2/24/2011 Verizon Wireless: Security - Page 3

Sign In | Join | | About

Home Finance Resource Center 2011 AllBusiness AllStar Franchises Franchises for Sale Shop Legal Forms Small Business Blog Dow nload Center Business Resource Center

Starting a Business Operating Your Business Sales & Marketing Finance Hum an Resources Technology Business Library Resources

Security Let Verizon Wireless

help your Small
This section briefly describes CDMA 1xRTT and 1xEV-DO. It introduces the idea of a
Business in a big way
call setup, procedures involved, and the differences in call setup for 1xRTT and 1xEV-
DO. A mobile station is used to illustrate call setup. Learn more about Small Business solutions from VzW

4.1 1xRTT Autonomous Registration Authentication

Successful autonomous registration authentication is diagrammed in Figure 3. The authentication sequence

comprises 15 steps and focuses on the major protocol exchanges that begin with authentication between the mobile
station (MS) and the base station controller (BSC).

Figure 3: 1xRTT Autonomous Registration Authentication.

1. MS acquires the system, collecting a complete set of configuration messages before it is allowed to operate
on the system. The BS tells all mobiles when they should register in the System Parameters Message (one of
the messages in the set of configuration messages).
2. MS notices that it is obligated to register and so transmits a Registration Message.
3. The serving-system mobile switching center (MSC) or visitor location register (VLR) issues the ANSI-41
Registration Notification (REGNOT) Message for MS service qualification.
4. The home location register (HLR) responds with the REGNOT Result including the MS services profile.
5. Upon successful validation of service qualification in the REGNOT message, the BS confirms the MS’s

allbusiness.com/…/6480550-3.html 1/6
2/24/2011 Verizon Wireless: Security - Page 3
registration was successful with a Base Station Acknowledgment Message.
6.

a. Upon receipt of REGNOT in step 3 above, the Authentication Center (AC), based on its internal
authentication algorithms, initiates the SSD Update process. The first step is executing the Cellular
Authentication and Voice Encryption (CAVE) algorithm using the MS’s authentication key (A-Key),
electronic serial number (ESN), and a random number, called the RandomVariableSSD (RANDSSD). The
result is the new, "pending’ SSD subkey. The SSD has two parts: SSD-A (used for authentication) and
SSD-B (used for session key derivation).
b. The AC then selects RANDU (Unique Challenge) and calculates unique challenge authentication
signature (AUTHU). AUTHU is calculated by executing the CAVE algorithm again using the SSD-A (lower
64 bits of the SSD) RANDU, ESN, and mobile identifier number (MIN). The SSD Update process occurs
in parallel with the registration process.
c. ANSI-41 AuthenticationDirective Invoke message (AUTHDIR) is used to transfer the [RANDSSD,
RANDU, AUTHU] triplet from the AC to the VLR or serving MSC.

7. The serving system acknowledges the SSD update request by sending the ANSI-41 AUTHDIR to the AC.

8.

a. The BS sends an SSD Update Message, including the RANDSSD, to the MS.
b. The MS extracts the RANDSSD and independently computes the SSD.

9. The MS sends the SSD Update Confirmation Order confirming SSD update.
10. The BS executes a unique challenge by sending an Authentication Challenge Message including the
RANDU.

a. The MS extracts the RANDU and independently computes the AUTHU.

11. The MS returns the calculated AUTHU in the Authentication Challenge Response Message.
12. The serving system completes the unique challenge by validating whether the mobile station successfully
completed the unique challenge.
13. Serving MSC/VLR sends a report, including the SSD update and unique challenge results, to the AC in the
ANSI-41 ASREPORT message.
14. The HLR/AC verifies that the information in the ASREPORT is the expected result. If not, the HLR/AC
forwards the information to a Fraud Information Gathering System (FIGS) for use in determining fraudulent
activity.
15. The AC acknowledges the authentication report by sending the ANSI-41 ASREPORT to the VLR.

4.2 EV-DO Access Authentication

This section explains the process of how EV-DO access is granted and authenticated.

allbusiness.com/…/6480550-3.html 2/6
2/24/2011 Verizon Wireless: Security - Page 3

Figure 4: EVDO A12 Authentication.

1. The mobile node (MN) sends a Unicast Access Terminal Identifier (UATI)-Request.
2. The RNC assigns UATI.
3. UATI assignment is completed.
4. The EV-DO session is set up between the MN and RNC.
5. PPP/Link Control Protocol (LCP) negotiation completes between the MN and the RNC.
6. The RNC sends a Challenge-Handshake Authentication Protocol (CHAP) challenge to the MN.
7. The MN calculates a response based on the A12 CHAP key and includes this along with the A12 Network
Access Identifier (NAI) in a CHAP response to the RNC.
8. The RNC includes the challenge and response in a Radius Access Request to the local AN-AAA server.
9. The local AN-AAA server uses the NAI to forward the message to the proper home AN-AAA server, possibly
via brokers.
10. The home AN-AAA server validates the CHAP response and responds with an authorization response that
may be delivered using security between foreign (visited) and home networks. If the response is valid, the home
AN-AAA server returns the IMSI in the Radius Access-Accept.
11. The local AN-AAA server forwards the response to the RNC.
12. The RNC informs the MN of the A12 authentication result. The PPP link is terminated after A12
authentication.

4.3 Mobile IP (Public Network) or Enterprise Home Agent (Private Network) Access

This section explains how access to a public or private network is granted and the process needed for
authentication.

allbusiness.com/…/6480550-3.html 3/6
2/24/2011 Verizon Wireless: Security - Page 3

allbusiness.com/…/6480550-3.html 4/6
2/24/2011 Verizon Wireless: Security - Page 3

Figure 5: 3GMIPv4 Authentication.

1. The MN sends an Origination Message with the Data Ready to Send (DRS) bit set to the number (1), which
indicates a request to establish a traffic channel to the BS/MSC to request packet data service.
2. The BS/MSC acknowledges the receipt of the Origination Message with a Base Station Acknowledgement
Order to the Mobile Station.
3. The traffic channel is set up between the MN and BS/MSC.
4. The BS/MSC sends a SETUP message to the PCF.
5. The PCF sends back a CONNECT message to BS/MSC.
6. The PCF sends a R-P request to the PDSN to establish the R-P (i.e., A10/A11 interface) connection.
7. The PDSN responds to the PCF connection request and the A10/A11 connection is established.
8. The BS/MSC sends a second SETUP message to provide "airlink start" accounting information.
9. The second RELEASE message to the BS/MSC is required to acknowledge the above SETUP message. In
this case the RELEASE message does not "release" any resources.
10. The PCF sends an R-P Registration Request RRQ message to the PDSN containing "airlink start"
accounting information.
11. The PDSN records the accounting information and responds back to the PCF with the R-P Registration
Response RRP message.
12. The BS/MSC sends a Radio Link Protocol RLP synchronization message to the MN.
13. A PPP session is established between the MN and the PDSN.
14. PPP negotiation completes. IP Control Protocol (IPCP) configures a simple IP address or rejects IPCP IP
address configuration to indicate mobile IP service is requested (versus simple IP service).
15. After PPP initialization, the PDSN sends Foreign Agent Challenge (FAC) extension advertisements to the
mobile station. The mobile station may send an agent solicitation message to the PDSN/foreign agent following
PPP initialization.

allbusiness.com/…/6480550-3.html 5/6
2/24/2011 Verizon Wireless: Security - Page 3
16. The mobile station generates a mobile IP registration request containing four MIPv4 extensions: NAI, MN-HA
Authentication, FAC, and MN-AAA Authentication Extension. In this example we assume the user is requesting
a secure reverse tunnel (see steps 33 and 36) as part of the MIP RRQ message.
17. Using the NAI, the RADIUS protocol, the PDSN sends an authentication request to the local AAA. This
request includes the MN NAI, MN-AAA authentication, and FAC/HA address (if any), as well as other
information.
Site Map | Contact Us | FAQs | About Us | RSS Directory | Newsletters | Disclosure Policy | Media Kit
18. The local AAA server uses the NAI to forward the message to the proper home AAA server, possibly via
brokers. Copyright © 1999 - 2011 AllBusiness.com, Inc. All rights reserved.
No part of this content or the data or information included therein may be reproduced,
19. The home AAA responds with an authorization response that may be delivered using security between foreign
republished or redistributed without the prior written consent of AllBusiness.com.
(visited) and home networks. If the MN-AAA authenticator is valid, the home AAA returns the FA-HA secret key
Use of this site is governed by our Copyright and Intellectual Property Policy, Terms of Use Agreement and Privacy Policy.
and key index in the Radius Access-Accept.
Get In-Depth
20. The local AAA forwards the response Company Information from Hoover's | What is in Your Company's D&B Credit Report?
to the PDSN.
View All D&B Sales & Marketing Solutions | Get Email Lists from D&B Professional Contacts | Build Mailing Lists from Zapdata | Company Profiles
21. The PDSN sets up a security association with the HA (if one does not already exist) with an Internet Key
Information and opinions on AllBusiness.com solely represent the thoughts and opinions of the authors and are not endorsed by, or reflect the beliefs of,
Exchange (IKE) pre-shared secret. Note: The IKE pre-shared secret can be dynamically configured as per IS-835
AllBusiness.com, its parent company D&B, and its affiliates.
(distributed by the Home RADIUS server) or statically configured.
22. The HA acknowledges and responds to the IKE exchange.
23. The PDSN sends the mobile IP RRQ to the HA. If the Mobile Station wants to use its static Home Address
(or the Mobile Station already has a mobile IP address and the same mobile IP session is being continued), the
Mobile includes the IP Address as the MIP RRQ (step 16) home address. If the Mobile Station wants a dynamic
home address, it sets the home address to zero (0.0.0.0). Thus, in this case the HA field of the mobile IP RRQ is
set to zero (0.0.0.0).
24. The HA requests the MN-HA key from the AAA.
25. The AAA returns the MN-HA secret key corresponding to the NAI in an Access-Accept (on a secure
channel).
26. The HA validates the MN-HA authenticator. If valid, the HA responds with a mobile IP RRP Message, and if
requested, provides a dynamic IP address for the MN. Otherwise, the supplied address offered in the MIPv4 RRQ
is accepted.
27. The PDSN sends the RRP to the MS after recording the reply in the visitor entry list.
28. The PDSN sends an accounting start to the AAA server (which may forward the message to the AAA via
optional brokers).
29. For roaming services, the local AAA server forwards the accounting start to the remote AAA server.
30. The remote AAA server records the accounting start and responds back to the local AAA server.
31. The local AAA server forwards the accounting response to the PDSN.
32. User data flows from the MS over the PPP link to the PDSN.
33. User data flows in the IPSec tunnel between the PDSN and the HA.
34. User data flows in an IP packet from the HA to the host.
35. User data flows in an IP packet from the host to the HA.
36. User data flows over the IPSec tunnel between the HA and the PDSN.
37. The PPP Packet flows from the PDSN to the MS.

Previous Page 1 2 3 4 Next Page

More Verizon Wireless White Papers

CONNECTIVITY
Wireless connectivity and data transport solutions from Verizon Wireless allow companies to
establish a private, direct connection between the enterprise network and the Verizon Wireless
broadband network.

PRIVATE NETWORK
Over time, more and more demands have been made on the capabilities of corporate networks.
Workers want more mobility, high-speed access, and an extension of applications across the
enterprise, all of which can strain current IT capabilities.

allbusiness.com/…/6480550-3.html 6/6