IdM in Third and In Next Generation Networks - Events
Download
Report
Transcript IdM in Third and In Next Generation Networks - Events
Filling the Gaps of IdM in Third and
in Next Generation Networks
Standardized Network-centric IdM as an enabler
for secure applications
Burton Group Catalyst 2007 Conference /
OASIS Identity and Trusted Infrastructure
Workshop: Evolutionary Milestones
Barcelona/Spain, 22-25 October 2007
Martin Euchner
Nokia Siemens Networks GmbH & Co KG
COO RTP IE Fixed
[email protected]
non-confidential
1
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Presentation Overview
• Next Generation Networks (NGN) and IdM
• An example network/provider centric IdM approach
– Generic Authentication Architecture (GAA)
– Generic Bootstrapping Architecture (GBA)
– Usage of GBA in 3rd and in NGNs
– IdM Interworking between 3GPP GBA and Liberty Alliance
• This presentation is based on a contribution submitted to ITU-T Focus Group on IdM
for network-centric IdM and on other related material.
non-confidential
2
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Next Generation Network (NGN)
uses various IDs
Identifiers in common
components for
applications
User Id Data
Identifiers in common
components for
applications and service
support
Applications
Identifiers in
NACF
Service Stratum
Application Support
Functions and
Service Support Functions
Application
Functions
S. User
Profile
Functions
Other NGN Service
Components
Service
Control
Functions
IP Multimedia
Component
IP Multimedia
&PSTN/ISDN
Simulation
Service Component
Legacy
Terminals
User and
terminal
identifiers
Legacy
Terminals
GW
GW
Network Access
T.User
User Network Attachment
Control Functions
Profile
ProfileAttachment
Functions
(NACF)
Functions
Functions
Customer
Networks
Access
Network
Access Transport
Functions
Functions
Access network
identifiers
NGN
Terminals
Edge
Functions
Resource and Admission
Control Functions
(RACF)
Other Networks
PSTN / ISDN Emulation
Service Component
Identifiers IMS,
PES, IPTV
Core
Transport
Core
transport
Functions
Functions
Transport Stratum
End-User
Functions
* Note: Gateway (GW) may exist in either Transport Stratum
non-confidential
3
© Nokia Siemens Networks
or End-User Functions.
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Identifier
Interoperability
Identifiers in
RACF
NGN and the Need for IdM
• NGN has various identifiers defined throughout the NGN
architecture.
– NGN identifiers are standalone, isolated within component/stratum
– Difficult correlation of NGN identifiers across strata/layers
• Strong identities are prerequisite for secure and trustworthy
e-business in third and next generation networks.
• NGNs need to leverage such identities for the purpose of
– secure identification and authentication (user/device),
– assisting towards establishing secure communications,
– and for protection of the network infrastructure.
non-confidential
4
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Gap Analysis
• ITU-T Focus Group IdM has compiled an extensive list of
foreseen use cases and IdM scenarios
• Identified numerous gaps such as:
– Integration of IdM in NGN Architecture
– Discovery of Identity Resources
– Inter-Federation/Inter-CoT Interoperability
– Interoperability of Mechanisms Used to Exchange Identity Information
–…
• Some general ideas considered how to overcome gaps
(requires further studies and refinement)
non-confidential
5
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
An NGN IdM Approach
• NGN should focus on network centric IdM;
i.e. IdM within NGN
– Define external IdM rdinterfaces for interworking of NGN with user-centric,
application-centric 3 party IdP IdM.
– Network-centric IdM is an approach where NGN providers host IdM
(or use identity services from third party identity providers) for enabling access
to the NGN.
– Application-centric IdM enables applications and services
when linked to network-based IdM, yields consistent provider-centric IdM.
• A new envisioned NGN IdM plane across all NGN strata could allow ID
correlation
• A new envisioned NGN IdM bridging function could
–
–
–
–
act as an ID gateway
allow mapping of IDs/security policies into different domains,
interwork with other networks, and provide discovery,
link NGN IDs across strata and across layers.
non-confidential
6
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
An NGN IdM Vision
3rd Party
Providers, IdPs
and RPs
IdM within
NGN
could be any
IdM solution
(e.g. GBA)
Internet and
Web Services
External NGN
IdM interface(s)
Other IdM solutions
tbd
ANI and NNI
NGN (IdP)
IdM
(“blackbox”)
within NGN
provider
IdM
Application Servers
Service Stratum
Other
IdM
Bridge
UNI
Softswitch
CSCF
NGN (IdP)
NNI
IdM Plane
Access
Transport
Stratum
NNI
Other
Networks
(e.g., PSTN)
User Device
non-confidential
7
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
What is Generic Authentication Architecture
(GAA)?
• GAA is the generic authentication architecture
– based on cellular authentication (xSIM)
– designed to be used for authentication of all services.
• Every new service needs authentication.
• A generic authentication mechanism would ease introduction of new
services.
• But a generic mechanism cannot be proprietary
it must be standardized.
• The GAA specification work was started in 3GPP at the end of 2001,
and is now finalized for Release 6 of 3GPP.
• Work on GAA extensions is ongoing in 3GPP for Release 7.
GAA is also proposed for use in 3GPP2, OMA, TISPAN.
non-confidential
8
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
What problems does GAA solve?
New operator services are starting to appear
• WLAN access, Presence and Messaging, multicast/broadcast services (MBMS)
• All of them need authentication and key agreement.
Other services need authentication, too
• Typically each service sets up and manages its own username/password
database.
The critical step in security is securely provisioning initial credentials
• Setting up username/password databases, distributing smart cards, …
• Costs money and time, inconvenient to users.
The GAA Solution:
• Re-use the cellular authentication infrastructure
– Already provisioned User credentials (smart cards)
– Existing roaming agreements between operators.
• Design it as a generic framework to bootstrap authentication
so that new services can use it easily in a standardized manner.
non-confidential
9
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Benefit and Relevance
GAA supports convergence of cellular and non-cellular
networks and services for network-centric IdM
Value to different stakeholders:
• Using GAA cellular network operators can offer authentication as a
service. This is a new way to utilize their subscribers’ base and roaming
agreements.
• GAA benefits subscribers because it provides more secure and userfriendly authentication than e.g. passwords.
• GAA benefits service providers (running application servers).
– No need to provision credentials to users
– Stronger authentication than using passwords
– Big pool of potential customers
• GAA-Identity Management provides strong, two-factor authentication
– Bound not only to something that the user knows, but also to something he possesses.
– Smart card can support the user identity management.
non-confidential
10
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
GAA – Generic Authentication Architecture
(TR 33.919)
• GAA describes a generic architecture for peer authentication that can a
priori serve for any (present and future) application.
• GAA is an authentication framework
with authentication reference model, linking together GBA, security
mechanisms (shared secret based and certificated-based)
and functional entities..
HSS
TR 33.919
GAA
GBA
Shared secret
Certificates
GAA
Certificates
AP
TS 33.220
UE
SSC
TS 33.221
NE
Schematic illustration of GAA
non-confidential
11
© Nokia Siemens Networks
GBA
Illustration of mechanisms to issue authentication credentials
Note: Other mechanisms for issuing authentication credentials may exist but are out of scope
for this TR.
GBA: Generic Bootstrapping Architecture
SSC: Support for Subscriber Certificates
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Generic Authentication Architecture
• In GAA the mobile and the service provider are provisioned with fresh credentials –
can authenticate each other.
– This requires cellular authentication of the mobile terminal and is done over IP.
A mobile that has those credentials can be automatically provisioned with subscriber
certificate and becomes part of cellular network’s PKI
• Generic Bootstrapping Architecture (GBA) offers generic
HSS
authentication capability for various applications based on
shared secret.
Subscriber authentication in GBA is based on
HTTP Digest AKA [RFC 3310].
GBA
• Support of subscriber certificates and
GAA
Certificates
Access to Network Application Function using
HTTPS is based on GBA.
HTTPS access
• GBA, Subscriber certificates, and
Access to Network Application Function
using HTTPS form together
Generic Authentication Architecture (GAA).
non-confidential
12
© Nokia Siemens Networks
UE
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
NE
GBA – Generic Bootstrapping Architecture
Application (TS 33.220)
• GBA is a security mechanism that is applicable to any application in need of
authentication and/or access control.
• GBA describes the security features and a mechanism to bootstrap authentication
and key agreement for application security from the 3GPP AKA mechanism.
• GBA defines the
– generic AKA bootstrapping function,
– an architecture overview
– and the detailed procedure how to bootstrap the credential.
• Important applications as seen from the viewpoint of 3GPP may use GBA as basis
for its deployment.
In particular self-administration of 3GPP services is a candidate:
– For Presence, user self-administration via Ut is defined in TS 33.141 using and
profiling Ua from TS 33.222
– For Conferencing, Messaging, …, further TSs for self-administration may be defined.
– For Multimedia Broadcast/Multicast Service (MBMS) where GBA is used for security of
the broadcast encryption keys [TS 133.246].
non-confidential
13
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
GBA – Generic Bootstrapping Architecture
Main advantages
• Works over any access network, which provides IP connectivity
• Dynamic generation of shared secrets/passwords (e.g. for http digest)
• USIM- (and SIM-)based single sign-on to applications
• Binding of application provision to MNO
• MNO is root of trust
• Avoids long-term subscriber certificates and the corresponding large-scale
public-key infrastructure
• Provides (optionally) application- and NAF-group-specific persistent user
identities to the NAFs
• Provides (optionally) application- and NAF-group-specific user
authorization flags to the NAFs
• Security on user side may be smart-card (UICC)-based (so-called GBA_U).
non-confidential
14
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
GBA Entities and Interfaces
bootstrapping from cellular authentication and key agreement (AKA)
User (profile)
DB, IdP
GBA
GAA
Before bootstrapping:
HSS and smart card in UE share a key
for cellular authentication
HSS
Supports
Service
Discovery
(optional)
SLF
(opt)
Application
Server
Zh: Credential Fetching
Protocol
NAF
library
Bootstrapping
Server Function
Zn: Key distribution
(BSF)
Network Application
Function (NAF)
Server
Bootstrapping steps:
1. UE contacts NAF to obtain a service (Ua)
2. NAF requests authentication from UE (Ua)
3. NAF client triggers BSF client to bootstrap
4.
Protocol
(DIAMETER, SOAP)
Dz: Service Discovery
5.
BSF
client
Ub: Bootstrapping
Protocol
(HTTP Digest AKA)
6.
7.
User
Equipment Client
(UE)
non-confidential
15
© Nokia Siemens Networks
with AKA (Ub, Zh)
Resulting master session key and
transaction id are stored in BSF server and
client
NAF client sends transaction id to NAF
server (Ua)
NAF server gets NAF-specific session key
from BSF using transaction id (Zn)
NAF server and client share a key that they
can use for authentication
After bootstrapping:
Ua: Application Protocol
(HTTP digest over TLS, PSK TLS )
NAF and UE share a UE/NAF-specific
key for service authentication
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
GBA Security Features
• Mutual user/device authentication (UE, BSF) using HTTP Digest AKA.
• Authorization check by BSF/HSS.
• Dynamic key derivation (master, session keys).
• Secure key distribution and key/credential management.
• Message protection (integrity, replay, confidentiality) using TLS/HTTPS.
• Privacy protection of IMPI/IMPU, optional user anonymity.
• Linking UID with key material (BSF, NAF)
• Service discovery (SLF optional).
• Proxy services to external NAFs.
non-confidential
16
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Usage of GBA (1)
GBA is a generic enabler in 3G
• 3GPP
– User self-administration for IMS-based Presence with Presence
–
–
–
–
List Management
Mobile Broadcast Multicast Service (MBMS) to provision
subscriber certificates
GBA for HTTP TLS or Pre-shared Key TLS
Foreseen application to 3GPP Strategic Architecture Evolution
(SAE) / Long Term Evolution (LTE)
3GPP - Liberty Alliance Interworking
• 3GPP2
– New services, GAA in legacy CDMA networks
• OMA
– OMA Presence Specification,
– OMA Broadcast, OMA Location-based services,
– OMA Secure User Plane Location Service (SUPL)
non-confidential
17
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Usage of GBA (2)
GBA is a generic enabler
has been taken up into usage by many applications and standardization
forums:
• ETSI TISPAN Next Generation Networks (NGN)
– GBA enables the usage of cellular authentication to be used for noncellular services.
• ITU-T Next Generation Networks (NGN)
– Part as an authentication method of draft Rec. Y.NGN-Authentication
• DVB-H
– GAA-enhanced service protection
• IETF
– Shared key TLS based on GBA
non-confidential
18
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Flavors of GBA
• “Normal” GBA for mobile equipment (GBA_ME)
– shared secret leaves the UICC;
– dynamic key derivation outside UICC
• GBA for UICC (GBA_U)
– shared secret does not leave UICC;
– dynamic key derivation within UICC
▪ Ks_int_NAF remains with UICC
▪ Ks_ext_NAF leaves UICC
• “Legacy GBA” for using SIM card or SIM on UICC (2G GBA)
in case ISIM or USIM not present on UICC
• GBA for Cable (GBA_H):
– does not require UICC
▪ uses HTTP Digest over TLS enhancement to GBA
▪ uses TLS pre-shared key
• GAA for Subscriber Certificates (GAA–SSC)
non-confidential
19
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
GBA and Liberty Alliance (LAP) Interworking
(TR 33.980)
• Provides guidelines on the interworking
of the Generic Authentication Architecture (GAA) and the
Liberty Alliance architecture.
• The feasibility study investigates the details of possible
interworking methods between
– the Liberty Alliance Identity Federation Framework (ID-FF),
– the Identity Web Services Framework (ID-WSF) and
– the Generic Bootstrapping Architecture (GBA).
• TR 33.980 assumes that the architectures of Liberty Alliance
and of GBA are used in combination.
non-confidential
20
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Use case: Web Single Sign-On
•
•
•
User is authenticated by operator using HTTP Digest and GAA.
Operator shares user identity or pseudonym with 3rd party (SP)
Liberty ID-FF provides a mechanism for sharing identity between
operator and SP
Related specifications:
GAA infrastructure
HSS
3GPP TR 33.980
UE
BSF
client
Browser
NAF
library
HTTP Digest
HTTP Liberty ID-FF
IdP
Identity Server
HTTP Liberty ID-FF
Service Provider
non-confidential
21
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Use case: Web Services
•
•
•
•
Liberty Enabled Device/Web Service Client authenticates to Liberty
authentication web service,
obtains token(s) to establish identity and access Discovery Service
Authentication service leverages GBA mechanism and Operator network
Client accesses Discovery Service to access appropriate Service
Provider
Client interacts with Service Provider using web service (SOAP)
Related specifications:
GAA infrastructure
HSS
3GPP TR 33.980
UE
BSF
client
Liberty
Enabled User
Agent/Device
(LUAD)
NAF
library
Liberty Authentication
Protocol
Authentication
Service
Liberty ID-WSF Identity-based Discovery
Service
Service Discovery
Liberty ID-WSF Identity-based SOAP request and response
non-confidential
22
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Service Provider
Analyzed Architecture Components
LAP SP-IdP
SOAP-based
HSS
Zh
Zn
BSF
WSP
SP
IdP
SP
Auth. Service
NAF
(AP)
LAP UE-SP
Using HTTP
HTTPbased
Ub
Ua
UE
LUAD
LAP ID-WSF
LAP ID-FF
3GPP GBA
LAP:
SOAP-based
AS
Authenticatio
n
(carried within
SASL)
LAP WSP-WSC
SOAP-based
LAP:
SOAP-based
SSOS
LAP:
UE –AS
LAP:
UE -SSOS
SP
WSP
LAP:
UE - SP
LAP WSC-IdP/DS
SOAP-based
WSC / SP
NAF
I
d
P
LAP UE-SP
IdP /
DS
LAP UE - IdP
NAF
UE
LAP ID-WSF Authentication Service with Single Sign On Service
non-confidential
23
© Nokia Siemens Networks
SOAP-based
UE
UE
LAP UE –
SP
Using SOAP
LAP WSP-UE
UE
LAP ID-WSF Authentication Service
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
GBA and Liberty Alliance (LAP) Interworking
IdP collocated with NAF
Collocation of NAF and IdP
allows
HSS
Zh
Zn
BSF
LAP SPNAF/IdP
NAF/IdP
• federation/de-federation of GBA
credentials with LAP principal
identities
SP
NAF
Ub
avoids:
Ua
LAP
UE-IdP
UE
LAP UE-SP
• large impact on the generic interface
to the terminal to transport Liberty
related information.
• Modification/extension of the interface
to the service provider to support the
Liberty SSO use case.
• Usage of all Identity Management features as specified by LAP
• Root of trust and persistent identity of user managed by Operator/provider
• Strong authentication of UE for LAP Identity Provider (UICC-, SIM-based) using GBA
credentials
• Control of MNO over user rights at Identity Provider, general by SLA and user-specific by GBA
User Security Setting (authorization in USS).
• Similar interworking architectures defined for GBA-enabled Web-services,
and for GBA-enabled Simplified Single Sign On (SSO).
non-confidential
24
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
GBA-LAP
SAML Inter-working
Mail
Calendar
IdP
Zn
Application
NAF/SAML
Zh
HSS
BSF
Zn
Application
LAP SP-NAF/IdP
Ub
IdP
Application
Ua
NAF/IdP
LAP UE-IdP
LAP UE-SP
non-confidential
25
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Application
Example procedure for GBA-LAP interworking
with IdP collocated with NAF
Service
Provider
UE
BSF
NAF/IdP
Established TLS secure channel
1. Service access request/
HTTP request
2. HTTP re-direct to IdP
3. Service access request/
HTTP request
Derive fresh
session key
4. HTTP digest authentication
Derive fresh
session key
GBA bootstrapping (opt.)
if UE and NAF do not yet share fresh credentials
5. Authorization data,
User name (B-TID), password (KS_NAF)
UE
authenticated
and
authorized
GBA credentials fetch (opt)
if not already in NAF
6. LAP HTTP response, (LAP data)
7. Service access request/
LAP HTTP request
8. Service access response
non-confidential
26
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Common Security Requirements
addressed by ID-FF and ID-WSF
•
•
•
•
•
•
•
•
•
•
Request Authentication
Response Authentication
Request/Response Correlation
Replay Protection
Integrity Protection
Confidentiality Protection
Privacy Protections
Resource Access Authorization
Proxy Authorization
Mitigation of denial of service attack risks
non-confidential
27
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
ID-FF Security Features
• Web-based single sign on with simple federated identities
• Name Registration
• Exchange of opaque user handles (privacy protection)
•
•
•
•
•
•
•
•
•
no exchange of cleartext identifiers)
Notifying the user of the capability to federate;
soliciting consent to facilitate introductions
Single log-out (Federation Termination Notification)
Identity Provider Introduction
HTTP basic authentication w/w.o. SSL 3.0/TLS 1.0
SOAP over HTTPS (SSL 3.0/TLS 1.0) for X.509-based server-side
authentication and SOAP message integrity & confidentiality
SAML for security assertions
Name Identifier Mapping with NameIdentifier obfuscation
Name Identifier Encryption with XML encryption of NameIdentifier
XML signature
non-confidential
28
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
ID-WSF Security Features
• ID-WSF authentication protocol using SASL (RFC 2222)
profile:
SASL over TLS/SSL for integrity & confidentiality protection
of SASL messages
• Discovery Service
• ID-WSF Single Sign On Service
based on ID-FF SSO & federation profile
• Password Transformation optional service to convey
password pre-processing obligations to client.
non-confidential
29
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Summary
• Next Generation Networks have to solve an IdM problem
• GAA and GBA provide the foundation for network-centric IdM in 3G,
extends to next generation networks and non-3G environments.
• GBA has many applications and serves as a key security mechanism.
• Leverage deployed strong authentication solution that does not require PKI rollout.
• Liberty Alliance ID-FF and ID-WSF provide Identity Management
– Single Sign On (ID-FF) and privacy protecting identity web services protocols and
architecture, including authentication and interaction web services.
• IdM concepts in LAP and GBA can complement each other nicely:
– Re-use of GBA provides actual security mechanisms where LAP leaves room for security
mechanisms
– Provide authentication interworking between GBA and LAP
– GBA-LAP federation of identifiers and simplified Single-Sign On supported.
• Feasibility of possible LAP-GBA interworking architectures studied in TR 33.980
– Some suitable combined architecture concepts suggested
– Leverage good synergies between GBA and LAP.
non-confidential
30
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Thank You!
Acknowledgements to Silke Holtmanns, the Nokia Research Team and NSN RTP Research
non-confidential
31
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Nokia Siemens Networks
Unified Attachment Node (UAN)
• Allows operators to use SIM authentication for different
access technologies and services.
• Provides a unified access solution to cut through the
complexity of different login procedures (access, service),
providing authentication for several access technologies
including WiMAX:
one SIM card, one login fits all.
• Operators can use the SIM card for all these technologies,
simplifying authentication challenges and leveraging their
SIM assets.
• Moreover, UAN re-uses the authentication data from SIM,
giving consumers secure, “one-click-access” to third-party
services from, for example, the Internet. This is realized by
the so called “Bootstrapping” Server Function.
non-confidential
32
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Unified Attachment Node
Enables transparent authentication to services in multi-access environment
Unified authentication solution for
multiple authentication methods
Service authorization
UAN
Multiple
Accesses
Intelligent
Packet Core
a multi-access capable authentication
server for common broadband
access technologies (xDSL, WiMAX,
i-WLAN, …..)
non-confidential
33
© Nokia Siemens Networks
Multiple
services
Offers simple “one-click” service
authentication based on SIM/USIM
through 3GPP GAA architecture
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Authentication & Billing Value Center (A&BVC)
High Level Concept Architecture
Charging System
Registers
Operator Services
CG
UCS
HSS
HLR
Service
Clients
Internet
Service
non-confidential
34
© Nokia Siemens Networks
Service
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Service
UAN deployment example
WAP
HLR
MMSC
Stream
Operator VAS
IN
CG
Charging
IMS
HSS
IMS & Registers
3GPP PS
Flexi ISN
SP
WiMAX
ASN-GW
WLAN
AC
xDSL
BRAS
Internet
UAN
BMSC
NAF
server
BAM
Mobile TV
Reduce number of AAA infrastructure
Flexible tool for service authentication
Solution for GAA services (i.e mobile TV)
NASS TISPAN integrated function
non-confidential
35
© Nokia Siemens Networks
Online/Offline charging support
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
(3GPP/IMS) Identities and Identifiers
• 3GPP TS 23.003 “Numbering, addressing and identification”
Defines the identifiers for IP Multimedia Subsystem (IMS)
• 3GPP TS 23.228 “IP Multimedia Subsystem (IMS) Stage 2”
Handling of Identities in IMS
Public
User Identity
Service
Profile
IMS
Subscription
Private
User Identity
• Private User Identity (IMPI)
– Is a NAI (username@realm)
– IMPI can be derived from IMSI
Public
User Identity
Public
User Identity
Relationship of the Private User Identity and Public User Identities
Public User
Identity – 1
if there is no ISIM application
Service
Profile
• Public User Identity (IMPU)
Service
Profile – 1
– Is a SIP URI or a TEL URI
Private User
Identity – 1
Public User
Identity – 2
IMS
Subscription
Private User
Identity – 2
Service
Profile – 2
Public User
Identity – 3
The relation of a shared Public User Identity (Public-ID-2) and Private User Identities
non-confidential
36
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
GAA - Support for Subscriber Certificates
(TS 33.221)
• Specifies a global and secure authorization and charging infrastructure of
mobile networks to support a local architecture for digital signatures.
• Defines signalling procedures for support of issuing certificates to
subscribers and the standard format of certificates and digital signatures.
– procedures to issue temporary or long-term certificates to subscribers;
– standard format of certificates and digital signatures, e.g. re-using OMA
wireless PKI specifications.
• Subscriber certificates provide a migration path towards global Public Key
Infrastructure (PKI):
– start from local certificate islands to migrate towards global PKI.
• Usage:
– subscriber certificates to authorize and account for service usage both in home
and in visited networks.
non-confidential
37
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
GAA – SSC
Reference Model for Certificates
• PKI Portal
– issues a certificate for UE and
delivers an operator CA certificate
– is a Registration Authority (RA) that
authenticates the certification request
based on cellular subscription.
– may also function as a
SLF
Certificate Authority (CA).
Registration
Authority
(CA opt)
HSS
Zh
Dz
BSF
Zn
• Subscriber certificate profile is based
PKI
Portal
(NAF)
PKIaware
AS
Ua
on OMA WAP Certificate and CRL
UE
Ub
Profile (reusing IETF RFC 3280,
X.509 profiles)
Qualified certificate profiles by
IETF [RFC 3039] and ETSI
may also be used
Simple network model for certificate issuing and using
when supported.
TS 33.221
non-confidential
38
© Nokia Siemens Networks
Certificate enrolment protocol
(PKCS#10 with HTTP Digest Authentication or TLS PSK)
(certifying subscriber's public keys, delivery of the Operator CA
certificate to the UE)
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
3GPP “IdM”-related specifications
GAA:
TR 33.919: GAA general overview
TS 24.109: Ub and Ua interface; protocol details, includes PKI enrolment
TS 29.109: Zh and Zn interface; protocol details
TS 24.109: Ub and Ua interface; protocol details, includes PKI enrolment
TS 29.109: Zh and Zn interface; protocol details
GBA:
TS 33.220: Generic Bootstrapping Architecture (GBA)
TS 33.221: PKI enrolment
TS 33.222: Use of HTTPS and authentication proxy
TS 31.102: GBA_U details for USIM
TS 31.103: GBA_U details for ISIM
TS 31.111: USIM Application Toolkit (GBA_U triggering)
TS 33.141: Presence security (uses GBA)
TS 33.246: MBMS security (uses GBA)
TR 33.980: GBA and Liberty Alliance (LAP) Interworking
non-confidential
39
© Nokia Siemens Networks
IMS:
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Additional Information
• Liberty Alliance ID-WSF 2.0 Specifications
– https://www.projectliberty.org/resource_center/specifications/liberty_alli
ance_id_wsf_2_0_specifications
• Liberty ID-WSF Authentication, Single Sign-On, and Identity
Mapping Services Specification
– https://www.projectliberty.org/liberty/content/download/871/6189/file/libe
rty-idwsf-authn-svc-v2.0.pdf
• 3GPP
– http://www.3gpp.org/
non-confidential
40
© Nokia Siemens Networks
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner
Abbreviations
3GPP:
A&BVC:
AKA:
ANI:
AP:
AS:
BSF:
CA:
CoT:
CPS:
CPSF:
CT:
DS:
FG-IdM:
GAA:
GBA:
HSS:
HTTP:
HTTPS:
ID-FF:
IdM:
IdP:
ID-WSF:
IP:
ISIM:
LAP:
LUAD:
MNO:
3rd Generation Partnership Project
Authentication & Billing Value Center
Authenticated Key Exchange
Application Network Interface
Authentication Proxy
Authentication Service
Bootstrapping Server Function
Certificate Authority
Circle-of-Trust
Common Profile Storage
Common Profile Storage Framework
Core Network and Terminals
Discovery Service
ITU-T Focus Group Identity Management
Generic Authentication Architecture
Generic Bootstrapping Architecture
Home Subscriber Server
Hypertext Transfer Protocol
Hypertext Transfer Protocol Security
Identity Federation Framework
ID Management
Identity Provider
Identity Web Services Framework
Internet Protocol
IP Multimedia Subsystem (IMS) SIM
Liberty Alliance Project
Liberty-enabled User Agent or Device
Mobile/Multiservice Network Operator
non-confidential
41
© Nokia Siemens Networks
NACF:
NAF:
NE:
NGN:
NNI:
OMA:
PKI:
RA:
SA:
SAML:
SASL:
SCTP:
SIM:
SLF:
SOAP:
SP:
SSC:
SSO:
SSOS:
TLS:
UAN:
UE:
UICC:
UMTS:
UNI:
USIM:
USS:
WAP:
WSC:
WSP:
Network Attachment Control Function
Network Application Function
Network Entity
Next Generation Network
Network-Network Interface
Open Mobile Alliance
Public Key Infrastructure
Registration Authority
Services & System Aspects
Security Assertion Markup Language
Simple Authentication and Security Layer
Stream Control Transmission Protocol
Subscriber Identity Module
Subscriber Locator Function
Simple Object Access Protocol
Service Provider
Support for Subscriber Certificates
Single Sign-On
Single Sign-On Service
Transport Layer Security
Unified Attachment Node
User Equipment
Universal Integrated Circuit Card
Universal Mobile Telecommunications System
User Network Interface
Universal Subscriber Identity Module
User Security Setting
Wireless Application Protocol
Web Service Consumer
Web Service Provider
Burton Group Catalyst 2007/OASIS IDtrust Workshop, Barcelona/Spain, 22-25 October 2007 / Euchner