Network Smart Card Performing U(SIM)
Download
Report
Transcript Network Smart Card Performing U(SIM)
Network Smart Card
Performing U(SIM)
Functionalities in AAA
Protocol Architectures
Joaquin Torres, A. Izquierdo, M. Carbonell and J.M. Sierra
Carlos III University of Madrid, Spain
Computer Science Department
Outline
Smart
Devices
Convergence
NGN …?
Introduction
WLANs deployment:
SOHO, campus, residential and public
environments
the number of public hotspots is continuously
proliferating, and this allows the information to
be accessible in any time and any place
3G mobile systems
as a competitive solution
wide geographical area coverage
effective roamings
other advantages:
WISTP 2008, May 13-16, Sevilla
such as reliability, throughput, value-added services
and contents
[email protected]
3
Networks Convergence
However,
expensive investment required by the 3G networks
forces to the operators to look for more profitable and
versatile solutions (leakage of subscribers?)
Comparing features:
WLANs
3G systems
WISTP 2008, May 13-16, Sevilla
provide services with significant transmission rates…
in high demand zones and
when the mobility is not a requirement
high mobility,
wide coverage,
well-established voice services…
…but lower transmission rates, so they are more adequate
for low/medium demand
[email protected]
4
Convergence: 3G/WLAN interworking
WLAN and 3G networks are
complementary: 3G/WLAN interworking
I-3G/WLAN is a clear trend in the public
access infrastructures (PWLAN , Public
Wireless LAN)
3GPP TS 23.234 v7.3.0: 3GPP System to Wireless
Local Area Network (WLAN) Interworking System
Description (September 2006)
WISTP 2008, May 13-16, Sevilla
[email protected]
5
3G/WLAN Interworking features
development of mobile services with high
transmission rates
transparent roaming between both
technologies
e.g. IP-based multimedia services, IMS
smart switching, with the goal: keep initiated
sessions
Ad-hoc user services: QoS
WISTP 2008, May 13-16, Sevilla
profiled subscribers,
preserving the quality of services.
[email protected]
6
3G/WLAN Authentication
Infrastructure
Subscriber
User’s multimode devices
must be authenticated before her access to
network services is authorized
personalized credentials
e.g. laptops, smartphones, PDAs, etc.
require the appropriate secure module
Solution:
WISTP 2008, May 13-16, Sevilla
the authentication schemes are based on a
combination of the solutions that were initially
supported by these two systems.
[email protected]
7
3G/WLAN: authentication
convergence
SIM-based solution, simultaneously inherit from:
WLAN systems: EAPoL-based (i.e. 802.1X/EAP, RADIUS
or DIAMETER)
chip card-based U(SIM) inherited from stand-alone 3G
systems
authentication schemes supported by 3GPP subscriber
registers (i.e. HLR/HSS)
Advantages…
WISTP 2008, May 13-16, Sevilla
Devices are ready!
User is accustomed to SIM
Module/HW secure
3G/WLAN Netw. Operators do not require additional
security credentials
[email protected]
8
3G/WLAN Reference Model
Intranet / Internet
Visited 3GPP Network
3GPP AAA
Proxy
Offline
Charging
System
Red
de Acceso
WLAN
AccessWLAN
Network
WLAN UE
3GPP TS 23.234 v7.3.0: 3GPP System to Wireless Local Area Network
(WLAN) Interworking System Description (September 2006)
ETSI TS 133 234 V7.5.0, 3GPP System to Wireless Local Area Network
(WLAN) Interworking Security System (June 2007)
3GPP
Access
WLAN/
Acceso
IP WLAN/IP3GPP
WAG
SLF
3GPP AAA
Server
HSS
HLR
Packet Data
Gateway
OCS
Offline
Charging
System
Home 3GPP Network
Internet
WISTP 2008, May 13-16, Sevilla
[email protected]
9
3G Mobile Systems Authentication: AKA
U(SIM)
3G MS
RNS
3G-SGSN
HLR/AuC
{RAND,XRES,CK, IK, AUTN} =f(IMSI)
AUTH[{RAND||CK|| IK|| AUTN}]
{RAND||CK|| IK|| AUTN}
Verifies MAC by f1
Decrypts SQN by f5
Checks freshness SQN
RES= f2(K, RAND)
RES
RES
Derives CK by f3
Derives IK by f4
RES
=?
XRES
WISTP 2008, May 13-16, Sevilla
[email protected]
10
Example scenario:
convergence authentication
AAA
SERVER
Proxy
AAA
Home WLAN
gateway
Visited WLAN
Proxy
AAA
3G-SGSN
HLR/AuC
Home 3G Network
WISTP 2008, May 13-16, Sevilla
[email protected]
11
3G/WLAN: convergence in
authentication
EAP-SIM and EAP-AKA
U(SIM)
SIM-based authentication schemes
standardized protocols
End-to-end mutual authentication between the mobile
station and the backend authentication server
EAP-SIM/AKA
EAP-SIM/AKA
EAP
EAPoL
802.11
WLAN MS
EAP
EAP
RADIUS/DIAMETER
Client
RADIUS/DIAMETER
Proxies
RADIUS/DIAMETER
Server
UDP/IP
UDP/IP
UDP/IP
L2/L1
L2/L1
L2/L1
EAPoL
802.11
AP
WLAN DOMAIN
WISTP 2008, May 13-16, Sevilla
[email protected]
Network AAA
Proxies
3G AAA Server
WAN DOMAIN + CELLULAR NETWORK
12
A quick trust analysis
both devices blindly trust each other
they behave as an unique supplicant
this is not a by default recommendable
assumption
the authentication scheme should be designed
to protect against any potential scenario
e.g.WLAN MS is an a priori untrustworthy
terminal.
Conclusion:
WISTP 2008, May 13-16, Sevilla
additional authentication mechanisms should be
provided?
[email protected]
13
Stand-alone device…stand-alone suplicant
Smart
Cards
Multimode
MS
WLAN
AAA
Internet
IP-based
AAA
Other Services
User
PSTN
Dedicated-lines
3GPP
Supplicant Device
WISTP 2008, May 13-16, Sevilla
Access Device
Access Network
[email protected]
Core Network
AAA services
14
Motivation
Our new approach starts from a different
authentication model that considers:
an isolated U(SIM) with autonomy during the
authentication process.
participates as stand-alone supplicant or claimant, and
not relies on the access terminal (i.e. WLAN mobile station)
for this functionality.
Additionally, this work assumes an a priori
untrustworthy environment:
WISTP 2008, May 13-16, Sevilla
the WLAN MS is considered as a potential attacker.
Hence, the WLAN MS should be authenticated by the
network as a different host from U(SIM).
Required: Device Authentication previous to SM
[email protected]
15
Goals
To define an AAA architecture, which
represents a more robust and flexible
solution in terms of security.
Feasible for untrustworthy environments
To provide efficient SIM-based mobile
stations’ customization or personalization
in critical or public environments.
Authentication Convergence (Smart Device, Convergence (netw1,netw2))
WISTP 2008, May 13-16, Sevilla
[email protected]
16
Our Network Smart Card
concept
In a previous work, we proposed a
Network Smart Card (NSC) with
authentication purposes:
WISTP 2008, May 13-16, Sevilla
Atomic smart card authentication protocol
design: the authentication protocol should be
designed as an integral part of the smart card.
We propose a specific protocol stack for the
card
End-to-end mutual authentication schema: the
smart card participates as a communication
extreme.
IETF Layer 2 authentication (IP layer is not
required)
[email protected]
17
…details
Our Network Smart Card (NSC) approach
EAP-type=EAP-AKA
EAP-type
EAP
EAP pass-through
PPP
PPP
ISO7816
ISO7816
Supplicant
Smart Card
Terminal
• Pass-through authenticator
according to EAP (acc. IETF)
• AP/ NAS EAP-based
Other approaches…
WISTP 2008, May 13-16, Sevilla
[email protected]
18
Related Work
EAP-SIM/AKA solutions:
many works but focused on 3G/WLAN interworking
security (network side)
usually, problems derived from original SIM/AKA
protocols
Alternatives: EAP-TTLS, EAP-TLS, etc.
Assumption about the (U)SIM-WLAN_UE trust
relationship
blind trust: they behave as an unique supplicant
Summarized:
WISTP 2008, May 13-16, Sevilla
U(SIM) stores the corresponding subscriber
authentication credentials
And computes the envisaged cryptographic algorithms in
SIM/AKA protocols, on the behalf of mobile station.
[email protected]
19
Related Work
Versatile solutions are missed
Example: consider an U(SIM) that may be
an external smart card that customizes
(temporal personalization) a public wireless
terminal for a 3G/WLAN access.
In such a case, the U(SIM) behaviour as an
stand-alone supplicant is highly
recommendable. So it should be isolated
and protected.
WISTP 2008, May 13-16, Sevilla
[email protected]
20
New NSC-based AAA Protocol
Architecture in 3G/WLAN
EAP-AKA
EAP-AKA
EAP
EAP
PPP
PPP
ISO7816
ISO7816
NSC-based
U(SIM)
WISTP 2008, May 13-16, Sevilla
EAP
DIAMETER
Client
DIAMETER Proxies
DIAMETER
Server
UDP/IP
UDP/IP
UDP/IP
L2/L1
L2/L1
802.11
WLAN MS
802.11 L2/L1
AP Bridge
[email protected]
Network
AAA
Proxies
3G AAA
Server
21
Features
U(SIM) remote authentication scheme:
stand-alone supplicant functionality instead of
split supplicant functionality: the U(SIM) and
WLAN MS does not cooperate in the
authentication process as an unique device.
the authentication protocol stack is designed as
an integral part of the U(SIM) (atomic design)
to participate as actual endpoint in the
authentication process with a 3G AAA server.
EAP-AKA
EAP
PPP
ISO7816
NSC-based
U(SIM)
WISTP 2008, May 13-16, Sevilla
[email protected]
22
…features
Minimal changes in the original architecture
3G network side does not require changes
proxies and end-equipments keep settings and
implementation features.
EAP-AKA
EAP
DIAMETER Proxies
DIAMETER
Server
UDP/IP
UDP/IP
L2/L1
L2/L1
Network AAA
Proxies
WISTP 2008, May 13-16, Sevilla
3G AAA Server
[email protected]
23
..features
WLAN Mobile Station participates as a
Network Access Server (NAS) implementing
the role of pass-through authenticator as a
DIAMETER client
This reinforces the stand-alone supplicant
functionality in the U(SIM), since WLAN MS
cannot act as supplicant and authenticator at
the same time for the same U(SIM).
EAP
PPP
ISO7816
DIAMETER
Client
UDP/IP
802.11
WLAN MS
WISTP 2008, May 13-16, Sevilla
[email protected]
802.11 L2/L1
AP Bridge
24
…features
U(SIM) isolation:
Our architecture takes advantage of the
functions of the LCP protocol (i/ PPP):
advantages with regard to assure the security
of the entire scheme in untrustworthy
scenarios.
LCP/PPP protocol may be easily hosted in the
U(SIM) stack.
EAP was initially designed for PPP
EAP Layer allows:
WISTP 2008, May 13-16, Sevilla
packets exchange between the EAP-SIM/AKA
methods and LCP frames
duplication and retransmissions control.
[email protected]
25
Authentication Flow in our AAA
Architecture
3G AAA
Server
WLAN
MS
NSC-based
U(SIM)
0. EAP Request/Identity
1. PPP/EAP Request/Identity
2. PPP/EAP Response/Identity [IMSI or Pseudonym]
3. DIAMETER/EAP Response/Identity [IMSI or Pseudonym]
4. DIAMETER/EAP Request/AKA-Challenge [RAND, AUTN, MAC, Encrypted ID]
5. PPP/EAP Request/AKA-Challenge [RAND, AUTN, MAC, Encrypted ID]
6. PPP/EAP Response/AKA-Challenge [RES, MAC]
7. DIAMETER/EAP Response/AKA-Challenge [RES, MAC]
XRE
S=?
RES
8. Validation
9. DIAMETER/EAP Success
10. PPP/EAP Success
11. Secure channel establishment
WISTP 2008, May 13-16, Sevilla
[email protected]
26
Security and Trust Issues
We are not proposing a new U(SIM)
authentication protocol in the context of
3G/WLAN interworking.
Our architecture is designed by well-known
protocols that are implemented inside the
U(SIM) with a novel approach.
new way to transport authentication messages
between the U(SIM) and a 3G AAA server
and U(SIM) takes the control in the user side.
Security weakness and threats are derived
by the own nature of such standardized
protocols and the correctness of their
implementation.
WISTP 2008, May 13-16, Sevilla
[email protected]
27
Security and Trust Issues
new secure algorithms, key material or
cryptographic techniques are not required
The implementation of the EAP-AKA
method is transparently reused, both in the
U(SIM) side and in the 3G AAA Server side.
WISTP 2008, May 13-16, Sevilla
[email protected]
28
Trust Models
Relevant impact of our proposal is related
to the trust models
Trust model, derived from the original AAA
protocol architecture in a 3G/WLAN
interworking scenario:
explicit
blind
U(SIM)
User Domain
WISTP 2008, May 13-16, Sevilla
WLAN
nAUT
MS
implicit
AP
explicit
Proxie
s
AAA
3GPP
Server
Public Domain, untrustworthy environment
[email protected]
29
Our Trust Model
“blind trust” assumption should not be applied to
all scenarios and a more flexible solution is
required
Our goal: to introduce a more realistic
architecture, which a new trust model is derived
from
explicit
U(SIM)
implicit
WLAN
nAUT
MS
implicit
AP
explicit
Proxie
s
AAA
3GPP
Server
explicit
User Domain
WISTP 2008, May 13-16, Sevilla
Public Domain, untrustworthy environment
[email protected]
30
Our Trust Model
the trust relationship between the WLAN
MS and the 3G AAA server is supported by
DIAMETER protocol
the WLAN MS is part of the network and it
behaves as an Access Point for the U(SIM)
just when U(SIM) and 3G AAA server
mutually trust each other, then U(SIM)
trusts WLAN MS.
WISTP 2008, May 13-16, Sevilla
Our AAA architecture aims to provide
robustness with this goal
This is a reasonable result in a priori
untrustworthy scenarios
[email protected]
31
Implementation and Testbed
Testbed for the AAA network architecture for NSCbased U(SIM)
Implemented by means of the OpenDiameter
libraries: C++ API both to EAP and Diameter EAP
Network AAA Proxy
NSC-based U(SIM)
WLAN MS
DIAMETER Client
3G AAA
Diameter
Server
WISTP 2008, May 13-16, Sevilla
[email protected]
32
Details about implementation
3G AAA Server: back-end authentication server is basically
implemented by:
Network AAA proxy
the libdiametereap and libeap libraries. The Diameter EAP API
is extensible and allows define authorization (DEA attributes
EAP API is extended in order to support EAP-AKA method.
OpenSSL library (partially included) provides a set of AKA
cryptographic functionalities.
For simplicity’s sake, the implementation of functions f3 and f4
has not been carried out.
standard Diameter base protocol procedure relay version
(Diameter proxy) is provided by the libdiameter.
Allows to complete the implementation of the protocol stack in
a layer 2 wireless Access Point.
WLAN MS
WISTP 2008, May 13-16, Sevilla
common laptop - IEEE 802.11g wireless interface.
functionality of NAS (Diameter client) is provided by the
implementation of the libdiametereap library.
[email protected]
33
Details about implementation
Network Smart Card with U(SIM) functionalities
JavaCard: bulk LCP/EAP protocol stack -according to the
standardized state-machines
enhancing with a set of functionalities corresponding EAP-AKA
method.
CK and IK derivation, as well as, synchronization and reauthentication functionalities have been avoided with testbed
experiments purposes.
eapReqData
RECEIVED
SEND_RESPONSE
(rxReq, rxSuccess, rxFailure, reqId, reqMethod) =
parseEapReq(eapReqData)
lastId = reqId
lastRespData = eapRespData
eapReq = FALSE
eapResp = TRUE
GET_METHOD
if (allowMethod(reqMethod)) {
aka.Method = reqMethod
methodState = INIT
} else {
eapRespData = buildNak(reqId)
}
WISTP 2008, May 13-16, Sevilla
eapRespData
[email protected]
AKA_METHOD
ignore = aka.check(eapReqData)
if (!ignore) {
(methodState, decision, allowNotifications) =
aka.process(eapReqData)
eapRespData = aka.buildResp(reqId)
if (aka.isKeyAvailable())
eapKeyData = aka.getKey()
}
34
Conclusion
Our testbed shows the feasibility and robustness of the
proposed NSC-based AAA protocol architecture for 3G/WLAN
interworking scenarios.
Standardized EAP-AKA protocol is transparently implemented
in a common U(SIM), which participates as stand-alone
supplicant (NSC-based U(SIM))
A novel trust model that assumes an a priori untrustworthy
environment is defined
Therefore, our approach represents a more flexible solution
in terms of security.
Beyond these benefits, it also may provide efficient mobile
stations’ customization or personalization in critical or public
environments.
Further works:
WISTP 2008, May 13-16, Sevilla
Study and complete EAP-AKA functionalities
New EAP-types methods
[email protected]
35
Network Smart Card
Performing U(SIM)
Functionalities in AAA
Protocol Architectures
Thank you for your attention!
Questions/Comments?
WISTP 2008, May 13-16, Sevilla
[email protected]
36