reproduce other key value : • RADN AK • AK SQN • SQN, RAND, AMF XMAC • Calculate ATUN and compare the answer with network • Check current SQN is bigger than old SQN, if SQN is invalid, UE will send RESGISTER command again. • If SQN is valid, and reproduce IK and CK, and UE will store IK and CK for data encrypt. • Final, UE will reverser RES and send REGISTER again.
- 17. IMS AKA security (4/4) • Compare RES and XRES which store in S-CSCF • If compare success, and send 200 OK to UE. • If compare fail, and send 403 FORBIDDEN to UE Challenge
- 18. GBA_U security (1/2) • ISIM operations in GBA security context are supported if service n°2 is "available”. • Using AKA algorithm to verify RES • Using Ks to reproduce Ks_ext_NAF and Ks_int_NAF use between UE and NAF for authorized data. Ks_ext_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id) Ks_int_NAF = KDF(Ks, "gba-u, RAND, IMPI, NAF_Id) Ks=CK || IK
- 20. HTTP Digest security • ISIM operations in HTTP-Digest security context are supported if service n°3 is "available" • Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password, with a user's web browser.
- 21. Other : No ISIM Provide • If no ISIM application, we can derived IMPI/IMPU/Domain name based on IMSI Example :IMSI=234150999999999, MNC=15, MCC=234 IMPI : <IMSI>@ims.mnc<MNC>.mcc<MCC>.3gppnetwork.org 234150999999999@ims.mnc015.mcc234.3gppnetwork.org IMPU : sip: <IMSI>@ims.mnc<MNC>.mcc<MCC>.3gppnetwork.org sip:234150999999999@ims.mnc015.mcc234.3gppnetwork.org Domain name : mnc<MNC>.mcc<MCC>.3gppnetwork.org ims.mnc015.mcc234.3gppnetwork.org
- 22. Q & A
Editor's Notes
- #6: EF-GBABP : This EF contains the AKA Random challenge (RAND) and Bootstrapping Transaction Identifier (B-TID) associated with a GBA bootstrapping procedure. 儲存GBA驗證過程中的兩組key, bootstrapping id 和 RAND參數 EF-GBANL : This EF contains the list of NAF_ID and B-TID associated to a GBA NAF derivation procedure 當NAF有許多組時, 儲存對應的NAF_ID的 bootstrapping id EF-NAFKCA : This EF contains one or more NAF Key Centre addresses. The first record in the EF shall be considered to be of the highest priority. The last record in the EF shall be considered to be the lowest priority. 當NAF有許多組時, 儲存NAF的address, 第一個record的NAF最高, 依序下降
- #7: IMPI有點像IMSI, 在註冊綁定user身份做身份的認證,儲存在HSS中 IMPU有點像user因為不同的需求註冊的不同id, 也有點像e-mail 或是電話號碼, 根據其他user的IMPU相互溝通, 所以一個user可以多個IMPU, 但IMPU不像IMPI在註冊時做身分認證, 但在終止會話建立時會需要用到
- #9: P-CSCF的位置, 第一筆record優先權高…依序下降
- #10: Local break out : As the PDN-GW is located in the visited network, user plane traffic doesn’t necessarily need to traverse back to the home network. This is known as the ‘local-breakout’ architecture. (指p-cscf 和pdn-gw在visited network 不再home network, 所以ue不用穿越回home network去連p-cscf)
- #11: IARI, IMS application reference identifier :似乎是一個id reference, 可以讓user重複利用sip 區分不同的application service? 可以利用此id, 去區分計價方式? An IMS application is an application that uses an IMS communication service(s) in order to provide a specific service to the end-user. The IMS application uses specific IMS Communication Service(s) and provides the end user service through the reuse of the SIP communication part of service. The IMS application does not extend the definition of the IMS communication service. The IMS application reference identifies the application utilising the IMS communication service. A Communication Service is an aggregation of one or several media components and the service logic managing the aggregation, represented in the protocols used. An IMS application is an application that uses an IMS Communication Service(s) in order to provide a specific service to the end-user. Only IMS applications other than the default application associated to the Communication Service are identified through IARIs.
- #13: 簡單來說 aka只能做ue是否可以使用ims的認證, 但gba是ue是否可以使用application service的認證
- #16: SQN = (SQN xor AK) xor AK
- #19: Ks_ext_NAF is computed in the UICC as Ks_ext_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id), and Ks_int_NAF is computed in the UICC as Ks_int_NAF = KDF(Ks, "gba-u, RAND, IMPI, NAF_Id), where KDF 但是終端在這個網絡中是否能夠實行一個具體的業務,是透過GBA來完成,對於IMS來講,這是後面AS的事情,IMS只要判斷用戶能夠使用這個網絡就足夠了。 比如用戶開機註冊,這個時候並沒有實際的業務請求出現。 那用戶和AS 之間通過GAA/GBA的實現來補足這塊的不足。 所以GBA是實現讓AS和終端在後續的業務階段
- #21: 摘要訪問認證是一種協議規定的Web伺服器用來同網頁瀏覽器進行認證信息協商的方法。它在密碼發出前,先對其應用哈希函數,這相對於HTTP基本認證發送明文而言,更安全。 從技術上講,摘要認證是使用隨機數來阻止進行密碼分析的MD5加密哈希函數應用。它使用HTTP協議。