Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

WISTP 2008, May 13-16, Sevilla. Joaquin Torres, A. Izquierdo, M. Carbonell and J.M. Sierra, Carlos III University of Madrid, Spain, Computer Science Department.

Slide deck (PowerPoint presentation). Outline: Convergence; NGN …?; Smart Devices; Introduction.

Transcript of Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Page 1: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

WISTP 2008, May 13-16, Sevilla

Network Smart Card Performing U(SIM)

Functionalities in AAA Protocol Architectures

Joaquin Torres, A. Izquierdo, M. Carbonell and J.M. Sierra

Carlos III University of Madrid, Spain. Computer Science Department

Page 2: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Outline

Smart Devices
Convergence
NGN …?

Page 3: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Introduction

WLAN deployment: SOHO, campus, residential and public environments. The number of public hotspots is continuously proliferating, which allows information to be accessible at any time and in any place.

3G mobile systems as a competitive solution: wide geographical area coverage, effective roaming, and other advantages such as reliability, throughput, value-added services and content.

Page 4: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Networks Convergence

However, the expensive investment required by the 3G networks forces the operators to look for more profitable and versatile solutions (leakage of subscribers?). Comparing features:

WLANs provide services with significant transmission rates in high-demand zones and when mobility is not a requirement.

3G systems offer high mobility, wide coverage and well-established voice services, but lower transmission rates, so they are more adequate for low/medium demand.

Page 5: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Convergence: 3G/WLAN interworking

WLAN and 3G networks are complementary: 3G/WLAN interworking.

I-3G/WLAN is a clear trend in the public access infrastructures (PWLAN, Public Wireless LAN).

3GPP TS 23.234 v7.3.0: 3GPP System to Wireless Local Area Network (WLAN) Interworking System Description (September 2006)

Page 6: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

3G/WLAN Interworking features

Development of mobile services with high transmission rates, e.g. IP-based multimedia services (IMS).

Transparent roaming between both technologies: smart switching, with the goal of keeping initiated sessions.

Ad-hoc user services: QoS-profiled subscribers, preserving the quality of service.

Page 7: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

3G/WLAN Authentication Infrastructure

The subscriber must be authenticated before her access to network services is authorized: personalized credentials.

The user's multimode devices (e.g. laptops, smartphones, PDAs) require the appropriate secure module.

Solution: the authentication schemes are based on a combination of the solutions that were initially supported by these two systems.

Page 8: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

3G/WLAN: authentication convergence

A SIM-based solution, which simultaneously inherits from:

WLAN systems: EAPoL-based authentication (i.e. 802.1X/EAP with RADIUS or DIAMETER).

3G systems: chip card-based U(SIM) authentication schemes, inherited from stand-alone 3G systems and supported by the 3GPP subscriber registers (i.e. HLR/HSS).

Advantages: the devices are ready; the user is accustomed to the SIM; the module/hardware is secure; 3G/WLAN network operators do not require additional security credentials.

Page 9: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

3G/WLAN Reference Model

(Figure: 3GPP TS 23.234 reference architecture. The WLAN-UE attaches to the WLAN Access Network; the WLAN Access Gateway (WAG) and the 3GPP AAA Proxy sit in the Visited 3GPP Network; the 3GPP AAA Server, HSS/HLR, SLF, Packet Data Gateway, Offline Charging System and OCS sit in the Home 3GPP Network; the WLAN/3GPP IP Access gives access to the Intranet/Internet.)

3GPP TS 23.234 v7.3.0: 3GPP System to Wireless Local Area Network (WLAN) Interworking System Description (September 2006)

ETSI TS 133 234 V7.5.0, 3GPP System to Wireless Local Area Network (WLAN) Interworking Security System (June 2007)

Page 10: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

3G Mobile Systems Authentication: AKA

(Figure: message flow between the 3G MS with its U(SIM), the RNS, the 3G-SGSN and the HLR/AuC.)

HLR/AuC: generates the authentication vector {RAND, XRES, CK, IK, AUTN} = f(IMSI) and returns it to the 3G-SGSN.

3G-SGSN -> 3G MS (via the RNS): RAND, AUTN.

U(SIM): verifies the MAC by f1; decrypts the SQN by f5; checks the freshness of the SQN; computes RES = f2(K, RAND); derives CK by f3 and IK by f4.

3G MS -> 3G-SGSN: RES.

3G-SGSN: checks RES =? XRES.
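The AKA run on this slide, carried through as an added worked example (this is not code from the presentation or from the authors' testbed). It shows the HLR/AuC producing the vector, the U(SIM) checking AUTN (MAC by f1, SQN recovered by f5, freshness) before it returns RES and derives CK/IK, and the SGSN-side RES/XRES comparison. Assumptions: f1..f5 are HMAC-SHA256 stand-ins rather than Milenage, K and AMF are constructed test values, and the freshness rule is a strict "SQN must increase" check instead of the acceptance window and re-synchronisation procedure of TS 33.102.

```python
"""3G AKA: authentication-vector generation at the HLR/AuC and verification in the U(SIM)."""
import hashlib
import hmac
import os

K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")   # constructed 128-bit subscriber key (test value)
AMF = b"\x80\x00"                                       # constructed AMF field

def _prf(key, label, *parts):
    """Stand-in for the 3GPP f-functions (normally Milenage on AES): HMAC-SHA256 keyed by K."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

def f1(k, rand, sqn, amf): return _prf(k, b"f1", rand, sqn, amf)[:8]   # MAC-A, 64 bit
def f2(k, rand): return _prf(k, b"f2", rand)[:8]                        # RES / XRES, 64 bit
def f3(k, rand): return _prf(k, b"f3", rand)[:16]                       # CK, 128 bit
def f4(k, rand): return _prf(k, b"f4", rand)[:16]                       # IK, 128 bit
def f5(k, rand): return _prf(k, b"f5", rand)[:6]                        # AK (anonymity key), 48 bit

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class AuC:
    """HLR/AuC side: {RAND, XRES, CK, IK, AUTN} = f(IMSI), i.e. computed from the K stored for that IMSI."""
    def __init__(self, k, sqn=0):
        self.k, self.sqn = k, sqn

    def generate_vector(self, rand=None):
        rand = rand if rand is not None else os.urandom(16)
        self.sqn += 1                                          # a fresh sequence number per vector
        sqn = self.sqn.to_bytes(6, "big")
        autn = xor(sqn, f5(self.k, rand)) + AMF + f1(self.k, rand, sqn, AMF)   # SQN^AK || AMF || MAC-A
        return {"RAND": rand, "XRES": f2(self.k, rand), "CK": f3(self.k, rand),
                "IK": f4(self.k, rand), "AUTN": autn}

class USIM:
    """U(SIM) side: verify MAC by f1, recover SQN by f5, check freshness, then RES, CK (f3), IK (f4)."""
    def __init__(self, k, sqn=0):
        self.k, self.sqn = k, sqn

    def authenticate(self, rand, autn):
        sqn_ak, amf, mac_a = autn[:6], autn[6:8], autn[8:16]
        sqn = xor(sqn_ak, f5(self.k, rand))                    # "decrypts SQN by f5"
        if not hmac.compare_digest(f1(self.k, rand, sqn, amf), mac_a):
            raise ValueError("MAC failure: network not authenticated")
        # Simplified freshness rule: SQN must be strictly greater than the last accepted one.
        # TS 33.102 uses an acceptance window plus a re-synchronisation (AUTS) procedure instead.
        if int.from_bytes(sqn, "big") <= self.sqn:
            raise ValueError("synchronisation failure: SQN not fresh")
        self.sqn = int.from_bytes(sqn, "big")
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)

def sgsn_check(res, xres):
    """3G-SGSN side: RES =? XRES, compared in constant time."""
    return hmac.compare_digest(res, xres)

def run_aka(auc, usim, rand=None):
    """One complete AKA run; True when RES matches XRES and both sides hold the same CK/IK."""
    av = auc.generate_vector(rand)
    res, ck, ik = usim.authenticate(av["RAND"], av["AUTN"])
    return sgsn_check(res, av["XRES"]) and ck == av["CK"] and ik == av["IK"]

def replay_is_rejected(auc, usim):
    """Re-sending an already used (RAND, AUTN) pair must fail the SQN freshness check."""
    av = auc.generate_vector()
    usim.authenticate(av["RAND"], av["AUTN"])
    try:
        usim.authenticate(av["RAND"], av["AUTN"])
    except ValueError as err:
        return "SQN" in str(err)
    return False

def tampered_rand_is_rejected(auc, usim):
    """Flipping one bit of RAND in transit must fail the MAC check: AUTN no longer matches."""
    av = auc.generate_vector()
    bad_rand = bytes([av["RAND"][0] ^ 0x01]) + av["RAND"][1:]
    try:
        usim.authenticate(bad_rand, av["AUTN"])
    except ValueError as err:
        return "MAC" in str(err)
    return False

if __name__ == "__main__":
    auc, usim = AuC(K), USIM(K)
    print("AKA run ok:", run_aka(auc, usim))
    print("replay rejected:", replay_is_rejected(auc, usim))
    print("tampered RAND rejected:", tampered_rand_is_rejected(auc, usim))
```

The two failure cases are the ones the card sees when the terminal in front of it is not trusted: a replayed vector fails on SQN freshness and a modified RAND fails on the MAC, and in both cases the card never releases RES, CK or IK.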

Page 11: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Example scenario: convergence authentication

(Figure: a Visited WLAN and a Home WLAN, each with a Proxy AAA and a gateway, connected to the Home 3G Network with its AAA Server, the 3G-SGSN and the HLR/AuC.)

Page 12: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

3G/WLAN: convergence in authentication: EAP-SIM and EAP-AKA

SIM-based authentication schemes, standardized protocols. End-to-end mutual authentication between the mobile station and the backend authentication server.

(Figure: protocol stacks. WLAN MS: U(SIM) | EAP-SIM/AKA | EAP | EAPoL | 802.11. AP: 802.11 | EAPoL | EAP on the WLAN side and RADIUS/DIAMETER client | UDP/IP | L2/L1 on the network side. Network AAA Proxies: RADIUS/DIAMETER proxies | UDP/IP | L2/L1. 3G AAA Server: EAP-SIM/AKA | EAP | RADIUS/DIAMETER server | UDP/IP | L2/L1. The WLAN domain covers the MS and the AP; the WAN domain plus the cellular network covers the proxies and the 3G AAA server. The figure labels the AAA transport as UDP/IP, which is the RADIUS transport; Diameter itself is specified over TCP or SCTP.)

Page 13: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

A quick trust analysis

Both devices blindly trust each other: they behave as a unique supplicant. This is not a recommendable assumption by default; the authentication scheme should be designed to protect against any potential scenario, e.g. the WLAN MS being an a priori untrustworthy terminal.

Conclusion: should additional authentication mechanisms be provided?

Page 14: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Stand-alone device… stand-alone supplicant

(Figure: the supplicant device (smart cards, multimode MS, user) connects through an access device to the access network (WLAN, 3GPP, PSTN/dedicated lines, Internet) and on to the core network (AAA services, IP-based AAA, other services).)

Page 15: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Motivation

Our new approach starts from a different authentication model that considers an isolated U(SIM) with autonomy during the authentication process: it participates as a stand-alone supplicant or claimant, and does not rely on the access terminal (i.e. the WLAN mobile station) for this functionality.

Additionally, this work assumes an a priori untrustworthy environment: the WLAN MS is considered as a potential attacker. Hence, the WLAN MS should be authenticated by the network as a different host from the U(SIM). Required: device authentication previous to SM.

Page 16: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Goals

To define an AAA architecture which represents a more robust and flexible solution in terms of security, feasible for untrustworthy environments.

To provide efficient SIM-based mobile stations' customization or personalization in critical or public environments.

(Figure: Convergence (netw1, netw2) and Convergence (Smart Device, Authentication).)

Page 17: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Our Network Smart Card concept

In a previous work, we proposed a Network Smart Card (NSC) with authentication purposes:

Atomic smart card authentication protocol design: the authentication protocol should be designed as an integral part of the smart card. We propose a specific protocol stack for the card.

End-to-end mutual authentication scheme: the smart card participates as a communication endpoint.

IETF layer 2 authentication (the IP layer is not required).

Page 18: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

…details

(Figure: protocol stacks of our Network Smart Card (NSC) approach, contrasted with other approaches. The supplicant smart card runs EAP-type | EAP | PPP | ISO7816; the terminal runs ISO7816 | PPP | EAP pass-through, i.e. a pass-through authenticator according to EAP (acc. IETF), towards an EAP-based AP/NAS. Here EAP-type = EAP-AKA.)

Page 19: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Related Work

EAP-SIM/AKA solutions: many works, but focused on 3G/WLAN interworking security (network side); usually, problems derived from the original SIM/AKA protocols. Alternatives: EAP-TTLS, EAP-TLS, etc.

Assumption about the (U)SIM-WLAN_UE trust relationship: blind trust, they behave as a unique supplicant.

Summarized: the U(SIM) stores the corresponding subscriber authentication credentials and computes the envisaged cryptographic algorithms of the SIM/AKA protocols on behalf of the mobile station.

Page 20: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Related Work

Versatile solutions are missing.

Example: consider a U(SIM) that may be an external smart card which customizes (temporal personalization) a public wireless terminal for 3G/WLAN access.

In such a case, the U(SIM) behaving as a stand-alone supplicant is highly recommendable, so it should be isolated and protected.

Page 21: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

New NSC-based AAA Protocol Architecture in 3G/WLAN

(Figure: protocol stacks. NSC-based U(SIM): EAP-AKA | EAP | PPP | ISO7816. WLAN MS: ISO7816 | PPP | EAP towards the card and DIAMETER client | UDP/IP | 802.11 towards the network. AP bridge: 802.11 | L2/L1. Network AAA Proxies: DIAMETER proxies | UDP/IP | L2/L1. 3G AAA Server: EAP-AKA | EAP | DIAMETER server | UDP/IP | L2/L1.)

Page 22: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Features

U(SIM) remote authentication scheme:

Stand-alone supplicant functionality instead of split supplicant functionality: the U(SIM) and the WLAN MS do not cooperate in the authentication process as a unique device.

The authentication protocol stack is designed as an integral part of the U(SIM) (atomic design), so that it participates as the actual endpoint in the authentication process with a 3G AAA server.

(Figure: NSC-based U(SIM) stack: EAP-AKA | EAP | PPP | ISO7816.)

Page 23: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

…features

Minimal changes in the original architecture: the 3G network side does not require changes; proxies and end equipment keep their settings and implementation features.

(Figure: Network AAA Proxies: DIAMETER proxies | UDP/IP | L2/L1. 3G AAA Server: EAP-AKA | EAP | DIAMETER server | UDP/IP | L2/L1.)

Page 24: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

…features

The WLAN Mobile Station participates as a Network Access Server (NAS), implementing the role of pass-through authenticator as a DIAMETER client. This reinforces the stand-alone supplicant functionality in the U(SIM), since the WLAN MS cannot act as supplicant and authenticator at the same time for the same U(SIM).

(Figure: WLAN MS stack: ISO7816 | PPP | EAP towards the card, DIAMETER client | UDP/IP | 802.11 towards the network. AP bridge: 802.11 | L2/L1.)

Page 25: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

…features

U(SIM) isolation: advantages with regard to assuring the security of the entire scheme in untrustworthy scenarios.

Our architecture takes advantage of the functions of the LCP protocol (in PPP): the LCP/PPP protocol may be easily hosted in the U(SIM) stack, and EAP was initially designed for PPP.

The EAP layer allows packet exchange between the EAP-SIM/AKA methods and LCP frames, as well as duplication and retransmission control.

Page 26: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Authentication Flow in our AAA Architecture

(Figure: message sequence between the NSC-based U(SIM), the WLAN MS and the 3G AAA Server. PPP/EAP messages run between the U(SIM) and the WLAN MS; DIAMETER/EAP messages run between the WLAN MS and the 3G AAA Server.)

0. EAP Request/Identity
1. PPP/EAP Request/Identity
2. PPP/EAP Response/Identity [IMSI or Pseudonym]
3. DIAMETER/EAP Response/Identity [IMSI or Pseudonym]
4. DIAMETER/EAP Request/AKA-Challenge [RAND, AUTN, MAC, Encrypted ID]
5. PPP/EAP Request/AKA-Challenge [RAND, AUTN, MAC, Encrypted ID]
6. PPP/EAP Response/AKA-Challenge [RES, MAC]
7. DIAMETER/EAP Response/AKA-Challenge [RES, MAC]
8. Validation (3G AAA Server: XRES =? RES)
9. DIAMETER/EAP Success
10. PPP/EAP Success
11. Secure channel establishment

Page 27: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Security and Trust Issues

We are not proposing a new U(SIM) authentication protocol in the context of 3G/WLAN interworking.

Our architecture is built from well-known protocols that are implemented inside the U(SIM) with a novel approach: a new way to transport authentication messages between the U(SIM) and a 3G AAA server, in which the U(SIM) takes control on the user side.

Security weaknesses and threats derive from the own nature of such standardized protocols and from the correctness of their implementation.

Page 28: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Security and Trust Issues

New secure algorithms, key material or cryptographic techniques are not required.

The implementation of the EAP-AKA method is transparently reused, both on the U(SIM) side and on the 3G AAA Server side.

Page 29: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Trust Models

The relevant impact of our proposal is related to the trust models. Trust model derived from the original AAA protocol architecture in a 3G/WLAN interworking scenario:

(Figure: the U(SIM) and the WLAN MS sit in the user domain; the AP, the Proxies and the 3GPP AAA Server sit in the public domain, an untrustworthy environment. Trust labels on the links: U(SIM) to WLAN MS, blind; WLAN MS to AP, implicit; AP to Proxies and Proxies to 3GPP AAA Server, explicit; U(SIM) to 3GPP AAA Server, explicit through the AUTN-based authentication.)

Page 30: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Our Trust Model

The "blind trust" assumption should not be applied to all scenarios, and a more flexible solution is required.

Our goal: to introduce a more realistic architecture, from which a new trust model is derived.

(Figure: same domains as before. Trust labels on the links: U(SIM) to WLAN MS, implicit instead of blind; WLAN MS to AP, implicit; AP to Proxies and Proxies to 3GPP AAA Server, explicit; WLAN MS to 3GPP AAA Server, explicit; U(SIM) to 3GPP AAA Server, explicit through the AUTN-based authentication.)

Page 31: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Our Trust Model

The trust relationship between the WLAN MS and the 3G AAA server is supported by the DIAMETER protocol.

The WLAN MS is part of the network and it behaves as an Access Point for the U(SIM).

Only when the U(SIM) and the 3G AAA server mutually trust each other does the U(SIM) trust the WLAN MS. Our AAA architecture aims to provide robustness with this goal. This is a reasonable result in a priori untrustworthy scenarios.

Page 32: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Implementation and Testbed

Testbed for the AAA network architecture for the NSC-based U(SIM), implemented by means of the OpenDiameter libraries: a C++ API both to EAP and to Diameter EAP.

(Figure: NSC-based U(SIM) | WLAN MS (DIAMETER client) | Network AAA Proxy | 3G AAA Diameter Server.)

Page 33: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Details about implementation

3G AAA Server: the back-end authentication server is basically implemented by the libdiametereap and libeap libraries. The Diameter EAP API is extensible and allows authorization to be defined (DEA attributes). The EAP API is extended in order to support the EAP-AKA method. The OpenSSL library (partially included) provides a set of AKA cryptographic functionalities. For simplicity's sake, the implementation of functions f3 and f4 has not been carried out.

Network AAA proxy: the standard Diameter base protocol procedure in its relay version (Diameter proxy) is provided by libdiameter. This allows the implementation of the protocol stack in a layer 2 wireless Access Point to be completed.

WLAN MS: a common laptop with an IEEE 802.11g wireless interface. The NAS functionality (Diameter client) is provided by the implementation of the libdiametereap library.

Page 34: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Details about implementation

Network Smart Card with U(SIM) functionalities: JavaCard, with the bulk LCP/EAP protocol stack according to the standardized state machines, enhanced with a set of functionalities corresponding to the EAP-AKA method.

CK and IK derivation, as well as the synchronization and re-authentication functionalities, have been left out for the purposes of the testbed experiments.

(Figure: EAP peer state machine in the card; eapReqData enters at RECEIVED and eapRespData leaves at SEND_RESPONSE.)

RECEIVED:
  (rxReq, rxSuccess, rxFailure, reqId, reqMethod) = parseEapReq(eapReqData)

GET_METHOD:
  if (allowMethod(reqMethod)) {
    aka.Method = reqMethod
    methodState = INIT
  } else {
    eapRespData = buildNak(reqId)
  }

AKA_METHOD:
  ignore = aka.check(eapReqData)
  if (!ignore) {
    (methodState, decision, allowNotifications) = aka.process(eapReqData)
    eapRespData = aka.buildResp(reqId)
    if (aka.isKeyAvailable())
      eapKeyData = aka.getKey()
  }

SEND_RESPONSE:
  lastId = reqId
  lastRespData = eapRespData
  eapReq = FALSE
  eapResp = TRUE
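As an added example serving both the authentication flow of the earlier slide (steps 0 to 11) and the state machine above (this is not the authors' JavaCard or OpenDiameter code): a Python model of the card's EAP peer state machine using the RFC 4137 state names, the EAP-AKA packet layout of RFC 4187 (AT_RAND, AT_AUTN, AT_RES, AT_MAC), a minimal 3G AAA server side, and the WLAN MS as a pass-through NAS that relays EAP bytes unchanged between its PPP side and its Diameter side. Assumptions: K, the identity and K_aut are constructed values; RES and the MSK are HMAC stand-ins for f2 and the EAP-AKA key derivation; AUTN is carried but not verified (the AKA checks are in the example after the AKA slide); PPP and Diameter framing are replaced by direct function calls.

```python
import hashlib, hmac, struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # RFC 3748 codes
TYPE_IDENTITY, TYPE_NAK, TYPE_AKA = 1, 3, 23                       # RFC 3748 / RFC 4187 types
AKA_CHALLENGE, AT_RAND, AT_AUTN, AT_RES, AT_MAC = 1, 1, 2, 3, 11   # RFC 4187 subtype and attributes
K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")               # constructed subscriber key
K_AUT = hashlib.sha256(b"k_aut" + K).digest()[:16]                 # stand-in for K_aut (really from CK||IK)
IMSI = b"0214010000000001"                                         # constructed identity; "0" = permanent

def eap(code, ident, payload=b""):
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def parse_eap(pkt):                      # -> (code, identifier, type or None, type-data)
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt): raise ValueError("EAP length mismatch")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]

def attr(t, value):                      # EAP-AKA TLV; length in 4-byte units including the header
    value += b"\x00" * ((-(2 + len(value))) % 4)
    return bytes([t, (2 + len(value)) // 4]) + value

def parse_attrs(body):                   # body = subtype(1) reserved(2) attrs -> (subtype, {type: value})
    attrs, i = {}, 3
    while i + 2 <= len(body):
        n = 4 * body[i + 1]
        if n == 0 or i + n > len(body): raise ValueError("bad EAP-AKA attribute length")
        attrs[body[i]], i = body[i + 2:i + n], i + n
    return body[0], attrs

def aka_packet(code, ident, subtype, attrs):   # AT_MAC last, computed over the packet with MAC zeroed
    pkt = eap(code, ident, bytes([TYPE_AKA, subtype, 0, 0]) + b"".join(attrs) + attr(AT_MAC, bytes(18)))
    return pkt[:-16] + hmac.new(K_AUT, pkt, hashlib.sha256).digest()[:16]

def mac_ok(pkt):
    return len(pkt) > 24 and hmac.compare_digest(
        pkt[-16:], hmac.new(K_AUT, pkt[:-16] + bytes(16), hashlib.sha256).digest()[:16])

class AkaMethod:                         # the card's method object: aka.check / process / buildResp / key
    def __init__(self, k):
        self.k, self.resp, self.key = k, None, None
    def check(self, pkt):                # True = ignore: not a MAC-protected EAP-AKA request
        code, _, typ, _ = parse_eap(pkt)
        return not (code == EAP_REQUEST and typ == TYPE_AKA and mac_ok(pkt))
    def process(self, pkt):              # -> (methodState, decision)
        subtype, attrs = parse_attrs(parse_eap(pkt)[3])
        if subtype != AKA_CHALLENGE or AT_RAND not in attrs or AT_AUTN not in attrs: return "DONE", "FAIL"
        rand = attrs[AT_RAND][2:18]      # AUTN verification (f1/f5, SQN freshness) is not modelled here
        res = hmac.new(self.k, rand, hashlib.sha256).digest()[:8]             # stand-in for f2(K, RAND)
        self.resp = attr(AT_RES, struct.pack("!H", 8 * len(res)) + res)
        self.key = hmac.new(self.k, b"msk" + rand, hashlib.sha256).digest()   # stand-in for the MSK
        return "DONE", "COND_SUCC"
    def build_resp(self, ident):
        return aka_packet(EAP_RESPONSE, ident, AKA_CHALLENGE, [self.resp])

class Peer:                              # RFC 4137 peer: RECEIVED -> IDENTITY | GET_METHOD -> METHOD -> SEND_RESPONSE
    def __init__(self, identity, method):
        self.identity, self.method = identity, method
        self.method_state, self.decision, self.key = None, "FAIL", None
    def receive(self, req):
        code, ident, typ, _ = parse_eap(req)                                 # RECEIVED
        if code in (EAP_SUCCESS, EAP_FAILURE):       # Success only counts after a completed method
            self.decision = "SUCCESS" if code == EAP_SUCCESS and self.decision == "COND_SUCC" else "FAIL"
            return None
        if typ == TYPE_IDENTITY:                                             # IDENTITY
            resp = eap(EAP_RESPONSE, ident, bytes([TYPE_IDENTITY]) + self.identity)
        elif self.method_state is None and typ != TYPE_AKA:                  # GET_METHOD: allowMethod() false
            resp = eap(EAP_RESPONSE, ident, bytes([TYPE_NAK, TYPE_AKA]))     # Legacy Nak proposing EAP-AKA
        else:                                                                # GET_METHOD (INIT) -> METHOD
            self.method_state = self.method_state or "INIT"
            if self.method.check(req): return None                           # ignore = aka.check(eapReqData)
            self.method_state, self.decision = self.method.process(req)
            self.key = self.method.key                                       # aka.getKey() once available
            resp = self.method.build_resp(ident)
        self.last_id, self.last_resp = ident, resp                           # SEND_RESPONSE
        return resp

class AAAServer:                         # 3G AAA server: Identity -> AKA-Challenge, then 8. Validation
    def __init__(self, k):
        self.k, self.xres = k, None
    def handle(self, resp):
        _, ident, typ, body = parse_eap(resp)
        if typ == TYPE_IDENTITY:
            rand = hashlib.sha256(b"rand" + body).digest()[:16]   # deterministic for the example; use os.urandom(16)
            self.xres = hmac.new(self.k, rand, hashlib.sha256).digest()[:8]
            return aka_packet(EAP_REQUEST, (ident + 1) & 0xFF, AKA_CHALLENGE,
                              [attr(AT_RAND, bytes(2) + rand), attr(AT_AUTN, bytes(18))])  # AUTN placeholder
        if typ == TYPE_AKA and mac_ok(resp):
            r = parse_attrs(body)[1].get(AT_RES, b"\x00\x00")
            res = r[2:2 + struct.unpack("!H", r[:2])[0] // 8]
            if self.xres is not None and hmac.compare_digest(res, self.xres): return eap(EAP_SUCCESS, ident)
        return eap(EAP_FAILURE, ident)

def run_flow(peer, server):              # WLAN MS as pass-through NAS: EAP relayed unchanged, PPP <-> Diameter
    req = eap(EAP_REQUEST, 0, bytes([TYPE_IDENTITY]))                        # 0./1. Request/Identity
    while (resp := peer.receive(req)) is not None:                           # PPP/EAP towards the card
        req = server.handle(resp)                                            # DIAMETER/EAP towards the server
    return peer.decision

def terminal_tricks_are_rejected():      # untrusted WLAN MS forging Success, or pushing another EAP method
    peer = Peer(IMSI, AkaMethod(K))
    peer.receive(eap(EAP_SUCCESS, 1))                                        # no method completed -> stays FAIL
    nak = Peer(IMSI, AkaMethod(K)).receive(eap(EAP_REQUEST, 7, bytes([13])))  # EAP-TLS offered -> Legacy Nak
    return peer.decision == "FAIL" and parse_eap(nak)[2] == TYPE_NAK and nak[5] == TYPE_AKA
```

Two details matter for the trust model on the following slides: an EAP Success arriving from the terminal before the method has completed is not accepted by the card, and a request for another method is answered with a Legacy Nak that proposes EAP-AKA, so an untrustworthy WLAN MS sitting in the pass-through position can neither talk the card into a weaker method nor hand it a fake success; with real EAP-AKA the AT_MAC under a K_aut derived from CK||IK would also fail for a terminal that does not hold the subscriber key.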

Page 35: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Conclusion

Our testbed shows the feasibility and robustness of the proposed NSC-based AAA protocol architecture for 3G/WLAN interworking scenarios.

The standardized EAP-AKA protocol is transparently implemented in a common U(SIM), which participates as a stand-alone supplicant (NSC-based U(SIM)).

A novel trust model that assumes an a priori untrustworthy environment is defined. Therefore, our approach represents a more flexible solution in terms of security.

Beyond these benefits, it also may provide efficient mobile stations' customization or personalization in critical or public environments.

Further work: study and complete the EAP-AKA functionalities; new EAP-type methods.

Page 36: Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Network Smart Card Performing U(SIM) Functionalities in AAA Protocol Architectures

Thank you for your attention! Questions/Comments?