Transcript AAA Server

Providing SIM-based AAA in WLAN
Institute for Information Industry (資訊工業策進會)
Integration Technology Laboratory (整合技術實驗室)
胡志豪 [email protected]
Outline
• Project background
  – Trend toward integration of wireless LAN (WLAN) and mobile telecom networks
  – Status of related technology development at home and abroad
  – Reference models for WLAN and mobile telecom network integration
  – The "Building a mobile service environment over heterogeneous multi-access networks" project
• SIM-based authentication and encryption in mobile telecom networks
• SIM-based authentication, authorization and accounting (AAA) mechanism in WLAN
Wireless LAN (WLAN) vs Mobile Telecom Networks
Figure: Mobility vs Data Rate
Integration needs of WLAN and mobile telecom networks
• Mobile telecom network (2G, 3G) integration needs
  – Future demand for mobile data services
  – 3G licence and deployment costs are too high
• Wireless LAN (WLAN) integration needs
  – Customer base
  – Coverage
  – Identity and billing mechanisms
WLAN and mobile telecom network integration scenarios
• 3GPP TR 22.934 V6.0.0 (2002.9)
  – Feasibility study on 3GPP system to WLAN inter-working
• Scenarios
  – Common billing and customer care
  – 3GPP system based Access Control & Charging
  – Access to 3GPP system PS based services
  – Service continuity
  – Seamless services
  – Access to 3GPP system CS based services
Planning direction of Taiwan's National Telecommunications Program
Existing access networks, each already optimized for a single transmission environment, are interconnected through a single access integration mechanism, providing seamless access service at any time and any place.
Source: B3G planning document of the National Telecommunications Program (電信國家型計劃B3G規劃書)
Status of related technology development abroad
Organization / Development status
3GPP
  – Reference model for integrating 3G systems with Mobile IP:
    Architectural Requirements for Release 1999 (TS 23.121)
  – Integrating Mobile IP with the GGSN in the core network:
    Inter-working between the Public Land Mobile Network supporting Packet Based Service and Packet Data Networks (TS 29.061)
  – Studies on integrating multi-tier systems:
    Combined GSM and Mobile IP in UMTS
    Feasibility Study on 3GPP System to Wireless Local Network Inter-working
3GPP2
  – Network architecture for integration with Mobile IP and the protocol architecture needed to carry data:
    Wireless IP Network Standard
ETSI
  – Studies on integrating multi-tier systems:
    Analysis of existing roaming techniques applicable to TIPHON mobility services
IST
  – No Coupling, Loose Coupling and Tight Coupling network integration models
Other
  – HP, Nomadix, iPass
Reference models for WLAN and mobile telecom network integration
• Open Coupling: Mobility Management
  Home Agent / Foreign Agent / SIP Registrar
Source: IST EVOLUTE (2002)
(seamlEss multimedia serVices Over alL IP-based infrastrUcTurEs)
Reference models for WLAN and mobile telecom network integration (cont.)
• Loose Coupling: Mobility Management + AAA Integration
Source: IST EVOLUTE (2002)
AAA: Authentication Authorization Accounting
Reference models for WLAN and mobile telecom network integration (cont.)
• Tight Coupling: WLAN treated as another radio access technology
Source: IST EVOLUTE (2002)
Comparison of WLAN and mobile telecom network integration reference models
No (Open) Coupling
  Definition: completely independent access networks; users have separate contracts for each network; mobility management
  Advantages: rapid introduction; no impact on GSN nodes; suitable for all WLAN technologies
  Disadvantages: poor handover performance; no common subscriber database
Loose Coupling
  Definition: same AAA subscriber database; mobility management
  Advantages: common database simplifies handling security, billing and customer management; no impact on GSN nodes; suitable for all WLAN technologies
  Disadvantages: poor handover performance
Tight Coupling
  Definition: WLAN connected to the core network in the same manner as other radio access technologies; SGSN and GGSN need to be updated
  Advantages: improved handover performance
  Disadvantages: only feasible if a single operator runs both networks
Building a mobile service environment over heterogeneous multi-access networks
Figure: project architecture (III 2003 [ROC year 92] innovative forward-looking project, commissioned and subsidized by the Ministry of Economic Affairs)
  – WLAN side (WISP domain): Access Point, Access Controller, WLAN AAA Server (Radius/Diameter)
  – Mobility management for mobile terminals in a heterogeneous network environment: SIP Servers (Proxy, Redirector, Registrar) and Home Agent
  – Fast and consistent authentication, authorization and accounting: the AAA Server is connected to the HLR over an AAA-HLR Link
  – Telecom network (GPRS, UMTS): RAN (BSS, RNC), SGSN, GGSN, HLR
AAA integration technology sub-project
• Objective: Providing SIM-based AAA in WLAN
  – Security and trust mechanism
  – Convenient account management
  – Lower cost for building WLAN roaming infrastructure
Figure: Mobile Host with SIM card -> Access Point -> Access Controller -> WLAN Radius AAA Server -> (IP Networks) -> AAA-HLR Gateway -> HLR in the cellular network (RAN: BSS, RNC; SGSN; GGSN)
AAA: Authentication Authorization Accounting
Outline
• Project background
• SIM-based authentication and encryption in mobile telecom networks
  – Authentication Method
  – Authentication Architecture
  – MAP (Mobile Application Part)
• SIM-based AAA model in WLAN
SIM-based AAA in Cellular Network
• SIM is well suited to managing public users
• The SIM card keeps its secrets confidential and is easily portable
• The SIM card is authenticated by the operator (one-way authentication only)
Figure: GSM authentication and ciphering. Both the MS (SIM card) and the Operator Home System hold Ki. The network sends RAND; each side computes SRES = A3(Ki, RAND) and Kc = A8(Ki, RAND). The operator compares the two SRES values: equal -> accept, otherwise reject authentication. Data is then encrypted with A5 under Kc.
SIM-based AAA in Cellular Network (Cont’)
Figure: GSM authentication signaling
  MS (SIM card) holds: IMSI, Ki, A3, A5, A8
  AuC holds: IMSI, Ki, RAND, A3, A8
  0. MS -> VLR/MSC: IMSI
  1. VLR -> HLR: IMSI
  2. HLR -> AuC: IMSI
  3. AuC -> HLR: RAND, Kc, SRES
  4. HLR -> VLR: RAND, Kc, SRES
  5. VLR -> MS: RAND
  6. MS -> VLR: SRES’
  The VLR verifies whether SRES’ = SRES and accepts or rejects.
Client side (SIM): SRES = A3(Ki, RAND); Kc = A8(Ki, RAND)
Operator side (AuC): SRES = A3(Ki, RAND); Kc = A8(Ki, RAND)
IMSI = MCC + MNC + MSIN
MAP (Mobile Application Part): 3GPP TS 29.002
• MAP_RESTORE_DATA
  – Used by the VLR to request that the HLR send the data in the subscriber's IMSI record
• MAP_INSERT_SUBSCRIBER_DATA
  – HLR provides the VLR with subscriber parameters
• MAP_SEND_AUTHENTICATION_INFO
  – Used by the VLR to retrieve (RAND/SRES/Kc) information from the HLR
Figure: the AAA-HLR Gateway opens a new path to the HLR alongside the original VLR-HLR path
MAP_SEND_AUTHENTICATION_INFO Parameters (M: Mandatory, C: Conditional, U: service-User)
  Parameter name                          Request   Response
  Invoke id                               M         M(=)
  IMSI                                    C
  Number of requested vectors             C
  Requesting node type                    C
  Re-synchronization Info                 C
  Segmentation prohibited indicator       C
  Immediate response preferred indicator  U
  AuthenticationSetList                             C
  User error                                        C
Outline
• Project background
• SIM-based authentication and encryption in mobile telecom networks
• SIM-based AAA model in WLAN
  – EAP-SIM
  – 802.1X
  – Radius/Diameter
  – AAA-HLR Gateway
  – Scenarios / Sequence Diagram
EAP-SIM
• Mutual authentication & stronger keying information
• Re-Authentication (version 10), privacy support
Figure: EAP-SIM key derivation and MAC verification
  – Supplicant: sends a Nonce; for each RAND received, the SIM computes SRES = A3(Ki, RAND) and Kc = A8(Ki, RAND); MK is derived with SHA1 from Kc and the Nonce; a PRF expands MK into K_int, K_encr and K_sres; HMAC_SHA1 is used to check the server's Mac (equal?) and to produce the Mac over Sres
  – Authentication Server: obtains RAND, SRES and Kc from the Operator; derives MK and K_int, K_encr, K_sres with the same SHA1/PRF steps; computes the Mac sent with RAND and checks the Sres Mac returned by the supplicant (equal?)
Reference: draft-haverinen-pppext-eap-sim-5.txt (Nokia)
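The GSM triplet flow and the EAP-SIM exchange described above, as an added Python demo that is not from the original slides: the AuC produces (RAND, SRES, Kc) vectors, the AAA server binds the RANDs to the peer's nonce with a MAC, and the supplicant checks that MAC before answering with its own MAC over SRES, which is what makes the exchange mutual rather than one-way. A3/A8 are operator-specific and not on the slides, so a keyed HMAC stand-in is assumed, as is the HMAC-SHA1 key expansion used in place of the draft's PRF; all function names and values are constructed.

```python
import hashlib, hmac, os

# Demo of the exchange on the slides: AuC triplets -> AAA server challenge -> SIM ->
# mutual MAC checks. A3/A8 are operator-specific, so a keyed HMAC stand-in is assumed.
def sim_a3_a8(ki, rand):
    d = hmac.new(ki, rand, hashlib.sha1).digest()
    return d[:4], d[4:12]                          # SRES (32 bit), Kc (64 bit)

def auc_triplets(ki, n=2):
    """AuC/HLR answer to MAP_SEND_AUTHENTICATION_INFO: n (RAND, SRES, Kc) vectors."""
    return [(r,) + sim_a3_a8(ki, r) for r in (os.urandom(16) for _ in range(n))]

def derive_keys(identity, kcs, nonce_mt):
    """MK = SHA1(identity | n*Kc | NONCE_MT); sub-keys expanded from MK with
    HMAC-SHA1 (an assumed stand-in for the draft's PRF)."""
    mk = hashlib.sha1(identity + b"".join(kcs) + nonce_mt).digest()
    return {k: hmac.new(mk, k, hashlib.sha1).digest()[:16]
            for k in (b"K_int", b"K_encr", b"K_sres")}

def mac(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:16]

def server_challenge(identity, triplets, nonce_mt):
    """AAA server: MAC over the RANDs and peer nonce under K_int. Only a server that
    obtained genuine Kc values from the HLR can compute it (network authentication)."""
    keys = derive_keys(identity, [t[2] for t in triplets], nonce_mt)
    rands = b"".join(t[0] for t in triplets)
    return rands, mac(keys[b"K_int"], rands + nonce_mt), keys

def supplicant_challenge(ki, identity, nonce_mt, rands, server_mac):
    """Mobile host: run the SIM on each RAND, derive the same keys, verify the server
    MAC first; then prove possession of Ki with a MAC over the SRES values."""
    pairs = [sim_a3_a8(ki, rands[i:i + 16]) for i in range(0, len(rands), 16)]
    keys = derive_keys(identity, [kc for _, kc in pairs], nonce_mt)
    if not hmac.compare_digest(mac(keys[b"K_int"], rands + nonce_mt), server_mac):
        return None                                # unauthenticated network: abort
    return mac(keys[b"K_sres"], b"".join(s for s, _ in pairs) + nonce_mt)

def server_verify(keys, triplets, nonce_mt, client_mac):
    expected = mac(keys[b"K_sres"], b"".join(t[1] for t in triplets) + nonce_mt)
    return hmac.compare_digest(expected, client_mac)

def run_eap_sim(ki_sim, ki_auc, identity=b"001010123456789"):
    """Whole exchange (identity is a constructed test-network IMSI); True only when
    each side has authenticated the other."""
    nonce_mt = os.urandom(16)
    triplets = auc_triplets(ki_auc)
    rands, smac, keys = server_challenge(identity, triplets, nonce_mt)
    cmac = supplicant_challenge(ki_sim, identity, nonce_mt, rands, smac)
    return cmac is not None and server_verify(keys, triplets, nonce_mt, cmac)
```

A server that does not hold the subscriber's triplets (second call in the test, different Ki on the AuC side) cannot produce a valid MAC, so the supplicant aborts before revealing any SRES.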
Challenge & Need
• To read data & run authentication algorithm from SIM card
– SIM card logical model & functions
– GemCore
• Build authentication infrastructure in WLAN for EAP-SIM
– 802.1x
– Radius
• To retrieve authentication information from HLR/AuC
– AAA-HLR Gateway (Radius to MAP translation)
SIM Card Logical Model & Functions
• File system in SIM card
– 3GPP TS 11.11 Specs of SIM-ME Interface
• Functions: ATR, PPS, APDU, …
GemCore
• Data exchange between Host & SIM Card
– GemCore
802.1x
• IEEE 802.1x: Port-based Network Access Control
• Three roles: Supplicant, Authenticator and AAA Server
• Works not only on 802.3
• EAP and an authentication server are employed
  – EAP is designed to allow additional authentication methods
  – Centralized user administration
  – Open, extensible and standards based
Figure: "Supplicant" (Host) <-> EAP message over EAPOL (over 802.3, 802.5, 802.11) <-> "Authenticator" (Access Controller, Ethernet Switch etc.; uncontrolled port and controlled port) <-> EAP message over RADIUS (over UDP on 802.3) <-> "AAA Server" (RADIUS)
Stacks of 802.1x-based Method
Figure: protocol stacks
  Supplicant (Mobile Host): EAP Methods / EAP / EAPOL / 802.11
  AP: EAPOL / 802.11
  Authenticator (Access Controller, EAP Relay): RADIUS / UDP / IP / 802.3 toward the AAA server
  AAA Server (Radius AAA Server): EAP Methods / EAP / RADIUS / UDP / IP / 802.3
Radius AAA Server
• Remote Authentication Dial In User Service
  – Radius (RFC 2865)
  – Radius Accounting (RFC 2866)
• Key Features
  – Client / Server model
  – Network security
  – Flexible authentication mechanism (supports PPP, CHAP, …)
  – Extensible protocol (attribute-length-value)
• Codes & Packets
  – 1: Access Request
  – 2: Access Accept
  – 3: Access Reject
  – 11: Access Challenge
Figure: Dial In User -> NAS (Network Access Server, the client of RADIUS) -> RADIUS Server
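An added Python demo (not from the original slides) of the attribute-length-value packet format and the Access-Request / Access-Challenge pair listed above, carrying EAP inside EAP-Message attributes as the 802.1x stack does, together with the Response Authenticator check by which the NAS verifies that a reply really came from a server holding the shared secret. Attribute types 79 (EAP-Message) and 32 (NAS-Identifier) are the standard ones; the secret, the NAS name and the IMSI in the test are constructed.

```python
import hashlib, hmac, os, struct
# Added demo; the shared secret and identities used with it are constructed values.
EAP_MESSAGE, NAS_IDENTIFIER = 79, 32
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def eap_attrs(eap_msg):
    """EAP-Message values hold at most 253 bytes; longer EAP packets are split."""
    return [(EAP_MESSAGE, eap_msg[i:i + 253]) for i in range(0, len(eap_msg), 253)]

def eap_from_attrs(attrs):
    return b"".join(v for t, v in attrs if t == EAP_MESSAGE)  # receiver reassembles

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)                     # Code(1) ID(1) Length(2) Auth(16) AVPs
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    """Strict parse: Length must match the datagram and each attribute must fit."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS Length")
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def access_request(ident, eap_msg, nas_id):
    req_auth = os.urandom(16)                      # NAS: fresh random Request Authenticator
    return build_packet(1, ident, req_auth, [(NAS_IDENTIFIER, nas_id)] + eap_attrs(eap_msg)), req_auth

def access_challenge(ident, req_auth, eap_msg, secret):
    attrs = eap_attrs(eap_msg)                     # server: e.g. EAP-Request/SIM-Start
    return build_packet(11, ident, response_authenticator(11, ident, req_auth, attrs, secret), attrs)

def verify_response(pkt, req_auth, secret):
    # NAS: trust a reply only if its authenticator proves the shared secret
    code, ident, auth, attrs = parse_packet(pkt)
    ok = hmac.compare_digest(auth, response_authenticator(code, ident, req_auth, attrs, secret))
    return ok, CODES.get(code, "unknown"), attrs
```

A reply forged without the secret, or replayed against a different outstanding request, fails the check even though it parses cleanly.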
AAA-HLR Gateway
• Functional Requirement
  – Support Radius to MAP Translation
  – Support EAP Methods
  – Support Diameter Message (Optional)
• System Architecture
Figure: gateway protocol stack. Application layer: GMM, AKA, SIM. Protocol Signaling Translation between EAP / RADIUS on the IP side and MAP on the SS7 side. IP side: IP / Ethernet / NIC driver. SS7 side: MAP / SCCP / MTP Level 3 / MTP Level 2 / T1/E1 card driver.
Radius to MAP Translation
• Procedure Mapping
  Radius - Gateway              Gateway - HLR
  Radius Access Request    ->   Send Authentication Info Request
  Radius Access Challenge  <-   Send Authentication Info Response
• Message Translation
  Input from the RADIUS AAA server: packet type Access-Request
  Output to the HLR: service-primitive type MAP_SEND_AUTHENTICATION_INFO
    Parameter (RADIUS)        Action            Parameter (MAP)   Value
    ……
    EAP-Message attribute M   Mapping & Stored  IMSI C            Get from EAP-Message attribute
    ……
  Input from the HLR: service-primitive MAP_SEND_AUTHENTICATION_INFO_ack
  Output to the RADIUS AAA server: packet type Access-Challenge
    Parameter (MAP)           Action            Parameter (RADIUS)
    ……
    AuthenticationSetList C   Mapping & Stored  EAP-Message attribute M
    ……
Scenario 1: MH with SIM Card
TCC subscriber in P.WLAN deployed by YAM: MH with SIM card
Figure: Mobile Host with SIM card -> Access Point -> Access Controller -> WLAN Radius AAA Server (YAM WLAN) -> IP Networks -> AAA-HLR Gateway -> HLR (TCC Cellular Network: RAN with BSS and RNC, SGSN, GGSN). The IMSI travels from the MH to the gateway, which obtains (RAND/SRES/Kc) from the HLR.
Scenario 2: MH without SIM Card
TCC subscriber in P.WLAN deployed by YAM: MH without SIM card
Figure: same WLAN path as Scenario 1, but the Mobile Host supplies its MSISDN instead of an IMSI; the AAA-HLR Gateway consults the TCC HLR, and a One Time Password is delivered to the subscriber's cell phone over the cellular network.
Signaling Plan
Figure: protocol stacks along the path
  Mobile Host: SIM / EAP / EAP-OW / 802.11 / L1
  Access Controller: EAP-OW / 802.11 / L1 (wireless side); Radius/Diameter / UDP / IP / Ethernet / L1 (wired side)
  AAA Server / AAA-HLR Gateway: SIM / EAP / Radius/Diameter / UDP / IP / Ethernet / L1 (IP side); MAP / TCAP / SCCP / MTP3 / MTP2 / L1 (SS7 side)
  HLR: MAP / TCAP / SCCP / MTP3 / MTP2 / L1
Sequence Diagram
WLAN side (Mobile Host, AP, AC):
  1. MH -> AP: EAPoL_start(null)
  2. AP -> MH: EAP_request(Identity)
  3. MH -> AP -> AC: EAP_response(IMSI)
  4. AC -> MH: EAP_request(SIM-start)
  5. MH -> AC: EAP_response(Nonce)
  6. AC -> MH: EAP_challenge(RAND, Mac); the MH verifies the Mac
  7. MH -> AC: EAP_challenge(Sres)
  8. AC -> AP: Send Key; AP -> AC: Send Key_Ack
  9. AC -> MH: EAP_Success
Core side (AS/Gateway, HLR):
  1. AS/Gateway receives EAP_response(IMSI)
  2. Gateway -> HLR: Restore_Data; HLR -> Gateway: Insert_Subs_Data; Gateway -> HLR: Insert_subs_Data_Ack; HLR -> Gateway: Restore_Data_Ack
  3. Gateway -> HLR: Send Auth_Info(IMSI); HLR -> Gateway: Send Auth_Info_Ack(RAND, SRES, Kc)
  4. AS -> MH: EAP_request(SIM-start); MH -> AS: EAP_response(Nonce)
  5. AS -> MH: EAP_challenge(RAND, Mac); MH -> AS: EAP_challenge(Sres); the AS verifies Sres
  6. AS -> MH: EAP_Success, key
Summary
• Algorithm for WLAN SIM-based authentication is implemented
  – EAP-SIM
• Software to exchange data between the SIM card and the MH is implemented
• Authentication infrastructure in WLAN for EAP-SIM is built
  – 802.1x
  – Radius (FreeRADIUS)
• "Radius to MAP translation" functionality on the AAA-HLR Gateway is implemented