IMS Authentication according to AKAv1 and AKAv2
Mohammad Norouzzadegan
January 2020
Norozzudegan@gmail.com
IMS Authentication according to AKAv1 and AKAv2:
○ Introduction
• UE Authentication
○ In the SIM
• Creating a Shared Secret
• Other Contents of the SIM
○ IMS Registration
• How the HSS or AuC Creates the AV
○ In the UE
• Response Decoding and Verification of the Network
• HTTP Digest Calculation from the HMAC-MD5 Password Generation
○ Overview
○ Reference
1- Introduction
IMS specifies a set of connectivity and communications services based on a number of Internet Engineering
Task Force (IETF) protocols and standards, particularly the Session Initiation Protocol [RFC 3261].
The 3GPP IMS specifications, outlined in [3gppTS24.229], provide detailed requirements for implementations
that follow the standard. The current document focuses on one critical aspect of IMS: the implementation of the
mutual authentication of user equipment and network. IMS AKA is an application of HTTP Digest Authentication
[RFC2617] intended to overcome the weaknesses of the plain HTTP Digest procedure. Two variants have been defined:
AKAv1 with IPsec and AKAv2 with TLS. AKAv1 uses AKA techniques to create a secure connection and IPsec
[RFC4301] to ensure continued confidentiality and integrity. AKAv1 is subject to man-in-the-middle attacks if
not properly secured using IPsec. AKAv2 addresses this weakness by using stronger passwords and may employ
TLS to secure the channel.
1-1 UE Authentication
Mutual authentication is performed when a User Equipment (UE) registers for service with the IMS. The UE has
established a radio connection with the Radio Access Network (RAN) and is permitted to pass traffic to the
network to obtain services. The UE sends a SIP registration request to a designated IMS Registrar (CSCF) to
begin the exchange. The CSCF and the UE exchange credentials derived from a predetermined shared secret.
The end result of the exchange is a one-time password that summarizes the shared knowledge. When there is
agreement, both ends use the derived parameters to create security associations that ensure the integrity and
confidentiality of subsequent communication.
[Figure: the process of SIM creation and distribution of authentication credentials.]
2- In the SIM:
○ Creating a Shared Secret
○ Other Contents of the SIM
2-1 Creating a Shared Secret
The shared secret (K) is created when a SIM (UICC) is manufactured. The secret is embedded in the SIM and is
not visible to any device into which the SIM could be inserted. The secret is also distributed to the
authentication center managed by the Home Subscriber Server (HSS) located in the core network. The
secret is never directly exposed, but is used to create credentials which are then exchanged and compared
using authentication and key agreement (AKA) protocols.
[Figure: K is held both in the SIM and in the HSS or AuC (Authentication Center).]
2-2 Other Contents of the SIM
The essential data contents (for this discussion) of a SIM are a 4-tuple of unique values: the ICCID (Integrated
Circuit Card IDentifier), IMSI (International Mobile Subscriber Identity), SQN (a sequence number), and K (the
secret). The SIM also embeds a set of message authentication and key generating algorithms f1, f2, f3, f4 and f5;
these are the same as the corresponding functions at the AuC.
3- IMS Registration:
IMS follows the familiar SIP challenge-response message exchange with the inclusion of the IMS AKA Digest
method. The figure below is a message timeline indicating the order and important contents of the registration
request-response sequence.
[Figure: message timeline of the registration request-response sequence between the UE, the P/I/S-CSCF and the HSS or AuC; its steps (1) to (5) are shown one by one below.]
The UE sends an initial SIP REGISTER request that includes its IMSI and waits for the challenge to be offered by
the Registrar (CSCF). The initial registration request includes an Authorization: header containing username,
realm, and domain uri parameters.
REGISTER sip:vzims.com SIP/2.0
From: <sip:+14438055906@vzims.com>;tag=LGIMS_17458000-2228227
To: <sip:+14438055906@vzims.com>
…
CSeq: 1 REGISTER
Authorization: Digest
username="311480000832290@vzims.com"
realm="vzims.com"
uri="sip:vzims.com"
Content-Length: 0
[Figure: step (1), the UE sends the initial REGISTER shown above to the P/I/S-CSCF.]
The CSCF creates a request for the HSS Cx interface (Diameter) for one or more authentication vectors (AV) using the
identifying keys supplied on the registration request. The AV contains the challenge values.
[Figure: step (2), the P/I/S-CSCF sends a Cx (Diameter) request for authentication vectors to the HSS or AuC.]
Each AV is an n-tuple that describes the authentication process and consists of the following fields:
• Scheme – TLS-Digest-AKAv2 or IPsec-Digest-AKAv1 (coded in the AMF?)
• XRES – the expected response to the challenge
• RAND – a random number challenge value
• AUTN – Network Authentication Token
• IK – integrity key used to protect subsequent signaling
• CK – cipher key used to protect subsequent signaling
[Figure: step (3), the HSS or AuC returns Response(vector [<=m]), the authentication vectors, to the P/I/S-CSCF.]
The CSCF creates a response for the UE using the RAND and AUTN parameters from the AV. The response,
coded according to [RFC2617] and [RFC3310], will consist of nonce, algorithm, and qop parameters bundled
into a WWW-Authenticate: header. A 401 Unauthorized status containing the challenge is returned to the
client.
[Figure: step (4), the P/I/S-CSCF sends 401 Unauthorized (nonce, algorithm, qop) to the UE, where
nonce = RAND || AUTN || server data
algorithm = AKAv1-MD5 or AKAv2-MD5
qop = auth]
Packet received by the UE:
SIP/2.0 401 Unauthorized
…
CSeq: 1 REGISTER
WWW-Authenticate: Digest
realm="vzims.com"
nonce="glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA=="
algorithm=AKAv2-MD5
qop="auth"
Content-Length: 0
3-1 How the HSS or AuC Creates the AV
The AuC uses the permanent subscriber identity (IMSI) to identify the client; it is supplied to the CSCF in the request
username= parameter. The AuC manages the shared secret, K, and sequence number, SQN, on behalf of each
client. When the AuC receives a request for a new AV it starts by generating a fresh sequence number SQN and
a random, unpredictable challenge RAND ①. The values for MAC, XRES, CK, IK, and AK are computed and an
AUTN is constructed ②. The resulting values are bundled together into an AV and returned to the calling CSCF
③. The CSCF assembles a nonce from the RAND and AUTN parameters for delivery to the client ④. It saves
the CK, IK, and XRES parameters to verify the client response and create any necessary security associations.
4- In the UE:
○ Response Decoding and Verification of the Network
4-1 Response Decoding and Verification of the Network
The UE receives and decodes the nonce value into a string of 320 bits. The UE extracts the RAND and AUTN
values to send to the SIM using the AUTHENTICATE (RAND, AUTN) command [3gppTS31.102]. Each of the RAND
and AUTN parameters is 128 bits (16 bytes) in length. There may be some server-specific bytes appended to
the end (64 bits), unused at this point. The SIM will calculate the password response (RES), the security keys (IK and
CK), the expected sequence number (SQN), and a message authentication code (XMAC).
nonce="glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA=="
Base64 decode to hex (40 bytes):
RAND (16 bytes): 825b14b0500b3320a77980ab99e6c8d0
AUTN (16 bytes): ecacee3e761b0000bf78b29c86e4cb99
Server-specific, unused (8 bytes): 3338313832663200
AUTN is itself SQN ⊕ AK || AMF || MAC:
SQN ⊕ AK (6 bytes): ecacee3e761b
AMF (2 bytes): 0000
MAC (8 bytes): bf78b29c86e4cb99
[Figure: K is embedded in the SIM. f5(K, RAND) produces AK, which is XORed with SQN ⊕ AK to recover SQN; f1, f2, f3 and f4 then produce XMAC, RES, CK and IK.]
Test: (xmac == mac) && (SQN in range sim(SQN))
If (xmac == mac) && (SQN in range sim(SQN)): the network is authenticated to the UE.
If xmac != mac: the client and the CSCF do not have the same shared secret. No auts= is sent, and the final
response= value is empty.
If SQN is not in range sim(SQN): the SIM returns a (re-)synchronization token (AUTS) to be sent to the CSCF in
the challenge response. The AUTS is coded to inform the CSCF that the sequence numbers are out of sync and
a resynchronization process needs to be performed.
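The AV generation at the AuC (section 3-1) and the SIM-side AUTHENTICATE check with its three outcomes, as an added Python example that is not part of the original slides or of the Verizon white paper. Because the page does not say which f1..f5 algorithms the SIM and AuC implement, they are modelled here as truncated HMAC-SHA256 under K (an assumption, not MILENAGE); the SQN window rule and the AUTS construction are likewise simplified, and the slide's nonce is used only to show the decoding step.

```python
import base64
import hashlib
import hmac
import os

# Constructed for this example: the page does not say which f1..f5 the SIM and AuC
# implement (real USIMs use MILENAGE or TUAK), so each function is modelled as a
# truncated HMAC-SHA256 under K with its own domain tag. Output sizes follow the
# page: MAC 8 bytes, RES 4 bytes, CK and IK 16 bytes, AK 6 bytes.
def _f(k: bytes, tag: bytes, *parts: bytes) -> bytes:
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()

def f1(k, rand, sqn, amf):      return _f(k, b"f1", rand, sqn, amf)[:8]    # MAC-A
def f1_star(k, rand, sqn, amf): return _f(k, b"f1*", rand, sqn, amf)[:8]   # MAC-S (resync)
def f2(k, rand):                return _f(k, b"f2", rand)[:4]              # RES / XRES
def f3(k, rand):                return _f(k, b"f3", rand)[:16]             # CK
def f4(k, rand):                return _f(k, b"f4", rand)[:16]             # IK
def f5(k, rand):                return _f(k, b"f5", rand)[:6]              # AK
def f5_star(k, rand):           return _f(k, b"f5*", rand)[:6]             # AK* (resync)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

AMF = b"\x00\x00"  # Authentication Management Field, 0000 in the slide's AUTN

def auc_generate_av(k: bytes, sqn: int, rand: bytes = b"") -> dict:
    """AuC, steps 1-3 of section 3-1: fresh RAND, then MAC, XRES, CK, IK, AK and AUTN."""
    rand = rand or os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = f1(k, rand, sqn_b, AMF)
    ak = f5(k, rand)
    autn = xor(sqn_b, ak) + AMF + mac          # AUTN = SQN xor AK || AMF || MAC
    return {"RAND": rand, "AUTN": autn, "XRES": f2(k, rand),
            "CK": f3(k, rand), "IK": f4(k, rand)}

def cscf_build_nonce(av: dict, server_data: bytes = b"") -> str:
    """CSCF, step 4: nonce = base64(RAND || AUTN || server-specific data)."""
    return base64.b64encode(av["RAND"] + av["AUTN"] + server_data).decode()

def ue_parse_nonce(nonce: str) -> tuple:
    """UE: split the decoded nonce into RAND (16), AUTN (16) and whatever follows."""
    raw = base64.b64decode(nonce)
    if len(raw) < 32:
        raise ValueError("nonce shorter than RAND || AUTN")
    return raw[:16], raw[16:32], raw[32:]

def split_autn(autn: bytes) -> tuple:
    """AUTN layout: SQN xor AK (6 bytes) || AMF (2 bytes) || MAC (8 bytes)."""
    return autn[:6], autn[6:8], autn[8:16]

class Sim:
    """Models the USIM AUTHENTICATE(RAND, AUTN) command and its three outcomes."""

    def __init__(self, k: bytes, sqn_ms: int, window: int = 32):
        self.k, self.sqn_ms, self.window = k, sqn_ms, window

    def _sqn_in_range(self, sqn: int) -> bool:
        # Simplified freshness rule (an assumption; TS 33.102 keeps an array of
        # counters): SQN must exceed the last accepted value by 1..window.
        return self.sqn_ms < sqn <= self.sqn_ms + self.window

    def authenticate(self, rand: bytes, autn: bytes) -> dict:
        sqn_ak, amf, mac = split_autn(autn)
        ak = f5(self.k, rand)
        sqn_b = xor(sqn_ak, ak)                 # recover SQN from SQN xor AK
        xmac = f1(self.k, rand, sqn_b, amf)
        if not hmac.compare_digest(xmac, mac):
            # Different K on the two sides: no AUTS, and the UE's response= stays empty.
            return {"status": "mac_failure"}
        sqn = int.from_bytes(sqn_b, "big")
        if not self._sqn_in_range(sqn):
            # Out-of-range SQN: AUTS = SQN_MS xor AK* || MAC-S (AMF* simplified to AMF).
            sqn_ms_b = self.sqn_ms.to_bytes(6, "big")
            auts = xor(sqn_ms_b, f5_star(self.k, rand)) + f1_star(self.k, rand, sqn_ms_b, AMF)
            return {"status": "sync_failure", "AUTS": auts}
        self.sqn_ms = sqn                       # accept and advance the counter
        return {"status": "ok", "RES": f2(self.k, rand),
                "CK": f3(self.k, rand), "IK": f4(self.k, rand)}

def cscf_verify(av: dict, res: bytes) -> bool:
    """CSCF compares the UE's RES with the XRES it saved from the AV."""
    return hmac.compare_digest(av["XRES"], res)

# The slide's nonce, used only to show the decoding into RAND, AUTN and server data.
SLIDE_NONCE = "glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA=="

if __name__ == "__main__":
    k = bytes(range(16))                        # constructed K shared by SIM and AuC
    sim = Sim(k, sqn_ms=5)
    av = auc_generate_av(k, sqn=6)
    # b"38182f2\x00" is the slide's server-specific tail 3338313832663200 as bytes
    rand, autn, extra = ue_parse_nonce(cscf_build_nonce(av, b"38182f2\x00"))
    print(sim.authenticate(rand, autn)["status"])                    # ok
    print(sim.authenticate(rand, autn)["status"])                    # sync_failure (replayed AV)
    print(Sim(b"\xff" * 16, 5).authenticate(rand, autn)["status"])   # mac_failure (different K)
    for name, part in zip(("RAND", "AUTN", "server data"), ue_parse_nonce(SLIDE_NONCE)):
        print(name, part.hex())
```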
Let's go to the next step: we now have RES, CK and IK.
There are two algorithms for authentication, AKAv1 and AKAv2, and both use RES, IK and CK:
• In AKAv1, RES is the password, and IK and CK are used for IPsec.
• In AKAv2, the password must be calculated with an HMAC:
HMAC( RES || IK || CK , "http-digest-akav2-password" )
Part A (the HMAC key) is RES || IK || CK; Part B (the HMAC message) is the string "http-digest-akav2-password".
For example:
RES = 09c96fcb
IK = 01bcc42bd27cfe2ceea34d66f35fc129
CK = 82cb63773e19bc44dc02c8ca64681464
HMAC( 09c96fcb 01bcc42bd27cfe2ceea34d66f35fc129 82cb63773e19bc44dc02c8ca64681464 , "http-digest-akav2-password" )
Step by step (HMAC-MD5, which works on 64-byte blocks):
C = RES || IK || CK = 09c96fcb01bcc42bd27cfe2ceea34d66f35fc12982cb63773e19bc44dc02c8ca64681464 (36 bytes)
D = C || (0x00 * 28) = 09c96fcb01bcc42bd27cfe2ceea34d66f35fc12982cb63773e19bc44dc02c8ca6468146400000000000000000000000000000000000000000000000000000000 (64 bytes)
E = D ⊕ 0x36 for every byte = 3fff59fd378af21d e44ac81ad8957b50 c569f71fb4fd5541 082f8a72ea34fefc 525e225236363636 3636363636363636 3636363636363636 3636363636363636
F = Part B converted from string to hex = 687474702d6469676573742d616b6176322d70617373776f7264
G = MD5(E || F) = f4e838c0595529b7c34ece17baa41145
H = D ⊕ 0x5C for every byte = 559533975de09877 8e20a270b2ff113a af039d75de973f2b 6245e018805e9496 383448385c5c5c5c 5c5c5c5c5c5c5c5c 5c5c5c5c5c5c5c5c 5c5c5c5c5c5c5c5c
I = MD5(H || G) = b11ff4fe419cdd5d3fae868a788d530f
So in AKAv2, HMAC( RES || IK || CK , "http-digest-akav2-password" ) = b11ff4fe419cdd5d3fae868a788d530f.
In AKAv1 the password is RES = 09c96fcb, and IK and CK are used for IPsec.
In AKAv2 the password is HMAC( RES || IK || CK , "http-digest-akav2-password" ) = b11ff4fe419cdd5d3fae868a788d530f.
4-2 HTTP Digest Calculation from the HMAC-MD5 Password Generation
In AKAv2 the password is b11ff4fe419cdd5d3fae868a788d530f.
For HTTP Digest in AKAv2, convert the password from hex to base64:
Base64(b11ff4fe419cdd5d3fae868a788d530f) = sR/0/kGc3V0/roaKeI1TDw==
A1 = 311480000832290@vzims.com:vzims.com:sR/0/kGc3V0/roaKeI1TDw==
MD5(A1) = 56f3f5e3296c3a313ac900eef63a6d97
A2 = REGISTER:sip:vzims.com
MD5(A2) = 4f9c96eef99b18cdc160734cc7b0d664
Now take the remaining inputs from the WWW-Authenticate: header and the (about to be sent) Authorization: header:
nonce = glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA==
nc = 00000001
cnonce = MjIwMDA0
qop = auth
Response = MD5(MD5(A1):nonce:nc:cnonce:qop:MD5(A2))
= MD5(56f3f5e3296c3a313ac900eef63a6d97:glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA==:00000001:MjIwMDA0:auth:4f9c96eef99b18cdc160734cc7b0d664)
= aaed79818a9e0ce70bac6c5b5834d1a7
REGISTER sip:vzims.com SIP/2.0
From: <sip:+14438055906@vzims.com>;tag=LGIMS_17458000-2228227
To: <sip:+14438055906@vzims.com>
…
Authorization: Digest
username="311480000832290@vzims.com"
realm="vzims.com"
nonce="glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA=="
uri="sip:vzims.com"
response="aaed79818a9e0ce70bac6c5b5834d1a7"
algorithm=AKAv2-MD5
cnonce="MjIwMDA0"
qop=auth
nc=00000001
...
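The AKAv2 password derivation of the previous section and the Digest response calculation of section 4-2, as an added Python example that is not the slides' or the white paper's own code. It spells out HMAC-MD5 exactly as steps C to I do, cross-checks that against the standard library, and feeds the slide's RES, IK, CK, nonce, nc and cnonce through the RFC 2617 response formula; the 36-byte key is shorter than one MD5 block, so it is zero-padded just as D is.

```python
import base64
import hashlib
import hmac

BLOCK = 64  # MD5 block size in bytes; the slide's step D pads the key to this length

def hmac_md5_by_hand(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 written out as the slide's steps C..I (the RFC 2104 construction)."""
    if len(key) > BLOCK:                       # not the case for RES||IK||CK (36 bytes)
        key = hashlib.md5(key).digest()
    d = key + b"\x00" * (BLOCK - len(key))     # D: key zero-padded to 64 bytes
    e = bytes(b ^ 0x36 for b in d)             # E: every byte of D xor 0x36 (ipad)
    g = hashlib.md5(e + msg).digest()          # G: MD5(E || F), F being the message
    h = bytes(b ^ 0x5C for b in d)             # H: every byte of D xor 0x5C (opad)
    return hashlib.md5(h + g).digest()         # I: MD5(H || G)

def hmac_md5_stdlib(key: bytes, msg: bytes) -> bytes:
    """Reference value from the standard library, for cross-checking the manual steps."""
    return hmac.new(key, msg, hashlib.md5).digest()

def hex_to_b64(hex_value: str) -> str:
    """The slide's 'convert password hex to base64' step."""
    return base64.b64encode(bytes.fromhex(hex_value)).decode()

def akav1_password(res: bytes) -> str:
    # AKAv1: RES is the password (shown in hex on the slide; RFC 3310 feeds the raw bytes).
    return res.hex()

def akav2_password(res: bytes, ik: bytes, ck: bytes) -> str:
    """AKAv2: HMAC-MD5(key = RES||IK||CK, message = "http-digest-akav2-password"), base64 encoded."""
    mac = hmac_md5_by_hand(res + ik + ck, b"http-digest-akav2-password")
    return hex_to_b64(mac.hex())

def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 qop=auth: MD5(MD5(A1):nonce:nc:cnonce:qop:MD5(A2))."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{username}:{realm}:{password}")          # A1 = username:realm:password
    ha2 = md5(f"{method}:{uri}")                          # A2 = method:uri
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

# Values as given on the slides
RES = bytes.fromhex("09c96fcb")
IK = bytes.fromhex("01bcc42bd27cfe2ceea34d66f35fc129")
CK = bytes.fromhex("82cb63773e19bc44dc02c8ca64681464")
NONCE = "glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA=="

def slide_authorization() -> tuple:
    """Password and response= value for the slide's AKAv2-MD5 REGISTER."""
    password = akav2_password(RES, IK, CK)
    response = digest_response("311480000832290@vzims.com", "vzims.com", password,
                               "REGISTER", "sip:vzims.com", NONCE, "00000001", "MjIwMDA0")
    return password, response

if __name__ == "__main__":
    pw, resp = slide_authorization()
    print("AKAv2 password (base64):", pw)   # compare with the slide's sR/0/kGc3V0/roaKeI1TDw==
    print("response=", resp)                 # compare with the slide's response= value
```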
[Figure: step (5), the UE sends the REGISTER with the completed Authorization: header shown above to the P/I/S-CSCF.]
5- Overview
The shared secret (K) is created and assigned to a SIM and the AuC.
The AuC produces an Authentication Vector (AV) based on K and a Sequence Number (SQN). The AV
contains a random number challenge (RAND), Network Authentication Token (AUTN), an expected result
password (XRES), and cryptographic keys for integrity checking (IK) and encryption (CK).
In response to a client (UE) registration request, the server (CSCF) creates an authentication challenge
containing the RAND and AUTN parameters. The challenge is delivered to the client.
The client presents the challenge to the SIM which verifies the AUTN. If the verification is successful, the
network has been authenticated. The SIM creates the password response (RES) and local versions of the
keys (IK, CK).
The client creates the response from these parameters and re-attempts the registration. The server
verifies the password for authentication of the UE to the network.
6- Reference
VERIZON WIRELESS WHITE PAPER: IMS AKAv1 AKAv2 implementation
It is accessible on SlideShare: https://www.slideshare.net/AlokPrasad5/ims-akav1-akv2-verizon
Thank You
Norozzudegan@gmail.com
https://www.linkedin.com/in/norouzzadegan

More Related Content

IMS Authentication with AKAv1 and AKAv2

  • 1. IMS Authentication accordingto AKAv1AKAv2 Mohammad Norouzzadegan January 2020 Norozzudegan@gmail.com
  • 2. IMS Authentication according to AKAv1 AKAv2: ��� Introduction • UE Authenticate ○ In Sim • Creating a Shared Secret • Other Thing in Sim ○ IMS Registration • How HSS or AuC create AV ○ IN UE • Response Decoding and Verification of the Network • HTTP Digest calculation from HMAC-MD5 password generation ○ Overview ○ Reference 2
  • 3. 1- Introduction 3 IMS specifies a set of connectivity and communications services based on a number of Internet Engineering Task Force (IETF) protocols and standards, particularly Session Initiation Protocol [RFC 3261]. The 3gpp IMS specifications, outlined in [3gppTS24.229], provide detailed requirements for implementations that follow the standard. The current document focuses on one critical aspect of IMS, implementation of the mutual authentication of user equipment and network. IMS AKA is an application of HTTP Digest Authentication [RFC2617] intended to overcome the weaknesses in the HTTP procedure. Two variants have been defined: AKAv1 with IPsec and AKAv2 with TLS. AKAv1 uses AKA techniques to create a secure connection and IPsec [RFC4301] to ensure continued confidentiality and integrity. AKAv1 is subject to man-in-the-middle attacks if not properly secured using IPsec. AKAv2 addresses this weakness by using stronger passwords and may employ TLS to secure the channel.
  • 4. 1-1 UE Authenticate 4 Mutual authentication is performed when a User Equipment (UE) registers for service with the IMS. The UE has established radio connection with the Radio Access Network (RAN) and is permitted to pass traffic to the network to obtain services. The UE sends a SIP registration request to a designated IMS Registrar (CSCF) to begin the exchange. The CSCF and the UE exchange credentials derived from a predetermined shared secret. The end result of the exchange is a one-time password that summarizes the shared knowledge. When there is agreement both ends use the derived parameters to create security associations to ensure integrity and confidentiality of subsequent communication.
  • 5. Illustrates the process of SIM creation and distribution of authentication credentials 5
  • 6. 2- In Sim: ○ Creating a Shared Secret ○ Other Thing in Sim 6
  • 7. 2-1 Creating a Shared Secret 7 The shared secret (K) is created when a SIM (UICC) is manufactured. The secret is embedded in the SIM and is not visible to any device into which the SIM could be inserted. The secret is also distributed to the authentication center managed by the Home Subscription Server (HSS) located in the core 5 network. The secret is never directly exposed, but is used to create credentials which are then exchanged and compared using authentication and key agreement (AKA) protocols. IN and HSS or AuC(Authentication center)
  • 8. 2-2 Other Thing in Sim 8 The essential data contents (for this discussion) of a SIM are a 4-tuple of unique values: the ICCID – Integrated Circuit Card IDentifier, IMSI – International Mobile Subscriber Identity, SQN – a sequence number, and K – the secret. Also, there is a set of message authentication and key generating algorithms f1, f2, f3, f4, and f5 embedded in the SIM and are the same as the corresponding functions at the AuC.
  • 9. 3- IMS Registration: 9 IMS follows the familiar SIP challenge-response message exchange with inclusion of the IMS AKA Digest method. Next slide figure is a message timeline indicating the order and important contents of the registration request-response sequence.
  • 10. 3- IMS Registration: 10 IMS follows the familiar SIP challenge-response message exchange with inclusion of the IMS AKA Digest method. Figure below is a message timeline indicating the order and important contents of the registration request-response sequence.
  • 11. 11 The UE sends an initial SIP REGISTER request that includes its IMSI and waits for the challenge to be offered by the Registrar (CSCF). The initial registration request includes an Authorization: header containing username, realm, and domain uri parameters. REGISTER sip:vzims.com SIP/2.0 From: <sip:+14438055906@vzims.com>;tag=LGIMS_17458000-2228227 To: <sip:+14438055906@vzims.com> … CSeq: 1 REGISTER Authorization: Digest username="311480000832290@vzims.com" realm="vzims.com" uri="sip:vzims.com" Content-Length: 0
  • 12. 12 The UE sends an initial SIP REGISTER request that includes its IMSI and waits for the challenge to be offered by the Registrar (CSCF). The initial registration request includes an Authorization: header containing username, realm, and domain uri parameters. UE (1) HSS or Auc P/I/C cscf REGISTER sip:vzims.com SIP/2.0 From: <sip:+14438055906@vzims.com>;tag=LGIMS_17458000-2228227 To: <sip:+14438055906@vzims.com> CSeq: 1 REGISTER Authorization: Digest username="311480000832290@vzims.com" realm="vzims.com" uri="sip:vzims.com" Content-Length: 0 REGISTER sip:vzims.com SIP/2.0 From: <sip:+14438055906@vzims.com>;tag=LGIMS_17458000-2228227 To: <sip:+14438055906@vzims.com> … CSeq: 1 REGISTER Authorization: Digest username="311480000832290@vzims.com" realm="vzims.com" uri="sip:vzims.com" Content-Length: 0
  • 13. 13 The CSCF creates a request for the HSS Cx interface (Diameter) for one or more authentication vectors (AV) using the identifying keys supplied on the registration request. The AV contains the challenge values. REGISTER sip:vzims.com SIP/2.0 From: <sip:+14438055906@vzims.com>;tag=LGIMS_17458000-2228227 To: <sip:+14438055906@vzims.com> … CSeq: 1 REGISTER Authorization: Digest username="311480000832290@vzims.com" realm="vzims.com" uri="sip:vzims.com" Content-Length: 0 UE HSS or Auc (2)
  • 14. 14 Each AV is an n-tuple that describes the authentication process and consists of the following fields: UE HSS or Auc (3) P/I/C cscf Response(vector [<=m]) Authentication Vectors : Scheme – TLS-Digest-AKAv2 or IPsec-Digest-AKAv1 XRES – this is the expected response to the challenge. RAND – a random number challengevalue AUTN – Network Authentication Token IK – Integrity key used to protect subsequent signaling CK – cipherkey used to protect subsequent signaling • Scheme – TLS-Digest-AKAv2 or IPsec-Digest-AKAv1 (Coded in the AMF?) • XRES – this is the expected response to the challenge. • RAND – a random number challenge value • AUTN – Network Authentication Token • IK – Integrity key used to protect subsequent signaling • CK – cipher key used to protect subsequent signaling
  • 15. 15 The CSCF creates a response for the UE using the RAND and AUTN parameters from the AV. The response, coded according to [RFC2617] and [RFC3310], will consist of nonce, algorithm, and qop parameters bundled into a WWW-Authenticate: header. A 401 Unauthorized status containing the challenge is returned to the client. UE HSS or Auc P/I/C cscf 401 Unauthorized(nonce,algorithm,qop) nonce = RAND || AUTN || Server data algoritm = AKAv1-MD5 or AKAv2-MD5 qop = auth (4) SIP/2.0 401 Unauthorized … CSeq: 1 REGISTER WWW-Authenticate: Digest realm="vzims.com" nonce="glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA==" algorithm=AKAv2-MD5 qop="auth" Content-Length: 0 Packet received by UE:
  • 16. 3-1 How HSS or AuC create AV : 16 The AuC uses the permanent subscriber identity (IMSI) to identify the client, supplied to the CSCF in the request username= parameter. The AuC manages the shared secret, K, and sequence number, SQN on behalf of each client. When the AuC receives a request for a new AV it starts by generating a fresh sequence number SQN and a random, unpredictable challenge RAND ①. The values for MAC, XRES, CK, IK, and AK are computed and an AUTN is constructed ②. The resulting values are bundled together into an AV and returned to the calling CSCF ③. The CSCF will assemble a nonce from the RAND and AUTN parameters for delivery to the client ④. It saves the CK, IK, and XRES parameters to verify the client response and create any necessary security associations.
  • 17. 3-1 How HSS or AuC create AV : 17 The AuC uses the permanent subscriber identity (IMSI) to identify the client, supplied to the CSCF in the request username= parameter. The AuC manages the shared secret, K, and sequence number, SQN on behalf of each client. When the AuC receives a request for a new AV it starts by generating a fresh sequence number SQN and a random, unpredictable challenge RAND ①. The values for MAC, XRES, CK, IK, and AK are computed and an AUTN is constructed ②. The resulting values are bundled together into an AV and returned to the calling CSCF ③. The CSCF will assemble a nonce from the RAND and AUTN parameters for delivery to the client ④. It saves the CK, IK, and XRES parameters to verify the client response and create any necessary security associations.
  • 18. 4- IN UE: ○ Response Decoding and Verification of the Network 18
  • 19. 4-1 Response Decoding and Verification of the Network 19 The UE receives and decodes the nonce value into a string of 320bits. The UE extracts the RAND and AUTN values to send to the SIM using the AUTHENTICATE (RAND, AUTN) command [3gppTS31.102]. Each of the RAND and AUTN parameters are 128bits (16bytes) in length. There may be some server-specific bytes appended to the end (64bits) (unused at this point). The SIM will calculate the password response (RES), security keys (IK & CK), the expected sequence number (SQN), and a message authentication code (XMAC). nonce="glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA==" Base64 decode to Hex 825b14b0500b3320a77980ab99e6c8d0 ecacee3e761b0000bf78b29c86e4cb 99 3338313832663200 RAND (16byte) AUTN (16byte) Server-specific unused (8byte) (40 Byte)
  • 20. 20 nonce="glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA==" Base64 decode to Hex 825b14b0500b3320a77980ab99e6c8d0 ecacee3e761b0000bf78b29c86e4cb99 3338313832663200 RAND AUTN Server-specific unused 40 Byte f5 AK MACAMFSQN ꚛ AK bf78b29c86e4cb990000ecacee3e761b ꚛ SQN K is embedded in SIM f1 f2 f3 f4
• 21-25. f1 gives XMAC, f2 gives RES, f3 gives CK and f4 gives IK. The SIM then tests ((xmac == mac) && (SQN in range sim(SQN))). If both conditions hold, the network is authenticated to the UE. If xmac != mac, the client and the CSCF do not have the same shared secret; no auts= is sent, and the final response= value is empty. If SQN is not in range sim(SQN), the SIM returns a (re-)synchronisation token (AUTS) to be sent to the CSCF in the challenge response; AUTS is coded to tell the CSCF that the sequence numbers are out of sync and a resynchronisation process needs to be performed. Next step: we now have RES, CK and IK.
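The nonce decoding and the SIM-side verdict of slides 19-25, as an added Python example that is not part of the deck: it parses the deck's sample nonce and AUTN, and takes the SIM outputs (XMAC, SQN) as inputs because f1-f5 and K live only inside the SIM. The SQN window check is an assumed simplification, not the SIM's actual sequence-number policy.

```python
import base64
import hmac

# Constructed from the nonce shown on slide 19 (the deck's sample value).
NONCE_B64 = "glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA=="


def split_nonce(nonce_b64: str) -> dict:
    """Base64-decode the Digest-AKA nonce and cut out RAND, AUTN and server bytes."""
    raw = base64.b64decode(nonce_b64, validate=True)
    if len(raw) < 32:
        raise ValueError("nonce must carry at least RAND (16) and AUTN (16) bytes")
    return {
        "rand": raw[:16].hex(),
        "autn": raw[16:32].hex(),
        "server_specific": raw[32:].hex(),  # unused by the UE at this point
    }


def split_autn(autn_hex: str) -> dict:
    """AUTN = (SQN xor AK)[6 bytes] || AMF[2 bytes] || MAC[8 bytes]."""
    autn = bytes.fromhex(autn_hex)
    if len(autn) != 16:
        raise ValueError("AUTN must be 16 bytes")
    return {"sqn_xor_ak": autn[:6].hex(), "amf": autn[6:8].hex(), "mac": autn[8:].hex()}


def recover_sqn(sqn_xor_ak_hex: str, ak_hex: str) -> str:
    """SQN = (SQN xor AK) xor AK; AK = f5(K, RAND) is computed inside the SIM."""
    a, k = bytes.fromhex(sqn_xor_ak_hex), bytes.fromhex(ak_hex)
    return bytes(x ^ y for x, y in zip(a, k)).hex()


def network_verdict(mac_hex: str, xmac_hex: str, sqn: int, sim_sqn: int, window: int) -> str:
    """Decision the slides describe once the SIM has produced XMAC (f1) and SQN.

    'ok'           network authenticated; UE continues with RES, CK, IK
    'mac-failure'  shared secret mismatch; no auts= is sent, response= is empty
    'sync-failure' SQN outside the SIM's window; SIM returns AUTS for resync
    (the window test is an assumed stand-in for the SIM's own SQN policy)
    """
    if not hmac.compare_digest(bytes.fromhex(mac_hex), bytes.fromhex(xmac_hex)):
        return "mac-failure"
    if not sim_sqn < sqn <= sim_sqn + window:
        return "sync-failure"
    return "ok"
```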
• 26-33. There are now two algorithms for authentication, AKAv1 and AKAv2, and both use RES, IK and CK. In AKAv1 RES is the password and IK and CK are used for IPsec. In AKAv2 the password must be calculated with an HMAC: HMAC(RES || IK || CK, "http-digest-akav2-password"), where RES || IK || CK is Part A (the key) and the fixed string is Part B (the message). For example: RES = 09c96fcb, IK = 01bcc42bd27cfe2ceea34d66f35fc129, CK = 82cb63773e19bc44dc02c8ca64681464. C = RES || IK || CK = 09c96fcb01bcc42bd27cfe2ceea34d66f35fc12982cb63773e19bc44dc02c8ca64681464. D = C || (0x00 * 28) = 09c96fcb01bcc42bd27cfe2ceea34d66f35fc12982cb63773e19bc44dc02c8ca6468146400000000000000000000000000000000000000000000000000000000 (the key padded to 64 bytes).
• 34-40. E = D with every byte XORed with 0x36 = 3fff59fd378af21d e44ac81ad8957b50 c569f71fb4fd5541 082f8a72ea34fefc 525e225236363636 3636363636363636 3636363636363636 3636363636363636. F = Part B converted to hex = 687474702d6469676573742d616b6176322d70617373776f7264. G = MD5(E || F) = f4e838c0595529b7c34ece17baa41145. H = D with every byte XORed with 0x5C = 559533975de09877 8e20a270b2ff113a af039d75de973f2b 6245e018805e9496 383448385c5c5c5c 5c5c5c5c5c5c5c5c 5c5c5c5c5c5c5c5c 5c5c5c5c5c5c5c5c. I = MD5(H || G) = b11ff4fe419cdd5d3fae868a788d530f, so in AKAv2 HMAC(RES || IK || CK, "http-digest-akav2-password") = b11ff4fe419cdd5d3fae868a788d530f. To summarise: in AKAv1 the password is RES = 09c96fcb and IK and CK are used for IPsec; in AKAv2 the password is HMAC(RES || IK || CK, "http-digest-akav2-password") = b11ff4fe419cdd5d3fae868a788d530f.
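The HMAC-MD5 expansion of slides 32-39 carried through in Python, as an added example that is not the deck's code: it reproduces labels D to I from the deck's sample RES, IK and CK and cross-checks the hand-built result against the standard library's hmac module.

```python
import hashlib
import hmac

# Sample values from slides 28-33 (RES, IK, CK as returned by the SIM).
RES = "09c96fcb"
IK = "01bcc42bd27cfe2ceea34d66f35fc129"
CK = "82cb63773e19bc44dc02c8ca64681464"
AKAV2_LABEL = b"http-digest-akav2-password"  # fixed message (Part B), RFC 4169

BLOCK = 64  # MD5 block size in bytes; the key is padded to this length


def akav2_key(res_hex: str, ik_hex: str, ck_hex: str) -> bytes:
    """Part A of the slides: the HMAC key is RES || IK || CK (36 bytes here)."""
    return bytes.fromhex(res_hex + ik_hex + ck_hex)


def hmac_md5_steps(key: bytes, msg: bytes) -> dict:
    """HMAC-MD5 expanded step by step, using the labels D..I from slides 33-39."""
    if len(key) > BLOCK:                       # RFC 2104: hash an oversized key first
        key = hashlib.md5(key).digest()
    d = key + b"\x00" * (BLOCK - len(key))     # D: key padded with zero bytes
    e = bytes(b ^ 0x36 for b in d)             # E: every byte XOR 0x36 (ipad)
    g = hashlib.md5(e + msg).digest()          # G: MD5(E || F), F = message bytes
    h = bytes(b ^ 0x5C for b in d)             # H: every byte XOR 0x5C (opad)
    i = hashlib.md5(h + g).digest()            # I: MD5(H || G) = HMAC-MD5 output
    return {"D": d.hex(), "E": e.hex(), "F": msg.hex(),
            "G": g.hex(), "H": h.hex(), "I": i.hex()}


def akav2_password_by_hand(res_hex: str, ik_hex: str, ck_hex: str) -> str:
    """AKAv2 password (hex) via the manual expansion above."""
    return hmac_md5_steps(akav2_key(res_hex, ik_hex, ck_hex), AKAV2_LABEL)["I"]


def akav2_password_stdlib(res_hex: str, ik_hex: str, ck_hex: str) -> str:
    """Same value from the standard library, to cross-check the manual steps."""
    key = akav2_key(res_hex, ik_hex, ck_hex)
    return hmac.new(key, AKAV2_LABEL, hashlib.md5).hexdigest()


if __name__ == "__main__":
    steps = hmac_md5_steps(akav2_key(RES, IK, CK), AKAV2_LABEL)
    for label in "DEFGHI":
        print(label, "=", steps[label])
    assert akav2_password_by_hand(RES, IK, CK) == akav2_password_stdlib(RES, IK, CK)
```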
• 41. 4-2 HTTP Digest calculation from HMAC-MD5 password generation. In AKAv2 the password is b11ff4fe419cdd5d3fae868a788d530f. For HTTP Digest in AKAv2, convert the password from hex to Base64: Base64(b11ff4fe419cdd5d3fae868a788d530f) = sR/0/kGc3V0/roaKeI1TDw==. A1 = 311480000832290@vzims.com:vzims.com:sR/0/kGc3V0/roaKeI1TDw==, and MD5(A1) = 56f3f5e3296c3a313ac900eef63a6d97. A2 = REGISTER:sip:vzims.com.
• 42. MD5(A2) = 4f9c96eef99b18cdc160734cc7b0d664. From the WWW-Authenticate header and the Authorization header about to be sent: nonce = glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA==, nc = 00000001, cnonce = MjIwMDA0, qop = auth. Response = MD5(MD5(A1):nonce:nc:cnonce:qop:MD5(A2)) = MD5(56f3f5e3296c3a313ac900eef63a6d97:glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA==:00000001:MjIwMDA0:auth:4f9c96eef99b18cdc160734cc7b0d664).
• 43. MD5(MD5(A1):nonce:nc:cnonce:auth:MD5(A2)) = aaed79818a9e0ce70bac6c5b5834d1a7, so response = aaed79818a9e0ce70bac6c5b5834d1a7. The UE's second REGISTER carries it: REGISTER sip:vzims.com SIP/2.0 From: <sip:+14438055906@vzims.com>;tag=LGIMS_17458000-2228227 To: <sip:+14438055906@vzims.com> … Authorization: Digest username="311480000832290@vzims.com" realm="vzims.com" nonce="glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA==" uri="sip:vzims.com" response="aaed79818a9e0ce70bac6c5b5834d1a7" algorithm=AKAv2-MD5 cnonce="" qop=auth nc=000000001 ...
• 44. In the registration flow this REGISTER is message (5), sent from the UE to the P/I/S-CSCF with the Authorization header shown on slide 43.
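The Digest response calculation of slides 41-43 in Python, as an added example that is not the deck's or Verizon's code, using the deck's sample values; cnonce = MjIwMDA0 and nc = 00000001 are taken from the computation shown on slide 42. The cscf_verify function is an assumed illustration of the server-side check the overview describes, not a CSCF implementation.

```python
import base64
import hashlib
import hmac

# Values from slides 41-43 (the deck's sample AKAv2 registration).
PASSWORD_HEX = "b11ff4fe419cdd5d3fae868a788d530f"  # HMAC-MD5(RES||IK||CK, label)
USERNAME = "311480000832290@vzims.com"
REALM = "vzims.com"
METHOD, URI = "REGISTER", "sip:vzims.com"
NONCE = "glsUsFALMyCneYCrmebI0Oys7j52GwAAv3iynIbky5kzODE4MmYyAA=="
NC, CNONCE, QOP = "00000001", "MjIwMDA0", "auth"


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode("ascii")).hexdigest()


def akav2_digest_password(password_hex: str) -> str:
    """AKAv2 feeds the Base64 text of the HMAC output to Digest as the password."""
    return base64.b64encode(bytes.fromhex(password_hex)).decode("ascii")


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop) -> dict:
    """RFC 2617 Digest with qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    if qop != "auth":
        raise ValueError("only qop=auth is shown in the slides")
    ha1 = md5hex(f"{username}:{realm}:{password}")  # MD5(A1)
    ha2 = md5hex(f"{method}:{uri}")                 # MD5(A2)
    response = md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return {"HA1": ha1, "HA2": ha2, "response": response}


def cscf_verify(claimed_response: str, expected_password_hex: str, **digest_params) -> bool:
    """Server side (assumed illustration): the CSCF rebuilds the response from the
    XRES-derived password and compares in constant time; a mismatch fails the UE."""
    expected = digest_response(password=akav2_digest_password(expected_password_hex),
                               **digest_params)["response"]
    return hmac.compare_digest(claimed_response, expected)


def ue_authorization_header() -> str:
    """Authorization header the UE sends in its second REGISTER (slide 43 layout)."""
    r = digest_response(USERNAME, REALM, akav2_digest_password(PASSWORD_HEX),
                        METHOD, URI, NONCE, NC, CNONCE, QOP)["response"]
    return (f'Digest username="{USERNAME}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{URI}", response="{r}", algorithm=AKAv2-MD5, '
            f'cnonce="{CNONCE}", qop={QOP}, nc={NC}')
```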
• 45. 5- Overview. The shared secret (K) is created and assigned to a SIM and to the AuC. The AuC produces an Authentication Vector (AV) based on K and a Sequence Number (SQN). The AV contains a random-number challenge (RAND), a Network Authentication Token (AUTN), an expected result password (XRES), and cryptographic keys for integrity checking (IK) and encryption (CK). In response to a client (UE) registration request, the server (CSCF) creates an authentication challenge containing the RAND and AUTN parameters. The challenge is delivered to the client. The client presents the challenge to the SIM, which verifies the AUTN. If the verification is successful, the network has been authenticated. The SIM creates the password response (RES) and local versions of the keys (IK, CK). The client creates the response from these parameters and re-attempts the registration. The server verifies the password to authenticate the UE to the network.
• 46. 6- Reference. Verizon Wireless white paper, IMS AKAv1 AKv2 implementation. It is accessible on SlideShare: https://www.slideshare.net/AlokPrasad5/ims-akav1-akv2-verizon