IMS Authentication with AKAv1 and AKAv2
- 2. IMS Authentication according to AKAv1 AKAv2:
○ Introduction
• UE Authenticate
○ In Sim
• Creating a Shared Secret
• Other Thing in Sim
○ IMS Registration
• How HSS or AuC create AV
○ IN UE
• Response Decoding and Verification of the Network
• HTTP Digest calculation from HMAC-MD5 password generation
○ Overview
○ Reference
- 3. 1- Introduction
IMS specifies a set of connectivity and communications services based on a number of Internet Engineering
Task Force (IETF) protocols and standards, particularly Session Initiation Protocol [RFC 3261].
The 3gpp IMS specifications, outlined in [3gppTS24.229], provide detailed requirements for implementations
that follow the standard. The current document focuses on one critical aspect of IMS, implementation of the
mutual authentication of user equipment and network. IMS AKA is an application of HTTP Digest Authentication
[RFC2617] intended to overcome the weaknesses in the HTTP procedure. Two variants have been defined:
AKAv1 with IPsec and AKAv2 with TLS. AKAv1 uses AKA techniques to create a secure connection and IPsec
[RFC4301] to ensure continued confidentiality and integrity. AKAv1 is subject to man-in-the-middle attacks if
not properly secured using IPsec. AKAv2 addresses this weakness by using stronger passwords and may employ
TLS to secure the channel.
- 4. 1-1 UE Authenticate
Mutual authentication is performed when a User Equipment (UE) registers for service with the IMS. The UE has
established a radio connection with the Radio Access Network (RAN) and is permitted to pass traffic to the
network to obtain services. The UE sends a SIP registration request to a designated IMS Registrar (CSCF) to
begin the exchange. The CSCF and the UE exchange credentials derived from a predetermined shared secret.
The end result of the exchange is a one-time password that summarizes the shared knowledge. When there is
agreement both ends use the derived parameters to create security associations to ensure integrity and
confidentiality of subsequent communication.
- 6. 2- In Sim:
○ Creating a Shared Secret
○ Other Thing in Sim
- 7. 2-1 Creating a Shared Secret
The shared secret (K) is created when a SIM (UICC) is manufactured. The secret is embedded in the SIM and is
not visible to any device into which the SIM could be inserted. The secret is also distributed to the
authentication center managed by the Home Subscription Server (HSS) located in the core network. The
secret is never directly exposed, but is used to create credentials which are then exchanged and compared
using authentication and key agreement (AKA) protocols.
[Figure: K in the SIM and in the HSS or AuC (Authentication Center)]
- 8. 2-2 Other Thing in Sim
The essential data contents (for this discussion) of a SIM are a 4-tuple of unique values: the ICCID – Integrated
Circuit Card IDentifier, IMSI – International Mobile Subscriber Identity, SQN – a sequence number, and K – the
secret. Also embedded in the SIM is a set of message authentication and key generating algorithms f1, f2, f3, f4, and f5,
which are the same as the corresponding functions at the AuC.
- 9. 3- IMS Registration:
IMS follows the familiar SIP challenge-response message exchange with inclusion of the IMS AKA Digest
method. The figure on the next slide is a message timeline indicating the order and important contents of the registration
request-response sequence.
- 11. 11
The UE sends an initial SIP REGISTER request that includes its IMSI and waits for the challenge to be offered by
the Registrar (CSCF). The initial registration request includes an Authorization: header containing username,
realm, and domain uri parameters.
REGISTER sip:vzims.com SIP/2.0
From: <sip:+14438055906@vzims.com>;tag=LGIMS_17458000-2228227
To: <sip:+14438055906@vzims.com>
…
CSeq: 1 REGISTER
Authorization: Digest
username="311480000832290@vzims.com"
realm="vzims.com"
uri="sip:vzims.com"
Content-Length: 0
- 13. 13
The CSCF creates a request on the HSS Cx interface (Diameter) for one or more authentication vectors (AV), using the
identifying keys supplied on the registration request. The AV contains the challenge values.
- 14. 14
Each AV is an n-tuple that describes the authentication process and consists of the following fields:
Step (3): the HSS or AuC returns Response(vector [<=m]) to the P/I/C-CSCF.
Authentication Vectors:
• Scheme – TLS-Digest-AKAv2 or IPsec-Digest-AKAv1 (Coded in the AMF?)
• XRES – this is the expected response to the challenge.
• RAND – a random number challenge value
• AUTN – Network Authentication Token
• IK – Integrity key used to protect subsequent signaling
• CK – cipher key used to protect subsequent signaling
- 15. 15
The CSCF creates a response for the UE using the RAND and AUTN parameters from the AV. The response,
coded according to [RFC2617] and [RFC3310], will consist of nonce, algorithm, and qop parameters bundled
into a WWW-Authenticate: header. A 401 Unauthorized status containing the challenge is returned to the
client.
Step (4): the P/I/C-CSCF returns 401 Unauthorized(nonce, algorithm, qop) to the UE:
nonce = RAND || AUTN || Server data
algorithm = AKAv1-MD5 or AKAv2-MD5
qop = auth
Packet received by UE:
SIP/2.0 401 Unauthorized
…
CSeq: 1 REGISTER
WWW-Authenticate: Digest
realm="vzims.com"
nonce="glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA=="
algorithm=AKAv2-MD5
qop="auth"
Content-Length: 0
- 16. 3-1 How HSS or AuC create AV :
The AuC identifies the client by its permanent subscriber identity (IMSI), which is supplied to the CSCF in the request's
username= parameter. The AuC manages the shared secret, K, and the sequence number, SQN, on behalf of each
client. When the AuC receives a request for a new AV it starts by generating a fresh sequence number SQN and
a random, unpredictable challenge RAND ①. The values for MAC, XRES, CK, IK, and AK are computed and an
AUTN is constructed ②. The resulting values are bundled together into an AV and returned to the calling CSCF
③. The CSCF will assemble a nonce from the RAND and AUTN parameters for delivery to the client ④. It saves
the CK, IK, and XRES parameters to verify the client response and create any necessary security associations.
- 18. 4- IN UE:
○ Response Decoding and Verification of the Network
- 19. 4-1 Response Decoding and Verification of the Network
The UE receives the nonce value and decodes it into a string of 320 bits. The UE extracts the RAND and AUTN
values to send to the SIM using the AUTHENTICATE (RAND, AUTN) command [3gppTS31.102]. The RAND
and AUTN parameters are each 128 bits (16 bytes) in length. Some server-specific bytes (64 bits) may be appended to
the end (unused at this point). The SIM will calculate the password response (RES), security keys (IK &
CK), the expected sequence number (SQN), and a message authentication code (XMAC).
nonce="glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA=="
Base64 decode to hex (40 bytes):
RAND (16 bytes): 825b14b0500b3320a77980ab99e6c8d0
AUTN (16 bytes): ecacee3e761b0000bf78b29c86e4cb99
Server-specific, unused (8 bytes): 3338313832663200
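The decoding step above as an added Python example (not part of the original slides): it base64-decodes the nonce from the 401 challenge and splits it into RAND, AUTN and the server-specific trailer. Splitting AUTN further into SQN xor AK (6 bytes), AMF (2 bytes) and MAC (8 bytes) follows the AUTN layout of 3GPP TS 33.102, which the slides do not spell out; the function and field names are illustrative.

```python
import base64
from typing import NamedTuple

# Nonce quoted in the WWW-Authenticate header on the slides
PAGE_NONCE = "glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA=="


class AkaChallenge(NamedTuple):
    rand: bytes         # 16-byte random challenge
    sqn_xor_ak: bytes   # 6 bytes: sequence number concealed with the anonymity key
    amf: bytes          # 2 bytes: Authentication Management Field
    mac: bytes          # 8 bytes: network MAC that the SIM compares with its XMAC
    server_data: bytes  # optional server-specific trailer (8 bytes on the slides)


def parse_aka_nonce(nonce_b64: str) -> AkaChallenge:
    """Split a Digest-AKA nonce into RAND, the AUTN fields and server data."""
    try:
        raw = base64.b64decode(nonce_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("nonce is not valid base64") from exc
    if len(raw) < 32:
        # A shorter nonce cannot carry RAND || AUTN and must not reach the SIM.
        raise ValueError(f"nonce is {len(raw)} bytes, need at least 32")
    rand, autn, server_data = raw[:16], raw[16:32], raw[32:]
    return AkaChallenge(rand, autn[:6], autn[6:8], autn[8:], server_data)


if __name__ == "__main__":
    challenge = parse_aka_nonce(PAGE_NONCE)
    for field, value in challenge._asdict().items():
        print(f"{field:12s} {value.hex()}")
```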
- 25. 25
Outputs of the SIM functions: f1 gives XMAC, f2 gives RES, f3 gives CK, f4 gives IK.
Test: (xmac == mac) && (SQN in range sim(SQN))
If (xmac == mac) && (SQN in range sim(SQN)):
the network is authenticated to the UE.
If xmac != mac:
the client and CSCF do not have the same shared secret. If the MAC does not match the XMAC, no auts= is sent,
and the final response= value is empty.
If SQN not in range sim(SQN):
the SIM will return a (re-)Synchronization Token (AUTS) value to be sent to the CSCF in
the challenge response. The AUTS is coded to inform the CSCF that the sequence numbers
are out of sync and a resynchronization process needs to be performed.
Let's go to the next step:
We have RES, CK, IK
- 33. 33
Now we have two algorithms for authentication, AKAv1 and AKAv2. Both use RES, IK and CK.
In AKAv1, RES is the password, and IK and CK are for IPsec.
In AKAv2, the password has to be calculated with HMAC:
HMAC( RES || IK || CK , "http-digest-akav2-password" )
For example:
RES = 09c96fcb
IK = 01bcc42bd27cfe2ceea34d66f35fc129
CK = 82cb63773e19bc44dc02c8ca64681464
HMAC( 09c96fcb 01bcc42bd27cfe2ceea34d66f35fc129 82cb63773e19bc44dc02c8ca64681464 , "http-digest-akav2-password" )
Part A is RES || IK || CK and Part B is "http-digest-akav2-password".
C = 09c96fcb01bcc42bd27cfe2ceea34d66f35fc12982cb63773e19bc44dc02c8ca64681464 || (0x00 * 28)
D = 09c96fcb01bcc42bd27cfe2ceea34d66f35fc12982cb63773e19bc44dc02c8ca6468146400000000000000000000000000000000000000000000000000000000
- 37. 37
For every byte of D, XOR (⊕) with 0x36:
E = 3fff59fd378af21d e44ac81ad8957b50 c569f71fb4fd5541 082f8a72ea34fefc 525e225236363636 3636363636363636 3636363636363636 3636363636363636
Convert the Part B string to hex:
F = 687474702d6469676573742d616b6176322d70617373776f7264
G = MD5(E||F) = MD5(3fff59fd378af21d e44ac81ad8957b50 c569f71fb4fd5541 082f8a72ea34fefc 525e225236363636 3636363636363636 3636363636363636 3636363636363636 687474702d6469676573742d616b6176322d70617373776f7264) = f4e838c0595529b7c34ece17baa41145
Now XOR every byte of D with 0x5C:
D = 09c96fcb01bcc42bd27cfe2ceea34d66f35fc12982cb63773e19bc44dc02c8ca6468146400000000000000000000000000000000000000000000000000000000
- 40. 40
For every byte of D, XOR (⊕) with 0x5C:
H = 559533975de09877 8e20a270b2ff113a af039d75de973f2b 6245e018805e9496 383448385c5c5c5c 5c5c5c5c5c5c5c5c 5c5c5c5c5c5c5c5c 5c5c5c5c5c5c5c5c
I = MD5(H || G) = MD5(559533975de09877 8e20a270b2ff113a af039d75de973f2b 6245e018805e9496 383448385c5c5c5c 5c5c5c5c5c5c5c5c 5c5c5c5c5c5c5c5c 5c5c5c5c5c5c5c5c f4e838c0595529b7c34ece17baa41145) = b11ff4fe419cdd5d3fae868a788d530f
In AKAv1 the password is RES = 09c96fcb, and IK and CK are used for IPsec.
In AKAv2 the password is HMAC( RES || IK || CK , "http-digest-akav2-password" ) = b11ff4fe419cdd5d3fae868a788d530f
- 41. 4-2 HTTP Digest calculation from HMAC-MD5 password generation
In AKAv2 the password is b11ff4fe419cdd5d3fae868a788d530f
For HTTP Digest in AKAv2, convert the password from hex to base64:
Base64(b11ff4fe419cdd5d3fae868a788d530f) = sR/0/kGc3V0/roaKeI1TDw==
A1 = 311480000832290@vzims.com:vzims.com:sR/0/kGc3V0/roaKeI1TDw==
Compute the MD5 of A1:
MD5(A1) = 56f3f5e3296c3a313ac900eef63a6d97
A2 = REGISTER:sip:vzims.com
- 42. 42
Compute the MD5 of A2:
MD5(A2) = 4f9c96eef99b18cdc160734cc7b0d664
Now take the remaining values from the WWW-Authenticate and (about to be sent) Authorization: headers:
nonce = glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA==
nc = 00000001
cnonce = MJIwMDA0
qop = auth
MD5(MD5(A1):nonce:nc:cnonce:auth:MD5(A2))
MD5(56f3f5e3296c3a313ac900eef63a6d97:glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA==:00000001:MjIwMDA0:auth:4f9c96eef99b18cdc160734cc7b0d664)
- 43. 43
MD5(MD5(A1):nonce:nc:cnonce:auth:MD5(A2)) = aaed79818a9e0ce70bac6c5b5834d1a7
Response = aaed79818a9e0ce70bac6c5b5834d1a7
REGISTER sip:vzims.com SIP/2.0
From: <sip:+14438055906@vzims.com>;tag=LGIMS_17458000-2228227
To: <sip:+14438055906@vzims.com>
…
Authorization: Digest
username="311480000832290@vzims.com"
realm="vzims.com"
nonce="glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA=="
uri="sip:vzims.com"
response="aaed79818a9e0ce70bac6c5b5834d1a7"
algorithm=AKAv2-MD5
cnonce=""
qop=auth
nc=000000001
...
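The HMAC-MD5 and HTTP Digest steps from the preceding slides, as an added Python example (not code from the white paper). It writes HMAC out with the slide letters D, E, G, H and I, derives the AKAv2 password with the standard library, and builds the digest response; the function names are illustrative, the cnonce is the one that appears in the slide's calculation line, and response_matches is an assumed registrar-side check.

```python
import base64
import hashlib
import hmac

LABEL = b"http-digest-akav2-password"  # Part B on the slides
# Values quoted on the slides
RES = bytes.fromhex("09c96fcb")
IK = bytes.fromhex("01bcc42bd27cfe2ceea34d66f35fc129")
CK = bytes.fromhex("82cb63773e19bc44dc02c8ca64681464")
NONCE = "glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA=="


def hmac_md5_steps(key: bytes, msg: bytes) -> dict:
    """HMAC-MD5 written out with the slide letters D, E, G, H, I."""
    if len(key) > 64:                   # RFC 2104: over-long keys are hashed first
        key = hashlib.md5(key).digest()
    d = key.ljust(64, b"\x00")          # D: key zero-padded to the MD5 block size
    e = bytes(b ^ 0x36 for b in d)      # E: inner pad
    g = hashlib.md5(e + msg).digest()   # G = MD5(E || F)
    h = bytes(b ^ 0x5C for b in d)      # H: outer pad
    i = hashlib.md5(h + g).digest()     # I = MD5(H || G)
    return {"D": d, "E": e, "G": g, "H": h, "I": i}


def akav2_password(res: bytes, ik: bytes, ck: bytes) -> str:
    """Password as the slides use it: base64 of HMAC-MD5(RES||IK||CK, label)."""
    mac = hmac.new(res + ik + ck, LABEL, hashlib.md5).digest()
    return base64.b64encode(mac).decode("ascii")


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(MD5(A1):nonce:nc:cnonce:qop:MD5(A2))."""
    def hexmd5(text: str) -> str:
        return hashlib.md5(text.encode("ascii")).hexdigest()
    ha1 = hexmd5(f"{user}:{realm}:{password}")
    ha2 = hexmd5(f"{method}:{uri}")
    return hexmd5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def response_matches(expected: str, received: str) -> bool:
    """Registrar-side check: constant-time compare, empty response= is rejected."""
    return bool(received) and hmac.compare_digest(expected.lower(), received.lower())


def page_example() -> dict:
    password = akav2_password(RES, IK, CK)
    response = digest_response("311480000832290@vzims.com", "vzims.com", password,
                               "REGISTER", "sip:vzims.com", NONCE,
                               "00000001", "MjIwMDA0")
    return {"password": password, "response": response}


if __name__ == "__main__":
    steps = hmac_md5_steps(RES + IK + CK, LABEL)
    for name in "EGHI":
        print(name, "=", steps[name].hex())
    print(page_example())
```

Running the block prints E, G, H and I for comparison with the slide values, followed by the derived password and response.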
- 45. 45
5- Overview
The shared secret (K) is created and assigned to a SIM and the AuC.
The AuC produces an Authentication Vector (AV) based on K and a Sequence Number (SQN). The AV
contains a random number challenge (RAND), Network Authentication Token (AUTN), an expected result
password (XRES), and cryptographic keys for integrity checking (IK) and encryption (CK).
In response to a client (UE) registration request, the server (CSCF) creates an authentication challenge
containing the RAND and AUTN parameters. The challenge is delivered to the client.
The client presents the challenge to the SIM which verifies the AUTN. If the verification is successful, the
network has been authenticated. The SIM creates the password response (RES) and local versions of the
keys (IK, CK).
The client creates the response from these parameters and re-attempts the registration. The server
verifies the password for authentication of the UE to the network.
- 46. 46
6- Reference
VERIZON WIRELESS WHITE PAPER-IMS AKAv1 AKv2 implementation
It is accessible on SlideShare: https://www.slideshare.net/AlokPrasad5/ims-akav1-akv2-verizon