SIP roaming solution amongst different WLAN-based service providers
Julián F. Gutiérrez (1), Alessandro Ordine (1), Luca Veltri (2)
(1) DIE, University of Rome "Tor Vergata", Italy
(2) Dpt. of Information Engineering - University of Parma, Italy
Università degli Studi di Parma
Dipartimento di Ingegneria dell'Informazione
WLAN/3G secure authentication based on SIP
Overview
- Scope
  - roaming amongst (WLAN-based) access networks
    • WLAN access networks are widely used
    • current wireless internet service providers (WISPs) use different authentication schemes
    • lack of an integrated and open authentication framework
- Goal
  - open solution for secure authentication in a wireless (also wired) access scenario, based on a distributed AAA architecture and on the SIP protocol
    • enabling the use through standard 3G terminals
  - testbed implementation
- Characteristics
  - captive-portal-like solution (layer-two independent)
  - based on the SIP registration procedure
Outline
- SIP authentication overview
  - Digest authentication
  - AKA
  - Digest-AKA
- Uni-Fy architecture
- SIP-based authentication scheme
- Implementation
- Future work
SIP Digest authentication
- It follows a challenge-based scheme relying on a shared secret for authentication purposes (as in HTTP authentication)
- Any time a proxy server or UA receives a request, it MAY challenge the initiator of the request to provide assurance of its identity
Message flow (UAC <-> UAS, i.e. registrar/redirect/proxy server):
  A. UAC -> UAS: INVITE / REGISTER
     UAS: challenge generation
  B. UAS -> UAC: 401 / 407 (with nonce)
     UAC: response generation
  C. UAC -> UAS: INVITE / REGISTER (with response)
     UAS: response verification
  D. UAS -> UAC: 200 OK
SIP AKA
Message flow (MT with USIM, Auth Server, HSS):
  1. Auth Server: User Id retrieval
  2. Auth Server -> HSS: AV request [User Id]
  3. HSS: generation of AV = RAND, AUTN, XRES, IK, CK
  4. HSS -> Auth Server: AV push [RAND, AUTN, XRES, IK, CK]
  5. Auth Server -> MT: Authentication challenge [RAND, AUTN]
  6. MT -> USIM: RAND, AUTN; USIM runs the AKA algorithm: verify AUTN, compute RES, generate IK, CK; USIM -> MT: RES
  7. MT -> Auth Server: Authentication response [RES]
SIP Digest-AKA
Message flow (SIP UAC with AKA SIM, SIP server, AKA HSS):
  1. SIP UAC -> SIP server: SIP request
  2. SIP server -> AKA HSS: AV request
  3. AKA HSS: generation of AV = {RAND, AUTN, XRES, IK, CK}; AV returned to the SIP server
  4. SIP server -> SIP UAC: SIP response 401/407 [challenge = RAND, AUTN]
  5. SIP UAC -> AKA SIM: start of AKA algorithm (RAND, AUTN); AKA SIM -> SIP UAC: ACK, RES
  6. SIP UAC: Digest calculation of "response" using RES as password
  7. SIP UAC -> SIP server: SIP request [challenge, response]
  8. SIP server: checks Digest "response" using XRES as password
  9. SIP request (authenticated) forwarded
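The Digest response computation of the Digest slide and its Digest-AKA variant (RES as the UAC password, XRES on the server side), as an added example that is not the authors' code. Assumptions: Digest per RFC 2617/3261 with MD5 and no qop, the nonce carrying base64(RAND || AUTN) as in RFC 3310, and an HMAC stand-in for the 3GPP AKA f2 function (a real USIM/HSS would run Milenage and also check AUTN); AV, RAND, AUTN, RES and XRES are the slides' own names.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not the authors' code. Digest follows RFC 2617 / RFC 3261 (MD5, no qop).
# Assumption: the 3GPP AKA f2 function (RES/XRES) is replaced by an HMAC stand-in.

def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(user: str, realm: str, password: bytes, nonce: str, method: str, uri: str) -> str:
    """response = MD5(HA1:nonce:HA2); the password is bytes because in Digest-AKA it is the raw RES."""
    ha1 = _md5(f"{user}:{realm}:".encode() + password)
    ha2 = _md5(f"{method}:{uri}".encode())
    return _md5(f"{ha1}:{nonce}:{ha2}".encode())

def server_verify(user: str, realm: str, secret: bytes, nonce: str, method: str, uri: str, response: str) -> bool:
    """Steps C/D of the Digest slide: recompute with the stored secret (or XRES) and compare."""
    expected = digest_response(user, realm, secret, nonce, method, uri)
    return hmac.compare_digest(expected, response)

def aka_f2(k: bytes, rand: bytes) -> bytes:
    # constructed stand-in for the 3GPP f2 function, not the real Milenage algorithm
    return hmac.new(k, rand, hashlib.sha256).digest()[:8]

def hss_generate_av(k: bytes) -> dict:
    """HSS side: AV = {RAND, AUTN, XRES}; AUTN is a constructed placeholder (no SQN/MAC-A here)."""
    rand = secrets.token_bytes(16)
    return {"RAND": rand, "AUTN": b"\x00" * 16, "XRES": aka_f2(k, rand)}

def aka_nonce(av: dict) -> str:
    # RFC 3310: the Digest nonce carries base64(RAND || AUTN || server data), so the 401 delivers the challenge
    return base64.b64encode(av["RAND"] + av["AUTN"]).decode()

def usim_res(k: bytes, nonce: str) -> bytes:
    """USIM side: recover RAND from the 401 nonce and run AKA (AUTN verification omitted)."""
    rand = base64.b64decode(nonce)[:16]
    return aka_f2(k, rand)

def digest_aka_register(k_usim: bytes, k_hss: bytes, user: str = "alice", realm: str = "home.example") -> bool:
    """Whole Digest-AKA exchange: the UAC uses RES as Digest password, the server checks with XRES.
    Returns True only if USIM and HSS hold the same long-term key K."""
    av = hss_generate_av(k_hss)
    nonce = aka_nonce(av)
    res = usim_res(k_usim, nonce)
    resp = digest_response(user, realm, res, nonce, "REGISTER", f"sip:{realm}")
    return server_verify(user, realm, av["XRES"], nonce, "REGISTER", f"sip:{realm}", resp)
```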
Uni-Fy
- Proposed solution based on the Uni-Fy distributed access control system
- Uni-Fy characteristics
  - Wireless LAN/HotSpot management system with
    • distributed authentication
    • access and policy control
    • other capabilities
  - authentication and authorization functions implemented at application layer
  - access control is applied at IP layer by means of a firewalling capability
  - the overall scheme can be viewed as a captive portal implementation
  - used within the TWELVE research project (developed by the University of Trento)
Uni-Fy architecture
Uni-Fy architecture
- Access network
  - through which mobile users can attach to the rest of the network (e.g. the Internet) and, after being successfully authenticated, gain connectivity towards it
- Gateway
  - acts as access router for the access network
  - enforces the policy rules (as PEP) dynamically set up by the Gatekeeper
- Gatekeeper
  - together with the Gateway, enforces the authentication procedure before granting access to mobile users
  - works at application level, redirecting specific application sessions to a proper authentication server
- Authentication Provider
  - directly or indirectly trusted by the Gatekeeper; application sessions are redirected to it in order to force a proper authentication procedure
  - its implementation strictly depends on the specific application supported for authentication purposes (HTTP, SIP, others)
  - optionally uses a backend authentication server (an AAA server such as a RADIUS or Diameter server) and an LDAP or DB repository
GW and GK architecture
- GW and GK can be co-located or implemented on different nodes
SIP-based authentication scheme
- Proposal of a captive-portal-like mechanism based on
  - an access control scheme based on the Uni-Fy architecture
    • open and flexible
  - the SIP authentication procedure
    • the same signaling platform used for multimedia real-time services and by 3G mobile networks
- When a mobile user roams into a new visited network
  - it tries to authenticate with its own SIP server
  - this procedure is intercepted by the local GK, administered by the visited ISP
  - the authentication procedure between the mobile user and its SIP server goes on, with some modifications
SIP extension
- For ISP-to-ISP authentication and correct retrieval of authorization information, an extension of the SIP authentication procedure is proposed
- Two new header fields are defined
  - Proxy-To-Proxy-Authenticate (pp-authenticate)
    • used to carry authentication request information
    • sent by a generic intermediate proxy to authenticate a next-hop entity, in order to correctly trust the information sent back as response by such next-hop entity
    • inserted by the proxy within the second SIP request from the UAC to the next-hop entity
  - Proxy-To-Proxy-Authorization (pp-authorization)
    • used to carry authentication response information
    • inserted in a SIP response message by the next-hop entity, in response to the pp-authenticate request
Authentication scheme
Message flow (CLIENT (UAC), Uni-Fy, SIP SERVER (UAS)):
  1. Client -> Uni-Fy -> SIP server: REGISTER
  2. SIP server -> Uni-Fy -> client: 401 Unauthorized (with challenge)
  3. Client -> Uni-Fy: REGISTER (with response)
  4. Uni-Fy -> SIP server: REGISTER (with response) + pp-authenticate (new header "Proxy-To-Proxy-Authenticate" added by Uni-Fy)
  5. SIP server -> Uni-Fy: 200 OK + pp-authorization, i.e. the answer to the usual supplicant authentication procedure + the answer to the challenge coming from Uni-Fy ("Proxy-To-Proxy-Authorization")
  6. Uni-Fy checks the response to the challenge; independently, the 200 OK is sent to the supplicant
  7. Uni-Fy -> client: 200 OK
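The proxy-to-proxy exchange of the SIP extension and Authentication scheme slides (GK adds pp-authenticate to the second REGISTER, the home server answers with pp-authorization in the 200 OK, GK decides whether to open access), as an added example that is not the authors' code. Assumptions: a pre-shared secret between the Uni-Fy gatekeeper and the home SIP server, an HMAC-SHA256 over realm:nonce as the pp-authorization response (the slides only say a shared secret mechanism is used), and constructed minimal SIP messages.

```python
import hashlib
import hmac
import re
import secrets

# Added example, not the authors' code. Assumptions: GK and the home SIP server share a
# pre-shared secret, and pp-authorization carries HMAC-SHA256(secret, realm:nonce).

PP_AUTHENTICATE = "Proxy-To-Proxy-Authenticate"
PP_AUTHORIZATION = "Proxy-To-Proxy-Authorization"

def _params(value: str) -> dict:
    # parse name="value" pairs of a Digest-style header value
    return dict(re.findall(r'(\w+)="([^"]*)"', value))

def _get_header(msg: str, name: str) -> str:
    m = re.search(rf"^{re.escape(name)}:\s*(.*?)\r\n", msg, re.M)
    return m.group(1) if m else ""

def _add_header(msg: str, line: str) -> str:
    head, sep, body = msg.partition("\r\n\r\n")
    return head + "\r\n" + line + sep + body

def _pp_response(secret: bytes, realm: str, nonce: str) -> str:
    return hmac.new(secret, f"{realm}:{nonce}".encode(), hashlib.sha256).hexdigest()

def gk_challenge_next_hop(register2: str, gk_realm: str) -> tuple:
    """GK intercepts the second REGISTER (the one with the Digest response) and appends pp-authenticate."""
    nonce = secrets.token_hex(16)
    line = f'{PP_AUTHENTICATE}: realm="{gk_realm}", nonce="{nonce}"'
    return _add_header(register2, line), nonce

def home_server_answer(register2: str, ok200: str, secret: bytes) -> str:
    """Home SIP server: after accepting the user's Digest response (not shown), answers GK inside the 200 OK."""
    p = _params(_get_header(register2, PP_AUTHENTICATE))
    resp = _pp_response(secret, p["realm"], p["nonce"])
    return _add_header(ok200, f'{PP_AUTHORIZATION}: realm="{p["realm"]}", nonce="{p["nonce"]}", response="{resp}"')

def gk_open_access(ok200: str, gk_realm: str, issued_nonce: str, secret: bytes) -> bool:
    """GK decision: open access at the GW (PEP) only if the next hop proved the shared secret
    against the nonce GK issued; the 200 OK is forwarded to the supplicant either way."""
    p = _params(_get_header(ok200, PP_AUTHORIZATION))
    if p.get("realm") != gk_realm or p.get("nonce") != issued_nonce:
        return False  # missing header, wrong realm, or replayed/foreign nonce
    return hmac.compare_digest(p.get("response", ""), _pp_response(secret, gk_realm, issued_nonce))

# constructed sample messages (minimal headers, no real Digest values)
REGISTER2 = ("REGISTER sip:home.example SIP/2.0\r\nFrom: <sip:alice@home.example>\r\n"
             'Authorization: Digest username="alice", realm="home.example", response="..."\r\n\r\n')
OK200 = "SIP/2.0 200 OK\r\nTo: <sip:alice@home.example>\r\n\r\n"
```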
Implementation testbed
- The whole authentication and authorization scenario has been implemented in a testbed
  - based on the Uni-Fy access control mechanism
  - GW and GK nodes have been realized based on the original Uni-Fy implementation (TWELVE project; http://netmob.unitn.it/twelve.html)
  - the GK plugin for SIP has been developed in C++
    • based on the reSIProcate C++ SIP stack library (http://www.sipfoundry.org/reSIProcate)
  - the proxy server (suitably extended with proxy-to-proxy authentication) has been implemented in Java
    • based on the mjsip SIP stack library and reference implementation (http://www.mjsip.org)
Future Work
- Improve the current shared secret mechanism between Uni-Fy and the next-hop entity
- Access to the 3G SIM card, in order to base the authentication procedure on the credentials stored in the SIM card
Thank you for your attention!!
For further details, please contact:
[email protected]