View
216
Download
0
Tags:
Embed Size (px)
Citation preview
SIP roaming solutionSIP roaming solutionamongst different WLAN-amongst different WLAN-based service providersbased service providers
Julián F. Gutiérrez1, Alessandro Ordine1, Luca Veltri2
11 DIE, University of Rome "Tor Vergata", Italy DIE, University of Rome "Tor Vergata", Italy
22 Dpt. of Information Engineering - University of Parma, Italy Dpt. of Information Engineering - University of Parma, Italy
WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIPUniversità degli Studi di ParmaDipartimento di Ingegneria dell'Informazione WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIP
OverviewOverview Scope
roaming amongst (WLAN-based) access networks
• WLAN access networks are widely used
• current wireless internet providers (WISPs) use different authentication schemes
• lack of an integrated and open authentication framework
Goal open solution for secure authentication in wireless (also wired)
access scenario based on a distributed AAA architecture and on SIP protocol
• enabling the use through standard 3G terminals testbed implementation
Characteristics captive portal like solution (layer-two independent) based on SIP registration procedure
WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIPUniversità degli Studi di ParmaDipartimento di Ingegneria dell'Informazione WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIP
OutlineOutline SIP authentication overview
Digest authentication AKA Digest-AKA
Uni-Fy architecture
SIP-based authentication scheme
Implementation
Future work
WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIPUniversità degli Studi di ParmaDipartimento di Ingegneria dell'Informazione WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIP
SIP Digest authenticationSIP Digest authentication It follows a challenge-based scheme based on a shared secret for
authentication purposes (as on HTTP authentication)
Any time that a proxy server or UA receives a request, it MAY challenge the initiator of the request to provide assurance of its identity
INVITE / REGISTER
challenge generation
response generation
INVITE / REGISTER(with response)
responseverification
200/OK
A
B
C
D
UAC UASRegister/Redirect/Proxy Server
401 /407(with nonce)
WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIPUniversità degli Studi di ParmaDipartimento di Ingegneria dell'Informazione WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIP
SIP AKASIP AKA
MT Auth Server HSS
USIM
AV request
[User Id]Generation of
AV=RAND,AUTN,XRES,IK,CK
Authentication challenge
[RAND,AUTN]RAND,AUTN
RES
Run AKA algorithm:- verify AUTN- compute RES- generate IK,CK
Authentication response
[RES]
User Id Retrieval
AV push
[RAND,AUTN,XRES,IK,CK]
WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIPUniversità degli Studi di ParmaDipartimento di Ingegneria dell'Informazione WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIP
SIP Digest-AKASIP Digest-AKA
GenerationAV={RAND,AU T N ,
XRES, I K ,CK}
Start o f AKAalgorithm
Digest calculation of"response" usingRES as password
Checks Digest"response" using
XRES as password
A K A S IM
S IP U A C
A K A H SS
SI P R equest
A V request
A V
SI P response 401/ 407
[cha llenge= R A ND,A UTN]
SI P R equest
[cha llenge,response]
R A N D,A UTN
R ES
A C K
SI P R equest
(authenticated)
S IP serv er
WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIPUniversità degli Studi di ParmaDipartimento di Ingegneria dell'Informazione WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIP
Uni-FyUni-Fy Proposed solution based on Uni-Fy distributed access control
system
Uni-Fy characteristics Wireless LAN/HotSpot management system with
• distributed authentication
• access and policy control
• other capabilities authentication and authorization functions implemented at
application layer access control is applied at IP layer by means of firewalling
capability overall scheme can be viewed as a captive portal implementation used within the TWELVE research project (developed by the
University of Trento)
WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIPUniversità degli Studi di ParmaDipartimento di Ingegneria dell'Informazione WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIP
Uni-Fy architectureUni-Fy architecture
WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIPUniversità degli Studi di ParmaDipartimento di Ingegneria dell'Informazione WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIP
Uni-Fy architectureUni-Fy architecture Access network
through which mobile users can attach the rest of the network (e.g. Internet), and, after being successfully authenticated, gain connectivity towards it
Gateway acts as access router for the access network enforces the policy rules (as PEP) dynamically setup by the Gatekeeper
Gatekeeper together with the Gateway enforces authentication procedure before
granting access to mobile users it works at application level redirecting specific application sessions to a
proper authentication server
Authentication Provider directly or indirectly trusted by the Gatekeeper; application sessions are
redirected to it in order to force a proper authentication procedure implementation strictly depend on the specific application supported for
authentication purpose (HTTP, SIP, others) optionally uses a backend authentication server (an AAA server such as a
RADIUS or Diameter server) and an LDAP or DB repository
WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIPUniversità degli Studi di ParmaDipartimento di Ingegneria dell'Informazione WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIP
GW and GK architectureGW and GK architecture GW and GK can be co-located or implemented on different nodes
WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIPUniversità degli Studi di ParmaDipartimento di Ingegneria dell'Informazione WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIP
SIP-based authentication SIP-based authentication schemescheme
Proposal of a captive-portal-like mechanism based on access control scheme based on the Uni-Fy architecture
• open and flexible SIP authentication procedure
• same signaling platform used for multimedia real-time service and used by 3G mobile networks
When a mobile user roams into a new visited network it tries to authenticate with his own SIP server such procedure is intercepted by the local GK administrated by
the visited ISP the authentication procedure between the mobile user and his SIP
server goes on with some modifications
WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIPUniversità degli Studi di ParmaDipartimento di Ingegneria dell'Informazione WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIP
SIP extensionSIP extension For ISP-to-ISP authentication and correct authorization
information retrieval an extension of the SIP authentication procedure is proposed
Two new header fields defined Proxy-To-Proxy-Authenticate (pp-authenticate)
• used to carry authentication request information
• sent by a generic intermediate proxy to authenticate a next-hop entity, in order to correctly trust information sent as response from such next hop entity
• inserted by the proxy within the second SIP request from the UAC to the next hop entity
Proxy-To-Proxy-Authorization (pp-authorization)
• used to carry authentication response information
• inserted in a SIP response message by the next hop entity in response to the pp-authenticate request
WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIPUniversità degli Studi di ParmaDipartimento di Ingegneria dell'Informazione WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIP
Authentication schemeAuthentication scheme
CLIENT REGISTER(WITH RESPONSE)
New header “Proxy-To-Proxy-Authenticate”
added by Uni-Fy
CLIENT REGISTER(WITH RESPONSE)
+pp-authenticate
Answer to the usual supplicant authentication
procedure+
Answer to the challenge coming from Uni-Fy (“Proxy-
To-Proxy-Authorization”)
200/OK+
pp-authorization
Uni-Fy checks the response to the challenge.Independently, the 200/OK is sent to the
supplicant
200/OK
CLIENT (UAC) Uni-Fy SIP SERVER (UAS)
CLIENT REGISTER
401 UNAUTHORIZED(WITH CHALLENGE)
WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIPUniversità degli Studi di ParmaDipartimento di Ingegneria dell'Informazione WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIP
Implementation testbedImplementation testbed Whole authentication and authorization scenario implemented in
a testbed based on the Uni-Fy access control mechanism
GW and GK nodes have been realized based on the original Uni-Fy implementation (TWELVE project; http://netmob.unitn.it/twelve.html)
GK plugin for SIP has been developed in C++ based on the reSIProcate C++ SIP stack library
(http://www.sipfoundry.org/reSIProcate)
Proxy server (opportunely extended with proxy-to-proxy authentication) has been implemented in Java based on the mjsip SIP stack library and reference implementation
(http://www.mjsip.org)
WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIPUniversità degli Studi di ParmaDipartimento di Ingegneria dell'Informazione WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIP
Future WorkFuture Work
Improve the actual shared secret mechanism between Uni-Fy and the next hop entity
Access to the 3G SIM card in order to base the authentication procedure in the credentials stored in the SIM card
WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIPUniversità degli Studi di ParmaDipartimento di Ingegneria dell'Informazione WLAN/3G secure authentication based on SIPWLAN/3G secure authentication based on SIP
Thank you for your attention!!
For further details, please contact: