A00-20050214-017 Ericsson AKA discussion

3GPP2 A00-200502xx-xxx Ericsson AKA discussion.doc
TSG-A
TITLE:
Background Material for AKA Discussion
SOURCE:
Ericsson Inc
Erik Colban
5012 Wateridge Vista Drive
San Diego, CA 92121
Vibhor Julka
5012 Wateridge Vista Drive
San Diego, CA 92121
Erik.Colban@ericsson.com
Vibhor.Julka@ericsson.com
ABSTRACT:
This contribution provides input to a discussion on the introduction of AKA in the IOS.
RECOMMENDATION: FYI
Ericsson Inc. grants a free, irrevocable license to 3GPP2 and its Organizational Partners to
incorporate text or other copyrightable material contained in the contribution and any
modifications thereof in the creation of 3GPP2 publications; to copyright and sell in
Organizational Partner's name any Organizational Partner's standards publication even though it
may include all or portions of this contribution; and at the Organizational Partner's sole discretion
to permit others to reproduce in whole or in part such contribution or the resulting Organizational
Partner's standards publication. Ericsson Inc. is also willing to grant licenses under such
contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for
purpose of practicing an Organizational Partner’s standard which incorporates this contribution.
This document has been prepared by Ericsson Inc. to assist the development of specifications by
3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a
binding proposal on Ericsson Inc. Ericsson Inc. specifically reserves the right to amend or
modify the material contained herein and to any intellectual property of Ericsson Inc. other than
provided in the copyright statement above.
1 Terms
AC. See Authentication Center.
AKA. Authentication and Key Agreement. An authentication procedure that allows
mutual authentication of the mobile station and base station.
Authentication Center (AC). An entity that manages the authentication information
related to the mobile station.
Authentication Response (AUTHR). An 18-bit output of the authentication algorithm.
It is used, for example, to validate mobile station registrations, originations and
terminations.
AV. Authentication Vector used by AKA.
CCK. An encryption key derived from the CMEA key. A 128-bit pattern that is the 64-bit
CMEA key concatenated with a copy of itself.
CIK. An integrity key derived from the CMEA key. A 128-bit pattern that is the 64-bit
CMEA key concatenated with a copy of itself.
CK. Cipher Key. A 128-bit pattern produced by AKA that is used for encryption.
CMEA. Cellular Message Encryption Algorithm.
EXT_SSEQ. Security sequence number. A 32-bit crypto-sync that is used for
encryption, message integrity, or both.
IK. Integrity Key. A 128-bit pattern produced by AKA that is used for integrity
protection.
MAC-I. Message Authentication Code for message integrity. The 32-bit output of the
message integrity algorithm that allows the receiver to authenticate the message.
MACI. A 32-bit LAC Layer field that carries either the MAC-I or the UMAC of a
signaling message.
NEW_KEY_ID. In ROP, this is the index of the pending (CIK, CCK) and
NEW_SSEQ_H associated with AUTHR. In Authentication Response Message, this is
the index of the pending (IK, CK) and NEW_SSEQ_H associated with the (RANDA,
AUTHN).
NEW_SSEQ_H. The pending 24-bit security sequence number used for encryption
and/or integrity protection.
RANDA. The random challenge number contained in an AV.
RES. A Registration Accepted Order, Extended Channel Assignment Message, or
Security Mode Command Message.
RES. The result computed by the MS based on the received RANDA and sent to the BS,
which the BS uses to verify the authenticity of the MS. [Note: In this contribution, RES is
not italicized when used to refer to the authentication result.]
ROP. A Registration Message, Origination Message, or Page Response Message.
R-UIM. Removable UIM.
UAK. UIM Authentication Key. A 128-bit pattern produced by AKA that is used for
authentication of the R-UIM.
UIM. User Identity Module.
UMAC. A 32-bit output of the UMAC algorithm computed by UIM based on MAC-I.
2 Call flows reflecting AKA text in [C.S0005-C]
The call flows in this section are based on TIA-2000-C, Section 2.3.12.5.
2.1 2G Authentication [footnote 1] when P_REV_IN_USE ≥ 10
2.1.1 2G Authentication and Key Establishment
Whenever an idle mobile station does not have any integrity key and encryption key to
use, it starts the 2G authentication and key set-up procedures by registering via a
Registration Message, Origination Message, or Page Response Message (ROP). See
section 2.2.4 for the case where the MS already has established a set of keys.
Since the mobile station does not know beforehand whether the serving base station it
roams to supports 2G authentication, 3G authentication, or both, the mobile station
always starts with 2G authentication. In this call flow, we assume that the network uses
2G authentication.
  a.  MS -> BS   ROP(NEW_KEY_ID, NEW_SSEQ_H, AUTHR)   (MS starts TKey Setup)
  b.  BS -> MS   RES(MACI)
  c.  MS -> BS   Security Mode Completion Order(MACI)
Figure 1: 2G authentication when P_REV_IN_USE ≥ 10
[Footnote 1: Reference C.S0005-D 2.3.12.5.1]
a. The mobile station sends Registration Message, Origination Message, or Page
Response Message (ROP). The ROP contains a new key id (NEW_KEY_ID) and a
new security sequence number (NEW_SSEQ_H) associated with the AUTHR of the
message. The mobile station also starts a Key Set-Up timer.
b. The base station gets a CMEA key from the network and authenticates the mobile
station’s AUTHR (which is always included). If the authentication is successful,
when the CMEA key is available at the base station, the base station uses assured
mode to send a Registration Accepted Order, Extended Channel Assignment
Message, or Security Mode Command Message (RES) that includes a Message
Authentication Code generated using the pending CIK, and the pending
NEW_SSEQ_H (proposed by the mobile station). Upon reception of the RES, the
mobile station validates the MACI. If the validation is successful, the pending (CIK,
CCK) and NEW_SSEQ_H can become “in use” in the mobile station. The mobile
station stores the NEW_KEY_ID in KEY_ID, the CIK in INT_KEY[KEY_ID], and
the CCK in ENC_KEY[KEY_ID]. The mobile station stops the Key Set-Up timer. If
the mobile station receives a RES with an invalid MACI or if the Key Set-Up timer
expires, the mobile station enters the System Determination Substate with an
encryption/message integrity failure indication, which will trigger re-registrations. If,
after several re-registration attempts, the integrity key and encryption key
still cannot be established, the mobile station may reject the serving base station, and
the base station may reject serving the mobile station.
c. The MS sends a Security Mode Completion Order to the base station that includes
a Message Authentication Code. At this point, if the base station successfully
validates the Security Mode Completion Order that the mobile station sends, the
pending (CIK, CCK) and NEW_SSEQ_H can become “in use” in the base
station; otherwise, the base station resends the RES until it receives a valid
Security Mode Completion Order from the mobile station. Once (CIK, CCK) has
been established, the mobile station can perform integrity protection and
encryption.
[Note: Until the keys are established, messages that are not essential to the
establishment of the key may be exchanged. These messages shall not include a
MACI. The Extended Channel Assignment Message may be sent after step ‘a’, which
allows for early traffic channel assignment.]
2.1.1.1 Possible Outcomes of the 2G Authentication Procedure
The outcome of a 2G-authentication attempt may be:
1. The MS and BS successfully authenticate each other. The call flow completes with
successful establishment of the (CIK, CCK) in the MS and the BS.
2. The BS successfully authenticates the MS, but the MS fails to authenticate the BS.
This may occur if, in step ‘b’, the MS fails to receive a RES message with a valid
MACI before the Key Set-Up timer expires. The MS enters the System Determination
Substate, which is experienced at the BS as a loss of radio contact.
3. The BS fails to authenticate the MS. This may occur if, in step ‘a’, the AUTHR is
invalid or missing, or, in step ‘c’, the MACI is invalid.
If the AUTHR is invalid or missing, the MSC/BS may reject the registration or call
attempt. In certain cases, e.g., emergency calls, the MSC/BS may allow the call to
proceed. In this case, the BS sends an RES that does not include a MACI and the call
proceeds with subsequent messages not including the MACI.
If the AUTHR is valid but the Security Mode Completion Order does not contain a
valid MACI, the BS resends the RES until it receives a valid Security Mode
Completion Order from the mobile station. In certain cases, e.g., emergency calls, the
MSC/BS may allow the call to proceed. In this case, the call proceeds with
subsequent messages not including the MACI.
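The 2G key set-up of section 2.1.1, seen from the mobile station, as an added example in Python (not part of the original contribution or of any cdma2000 specification). The MACI algorithm is not given in this contribution, so a truncated HMAC-SHA-256 over NEW_SSEQ_H and the message stands in for it; the class, function and state names and all key values are constructed for illustration. It also shows that CIK and CCK, as defined in section 1, are the same 128-bit value carrying 64 bits of key material.

```python
import hashlib
import hmac


def derive_2g_keys(cmea_key: bytes) -> tuple:
    """(CIK, CCK) per section 1: the 64-bit CMEA key concatenated with itself."""
    if len(cmea_key) != 8:
        raise ValueError("CMEA key must be 64 bits")
    return cmea_key * 2, cmea_key * 2


def maci(int_key: bytes, new_sseq_h: int, msg: bytes) -> bytes:
    """32-bit MACI stand-in. Assumption: truncated HMAC-SHA-256 over
    NEW_SSEQ_H (24 bits) || msg; the real algorithm is not on this page."""
    data = new_sseq_h.to_bytes(3, "big") + msg
    return hmac.new(int_key, data, hashlib.sha256).digest()[:4]


class MobileStation:
    """MS side of Figure 1; the state names are hypothetical."""

    def __init__(self, cmea_key: bytes):
        self.cmea_key = cmea_key
        self.state = "IDLE"
        self.pending = None   # pending (key id, NEW_SSEQ_H, CIK, CCK)
        self.key_id = None    # KEY_ID
        self.int_key = {}     # INT_KEY[KEY_ID]
        self.enc_key = {}     # ENC_KEY[KEY_ID]

    def send_rop(self, new_key_id: int, new_sseq_h: int) -> dict:
        """Step 'a': propose NEW_KEY_ID / NEW_SSEQ_H; Key Set-Up timer starts."""
        cik, cck = derive_2g_keys(self.cmea_key)
        self.pending = (new_key_id, new_sseq_h, cik, cck)
        self.state = "KEY_SETUP"
        return {"NEW_KEY_ID": new_key_id, "NEW_SSEQ_H": new_sseq_h}

    def on_res(self, body: bytes, tag: bytes) -> str:
        """Step 'b': the pending keys become "in use" only if the MACI checks."""
        if self.state != "KEY_SETUP":
            return self.state
        key_id, sseq_h, cik, cck = self.pending
        self.pending = None
        if hmac.compare_digest(maci(cik, sseq_h, body), tag):
            self.key_id = key_id
            self.int_key[key_id], self.enc_key[key_id] = cik, cck
            self.state = "KEYS_IN_USE"
        else:
            self.state = "SYSTEM_DETERMINATION"  # failure indication
        return self.state

    def on_key_setup_timeout(self) -> str:
        """Key Set-Up timer expiry without a valid RES."""
        if self.state == "KEY_SETUP":
            self.pending, self.state = None, "SYSTEM_DETERMINATION"
        return self.state


def bs_build_res(cmea_key: bytes, new_sseq_h: int, body: bytes = b"RES"):
    """BS side of step 'b': MACI from the CIK and the NEW_SSEQ_H the MS proposed."""
    cik, _ = derive_2g_keys(cmea_key)
    return body, maci(cik, new_sseq_h, body)


def run_2g_scenarios() -> dict:
    key = bytes.fromhex("0123456789abcdef")  # constructed CMEA key
    out = {}

    ms = MobileStation(key)
    rop = ms.send_rop(1, 0x000123)
    state = ms.on_res(*bs_build_res(key, rop["NEW_SSEQ_H"]))
    out["valid"] = (state, ms.key_id, ms.int_key[1] == ms.enc_key[1])

    ms = MobileStation(key)  # the BS holds a different CMEA key
    rop = ms.send_rop(2, 0x000124)
    state = ms.on_res(*bs_build_res(bytes(8), rop["NEW_SSEQ_H"]))
    out["wrong_key"] = (state, ms.key_id)

    ms = MobileStation(key)  # RES built for an earlier NEW_SSEQ_H
    ms.send_rop(3, 0x000125)
    out["stale_sseq"] = ms.on_res(*bs_build_res(key, 0x000123))

    ms = MobileStation(key)  # no RES arrives before the timer expires
    ms.send_rop(4, 0x000126)
    out["timeout"] = ms.on_key_setup_timeout()
    return out


if __name__ == "__main__":
    for name, result in run_2g_scenarios().items():
        print(name, result)
```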
2.2 3G Authentication [footnote 2] (AKA) when P_REV_IN_USE ≥ 10
2.2.1 3G Authentication and Key Establishment
In this scenario, the BS receives an ROP that does not contain a MACI, or whose
MACI does not check or cannot be checked, and the base station initiates AKA.
  a.  MS -> BS   ROP(NEW_KEY_ID, NEW_SSEQ_H, AUTHR)   (MS starts TKey Setup)
  b.  BS -> MS   Auth. Request Message(RANDA, AUTN)   (MS restarts TKey Setup)
  c.  MS -> BS   Auth. Response Message(RES)
  d.  BS -> MS   RES(MACI)
Figure 2: 3G Authentication when P_REV_IN_USE ≥ 10
a. The mobile station sends an ROP. The ROP contains a new key id (NEW_KEY_ID)
and a new security sequence number (NEW_SSEQ_H) associated with the AUTHR
of the message. The mobile station also starts a Key Set-Up timer.
b. The base station invokes the procedure by selecting the next unused AV from the
ordered array of AV’s stored in the VLR. If an AV is not available in the serving
node, one (or more) AV’s are requested from the subscriber’s home system. The base
station sends the mobile station an Authentication Request Message, which contains
the random challenge RANDA, and the authentication token for network
authentication, AUTN, associated with the selected AV. Each AV contains the
following information (see [C.S0005-C], figure 2.3.12.5.2-1):
• Authentication Random Challenge Number (RANDA)
• Expected Result (XRES)
• Encryption Key (CK)
• Integrity Key (IK)
• UIM Authentication Key (UAK) (support of this field is optional)
• Authentication Token (AUTN), which consists of the Concealed Sequence
Number (CON_SQN), the Authentication Management Function (AMF), and the
Message Authentication Code (MAC-A).
[Footnote 2: Reference C.S0005-D 2.3.12.5.2]
Upon reception of the Authentication Request Message, the mobile station aborts any
pending 2G key setup and the UIM computes the expected message authentication
code (XMAC). If this is not equal to the MAC-A received in the AUTN, the mobile
station enters the System Determination Substate with an encryption/message
integrity failure indication; otherwise, the UIM verifies that the sequence number
SQN received in the AUTN is in the correct range (a test of freshness).
If the UIM determines that the received SQN is not in the correct range, see section
2.2.3. If the SQN is in the correct range, the UIM computes the (IK, CK) pair and the
RES and passes the (IK, CK) pair and RES to the mobile station. The mobile station
then re-starts the Key Set-Up timer. The mobile station then associates a pending key
id NEW_KEY_ID and a pending NEW_SSEQ_H with the pending (IK, CK) pair.
The mobile station also stores (RANDA, RES, IK, CK, key id, NEW_SSEQ_H) in
case it receives, in the near future, the same retransmitted Authentication Request
Message that requires the mobile station to resend the same Authentication Response
Message. The UIM stores (IK, CK) until the next successful execution of AKA.
c. The MS sends an Authentication Response Message containing RES to the base
station. Upon reception of the Authentication Response Message, the base station
compares RES with the expected response XRES from the selected AV. If XRES
equals RES, then the authentication of the user has passed and the pending (IK, CK)
and the pending NEW_SSEQ_H can become “in use” in the base station. To ensure
the base station has agreed to switch to the pending (IK, CK), the mobile station
keeps sending the Authentication Response Message until it gets the RES that
includes a Message Authentication Code generated using the pending IK (or until the
Key Set-Up timer expires, whichever comes first).
d. The base station then confirms the AKA completion by sending an RES that includes
a Message Authentication Code generated using the pending IK to confirm the use of
the pending (IK, CK). Upon reception of this confirmation, the mobile station stops
the Key Set-Up timer and the pending (IK, CK), NEW_SSEQ_H, and key id become
“in use” for the mobile station. The mobile station stores the NEW_KEY_ID in
KEY_ID, the IK in INT_KEY[KEY_ID], and the CK in ENC_KEY[KEY_ID]. If for
any reason the keys cannot be established before the timer expires, the mobile station
enters the System Determination Substate with an encryption/message integrity
failure indication upon the expiration of the timer, which triggers re-registrations. If,
after several re-registration attempts, the integrity key and encryption key
still cannot be established, the mobile station may reject the serving base station, and
the base station may reject serving the mobile station.
Once (IK, CK) has been established, the mobile station may start integrity protection
and encryption.
[Note: Until the keys are established, messages that are not essential to the
establishment of the key may be exchanged. These messages shall not include a
MACI. The Extended Channel Assignment Message may be sent after step ‘a’, which
allows for early traffic channel assignment. In step ‘d’, the BS sends a Security Mode
Command Message.]
2.2.1.1 Possible Outcomes of the 3G Authentication Procedure
The outcome of a 3G-authentication attempt may be:
1. The MS and BS successfully authenticate each other. The call flow completes with
successful establishment of the (IK, CK) in the MS and the BS.
2. The MS fails to authenticate the BS. This may occur if the MS fails to receive an
Authentication Request Message with a valid MAC-A (which is part of the AUTN) in
step ‘b’ and an RES message (step ‘d’) with a valid MACI before the Key Set-Up
timer expires. The MS enters the System Determination Substate, which is
experienced at the BS as a loss of radio contact.
3. The MSC/BS fails to authenticate the MS. This may occur if, in step ‘a’, the AUTHR
is invalid or, in step ‘c’, the RES does not match the XRES.
If the AUTHR is invalid or missing, the MSC/BS may reject the registration or call
attempt. In certain cases, e.g., emergency calls, the MSC/BS may allow the call to
proceed. In these cases, the BS does not send an Authentication Request Message
(i.e., does not initiate 3G authentication), but sends an RES that does not include a
MACI and the call proceeds with subsequent messages not including the MACI.
If the AUTHR is valid but the Authentication Response Message does not contain a
valid RES, the MSC/BS may reject the registration or call attempt. In certain cases,
e.g., emergency calls, the MSC/BS may allow the call to proceed. In these cases, the
call proceeds with subsequent messages not including the MACI.
2.2.2 Network Initiated AKA Procedure not Associated with an ROP
The base station can initiate AKA at any time for any reason, for example, when (IK,
CK) expires in the mobile station. The call flow of this scenario is the same as the one in
section 2.2.1 starting at step ‘b’ and ending with a Security Mode Command in step ‘d’.
2.2.3 Synchronization Failure during AKA
  a.  MS -> BS   ROP(NEW_KEY_ID, NEW_SSEQ_H, AUTHR)   (MS starts TKey Setup)
  b.  BS -> MS   Auth. Request Message(RANDA, AUTN)
  c.  MS -> BS   Auth. Resync. Message(MAC-S, CON_MS_SEQ)
Figure 3: Synchronization failure during AKA
a. The mobile station sends an ROP. The ROP contains a new key id (NEW_KEY_ID)
and a new security sequence number (NEW_SSEQ_H) associated with the AUTHR
of the message. The mobile station also starts a Key Set-Up timer.
b. The base station invokes the procedure by selecting the next unused AV from the
ordered array of AV’s stored in the VLR. If an AV is not available in the serving
node, one (or more) AV’s are requested from the subscriber’s home system. The base
station sends the mobile station an Authentication Request Message, which contains
the random challenge RANDA, and the authentication token for network
authentication, AUTN, associated with the selected AV.
Upon reception of the Authentication Request Message, the mobile station aborts any
pending 2G key setup and the UIM computes the expected message authentication
code (XMAC). If this is not equal to the MAC-A received in the AUTN, the mobile
station enters the System Determination Substate with an encryption/message
integrity failure indication; otherwise, the UIM verifies that the sequence number
SQN received in the AUTN is in the correct range (a test of freshness).
c. The UIM determines that the received SQN is not in the correct range, and the mobile
station sends an Authentication Resynchronization Message to the base station that
includes a message authentication code for resynchronization (MAC_S) and the
concealed value of the sequence number stored in the UIM (CON_MS_SQN). The
mobile station then erases any current (IK, CK) in the mobile station and abandons
the AKA procedure.
2.2.3.1 Possible Outcomes of the Synchronization Failure
If the MS detects that the SQN received in the AUTN is not in the correct range (in step
‘b’), the following scenarios are possible:
1. After step ‘c’, the MS [enters the System Determination Substate,] re-registers or
resends the ROP message. This time, the BS uses a newly generated AV that has the
SQN in the correct range, and the AKA procedure succeeds.
2. After step ‘c’, the BS resends the Authentication Request Message using a newly
generated AV that has the SQN in the correct range. The MS restarts the Key Set-Up
timer and responds with an Authentication Response Message including a valid RES,
and the BS sends an RES message in response to the ROP message that the MS
previously sent.
3. In certain cases, e.g., emergency calls, the MSC/BS may allow the call to proceed.
After step ‘c’, the BS sends an RES message that does not include a MACI and the
call proceeds with subsequent messages not including the MACI.
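The UIM-side checks of sections 2.2.1 and 2.2.3 (XMAC against MAC-A, the SQN freshness test, RES against XRES, and resynchronization), as an added example in Python that is not part of the original contribution. Assumptions: truncated HMAC-SHA-256 stands in for the AKA functions, which this contribution does not specify; field lengths and the XOR concealment of the sequence number are modelled on 3GPP AKA; the "correct range" is taken to be a window of 32 above the UIM's stored value; all names and values are constructed.

```python
import hashlib
import hmac

SQN_WINDOW = 32  # assumption: the page only says "in the correct range"


def prf(k: bytes, label: bytes, *parts: bytes, n: int) -> bytes:
    """Stand-in for the AKA functions (assumption: truncated HMAC-SHA-256)."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_av(k: bytes, randa: bytes, sqn: int, amf: bytes = b"\x00\x00") -> dict:
    """Home system: build one AV with the fields listed in step 'b'."""
    sqn_b = sqn.to_bytes(6, "big")
    autn = {
        "CON_SQN": xor(sqn_b, prf(k, b"AK", randa, n=6)),
        "AMF": amf,
        "MAC-A": prf(k, b"MAC-A", randa, sqn_b, amf, n=8),
    }
    return {"RANDA": randa, "XRES": prf(k, b"RES", randa, n=8),
            "CK": prf(k, b"CK", randa, n=16), "IK": prf(k, b"IK", randa, n=16),
            "AUTN": autn}


class UIM:
    def __init__(self, k: bytes, sqn_ms: int):
        self.k, self.sqn_ms = k, sqn_ms
        self.ik = self.ck = None  # kept until the next successful AKA

    def authenticate(self, randa: bytes, autn: dict) -> dict:
        sqn_b = xor(autn["CON_SQN"], prf(self.k, b"AK", randa, n=6))
        xmac = prf(self.k, b"MAC-A", randa, sqn_b, autn["AMF"], n=8)
        if not hmac.compare_digest(xmac, autn["MAC-A"]):
            return {"result": "MAC_FAILURE"}  # MS enters System Determination
        sqn = int.from_bytes(sqn_b, "big")
        if not self.sqn_ms < sqn <= self.sqn_ms + SQN_WINDOW:
            self.ik = self.ck = None  # erase current keys, abandon AKA
            ms_b = self.sqn_ms.to_bytes(6, "big")
            return {"result": "SYNC_FAILURE",
                    "MAC_S": prf(self.k, b"MAC-S", randa, ms_b, n=8),
                    "CON_MS_SQN": xor(ms_b, prf(self.k, b"AK-S", randa, n=6))}
        self.sqn_ms = sqn
        self.ik = prf(self.k, b"IK", randa, n=16)
        self.ck = prf(self.k, b"CK", randa, n=16)
        return {"result": "OK", "RES": prf(self.k, b"RES", randa, n=8)}


def home_resync(k: bytes, randa: bytes, msg: dict):
    """Home system: verify MAC_S and recover the UIM's SQN (None if invalid)."""
    ms_b = xor(msg["CON_MS_SQN"], prf(k, b"AK-S", randa, n=6))
    if not hmac.compare_digest(prf(k, b"MAC-S", randa, ms_b, n=8), msg["MAC_S"]):
        return None
    return int.from_bytes(ms_b, "big")


def bs_verify(av: dict, res: bytes) -> bool:
    """Step 'c': the base station compares RES with XRES from the selected AV."""
    return hmac.compare_digest(av["XRES"], res)


def run_aka_scenarios() -> dict:
    k = bytes(range(16))  # constructed subscriber key
    uim = UIM(k, sqn_ms=100)
    out = {}

    av = make_av(k, b"\x01" * 16, 101)  # fresh AV
    r = uim.authenticate(av["RANDA"], av["AUTN"])
    out["fresh"] = (r["result"], bs_verify(av, r["RES"]), uim.ik == av["IK"])

    bad = make_av(k, b"\x02" * 16, 102)  # AUTN altered in transit
    bad["AUTN"]["AMF"] = b"\x80\x00"
    out["tampered"] = uim.authenticate(bad["RANDA"], bad["AUTN"])["result"]

    stale = make_av(k, b"\x03" * 16, 50)  # SQN below the UIM's stored value
    r = uim.authenticate(stale["RANDA"], stale["AUTN"])
    sqn_ms = home_resync(k, stale["RANDA"], r)
    out["stale"] = (r["result"], sqn_ms, uim.ik)

    av = make_av(k, b"\x04" * 16, sqn_ms + 1)  # newly generated AV
    r = uim.authenticate(av["RANDA"], av["AUTN"])
    out["after_resync"] = (r["result"], bs_verify(av, r["RES"]))
    return out


if __name__ == "__main__":
    for name, result in run_aka_scenarios().items():
        print(name, result)
```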
2.3 3G Reuse of Established Keys
2.3.1 The MS Powers Up and Restores the Integrity and Encryption Keys [footnote 3]
Since (IK, CK) is stored in UIM even when the mobile station is powered off, it is
possible for the mobile station, when the mobile station powers on again, to try to restore
and use the stored (IK, CK) in order to avoid unnecessary AKA. However, the mobile
station will need to re-establish the crypto-sync and key id, which are not stored when the
mobile station is powered off.
  a.  MS -> BS   ROP(NEW_KEY_ID, NEW_SSEQ_H, AUTHR, MACI)   (MS starts TKey Setup)
  b.  BS -> MS   RES(MACI)
  c.  MS -> BS   Security Mode Completion Order(MACI)
Figure 4: Restoration of (IK, CK)
[Footnote 3: Reference C.S0005-D 2.3.12.5.3]
a. The mobile station sends an ROP that includes a Message Authentication Code
generated using the stored IK and a pending NEW_SSEQ_H. The mobile station
includes the NEW_SSEQ_H in the LAC Layer in the ROP and sets the
NEW_KEY_ID to a value selected by the mobile station to associate with this (IK,
CK). When the base station receives the ROP, it validates the MACI using its own IK
stored for this mobile station and with the pending NEW_SSEQ_H provided in the
message. The mobile station also starts a Key Set-Up timer.
b. If the MACI is valid, the base station sends an RES that includes a Message
Authentication Code generated using the stored IK and NEW_SSEQ_H. The base
station resends the RES until it gets the expected Security Mode Completion Order.
When the mobile station receives the RES, the mobile station validates the MACI. If
the MACI checks, the mobile station then starts using the key id for the stored (IK,
CK), and the (IK, CK) and NEW_SSEQ_H can become “in use” in the mobile
station.
c. The mobile station then sends a Security Mode Completion Order that includes a
Message Authentication Code. Upon reception of the Security Mode Completion
Order, the base station validates the MACI and, if the MACI is valid, the base station
starts to set the key id for the (IK, CK) to the value selected by the mobile station (in
NEW_KEY_ID and SDU_KEY_ID), regardless of the current key id being used at
the base station. The (IK, CK) pair and NEW_SSEQ_H can become “in use” in the
base station. The (IK, CK) pair is now successfully restored.
2.3.1.1 Possible Outcomes of the Key Restoration Procedure
The outcome of a key restoration procedure may be:
1. The keys are successfully restored. The call flow completes with successful
establishment of crypto-sync and key id in the MS and the BS.
2. The BS fails to validate the MACI received from the MS in step ‘a’. The BS may
initiate AKA by sending an Authentication Request Message to the MS. The call flow
in section 2.2.1 applies. The possible outcomes are listed in section 2.2.1.1. If the BS
does not support 3G authentication, the BS may send an RES message including a
MACI based on the CMEA key.
In certain cases, e.g., emergency calls, the MSC/BS may allow the call to proceed. In
these cases, the BS sends an RES that does not include a MACI and the MS does not
send the Security Mode Completion Order, and the call proceeds with subsequent
messages not including the MACI.
3. The BS successfully authenticates the MS, but the MS fails to authenticate the BS.
This may occur if, in step ‘b’, the MS fails to receive a RES message with a valid
MACI before the Key Set-Up timer expires. The MS enters the System Determination
Substate, which is experienced at the BS as a loss of radio contact.
2.3.2 ROP Using Established (IK, CK)
After the 3G integrity and encryption keys (IK, CK) have been established, the MS and
the BS may establish the authenticity of each other by validating the MACI of the
received messages.
  a.  MS -> BS   ROP(AUTHR, MACI)
  b.  BS -> MS   RES(MACI)
Figure 5: ROP after (IK, CK) has been established
a. The mobile station sends an ROP that includes a Message Authentication Code
generated using the stored IK. When the base station receives the ROP, it validates
the MACI.
b. The BS sends an RES that includes a Message Authentication Code generated using
the current IK. When the MS receives the RES, it validates the MACI.
2.3.2.1 Possible Outcomes of the Message Exchange Using Pre-Established (IK, CK)
1. Both messages are successfully validated.
2. The BS fails to validate the MACI received from the MS in step ‘a’. The BS may
initiate AKA by sending an Authentication Request Message to the MS. The call flow
in section 2.1.1 applies. The possible outcomes are listed in section 2.2.1.1. If the BS
does not support 3G authentication, the BS may send an RES message including a
MACI based on the CMEA key.
In certain cases, e.g., emergency calls, the MSC/BS may allow the call to proceed. In
these cases, the RES message does not include a MACI, and the call proceeds with
subsequent messages not including the MACI.
3. The BS successfully authenticates the MS, but the MS fails to authenticate the BS.
This may occur if, in step ‘b’, the MS fails to receive a RES message with a valid
MACI. The MS enters the System Determination Substate, which is experienced at
the BS as a loss of radio contact.
3 Dividing up the Work between the BS and the MSC
The cdma2000 1x air interface standard [C.S0005-C] refers to the “base station” as the
network side of the air interface, and not necessarily the BS only. In this section, we add
IOS messaging to the call flows of section 2. In each of the following call flows, <m1>,
<m2>, <m3>, etc., are used as meta-message names, which, depending on the actual
scenario (i.e., origination, page response or registration), may be mapped to existing or
new IOS messages. See section 3.1.2.1 for proposed mapping of the meta-messages to
actual IOS messages.
Note that other messages may be exchanged between the BS and the MSC and that these
call flows show only those messages that are essential to the authentication and key setup
procedures.
3.1 2G Authentication when P_REV_IN_USE ≥ 10
3.1.1 Successful 2G Authentication
  a.  MS -> BS    ROP(NEW_KEY_ID, NEW_SSEQ_H, AUTHR)   (TKey Setup timer shown)
  b.  BS -> MSC   <m1>(AUTHR)
  c.  MSC -> BS   <m2>(CMEA_key)
  d.  BS -> MS    RES(MACI)
  e.  MS -> BS    Security Mode Completion Order(MACI)
  f.  BS -> MSC   <m3>(Auth_Success_Ind)
Figure 6: Successful 2G authentication
a. The mobile station sends Registration Message, Origination Message, or Page
Response Message (ROP). The ROP contains a new key id (NEW_KEY_ID) and a
new security sequence number (NEW_SSEQ_H) associated with the AUTHR of the
message.
b. The BS sends an <m1> including the AUTHR to the MSC. The MSC validates the
AUTHR.
c. The MSC sends an <m2> message with the pending CMEA key. Upon receipt of this
message the BS forms the CIK and CCK by concatenating the CMEA key with itself.
d. The BS sends an RES to the MS that includes a MACI generated with the CIK and
the pending NEW_SSEQ_H proposed by the MS. Upon reception of the RES, the
mobile station validates the MACI. If the validation is successful, the pending (CIK,
CCK) and NEW_SSEQ_H can become “in use” in the mobile station.
e. The MS sends a Security Mode Completion Order to the base station that includes a
MACI. At this point, if the base station successfully validates the Security Mode
Completion Order that the mobile station sends, the pending (CIK, CCK) and
NEW_SSEQ_H can become “in use” in the base station.
f. The BS sends a <m3> message that indicates that the MS was successfully
authenticated. This message includes the cryptosync, which the MSC stores for future
use.
3.1.1.1 Mapping of Meta-Messages to IOS Messages
The following table shows the mapping from meta-messages to actual A1 interface
messages.
Scenario | ROP | RES | <m1> | <m2> | <m3>
---------|-----|-----|------|------|-----
Registration | Registration Message | Registration Accept Order | Location Updating Request | Location Updating Accept | Authentication Report (new)
Mobile Origination | Origination Message | Extended Channel Assignment Message; Security Mode Command Message | CM Service Request | Assignment Request; Privacy Mode Command | Assignment Complete; Privacy Mode Complete
Mobile Termination | Page Response Message | Extended Channel Assignment Message; Security Mode Command Message | Paging Response | Assignment Request; Privacy Mode Command | Assignment Complete; Privacy Mode Complete
Notes:
1. The BS may send the ECAM before receiving the Assignment Request message
(early traffic channel assignment), in which case the CMEA key is not available at the
time of sending this message. In this case the keys become “in use” at the MS after it
receives the Security Mode Command including the MACI.
2. The MSC may send the Assignment Request message prior to authenticating the MS.
When the MSC has authenticated the MS it sends the CMEA key in the Privacy
Mode Command message. The BS must receive the Privacy Mode Command
message in time to prevent expiration of the Key Set-Up timer at the MS.
3.1.2 2G Authentication — AUTHR Invalid or Missing
  a.  MS -> BS    ROP(NEW_KEY_ID, NEW_SSEQ_H, AUTHR)   (TKey Setup timer shown)
  b.  BS -> MSC   <m1>(AUTHR)
  c.  MSC -> BS   <m2>(CAUSE)
  d.  BS -> MS    <Rejection>
Figure 7: 2G authentication — AUTHR invalid or missing
a. The mobile station sends Registration Message, Origination Message, or Page
Response Message (ROP). The ROP contains a new key id (NEW_KEY_ID) and a
new security sequence number (NEW_SSEQ_H) associated with the AUTHR of the
message.
b. The BS sends an <m1> message including an incorrect AUTHR or no AUTHR to the
MSC. The MSC fails to validate the AUTHR.
c. The MSC sends an <m2> message including a cause for rejecting the call.
d. The BS rejects the registration or call attempt.
3.1.2.1 Mapping of Meta-Messages to IOS Messages
The following table shows the mapping from meta-messages to actual A1 interface
messages.
Scenario | ROP | <m1> | <m2>
---------|-----|------|-----
Registration | Registration Message | Location Updating Request | Location Updating Reject
Mobile Origination | Origination Message | CM Service Request | SCCP/SUA Connection Refused; Clear Command
Mobile Termination | Page Response Message | Paging Response | SCCP/SUA Connection Refused; Clear Command
Notes:
1. If the MSC determines that the MS is not authorized before the
SCCP/SUA connection has been established, the MSC rejects the call by
refusing the SCCP/SUA connection, otherwise the MSC clears the call by
sending the Clear Command message.
2. In certain cases, e.g., emergency calls, the MSC/BS may allow the call to
proceed. In this case the MSC will not send <m2> to the BS. The BS
proceeds with call setup and does not include a MACI in the subsequent
messages.
3.1.3 2G Authentication — MS Fails to Authenticate the BS
  a.  MS -> BS    ROP(NEW_KEY_ID, NEW_SSEQ_H, AUTHR)   (MS starts TKey Setup)
  b.  BS -> MSC   <m1>(AUTHR)
  c.  MSC -> BS   <m2>(CMEA_key)
  d.  BS -> MS    RES(MACI)   (marked "x" in the figure; timer TRES also shown)
  e.  BS -> MSC   <m3>(Failure_ind)
Figure 8: 2G authentication — MS fails to authenticate the BS
a. The mobile station sends Registration Message, Origination Message, or Page
Response Message (ROP). The ROP contains a new key id (NEW_KEY_ID) and a
new security sequence number (NEW_SSEQ_H) associated with the AUTHR of the
message. The mobile station also starts a Key Set-Up timer.
b. The BS sends an <m1> including the AUTHR to the MSC. The MSC validates the
AUTHR.
c. The MSC sends an <m2> message with the pending CMEA key. Upon receipt of this
message the BS forms the CIK and CCK by concatenating the CMEA key with itself.
d. The BS sends an RES to the MS that includes a MACI generated with the CIK and
the pending NEW_SSEQ_H proposed by the MS. Upon reception of the RES, the
mobile station determines that the MACI is invalid. The BS resends the RES until it
receives a valid Security Mode Completion Order from the mobile station or until it
determines that it has lost radio contact with the MS. Upon expiration of the Key
Set-Up timer the MS enters the System Determination Substate.
e. The BS determines that it has lost contact with the MS and sends an <m3> message
including a failure indication to the MSC.
3.1.3.1 Mapping of Meta-Messages to IOS Messages
The following table shows the mapping from meta-messages to actual A1 interface
messages.
Scenario | ROP | RES | <m1> | <m2> | <m3>
---------|-----|-----|------|------|-----
Registration | Registration Message | Registration Accept Order | Location Updating Request | Location Updating Accept | Authentication Report (new)
Mobile Origination | Origination Message | Extended Channel Assignment Message; Security Mode Command Message | CM Service Request | Assignment Request; Privacy Mode Command | Assignment Failure; Clear Request
Mobile Termination | Page Response Message | Extended Channel Assignment Message; Security Mode Command Message | Paging Response | Assignment Request; Privacy Mode Command | Assignment Failure; Clear Request
Notes:
1. The MSC sends the Clear Request message if it already has received the Assignment
Complete message. Otherwise it sends the Clear Request message.
3.2 3G Authentication
3.2.1 Successful 3G Authentication
  a.  MS -> BS    ROP(NEW_KEY_ID, NEW_SSEQ_H, AUTHR)   (TKey Setup timer shown)
  b.  BS -> MSC   <m1>(AUTHR)
  c.  MSC -> BS   <m2>(AV)
  d.  BS -> MS    Auth. Req. Msg. (RAND, AUTN)
  e.  MS -> BS    Auth. Rsp. Msg.(RES)
  f.  BS -> MS    RES(MACI)
      BS -> MSC   <m3>(Auth_Success_Ind)
Figure 9: Successful 3G authentication
a. The mobile station sends Registration Message, Origination Message, or Page
Response Message (ROP). The ROP contains a new key id (NEW_KEY_ID) and a
new security sequence number (NEW_SSEQ_H) associated with the AUTHR of the
message.
b. The BS sends an <m1> including the AUTHR to the MSC. The MSC validates the
AUTHR.
c. The MSC sends an <m2> message including the next unused AV. Upon receipt
of this message the BS calculates the IK and CK.
d. The BS sends an Authentication Request Message containing the RANDA and
AUTN. Upon receipt of this message the MS aborts any pending 2G key setup.
e. The MS sends an Authentication Response Message that includes a RES to the BS.
The BS compares the RES with the XRES received from the
MSC in step ‘c’.
f. The BS sends an RES message including a MACI. Upon receipt of this message, the
MS validates the MACI. The BS also sends an <m3> message to the MSC that
indicates that the MS was successfully authenticated.
3.2.1.1
Mapping of Meta-Messages to IOS Messages
The mapping from meta-messages to actual A1 interface messages is identical to the
mapping in the case of 2G authentication; see section 3.1.1.1.
3.2.2
3G Authentication — AUTHR Invalid or Missing
See section 3.1.2.
3.2.3
3G Authentication — MS Fails to Authenticate the BS
[Message sequence chart between MS, BS and MSC, steps a to e. Messages shown: ROP(NEW_KEY_ID, NEW_SSEQ_H, AUTHR); <m1>(AUTHR); <m2>(AV); Auth. Req. Msg.(RANDA, AUTN); <m3>(Failure Ind.). Timer labels: TKey Setup, TRES.]
Figure 10: 3G authentication — MS fails to authenticate the BS
a. The mobile station sends Registration Message, Origination Message, or Page
Response Message (ROP). The ROP contains a new key id (NEW_KEY_ID) and a
new security sequence number (NEW_SSEQ_H) associated with the AUTHR of the
message. The mobile station also starts a Key Set-Up timer.
b. The BS sends an <m1> message including the AUTHR to the MSC. The MSC
validates the AUTHR.
c. The MSC sends an <m2> message including the next unused AV. Upon receipt
of this message the BS calculates the IK and CK.
d. The BS sends an Authentication Request Message containing the RANDA and
AUTN. Upon receipt of this message the MS aborts any pending 2G key setup. The
MS determines that the MAC-A in the AUTN is invalid and enters the System
Determination Substate.
e. The BS determines that it has lost contact with the MS and sends an <m3> message
including a failure indication to the MSC.
3.2.3.1
Mapping of Meta-Messages to IOS Messages
The mapping from meta-messages to actual A1 interface messages is identical to the
mapping in the case of 2G authentication; see section 3.1.3.1.
3.2.4
3G Authentication — BS Receives Invalid RES from the MS
[Message sequence chart between MS, BS and MSC, steps a to h. Messages shown: ROP(NEW_KEY_ID, NEW_SSEQ_H, AUTHR); <m1>(AUTHR); <m2>(AV); Auth. Req. Msg. (RAND, AUTN); Auth. Rsp. Msg.(RES); RES(); <m3>(Auth_Failure_Ind); <m4>(CAUSE); Release. Timer label: TKey Setup.]
Figure 11: 3G authentication — BS receives invalid RES from the MS
a. The mobile station sends Registration Message, Origination Message, or Page
Response Message (ROP). The ROP contains a new key id (NEW_KEY_ID) and a
new security sequence number (NEW_SSEQ_H) associated with the AUTHR of the
message.
b. The BS sends an <m1> including the AUTHR to the MSC. The MSC validates the
AUTHR.
c. The MSC sends an <m2> message including the next unused AV. Upon receipt
of this message the BS calculates the IK and CK.
d. The BS sends an Authentication Request Message containing the RANDA and
AUTN. Upon receipt of this message the MS aborts any pending 2G key setup.
e. The MS sends an Authentication Response Message that includes a RES to the BS.
The BS compares the RES with the XRES received from the
MSC in step ‘c’ and determines that there is a mismatch.
f. The BS sends an <m3> message to the MSC that indicates that the MS was not
successfully authenticated. The BS may also continue exchanging messages with the
MS without including the MACI. If the MSC authorizes the MS, the call flow ends at
this step.
g. The MSC determines not to authorize the MS and sends an <m4> message to release
the call.
h. The BS initiates the release of the call.
3.2.4.1
Mapping of Meta-Messages to IOS Messages
Scenario | ROP | RES | <m1> | <m2> | <m3> | <m4>
Registration | Registration Message | Registration Accept Order | Location Updating Request | Location Updating Accept | Authentication Report (new) | NA
Mobile Origination | Origination Message | Extended Channel Assignment Message | CM Service Request | Assignment Request | Assignment Complete | Clear Command
 | | | | Privacy Mode Command | Privacy Mode Complete |
 | | | | Assignment Request | Assignment Complete |
 | | | | Privacy Mode Command | Privacy Mode Complete |
 | | Security Mode Command Message | | | |
Mobile Termination | Page Response Message | Extended Channel Assignment Message | Paging Response | | | Clear Command
 | | Security Mode Command Message | | | |
3.2.5
3G Authentication — Synchronization Failure
[Message sequence chart between MS, BS and MSC, steps a to h. Messages shown: ROP(NEW_KEY_ID, NEW_SSEQ_H, AUTHR); <m1>(AUTHR); <m2>(AV); Auth. Req. Msg. (RAND, AUTN); Auth. Resync. Msg.(MAC_S, CONS_MS_SQN); RES(); <m3>(Auth_Failure_Ind); <m4>(CAUSE); Release. Timer label: TKey Setup.]
Figure 12: 3G authentication — synchronization failure
a. The mobile station sends Registration Message, Origination Message, or Page
Response Message (ROP). The ROP contains a new key id (NEW_KEY_ID) and a
new security sequence number (NEW_SSEQ_H) associated with the AUTHR of the
message.
b. The BS sends an <m1> including the AUTHR to the MSC. The MSC validates the
AUTHR.
c. The MSC sends an <m2> message including the next unused AV. Upon receipt
of this message the BS calculates the IK and CK.
d. The BS sends an Authentication Request Message containing the RANDA and
AUTN. Upon receipt of this message the MS aborts any pending 2G key setup.
e. The MS sends an Authentication Resynchronization Message that includes a MAC_S
and CONS_MS_SEQ to the BS.
f. The BS sends an <m3> message to the MSC that indicates that the MS was not
successfully authenticated. The BS may also continue exchanging messages with the
MS without including the MACI. If the MSC authorizes the MS, the call flow ends at
this step.
g. The MSC determines not to authorize the MS and sends an <m4> message to release
the call.
h. The BS initiates the release of the call.
3.2.5.1
Mapping of Meta-Messages to IOS Messages
The mapping is identical to the mapping in section 3.2.4.1.
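The four outcomes of sections 3.2.1, 3.2.3, 3.2.4 and 3.2.5 can be traced in a small simulation of the MS and BS decisions. This is an added example, not part of the contribution: HMAC-SHA-256 stands in for the AKA functions, AUTN is reduced to SQN plus MAC-A, and the function names, the key K and the rule that the AV's SQN must exceed the value stored in the MS are assumptions.

```python
import hashlib
import hmac
import os

def prf(k: bytes, label: bytes, *parts: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 truncated to 8 bytes stands in for the AKA functions.
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:8]

def make_av(k: bytes, sqn: int) -> dict:
    # Network side: build the AV that the MSC hands to the BS in <m2>.
    # Simplified AUTN = SQN || MAC-A (no SQN concealment, no other fields).
    rand, sqn_b = os.urandom(16), sqn.to_bytes(6, "big")
    return {"RAND": rand, "AUTN": sqn_b + prf(k, b"MAC-A", rand, sqn_b),
            "XRES": prf(k, b"RES", rand)}

def ms_on_auth_request(k: bytes, ms_sqn: int, rand: bytes, autn: bytes):
    # MS side: authenticate the network first, then check freshness, then answer.
    sqn_b, mac_a = autn[:6], autn[6:]
    if not hmac.compare_digest(mac_a, prf(k, b"MAC-A", rand, sqn_b)):
        return ("NO_REPLY", None)            # 3.2.3: MS enters System Determination
    if int.from_bytes(sqn_b, "big") <= ms_sqn:
        cons = ms_sqn.to_bytes(6, "big")     # 3.2.5: MS reports its own SQN
        return ("AUTH_RESYNC", (prf(k, b"MAC-S", rand, cons), cons))
    return ("AUTH_RESPONSE", prf(k, b"RES", rand))   # 3.2.1: RES for the BS

def bs_on_reply(av: dict, kind: str, payload) -> str:
    # BS side: map the MS's reaction to the indication carried in <m3>.
    if kind == "NO_REPLY":
        return "Failure Ind."                # BS only observes lost radio contact
    if kind == "AUTH_RESPONSE" and hmac.compare_digest(payload, av["XRES"]):
        return "Auth_Success_Ind"
    return "Auth_Failure_Ind"                # wrong RES (3.2.4) or resync (3.2.5)

def run_flow(ms_key: bytes, net_key: bytes, ms_sqn: int, av_sqn: int) -> str:
    # One pass through steps c to f: AV issued, MS reacts, BS reports to the MSC.
    av = make_av(net_key, av_sqn)
    kind, payload = ms_on_auth_request(ms_key, ms_sqn, av["RAND"], av["AUTN"])
    return bs_on_reply(av, kind, payload)

K = bytes(range(16))                         # constructed subscriber key

if __name__ == "__main__":
    print(run_flow(K, K, ms_sqn=5, av_sqn=6))               # fresh AV, same key
    print(run_flow(K, b"\x00" * 16, ms_sqn=5, av_sqn=6))    # AV built with another key
    print(run_flow(K, K, ms_sqn=9, av_sqn=6))               # stale SQN in the AV
```

The MS checks MAC-A before it reveals anything, so a network that does not hold the key gets no RES and no resynchronization data, only silence that the BS reports as lost contact.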
3.2.6
Restoration of Keys on Power Up
[Message sequence chart between MS, BS and MSC, steps a to f. Messages shown: ROP(NEW_KEY_ID, NEW_SSEQ_H, AUTHR, MACI); <m1>(AUTHR); <m2>(CK, IK); RES(MACI); Sec. Mode Compl. Order(MACI); <m3>(Success Ind). Timer label: TKey Setup.]
Figure 13: Restoration of keys on power up
a. The mobile station sends Registration Message, Origination Message, or Page
Response Message (ROP) that includes a Message Authentication Code generated
using the stored IK and a pending NEW_SSEQ_H. The ROP contains a new key id
(NEW_KEY_ID) and a new security sequence number (NEW_SSEQ_H) associated
with the AUTHR of the message.
b. The BS sends an <m1> including the AUTHR to the MSC. The MSC validates the
AUTHR. The message includes an indicator that new cryptosync keys and a MACI
were received from the MS.
c. The MSC sends an <m2> message including the current (CK, IK).
d. The BS sends an RES message including a MACI. Upon receipt of this message, the
MS validates the MACI.
e. The MS sends a Security Mode Complete Message including a MACI to the BS. The
BS validates the MACI based on the keys received from the MSC in step ‘c’.
f. The BS sends an <m3> message to the MSC that indicates that the MS was
successfully authenticated.
3.2.6.1
Mapping of Meta-Messages to IOS Messages
The mapping from meta-messages to actual A1 interface messages is identical to the
mapping in the case of 2G authentication; see section 3.1.1.1.
3.2.7
ROP Using Established (IK, CK)
[Message sequence chart between MS, BS and MSC, steps a to e. Messages shown: ROP(AUTHR, MACI); <m1>(AUTHR); <m2>(CK, IK, cryptosync); RES(MACI); <m3>(Success Ind).]
Figure 14: Restoration of keys on power up
a. The mobile station sends Registration Message, Origination Message, or Page
Response Message (ROP) that includes a Message Authentication Code generated
using the stored IK and the current TX_EXT_SSEQ[i][KEY_ID]. The message also
includes the AUTHR.
b. The BS sends an <m1> including the AUTHR to the MSC. The MSC validates the
AUTHR. The message includes an indicator that a MACI was received from the MS.
c. The MSC sends an <m2> message including the current (CK, IK) and the
current cryptosync parameters if available. Note: When an MS goes idle, the BS may
request the MSC to store the current cryptosync parameters.
d. The BS sends an RES message including a MACI. Upon receipt of this message, the
MS validates the MACI.
e. The BS sends an <m3> message to the MSC that indicates that the MS was
successfully authenticated.
3.2.7.1
Mapping of Meta-Messages to IOS Messages
The mapping from meta-messages to actual A1 interface messages is identical to the
mapping in the case of 2G authentication; see section 3.1.1.1.