Improved One-Pass IMS Authentication in UMTS

Gaurav Sharma
Department of Computer Engineering Ramrao Adik Institute of Technology Navi Mumbai, India gaurav.sharma@rait.ac.in

Amarsinh Vidhate
Department of Computer Engineering Ramrao Adik Institute of Technology Navi Mumbai, India vidhate@rait.ac.in

Satish Devane
Department of Computer Engineering Ramrao Adik Institute of Technology Navi Mumbai, India satish@rait.ac.in

Abstract-Universal well as

Mobile

Telecommunications lJMTS the IP

System IP

We propose an improved one-pass IMS authentication procedure which reduces the message delivery cost of the authentication procedures earlier published by

(lJMTS), as a core network can support both circuit-switch as packet-switch services by networks. including supports Multimedia Multimedia

Chen et al.[4],

Subsystem (IMS) as part of its core network. IMS services are used by authenticating user equipment with the UMTS using UMTS AKA and then with the IMS using IMS AKA. This paper concentrates on the IMS authentication and proposes an improved one-pass IMS authentication procedure which will result in reduction in message delivery cost and improvement over IMS AKA. features This such proposed procedure as mutual also preserves and key security authentication

Huang et al.[2] & Long et al.[I].

The proposed procedure

authenticates the UE into the IMS domain by comparing the IMSI of UE derived from the IMPI provided by the UE in the SIP Register message and comparing it with IMSI stored in HSS (lMSIHss(impi)) while user registration. This method was first proposed by procedure also authentication The uses

Lin et

al.[3]. In addition, the proposed Vectors for mutual

Authentication

&

key agreement between UE and CSCF

agreement expected from an IMS authentication procedure.

overcoming security deficiencies of improvement in

Lin et al. 's [3] procedure.

proposed one-pass

the

Keywords- Authentication, UMTS, IMS, IMS AKA, SIP, GPRS, CSCF. I. The d 3r Generation
INTRODUCTION

authentication procedure is achieved by making I-CSCF (Interrogating - Call Session Control Function) take the responsibility of Authentication and Key Agreement instead of S-CSCF (Serving - Call Session Control Function). This is possible as both I-CSCF and S-CSCF have the same Zb and Cx interfaces [4] to HSS and use the same Diameter protocol as described by

Partnership

Project (3GPP)

has

proposed the Universal Mobile Telecommunication System (UMTS) which can act as the Core Network (CN). There is also an overlay architecture specified above the packet switched domain in the such core as network, Voice known IP as IP Multimedia Subsystem (lMS) [7]. IMS provides IP based multimedia services over (VoIP), multimedia conferencing, etc.[2]. IMS uses Session Initiation Protocol (SIP) [5] to create and control sessions and SIP function works on Call Server Control Functions (CSCF), which plays an important role in IMS authentication. The User Equipment (UE), in order to use multimedia services, must first authenticate itself to the packet-switch domain. This authentication is done using UMTS AKA (Authentication

Chen et al.

in [4] for the two-pass

IMS authentication procedure. The proposed one-pass IMS authentication protocol can reduce the redundancies and the authentication generation security. The rest of the paper is structured as follows. Section II presents the 3GPP UMTS IMS architecture IV presents the performance analysis proposed procedure with IMS AKA method. II.
RELATED WORK

costs

of

the

original

two-pass with

IMS the

authentication protocol with the same infrastructure and key algorithms without compromising

&

IMS AKA

Section III presents the proposed procedure in detail. Section

& comparison of & Long et al. 's

the [1]

&

Key Agreement)[I] procedure

which is

based on challenge-response scheme. To authenticate UE, UMTS uses International Mobile Subscriber Identity (lMSI) as the subscriber's identity which is stored in Subscriber Identity Module (USIM) of UE. In addition to packet-switch domain authentication, UE must also be authenticated in the IMS domain using IMS AKA to access multimedia services. The IP Multimedia Private Identity (IMPI) is stored in IMS Subscriber Identity Module (IS1M) in UE. IMS AKA is also a challenge response based procedure and although IMS is overlay architecture over packet-switch domain, a separate IMS AKA is very essential in order to prevent fraudulent IMS usage [3]. UMTS

This section presents an overview of the 3GPP UMTS IMS Architecture It also describes the two-pass IMS AKA procedure.

A.

3GPP UMTS IMS Architecture

A User Equipment (UE) contains a Universal Integrated

Circuit Card (UICC). The UICC is composed of a Subscriber Identity Module (SIM), a UMTS Subscriber Identity Module (USIM) and an IMS Subscriber Identity Module (lSIM). The International Mobile Subscriber Identity (IMSI) and IP Multimedia Private Identity (IMP!) are used for the UMTS and IMS authentication protocols, respectively [1].

978-1-61284-486-2/111$26.00 2011 IEEE

211

Step I I:

UE sends a SIP Register message to P-CSCF through SGSN with the user's Multimedia Private Identity). P-CSCF then forwards this message to CSCF.

IMPI

(IP

1-

Step 12

&

13: I-CSCF exchanges the User Authorization Request (UAR) and User Authorization Answer (UAA) pair with HSS to obtain the name of the S-CSSF that is serving UE.

Step 14: Step 15:

Figure 1. 3GPP UMTS IMS Architecture

After identifYing address of S-CSCF, I-CSCF forwards the Register message to the S-CSCF. If S-CSCF does not have a valid authentication vector (AV) array for UE, S CSCF array. Otherwise, this Step a. b. c. d. e. sends a Multimedia Authentication Request (MAR) to HSS for obtaining an A V

UMTS Terrestrial Radio Access Network (UTRAN) consists of the Radio Network Controllers (RNC) and Base Station (Node B). UTRAN connects the UE with the Core Network (CN). Packet-switch Domain is located in the Core Network. It also contains the Gateway GPRS Support Node (GGSN) network. The IP Multimedia Subsystem (IMS) contains Call Session Control Functions (CSCFs) used for signaling process. B. IMS AKA

&

Step 16 can be skipped.

Authentication Vector contains: a random number a cipher key

RAND,

&

the Serving GPRS Support Nodes (SGSN) [4,

an expected response XRES,

11]. They support the use of GPRS in the packet-switched

CK,

an integrity key IK, an authentication token A UTH.

&

control and plays an important role in the authentication

Step 16:

HSS generates an array of fresh

'n'

AVs and

sends it to S-CSCF through a Multimedia Authentication Answer (MAA) message. Step 17: S-CSCF selects an AV [i] CSCF Then, Step 18: through ICSCF a SIP message. forwards the SIP 401 Unauthorized message to the P-CSCF. P-CSCF keeps parameter Step 19:

Authentication

&

sends it to 1Unauthorized

401

CK; and IK; and RAND; II AUTH; to UE AUTH;.

sends the through a

SIP 401 Unauthorized message. UE verifies If the result is positive, UE derives

& IK;.

Both

(IPsec) UE

RES, CK; IK; & CK; are used for IP security security association between UE & P

CSCF, and the subsequent messages between

&

P-CSCF can be protected by IPsec. UE,

now, employs RES as the password of HTTP digest to derive the digest response of the authentication request header defined in [8] sends it to S-CSCF through P-CSCF CSCF. Step IlO:
Figure 2. IMS AKA Authentication Procedure

& & 1-

S-SCSF verifies digest-response using XRES;. If the result is positive, S-CSCF sends a Server Assignment Request (SAR) to HSS informing about which S-CSCF will serve the UE.

Once the UE successfully completes the packet-switch domain authentication, UMTS AKA [10]

&

packet data

protocol (PDP) context activation [6], UE can request IMS services through IMS authentication procedure using IMS AKA [2]. The IMS AKA procedure:

Step 111:

HSS receives SAR and stores the S-CSCF name and replies with a Server Assignment Answer (SAA) to S-CSCF.

Step Il2:

S-CSCF employs the

XRES;

as the password of

HTTP digest to derive the

response-auth

of

Authentication-Info

header defined in [8].

215

Then, S-CSCF sends a the

200

OK message with

I-CSCF first checks whether whether RSN is larger than acceptable time window, cannot be larger than

TS

is in the

response-auth

to UE through I-CSCF

&

acceptable time window, if yes, it then checks If there is a replay attack with

P-CSCF. The IMS AKA procedure correctly authenticates the UE in the IMS domain and preserves both, mutual authentication and key agreement. III.
PROPOSED IMPROVED ONE-PASS IMS AUTHENTTCATON

SNmax. TS
even

within the then

RSN

SNmux,
and

thereby pair

preventing replay attacks [1]. I-CSCF, then stores the sequence number Step G2: I-CSCF sends

imsi

impi

and assigns the RSN to the maximum

SNmax.
the User Authorization

The proposed authentication procedure uses the IMSI and

IMPI

pair for authentication. The role of S-CSCF is limited

Request (UAR) to HSS to obtain the name of the S-CSCF that is serving UE. I-CSCF also sends Multimedia Authorization

to assigning the requested server to UE as far as the authentication procedure is concerned. The overhead of authenticating the IMS user is transferred to I-CSCF whose role earlier was just to find the appropriate S-CSCF from HSS and redirect the request from P-CSCF to the S-CSCF. This concept was first presented by same Zb and HSS. Moreover, unlike IMS AKA, in the proposed procedure the random number [1]. Step G3:

IMP! to HSS to obtain A V(J ". n) to be used for UE authentication.

I-CSCF obtains User Authorization Answer (UAA) containing the name of the S-CSCF that is serving UE. The HSS retrieves the IMSI value, denoted as IMS/m;\,(impi), from the database by using the IMPI as an index. HSS also generates a vector AV(l. . . n) containing: XRES(l. . . n), CK(1". n) and IK(1". n) generated with the help of RAND using functions described in [9]. Then, HSS sends a Multimedia Authorization

Request (MAR) with

Chen et al.

in [4] for

a two-pass procedure as both I-CSCF and S-CSCF have the

Cx

interfaces to HSS and use the same

Diameter protocol and, hence, share the same trust level with

RAND

is generated by the UE freshness

of which is verified by the network to prevent replay attack

A.

Improved One-Pass IMS Authentication

Answer (MAA) message with and

IMShrss(impi)

AV(1". n)

to l-CSCF. for the indexed

If the IMShrs\{) value and the authentication vector and

AV(l". n)

IMPI

exist,

then only User Authorization Request (UAR) User Authorization Answer (UAA) messages are exchanged between I-CSCF and HSS to obtain the name of the S-CSCF that is serving UE in Step G2 and Step G3. Step G4: Once I-CSCF identifies the address of S CSCF, it forwards the Register Authorization message to the S-CSCF containing an unused array from AV(J". n). Step GS

IMPI

and

& G6:

After

receIvIng

Register

Authorization

message in the previous step, S-CSCF sends SAR message to HSS to inform which S CSCF will serve the UE. Then, HSS stores the name of the S-CSCF and sends back a SAA message as a response to S-CSCF. Step G7:
Figure 3. Proposed Improved One-Pass IMS Authentication

S-CSCF

selects

one

unused

array

from

AV(l". n)

and sends a

parameter values

200 OK message with IMP!, RAND(i), XRES(i),

The Improved One-Pass IMS Authentication procedure: Step G1: UE sends a SIP Register message with values Step G8:

CK(i) & IK(i) to

P-CSCF keeps forwards

P-CSCF.

IMPL IMSI &

number

a random number
=

RAND

based which

on the time stamp

TS and RSN (i.e., RAND

a random sequence

TS II RSN),

passes through the UMTS PS domain and P CSCF and arrives at I-CSCF.

CK(i) & IK(i) and then 200 OK message with the parameters IMP!, RAND(i), XRE S(i) to UE. UE computes RES(i), CK(i) & IK(i) using the same functions described in Step G3 from [11] and then checks whether RE S(i) XRE S(i) to
=

authenticate

the

S-CSCF.

If

so,

the

registration is complete

&

the IPSec Security

216

Association (SA) is created between UE and P-CSCF. The proposed procedure requires less number of messages for correctly authenticating the UE in the IMS domain, thereby; decreasing the message delivery cost and preserves both, mutual authentication and key agreement as desired. IV.
PERFORMANCE ANALYSIS With n AV previously issued

Methods Message Delivery Cost IMSAKA CI Long etal. CL Proposed Method CG

4+4a

2+4a

2+4a

The performance of the proposed IMS authentication procedure is evaluated in terms of message delivery cost and improvement over IMS AKA
.

We can also calculate the Average Message Delivery Cost CG for the proposed method using the following formula proposed by

A.

Message Delivery Cost Evaluation

One way of evaluating the performance of the proposed

CG

(:) CG1 + ( X) CG2

m CG
=

Lin et al.

in [3] as follows:

(3) (4)

authentication method is in terms of number of messages required for authentication or the message delivery cost. For the evaluation of the proposed method in [3]. we adopt the assumptions suggested by Lin Assumptions: The delivery cost from the UE to the S-CSCF is one unit. The cost between CSCFs unit. a<1 If I-CSCF does not have valid AV, the delivery cost CGI of the proposed authentication method can be expressed as:

2 +4a

The comparison of the average message delivery cost for IMS AKA, as follows:
TABLE II. AVERAGE MESSAGE DELIVERY COST

et al.

Long et al. 's

method and the proposed method is

&

HSS/another CSCF is a

Average Message Delivery Cost IMSAKA Long etal. Proposed Method

4+ 4+

( ) a

2+ 4+

( ) a

2 +4a

CG1

2+4a
&

(1)
08 are

We can clearly observe that CI> CL > CG. Hence, there is a reduction in the Average Message Delivery Cost in the proposed method as compared to IMS AKA authentication procedures. B.

Messages in Steps 0 I and 04, Steps 07 from UE to CSCF they both cost I unit each [3].

considered as one message each and since both of them are Messages in Steps 02, 03, 05, and 06 are considered as four independent messages with message delivery cost unit each as they are between CSCF and HSS/other CSCF. If I-CSCF does have valid AV, the delivery cost CG2 of the proposed authentication method can be expressed as
a

&

other

Improvement over IMS AKA

Improvement of the proposed procedure over IMS AKA

can be found using the formula given by

Lin et al.

in [4].

CG2
Fig.3.

2+4a

SG SG
where

CI-CG
=

(2)
=

CI m+xa

(5) (6)

It contains the same set of messages as described in Thus, in either case the message delivery cost for the proposed method is the same. We compare the message delivery cost of the proposed method with Long

------

2(1+a)m+xa

SG

is the improvement of the proposed procedure

.

over IMS AKA

We compare the improvement of the proposed method and the one proposed by
TABLE III.

et al. 's [1] method and the IMS AKA [2].

MESSAGE DELIVERY COST Methods

Long et al. [1] over IMS AKA

TABLE I.

IMPROVEMENT OVER IMS AKA Proposed Method SG

Message Delivery Cost

Long etal. Proposed Method CG SL

IMSAKA CI

Long etal CL

No AV issued previously

m 2(1+a)m+xa

m+xa 2(1+a)m+xa

4+6a

2 +6a

2+4a

217

We can clearly observe that SL

<

SG. Hence, there is an

improvement in the proposed method over IMS AKA compared to the method proposed by

Figure 5. Comparison of the message delivery cost improvement of the proposed authentication procedure and Long et aI. 's procedure.

Long et

al. [I]

Long et

al. [1] has shown improvement in terms of'n' or

Figure 5 gives a comparison of the proposed procedure with

the number of AV array, which can be expressed as

Long et al.'s procedure for different values of nand u.

V.
CONCLUSION

SL
Similarly, we

n 2n+(2n+ 1)a
show the improvement
x = m

(7)
of [4]. the

The proposed improved one-pass IMS authentication procedure shows reduction in the message delivery cost during the IMS authentication. It also shows improvement over previous methods and reduces the time for /
n

can

proposed procedure in terms of'n' where

SG

m+xa
=

n+a
=

2(1 +a)m+xa

2n+(2n+ 1)a

(8)

authentication as desired. In fact, the message delivery cost is reduced and not only matches with the method proposed by

Lin et

al.

in

[3]

but

also

overcomes

its

security

deficiencies with mutual authentication and key agreement as expected from an IMS authentication procedure.

REFERENCES [I] Xuelian Long, James Joshi, "Enhanced One-Pass IP Multimedia Subsystem Authentication Protocol for UMTS", IEEE, International Conference on Communications (ICC), May 2010. Chung-Ming Huang, Jian-Wei Li, "One-Pass Authentication and Key Agreement in IP Multimedia Subsystem for UMTS", IEEE, 21" International Conference on Advanced Information Networking and Applications (AINA'07), May 2007. Vi-Bing Lin, Ming-Feng Chang, Meng-Ta Hsu, Lin-Yi Wu, "One Pass GPRS and IMS Authentication Procedure for UMTS", IEEE Journal on Selected Areas in Communications, June 2005. Guangquan Chen, Mei Song, Junde Song, Wenjing Ma "Improved Authentication and Key Agreement Procedure in IP Multimedia Subsystem for UMTS", IEEE, International Conference on MultiMedia and Information Technology, 2008. J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson,

[2]

[3]

[4]

Figure 4.

Improvement of the proposed method overlMS AKA.

[5]

Figure 4 plots the improvement achieved by the proposed procedure over IMS AKA for different values of nand
u.

R Sparks, M. Handley, E Schooler, "SIP: Session Initiation

Protocol", IETF, RFC 3261, June 2002. [6] [7] http://wpatentstorm.us/patents17203200/description.html. August, ww. 2010. Kumudu S. Munasinghe, Abbas Jamalipour, "Interworking of WLAN-UMTS Networks: An IMS-Based Platform for Session Mobility", Communications Magazine, IEEE, September 2008. J. Franks, P. M. Hallam-Baker, J. L. Hostetler, S. D. Lawrence, P. J. Leach, "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, June 1999. 3GPP, 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Security architecture, Tech. Spec. 3G TS 33.102 Version 8. 3. 0 (2009-06), 2009.

[8]

[9]

[10] Jon Robert Dohmen, Lars S0mo Olaussen, "UMTS Authentication and Key Agreement", Agder University College, Norway, May 2001. [II] 3GPP, 3rd Generation Partnership Project; Technical Specification Group Services and Systems Aspects; Network architecture (Release 9) Tech. Spec. 3G TS 23.002 V9. 0. 0 (2009-06), 2009

218