HRPD Roamer Authentication
Zhibi Wang, Sarvar Patel, Simon Mizikovsky, Nancy Lee
What’s in the TIA-835-2-C standard for Simple IP
3.2.1.3 PPP Session Authentication
The PDSN shall support the two authentication mechanisms: CHAP and PAP. The PDSN shall also support a configuration option to allow an MS to receive Simple IP service without CHAP or PAP. The PDSN shall propose CHAP in an initial LCP Configure-Request message that the PDSN sends to the MS during the PPP establishment. If the PDSN receives an LCP Configure-NAK from the MS containing PAP, the PDSN shall accept PAP by sending an LCP Configure-Request message with PAP. If the PDSN … is configured to allow the MS to receive Simple IP service without CHAP or PAP, the PDSN shall respond with an LCP Configure-Request without the Authentication-Protocol option and shall adhere to the guidelines in Section 3.2.2.1 for NAI construction for accounting purposes.
What’s in the TIA-835-2-C standard for Mobile IP
4.2.1.3 Authentication
The PDSN shall initially propose CHAP in an LCP Configure-Request message to the MS. The PDSN shall re-send an LCP Configure-Request message without the authentication option after receiving the LCP Configure-Reject (CHAP or PAP) from the MS.
4.2.2.1 Agent Advertisements
For the MS that uses Mobile IP, the PDSN shall begin transmission of an operator configurable number of Agent Advertisements
4.2.2.3 MIP Extensions [PDSN Requirements]
The PDSN shall include the MN-FA Challenge Extension [RFC 3012] in the Agent Advertisement.
What’s in the TIA-835-2-C standard for Mobile IP (cont.)
4.2.3 MIP Authentication Support [Home Agent Requirements]
When the HA receives an RRQ from a PDSN, it authenticates the RRQ using the MN-HA shared key. …Based on the policy of the home network, the HA may also process the MN-AAA Authentication Extension as specified in RFC 3012, if included in the RRQ.
4.5.2.3 MIP Extensions [MS Requirements]
The MS shall include the MN-NAI Extension [RFC 2794], MN-HA Authentication Extension [RFC 2002], MN-FA Challenge Extension [RFC 3012], and MN-AAA Authentication Extension [RFC 3012] in the RRQ message. …The MS shall compute the MN-AAA Authentication Extension, according to RFC 3012, based on the shared secret the MS has with the Home RADIUS server. … The MS may use the same shared-secret or different shared secrets in the computation of the MN-AAA Authentication Extension and MN-HA Authentication Extension.
What’s in the TIA-878-1 standard
2.4.1.3 Access Authentication
The AT shall support CHAP for the PPP instance on the access stream. If the AN supports access authentication, the AN shall support CHAP for the PPP instance on the access stream. In this case, the AN shall always propose CHAP as a PPP option …
2.4.2 AN-AAA Support
If the AN supports access authentication and the A12 interface, the AN shall support the RADIUS client protocol… and shall communicate user CHAP access authentication information to the visited AN-AAA in an Access-Request message on the A12 interface. For an AN-AAA to recognize that the transaction is related to access authentication, the Access-Request message may contain an additional 3GPP2 vendor specific attribute.
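The access-stream CHAP exchange of 2.4.1.3 and its relay to the AN-AAA in a RADIUS Access-Request on A12 (2.4.2), written out as an added Python example; this is not code from the contribution or from TIA-878-1. The NAIs, CHAP secrets, challenge bytes and the realm table are constructed for illustration, and the optional 3GPP2 vendor-specific attribute is left out.

```python
"""CHAP on the PPP access stream, relayed to the AN-AAA in a RADIUS Access-Request on A12.

Added example, not code from the contribution or from TIA-878-1.  NAIs, CHAP
secrets, challenge bytes and the realm table below are constructed; the optional
3GPP2 vendor-specific attribute of 2.4.2 is omitted.
"""
import hashlib
import hmac
import os
import struct

RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 3, 60  # RFC 2865 attribute types


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_access_request(nai, ident, response, challenge, radius_id=0, authenticator=None):
    """Encode the A12 Access-Request the AN sends: User-Name carries the AN_NAI,
    CHAP-Password carries the CHAP Identifier followed by the 16-byte response,
    CHAP-Challenge carries the challenge the AN issued on the access stream."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = b"".join(
        struct.pack("!BB", t, 2 + len(v)) + v
        for t, v in ((ATTR_USER_NAME, nai.encode()),
                     (ATTR_CHAP_PASSWORD, bytes([ident]) + response),
                     (ATTR_CHAP_CHALLENGE, challenge)))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(pkt):
    """Decode the RADIUS header and the attribute TLVs; reject malformed lengths."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS packet")
    code, _, length = struct.unpack("!BBH", pkt[:4])
    if code != RADIUS_ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return attrs


# Constructed AN-AAA database, realm -> {NAI: CHAP secret}.  A realm the visited
# AN-AAA does not own would be proxied to the home AN-AAA; here both operators'
# tables sit in one dictionary so the example runs offline.
AN_AAA_DB = {
    "operatorA.example": {"alice@operatorA.example": b"alice-chap-secret"},
    "operatorP.example": {"pat@operatorP.example": b"pat-chap-secret"},
}


def an_aaa_verify(pkt, db=AN_AAA_DB):
    """AN-AAA side: route on the NAI realm, recompute the CHAP response, accept or reject."""
    try:
        attrs = parse_access_request(pkt)
        nai = attrs[ATTR_USER_NAME].decode()
        ident, response = attrs[ATTR_CHAP_PASSWORD][0], attrs[ATTR_CHAP_PASSWORD][1:]
        challenge = attrs[ATTR_CHAP_CHALLENGE]
    except (ValueError, KeyError, IndexError, UnicodeDecodeError):
        return RADIUS_ACCESS_REJECT
    secret = db.get(nai.rpartition("@")[2], {}).get(nai)
    if secret is None or len(response) != 16:
        return RADIUS_ACCESS_REJECT
    expected = chap_response(ident, secret, challenge)
    return RADIUS_ACCESS_ACCEPT if hmac.compare_digest(expected, response) else RADIUS_ACCESS_REJECT


def access_authentication(an_nai, at_secret, challenge, ident=7):
    """One AT <-> AN <-> AN-AAA round: the AT answers the AN's CHAP challenge with
    the secret it holds; the AN relays NAI, challenge and response on A12."""
    response = chap_response(ident, at_secret, challenge)
    return an_aaa_verify(build_access_request(an_nai, ident, response, challenge))


if __name__ == "__main__":
    chal = os.urandom(16)
    print(access_authentication("alice@operatorA.example", b"alice-chap-secret", chal))  # 2 (Accept)
    print(access_authentication("alice@operatorA.example", b"wrong-secret", chal))       # 3 (Reject)
```

The AN never sees the subscriber's secret: it only forwards the challenge it chose and the response it got, and the AN-AAA that owns the realm recomputes the MD5 over Identifier, secret and challenge. Whoever owns the realm in the NAI therefore decides the outcome, which is exactly the property the roaming attack later on this page exploits.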
Summary of what’s in the standards
PDSN-level authentication is optional for Simple IP service.
– PDSN may allow Simple IP service without CHAP or PAP.
PDSN-level authentication is mandatory for Mobile IP service.
– PDSN shall support Mobile IP authentication.
– The HA shall authenticate the RRQ using the MN-HA Authentication Extension, and may also process the MN-AAA Authentication Extension.
– MN-HA and MN-AAA authentication may use the same or different shared secrets.
A12 AN-level authentication is optional.
– A12 and AN-level authentication are completely independent of PDSN-level authentication (separate PPP sessions).
– If used, AN-level authentication is performed first. If successful, then proceed to PDSN-level authentication.
In addition, CDG Document 79 “Wireless Data Roaming Requirements and Implementation Phase 1” recommends that the visited network should require authentication and authorization with the AN-AAA.
Some Terminology
AN_NAI: the NAI sent in the PPP session for AN-level authentication (e.g., [email protected])
PDSN_NAI: the NAI sent in the PPP session for PDSN-level authentication (e.g., [email protected])
Operator A: operator providing Simple IP service and using AN-level authentication for its subscribers
Operator P: operator providing Mobile IP service and using PDSN-level authentication for its subscribers
ANP: Operator P’s Access Network
AN-AAAP: Operator P’s AAA connected via A12 to the AN
PDSNP: Operator P’s PDSN
PDSN-AAAP: Operator P’s AAA connected to the PDSN
AN_NAIP: the NAI sent for AN-level authentication, when the NAI has Operator P’s domain name (e.g., [email protected])
PDSN_NAIP: the NAI sent for PDSN-level authentication, when the NAI has Operator P’s domain name
The A-suffixed names used in the call flows (ATA, ANA, AN-AAAA, PDSNA, PDSN-AAAA, AN_NAIA, PDSN_NAIA) are the corresponding Operator A elements and NAIs; ATP is an AT subscribed to Operator P.
EV-DO Architecture Reference Model
[Figure: reference model. Elements: AT, Source AN/PCF, Target AN/PCF, AN AAA, PDSN, PDSN AAA. Interfaces: Air Interface between AT and AN/PCF; A13 between Source AN/PCF and Target AN/PCF; A12 (RADIUS) between AN/PCF and AN AAA; A10/A11 between AN/PCF and PDSN; RADIUS between PDSN and PDSN AAA.]
Call Flow: Auth in Operator P Network
[Figure: message sequence between ATP, ANP, AN-AAAP, PDSNP and PDSN-AAAP]
1. ATP <-> ANP: Session Establishment
2. ANP -> PDSNP: A11-Registration Request
3. PDSNP -> ANP: A11-Registration Reply
4. ATP <-> PDSNP: PPP establishment
5. PDSNP -> ATP: CHAP challenge
6. ATP -> PDSNP: CHAP response
7. PDSNP -> PDSN-AAAP: Access-Request(PDSN_NAIP)
8. PDSN-AAAP -> PDSNP: Access-Accept
(No AN-level authentication is shown: Operator P authenticates its own subscribers at the PDSN level, so AN-AAAP is not involved.)
Call Flow: Auth in Operator A Network
[Figure: message sequence between ATA, ANA, AN-AAAA, PDSNA and PDSN-AAAA]
1. ATA <-> ANA: Session Establishment
2. ATA <-> ANA: PPP Establishment (access stream)
3. ANA -> ATA: CHAP challenge
4. ATA -> ANA: CHAP response
5. ANA -> AN-AAAA: A12 Access-Request(AN_NAIA)
6. AN-AAAA -> ANA: A12 Access-Accept
7. ANA -> PDSNA: A11-Registration Request
8. PDSNA -> ANA: A11-Registration Reply
9. ATA <-> PDSNA: PPP establishment
10. PDSNA -> ATA: CHAP challenge
11. ATA -> PDSNA: CHAP response (PDSN_NAIA, default password)
12. PDSNA -> PDSN-AAAA: Access-Request(PDSN_NAIA)
13. PDSN-AAAA -> PDSNA: Access-Accept
(Operator A authenticates at the AN level; its PDSN-level CHAP exchange uses a default password that PDSN-AAAA accepts.)
Call Flow: Roaming Auth in Operator P
[Figure: message sequence; visited network ATA, ANP, AN-AAAP, PDSNP, PDSN-AAAP; home network AN-AAAA, PDSN-AAAA (ANA and PDSNA shown but not involved)]
1. ATA <-> ANP: Session Establishment
2. ATA <-> ANP: PPP Establishment (access stream)
3. ANP -> ATA: CHAP challenge
4. ATA -> ANP: CHAP response
5. ANP -> AN-AAAP: Access-Request(AN_NAIA)
6. AN-AAAP -> AN-AAAA: Access-Request(AN_NAIA), proxied on the NAI’s domain
7. AN-AAAA -> AN-AAAP: Access-Accept
8. AN-AAAP -> ANP: Access-Accept
9. ANP -> PDSNP: A11-Registration Request
10. PDSNP -> ANP: A11-Registration Reply
11. ATA <-> PDSNP: PPP establishment
12. PDSNP -> ATA: CHAP challenge
13. ATA -> PDSNP: CHAP response (PDSN_NAIA, default password)
14. PDSNP -> PDSN-AAAP: Access-Request(PDSN_NAIA, default password)
15. PDSN-AAAP -> PDSN-AAAA: Access-Request(PDSN_NAIA)
16. PDSN-AAAA -> PDSN-AAAP: Access-Accept
17. PDSN-AAAP -> PDSNP: Access-Accept
Call Flow: Roaming Auth in Operator A
[Figure: message sequence; visited network ATP, ANA, AN-AAAA, PDSNA, PDSN-AAAA; home network AN-AAAP, PDSN-AAAP (ANP and PDSNP shown but not involved)]
1. ATP <-> ANA: Session Establishment
2. ATP <-> ANA: PPP Establishment (access stream)
3. ANA -> ATP: CHAP challenge
4. ATP -> ANA: CHAP response
5. ANA -> AN-AAAA: Access-Request(AN_NAIP)
6. AN-AAAA -> AN-AAAP: Access-Request(AN_NAIP), proxied on the NAI’s domain
7. AN-AAAP -> AN-AAAA: Access-Accept
8. AN-AAAA -> ANA: Access-Accept
9. ANA -> PDSNA: A11-Registration Request
10. PDSNA -> ANA: A11-Registration Reply
11. ATP <-> PDSNA: PPP establishment
12. PDSNA -> ATP: CHAP challenge
13. ATP -> PDSNA: CHAP response (PDSN_NAIP)
14. PDSNA -> PDSN-AAAA: Access-Request(PDSN_NAIP)
15. PDSN-AAAA -> PDSN-AAAP: Access-Request(PDSN_NAIP)
16. PDSN-AAAP -> PDSN-AAAA: Access-Accept
17. PDSN-AAAA -> PDSNA: Access-Accept
Potential Attack: Attacker in Operator P
[Figure: message sequence; attacker’s AT (ATP) in Operator P’s network with ANP, AN-AAAP, PDSNP, PDSN-AAAP; Operator A’s PDSN-AAAA reached through PDSN-AAAP (ANA, PDSNA and AN-AAAA shown but not involved)]
1. ATP (attacker) <-> ANP: Session Establishment
2. ATP <-> ANP: PPP Establishment (access stream)
3. ANP -> ATP: CHAP challenge
4. ATP -> ANP: CHAP response, carrying AN_NAIP
5. ANP -> AN-AAAP: Access-Request(AN_NAIP)
6. AN-AAAP -> ANP: Access-Accept
7. ANP -> PDSNP: A11-Registration Request
8. PDSNP -> ANP: A11-Registration Reply
9. ATP <-> PDSNP: PPP establishment
10. PDSNP -> ATP: CHAP challenge
11. ATP -> PDSNP: CHAP response (PDSN_NAIA, default password)
12. PDSNP -> PDSN-AAAP: Access-Request(PDSN_NAIA, default password)
13. PDSN-AAAP -> PDSN-AAAA: Access-Request(PDSN_NAIA)
14. PDSN-AAAA -> PDSN-AAAP: Access-Accept
15. PDSN-AAAP -> PDSNP: Access-Accept
Potential Attack: Attacker in Operator P (cont.)
The NAI and the authentication at the AN level and at the PDSN level are independent and can be different.
The attacker uses AN_NAIP at the AN level, causing AN-level authentication to be skipped because Operator P thinks this is its own user and expects authentication to be performed at the PDSN level.
The attacker uses PDSN_NAIA at the PDSN level, causing
– PDSN-level authentication to be skipped because Operator P thinks the user is a roamer whose authentication has already been performed at the AN level; or
– if Operator P forwards the authentication request to Operator A’s PDSN-AAA, the attack still succeeds if the attacker knows Operator A’s default CHAP password, because Operator A will return Access-Accept.
The attack scenario is possible even if the standards are strictly followed.
Solution to the Attack
Ensure that AN_NAI and PDSN_NAI are the same.
– The network must verify that the device attempting access is associated with the subscription receiving service.
The AN shall report the AN_NAI (the NAI used by the AT at system access) to the PDSN by including it in the A11-Registration Request message.
The PDSN shall verify that the PDSN_NAI received from the AT in the CHAP response matches the AN_NAI received from the AN in the A11-Registration Request message. If the two NAIs don’t match, terminate the session.
This requires a minor A11 interface change to carry the AN_NAI (e.g., HRPD AT_ID) to the PDSN.
It could be viewed as an implementation issue, but that would require coordination of proprietary solutions between the operators.
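The two-level admission policy from the “Potential Attack” and “Solution to the Attack” slides, as an added Python example that is not the contribution’s own code. It models the standards-compliant flow in Operator P’s network, the mixed-NAI attack, and the AN_NAI/PDSN_NAI binding carried over A11. Operators, NAIs, secrets and Operator A’s PDSN-level default password are all constructed; CHAP and RADIUS are reduced to credential lookups because only the policy decisions matter here.

```python
"""Two-level HRPD authentication policy: standard flow, mixed-NAI attack, NAI binding.

Added example, not the contribution's own code.  Realms, NAIs, secrets and the
'default password' are constructed; CHAP/RADIUS are abstracted to lookups.
"""
from dataclasses import dataclass

OP_A, OP_P = "operatorA.example", "operatorP.example"   # placeholder realms
A_DEFAULT_PDSN_PASSWORD = "default"   # Operator A's shared PDSN-level CHAP password (constructed)

# Constructed subscriber tables.  Operator A authenticates at the AN level (A12),
# Operator P at the PDSN level, so each keeps real credentials at one level only.
AN_AAA_A = {"alice@" + OP_A: "alice-an-secret"}
PDSN_AAA_P = {"pat@" + OP_P: "pat-pdsn-secret"}


def realm(nai):
    return nai.rpartition("@")[2]


def an_level_auth(an_nai, an_secret):
    """AN + AN-AAA on A12.  A foreign realm is proxied to the home AN-AAA."""
    home = realm(an_nai)
    if home == OP_P:
        return True        # AN-AAAP: Operator P performs no AN-level check for its own realm
    if home == OP_A:
        return AN_AAA_A.get(an_nai) == an_secret
    return False           # unknown realm


def pdsn_level_auth(visited, pdsn_nai, password, forward_roamers=True):
    """PDSN + PDSN-AAA.  forward_roamers=False models Operator P skipping the
    PDSN-level check for a roamer it assumes was authenticated at the AN level."""
    home = realm(pdsn_nai)
    if home == OP_P:
        return PDSN_AAA_P.get(pdsn_nai) == password
    if home == OP_A:
        if visited == OP_A or forward_roamers:
            return password == A_DEFAULT_PDSN_PASSWORD   # PDSN-AAAA accepts the default password
        return True
    return False


@dataclass
class AT:
    an_nai: str
    an_secret: str
    pdsn_nai: str
    pdsn_password: str


def admit(visited, at, bind_nai=False, forward_roamers=True):
    """Admission in the visited network: AN level first, then PDSN level.
    With bind_nai=True the AN carries AN_NAI to the PDSN in the A11-Registration
    Request and the PDSN terminates the session if it differs from PDSN_NAI."""
    if not an_level_auth(at.an_nai, at.an_secret):
        return "reject:AN"
    if bind_nai and at.an_nai != at.pdsn_nai:
        return "reject:NAI-mismatch"
    if not pdsn_level_auth(visited, at.pdsn_nai, at.pdsn_password, forward_roamers):
        return "reject:PDSN"
    return "accept"


# Legitimate subscribers and the attacker's device (all constructed).
alice = AT("alice@" + OP_A, "alice-an-secret", "alice@" + OP_A, A_DEFAULT_PDSN_PASSWORD)
pat = AT("pat@" + OP_P, "", "pat@" + OP_P, "pat-pdsn-secret")
mixed = AT("anyone@" + OP_P, "", "anyone@" + OP_A, A_DEFAULT_PDSN_PASSWORD)  # AN_NAIP + PDSN_NAIA
same_a = AT("anyone@" + OP_A, "guess", "anyone@" + OP_A, A_DEFAULT_PDSN_PASSWORD)
same_p = AT("anyone@" + OP_P, "", "anyone@" + OP_P, "guess")


def scenarios():
    """Outcome per device in Operator P's network: (standard flow, with NAI binding)."""
    return {name: (admit(OP_P, d), admit(OP_P, d, bind_nai=True))
            for name, d in (("alice roaming", alice), ("pat at home", pat),
                            ("attacker, mixed NAIs", mixed),
                            ("attacker, A NAI at both levels", same_a),
                            ("attacker, P NAI at both levels", same_p))}


if __name__ == "__main__":
    for name, (standard, bound) in scenarios().items():
        print(f"{name}: standard={standard} bound={bound}")
```

The binding works because it forces the attacker to face a real credential check at whichever level the NAI’s realm actually authenticates: an Operator A NAI at both levels is verified by AN-AAAA on A12, an Operator P NAI at both levels is verified by PDSN-AAAP, while legitimate roamers and home subscribers still pass. It does not strengthen Operator A’s default-password PDSN-level exchange itself; it only removes the cross-operator mix that let an attacker avoid both real checks.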