IMS Security Services Report
University of Kassel, Chair of Communication Technology (Lehrstuhl für Kommunikationstechnik), Prof. Dr.-Ing. Klaus David
Report on Security Services in IMS
By
July 2005
CONTENTS
1. Abstract
4. Security
4.1 Need for Security
5. Conclusion
6. References
1. Abstract
Security is one of the essential requirements for a service of this kind. Security experts warn that hackers, software vandals, content pirates and other security threats will never be eliminated entirely: the tools of the hackers' trade (viruses, worms and other assorted malicious code) keep morphing and mutating into new forms and shapes. Because IMS is an open, IP-based architecture, it inherits these threats.
This report presents the current market trends in communication, the role of IMS and an overview of it, the IMS security architecture and the various security services in IMS.
More than 100 years ago, the telephone eliminated the obstacle of distance. The mobile
phone came next, removing the obstacle of location. Today, telephony, mobility, and the
Internet are converging.
Mobile phones were used initially for voice communications. With the invention of short
message service (SMS), or text messaging, mobile services began to shift towards
becoming increasingly data-based. Today, we are on the brink of having mobile
communications as varied and powerful as our imagination.
User and enterprise needs will drive the evolution of multimedia services for both mobile and fixed operators. Users expect to do more with their communication services for less money, and are showing interest in services beyond voice. They are attracted to a wide range of communication, information and entertainment services delivered in a user-friendly and cost-effective way, and they want access to those services wherever, whenever and however they choose.
Technologies like broadband access, Voice over IP (VoIP) and wireless LAN (WLAN, or WiFi) are lowering the entry barrier for new service providers in both the fixed and the mobile communications worlds.
For the customer: a rich user experience, with more broadband on the move and real-time communication using any combination of voice, video, pictures and messages.
For the operator: IP-based systems offer network operators the opportunity to expand their services, integrating voice and multimedia communications and delivering them into new environments for new purposes. This is what the industry calls convergence: bringing multiple media, multiple points of access, and multiple modes of and purposes for communication together in a single network.
IMS carries signaling and bearer traffic over the IP layer, functioning as an intelligent
routing engine that matches a user profile with an appropriate call handling server and
switches the call control over to the designated handler. IMS includes the capability
to add, modify or delete sessions in an existing multimedia call, and extends the IP
network all the way to the user equipment, enabling the core network to remain access
agnostic. Each end-user can have a personalized experience involving simultaneous
voice, data, and multimedia sessions.
IMS fits the user and operator requirements outlined in Section 2 well and is therefore the natural technology choice. It provides an open, standardized way of building a horizontal, layered network architecture.
Because IMS supports open service creation and third party applications and application
servers, operators have the chance to customize services and applications for their own
customers. Open service creation will give operators the tools to optimize IP multimedia
services for local requirements. It will also allow them to develop their service concepts
in co-operation with external application developers.
IMS lets operators offer services over packet networks while keeping awareness and control of those services. It uses the IETF Session Initiation Protocol (SIP) for call and session control.
With the IP Multimedia Subsystem in the network, subscribers can control when and how they communicate. They can choose the most appropriate medium or combination of media (video, voice, text, images or instant messages), all available simultaneously and in real time.
4. Security
4.1 Need for Security
The security breaches that have been a constant threat to desktop computers over the last ten years are migrating to the world of wireless communications, where they threaten mobile phones, smartphones, personal digital assistants (PDAs), laptop computers and other yet-to-be-invented devices that rely on the convenience of wireless links. Unfortunately, protecting wireless communications and the applications that use them is harder than securing desktop applications. Desktop computers have a limited and identifiable set of entry points, and those entry points can be controlled and safeguarded. With wireless communications, important and often vital information is placed on a mobile device that can be lost or stolen, and that information is frequently transmitted over the unprotected airwaves. Some new applications, such as mobile commerce (m-commerce), further require that this critical information be decrypted by a server somewhere in the communication chain before it is encrypted again and forwarded to its destination. Every point in the wireless communication chain where information is decrypted is a potential vulnerability of the whole system.
Figure: threats to the system (destruction, corruption, removal, disclosure, interruption) set against the security services that counter them (access control, authentication, data confidentiality, communication security, data integrity, availability, privacy).
4.3 IMS Security Architecture
Figure 4: The IMS Security Architecture, Ref [12]
There are five different security associations in IMS, each with its own need for security protection. They are numbered 1 to 5 in figure 4, where:
1. Provides mutual authentication. The HSS (Home Subscriber Server) delegates the performance of subscriber authentication to the S-CSCF (Serving-Call Session Control Function); however, the HSS is responsible for generating keys and challenges. The long-term key in the ISIM (IP Multimedia Services Identity Module) and in the HSS is associated with the IMPI (IP Multimedia Private Identity). The subscriber has one (network-internal) user private identity (IMPI) and at least one external user public identity (IMPU).
2. Provides a secure link and a security association between the UE (User Equipment) and a P-CSCF (Proxy-Call Session Control Function) for protection of the Gm reference point. Data origin authentication is provided, i.e. corroboration that the source of the data received is as claimed.
3. Provides security within the network domain internally for the Cx interface.
4. Provides security between different networks for SIP-capable nodes. This security association applies only when the P-CSCF resides in the VN (Visited Network); if the P-CSCF resides in the HN (Home Network), item 5 below applies.
5. Provides security within the network internally between SIP-capable nodes. Note that this security association also applies when the P-CSCF resides in the HN.
Definitions of the nodes and terms used in figure 4:
- Breakout Gateway
- Media Resources
- ISIM (IP Multimedia Services Identity Module)
- UICC (Universal Integrated Circuit Card)
- SIP (Session Initiation Protocol)
A P-CSCF (Proxy-CSCF) is a SIP proxy that is the first point of contact for the IMS terminal. It can be located either in the visited network (in full IMS networks) or in the home network (when the visited network is not yet IMS compliant). The terminal discovers its P-CSCF either with DHCP or through assignment in the PDP context (in GPRS).
- it is assigned to an IMS terminal during registration and does not change for the duration of the registration
- it sits on the path of all signalling messages and can inspect every message
- it establishes an IPsec security association with the IMS terminal and thereby authenticates every subsequent message from the user. This prevents spoofing and replay attacks and protects the privacy of the user. Other nodes trust the P-CSCF and do not have to authenticate the user again
- it can compress and decompress SIP messages, which reduces the round-trip time over slow radio links
- it may include a PDF (Policy Decision Function), which authorizes media-plane resources and manages quality of service (QoS) on the media plane. It is used for policy decisions, lawful interception, bandwidth management, etc. The PDF can also be a separate function, for example in a Session Border Controller
- it generates charging records towards a charging collection node
A S-CSCF (Serving-CSCF) is the central node of the signalling plane. It is a SIP server, but performs session control as well. It is always located in the home network. The S-CSCF uses the Diameter Cx interface to the HSS (and Dx towards the SLF) to download and upload user profiles; it keeps no local storage of the user.
- it handles SIP registrations, which lets it bind the user's location (e.g. the IP address of the terminal) to the SIP address
- it sits on the path of all signalling messages and can inspect every message
- it decides to which application server(s) a SIP message is forwarded in order to provide their services
- it provides routing services, typically using ENUM lookups
- it enforces the policy of the network operator
Breakout Gateway
A BGCF (Breakout Gateway Control Function) is a SIP server that includes routing functionality based on telephone numbers. It is used only when a call from IMS is placed to a phone in a circuit-switched network, such as the PSTN or a PLMN.
Media Resources
A MRF (Media Resource Function) provides a source of media in the home network. It is used to play announcements, mix media streams, transcode between different codecs, etc. Each MRF is further divided into:
- a MRFC (Media Resource Function Controller), a signalling-plane node that acts as a SIP User Agent towards the S-CSCF and controls the MRFP over an H.248 interface
- a MRFP (Media Resource Function Processor), a media-plane node that implements all media-related functions
The HSS (Home Subscriber Server) is a user database that stores user profiles and performs authentication and authorization of the user. It is similar to the GSM HLR and AuC.
A SLF (Subscriber Location Function) is needed when multiple HSSs are used. Both the HSS and the SLF implement the Diameter protocol (Cx, Dx and Sh interfaces).
The ISIM resides on the UICC (Universal Integrated Circuit Card), a physically secure device that can be inserted into and removed from the User Equipment.
4.4.3 Authentication Process in IMS
As shown in the figure above, the ISIM resides on the UICC and is responsible for generating the keys required to communicate with IMS. The AKA (Authentication and Key Agreement) algorithm runs in the ISIM: it accepts the challenge parameters sent by the network and produces the response together with the session keys, the cipher key CK and the integrity key IK. The UE uses these session keys to protect its communication with IMS. Its first point of contact is the P-CSCF, which forwards the registration to the I-CSCF, the entry point of the home network's administrative domain (the I-CSCF may also apply the hiding mechanism described below to messages that leave the home domain), and on to the S-CSCF, which performs the authentication on behalf of the HSS. Once the challenge has been answered correctly, the P-CSCF establishes the IPsec security association with the UE from IK, and the user can use the services of IMS.
The scheme for authentication and key agreement in IMS is called IMS AKA. IMS AKA achieves mutual authentication between the ISIM and the HSS.
The HSS chooses the IMS AKA scheme for authenticating an IM subscriber. The security parameters, e.g. the keys generated by the IMS AKA scheme, are transported by SIP. The S-CSCF fetches the AKA authentication vectors from the Home Subscriber Server and challenges the user; the ISIM computes the response from the long-term key, and only if that response matches the expected response in the vector is the user authenticated to use the services of IMS.
4.4.4 Session Initiation Process in IMS
2. After inspecting the SIP REGISTER message and preparing the IPsec security association, the P-CSCF forwards the message to the I-CSCF (Interrogating Call/Session Control Function).
3 & 4. The I-CSCF contacts the HSS (Home Subscriber Server) to obtain the user data needed to authenticate the user.
5 & 6. The I-CSCF determines which kind of services can be provided to this user and what the requirements for those services are.
8 & 9. The S-CSCF requests the updated user information from the HSS so that it knows the user's current location and profile.
10. The 200 OK response, which signals successful authentication, is returned to the I-CSCF after the S-CSCF has completed its tasks.
12. The response is delivered to the User Equipment; the user is now authenticated and a session exists between the UE and IMS.
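The following Python program is an added example, not code from the original report: it plays out the IMS AKA run of 4.4.3 and the REGISTER / 401 Unauthorized / REGISTER / 200 OK exchange of 4.4.4 with both sides' messages. The HSS generates an authentication vector (RAND, XRES, CK, IK, AUTN); the ISIM verifies the MAC inside AUTN, checks that the sequence number SQN is fresh, and computes RES, CK and IK; the S-CSCF compares the Digest AKAv1-MD5 response (RFC 3310, where the 401's nonce carries RAND||AUTN and the password is RES) with the one it computes from XRES. Assumptions made for the example: an HMAC-SHA-256 construction stands in for the MILENAGE functions f1..f5, the key K, AMF, IMPI and realm are constructed values, the S-CSCF and P-CSCF roles are collapsed into register(), and a strictly increasing SQN check replaces the SQN window of the 3GPP specifications. replay_challenge() and forged_challenge() show the two failure modes the ISIM must catch.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example data (not from any real subscription): the 128-bit long-term
# key K shared by ISIM and HSS, and the AMF field carried inside AUTN.
K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")
AMF = b"\x80\x00"

def f(k, tag, data, n):
    """Stand-in for the MILENAGE functions f1..f5. Assumption: HMAC-SHA-256 keyed
    with K, with a per-function tag, truncated to n bytes. Real ISIMs and HSSs run
    MILENAGE or an operator-specific algorithm instead."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class HSS:
    """Holds K and the sequence number SQN; generates authentication vectors."""

    def __init__(self, k, sqn=0):
        self.k, self.sqn = k, sqn

    def auth_vector(self):
        self.sqn += 1                                 # fresh SQN for every vector
        sqn = self.sqn.to_bytes(6, "big")
        rand = secrets.token_bytes(16)
        mac = f(self.k, b"f1", sqn + rand + AMF, 8)   # lets the ISIM authenticate the network
        xres = f(self.k, b"f2", rand, 8)              # expected response from the user
        ck = f(self.k, b"f3", rand, 16)               # cipher key CK_IM
        ik = f(self.k, b"f4", rand, 16)               # integrity key IK_IM
        ak = f(self.k, b"f5", rand, 6)                # anonymity key, conceals SQN on the air
        return rand, xres, ck, ik, xor(sqn, ak) + AMF + mac

class ISIM:
    """ISIM on the UICC: verifies AUTN, enforces SQN freshness, derives RES, CK, IK."""

    def __init__(self, k, sqn_max=0):
        self.k, self.sqn_max = k, sqn_max

    def run_aka(self, rand, autn):
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = xor(sqn_ak, f(self.k, b"f5", rand, 6))
        if not hmac.compare_digest(mac, f(self.k, b"f1", sqn + rand + amf, 8)):
            raise ValueError("MAC failure: challenge was not produced by the home network")
        if int.from_bytes(sqn, "big") <= self.sqn_max:
            raise ValueError("synchronisation failure: SQN not fresh (replayed challenge)")
        self.sqn_max = int.from_bytes(sqn, "big")
        return f(self.k, b"f2", rand, 8), f(self.k, b"f3", rand, 16), f(self.k, b"f4", rand, 16)

def md5_join(*parts):
    return hashlib.md5(b":".join(parts)).hexdigest().encode()

def digest_response(user, realm, password, nonce, method, uri, nc, cnonce):
    """HTTP Digest, algorithm AKAv1-MD5 with qop=auth (RFC 3310): the password is the binary RES."""
    return md5_join(md5_join(user, realm, password), nonce, nc, cnonce, b"auth", md5_join(method, uri))

def register(hss, isim, impi=b"[email protected]", realm=b"home.example"):
    """One REGISTER / 401 / REGISTER / 200 round trip. Returns (authenticated, keys_agree)."""
    # S-CSCF fetches a vector from the HSS over Cx and answers the first REGISTER with
    # 401 Unauthorized; the WWW-Authenticate nonce carries base64(RAND || AUTN).
    rand, xres, ck, ik, autn = hss.auth_vector()
    nonce = base64.b64encode(rand + autn)
    # UE: the ISIM checks AUTN and returns RES and the session keys; the UE re-sends
    # REGISTER with an Authorization header computed with RES as the password.
    res, ck_ue, ik_ue = isim.run_aka(rand, autn)
    nc, cnonce, uri = b"00000001", secrets.token_hex(8).encode(), b"sip:" + realm
    answer = digest_response(impi, realm, res, nonce, b"REGISTER", uri, nc, cnonce)
    # S-CSCF: recompute the expected response from XRES. It never holds K and never
    # talks to the ISIM; on a match it sends 200 OK and hands CK/IK to the P-CSCF.
    expected = digest_response(impi, realm, xres, nonce, b"REGISTER", uri, nc, cnonce)
    return hmac.compare_digest(answer, expected), (ck, ik) == (ck_ue, ik_ue)

def replay_challenge(hss, isim):
    """Present the same RAND/AUTN twice: the second attempt must fail the SQN check."""
    rand, _, _, _, autn = hss.auth_vector()
    isim.run_aka(rand, autn)
    try:
        isim.run_aka(rand, autn)
    except ValueError as err:
        return str(err)
    return "accepted (bug)"

def forged_challenge(isim):
    """A challenge built without K must be rejected before any RES is produced."""
    try:
        isim.run_aka(secrets.token_bytes(16), secrets.token_bytes(16))
    except ValueError as err:
        return str(err)
    return "accepted (bug)"

if __name__ == "__main__":
    hss, isim = HSS(K), ISIM(K)
    print(register(hss, isim))            # (True, True)
    print(replay_challenge(hss, isim))    # synchronisation failure: ...
    print(forged_challenge(isim))         # MAC failure: ...
```

The point worth noting is where K lives: only the ISIM and the HSS ever use it. The S-CSCF authenticates with XRES from the vector, and the P-CSCF receives CK and IK from the S-CSCF, so neither CSCF can impersonate the subscriber towards a different network, and a challenge that is replayed or not produced with K is rejected by the ISIM before any response leaves the terminal.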
Integrity Mechanism
IPsec ESP (Encapsulating Security Payload) provides integrity protection of SIP signalling between the UE and the P-CSCF, protecting all SIP signalling messages at the IP level. The general IPsec ESP concepts of security policy management, security associations and IP traffic processing also apply. ESP integrity is applied in transport mode between the UE and the P-CSCF.
ESP security associations (SAs) are set up during the SIP registration procedure: as a result of an authenticated registration, two pairs of unidirectional SAs between the UE and the P-CSCF, all shared by TCP and UDP, are established first in the P-CSCF and then in the UE. One SA pair is for traffic between a client port at the UE and a server port at the P-CSCF; the other pair is for traffic between a client port at the P-CSCF and a server port at the UE.
The integrity key IK_ESP is the same for the two pairs of simultaneously established SAs. IK_ESP is obtained from the key IK_IM established by the AKA procedure, using a key expansion function that depends on the ESP integrity algorithm.
The integrity key expansion on the user side is done in the UE; on the network side it is done in the P-CSCF.
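As an added example that is not part of the original report, the Python code below derives IK_ESP from IK_IM for the two ESP integrity algorithms of this release, HMAC-MD5-96 and HMAC-SHA-1-96 (following the key expansion rule of TS 33.203: IK_ESP = IK_IM for MD5, and IK_IM with its first 32 bits appended for SHA-1, which needs a 160-bit key), builds the four unidirectional SAs of an authenticated registration, and shows the P-CSCF rejecting a tampered REGISTER, accepting the genuine one and rejecting a replay of it. Assumptions: ESP carries the SIP message integrity-only (no encryption), a single strictly increasing sequence number check stands in for the IPsec anti-replay window, and the addresses, ports, SPIs and IK_IM are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass

def expand_ik(ik_im, alg):
    """Key expansion of TS 33.203: IK_IM is 128 bits. HMAC-MD5-96 takes it as is;
    HMAC-SHA-1-96 needs a 160-bit key, so the first 32 bits of IK_IM are appended."""
    if len(ik_im) != 16:
        raise ValueError("IK_IM must be 128 bits")
    if alg == "hmac-md5-96":
        return ik_im
    if alg == "hmac-sha-1-96":
        return ik_im + ik_im[:4]
    raise ValueError("unsupported ESP integrity algorithm")

@dataclass
class SA:
    """One unidirectional ESP SA in transport mode, integrity only (NULL encryption)."""
    spi: int
    src: str
    sport: int
    dst: str
    dport: int
    alg: str
    ik_esp: bytes
    last_seq: int = 0   # simplified anti-replay: sequence numbers must strictly increase

    def icv(self, hdr_and_body):
        h = hashlib.sha1 if self.alg == "hmac-sha-1-96" else hashlib.md5
        return hmac.new(self.ik_esp, hdr_and_body, h).digest()[:12]   # 96-bit ICV

    def protect(self, seq, sip_msg, next_header=17):
        """SPI | sequence number | payload | padding | pad length | next header | ICV."""
        pad_len = (-(len(sip_msg) + 2)) % 4
        body = sip_msg + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
        hdr = self.spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
        return hdr + body + self.icv(hdr + body)

    def verify(self, packet):
        """Return the SIP payload, or None when SPI, sequence number or ICV do not check out."""
        hdr, body, tag = packet[:8], packet[8:-12], packet[-12:]
        spi, seq = int.from_bytes(hdr[:4], "big"), int.from_bytes(hdr[4:], "big")
        if spi != self.spi or seq <= self.last_seq:
            return None
        if not hmac.compare_digest(tag, self.icv(hdr + body)):
            return None
        self.last_seq = seq
        return body[: len(body) - 2 - body[-2]]

def setup_sas(ue_ip, pcscf_ip, port_uc, port_us, port_pc, port_ps,
              spi_uc, spi_us, spi_pc, spi_ps, ik_im, alg):
    """The two SA pairs of an authenticated registration. Each side chooses the SPIs of
    the SAs it receives on (spi_uc/spi_us by the UE, spi_pc/spi_ps by the P-CSCF); all
    four SAs share the expanded key IK_ESP."""
    ik_esp = expand_ik(ik_im, alg)
    return {
        # pair 1: UE client port <-> P-CSCF server port
        "ue_c->pcscf_s": SA(spi_ps, ue_ip, port_uc, pcscf_ip, port_ps, alg, ik_esp),
        "pcscf_s->ue_c": SA(spi_uc, pcscf_ip, port_ps, ue_ip, port_uc, alg, ik_esp),
        # pair 2: P-CSCF client port <-> UE server port
        "pcscf_c->ue_s": SA(spi_us, pcscf_ip, port_pc, ue_ip, port_us, alg, ik_esp),
        "ue_s->pcscf_c": SA(spi_pc, ue_ip, port_us, pcscf_ip, port_pc, alg, ik_esp),
    }

def demo(alg="hmac-sha-1-96"):
    """UE and P-CSCF expand the same IK_IM independently; the P-CSCF then rejects a
    tampered REGISTER, accepts the genuine one and rejects a replay of it.
    Returns (tampered_rejected, accepted, replay_rejected)."""
    ik_im = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")        # constructed IK_IM
    args = ("10.0.0.5", "192.0.2.10", 5061, 5062, 5063, 5064, 0x1001, 0x1002, 0x2001, 0x2002)
    ue = setup_sas(*args, ik_im, alg)       # key expansion on the user side
    pcscf = setup_sas(*args, ik_im, alg)    # key expansion on the network side
    sip = b"REGISTER sip:home.example SIP/2.0\r\nCSeq: 2 REGISTER\r\n\r\n"
    pkt = ue["ue_c->pcscf_s"].protect(1, sip)
    forged = pkt[:20] + bytes([pkt[20] ^ 0x01]) + pkt[21:]          # flip one payload bit
    tampered_rejected = pcscf["ue_c->pcscf_s"].verify(forged) is None
    accepted = pcscf["ue_c->pcscf_s"].verify(pkt) == sip
    replay_rejected = pcscf["ue_c->pcscf_s"].verify(pkt) is None     # same sequence number
    return tampered_rejected, accepted, replay_rejected
```

Because the SAs are bound to the protected ports as well as to IK_ESP, a SIP message that arrives at the P-CSCF outside these SAs (or with a bad ICV) is not attributed to the registered user, which is what allows the other nodes of the home network to trust identities asserted by the P-CSCF.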
Hiding mechanism
The hiding mechanism is optional to implement. All I-CSCFs in the HN share the same encryption and decryption key. If the mechanism is used and the operator's policy states that the topology shall be hidden, the I-CSCF encrypts the hiding information elements (the header fields that would reveal the internal topology) when it forwards SIP requests or responses outside the hiding network's domain, and decrypts them again on messages that re-enter the domain.
4.4.6 User within Home Network
The figure shows the subscriber within his own home network. The UE's first point of contact within IMS is the P-CSCF of the home network.
After the P-CSCF has performed its tasks, control is passed to the I-CSCF of the same (home) network.
The remaining steps then authenticate the user and set up the session between the user and IMS.
Figure 9 shows the subscriber within a visited network. The UE's first point of contact within IMS is the P-CSCF of the visited network.
After the P-CSCF has performed its tasks, control is passed to the I-CSCF of the user's home network.
The remaining steps then authenticate the user and set up the session between the user and IMS. In this case the signalling between the visited network and the home network crosses a network boundary and is protected by security association 4 of figure 4.
HTTP is used within IMS for various service-related purposes, so access security must also be provided for HTTP-based services. Many solutions and suggestions have been proposed to address this in IMS [3].
One proposed solution does not require the UE to register with IMS before accessing an application server, provided that the service requires HTTP transport only. This independence also allows operators to add application services later on top of an existing IMS.
Network Domain Security for IP-based protocols (NDS/IP) is based on IPsec and offers the same set of security services as IPsec. IPsec has two security protocols: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH provides integrity/message authentication, while ESP provides both integrity/message authentication and confidentiality. For the confined domain of the UMTS core network some simplifications are made to IPsec. For NDS/IP, confidentiality is an essential requirement, and it cannot be met by AH; hence only ESP is used, and it is operated in tunnel mode.
Tunnel mode is the IPsec mode that protects the whole of the original IP packet, which becomes the payload of a new packet exchanged between the security gateways. Because the NDS/IP architecture places Security Gateways (SEGs) between security domains, tunnel mode is a necessary requirement of the architecture.
Because NDS/IP is specified at the network layer, protection for new IP-based protocols comes at no cost: the protocols themselves need no changes.
NDS/IP Architecture
NDS/IP consists of two interfaces and a Security Gateway (SEG) node. The two interfaces are:
- the Za interface, between the Security Gateways. The SEGs sit at the Za boundary of their security domain and are responsible for enforcing the security policy of that domain;
- the Zb interface, an optional interface between the network elements within one security domain. Within a domain, every element can communicate with every other element directly. The Za interface is restricted to ESP in tunnel mode, whereas this restriction does not apply to the Zb interface, since there are no roaming issues on Zb. The security policy of the Zb interface is therefore set by the security domain's administration.
For inter-domain traffic, all packets are sent via the SEG to the external destination. Consider a packet that has to be sent from NEA2 to NEB1. The packet is transmitted from NEA2 to SEGA, SEGA forwards it to SEGB, and finally SEGB forwards it to its destination NEB1. From a security point of view it makes a lot of sense to restrict external access to a limited set of gateways.
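As an added example that is not part of the original report, the Python model below implements the forwarding and admission rules just described: an SEG wraps an outbound inter-domain packet in an ESP tunnel-mode packet addressed to the peer SEG, and on ingress accepts only ESP tunnel-mode traffic from a known peer SEG whose inner packet originates in that peer's domain and terminates in its own. Plain IP, AH or transport-mode packets arriving over Za are dropped, as are packets whose inner source is spoofed. The domains, addresses and node names (NEA1, NEA2, SEGA, NEB1, SEGB) are constructed for the example; the cryptographic processing of ESP itself is not modelled here.

```python
from ipaddress import ip_address, ip_network

# Constructed topology using the report's naming: security domains A and B, each with
# network elements (NE) behind one Security Gateway (SEG). Addresses are examples.
DOMAINS = {
    "A": {"net": ip_network("10.1.0.0/16"), "seg": ip_address("192.0.2.1")},
    "B": {"net": ip_network("10.2.0.0/16"), "seg": ip_address("198.51.100.1")},
}
NODES = {"NEA1": "10.1.0.11", "NEA2": "10.1.0.12", "SEGA": "192.0.2.1",
         "NEB1": "10.2.0.21", "SEGB": "198.51.100.1"}

def domain_of(addr):
    addr = ip_address(addr)
    for name, d in DOMAINS.items():
        if addr in d["net"] or addr == d["seg"]:
            return name
    return None

def seg_egress(domain, pkt):
    """Outbound at the Za interface: the SEG wraps the whole original packet in an ESP
    tunnel-mode packet addressed to the peer SEG. The inner packet is left untouched."""
    peer = domain_of(pkt["dst"])
    if peer is None or peer == domain:
        raise ValueError("not an inter-domain packet")
    if domain_of(pkt["src"]) != domain:
        raise ValueError("SEG only tunnels traffic originating in its own domain")
    return {"src": str(DOMAINS[domain]["seg"]), "dst": str(DOMAINS[peer]["seg"]),
            "proto": "ESP", "mode": "tunnel", "inner": pkt}

def seg_ingress(domain, pkt):
    """Inbound at the Za interface. Returns the inner packet, or None (dropped) when the
    packet is not ESP tunnel mode from a known peer SEG or its inner addresses are wrong."""
    if pkt.get("proto") != "ESP" or pkt.get("mode") != "tunnel":
        return None                              # plain IP, AH or transport mode: not Za
    peers = [n for n, d in DOMAINS.items() if str(d["seg"]) == pkt["src"] and n != domain]
    if not peers or pkt["dst"] != str(DOMAINS[domain]["seg"]):
        return None                              # unknown peer SEG
    inner = pkt["inner"]
    if domain_of(inner["src"]) != peers[0]:
        return None                              # inner source spoofed from another domain
    if domain_of(inner["dst"]) != domain:
        return None                              # an SEG is not a transit router
    return inner

def send(src_name, dst_name, payload):
    """Deliver NE to NE. Intra-domain: direct over Zb (local policy). Inter-domain: via
    both SEGs over Za. Returns the hops taken as (interface, from, to)."""
    pkt = {"src": NODES[src_name], "dst": NODES[dst_name], "payload": payload}
    a, b = domain_of(pkt["src"]), domain_of(pkt["dst"])
    if a == b:
        return [("Zb", src_name, dst_name)]
    seg_a = next(n for n, ip in NODES.items() if ip == str(DOMAINS[a]["seg"]))
    seg_b = next(n for n, ip in NODES.items() if ip == str(DOMAINS[b]["seg"]))
    tunnelled = seg_egress(a, pkt)
    if seg_ingress(b, tunnelled) != pkt:
        raise RuntimeError("peer SEG dropped the packet")
    return [("Zb", src_name, seg_a), ("Za", seg_a, seg_b), ("Zb", seg_b, dst_name)]
```

The consequence for operations is that the only addresses a foreign domain ever needs to reach are the SEG addresses, so the inter-domain firewall rules reduce to "ESP between SEGA and SEGB", and any direct packet from a remote NE to a local NE is dropped regardless of what it carries.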
The 3GPP standard does not currently provide any support for IMS-level media plane security: the mechanisms described above protect the SIP signalling, not the media streams themselves.
5. Conclusion
Hacking and other security threats cannot be defeated in the sense of being eliminated entirely, but individual threats can be foiled by innovative and powerful countermeasures. For mobile wireless communication devices that means identifying the vulnerabilities, adopting a security strategy that takes all possible weaknesses into account, and deploying an architecture that is powerful enough to defeat today's threats yet adaptable enough to meet the unimagined threats of tomorrow head-on.
6. References:
3. HTTP Security, http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_25_Munich/Docs/PDF/S3-020528.pdf
13. 3G Security, Access Security for IP Based Services, Release 5, http://www.arib.or.jp/IMT-2000/V440Mar05/2_T63/ARIB-STD-T63/Rel5/33/A33203-590.pdf
14. The IMS and concepts in the mobile domain (Wiley), Miikka Poikselkä