
Revised Solution for Device Binding Revised from S40-20121003-001 3GPP2 TSG-SX WG4 SX40-20130321-002 Source: Qualcomm Incorporated Contact(s): Anand Palanigounder,


1 Revised Solution for Device Binding
Revised from S40-20121003-001
3GPP2 TSG-SX WG4 SX40-20130321-002
Source: Qualcomm Incorporated
Contact(s): Anand Palanigounder, apg@qti.qualcomm.com; Aram Perez, aramp@qti.qualcomm.com
Recommendation: For Discussion & Decision
Notice: QUALCOMM Incorporated grants a free, irrevocable license to 3GPP2 and its Organizational Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner's name any Organizational Partner's standards publication even though it may include all or portions of this contribution; and at the Organizational Partner's sole discretion to permit others to reproduce in whole or in part such contribution or the resulting Organizational Partner's standards publication. QUALCOMM Incorporated is also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner's standard which incorporates this contribution. This document has been prepared by QUALCOMM Incorporated to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on QUALCOMM Incorporated. QUALCOMM Incorporated specifically reserves the right to amend or modify the material contained herein and nothing herein shall be construed as conferring or offering licenses or rights with respect to any intellectual property of QUALCOMM Incorporated other than provided in the copyright statement above.

2 Overview
– Background
– Terms
– Solution Principles
– Device Binding Function
– Message Flow

3 Background
This presentation proposes a high level solution to the Device Binding requirement in document S.R0146-0:
– SEC-04: cdma2000 networks shall support a mechanism to restrict the use of a cdma2000 M2M access subscription to a specific cdma2000 M2M Device or a M2M group of devices.
This is a revised contribution of S40-20121003-001 based on received comments.

4 Terms
BSC – Base Station Controller
DBF – Device Binding Function
FFS – For Future Study
IE – Information Element
IMSI – International Mobile Subscription Identifier
ME – Mobile Equipment
MEID – Mobile Equipment Identifier
ME_SIG – signature calculated using the ME's private key
MIN – Mobile Identification Number
MSID – Mobile Station Identifier
MSC – Mobile Switching Center
VLR – Visitor Location Register

5 Solution Principles (1)
The solution is proposed for cdma2000 1x networks.
– Whether a solution is required for (e)HRPD is FFS. If required, applicability of this proposed solution to (e)HRPD is FFS.
The device manufacturer provisions a private key associated with the device identity (MEID).
– How the device manufacturer issues the private key and certificate is outside the scope of the standard.
The network has access to the certificate of a ME.

6 Solution Principles (2)
During the 1x registration process, the MSC/VLR queries the DBF (a new logical entity) to learn whether the subscription is restricted.
The MSC/VLR sends a Status Request message requesting MEID authentication.
The BSC transparently forwards the Status Request (from the MSC/VLR) and the Status Response (from the ME).

7 Solution Principles (3)
MEs that support the Device Binding functionality respond with an authentication signature in the Status Response message.
– NOTE: If the subscription requires Device Binding, but the ME does not respond with a signature, the network should deny service to the ME.

8 Device Binding Function
The Device Binding Function (DBF) is a new logical function in the network that:
– Determines whether a particular subscription, identified by the MSID associated with the subscription, is restricted to an ME or a group of MEs. The ME is identified by its Mobile Equipment Identifier (MEID).
– Maintains the mapping between MSIDs (subscriptions) and MEID bindings.
– Generates a nonce used to authenticate the ME.
– Performs authentication of the MEID and sends a response to the MSC/VLR indicating whether to allow or deny service to the MS.
The DBF could be part of an existing network element or a new network element.

9 Message Flow for 1x (1)
The figure in the following slide shows the high level message flow for Device Binding in cdma2000 1x networks.
Color coding:
– Items in red are new additions.

10 Message Flow for 1x (2)
(Figure: high level Device Binding message flow for cdma2000 1x; not reproduced in the transcript.)

11 Message Flow (3)
1. The MS sends a 1x Registration request to the BSC.
2. The BSC, MSC/VLR and HLR perform Location Updating and exchange subscription authentication information.
3. The BSC and MS perform the subscription authentication using either CAVE or AKA.
4. The BSC and MSC/VLR confirm subscription authentication.

12 Message Flow (4)
A. The MSC/VLR sends a Device Restriction Query message that contains the MSID to the Device Binding Function (DBF).
B. Based on the MSID, the DBF checks if the subscription is restricted to an ME or group of MEs.
– The DBF maintains the binding between the MSID and the MEs.
C. If the MSID is not restricted, the DBF sends a Device Restriction Response to the MSC/VLR with a Status value indicating that restriction is not required. The MSC/VLR continues with step 5 on slide 18.

13 Message Flow (5)
D. If the MSID is restricted, the DBF generates a random 128-bit Nonce value and sends a Device Restriction Response with a Status value indicating that restriction is required and the Nonce.
– The DBF saves the Nonce for the MSID to be used later in step J.
E. The MSC/VLR sends a Status Request to the BSC, requesting the ME's MEID, and includes the Nonce that it received from the DBF.
– The presence of the Nonce indicates to the ME that Device Authentication is required.

14 Message Flow (6)
F. The BSC forwards the Status Request to the ME.
G. The ME generates a digital signature, called ME_SIG, over the Nonce, MSID and MEID using the private key associated with the MEID, and includes it in the Status Response to the BSC along with the MEID.
– If the ME does not support this security framework, it sends back a normal Status Response with just the MEID.

15 Message Flow (7)
H. The BSC forwards the Status Response to the MSC/VLR.
I. The MSC/VLR sends a Validate Device Request message to the DBF. The message includes the MSID, the MEID and the ME_SIG from the MS.

16 Message Flow (8)
J. The DBF validates the ME by checking that the MSID and MEID pairing is allowed. If not allowed, validation fails and the message flow continues with step K. If allowed, the DBF uses the Nonce it saved in step D to verify the ME_SIG. In addition, in order to verify the ME_SIG, the DBF needs to have access to the certificate associated with the MEID.
– How the DBF gets access to the certificate is outside the scope of this framework.

17 Message Flow (9)
K. Based on the validation result, the DBF sends a Validate Device Response message to the MSC/VLR with the Status set to Allow if the binding is successfully validated by the DBF, or Deny otherwise.
L. If the Status is Allow, the MSC/VLR accepts the registration (step 5 on slide 18).
M. If the Status is Deny, the MSC/VLR sends an MS registration rejection.

18 Message Flow (10)
5. The BSC informs the MS that it has been registered.

19 Proposal
Discuss & adopt the solution concept.

