Contents
10 Authentication Feature 10-1
10.1 Service Description 10-2
10.1.1 Function Code 10-2
10.1.2 Definition 10-2
10.1.3 Benefits 10-2
10.2 Availability 10-3
10.2.1 Requirements for NEs 10-3
10.2.2 Requirements for License 10-3
10.2.3 Applicable Versions 10-3
10.3 Working Principle 10-3
10.4 Service Flow 10-4
10.4.1 UMTS Authentication 10-4
10.4.2 GSM Authentication 10-5
10.5 Data Configuration 10-7
10.5.1 Data Configuration on MSOFTX3000 10-7
10.5.2 Data Configuration on HLR 10-7
10.6 Service Management 10-7
10.6.1 Subscription of Authentication 10-7
10.6.2 Query of Authentication 10-7
10.7 Charging and CDR 10-7
10.8 Service Interaction 10-8
10.9 Reference 10-8
10.9.1 Protocols and Specifications 10-8
10.9.2 Glossary, Acronyms and Abbreviations 10-8
Issue 09 (2007-05-20)
Figures
Figure 10-1 Flow of UMTS authentication 10-4
Figure 10-2 Flow of GSM authentication 10-6
Tables
Table 10-1 Function names and function codes in the authentication and encryption 10-2
Table 10-2 Benefits for carriers and mobile subscribers 10-2
Table 10-3 NEs involved in the authentication and encryption 10-3
Table 10-4 Versions of the products that support the authentication and encryption 10-3
Table 10-5 Steps of configuring authentication data 10-7
10 Authentication Feature
About This Chapter
The following list gives the sections of this chapter and what each section describes.
Section 10.1 Service Description: This section describes the function code, the function definition of this feature, and the benefits that carriers and mobile subscribers can obtain from this feature.
Section 10.2 Availability: This section describes the network elements (NEs) that are required for the feature, whether licenses are required, and the version requirements of the NEs.
Section 10.3 Working Principle: This section describes the functions of the NEs, and networking requirements.
Section 10.4 Service Flow: This section describes the service flow of the network when providing this feature.
Section 10.5 Data Configuration: This section describes the data configurations that are required on the MSOFTX3000 and the UMG8900.
Section 10.6 Service Management: This section describes the service operations that carriers and mobile subscribers are required to implement when the network provides this feature.
Section 10.7 Charging and CDR: None
Section 10.8 Service Interaction: None
Section 10.9 Reference: This section describes the protocols and specifications that this feature must comply with, and the acronyms and abbreviations of this chapter.
10.1.2 Definition
Authentication is a process used by a network to verify the validity of a UE. In the UMTS, a UE can also verify the validity of the network. Authentication, as part of the security management of a wireless network, guarantees the confidentiality and integrity of the wireless network, so that illegal subscribers cannot use the services that the network provides.
10.1.3 Benefits
Table 10-2 lists the benefits for carriers and mobile subscribers.
Table 10-2 Benefits for carriers and mobile subscribers
Beneficiary: Carriers. Description: Authentication is an elementary feature of a network. Authentication enables carriers to verify the validity of MSs/UEs, and prevents illegal subscribers from accessing the network and using the services that the network provides.
Beneficiary: Mobile subscribers. Description: Authentication protects mobile subscribers from illegal attack.
10.2 Availability
10.2.1 Requirements for NEs
The authentication and encryption feature requires the cooperation of the UE/MS, the base station subsystem (BSS), the radio access network (RAN), and the core network (CN). For details, see Table 10-3.
Table 10-3 NEs involved in the authentication and encryption: UE/MS, NodeB/BTS, RNC/BSC, MSC Server, MGW, SGSN, GGSN, VLR, HLR
Figure 10-1 Flow of UMTS authentication (figure not reproduced). Interfaces shown: Uu between UE and RAN, Iu (RANAP) between RAN and MSC, MAP B between MSC and VLR, MAP D between VLR and HLR/AuC. Message labels: 1 service request (call setup/location update/supplementary service/SMS); 2 MAP request (CKSN, IMSI/TMSI); 3 request for authentication parameters (IMSI); 4 return parameters (IMSI, RAND, CK, IK, AUTN, XRES); 5 start authentication (RAND, AUTN); 6 refuse authentication (XMAC differs from MAC) or synchronization failure (SQNHE versus SQNMS), followed by AuC re-synchronization; 7 authentication response, then accept/refuse the request (authentication succeeds: legal UE; authentication fails: illegal UE).
Explanations of the flow of UMTS authentication are as follows:
Step 1 The UE sends an authentication request to the mobile switching center (MSC). The authentication of services is defined by the data configured on the MSC.
Step 2 The MSC sends a MAP_PROCESS_ACCESS_REQUEST to the VLR, requesting the authentication set from the VLR. If there are available authentication sets in the VLR, the VLR returns the RAND and AUTN contained in the authentication set to the MSC before starting authentication. The MSC then directly transfers the two parameters to the UE over the RAN, without interacting with the AuC. That is, step 5 takes place immediately after step 2. If no available authentication set is in the VLR, step 3 takes place.
Step 3 The VLR requests the authentication set from the AuC.
Step 4 The AuC returns one to five groups of quintuples to the VLR based on actual conditions.
Step 5 The VLR starts authentication.
Step 6 The UE calculates the authentication parameters XMAC and SQNMS at the UE side, based on the RAND and AUTN returned by the VLR. The UE then compares XMAC and SQNMS with the MAC and SQNHE carried in AUTN.
If MAC is not equal to XMAC, the UE's authentication of the network fails. In this case, the VLR reports the authentication failure message to the AuC.
If the difference between SQNMS and SQNHE is not within the specific range, the UE's authentication of the network also fails. In this case, the VLR sends a re-synchronization message to the AuC. The re-synchronization flow is similar to the flow of obtaining an authentication set from the AuC. The difference is that the MAP_SEND_AUTHENTICATION_INFO message carries the re-synchronization information, consisting of AUTS and RAND. After receiving the re-synchronization message, the AuC calculates MAC based on the RAND in the message and compares it with the MAC-S in AUTS, to judge whether the re-synchronization request is valid. The AuC adjusts its own SQNHE based on the SQNMS in AUTS, and calculates a new group of authentication values for the VLR. The VLR starts authentication again with the new group of authentication values, and returns AUTN and RAND to the UE. After that, steps 3 and 4 are repeated. If the validity verification succeeds, the authentication succeeds.
Step 7 The UE calculates XRES based on the AUTN and RAND returned from the VLR, and sends an authentication response carrying XRES to the VLR.
Step 8 The VLR compares the XRES returned by the UE with the XRES calculated by the AuC. If the two values are different, the VLR sends an authentication rejection response to the UE. The UE receives the response. This means the UE is invalid and the authentication fails.
If the two values are the same, the network's authentication of the UE succeeds. In this case, the network sends a response to the UE, indicating that the service or location update is accepted.
----End
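As an added illustration (not code from the original document or the product), the following Python models the UE-side checks of Step 6 (MAC versus XMAC, then the SQN window) and the VLR comparison of Step 8. The f1/f2/f5 functions are assumed placeholders built on HMAC-SHA256 rather than the operator's real algorithm, and the SQN window `delta` is a constructed value.

```python
import hmac
import hashlib
import secrets


# Constructed stand-ins for the f1/f2/f5 functions of TS 33.102. Assumption: the real
# network uses the operator's algorithm (e.g. MILENAGE); keyed HMAC-SHA256 is only a
# placeholder so the flow can run offline with the same inputs and outputs.
def _f(k: bytes, tag: bytes, *parts: bytes, n: int) -> bytes:
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]


def f1(k, rand, sqn, amf):  # MAC-A, 64 bits
    return _f(k, b"f1", rand, sqn, amf, n=8)


def f2(k, rand):  # RES / XRES, 64 bits here
    return _f(k, b"f2", rand, n=8)


def f5(k, rand):  # AK, 48 bits, conceals SQN inside AUTN
    return _f(k, b"f5", rand, n=6)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def auc_generate(k: bytes, sqn_he: int, amf: bytes = b"\x80\x00"):
    """Step 4: the AuC builds one vector (RAND, XRES, AUTN) for the VLR."""
    rand = secrets.token_bytes(16)
    sqn = sqn_he.to_bytes(6, "big")
    autn = xor(sqn, f5(k, rand)) + amf + f1(k, rand, sqn, amf)  # (SQN xor AK) || AMF || MAC
    return rand, f2(k, rand), autn


def ue_check(k: bytes, rand: bytes, autn: bytes, sqn_ms: int, delta: int = 2**28):
    """Steps 6/7 at the UE: verify MAC first, then SQN freshness, then compute RES."""
    sqn = int.from_bytes(xor(autn[:6], f5(k, rand)), "big")
    amf, mac = autn[6:8], autn[8:16]
    if not hmac.compare_digest(mac, f1(k, rand, sqn.to_bytes(6, "big"), amf)):
        return "mac_failure", None  # network not authenticated; VLR reports to AuC
    # SQN must be ahead of the UE's counter but not implausibly far ahead (constructed window)
    if not (sqn_ms < sqn < sqn_ms + delta):
        return "sync_failure", None  # UE would return AUTS for re-synchronization
    return "ok", f2(k, rand)


def vlr_compare(res, xres) -> bool:
    """Step 8: the VLR compares the UE's response with XRES from the AuC."""
    return res is not None and hmac.compare_digest(res, xres)
```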
Figure 10-2 Flow of GSM authentication (figure not reproduced). Message labels: 6 authentication response, then acceptance response; 7 accept the request/refuse the request (authentication succeeds: legal UE; authentication fails: illegal UE); 8 compare SRES and XRES.
Explanations of the flow of GSM authentication are as follows:
Step 1 The MS sends an authentication request to the MSC. The authentication of services is defined by the data configured on the MSC.
Step 2 The MSC sends a MAP_PROCESS_ACCESS_REQUEST to the VLR, requesting the authentication set from the VLR. If there are available authentication sets in the VLR, the VLR returns the RAND and AUTN contained in the authentication set to the MSC before starting authentication. The MSC then directly transfers the two parameters to the MS, without interacting with the AuC. That is, step 5 takes place immediately after step 2. If no available authentication set is in the VLR, step 3 takes place.
Step 3 The VLR requests the authentication set from the AuC.
Step 4 The AuC returns one to five groups of triplets to the VLR based on actual conditions.
Step 5 The VLR starts authentication.
Step 6 The MS calculates SRES based on the RAND returned from the VLR, and sends an authentication response carrying SRES to the VLR.
Step 7 The VLR compares the SRES returned by the MS with the SRES calculated by the AuC. If the two values are different, the VLR sends an authentication rejection response to the MS. The MS receives the response. This means the MS is invalid and the authentication fails.
If the two values are the same, the network's authentication of the MS succeeds. In this case, the network sends a response to the MS, indicating that the service or location update is accepted.
----End
When a UMTS subscriber roams in the GSM, the AuC may return a quintuple to the VLR. In this case, the VLR must transform the quintuple into a triplet. After that, the VLR returns the ciphering key sequence number (CKSN) together with the RAND in the triplet to the MS.
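The quintuple-to-triplet transformation mentioned above corresponds to the conversion functions c2 (XRES to SRES) and c3 (CK, IK to Kc) defined in 3GPP TS 33.102; the following Python is an added example written here, not the product's own code, and the sample values in the test are constructed.

```python
def xres_to_sres(xres: bytes) -> bytes:
    """Conversion function c2: SRES = XRES*1 xor XRES*2 xor XRES*3 xor XRES*4,
    where XRES* is XRES zero-padded to 128 bits and split into four 32-bit words."""
    if not 4 <= len(xres) <= 16:
        raise ValueError("XRES must be 32..128 bits long")
    padded = xres.ljust(16, b"\x00")
    sres = bytes(4)
    for i in range(0, 16, 4):
        sres = bytes(a ^ b for a, b in zip(sres, padded[i:i + 4]))
    return sres


def ck_ik_to_kc(ck: bytes, ik: bytes) -> bytes:
    """Conversion function c3: Kc = CK1 xor CK2 xor IK1 xor IK2,
    where CK = CK1 || CK2 and IK = IK1 || IK2 are split into 64-bit halves."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must each be 128 bits long")
    halves = (ck[:8], ck[8:], ik[:8], ik[8:])
    return bytes(a ^ b ^ c ^ d for a, b, c, d in zip(*halves))


def quintuple_to_triplet(quintuple):
    """VLR side: derive the GSM triplet (RAND, SRES, Kc) from a UMTS quintuple.
    AUTN is dropped because GSM provides no authentication of the network to the MS."""
    rand, xres, ck, ik, _autn = quintuple
    return rand, xres_to_sres(xres), ck_ik_to_kc(ck, ik)
```

Because Kc is derived from both CK and IK by XOR, a GSM-only radio leg protects the session with a 64-bit key even though the subscriber holds 128-bit UMTS keys.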
10.9 Reference
10.9.1 Protocols and Specifications
3GPP TS 33.102: 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Security Architecture
3GPP TS 29.002: 3rd Generation Partnership Project; Technical Specification Group Core Network; Mobile Application Part (MAP) specification
10.9.2 Glossary, Acronyms and Abbreviations
Quintuple
Acronym/Abbreviation: VLR