1 IEEE 802.21 MEDIA INDEPENDENT HANDOVER
DCN: xxx-00-0sec-3gpp-security-non802handover
Title: A Study on Security Solutions in non-IEEE 802 Wireless – 3GPP AKA and Interworking with WLAN
Date Submitted: September 3, 2008
Presented at IEEE session #28 in Big Island, HI
Authors or Source(s): Lily Chen (NIST)
Abstract: This presentation reviews security solutions for 3GPP and 3GPP-WLAN interworking. The purpose is to explore possible security handover strategies with non-802 networks.
xxx-00-0sec

2 IEEE 802.21 presentation release statements
This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE.
The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws and outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual, and in Understanding Patent Issues During IEEE Standards Development.

3 Purpose
Study non-IEEE 802 wireless network security solutions.
Explore possible security handover strategies with non-IEEE 802 networks.

4 Outline
UMTS Authentication and Key Agreement (AKA)
EAP-AKA
3GPP and WLAN interworking
Interworking vs. handover

5 UMTS Network Architecture
[Figure: UE with USIM (holding K) – BS – RNC – MSC/VLR and SGSN – HE/AuC (holding K), with connections to the PSTN/ISDN and to IP networks]
K – Long term authentication key stored in the USIM card at the mobile side and in the Authentication Center (AuC) at the network side.
USIM – UMTS Subscriber Identity Module
BS – Base Station
RNC – Radio Network Controller
VLR – Visitor Location Register
SGSN – Serving GPRS Support Node
HE – Home Environment
AuC – Authentication Center
PSTN – Public Switched Telephone Network

6 Authentication and Key Agreement (AKA) - Introduction
AKA is the subscriber authentication and session key generation protocol specified by 3GPP for UMTS (see 3GPP TS 33.102). The authentication is based on a symmetric key method, assuming that the subscriber and the network share a long term key K. The main idea is to use “Authentication Vectors (AVs)” to delegate the authentication to the VLR/SGSN.

7 Authentication and Key Agreement (AKA) - Authentication Vector
An authentication vector is a quintuplet: AV = (RAND || AUTN || XRES || CK || IK). The components are:
RAND – Random challenge
AUTN – Authentication token to authenticate the network
XRES – Expected response to RAND
CK – Cipher (encryption) key
IK – Integrity key

8 Authentication and Key Agreement (AKA) - Generation of Authentication Vector
[Figure: Generate SQN; Generate RAND (random challenge). K (long term authentication key) and RAND are fed into f1 … f5: f1 (with SQN and AMF) → MAC, f2 → XRES, f3 → CK, f4 → IK, f5 → AK]
AUTN := (SQN ⊕ AK) || AMF || MAC
The fi's are operator specified functions. 3GPP developed an example algorithm (Milenage).

9 Authentication and Key Agreement (AKA) - Protocol
[Figure: subscriber device with USIM (K) – VLR/SGSN – HLR/AuC (K); RNC]
Access Request: USIM → VLR/SGSN
Authentication Data Request: VLR/SGSN → HLR/AuC
Authentication Vectors: HLR/AuC → VLR/SGSN, AVj = {RANDj || AUTNj || XRESj || CKj || IKj}, j = 1, 2, …, t
RANDj || AUTNj: VLR/SGSN → USIM; the USIM verifies AUTNj and computes RESj (f2), CKj (f3), IKj (f4)
RESj: USIM → VLR/SGSN; the VLR/SGSN checks RESj =? XRESj
IKj and CKj are then delivered to the RNC, and the session is protected.
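The AV generation of slide 8 and the challenge/response of slide 9, worked through in code. This is an added example, not material from the presentation or from 3GPP: the five functions f1 … f5 are stand-ins built from HMAC-SHA256 (an assumption made here so the block runs with the standard library; they are not Milenage), while the output lengths (MAC 64 bit, AK 48 bit, CK/IK 128 bit) and the AUTN layout (SQN ⊕ AK || AMF || MAC) follow the slides. It also shows the two checks the USIM performs before it trusts the network: the MAC over (RAND, SQN, AMF) and the freshness of SQN.

```python
import hashlib
import hmac
import os

# ASSUMPTION: toy stand-ins for the operator-specified f1..f5 (HMAC-SHA256
# with a domain-separation tag), NOT the 3GPP Milenage example algorithm.
# Output lengths follow TS 33.102: MAC 8 bytes, RES 8 bytes, CK/IK 16, AK 6.
def _f(tag: bytes, k: bytes, data: bytes, n: int) -> bytes:
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]

def f1(k, rand, sqn, amf): return _f(b"f1", k, rand + sqn + amf, 8)  # MAC
def f2(k, rand):           return _f(b"f2", k, rand, 8)              # RES / XRES
def f3(k, rand):           return _f(b"f3", k, rand, 16)             # CK
def f4(k, rand):           return _f(b"f4", k, rand, 16)             # IK
def f5(k, rand):           return _f(b"f5", k, rand, 6)              # AK

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def generate_av(k: bytes, sqn: bytes, amf: bytes = b"\x00\x00", rand: bytes = None) -> dict:
    """HE/AuC side: build one authentication vector (RAND, AUTN, XRES, CK, IK)."""
    rand = rand or os.urandom(16)
    mac = f1(k, rand, sqn, amf)
    ak = f5(k, rand)                       # anonymity key hides SQN on the air
    autn = xor(sqn, ak) + amf + mac        # AUTN := (SQN xor AK) || AMF || MAC
    return {"RAND": rand, "AUTN": autn, "XRES": f2(k, rand),
            "CK": f3(k, rand), "IK": f4(k, rand)}

def usim_respond(k: bytes, rand: bytes, autn: bytes, last_sqn: bytes) -> dict:
    """USIM side: authenticate the network from AUTN, then compute RES, CK, IK."""
    conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
    sqn = xor(conc_sqn, f5(k, rand))       # remove AK to recover SQN
    if not hmac.compare_digest(mac, f1(k, rand, sqn, amf)):
        raise ValueError("MAC failure: network not authenticated")
    if sqn <= last_sqn:                    # stale or replayed vector (TS 33.102
        raise ValueError("SQN failure: resynchronisation needed")  # uses a window)
    return {"RES": f2(k, rand), "CK": f3(k, rand), "IK": f4(k, rand), "SQN": sqn}

def run_aka(k: bytes, sqn: bytes, last_sqn: bytes = b"\x00" * 6):
    """One AKA run: AuC builds the AV, VLR/SGSN challenges, USIM answers.
    Returns (RES matched XRES, both sides hold the same CK and IK)."""
    av = generate_av(k, sqn)
    usim = usim_respond(k, av["RAND"], av["AUTN"], last_sqn)   # RAND||AUTN sent
    ok = hmac.compare_digest(usim["RES"], av["XRES"])          # RES =? XRES
    return ok, usim["CK"] == av["CK"] and usim["IK"] == av["IK"]

def reject_reason(k_usim: bytes, av: dict, last_sqn: bytes):
    """Why the USIM rejects an AV ('MAC failure', 'SQN failure') or None if accepted."""
    try:
        usim_respond(k_usim, av["RAND"], av["AUTN"], last_sqn)
    except ValueError as e:
        return str(e).split(":")[0]
    return None

if __name__ == "__main__":
    # Constructed sample key and sequence number (not real subscriber data).
    K, SQN = b"\x01" * 16, b"\x00\x00\x00\x00\x00\x05"
    print("AKA run:", run_aka(K, SQN))
    print("Replayed AV:", reject_reason(K, generate_av(K, SQN), SQN))
```

The VLR/SGSN never sees K: it only compares RES against the XRES the AuC precomputed, which is exactly the delegation the slide describes. Reusing a vector (same SQN as the USIM's last accepted one) is rejected on the USIM side, and a vector built with a different K fails the MAC check, so neither party can be impersonated with a captured challenge.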

10 UMTS Security in Handover
AKA is executed for each registration, not for each handover. Session keys IK and CK are generated for each AKA execution. The same session keys can be used by different RNCs; they are distributed through handover. UMTS allows different RNCs to share the same session keys, while in IEEE 802 networks different APs are not trusted to share the same session keys!
[Figure: HLR / Authentication Center – MSC/VLR holding (CK, IK) – RNC1 and RNC2 in the Radio Access Network, both receiving (CK, IK)]

11 EAP-AKA - Motivation and main ideas
The USIM is considered an asset to service providers. It holds credentials to authenticate subscribers. Using common credentials for both cellular and WLAN access authentication makes the best use of the USIM. EAP-AKA is an EAP method that uses the USIM to conduct authentication for WLAN access. The WLAN AAA server interfaces with the 3GPP AuC to get authentication vectors. The WLAN AAA server uses AVs to derive EAP keys.
[Figure: HLR/AuC supplies AVs to the AAA server; WLAN device and AAA server run EAP-AKA through the Access Point; both derive EAP keys from the AV; the AAA server delivers the MSK to the Access Point; data between device and AP is protected]

12 EAP-AKA - How to use authentication vectors
[Figure: RAND → AT_RAND; AUTN → AT_AUTN (peer verifies); XRES compared against AT_RES; CK, IK → Hash → MK → KDF → TEKs (Kaut, Kencr), MSK, EMSK]
Use “RAND” and “XRES” as random challenge and response.
AUTN is used for network authentication.
Use IK and CK to derive EAP keys.

13 EAP-AKA Protocol Outline*
[Figure: WLAN device – AAA server – HLR/AuC (supplies AVi)]
EAP-Request / Identity: AAA server → device
EAP-Response / Identity: device → AAA server
AAA server generates MK; the MAC is generated using Kaut.
EAP-Request / AKA-Challenge (RAND, AUTN, MAC): AAA server → device
Device generates MK; the MAC is generated using Kaut.
EAP-Response / AKA-Challenge (RES, MAC): device → AAA server
EAP-Success (or Failure): AAA server → device; the MSK is delivered to the authenticator.
*For details, see RFC 4187.

14 3GPP and WLAN Interworking
[Figure: WLAN UE – WLAN Access Network – Packet data gateway – Internet / 3GPP Network; 3GPP AAA obtains AVs from the HLR/AuC and runs EAP-AKA with the UE]
3GPP and WLAN interworking allows a device to access the Internet through a WLAN by authenticating through the 3GPP network (direct access), or to access the Internet through the 3GPP IP network (WLAN 3GPP IP Access).
The security in interworking is specified by 3GPP. It allows User Equipment (UE) to authenticate to the WLAN network using the same credentials as 3GPP AKA, through EAP-AKA. It specifies interfaces between the 3GPP network and the WLAN to pass all sorts of information and also to support access authentication. It is 3GPP specific, with 3GPP specified network function entities. It is an application of EAP-AKA.

15 AKA vs. EAP-AKA
EAP-AKA allows using the AKA authentication vector for WLAN access authentication and key establishment.
AKA and EAP-AKA have different trust models: session keys generated through AKA can be shared among RNCs. The MSK, generated through EAP-AKA, is specific to a given authenticator. Wireless protection session keys are AP specific.
UMTS and IEEE 802 networks have different secure handover solutions. UMTS has the infrastructure to hand over the session keys. IEEE 802 (e.g. 802.11r) executes a handshake in each handover to generate new session keys.
Interworking does not provide mechanisms to hand over keys between an IEEE 802 wireless network and a non-802 network.

16 Different Trust Models and Secure Handover Solutions - Illustration
[Figure: AKA side – HLR/AuC issues AV1 to the VLR/SGSN, which derives (CK, IK) and hands them over from RNC1 to RNC2. EAP-AKA side – HLR/AuC issues AV2 to the AAA Server, which derives the MSK for one authenticator; each AP derives its own PTK (PTK1, PTK2), so moving between APs is a transition, not a key handover]

17 Summary
3GPP AKA employs a different trust model from EAP-AKA.
From a security perspective, real handover between 802 and non-802 networks is barely possible.
“Transition” from 3GPP to IEEE 802 (or others) can use pre-authentication through EAP-AKA, if the 3GPP AuC can provide authentication vectors to the network. (This can hardly be called “handover”, since it is really a full authentication.)
The possibility of security handover is questionable if a MN roams from an 802 network to a 3GPP network. In the case that the 802 network uses EAP-AKA: if an authentication vector is used in EAP-AKA, then it cannot be re-used back to the 3GPP network based on
When the 802 network uses some authentication method other than EAP-AKA, e.g. EAP-TLS, then the 3GPP trust model would need to change completely to allow (IK, CK) to be generated from the MSK (or other EAP keys).

18 Back Up slides

19 EAP-AKA Fast Re-authentication
After a full EAP-AKA execution, the TEK = (Kencr, Kaut) can be used for a fast re-authentication. The server generates a random number NS and uses Kencr to encrypt it. The server message includes a MAC. Upon receiving E(Kencr, NS), the peer decrypts it. The MN generates a MAC over NS using Kaut and sends it to the server. The MAC serves as an authentication response. For each fast re-authentication, a new MK is generated from the old MK and NS. A counter is maintained to record the number of fast re-authentications.
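The EAP-AKA key handling of slides 12 and 13 (IK, CK → MK → Kencr, Kaut, MSK, EMSK, with a MAC under Kaut on the challenge messages) and the fast re-authentication of this slide (encrypted NS, counter, new master key from the old MK and NS), carried through as one added example. This is not code from the presentation, from 3GPP or from RFC 4187: the master-key hashes MK = SHA1(Identity | IK | CK) and XKEY' = SHA1(Identity | counter | NONCE_S | MK) and the key lengths are taken from RFC 4187 section 7, but the key expansion (HMAC-SHA256 counter mode instead of the FIPS 186-2 PRF), the MAC (truncated HMAC-SHA256 instead of HMAC-SHA1-128) and the encryption of NS (an HMAC keystream XOR instead of AES-CBC) are stand-ins chosen so the block runs offline, and the sample AV is constructed rather than produced by an AuC.

```python
import hashlib
import hmac
import os

# Key lengths in bytes from RFC 4187 section 7: K_encr, K_aut, MSK, EMSK.
LENS = (("K_encr", 16), ("K_aut", 16), ("MSK", 64), ("EMSK", 64))

def expand(key: bytes, total: int) -> bytes:
    # ASSUMPTION: HMAC-SHA256 counter expansion stands in for the FIPS 186-2
    # based PRF of RFC 4187; the fan-out MK -> K_encr|K_aut|MSK|EMSK is the same.
    out, i = b"", 0
    while len(out) < total:
        out += hmac.new(key, bytes([i]), hashlib.sha256).digest()
        i += 1
    return out[:total]

def split_keys(stream: bytes) -> dict:
    keys, pos = {}, 0
    for name, n in LENS:
        keys[name], pos = stream[pos:pos + n], pos + n
    return keys

def derive_full(identity: bytes, ik: bytes, ck: bytes) -> dict:
    # RFC 4187: MK = SHA1(Identity | IK | CK); IK and CK come from the AV.
    mk = hashlib.sha1(identity + ik + ck).digest()
    keys = split_keys(expand(mk, sum(n for _, n in LENS)))
    keys["MK"], keys["counter"] = mk, 0
    return keys

def derive_reauth(keys: dict, fast_id: bytes, counter: int, nonce_s: bytes) -> dict:
    # RFC 4187: XKEY' = SHA1(Identity | counter | NONCE_S | MK). Only MSK and
    # EMSK are refreshed; K_encr and K_aut (the TEK) are kept.
    xkey = hashlib.sha1(fast_id + counter.to_bytes(2, "big") + nonce_s + keys["MK"]).digest()
    fresh = expand(xkey, 128)
    return {**keys, "MSK": fresh[:64], "EMSK": fresh[64:], "counter": counter}

def at_mac(k_aut: bytes, data: bytes) -> bytes:
    # ASSUMPTION: HMAC-SHA256 truncated to 16 bytes in place of HMAC-SHA1-128.
    return hmac.new(k_aut, data, hashlib.sha256).digest()[:16]

def encrypt(k_encr: bytes, iv: bytes, data: bytes) -> bytes:
    # ASSUMPTION: one-time HMAC keystream XOR stands in for AES-CBC (AT_ENCR_DATA).
    ks = hmac.new(k_encr, iv, hashlib.sha256).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, ks))

def sample_av() -> dict:
    # Constructed AV; in practice it comes from the HLR/AuC (slide 8).
    return {"RAND": bytes(range(16)), "AUTN": bytes(range(16, 32)),
            "XRES": b"\xaa" * 8, "CK": b"\x11" * 16, "IK": b"\x22" * 16}

def full_authentication(av: dict, identity: bytes):
    """Server and peer sides of EAP-Request/Response AKA-Challenge (slide 13)."""
    server = derive_full(identity, av["IK"], av["CK"])
    challenge = b"AKA-Challenge" + av["RAND"] + av["AUTN"]
    chal_mac = at_mac(server["K_aut"], challenge)
    # Peer: its USIM checks AUTN and returns RES, CK, IK for this RAND (modelled
    # here as the values the AuC placed in the AV).
    peer = derive_full(identity, av["IK"], av["CK"])
    if not hmac.compare_digest(chal_mac, at_mac(peer["K_aut"], challenge)):
        raise ValueError("peer: bad MAC on AKA-Challenge")
    response = b"AKA-Challenge" + av["XRES"]        # RES from the USIM
    resp_mac = at_mac(peer["K_aut"], response)
    if not (hmac.compare_digest(response[13:], av["XRES"])
            and hmac.compare_digest(resp_mac, at_mac(server["K_aut"], response))):
        raise ValueError("server: RES or MAC mismatch")
    return server, peer       # server hands server["MSK"] to the authenticator

def fast_reauthentication(server: dict, peer: dict, fast_id: bytes):
    """Server sends counter and encrypted NONCE_S under a MAC; peer answers with a MAC."""
    counter, nonce_s, iv = server["counter"] + 1, os.urandom(16), os.urandom(16)
    request = (b"AKA-Reauthentication" + counter.to_bytes(2, "big") + iv
               + encrypt(server["K_encr"], iv, nonce_s))
    req_mac = at_mac(server["K_aut"], request)
    # Peer: verify MAC, decrypt NONCE_S, reject a counter that did not increase.
    if not hmac.compare_digest(req_mac, at_mac(peer["K_aut"], request)):
        raise ValueError("peer: bad MAC on re-authentication request")
    ctr = int.from_bytes(request[20:22], "big")
    if ctr <= peer["counter"]:
        raise ValueError("peer: counter replay")
    nonce = encrypt(peer["K_encr"], request[22:38], request[38:54])
    new_peer = derive_reauth(peer, fast_id, ctr, nonce)
    # Response MAC covers the packet followed by NONCE_S (RFC 4187 section 9.8).
    resp_mac = at_mac(new_peer["K_aut"], b"AKA-Reauthentication" + request[20:22] + nonce)
    new_server = derive_reauth(server, fast_id, counter, nonce_s)
    expected = at_mac(new_server["K_aut"], b"AKA-Reauthentication" + request[20:22] + nonce_s)
    if not hmac.compare_digest(resp_mac, expected):
        raise ValueError("server: bad MAC on re-authentication response")
    return new_server, new_peer

if __name__ == "__main__":
    s, p = full_authentication(sample_av(), b"0123456789@wlan.example")
    s2, p2 = fast_reauthentication(s, p, b"fastid@wlan.example")
    print("full MSK match:", s["MSK"] == p["MSK"], "reauth MSK match:", s2["MSK"] == p2["MSK"])
```

The block makes the trust-model point of slide 15 concrete: the MSK is bound to the identity and to one AV, and fast re-authentication refreshes it without consuming a new AV, but the refreshed key is again a WLAN-side key; nothing here yields a (CK, IK) pair an RNC could use, so a re-used AV cannot be carried back into the 3GPP network.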

