

Slide 1: Use of IPsec & IKE in Universal Mobile Telecommunication System

Dr. John K. Zao, Sr. Scientist, Information Security
Verizon Communications / BBN Technologies

IPSEC 2000, Paris La Defense - France, 10/26/2000

Slide 2: Outline

- Overview: 3G Wireless Data Networks
- Analysis: UMTS Security
- Proposal: Possible Use of IPsec & IKE in UMTS Security

Slide 3: Outline

- Overview: 3G Wireless Data Networks
  - History
  - Architecture
  - Domains
  - Strata
- Analysis: UMTS Security
- Proposal: Possible Use of IPsec & IKE in UMTS Security

Slide 4: Wireless Data Network Development

[Figure: timeline of wireless data network development from 2G through 2.5G to 3G, with separate tracks for Europe and the USA.]

Slide 5: GPRS / UMTS System Architecture

[Figure: GPRS / UMTS system architecture. Network elements shown: ME/SIM (mobile equipment with SIM, several instances), BTS (several), BSC (two), MSC (two), VLR, HLR, AuC, EIR, and the external networks PSTN / ISDN and PSPDN / CSPDN. Domain overlay: User Equipment Domain (Mobile Equipment Domain, USIM Domain) and Infrastructure Domain (Access Network Domain; Core Network Domain comprising Serving Network Domain, Home Network Domain and Transit Network Domain).]

Slide 6: UMTS Domain Hierarchy

[Figure: domain hierarchy. User Equipment Domain (Mobile Equipment Domain, USIM Domain) and Infrastructure Domain (Access Network Domain, Serving Network Domain, Transit Network Domain, Home/Remote Network Domain). Entities: ME, USIM, MT, AN, SN, TN, HN / RN, HE / TE, with User Apps and Provider Apps at the two ends; reference points Cu, Uu, Iu, [Yu], [Zu] between successive domains.]

Domain – a high-level group of UMTS entities; reference points (interfaces) are defined between domains

Slide 7: UMTS MT-HN Strata

[Figure: the domain hierarchy figure with the strata spanning from the mobile terminal to the home network drawn across it: Home Stratum, Service Stratum, Transport Stratum and Access Stratum.]

Stratum – a group of UMTS protocols that are relevant to one aspect of the services provided by one or more domains

Slide 8: UMTS MT-RN Strata

[Figure: the same domain hierarchy with the strata spanning from the mobile terminal to a remote network: Application Stratum, Service Stratum, Transport Stratum and Access Stratum.]

Slide 9: Outline

- Overview: 3G Wireless Data Networks
- Analysis: UMTS Security
  - Security Threats
  - Security Architecture
  - Security Features/Services
    - Network Access Security
    - Network Domain Security
    - User Domain Security
    - Application Domain Security
  - Security Mechanisms
    - Mobile User Identity Allocation
    - Entity Authentication & Key Agreement
    - User Traffic Confidentiality
    - Network Domain Security
- Proposal: Possible Use of IPsec & IKE in UMTS Security

Slide 10: 3G Security: Threats

[Figure: threat map. Basic threats: Confidentiality Violation, Integrity Violation, Denial of Services, Illegitimate Uses, Repudiation. Enabling threats: Eavesdropping (User Traffic; Signal & Control), Traffic Analysis (Passive; Active), Information Leakage (User Location), Masquerading (User; Net Elements; Service Net; Home Environment; Download Origins), Alteration (User Traffic; Signal & Control; System Data; ME Download; USIM Download), Unauthorized Access (System Data), Privilege Misuse (User; Service Net), Service Abuse, Stealing (Terminals), Intervention (Physical; Protocols), Repudiation (Traffic Origin; Traffic Delivery; Charge).]

Source: 3G Security; Security Threats & Requirements [3G TS 21.133]

Slide 11: 3G Security: Threats, Radio Interface

[Figure: the threat map of the previous slide, with each threat shaded as relevant, significant or major for the radio interface.]

Major threats:
  - Radio Eavesdropping & Traffic Analysis
  - User & Net Element Masquerading

Slide 12: 3G Security: Threats, ME-USIM Interface

[Figure: the threat map shaded as relevant, significant or major for the ME-USIM interface. Threats annotated with the component concerned: Privilege Misuse (Borrowed USIM), Unauthorized Access to System Data (USIM), Stealing of Terminals (ME), Alteration of System Data (ME), Masquerading as User (ME/USIM; Stolen ME & USIM), Alteration and Eavesdropping of (USIM) Signal & Control and of (USIM) User Traffic.]

Major threats:
  - ME/USIM Masquerading
  - ME/USIM Data Alteration & Access
  - ME/USIM Download Alteration & Eavesdropping

Slide 13: 3G Security: Threats, General System

[Figure: the threat map shaded as relevant, significant or major for the general system; Service Abuse is annotated as Emergency Service.]

Major threats:
  - Privilege Misuse
  - Network Element Masquerading
  - Wired Link Eavesdropping

Slide 14: UMTS Security Architecture

[Figure: the domain hierarchy and strata with the four security feature groups placed on them: Network Access Security, Network Domain Security, User Domain Security, Application Domain Security.]

- User Domain Security – protection against attacks on ME-USIM/USIM interfaces
- Network Access Security – protection against attacks on radio (access) links
- Network Domain Security – protection against attacks on wired network infrastructure
- Application Domain Security – protection of user & provider application exchanges
- Security Management – monitoring & managing user-provider security features

Slide 15: Network Access Security

User Identity Confidentiality
  Services: Identity Confidentiality; Location Confidentiality; Untraceability
  Mechanisms: Temporary Visiting Identity; Encrypted Permanent Identity; Encrypted Signal / Control Data

Entity Authentication
  Services: Authentication Mechanism Agreement; User Authentication; Network Element Authentication
  Mechanisms: HE-SN Authentication & Key Agreement; Local Authentication

Data Confidentiality
  Services: Cipher Algorithm Agreement; Cipher Key Agreement; User Data Confidentiality; Signal / Control Data Confidentiality

Data Integrity
  Services: Integrity Algorithm Agreement; Integrity Key Agreement; Signal / Control Data Integrity; Signal / Control Data Origin Authentication

Slide 16: Network Domain Security

Entity Authentication
  Services: Mechanism Agreement; Network Element Authentication
  Mechanism: Explicit Symmetric Key Authentication

Data Confidentiality
  Services: Cipher Algorithm Agreement; Cipher Key Agreement; Signal / Control Data Confidentiality

Data Integrity
  Services: Integrity Algorithm Agreement; Integrity Key Agreement; Signal / Control Data Integrity; Signal / Control Data Origin Authentication

Slide 17: User Domain Security

User - USIM Authentication
  Services: PIN-based Authentication

USIM - ME Authentication
  Services: Shared Secret Authentication

Slide 18: Application Domain Security

Secure USIM Download & Messaging
  Services: Application Identity Authentication; Application Data Confidentiality; Application Data Origin Authentication; Application Data Integrity; Application Exchange Sequence Integrity; Application Exchange Replay Protection; Application Data Non-repudiation

IP Security
  [TBD]

User Traffic Confidentiality
  Service: End-to-End Data Confidentiality

User Profile Confidentiality
  [TBD]

Slide 19: Mobile User Identity (MUI) Exchanges

- Temporary MUI (TMUI) Allocation
- Permanent MUI (IMUI) Identification
- Similar to Mobile IP Registration
- Source: UMTS Security Architecture [3G TS 33.102]

Slide 20: Entity Authentication & Key Agreement

Parameters
  - Authentication Vector: AV(i) := RAND(i) || XRES(i) || CK(i) || IK(i) || AUTN(i); AUTN, CK, IK and XRES are derived from RAND, SQN and AMF
  - Authentication Data Request: Authen_Req := IMUI || HLR_MSG
  - Authentication Data Response: Authen_Res := [IMUI] || AV(1..n)

Comments
  - Authentication is conducted between HE/AuC & MS/USIM
  - HE is the authentication & key distribution center
  - SN/VLR is a trusted mediator
  - If HE is off-line, then MS and SN authenticate using the shared integrity key & protect their traffic using the old (CK, IK)
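The authentication vector flow on this slide, as an added worked example that is not from the talk and not 3GPP code: the HE/AuC builds AV(i), the SN/VLR forwards RAND and AUTN to the mobile and later compares the returned RES with XRES (the SN never holds K), and the USIM checks the MAC and SQN freshness before deriving CK and IK. The AUTN layout (SQN xor AK) || AMF || MAC and the function names f1..f5 follow 3G TS 33.102; the derivation functions themselves are HMAC-SHA256 stand-ins rather than MILENAGE, and K, AMF and the SQN values are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed values: the long-term key K shared by USIM and HE/AuC, and the AMF.
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
AMF = bytes.fromhex("8000")


def _kdf(label: bytes, key: bytes, *parts: bytes, n: int) -> bytes:
    """Keyed derivation stand-in (assumption): HMAC-SHA256 truncated to n bytes.
    The real f1..f5 are the 3GPP MILENAGE functions; only the data flow is modelled."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:n]


def f1(k, rand, sqn, amf):  # MAC-A: binds RAND, SQN and AMF under K
    return _kdf(b"MAC", k, rand, sqn, amf, n=8)

def f2(k, rand):            # RES on the USIM, XRES inside the AV
    return _kdf(b"RES", k, rand, n=8)

def f3(k, rand):            # cipher key CK
    return _kdf(b"CK", k, rand, n=16)

def f4(k, rand):            # integrity key IK
    return _kdf(b"IK", k, rand, n=16)

def f5(k, rand):            # anonymity key AK, conceals SQN on the air interface
    return _kdf(b"AK", k, rand, n=6)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def generate_av(k, sqn, amf, rand=None):
    """HE/AuC: AV := RAND || XRES || CK || IK || AUTN, AUTN := (SQN xor AK) || AMF || MAC."""
    rand = rand if rand is not None else os.urandom(16)
    autn = xor(sqn, f5(k, rand)) + amf + f1(k, rand, sqn, amf)
    return {"RAND": rand, "XRES": f2(k, rand), "CK": f3(k, rand),
            "IK": f4(k, rand), "AUTN": autn}


def usim_respond(k, rand, autn, sqn_highest):
    """MS/USIM: recover SQN, check the MAC (network authenticity) and SQN freshness
    (replay), then derive RES, CK and IK."""
    conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
    sqn = xor(conc_sqn, f5(k, rand))
    if not hmac.compare_digest(mac, f1(k, rand, sqn, amf)):
        raise ValueError("MAC failure: challenge was not produced by the home environment")
    if int.from_bytes(sqn, "big") <= int.from_bytes(sqn_highest, "big"):
        raise ValueError("synchronisation failure: SQN not fresh (replayed challenge)")
    return {"RES": f2(k, rand), "CK": f3(k, rand), "IK": f4(k, rand), "SQN": sqn}


def sn_verify(av, res):
    """SN/VLR: trusted mediator that compares RES with XRES; it never sees K."""
    return hmac.compare_digest(av["XRES"], res)


def run_aka(k, sqn_he, sqn_usim_highest, amf=AMF):
    """One full run. Returns (SN accepted the user, USIM and SN hold the same CK/IK)."""
    av = generate_av(k, sqn_he, amf)
    out = usim_respond(k, av["RAND"], av["AUTN"], sqn_usim_highest)
    keys_agree = out["CK"] == av["CK"] and out["IK"] == av["IK"]
    return sn_verify(av, out["RES"]), keys_agree


def replay_rejected(k, sqn):
    """Re-presenting an AV whose SQN the USIM has already accepted must fail on freshness."""
    av = generate_av(k, sqn, AMF)
    previous = (int.from_bytes(sqn, "big") - 1).to_bytes(6, "big")
    usim_respond(k, av["RAND"], av["AUTN"], previous)      # first use: accepted
    try:
        usim_respond(k, av["RAND"], av["AUTN"], sqn)       # USIM's highest SQN is now sqn
    except ValueError as e:
        return "synchronisation failure" in str(e)
    return False


def tamper_rejected(k, sqn):
    """Flipping one bit of AUTN (here in the AMF) must fail the MAC check before anything else."""
    av = generate_av(k, sqn, AMF)
    bad = bytearray(av["AUTN"])
    bad[6] ^= 0x01
    try:
        usim_respond(k, av["RAND"], bytes(bad), bytes(6))
    except ValueError as e:
        return "MAC failure" in str(e)
    return False
```

The two checks on the USIM side are what make AKA mutual: the MAC proves that the challenge came from a party holding K (the HE, which the SN only mediates for), and the sequence number check is the replay defence; the off-line-HE case from the slide's comments would reuse the old CK and IK instead of running this exchange.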

Slide 21: User Traffic Confidentiality

Key Management
  - Cipher Key (Ks)
  - Initialization Vector (IV)

Cipher Algorithms
  - Synchronous Stream Cipher
    - Data stream XOR with key stream
    - Synchronization controlled by IV

Issues
  - Encryption synchronization mechanism
  - TFO voice protection adaptation
  - Data traffic protection adaptation
  - Encryption termination at net gateways
  - Encryption management
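The synchronous stream cipher described on this slide, as an added example that is not from the talk and is not a UMTS algorithm: the keystream depends only on (Ks, IV), encryption and decryption are the same XOR, and synchronisation comes from the IV rather than from the data, so a receiver that derives the IV from a frame counter stays in step even when a frame is lost. The last function checks the failure mode behind the "encryption management" issue: two frames encrypted under the same (Ks, IV) share keystream, so the XOR of the two ciphertexts equals the XOR of the plaintexts. The HMAC-SHA256 keystream generator and the frame counter as IV source are assumptions of this example.

```python
import hashlib
import hmac


def keystream(ks: bytes, iv: bytes, length: int) -> bytes:
    """Synchronous keystream: a function of (Ks, IV) only, never of the data.
    Stand-in generator (assumption): HMAC-SHA256(Ks, IV || block counter), concatenated."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(ks, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(ks: bytes, iv: bytes, data: bytes) -> bytes:
    """Data stream XOR key stream; decryption is the identical operation."""
    return xor_bytes(data, keystream(ks, iv, len(data)))


decrypt_frame = encrypt_frame


def frame_iv(count: int) -> bytes:
    """IV derived from a frame counter both ends track (assumption); the counter,
    not the ciphertext, is what keeps sender and receiver synchronised."""
    return count.to_bytes(4, "big")


def transmit(ks: bytes, frames):
    """Sender: frame i goes out under IV(i), tagged with its counter."""
    return [(i, encrypt_frame(ks, frame_iv(i), f)) for i, f in enumerate(frames)]


def receive(ks: bytes, received):
    """Receiver: each frame is decrypted under the IV for its own counter, so a frame
    lost in transit does not desynchronise the frames that follow it."""
    return {i: decrypt_frame(ks, frame_iv(i), c) for i, c in received}


def iv_reuse_leaks(ks: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Failure mode: two frames under one (Ks, IV) share keystream, so
    c1 xor c2 == p1 xor p2 and the keystream gives no protection between them."""
    c1 = encrypt_frame(ks, iv, p1)
    c2 = encrypt_frame(ks, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)
```

The point for key management follows directly: Ks may be long-lived, but the IV must never repeat under the same Ks, which is why the IV (or the counter it is derived from) has to be carried or tracked reliably across both ends and across any gateway where encryption terminates.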

Slide 22: Network Domain Security (Similar to Multi-Realm Kerberos)

- Layer I: Symmetric Session Key Negotiation using PK technology
- Layer II: Session Key Distribution within each Operator
- Layer III: Secure communication between Elements of different Operators

Slide 23: Outline

- Overview: 3G Wireless Data Networks
- Analysis: UMTS Security
- Proposal: Possible Use of IPsec & IKE in UMTS Security
  - Motivation
  - Use of IPsec with IKE
  - Use of IPsec with UMTS Key Management
  - Use of IKE with UMTS Cipher Mechanisms
  - Use of IPsec with Stateful Header Compression

Slide 24: Motivation

Why are we thinking of putting IPsec & IKE into 3G? Because …
  - IP (with XML payloads) is likely to be the networking protocol for the future Wireless Internet.
  - GSM/GPRS/UMTS Security Architecture is complex & fragmented.
  - IPsec & IKE will become widely deployed.
  - Use of USIM will make PK technology more accessible.
  - …

What will be the major show stoppers?
  - Wireless Voice traffic will NOT be over IP in the near future.
  - Wireless Signaling & Control traffic is NOT over IP either.

Slide 25: Use of IPsec with IKE in UMTS

- Application Domain Security [Strong Case]
  - User Traffic Confidentiality
- Network Domain Security [Possible but Unlikely Case]
  - Entity Authentication
  - Data Confidentiality
  - Data Integrity
  - First, UMTS Core Network must speak IP …

Slide 26: Use of IPsec with UMTS Key Management

- Network Domain Signaling & Control Security [Possible Case]
  - Entity Authentication
  - Data Confidentiality
  - Data Integrity
  - More likely than IPsec protection for the entire UMTS Core Network
  - Use of UMTS Key Management is reasonable for compatibility
  - Still, UMTS Signaling & Control must speak IP …

Slide 27: Use of IKE with UMTS Cipher Mechanisms

Not so unlikely as we think because …
  - UMTS uses USIM-HE exchanges to establish user security
  - USIM & HE/AuC may use IKE technology

- Entity Authentication & Cipher/Integrity Key Agreement
  - Network Access Security
  - Application Domain Security

Slide 28: Use of IPsec with Header Compression

Justification
  - Wireless Data Network may have limited bandwidth
  - Wireless Access & Network Domains support stateful L2 switching

Approach
  - Adopt technologies from the IETF Robust Header Compression WG
  - Consider possible IPsec header compression?

Slide 29: Bibliography

3rd Generation Partnership Project, Technical Specification Group (TSG) SA
  - 3G TS 21.133 - 3G Security; Security Threats & Requirements
  - 3G TS 21.120 - 3G Security; Security Principles & Objectives
  - 3G TS 33.105 - 3G Security; Cryptographic Algorithm Requirements
  - 3G TS 33.102 - UMTS; 3G Security; Security Architecture
  - 3G TS 23.101 - UMTS; General UMTS Architecture

GSM Documents
  - GS 02.60 - GPRS; Service Description; Stage 1
  - GS 03.60 - GPRS; Service Description; Stage 2
  - GS 02.09 - Security Aspects
  - GS 03.20 - Security Related Network Functions

Source: http://www.etsi.org/