JSP电信通讯计费系统设计(含英文文献翻译)
LAWFUL INTERCEPTION
Lawful interception functionality is a mandatory requirement for most 3G operators. There is no reason to expect the 3GPP-WLAN interworking architecture to be exempt from lawful intercep- tion requirements. We note that in a roaming environment the access network and core network may be located in different countries and subject to different legislations.
AUTHENTICATION, CONFIDENTIALITYC, AND INTEGRITY
Given that we have mandated that the 3GPP-WLAN architecture shall use the UMTS AKA procedure, the issue of authentication and key distribution is already taken care of.
Confidentiality is a security service to offer protection against inappropriate disclosure of user or system data. Confidentiality is targeted at protecting the system and user data against passive attacks. 3GPP-WLAN confidentiality services are provided by symmetric key encryption.
The companion security service integrity is to provide protection against illicit data modifica- tion. Cryptographic integrity protection is thus a security service aimed at protecting data against active attacks. The 3GPP-WLAN integrity service is implemented by (symmetric) keyed cryptographic checksum functions. These functions are known as message authentication codes (MAC); as the name implies, they also provide per message authentication.
It is presumed that the access network can support both confidentiality and integrity services for the over-the-air link. For the IEEE WLAN standard this is problematic in that the current standard only supports the relatively weak and cumbersome WEP method. The forthcoming IEEE 802.11i specification promises to solve this problem. While waiting for the standard to be completed, an interim solution called Wi-Fi protected access (WPA) has been standardized by the Wi-Fi alliance. The WPA method is directly based on the Temporal Key Integrity Protocol (TKIP) of the IEEE 802.11i standard (based on the draft 3.0version).
Another essential question with regard to the confidentiality and integrity services is how deep into the network the services should extend. For a public WLAN system this is an important question. The access points are small and inexpensive devices. The access points will certainly not be unprotected, but one cannot realistically expect them to offer much in terms of physical protection. Being distributed, one must assume that an adversary will be able to gain physical access to the devices. Then it is naive to assume that the access points would be able to withstand dedicated attacks. So we face a situation were the APs may not always be able to protect the session keys. One way to solve the problem is to require the WLAN system to extend its confidentiality and integrity services to the access server. The access server is a device assumed to have some physical access security and therefore better suited to store the session keys. We also note that UMTS has protected data connections between the UE and the radio network controller (RNC).
Generally speaking, the security services provided by a wireless system for over-the-air protection are implemented at the link layer. Apart from solving the pressing issue of over-the-air protection, this approach is locked to the specific link layer mechanism. This is also the case for the IEEE 801.11 WLAN system.
So if one wants the security services to extend beyond the AP, one must seek a solution above the link layer. One solution is to create an Ipsec tunnel between the UE and the NAS. Such a solution has the drawback of requiring extra client side configuration. There are also scenarios where the home network wants more control, and one may set up a protected tunnel from the UE to the WLAN access gateway (WAG) in thehome network.
STANDARDIZATION OF SECURITY FOR 3G-WLAN INTERWORKING
THE UMTS AUTHENTICATION AND KEY AGREEMENT PROTOCOL
The security architecture of 3GPP-WLAN interworking in UMTS is directly modeled on the UMTS security architecture for access security.Access security in UMTS is based on a one- pass mutual entity authentication scheme executed between the user (USIM) and the SN. In addition to providing authentication, the AKA procedure also includes generation of session keys for confidentiality (128-bit) and integrity (128-bit) protection.
In the UMTS system the AKA procedure is executed in two phases. The first phase involves transfer of authentication vectors (AVs) from the HE to the SN. This part of the UMTS AKA procedure is not found in the 3GPP-WLAN interworking version of the AKA scheme. The reason is that one does not delegate responsibility for authentication to the SN for 3GPP-WLAN access. Instead, one executes the AKA globally from the HE toward the USIM. In the UMTS only scenario, the second AKA phase is where the SN executes the AKA procedure.
For the UMTS scenario the HE delegates responsibility for the authentication to the SN.For the 3GPP-WLAN interworking scenario the AKA procedure is executed globally. The drawback is that the signaling paths and thus the round-trip delay may increase. The advantage is improved home control since there is no need to distribute AVs or authentication control to the SN.
The cryptographic functions used in the AKA procedure are only implemented in the USIM and HSS, and are thus only dependent on the HE operator. The outcome of a successful AKA sequence is that the USIM and network will be mutually authenticated, and will have derived common key material.
The AKA may occasionally fail. The USIM may find the challenge to be invalid and therefore reject the network. Conversely, the SN may receive an invalid response from the USIM and therefore reject the USIM. In addition, the AKA protocol may also fail due to the use of expired security credentials. This event is treated as a synchronization failure, and one can recover through a resynchronization procedure. A more detailed description of the UMTS AKA procedure specifics can be found in some literature.
THE 3GPP-WLAN SECURITY ARCHITECTURE
A benefit of the loose interworking approach is that the 3GPP-WLAN architecture is a fairly simple architecture. The architecture contains the WLAN access network and a UMTS core network in addition to glue technology to connect the two systems. The two key glue components of the interworking solution are the AAA and EAP technologies. These are used to execute the UMTS AKA protocol from the 3G system’s home domain toward the WLAN user equipment. The AAA architecture and the RADIUS and/or Diameter protocol are to be used as the bridge between the 3GPP system and the WLAN access network. The EAP-AKA protocol allows the UMTS AKA security protocol, which was originally designed for execution over UTRAN, to be executed over the WLAN access toward the user equipment.
上一页 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] ... 下一页 >>
JSP电信电话计费系统设计(含英文文献翻译) 第3页下载如图片无法显示或论文不完整,请联系qq752018766
