Providing SIM-based AAA in WLAN

Institute for Information Industry (資訊工業策進會), Integrated Technology Laboratory

胡志豪 [email protected]

Outline

• Project background
– Wireless LAN (WLAN) vs mobile telecom network: the integration trend
– Status of related technology development at home and abroad
– WLAN vs mobile telecom network integration reference models
– The "Building a mobile service environment over heterogeneous multi-access networks" project

• SIM-based authentication and encryption in mobile telecom networks

• SIM-based authentication, authorization and accounting (AAA) mechanism in WLAN

Wireless LAN (WLAN) vs mobile telecom networks

Figure: Mobility vs Data Rate

WLAN and mobile telecom network integration requirements

• Mobile telecom network (2G, 3G) integration needs
– Future demand for mobile data services
– 3G licence and deployment costs are too high

• Wireless LAN (WLAN) integration needs
– Customer base
– Coverage
– Identification and billing mechanisms

WLAN and mobile telecom network integration scenarios

• 3GPP TR 22.934 V6.0.0 (2002.9)
– Feasibility study on 3GPP system to WLAN inter-working

• Scenarios
– Common billing and customer care
– 3GPP system based Access Control & Charging
– Access to 3GPP system PS based services
– Service continuity
– Seamless services
– Access to 3GPP system CS based services

Planning direction of Taiwan's National Telecommunications Program

Existing access networks, each already optimized for a single propagation environment, are interconnected through an access integration mechanism and provide seamless access service at any time and in any place.

Source : 電信國家型計劃 B3G 規劃書 (National Telecommunications Program B3G plan)

Status of related technology development abroad

Organization and related development status:

3GPP
- Reference model for integrating the 3G system with Mobile IP: Architectural Requirements for Release 1999 (TS 23.121)
- How to integrate Mobile IP with the GGSN in the core network: Inter-working between the Public Land Mobile Network supporting Packet Based Service and Packet Data Networks (TS 29.061)
- Studies on integrating Multi-Tier systems: Combined GSM and Mobile IP in UMTS; Feasibility Study on 3GPP System to Wireless Local Network Inter-working

3GPP2
- Network architecture for integration with Mobile IP and the protocol architecture needed for data transport: Wireless IP Network Standard

ETSI
- Studies on integrating Multi-Tier systems: Analysis of existing roaming techniques applicable to TIPHON mobility services

IST
- No Coupling, Loose Coupling and Tight Coupling network integration models

Other
- HP, Nomadix, iPass

WLAN and mobile telecom network integration reference models

• Open Coupling : Mobility Management

Figure: Open coupling model (Home Agent / Foreign Agent / SIP Registrar)

Source : IST EVOLUTE(2002)(seamlEss multimedia serVices Over alL IP-based infrastrUcTurEs)

WLAN and mobile telecom network integration reference models (Cont’)

• Loose Coupling : Mobility Management + AAA Integration

Source : IST EVOLUTE(2002)

AAA: Authentication Authorization Accounting

WLAN and mobile telecom network integration reference models (Cont’)

• Tight Coupling : WLAN is treated like the other radio access technologies

Source : IST EVOLUTE(2002)

Comparison of WLAN and mobile telecom network integration reference models

No (Open) Coupling
- Definition: completely independent access networks; users have separate contracts for each network; mobility management
- Advantages: rapid introduction; no impact on GSN nodes; suitable for all WLAN technologies
- Disadvantages: poor handover performance; no common subscriber database

Loose Coupling
- Definition: same AAA subscriber database; mobility management
- Advantages: common database simplifies handling security, billing and customer management; no impact on GSN nodes; suitable for all WLAN technologies
- Disadvantages: poor handover performance

Tight Coupling
- Definition: WLAN connected to the core network in the same manner as other radio access technologies; SGSN and GGSN need to be updated
- Advantages: improved handover performance
- Disadvantages: only feasible if a single operator runs both networks

Building a mobile service environment over heterogeneous multi-access networks

Figure: target architecture. Telecom network (GPRS, UMTS): BSS, RAN, RNC, SGSN, GGSN, HLR. Wireless LAN (WLAN): Access Point, Access Controller, Home Agent, AAA Server (Radius/Diameter), SIP Servers (Proxy, Redirector, Registrar), WISP Domain. The two sides are joined by the AAA-HLR Link.

Provides a mobility management mechanism for mobile terminals in a heterogeneous network environment

Provides a fast and consistent authentication, authorization and accounting mechanism

III (資策會) year 92 (ROC calendar) Innovative and Forward-looking Program (subsidized and commissioned by the Ministry of Economic Affairs)

AAA (authentication, authorization and accounting) integration technology sub-project

• Objective : Providing SIM-based AAA in WLAN
– Security & trust mechanism
– Convenient account management
– Lower cost for WLAN roaming infrastructure construction

AAA: Authentication Authorization Accounting

Figure: Cellular Network (BSS, RAN, RNC, SGSN, GGSN, HLR) and WLAN (Access Point, Access Controller, Radius AAA Server, IP Networks) linked by the AAA-HLR Gateway; the Mobile Host with SIM card attaches to the WLAN.

Outline

• Project background

• SIM-based authentication and encryption in mobile telecom networks
– Authentication Method
– Authentication Architecture
– MAP (Mobile Application Part)

• SIM-based AAA model in WLAN

SIM-based AAA in Cellular Network

• SIM is a good way to manage public users
• SIM card is highly confidential and easily portable
• SIM card is authenticated by the operator (one way only)

Figure: GSM authentication and encryption. The MS (SIM card) and the Operator Home System both hold Ki. Each runs A3 and A8 on RAND: A3 yields SRES and A8 yields Kc. The operator compares the two SRES values (equal? Yes: Accept, No: Reject). Kc then keys A5 on both sides to produce the encrypted data.

SIM-based AAA in Cellular Network (Cont’)

Client Side: MS (SIM card) holding IMSI, Ki, A3, A5, A8. Operator Side: MSC/VLR, HLR and AuC, the AuC holding IMSI, Ki, RAND, A3, A8.

0. MS -> MSC/VLR: IMSI
1. VLR -> HLR: IMSI
2. HLR -> AuC: IMSI; the AuC computes SRES=A3(Ki, RAND), Kc=A8(Ki, RAND)
3. AuC -> HLR: RAND, Kc, SRES
4. HLR -> VLR: RAND, Kc, SRES
5. VLR -> MS: RAND; the MS computes SRES=A3(Ki, RAND), Kc=A8(Ki, RAND)
6. MS -> VLR: SRES’

Verify if SRES’ = SRES, accept or reject.

IMSI = MCC + MNC + MSIN

AAA-HLR Gateway

Figure: original path VLR - HLR; new path AAA-HLR Gateway - HLR.

MAP(Mobile Application Part):3GPP TS 29.002

• MAP_RESTORE_DATA
– Used by the VLR to request the HLR to send the data in the subscriber's IMSI record

• MAP_INSERT_SUBSCRIBER_DATA
– HLR provides the VLR with subscriber parameters

• MAP_SEND_AUTHENTICATION_INFO
– Used by the VLR to retrieve (RAND/SRES/Kc) information from the HLR

MAP_SEND_AUTHENTICATION_INFO Parameters ( M: Mandatory C: Conditional U: service-User )

Parameter name                          Request   Response
Invoke id                               M         M(=)
IMSI                                    C
Number of requested vectors             C
Requesting node type                    C
Re-synchronization Info                 C
Segmentation prohibited indicator       C
Immediate response preferred indicator  U
AuthenticationSetList                             C
User error                                        C

Outline

• Project background
• SIM-based authentication and encryption in mobile telecom networks

• SIM-based AAA model in WLAN
– EAP-SIM
– 802.1X
– Radius/Diameter
– AAA-HLR Gateway
– Scenarios / Sequence Diagram

EAP-SIM

• Mutual authentication & stronger keying information

• Re-Authentication (version 10), Privacy support

Figure: EAP-SIM key derivation. Supplicant: the SIM runs A3/A8 on RAND to give Kc and SRES; Kc and the Nonce feed SHA1 to give MK; PRF expands MK into K_encr, K_int and K_sres; HMAC_SHA1 keyed with these produces Mac and Sres. Authentication Server: receives RAND, Kc and SRES from the Operator, performs the same SHA1 / PRF / HMAC_SHA1 derivation and compares its Mac and Sres with the supplicant's (equal?).

Reference : draft-haverinen-pppext-eap-sim-5.txt (Nokia)
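Added example (not code from the slides or the project): a Python simulation of the one-way GSM challenge-response shown on the cellular-network slides and of the EAP-SIM challenge round above, to show where the mutual authentication comes from. A3/A8 and the key-expansion PRF are labelled stand-ins (HMAC-SHA1); the MK formula follows RFC 4186, the RFC form of the cited draft; the identity, Ki and RAND values are constructed.

```python
import hashlib
import hmac
import os

def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for the SIM's A3/A8 (real SIMs run COMP128 or an operator algorithm):
    HMAC-SHA1 keyed with Ki, cut to the GSM sizes SRES (4 bytes) and Kc (8 bytes)."""
    d = hmac.new(ki, rand, hashlib.sha1).digest()
    return d[:4], d[4:12]

def auc_triplet(ki: bytes, rand: bytes = None):
    """AuC/HLR side of MAP_SEND_AUTHENTICATION_INFO: one (RAND, SRES, Kc) vector."""
    rand = rand or os.urandom(16)
    sres, kc = a3_a8(ki, rand)
    return rand, sres, kc

def eap_sim_keys(identity: bytes, kcs: list, nonce_mt: bytes, version: int = 1):
    """MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version), the
    RFC 4186 form of the slide's SHA1 step. Expansion into K_encr / K_aut (the slide's
    K_int) uses an HMAC-SHA1 counter stand-in for the FIPS 186-2 PRF of the RFC."""
    ver = version.to_bytes(2, "big")             # version list with a single entry
    mk = hashlib.sha1(identity + b"".join(kcs) + nonce_mt + ver + ver).digest()
    stream = b"".join(hmac.new(mk, bytes([i]), hashlib.sha1).digest() for i in (0, 1))
    return stream[:16], stream[16:32]            # (K_encr, K_aut)

def at_mac(k_aut: bytes, packet: bytes, extra: bytes) -> bytes:
    """AT_MAC: first 16 bytes of HMAC-SHA1 over the packet (MAC zeroed) | extra data."""
    return hmac.new(k_aut, packet + extra, hashlib.sha1).digest()[:16]

def eap_sim_challenge(sim_ki: bytes, hlr_ki: bytes,
                      identity: bytes = b"1466001234567890@wlan.example", n: int = 2):
    """One EAP-SIM challenge round. The AS keys itself from n HLR triplets, the supplicant
    from its SIM. Returns (supplicant accepts network, network accepts supplicant)."""
    nonce_mt = os.urandom(16)                                  # from EAP-Response/SIM/Start
    triplets = [auc_triplet(hlr_ki) for _ in range(n)]         # fetched via the AAA-HLR Gateway
    rands = b"".join(t[0] for t in triplets)
    _, k_aut_srv = eap_sim_keys(identity, [t[2] for t in triplets], nonce_mt)
    srv_mac = at_mac(k_aut_srv, rands, nonce_mt)               # EAP-Request/SIM/Challenge MAC
    sim = [a3_a8(sim_ki, rands[i * 16:(i + 1) * 16]) for i in range(n)]
    _, k_aut_cli = eap_sim_keys(identity, [kc for _, kc in sim], nonce_mt)
    # Mutual authentication: the network must prove knowledge of the Kc values first.
    if not hmac.compare_digest(srv_mac, at_mac(k_aut_cli, rands, nonce_mt)):
        return False, False                                    # no SRES-bound MAC is sent
    resp_mac = at_mac(k_aut_cli, b"", b"".join(s for s, _ in sim))        # MAC | n*SRES
    expected = at_mac(k_aut_srv, b"", b"".join(t[1] for t in triplets))
    return True, hmac.compare_digest(resp_mac, expected)
```

In plain GSM (steps 0 to 6 on the earlier slide) only the SRES comparison on the operator side happens; here a server that does not hold the HLR triplets fails the supplicant's MAC check before any SRES-derived value leaves the host.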

Challenge & Need

• To read data from the SIM card and run its authentication algorithm

– SIM card logical model & functions

– GemCore

• Build authentication infrastructure in WLAN for EAP-SIM

– 802.1x

– Radius

• To retrieve authentication information from HLR/AuC

– AAA-HLR Gateway (Radius to MAP translation)

SIM Card Logical Model & Functions

• File system in SIM card

– 3GPP TS 11.11 Specs of SIM-ME Interface

• Functions : ATR, PPS, APDU, ...

GemCore

• Data exchange between Host & SIM Card

– GemCore

802.1x

• IEEE 802.1x : Port-based Network Access Control
• Three roles: Supplicant, Authenticator and AAA Server
• Can work not only on 802.3
• EAP and an authentication server are employed
– EAP is designed to allow additional authentication methods
– Centralized user administration
– Open, extensible and standards based

Figure: “Supplicant” (Host) - “Authenticator” (Access Controller, Ethernet Switch etc.) - “AAA Server” (RADIUS). EAP messages travel over EAPOL (over 802.3, 802.5, 802.11) between supplicant and authenticator, and over RADIUS (over UDP over 802.3) between authenticator and AAA server. The authenticator has an uncontrolled port and a controlled port.

Stacks of 802.1x-based Method

Supplicant (Mobile Host): EAP Methods / EAP / EAPOL / 802.11
Authenticator (AP, Access Controller): 802.11 / EAPOL toward the host, EAP relay, RADIUS / UDP / IP / 802.3 toward the server
AAA Server (Radius AAA Server): EAP Methods / EAP / RADIUS / UDP / IP / 802.3

Radius AAA Server

• Remote Authentication Dial In User Service
– Radius (RFC 2865)
– Radius Accounting (RFC 2866)

• Key Features
– Client / Server model
– Network security
– Flexible authentication mechanism (support PPP, CHAP, …)
– Extensible protocol (attribute-length-value)

• Codes & Packets
– 1 : Access Request
– 2 : Access Accept
– 3 : Access Reject
– 11 : Access Challenge

Figure: Dial In User - NAS (Network Access Server, client of RADIUS) - RADIUS Server

AAA-HLR Gateway

• Functional Requirement
– Support Radius to MAP Translation
– Support EAP Methods
– Support Diameter Message (Optional)

• System Architecture

Figure: SS7-side stack on a T1/E1 card: Driver / MTP Level 2 / MTP Level 3 / SCCP / MAP. IP-side stack on a NIC: Driver / Ethernet / IP / RADIUS / EAP (GMM, AKA, SIM methods). A Protocol Signaling Translation layer joins the two stacks.

Radius to MAP Translation

• Procedure Mapping

Radius - Gateway                Gateway - HLR
Radius Access Request           Send Authentication Info Request
Radius Access Challenge         Send Authentication Info Response

• Message Translation

Input from the RADIUS AAA server: Packet type Access-Request
Output to the HLR: Service-primitive type MAP_SEND_AUTHENTICATION_INFO

Parameter                 Action             Parameter   Value
……
EAP-Message attribute M   Mapping & Stored   IMSI C      Get from EAP-Message attribute
……

Input from the HLR: Service-primitive MAP_SEND_AUTHENTICATION_INFO_ack
Output to the RADIUS AAA server: Packet type Access-Challenge

Parameter                 Action             Parameter                 Action
……
AuthenticationSetList C   Mapping & Stored   EAP-Message attribute M   Mapping & Stored
……
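Added example, not the project's gateway code: a Python sketch of the two translation directions in the table above, using the RADIUS EAP-Message attribute (RFC 2869, concatenation per RFC 3579), EAP-Response/Identity, and the EAP-SIM Challenge / AT_RAND layout from RFC 4186. The IMSI, realm and RAND values in use are constructed, and the MAP request is represented as a plain dict keyed by the names from the MAP parameter table.

```python
import struct

EAP_MESSAGE, EAP_SIM, SIM_CHALLENGE, AT_RAND = 79, 18, 11, 1   # RFC 2869 / RFC 4186 codes

def radius_attrs(payload: bytes):
    """Walk the attribute section of a RADIUS packet (everything after the 20-byte header)."""
    attrs, i = [], 0
    while i < len(payload):
        length = payload[i + 1] if i + 1 < len(payload) else 0
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((payload[i], payload[i + 2:i + length]))
        i += length
    return attrs

def imsi_from_access_request(payload: bytes) -> str:
    """Access-Request -> IMSI for MAP_SEND_AUTHENTICATION_INFO: join the EAP-Message
    attributes, check for an EAP-Response/Identity and take the IMSI from the
    EAP-SIM permanent identity '1<IMSI>@realm'."""
    eap = b"".join(v for t, v in radius_attrs(payload) if t == EAP_MESSAGE)
    if len(eap) < 5:
        raise ValueError("no EAP-Message")
    code, _eap_id, length, etype = struct.unpack("!BBHB", eap[:5])
    if code != 2 or etype != 1 or length != len(eap):
        raise ValueError("not an EAP-Response/Identity")
    identity = eap[5:].decode("ascii", "strict")
    if not identity.startswith("1"):
        raise ValueError("not a permanent identity")
    imsi = identity[1:].split("@", 1)[0]
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):   # IMSI = MCC + MNC + MSIN
        raise ValueError("malformed IMSI")
    return imsi

def map_send_auth_info(imsi: str, vectors: int = 2) -> dict:
    """Gateway -> HLR request, keyed by the parameter names in the MAP table."""
    return {"IMSI": imsi, "Number of requested vectors": vectors}

def sim_challenge_eap_message(eap_id: int, rands: list) -> bytes:
    """AuthenticationSetList -> EAP-Request/SIM/Challenge carrying AT_RAND, wrapped in a
    RADIUS EAP-Message attribute for the Access-Challenge (AT_MAC is appended once the
    keys exist). AT_RAND length is in 4-byte units: 4-byte header + 16 bytes per RAND."""
    if any(len(r) != 16 for r in rands):
        raise ValueError("RAND must be 16 bytes")
    at_rand = struct.pack("!BBH", AT_RAND, 1 + 4 * len(rands), 0) + b"".join(rands)
    body = struct.pack("!BBH", EAP_SIM, SIM_CHALLENGE, 0) + at_rand
    eap = struct.pack("!BBH", 1, eap_id, 4 + len(body)) + body      # code 1 = Request
    if len(eap) > 253:
        raise ValueError("EAP packet must be split across EAP-Message attributes")
    return struct.pack("!BB", EAP_MESSAGE, 2 + len(eap)) + eap
```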

Scenario 1 : MH with SIM Card

Figure: TCC Cellular Network (BSS, RAN, RNC, SGSN, GGSN, HLR) and YAM WLAN (Access Point, Access Controller, Radius AAA Server, IP Networks) linked by the AAA-HLR Gateway; the Mobile Host with SIM card presents its IMSI and the gateway fetches (RAND/SRES/Kc) from the HLR.

TCC subscriber in the public WLAN deployed by YAM : MH with SIM card

Scenario 2 : MH without SIM Card

Figure: the same TCC Cellular Network and YAM WLAN joined by the AAA-HLR Gateway; the Mobile Host without SIM card is identified by MSISDN and receives a One Time Password on the subscriber's Cell Phone.

TCC subscriber in the public WLAN deployed by YAM : MH without SIM card

Signaling Plan

Mobile Host: SIM / EAP / EAP-OW / 802.11
Access Controller: EAP-OW / 802.11 toward the host; Radius/Diameter / UDP / IP / Ethernet / L1 toward the AAA server
AAA Server / AAA-HLR Gateway: EAP / Radius/Diameter / UDP / IP / Ethernet / L1 on the WLAN side; MAP / TCAP / SCCP / MTP3 / MTP2 / L1 on the SS7 side
HLR: MAP / TCAP / SCCP / MTP3 / MTP2 / L1

Sequence Diagram

Participants: Mobile Host, AP, AC, AS/Gateway, HLR.

1. Mobile Host -> AC: EAPoL_start(null)
2. AC -> Mobile Host: EAP_request(Identity)
3. Mobile Host -> AC -> AS/Gateway: EAP_response(IMSI)
4. AS/Gateway -> HLR: Restore_Data; HLR -> AS/Gateway: Insert_Subs_Data; AS/Gateway -> HLR: Insert_subs_Data_Ack; HLR -> AS/Gateway: Restore_Data_Ack
5. AS/Gateway -> AC -> Mobile Host: EAP_request(SIM-start)
6. Mobile Host -> AC -> AS/Gateway: EAP_response(Nonce)
7. AS/Gateway -> HLR: Send Auth_Info(IMSI); HLR -> AS/Gateway: Send Auth_Info_Ack(RAND, SRES, Kc)
8. AS/Gateway -> AC -> Mobile Host: EAP_challenge(RAND, Mac); Mobile Host: Verify Mac
9. Mobile Host -> AC -> AS/Gateway: EAP_challenge(Sres); AS/Gateway: Verify Sres
10. AS/Gateway -> AC: EAP_Success, key; AC -> Mobile Host: EAP_Success
11. AC -> AP: Send Key; AP -> AC: Send Key_Ack

Summary

• Algorithm for WLAN SIM-based authentication is implemented
– EAP-SIM

• Software to exchange data between SIM card and MH is implemented

• Authentication infrastructure in WLAN for EAP-SIM is built
– 802.1x
– Radius (FreeRADIUS)

• “Radius to MAP translation” functionality on the AAA-HLR Gateway is implemented