Data Integrity and Network Security in Wireless LAN/3G Integrated Networks

N/A
N/A
Protected

Academic year: 2021

Share "Data Integrity and Network Security in Wireless LAN/3G Integrated Networks"

Copied!
39
0
0

Loading.... (view fulltext now)

Full text

(1)

Abbas Jamalipour

International Workshop on Internet Security and Management 2004

a.jamalipour@ieee.org

(2)

2003 A. Jamalipour

Contents

1. Mobile Internet and the Wireless LAN
2. Integrated Network Architecture
3. Security Arrangements
4. Concluding Remarks

(3)

1. Mobile Internet and the Wireless LAN

(4)

Wireless local area networks

• Wireless LAN is becoming increasingly popular
• Mobile users' typical demand for information access is characterized by heavy data files and applications; W-LAN can provide mobility and speed at the same time
• In major structured hot spots such as airports and rail stations, the mobile radio infrastructure's support of data communications seems inadequate and expensive
• For office users, mobility, simple and low-cost network scalability, and high-speed access are advantageous factors
• For home users, mobility without new wiring and, at the same time, high-speed access are the key issues
• W-LAN provides network flexibility: no infrastructure (ad hoc), single-cell network (BSS), or cellular topology (ESS)

(5)

Mobile Internet using W-LAN

• The simple structure and cost-efficient equipment of W-LAN can easily extend the fixed Internet into the mobile environment
• Mobility is supported, but only on a limited scale; beyond that it is neither logically feasible nor economically efficient
• Data integrity, user and network security, and billing methods are not sufficiently supported by current standards
• They can be added (and this is under way), but doing so adds complexity and cost to the network, diluting the original advantages of W-LAN
• Traffic is loosely controlled through the multiple-access scheme; more traffic requires better traffic management and licensed spectrum, adding cost and network complexity

(6)

Mobile Internet using cellular networks

• 2.5G/3G cellular systems will provide some infrastructure for the mobile Internet service, but not necessarily a sufficient one
• The cellular deployment timetable was not fast enough
• Cellular data-rate growth does not follow the rapid increase in new applications' bandwidth demand
• Cellular tariffs are not easily reducible
• Cellular radio access will remain "the" limiting factor in competing on speed with wired networks
• Compatibility and roaming issues between IP networks and cellular systems are not necessarily resolved within cellular-only implementations

(7)

Hybrid networks

• To support new and existing mobile Internet applications
• Horizontal communication among existing access technologies
  - cellular, cordless, W-LAN, short-range connectivity, wired
  - on a common platform, so that they complement each other's services
• Connected through a common, flexible, seamless IP-based core network (questionable but promising)
• An advanced media access technology that connects the core network to the different access technologies
• Global roaming and inter-working between different access technologies: both horizontal (intra-system) and vertical (inter-system) handover
• Seamless, transparent service negotiation including mobility,

(8)

Vision of a hybrid network

[Figure: an IP core network with a satellite backbone, a private IP network and the global Internet, joined through an inter-network access technology to wireless LAN, GSM, cdmaOne, DECT, the GPRS/UMTS core and UMTS access network, the cdma2000 core and access network, and PSTN/ISDN and ADSL]

(9)

Short- and long-term solutions

• Long-term solutions
  - Merging IP and cellular networks on both the core and the access side
  - Reducing dissimilarities in the management of the two systems
  - Improving radio access technology
  - Global interconnection of cellular and IP networks
• Short-term solutions
  - Use of available infrastructures, accommodating simple systems within individual cellular networks
  - Pushing IP-oriented applications into cellular services
  - Gradual decrease of the traffic load from non-IP services
  - Blending all traffic data into one mixed type

(10)

2. Integrated Network Architecture

(11)

Wireless LAN

• W-LAN: the most accessible network to start with for the short-term solutions
• Much higher speed than 3G systems: 11-54 Mbps and above, compared with 300 kbps - 2 Mbps
• Close relation with the legacy wired IP networks (basically an extension)
• Use of unlicensed spectrum and low-cost equipment, which may enable low end-user tariffs too
• Already deployed in major hot-spots and rapidly expanding; easily deployable anywhere
• Potential integrating elements in its architecture with cellular 3G systems
• Advantage of huge research work undergoing toward its

(12)

W-LAN and 3GPP

• 3GPP has already started the initiative for a cellular-Wireless LAN interworking architecture
  - To be included in the 3GPP Release 6 specifications
• Issues that need to be considered:
  - Integrating a highly standardized system such as UMTS with a loosely standardized network, i.e. the W-LAN
  - Standardize the W-LAN network architecture or its radio interface? Maybe not; keep it undefined
  - Integrating a multi-service network such as UMTS with the mainly IP-service network of the W-LAN
  - Whether the W-LAN should be administered by the UMTS operator or treated just as a foreign network
  - User data routing and access to available services

(13)

W-LAN architecture

[Figure: a W-LAN Extended Service Set (ESS) with Access Point 1, Access Point 2 and mobile nodes on a layer 2 distribution network (LAN bus), behind an access router to the IP backbone network; the backbone hosts an AAA server/proxy, billing, an HTTP server, a gateway NAPT, a users database, DHCP and DNS, with IP and AAA interfaces toward external IP networks]

(14)

W-LAN general architecture

• DHCP to assign the W-LAN terminal's IP address
• DNS to resolve fully qualified domain names (FQDN) into IP addresses
• Gateway NAPT (network address and port translation) to external networks (Internet)
  - Using W-LAN private-space IP addresses while enabling services offered by external networks at the same time
• HTTP server for local application-level services
• Billing system for accounting
• Access point: a layer 2 bridge between 802.11 and the Ethernet

(15)

User subscription

• 3GPP
  - A heavily worked area: all subscriber charging and billing systems use SIM/USIM smart cards
  - The user database is kept at the home subscriber server (HSS) for IP and other packet services over the packet-switched CN
  - Global roaming among 3G operators is established
  - Overall, such a high level of security should not be compromised just for a new interworking domain
• Concluded that
  - The W-LAN needs to reuse the 3GPP subscription system
  - Equipping a W-LAN terminal with a SIM/USIM
  - Making the AAA signaling a roaming case, where all

(16)

Authentication and authorization

• 3GPP
  - Use of the (U)SIM card for subscriber authentication for network access, and for agreement of the secret keys used for encryption and integrity protection
  - Use of a challenge-response algorithm for key management and authentication in GSM/GPRS, and an advanced version (UMTS AKA) in UMTS
• Wireless LAN integrated network
  - Utilizing the new IEEE 802.11i for authentication, access control and key agreement functions, especially the extensible authentication protocol (EAP), carried between the access point and the AAA server over RADIUS
  - Use of EAP-SIM: mainly using the SIM's key agreement algorithm
  - Use of EAP-AKA: encapsulating UMTS authentication and key agreement

(17)

Integration options

• Use of the W-LAN as a peer network
  - Really an "inclusion", not an "integration"
  - Connecting W-LAN and cellular systems independently to the IP core network
• Tight coupling
  - Accommodating the W-LAN "tightly" inside the cellular core network
  - Achieving virtual high speed at the end-user level
• Loose coupling
  - Takes advantage of both the IP core network and the cellular core network without the virtual (imaginary) high speed
  - The better option to get the two networks really "integrated"

(18)

Integration options

[Figure: the three options. Peer network: MS, 802.11b APs, GW, AGW/HA and AAA/HLR connected to the core IP network alongside the UMTS CN (Node B, RNC, Iu-ps, SGSN, GGSN/HA, BG, HSS, AAA). Tight coupling: MS, 802.11b APs and GW attached to the UMTS CN through SGSN'. Loose coupling: MS, 802.11b APs and GW attached through GSN']

(19)

Peer Network

[Figure: the UMTS CN (Node B, RNC, Iu-ps, SGSN, GGSN/HA, BG, HSS, AAA) and the W-LAN ESSs (802.11b APs, GW) connected through an AGW/HA and an AAA/HLR' to the core IP network]

• Operation by the same or different UMTS and W-LAN operators
• Use of Mobile IP for mobility management among peer networks
• Inclusion of HA functionality and an AAA server inside the UMTS CN for supporting mobility between UMTS and non-UMTS networks
• Multiple ESSs are connected via an access gateway to the IP CN

(20)

Peer Network

• Authentication to UMTS and other peer networks
  - To UMTS: through an HLR emulator (HLR') in the W-LAN
  - The W-LAN appears as a foreign UMTS network
  - To other peer networks: through an AAA server and HA
• Roaming from UMTS to the W-LAN, the MS
  - Associates with an access point
  - Performs AAA functions with the local AAA server, which interacts with the AAA server in the UMTS home
  - Obtains a CoA and sends a binding update
  - The HA interacts with the HSS in the UMTS CN to update the location

(21)

Tight coupling

• The W-LAN emulates either an RNC or an SGSN (shown as SGSN')
• The W-LAN is deployed either by the UMTS operator or by an independent operator
• Mobility between the two networks means an inter-SGSN RA update
• With the same GGSN, the IP address is assigned from the same pool: mobility results in no change of IP address
• All signaling and data traffic and the user location are maintained by

[Figure: the UMTS CN (Node B, RNC, Iu-ps, SGSN, GGSN/HA, BG, HSS, AAA) with the W-LAN (802.11b APs, GW) attached through SGSN'; the CN connects to the core IP network]

(22)

Tight coupling

• This coupling allows independent W-LAN operators
  - The SGSN emulator meets the UMTS CN at the Gp interface
• Simple architecture and procedure
  - Use of UMTS mobility management
  - To roam into a W-LAN high-speed network, an MS
    - Associates with an access point
    - Enters an inter-SGSN routing area update with SGSN'
    - Connects to the UMTS CN via SGSN'
  - Moving within the W-LAN ESS follows the W-LAN MM procedure
• Signal strength, bandwidth measurements, etc. may be used to select between the two networks when both are available

(23)

Loose coupling

• A master/slave architecture: UMTS is the master, the W-LAN the slave
• Connection of several W-LAN ESSs via individual GWs to a combined SGSN/GGSN emulator (GSN')
• Possible deployment of the W-LAN by the UMTS operator or an independent operator: the W-LAN is a visited network to the UMTS CN

[Figure: the UMTS CN (Node B, RNC, Iu-ps, SGSN, GGSN/HA, BG, HSS, AAA) and the W-LAN ESSs (802.11b APs, GWs) connected to GSN'; signaling and data paths are drawn separately]

(24)

Loose coupling

• Different routing areas for UMTS and the W-LAN
  - Different sets of IP address domains
  - Simplifies the GGSN's forwarding of packets from GSN'
• Different handling of signaling and data traffic
  - Signaling goes to the UMTS CN, directly (same operator) or indirectly (different operators)
  - Data traffic goes to the IP core directly
• Mobility management is more complex than in tight coupling, as a user has a different IP address when roaming from one network to the other

(25)

Loose coupling

• While in UMTS
  - Performing Attach and PDP context activation
  - Following GPRS mobility management when moving around
• Roaming to the W-LAN
  - Associating with an access point
  - Acquiring an IP address from the W-LAN domain
  - Attaching to GSN', similar to a UMTS attach
  - Authentication with UMTS by GSN' (via the old SGSN)
  - Updating the MS location in the HSS and canceling the old one
  - Exchanging packets directly through the IP core network
  - DNS or SIP could be used to identify the MS within the IP network; ongoing research

(26)

Other issues in W-LAN/3G interworking

• Mobility management
  - Roaming between W-LAN and cellular networks
  - Criteria for roaming: data rate, signal strength, traffic load, application, user preference, network preference, handheld device type, ...
  - Timing of roaming
  - Frequency of roaming
  - QoS guarantee issues after roaming
  - Device auto-detection and auto-configuration
• Network administration
  - One administrator or more for
    - AAA
    - Billing

(27)

Interworking scenarios

• Only common billing and customer care
  - Even with no interworking this may be possible
• The same AAA functions as defined by 3GPP
  - This requires the AAA procedures to be adopted in the W-LAN too
• UMTS-specific services in the W-LAN
  - More interworking is needed, so that either a gateway to those services is emulated or they are accessed directly
• Service continuity is maintained
  - The type of services to be maintained continuously can be restricted based on QoS availability (e.g. voice delay)
• Seamless service across the two networks
  - Access even to the UMTS circuit-switched services from the

(28)

3. Security Arrangements

(29)

Security requirements

• Requirements
  - The integrated system should not compromise 3G security
  - Use of UMTS authentication and key agreement (AKA)
    - The AKA challenge-response procedure is network independent and may be run over other transport mechanisms
    - E.g., EAP over LAN (EAPOL, IEEE 802.1X), as adopted by IEEE 802.11i
  - The home network in the integrated system should always be the 3GPP home
  - The serving network should support EAP-AKA
    - An AAA node handles the transport of EAP
  - UMTS AKA relies on the terminal's smartcard
    - The USIM application runs the UMTS AKA cryptographic algorithm
    - The W-LAN terminal should be able to access the USIM
    - It need not have a smartcard reader itself; the USIM can be accessed via a host

(30)

Security elements

• Authentication
  - No problem, as the integrated network still uses the UMTS AKA procedure
• Confidentiality
  - Use of symmetric-key encryption to protect user and system data from disclosure by passive attacks
• Integrity
  - Use of a (symmetric) keyed cryptographic checksum function to protect against data modification by active attacks
  - Such functions are called message authentication codes (MAC); authentication is per message

(31)

Security on the air

• Assumption: the access network supports confidentiality and integrity services over the air
  - A problem for W-LAN because of its weak WEP method
  - Use of the new IEEE 802.11i specification
  - Use of interim solutions such as Wi-Fi Protected Access (WPA)
    - Based on the Temporal Key Integrity Protocol (TKIP) of 802.11i
• W-LAN access points must also be protected against dedicated attacks that aim to get hold of the session keys
  - A possible solution is to extend the W-LAN integrity and confidentiality services to the access server (similar to UMTS, where data connections are protected between the UE and the RNC)
• To solve the problem of confidentiality and integrity services over the air, we must go beyond the usual link-layer security mechanisms (e.g., create an IPsec tunnel between the UE and the network)

(32)

Security standards

• The security architecture of the integrated system is modeled directly on the UMTS security architecture
  - UMTS access security: based on a one-pass mutual entity authentication scheme between the USIM and the serving network
  - The AKA procedure provides authentication and generation of 128-bit session keys (CK, IK) for confidentiality and integrity protection
• AKA procedure implementation
  - The cryptographic functions are implemented in the USIM and the HSS; they depend only on the HE operator
• AKA successful outcome
  - The USIM and the network are mutually authenticated
  - They hold common key material

(33)

UMTS AKA procedure

• The AKA procedure consists of two phases
  - Phase 1: transfer of authentication vectors (AV) from the home environment (HE) to the serving network (SN)
    - Not present as a separate phase in the interworking version of AKA; there AKA is executed end to end from the HE toward the USIM
  - Phase 2: execution of the AKA procedure by the SN

[Figure: user equipment (UE: USIM, MS) - Node B / access point (AP) - RNC - SGSN/VLR (serving network, SN) - HLR/AuC / home subscriber server (HSS) (home environment, HE). AVs are transported over MAP from the HE to the SN; the SN runs the one-pass challenge/response toward the USIM; the Iu interface lies between the RNC and the SGSN/VLR]

(34)

2003 A. Jamalipour A. Jamalipour A. Jamalipour A. Jamalipour 34

Challenge/Response mechanism

• If AKA fails on the USIM side, the USIM reports either a MAC failure (the network is not authenticated) or a synchronization failure, in which case a resynchronization procedure is required; if it fails on the network side, the network rejects the USIM

Network (holding a valid AV) to USIM: Challenge (RAND, AUTN)

USIM:
• Authenticates the network (the MAC in AUTN); if not OK, proceeds with failure
• Checks the sequence number in AUTN; if not OK, resynchronizes
• Computes the response RES
• Generates the key material

USIM to network: Response (RES), or Failure (resync or MAC failure)

Network:
• Verifies (authenticates) the USIM by comparing RES with XRES; if not OK, proceeds with Reject (cause)
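The challenge/response above, worked through end to end in code. This is an added example written for this page, not code from the talk or from 3GPP: the MILENAGE functions f1..f5* are replaced by domain-separated HMAC-SHA256 stand-ins, the SQN freshness window, the AMF value and the HomeEnvironment/USIM/ServingNetwork class names are assumptions, and RAND is drawn at random. It also illustrates the earlier slides on the security elements (the keyed MAC that authenticates AUTN), the derivation of the 128-bit CK/IK, AV generation in the HE (phase 1), and the USIM's three outcomes: RES, MAC failure, and synchronization failure carrying AUTS.

```python
import hmac
import hashlib
import secrets
from collections import namedtuple

# Assumption: MILENAGE f1..f5* are replaced by domain-separated HMAC-SHA256 stand-ins.
# Output sizes follow TS 33.102: SQN 48, AMF 16, MAC 64, RES 64, CK/IK 128, AK 48 bit.
SQN_WINDOW = 32           # toy freshness policy: accept SQN in (SQN_MS, SQN_MS + 32]
AMF = b"\x80\x00"         # authentication management field; value arbitrary here
AMF_RESYNC = b"\x00\x00"  # TS 33.102: AMF is all zeros when MAC-S is computed for AUTS

def _f(tag, k, data, n):
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]

def f1(k, sqn, rand, amf):  return _f(b"f1", k, sqn + rand + amf, 8)   # MAC-A
def f1s(k, sqn, rand, amf): return _f(b"f1*", k, sqn + rand + amf, 8)  # MAC-S (resync)
def f2(k, rand):  return _f(b"f2", k, rand, 8)    # RES / XRES
def f3(k, rand):  return _f(b"f3", k, rand, 16)   # CK, cipher key
def f4(k, rand):  return _f(b"f4", k, rand, 16)   # IK, integrity key
def f5(k, rand):  return _f(b"f5", k, rand, 6)    # AK, anonymity key that conceals SQN
def f5s(k, rand): return _f(b"f5*", k, rand, 6)   # AK* (resync)
def xor(a, b):    return bytes(x ^ y for x, y in zip(a, b))

# AUTN = (SQN xor AK) || AMF || MAC-A, 16 bytes
AuthVector = namedtuple("AuthVector", "rand xres ck ik autn")

class HomeEnvironment:
    """HLR/AuC (HSS): holds the subscriber key K; phase 1 generates the AVs."""
    def __init__(self, k):
        self.k, self.sqn_he = k, 0

    def generate_av(self):
        self.sqn_he += 1
        sqn, rand = self.sqn_he.to_bytes(6, "big"), secrets.token_bytes(16)
        autn = xor(sqn, f5(self.k, rand)) + AMF + f1(self.k, sqn, rand, AMF)
        return AuthVector(rand, f2(self.k, rand), f3(self.k, rand), f4(self.k, rand), autn)

    def resynchronise(self, rand, auts):
        """AUTS = (SQN_MS xor AK*) || MAC-S; adopt SQN_MS only if MAC-S verifies under K."""
        sqn_ms = xor(auts[:6], f5s(self.k, rand))
        if not hmac.compare_digest(auts[6:], f1s(self.k, sqn_ms, rand, AMF_RESYNC)):
            return False
        self.sqn_he = int.from_bytes(sqn_ms, "big")
        return True

class USIM:
    """Smartcard application: holds K and the highest SQN it has accepted."""
    def __init__(self, k):
        self.k, self.sqn_ms = k, 0

    def challenge(self, rand, autn):
        """Returns ("RES", (res, ck, ik)), ("MAC_FAILURE", None) or ("SYNC_FAILURE", auts)."""
        sqn, amf, mac = xor(autn[:6], f5(self.k, rand)), autn[6:8], autn[8:16]
        # Authenticate the network: MAC-A over SQN || RAND || AMF must verify under K.
        if not hmac.compare_digest(f1(self.k, sqn, rand, amf), mac):
            return "MAC_FAILURE", None
        # Freshness: a replayed or stale challenge carries an SQN that is not ahead of SQN_MS.
        sqn_int = int.from_bytes(sqn, "big")
        if not self.sqn_ms < sqn_int <= self.sqn_ms + SQN_WINDOW:
            sqn_ms = self.sqn_ms.to_bytes(6, "big")
            auts = xor(sqn_ms, f5s(self.k, rand)) + f1s(self.k, sqn_ms, rand, AMF_RESYNC)
            return "SYNC_FAILURE", auts
        self.sqn_ms = sqn_int
        return "RES", (f2(self.k, rand), f3(self.k, rand), f4(self.k, rand))

class ServingNetwork:
    """VLR/SGSN, or the 3GPP AAA server for W-LAN access; phase 2 runs the challenge."""
    def __init__(self, he):
        self.he = he

    def authenticate(self, usim, av=None):
        av = av or self.he.generate_av()   # AV transport: MAP, or Diameter/RADIUS for W-LAN
        status, payload = usim.challenge(av.rand, av.autn)
        if status == "SYNC_FAILURE":       # AUTS goes back to the HE, which re-aligns SQN_HE
            return (status if self.he.resynchronise(av.rand, payload) else "REJECT"), None
        if status == "MAC_FAILURE":
            return status, None
        res, ck, ik = payload
        if not hmac.compare_digest(res, av.xres):
            return "REJECT", None           # USIM not authenticated
        return "OK", (ck, ik)               # UE-side CK/IK; the SN already holds them in the AV

def run_scenarios(k=bytes(range(16))):
    """Success path plus each failure branch of the slide, for a constructed key K."""
    he, usim = HomeEnvironment(k), USIM(k)
    sn, out = ServingNetwork(he), {}
    av = he.generate_av()
    out["fresh_av"], keys = sn.authenticate(usim, av)
    out["keys_match"] = keys == (av.ck, av.ik)
    out["replayed_av"], _ = sn.authenticate(usim, av)          # same AV again: SQN not fresh
    av2 = he.generate_av()
    bad = av2._replace(autn=bytes([av2.autn[0] ^ 1]) + av2.autn[1:])
    out["tampered_autn"], _ = sn.authenticate(usim, bad)       # on-path bit flip in AUTN
    rogue = ServingNetwork(HomeEnvironment(b"\xff" * 16))      # false network without K
    out["rogue_network"], _ = rogue.authenticate(usim)
    stale = ServingNetwork(HomeEnvironment(k))                 # HE whose SQN_HE fell behind
    out["stale_he_first"], _ = stale.authenticate(usim)
    out["stale_he_retry"], _ = stale.authenticate(usim)
    return out
```

Two points the slide's diagram cannot show: a replayed or tampered AV never moves the USIM's SQN, so one bad challenge does not poison later genuine ones, and the SYNC_FAILURE branch only succeeds because AUTS is itself MAC-protected (MAC-S); without that an attacker could push the HE's counter backwards.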

(35)

Security architecture (loose coupling)

• A rather simple architecture using AAA and EAP
  - To execute UMTS AKA from the 3G home domain toward the W-LAN UE
  - The AAA architecture, with the RADIUS and/or Diameter protocols, is used to bridge the 3GPP and W-LAN access networks
  - EAP-AKA allows execution of UMTS AKA over the W-LAN

[Figure: UE - AP - network access server (W-LAN access network, visited network) - 3GPP AAA proxy - Internet - 3GPP AAA server - home subscriber server (home network)]

(36)

Extensible authentication protocol (EAP)

• A key element in the security architecture of the integrated system
• Provides a generic request/response transaction between a peer and an authenticator for authentication dialogs
• Supports multiple authentication mechanisms
  - Does not provide authentication itself but supports existing authentication methods through specialized EAP methods
  - Uses a negotiation sequence in which the authenticator asks which authentication method to use
  - The main authentication method here is EAP-AKA, but a backend authentication server can always assist the authenticator with methods it does not support itself
• Runs directly over the link layer (no need for IP)
  - Has its own flow control mechanism
  - Can remove duplicate messages
  - Can retransmit lost messages
• Runs over different link-layer protocols, including IEEE 802.11
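How EAP carries the AKA challenge and response in the loose-coupling architecture, as an added example (not the talk's code): the RFC 4187 EAP-AKA packet layout with the AT_RAND, AT_AUTN, AT_RES, AT_AUTS and AT_MAC attributes, built by the 3GPP AAA server, parsed by the W-LAN UE, answered, and verified. The K_aut key, the RAND/AUTN/XRES values and the EAP identifier are constructed constants; the real K_aut is derived from CK/IK by the RFC 4187 key derivation, which is omitted, and the USIM's computation of RES is stood in for by reusing XRES.

```python
import hmac
import hashlib
import struct

# Added example, not the talk's code. Constants follow RFC 3748 (EAP) and RFC 4187
# (EAP-AKA). Assumption: K_aut, RAND, AUTN and XRES are constructed; the RFC 4187
# derivation of K_aut from CK/IK is omitted.
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_AKA = 23
AKA_CHALLENGE, AKA_SYNC_FAILURE = 1, 4
AT_RAND, AT_AUTN, AT_RES, AT_AUTS, AT_MAC = 1, 2, 3, 4, 11

def _attr(atype, body):
    """TLV: type (1) | length in 4-byte units (1) | body, padded to a 4-byte boundary."""
    body += b"\x00" * (-(len(body) + 2) % 4)
    return bytes([atype, (len(body) + 2) // 4]) + body

def build(code, identifier, subtype, attrs, k_aut=None):
    """EAP-AKA packet: code | id | length | type 23 | subtype | reserved | attributes.
    With k_aut, AT_MAC is appended last: HMAC-SHA1-128 over the whole packet with the
    MAC value zeroed (RFC 4187 section 10.15)."""
    payload = b"".join(_attr(t, v) for t, v in attrs)
    if k_aut is not None:
        payload += _attr(AT_MAC, b"\x00" * 18)            # 2 reserved + 16 zero bytes
    pkt = struct.pack("!BBHBBH", code, identifier, 8 + len(payload),
                      EAP_TYPE_AKA, subtype, 0) + payload
    if k_aut is not None:
        pkt = pkt[:-16] + hmac.new(k_aut, pkt, hashlib.sha1).digest()[:16]
    return pkt

def parse(pkt):
    """Return (code, identifier, subtype, {attribute type: value}); rejects bad lengths."""
    code, identifier, length, eap_type, subtype, _ = struct.unpack("!BBHBBH", pkt[:8])
    if length != len(pkt) or eap_type != EAP_TYPE_AKA:
        raise ValueError("not a well-formed EAP-AKA packet")
    attrs, pos = {}, 8
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1] * 4
        if alen < 4 or pos + alen > length:               # truncated or overlong TLV
            raise ValueError("bad attribute length")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, identifier, subtype, attrs

def verify_mac(pkt, k_aut):
    """Check AT_MAC (placed last by build()); constant-time compare of the 16-byte tag."""
    try:
        _, _, _, attrs = parse(pkt)
    except ValueError:
        return False
    if AT_MAC not in attrs or pkt[-20] != AT_MAC:
        return False
    expected = hmac.new(k_aut, pkt[:-16] + b"\x00" * 16, hashlib.sha1).digest()[:16]
    return hmac.compare_digest(expected, pkt[-16:])

def res_value(attrs):
    """AT_RES carries the RES length in bits, then RES, then padding."""
    bits = struct.unpack("!H", attrs[AT_RES][:2])[0]
    return attrs[AT_RES][2:2 + bits // 8]

def exchange(k_aut=bytes(range(16))):
    """One AKA-Challenge round trip between the 3GPP AAA server and the W-LAN UE."""
    rand, autn, xres = bytes(range(16)), bytes(range(100, 116)), b"\x11" * 8  # constructed
    out = {}
    # Server -> peer: EAP-Request/AKA-Challenge with RAND and AUTN taken from the HSS's AV
    req = build(EAP_REQUEST, 7, AKA_CHALLENGE,
                [(AT_RAND, b"\x00\x00" + rand), (AT_AUTN, b"\x00\x00" + autn)], k_aut)
    out["request_len"] = len(req)
    code, ident, subtype, attrs = parse(req)
    out["peer_accepts_request"] = (verify_mac(req, k_aut)
                                   and (code, subtype) == (EAP_REQUEST, AKA_CHALLENGE))
    out["ue_sees_rand_autn"] = (attrs[AT_RAND][2:18], attrs[AT_AUTN][2:18]) == (rand, autn)
    # Peer -> server: EAP-Response/AKA-Challenge with RES (the USIM's f2 output; XRES reused)
    res = xres
    resp = build(EAP_RESPONSE, ident, AKA_CHALLENGE,
                 [(AT_RES, struct.pack("!H", len(res) * 8) + res)], k_aut)
    out["response_len"] = len(resp)
    _, _, _, rattrs = parse(resp)
    out["server_accepts_response"] = (verify_mac(resp, k_aut)
                                      and hmac.compare_digest(res_value(rattrs), xres))
    # An on-path change to RAND (byte 12 of the request) invalidates AT_MAC
    tampered = req[:12] + bytes([req[12] ^ 0x80]) + req[13:]
    out["tampered_request_accepted"] = verify_mac(tampered, k_aut)
    # A request MACed under a different K_aut (i.e. different CK/IK) is rejected too
    out["wrong_key_accepted"] = verify_mac(req, b"\xff" * 16)
    # On an SQN failure the peer answers AKA-Synchronization-Failure with AUTS and no AT_MAC
    sync = build(EAP_RESPONSE, ident, AKA_SYNC_FAILURE, [(AT_AUTS, b"\x22" * 14)])
    out["sync_failure_auts_len"] = len(parse(sync)[3][AT_AUTS])
    return out
```

The parser refuses attribute lengths that run past the EAP length field before touching any value, which is the check a network access server forwarding these packets over RADIUS most needs; the MAC covers the whole EAP packet, so the identifier and subtype cannot be swapped by an on-path attacker either.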

(37)

4. Concluding Remarks

(38)

Concluding remarks

• A hybrid W-LAN/cellular network takes advantage of the wide-area coverage of the cellular systems and the high bandwidth and low-cost equipment of the W-LAN
• The three integrated architectures look good, but is there any other option?
• The three architectures use one of the available mobility management techniques (GPRS/UMTS, W-LAN, MIP, SIP); is there any better option for MM in hybrid networks?
• While authentication and authorization are handled through different combinations of the available methods (AAA, W-LAN, GPRS/UMTS, HLR, etc.), are those techniques sufficient?
  - Radio access security
  - Network access security

(39)

Further reading

• 3GPP, "3GPP System to Wireless Local Area Network (WLAN) Interworking; System Description," Tech. rep. 3GPP TS 23.234 v1.10.0, May 2003
• 3GPP, "Feasibility Study on 3GPP System to Wireless Local Area Network (WLAN) Interworking," Tech. rep. 3GPP TR 22.934 v6.1.0, Dec. 2002
• K. Ahmavaara, H. Haverinen, and R. Pichna, "Interworking Architecture Between 3GPP and WLAN Systems," IEEE Communications Magazine, pp. 74-81, Nov. 2003
• A. K. Salkintzis, C. Fors, and R. Pazhyannur, "WLAN-GPRS Integration for Next-generation Mobile Data Networks," IEEE Wireless Communications, vol. 9, no. 5, pp. 112-124, Oct. 2002
• A. Doufexi, E. Tameh, A. Nix, and S. Armour, "Hotspot Wireless LANs to Enhance the Performance of 3G and Beyond Cellular Networks," IEEE Communications Magazine, vol. 41, no. 7, pp. 58-65, July 2003
• B. Sarikaya and T. Ozugur, "Dormant Mode Operation Support for Roaming from WLAN to UMTS," IEEE International Conference on Communications (ICC '03), vol. 2, pp. 1038-1042, 11-15 May 2003
• Shiao-Li Tsao and Chin-Ching Lin, "VGSN: A Gateway Approach to Interconnect UMTS/WLAN Networks," 13th IEEE Int. Symposium on Personal, Indoor and Mobile Radio Communications, vol. 1, pp. 275-279, 15-18 Sept. 2002
• ETSI, "Requirements and Architectures for Interworking Between HIPERLAN/2 and 3rd Generation Cellular Systems," Tech. rep. ETSI TR 101 957 v1.1.1, Aug. 2001
• G. M. Koien and T. Haslestad, "Security Aspects of 3G-WLAN Interworking," IEEE
