(IMS)
Rohan Kiran Chitnis
Thomas M. Chen
Department of Electrical Engineering
Southern Methodist University
Dallas, Texas 75275
rchitnis@mail.smu.edu, tchen@engr.smu.edu
Tel: (214) 768-8541
Abstract – Early IMS has been recognized as an evolutionary step from existing
networks to full IMS. Concern has been raised about the adequacy of incomplete
security. This paper examines the concepts of identity and potential identity threats in
early IMS. The early IMS authentication process designed to protect against the most
likely identity threats is described.
1. Introduction
In the very broad picture, mobile devices (cell phones, smartphones, wireless
PDAs) and the Internet stand out as recent successes in the telecommunications field.
There are now more than 2 billion mobile device users around the world, and demand
continues to grow for faster 3G services. Mobile devices have clearly evolved from
simple phones to multimedia computing devices similar in capabilities to traditional PCs.
Multimedia mobile devices have a need beyond simply accessing the Internet; they need
sophisticated real-time multimedia services built on common Internet protocols [1].
The initial idea of building an IMS (IP Multimedia Subsystem) architecture for
delivering IP-based (Internet Protocol) multimedia to mobile users came from the 3G.IP
(3rd Generation Internet Protocol Forum) industry forum. The initial IMS architecture
was brought to 3GPP (3rd Generation Partnership Project) which was working on
standards for the Universal Mobile Telecommunications System (UMTS). 3GPP Release
4 completed in 2001 included IP transport for the core network, and IMS was added in
3GPP Release 5 in 2002. Release 5 identified architectural entities, reference points,
quality of service, AKA (authentication and key agreement) for security, and SIP (session
initiation protocol) for signaling.
In 2004, 3GPP Release 6 added interoperability with wireless local area networks,
IP address-based authentication, confidentiality protection of SIP messages, and some
enhancements to IMS such as PoC (push to talk over cellular). In 2006, 3GPP Release 7
added more support for fixed broadband networks.
“Early IMS” was defined to allow an evolutionary path towards fully compliant
IMS implementations. In particular, it was believed that a complete IMS security
implementation would take considerable time to be realized [2,3]. One reason is that IMS
uses IPv6 (version 6), which is far from ubiquitous. Early IMS can use IPv4 and aims to
incorporate some security defenses against the most significant threats [4].
In this paper, we examine the shortcomings of security in early IMS. In particular,
we discuss the concept of identities in IMS and possible threats to identities in early IMS.
A goal of early IMS is “strength of subscriber authentication comparable to the level of
authentication provided for existing chargeable services in mobile networks” [4].
2. IMS Identities
A public identity may be shared by multiple mobile devices, each device using a
different private identity, so that multiple people may be reached with the same public
identity. In this case, a group of people share the same IMS subscription and service
profile. Figure 1 shows that a private identity can have multiple public identities, and a
public identity may be associated with multiple private identities.
[Figure 1: private identities 1 and 2, public identities 1 and 3, and service profiles 1 and 2; a private identity maps to several public identities, and a public identity may be associated with several private identities.]
controller. As the first point of contact for the IMS user, all signaling messages go
through the P-CSCF, which is therefore able to inspect and process every signaling message.
[Figure 2: IMS architecture, showing the User, GGSN, P-CSCF, I-CSCF, S-CSCF and HSS.]
The I-CSCF is a SIP proxy that resides in the user’s home network and serves as
the point of contact for calls going to that user’s home network. It queries the HSS (home
subscriber server) for available S-CSCFs, chooses one, and routes SIP requests to it.
The S-CSCF is another SIP proxy residing in the user’s home network. It consults
the HSS to look up information about a user and his/her service profile (authorized
services). After determining which services are authorized, the S-CSCF forwards SIP
signaling to the appropriate application servers. The S-CSCF maintains session state to
support services.
3.1. Basic Registration Process
A user Alice must register with IMS in order to use services. Alice’s private
identity is used for authentication and associating her with the correct service profile. The
registration process is based on challenge-response and carried out in two phases. The
first phase, shown in Figure 3, results in a challenge from the network sent to Alice. In the
second phase, shown in Figure 4, Alice returns a response to prove her identity.
[Figure 3: first phase of registration. (1) Register: Alice → P-CSCF (visited network); (2) Register: P-CSCF → I-CSCF (home network); (3) S-CSCF assignment: I-CSCF ↔ HSS; (4) Register: I-CSCF → S-CSCF; (5) Authentication data: S-CSCF ↔ HSS; (6)–(8) 401 Unauthorized returned via I-CSCF and P-CSCF to Alice.]
[Figure 4: second phase of registration. (10) Register: P-CSCF → I-CSCF; (11) S-CSCF assignment: I-CSCF ↔ HSS; (12) Register: I-CSCF → S-CSCF; (13) User profile: S-CSCF ↔ HSS; (14)–(15) 200 OK returned via I-CSCF and P-CSCF to Alice.]
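The two phases of Figures 3 and 4 as a runnable simulation. This is an added example, not code from the paper; it keeps only the S-CSCF and HSS roles, uses HMAC-SHA256 over the challenge as an assumed stand-in for the AKA response computation the paper does not detail, and all identities and keys are constructed.

```python
import hashlib
import hmac
import os

# Constructed subscriber table standing in for the HSS: private identity -> shared key.
# HMAC-SHA256 over the challenge is an ASSUMED stand-in for the AKA response computation,
# which the paper does not detail; the message flow follows Figures 3 and 4.
HSS_KEYS = {"alice@home.example": b"constructed-shared-key-for-alice"}

def response_for(key: bytes, challenge: bytes) -> str:
    """Response both Alice's ISIM and the HSS derive from the shared key (assumption)."""
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()

class HSS:
    def authentication_data(self, private_id):
        """Step (5): hand the S-CSCF a fresh challenge and the expected response."""
        key = HSS_KEYS.get(private_id)
        if key is None:
            return None
        challenge = os.urandom(16)
        return challenge, response_for(key, challenge)

class SCSCF:
    def __init__(self, hss):
        self.hss = hss
        self.pending = {}        # private identity -> expected response for an open challenge
        self.registered = set()

    def register(self, private_id, response=None):
        """Handle one REGISTER; returns (SIP status, challenge or None)."""
        if response is None:                           # phase 1: steps (4)-(6)
            data = self.hss.authentication_data(private_id)
            if data is None:
                return "403 Forbidden", None           # unknown private identity
            challenge, expected = data
            self.pending[private_id] = expected
            return "401 Unauthorized", challenge
        expected = self.pending.pop(private_id, None)  # phase 2: steps (12)-(14)
        if expected is None or not hmac.compare_digest(expected, response):
            return "403 Forbidden", None               # no open challenge, or wrong response
        self.registered.add(private_id)
        return "200 OK", None

def client_registers(scscf, private_id, key):
    """Alice's side: send REGISTER, answer the 401 challenge, return the final status."""
    status, challenge = scscf.register(private_id)
    if status != "401 Unauthorized":
        return status
    status, _ = scscf.register(private_id, response_for(key, challenge))
    return status
```

Each challenge is consumed on first use, so a response captured from one registration is rejected if replayed.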
3.2. User Authentication
“Early IMS” refers to the industry’s recognition that existing networks will take
significant time to evolve to an IMS architecture that is fully compliant with standards.
For one thing, IMS requires IPv6 but early IMS may use IPv4. Early IMS is an
evolutionary stage between existing networks and full IMS, where security mechanisms
in particular may not be complete but should be adequate to ensure confidentiality
(especially over the radio interface) and authentication of subscribers to access their
authorized services [4]. Existing 3GPP access including GSM (Global System for
Mobile) and GPRS (General Packet Radio Service) is specifically supported with early
IMS security.
Since 2G-only mobile devices might access early IMS, the interim security in
early IMS may not depend on ISIM-based authentication, as described above. Early IMS
security aims only to protect against the most likely and serious security threats, under
these constraints:
• low impact on existing mobile devices
• smooth migration towards full IMS security
• co-existence with full IMS security
• support for secure 3GPP access (GSM/GPRS)
• a single early IMS solution.
What are the most likely and serious identity threats? The presumed goal of
identity theft is to masquerade as someone else in order to access and steal network
services [4]. One can easily imagine different ways in which an intruder Trudy might
perpetrate such a masquerade:
Scenario 1: intruder Trudy accesses the network with her own IP address and
IMS identity, and sends a SIP INVITE request (to set up a connection) with her own IP
address but a legitimate user Alice’s IMS identity. In this way, Trudy would be charged
for IP connectivity but IMS service would be fraudulently charged to Alice.
Scenario 2: intruder Trudy sends a SIP INVITE request with her own IMS
identity but a legitimate user Alice’s IP address. In this way, Trudy would be charged for
IMS service but Alice would be fraudulently charged for IP connectivity. This would
have no impact on Alice if she is already paying a flat fee for unlimited IP connectivity.
In addition, this fraud makes sense for Trudy only for IMS services with outgoing traffic
because incoming packets will go to Alice instead of Trudy.
Scenario 3: intruder Trudy sends a SIP INVITE request with a legitimate user
Alice’s IMS identity and Alice’s IP address. In this way, Alice will be fraudulently
charged for IP connectivity and IMS services. However, Trudy does not accomplish that
much. Similar to scenario 2, this fraud makes sense for Trudy only for IMS services with
outgoing traffic because incoming packets will go to Alice instead of Trudy.
Naturally, a wide range of identity attacks are possible, for example, man-in-the-
middle attacks, session hijacking, DNS (domain name system) attacks, or rogue SIP
proxies. Early IMS does not attempt to protect against every potential threat and does not
claim to provide adequate protection against sophisticated attacks.
[Figure 5: early IMS registration. (2)–(3) Register forwarded from Alice through the GGSN and P-CSCF (visited network) to the I-CSCF (home network); (4) S-CSCF assignment: I-CSCF ↔ HSS; (5) Register: I-CSCF → S-CSCF; (6) Public identity and stored IP address: S-CSCF ↔ HSS; (7)–(9) 200 OK returned via I-CSCF and P-CSCF to Alice.]
For registration to work, the HSS must know the public identity associated with
Alice’s subscription. Before the process is initiated, it is important for Alice to contact the
HSS, going through the GGSN, to establish a binding between her MSISDN, IMSI, and
IP address. The procedure for this initial contact is not shown in Figure 5.
The registration process in Figure 5 assumes that the HSS has a binding between
Alice’s MSISDN, IMSI, and IP address. Alice initiates registration by a SIP REGISTER
request to the GGSN. The GGSN knows the proper binding between Alice’s public
identity and her IP address, and will check for IP address spoofing in the REGISTER
request. The REGISTER message is forwarded to the P-CSCF and then the I-CSCF. The I-
CSCF passes the public identity to the HSS, which designates an S-CSCF. The
REGISTER request is forwarded to the assigned S-CSCF, which queries the HSS with
Alice’s public identity. The HSS checks the MSISDN or IMSI bound to that public
identity to determine Alice’s IP address. After learning Alice’s IP address from the HSS,
the S-CSCF compares the proper IP address to the IP address in the REGISTER request.
If the IP addresses match, then Alice’s identity is authenticated, and a 200 OK response is
returned back to her.
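The early IMS check of Figure 5, with the three masquerade scenarios of Section 3.2 replayed through it. This is an added example, not the paper's or 3GPP's code: the HSS binding tables, identities and IP addresses are constructed, and the GGSN check is modelled simply as "source IP must equal the sender's bearer IP".

```python
# Constructed HSS tables standing in for the binding the paper says must exist before
# registration: public identity -> MSISDN, and MSISDN -> (IMSI, IP address). All values
# and names are invented for this example; the checks follow the text and Figure 5.
PUBLIC_TO_MSISDN = {
    "sip:alice@home.example": "+15551230001",
    "sip:trudy@home.example": "+15551230002",
}
MSISDN_TO_IMSI_IP = {
    "+15551230001": ("310150000000001", "10.0.0.5"),
    "+15551230002": ("310150000000002", "10.0.0.9"),
}

def hss_stored_ip(public_id):
    """HSS step (6): public identity -> MSISDN/IMSI -> IP address bound at bearer setup."""
    msisdn = PUBLIC_TO_MSISDN.get(public_id)
    if msisdn is None:
        return None
    _imsi, ip = MSISDN_TO_IMSI_IP[msisdn]
    return ip

def ggsn_accepts(bearer_ip, request):
    """GGSN anti-spoofing: the source IP in the packet must be the bearer's own address."""
    return request["src_ip"] == bearer_ip

def scscf_check(request):
    """S-CSCF: compare the HSS-stored IP for the claimed identity with the request's source IP."""
    stored_ip = hss_stored_ip(request["public_id"])
    if stored_ip is None:
        return "403 Forbidden (unknown public identity)"
    if stored_ip != request["src_ip"]:
        return "403 Forbidden (IP address mismatch)"
    return "200 OK"

def early_ims_register(bearer_ip, claimed_public_id, src_ip):
    """Run one REGISTER through the GGSN and S-CSCF checks; bearer_ip is the sender's real IP."""
    request = {"public_id": claimed_public_id, "src_ip": src_ip}
    if not ggsn_accepts(bearer_ip, request):
        return "dropped at GGSN (spoofed source IP)"
    return scscf_check(request)

# The three masquerade scenarios of Section 3.2, each with Trudy on bearer 10.0.0.9:
SCENARIOS = {
    "legitimate Alice": ("10.0.0.5", "sip:alice@home.example", "10.0.0.5"),
    "scenario 1: own IP, Alice's identity": ("10.0.0.9", "sip:alice@home.example", "10.0.0.9"),
    "scenario 2: own identity, Alice's IP": ("10.0.0.9", "sip:trudy@home.example", "10.0.0.5"),
    "scenario 3: Alice's identity and IP": ("10.0.0.9", "sip:alice@home.example", "10.0.0.5"),
}
def run_scenarios():
    return {name: early_ims_register(*args) for name, args in SCENARIOS.items()}
```

Scenario 1 is caught only at the S-CSCF, which is why the HSS binding must exist before registration; scenarios 2 and 3 never leave the GGSN.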
5. Conclusions
6. References