X31-20031208-030 Samsung_SKT BCMCS stg


X31-20031208-xxx Samsung_SKT BCMCS stg-2 UATK.doc

3GPP2 TSG-X PDS

TITLE: BCMCS User Authentication Service Authorization Token (UATK)

SOURCE: JUNHYUK SONG, (82)+31-279-3639, junhyuk@telecom.samsung.co.kr; JH Park, joehoon@sktelecom

ABSTRACT: This contribution proposes the stage 2 descriptions of BCMCS User Authentication and Service Authorization.

RECOMMENDATION: Review and adopt.

Notice

SAMSUNG Incorporated grants a free, irrevocable license to 3GPP2 and its Organization Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner’s name any Organizational Partner’s standards publication even though it may include portions of the contribution; and at the Organization Partner’s sole discretion to permit others to reproduce in whole or in part such contributions or the resulting Organizational Partner’s standards publication.

SAMSUNG Incorporated is also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner’s standard which incorporates this contribution.

This document has been prepared by SAMSUNG Incorporated to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on SAMSUNG Incorporated. SAMSUNG Incorporated specifically reserves the right to amend or modify the material contained herein and nothing herein shall be construed as conferring or offering licenses or rights with respect to any intellectual property of SAMSUNG Incorporated other than provided in the copyright statement above.


1. Introduction

For BCMCS bearer path setup, the BCMCS Registration message may need to be authenticated and authorized. A method using an authorization signature generated at the MS from the BAK has been proposed; however, using BAK_HASH may produce a mismatch between the user subscription information and the BAK lifetime.

Once the MS has obtained the BAK and the related session information, the authorization and session information are expected to remain valid for the entire BAK lifetime, and the BAK lifetime need not coincide with the user's BCMCS subscription profile (for example, the user cancels the service, a monthly subscription payment is overdue, or the service is pre-paid). This contribution provides a method for user authentication and an authorization signature. In the proposed mechanism, a per-user BCMCS user authentication token enables user authentication that implicitly provides service authorization.


2. UATK (User Authentication Token) Mechanism

The UATK mechanism is based on user authentication that implicitly provides service authorization.

If the network requires it, the MS shall generate the UATK (User Authentication Token) according to the following rules:

User_Token = (MIN | Counter | cdma2000 System Time)


Figure 1 UATK Generation (diagram not reproduced: BAK, BAK_Length, User_Token = (MIN | Counter | cdma system time) and MAC_Length (4 octets) are the inputs to EHMAC-SHA-1, whose output is the Auth Signature, a 32-bit MAC)

MIN: Mobile Identification Number parsed from BCMCS_NAI.

BCMCS_NAI: MIN@home_domain, securely stored in the UIM upon subscription to BCMCS.

CDMA System Time: The cdma system time corresponding to a time that is no later than when the Physical Layer will begin transmission of the BCMCS Registration message that will carry this UATK. The MS shall use the same system time for computing the UATK for all BCMCS flows included in a BCMCS Registration message.


EHMAC-SHA-1: SHA-1 based hash algorithm specified in section 2.1.2 of S.S0078 (Common Security Algorithms).

BAK: The Broadcast Access Key for the BCMCS Flow requested by the MS.

BAK_LENGTH: The length of BAK.

Counter: The counter value. The counter is increased by 1 every time the MS sends a BCMCS Registration message. The counter shall be maintained modulo 2^Counter_Length. The initial value is set to 0.

The MS includes MIN, Counter, BAK_ID (the identity of the BAK used to generate the Auth Signature (MAC) for this BCMCS Flow), cdma system time short (the CDMASystemTimeShortLength least significant bits of the cdma system time used to generate the Auth Signature), and UATK in a BCMCS Registration message. Upon receiving the BCMCS Registration message, the RAN derives the cdma system time from the cdma system time short and then passes MIN, Counter, BAK_ID, the cdma system time, and UATK to the PDSN that is providing the BCMCS multicast IP flows. The PDSN then forms BCMCS_NAI (MIN@Home_domain) and transfers the parameters to the BCMCS Controller. Upon receiving the authorization parameters, the BCMCS Controller computes the UATK using the same inputs and algorithm described above and compares it with the UATK received from the MS. If they match, user authentication and service authorization are successful.


2.1 Authentication and Authorization Call Flow for Home Network

This section describes the call flow for BCMCS user authentication and authorization for an MS located in its home network.

Figure 2 UATK Call Flow for MS Located in Home Network

(Sequence diagram not reproduced. Participants: MS/UIM, BSC, PCF, PDSN, Home AAA, BCMCS Controller. Messages in figure order:)

1. Information Acquisition ((BAK, BAK_ID, BAK_lifetime)TK, BCMCS Session info) between the MS and the BCMCS Controller
2. Registration (UATK, MIN, BCMCS_FLOW_ID, Counter, least significant bits of System_Time) from the MS to the BSC
3. IOS Message (UATK, MIN, BCMCS_FLOW_ID, Counter, System_Time) from the BSC to the PCF
4. IOS Message (UATK, MIN, BCMCS_FLOW_ID, Counter, System_Time) from the PCF to the PDSN
5. Access Request (UATK, BCMCS_Flow_ID, Counter, System_Time) from the PDSN to the Home AAA
6. Access Request (UATK, BCMCS_Flow_ID, Counter, System_Time) from the Home AAA to the BCMCS Controller
7. Access Accept (ok) from the BCMCS Controller to the Home AAA
8. Access Accept (ok) from the Home AAA to the PDSN
9. IOS Message (ok) from the PDSN to the PCF
10. IOS Message Reply (ok) from the PCF to the BSC

1. Perform Information Acquisition after BCMCS Controller Discovery. During Information Acquisition the MS receives the BCMCS Session Information, including multicast IP address, port number, BCMCS_FLOW_ID, header compression, framing info, encryption info, BAK, and BAK_ID.

2. The MS concatenates MIN, Counter, and CDMA System Time to form the User Token. The MS then computes the UATK from BAK, BAK_Length, User Token, and MAC_Length through the EHMAC-SHA-1 function, and includes MIN, Counter, cdma system time short (the CDMASystemTimeShortLength least significant bits of the cdma system time used to generate the Auth Signature), BAK_ID, and UATK in a BCMCS Registration message.

3~4. Upon receiving the BCMCS Registration message, the RAN derives the cdma system time from the cdma system time short and then passes MIN, Counter, BAK_ID, cdma system time, and UATK to the PDSN over IOS messages.

5. The PDSN forms BCMCS_NAI (MIN@Home_domain) from the MIN (Mobile Identification Number) and the home domain, and sends the parameters received over IOS in a RADIUS Access Request message to the BCMCS Controller through the Home AAA for BCMCS authentication and authorization. (Note: the Home AAA routes every Access Request carrying a BCMCS_NAI to the BCMCS Controller.)


6. Upon receiving the Access Request, the BCMCS Controller looks up the BAK by BAK_ID, concatenates MIN, Counter, and CDMA System Time to form the User Token, and computes the UATK. The BCMCS Controller compares the generated UATK with the UATK received from the MS. If they match and the user profile information is up to date, user authentication and service authorization are successful.

7~8. If the user's subscriber profile allows it (e.g. no payment overdue), the BCMCS Controller sends an Access Accept to the PDSN through the Home AAA.

9~10. Upon receiving the RADIUS Access Accept, the PDSN sends an authentication and authorization 'accept' to the RAN.
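The following is an added worked example, not code from this contribution or from 3GPP2: it implements the UATK computation of section 2 on the MS side and the verification performed by the BCMCS Controller in step 6 of the call flow above, with the RAN's reconstruction of the full cdma system time from its short form (steps 3~4) and the PDSN forming BCMCS_NAI (step 5). Everything not fixed by the contribution is an assumption: Counter_Length (16 bits), CDMASystemTimeShortLength (12 bits), a 36-bit system time, the byte encoding of User_Token, the rule the RAN uses to expand the short time, and the freshness and counter-replay checks at the controller. Plain HMAC-SHA-1 from the Python standard library stands in for the EHMAC-SHA-1 of S.S0078, and all keys, identifiers and clock values are constructed sample data.

```python
"""UATK generation at the MS and verification at the BCMCS Controller (added example).
Widths, token encoding, the RAN time-reconstruction rule and the replay/freshness checks
are assumptions; plain HMAC-SHA-1 stands in for the EHMAC-SHA-1 of S.S0078."""
import hashlib
import hmac

COUNTER_LENGTH = 16       # Counter_Length in bits (assumed value)
SHORT_TIME_LENGTH = 12    # CDMASystemTimeShortLength in bits (assumed value)
MAC_LENGTH = 4            # MAC_Length in octets: the 32-bit Auth Signature
MAX_AGE = 3               # accepted age of the MS time stamp, in system time units (assumed)


def user_token(min_digits: str, counter: int, system_time: int) -> bytes:
    """User_Token = (MIN | Counter | cdma system time), big-endian fields (assumed encoding)."""
    return (min_digits.encode("ascii")
            + counter.to_bytes(COUNTER_LENGTH // 8, "big")
            + system_time.to_bytes(5, "big"))          # 5 octets hold a 36-bit system time


def compute_uatk(bak: bytes, token: bytes) -> bytes:
    """Keyed MAC over User_Token with BAK, truncated to MAC_Length octets."""
    return hmac.new(bak, token, hashlib.sha1).digest()[:MAC_LENGTH]


class MobileStation:
    """Step 2 of the call flow: form the token and sign it with the BAK."""

    def __init__(self, bcmcs_nai: str, bak: bytes, bak_id: int):
        self.min_digits = bcmcs_nai.split("@", 1)[0]  # MIN parsed from BCMCS_NAI
        self.bak, self.bak_id = bak, bak_id
        self.counter = 0                                # initial value 0

    def registration(self, system_time: int) -> dict:
        counter = self.counter
        self.counter = (counter + 1) % (1 << COUNTER_LENGTH)  # modulo 2^Counter_Length
        uatk = compute_uatk(self.bak, user_token(self.min_digits, counter, system_time))
        return {"MIN": self.min_digits, "Counter": counter, "BAK_ID": self.bak_id,
                "SysTimeShort": system_time & ((1 << SHORT_TIME_LENGTH) - 1),
                "UATK": uatk}


def ran_expand_system_time(short_time: int, ran_time: int) -> int:
    """Steps 3~4: rebuild the full cdma system time from its low bits. Assumed rule: the
    latest value not after the RAN clock whose low bits match (the MS stamps the token no
    later than transmission, so the true value cannot lie in the future)."""
    period = 1 << SHORT_TIME_LENGTH
    candidate = (ran_time & ~(period - 1)) | short_time
    return candidate - period if candidate > ran_time else candidate


class BcmcsController:
    """Step 6: recompute the UATK and check that the subscription profile is current."""

    def __init__(self, baks: dict, subscribers: dict):
        self.baks = baks                # BAK_ID -> BAK
        self.subscribers = subscribers  # BCMCS_NAI -> True while the profile is current
        self.last_counter = {}          # BCMCS_NAI -> last accepted Counter (replay check, an addition)

    def access_request(self, nai: str, counter: int, bak_id: int,
                       system_time: int, uatk: bytes, now: int) -> str:
        bak = self.baks.get(bak_id)
        if bak is None:
            return "reject: unknown BAK_ID"
        expected = compute_uatk(bak, user_token(nai.split("@", 1)[0], counter, system_time))
        if not hmac.compare_digest(expected, uatk):
            return "reject: UATK mismatch"
        if not self.subscribers.get(nai, False):
            return "reject: subscription profile not current"
        # Not stated in the contribution: without freshness and replay checks a captured
        # Registration would verify for the whole BAK lifetime.
        if not 0 <= now - system_time <= MAX_AGE:
            return "reject: stale system time"
        if counter <= self.last_counter.get(nai, -1):  # wrap at 2^Counter_Length not handled
            return "reject: counter replay"
        self.last_counter[nai] = counter
        return "accept"


def run_flow() -> dict:
    """Drive the home-network call flow with constructed sample data."""
    home_domain, bak_id = "home.example", 7
    bak = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed BAK
    nai = "6175551234@" + home_domain                         # constructed BCMCS_NAI
    ms = MobileStation(nai, bak, bak_id)
    ctrl = BcmcsController({bak_id: bak}, {nai: True})
    ran_clock = 0x123456789                                  # RAN's cdma system time (constructed)

    def pdsn_to_controller(reg: dict, now: int, uatk: bytes = None) -> str:
        sys_time = ran_expand_system_time(reg["SysTimeShort"], now)   # RAN, steps 3~4
        formed_nai = reg["MIN"] + "@" + home_domain                    # PDSN, step 5
        return ctrl.access_request(formed_nai, reg["Counter"], reg["BAK_ID"], sys_time,
                                   reg["UATK"] if uatk is None else uatk, now)

    reg1 = ms.registration(ran_clock - 1)   # MS stamps the token just before sending
    results = {"genuine": pdsn_to_controller(reg1, ran_clock)}
    results["replayed"] = pdsn_to_controller(reg1, ran_clock + 1)
    results["forged_uatk"] = pdsn_to_controller(ms.registration(ran_clock + 2),
                                               ran_clock + 2, uatk=bytes(MAC_LENGTH))
    ctrl.subscribers[nai] = False           # e.g. monthly payment overdue
    results["cancelled"] = pdsn_to_controller(ms.registration(ran_clock + 3), ran_clock + 3)
    return results


if __name__ == "__main__":
    print(run_flow())
```

Running the block exercises four cases: a genuine registration is accepted; the same registration resubmitted is rejected on the counter (the MAC itself still verifies, which is why the controller needs state beyond what the contribution specifies); a registration with a forged UATK fails the MAC comparison; and a valid UATK from a user whose profile is no longer current is rejected, which is the property the contribution is after, since the BAK alone would still be valid for its whole lifetime.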

3. Recommendation

Accept the use of UATK for BCMCS user authentication and service authorization.
