X31-20031208-xxx Samsung_SKT BCMCS stg-2 UATK.doc
TITLE:
SOURCE:
JUNHYUK SONG
(82)+31-279-3639 junhyuk@telecom.samsung.co.kr
JH Park joehoon@sktelecom
ABSTRACT: This contribution proposes the stage 2 description of BCMCS User Authentication and Service Authorization.
RECOMMENDATION: Review and adopt
Notice
SAMSUNG Incorporated grants a free, irrevocable license to 3GPP2 and its Organization Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner’s name any Organizational Partner’s standards publication even though it may include portions of the contribution; and at the Organization Partner’s sole discretion to permit others to reproduce in whole or in part such contributions or the resulting Organizational Partner’s standards publication.
SAMSUNG Incorporated is also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner’s standard which incorporates this contribution.
This document has been prepared by SAMSUNG Incorporated to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on SAMSUNG Incorporated. SAMSUNG Incorporated specifically reserves the right to amend or modify the material contained herein and nothing herein shall be construed as conferring or offering licenses or rights with respect to any intellectual property of SAMSUNG Incorporated other than provided in the copyright statement above.
1
PDS
For BCMCS bearer path setup, the BCMCS Registration message may need to be authenticated and authorized. A method using an authorization signature generated at the MS based upon the BAK has been proposed; however, use of BAK_HASH may result in a mismatch between the user subscription information and the BAK lifetime.
Once the MS has obtained the BAK and related session information, the authorization and session information are supposed to be valid during the entire BAK lifetime, and the BAK lifetime does not necessarily match the user's BCMCS subscription profile (e.g. the user cancels the service, the monthly subscription payment is overdue, or the pre-paid service case). This contribution provides a method for user authentication and an authorization signature. In the proposed mechanism, a per-user BCMCS user authentication token enables user authentication that implicitly provides service authorization.
UATK mechanism based on user authentication that implicitly provides service authorization.
If the network requires it, the MS shall generate the UATK (User Authentication Token) according to the following rules:
User Token = (MIN | Counter | cdma2000 System Time)
Figure 1 UATK Generation
MIN: Mobile Identification Number parsed from the BCMCS_NAI.
BCMCS_NAI: MIN@home_domain, securely stored in the UIM upon subscription to BCMCS.
CDMA System Time: The cdma system time corresponding to a time that is no later than when the Physical Layer will begin transmission of the BCMCS Registration message that will carry this UATK. The MS shall use the same system time for computing the UATK for all BCMCS flows included in a BCMCS Registration message.
EHMAC-SHA-1: SHA-1 based hash algorithm specified in section 2.1.2 of S.S0078 (Common Security Algorithms).
BAK: The Broadcast Access Key for the BCMCS Flow requested by the MS.
BAK_LENGTH: The length of BAK.
Counter: The counter value. The counter is increased by 1 every time the MS sends a BCMCS Registration message. The counter shall be maintained modulo 2^Counter_Length. The initial value is set to 0.
The MS includes MIN, Counter, BAK_ID (the identity of the BAK used to generate the Auth Signature (MAC) for this BCMCS Flow), cdma system time short (the CDMASystemTimeShortLength least significant bits of the cdma system time used to generate the Auth Signature), and UATK in a BCMCS Registration message. Upon receiving the BCMCS Registration message, the RAN derives the cdma system time from the cdma system time short and then passes MIN, Counter, BAK_ID, and the cdma system time to the PDSN that is providing the BCMCS Multicast IP flows. The PDSN then forms the BCMCS_NAI (MIN@Home_domain) and transfers these parameters to the BCMCS Controller. Upon receiving the authorization parameters, the BCMCS Controller computes the UATK using the same inputs and algorithm described above, and compares it with the UATK received from the MS. If the results match, User Authentication and Service Authorization are successful.
This section describes the call flow for BCMCS User Authentication and Authorization for an MS located in the Home network.
[Figure 2 (call flow diagram). Entities: MS/UIM, BSC, PCF, PDSN, Home AAA, BCMCS Controller, with a Timer. Messages in the order shown:
1. Information Acquisition with ((BAK, BAK_ID, BAK_lifetime)TK, BCMCS Session info)
2. Registration (UATK, MIN, BCMCS_FLOW_ID, Counter, least significant bits of System_Time)
3. IOS Message (UATK, MIN, BCMCS_FLOW_ID, Counter, System_Time)
4. IOS Message (UATK, MIN, BCMCS_Flow_ID, Counter, System_Time)
5. Access Request (UATK, BCMCS_Flow_ID, Counter, System_Time)
6. Access Request (UATK, BCMCS_Flow_ID, Counter, System_Time)
7. Access Accept (ok)
8. Access Accept (ok)
9. IOS Message (ok)
10. IOS Message Reply (ok)]
Figure 2 UATK Call flow for MS located in Home Network
1. Perform Information Acquisition after BCMCS Controller Discovery. During Information Acquisition the MS receives BCMCS Session Information including Multicast IP address, port number, BCMCS_FLOW_ID, Header Compression, Framing info, Encryption info, BAK, and BAK_ID.
2. The MS shall concatenate MIN, Counter, and CDMA System Time to form the User Token. The MS then computes the UATK through the EHMAC-SHA-1 function with inputs BAK, BAK_Length, User Token, and MAC_Length, and includes MIN, Counter, cdma system time short (the CDMASystemTimeShortLength least significant bits of the cdma system time used to generate the Auth Signature), BAK_ID, and UATK in a BCMCS Registration message.
3~4. Upon receiving the BCMCS Registration message, the RAN derives the cdma system time from the cdma system time short and then passes MIN, Counter, BAK_ID, cdma system time, and UATK to the PDSN over IOS messages.
5. The PDSN then forms the BCMCS_NAI (MIN@Home_domain) from the MIN (Mobile Identification Number) and the home domain, and sends the parameters received over IOS in a RADIUS Access Request message to the BCMCS Controller through the Home AAA for BCMCS authentication and authorization. (Note: the Home AAA will route every Access Request carrying a BCMCS_NAI to the BCMCS Controller.)
6. Upon receiving the Access Request, the BCMCS Controller looks up the BAK by BAK_ID, concatenates MIN, Counter and CDMA System Time to form the User Token, and computes the UATK. The BCMCS Controller compares the generated UATK value with the UATK received from the MS. If the results match and the user profile information is up to date, user authentication and service authorization are successful.
7~8. If the user's subscriber profile allows it (e.g. no payment overdue), the BCMCS Controller then sends an Access Accept to the PDSN through the Home AAA.
9~10. Upon receiving the RADIUS Access Accept, the PDSN sends Authentication and Authorization ‘accept’ to the RAN.
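Added example (not part of this contribution or of any 3GPP2 specification) modelling the UATK generation described in the mechanism section and its verification in steps 2 through 6 of the call flow. It substitutes plain HMAC-SHA-1 truncated to MAC_Length for the S.S0078 EHMAC-SHA-1 primitive, and the field encodings, lengths, the RAN's rule for recovering the full system time and the Counter replay check are assumptions; the BAK, MIN and times are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed parameters (assumptions, not values taken from the contribution).
COUNTER_LENGTH = 16      # Counter is maintained modulo 2**COUNTER_LENGTH
SYSTIME_SHORT_LEN = 8    # CDMASystemTimeShortLength: LSBs of system time sent over the air
MAC_LENGTH = 4           # MAC_Length: UATK size in bytes (assumed)

def user_token(min_id: str, counter: int, system_time: int) -> bytes:
    """User Token = MIN | Counter | cdma2000 System Time (plain concatenation)."""
    ctr = struct.pack(">H", counter % (1 << COUNTER_LENGTH))
    return min_id.encode("ascii") + ctr + struct.pack(">Q", system_time)

def uatk(bak: bytes, token: bytes, mac_length: int = MAC_LENGTH) -> bytes:
    """Stand-in for EHMAC-SHA-1(BAK, BAK_LENGTH, User Token, MAC_Length) of S.S0078:
    HMAC-SHA-1 truncated to mac_length bytes (assumption, not the S.S0078 construction)."""
    return hmac.new(bak, token, hashlib.sha1).digest()[:mac_length]

def ms_register(min_id, bak, bak_id, counter, system_time):
    """MS side (step 2): fields carried in the BCMCS Registration message."""
    tag = uatk(bak, user_token(min_id, counter, system_time))
    short = system_time & ((1 << SYSTIME_SHORT_LEN) - 1)   # cdma system time short
    return {"UATK": tag, "MIN": min_id, "BAK_ID": bak_id,
            "Counter": counter, "SysTimeShort": short}

def ran_expand_time(short, ran_time):
    """RAN side (steps 3-4): recover the full system time from its LSBs, assuming the MS
    used the most recent time not later than the RAN's own clock (assumed derivation)."""
    mask = (1 << SYSTIME_SHORT_LEN) - 1
    full = (ran_time & ~mask) | short
    return full if full <= ran_time else full - (1 << SYSTIME_SHORT_LEN)

def controller_verify(reg, system_time, bak_table, profile, last_counter=None):
    """BCMCS Controller (step 6): look up BAK by BAK_ID, recompute the UATK over the same
    inputs, compare in constant time, then apply the live subscription profile. The replay
    check on Counter is an added defensive check, not described in the contribution."""
    bak = bak_table.get(reg["BAK_ID"])
    if bak is None:
        return False
    expected = uatk(bak, user_token(reg["MIN"], reg["Counter"], system_time))
    if not hmac.compare_digest(expected, reg["UATK"]):
        return False
    if last_counter is not None and reg["Counter"] <= last_counter:
        return False
    # Profile freshness is what BAK lifetime alone cannot give (overdue payment, cancellation).
    return bool(profile.get("active")) and not profile.get("payment_overdue", False)
```

The profile check is the point of the contribution: a valid UATK proves possession of the current BAK, while acceptance still depends on the subscription state held at the Controller.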
Accept the use of UATK for BCMCS user authentication and service authorization.