Data Integrity and Network Security in Wireless LAN/3G ...

Data Integrity and Network Data Integrity and Network Security in Wireless LAN/3G Security in Wireless LAN/3G Integrated Networks Integrated Networks

Abbas Jamalipour

The University of SydneyAustralia

International Workshop on Internet Security and Management 2004

a.a.jamalipourjamalipour@@ieeeieee.org.org

Sendai, Japan, Jan. 29, 2004

2003A. JamalipourA. JamalipourA. JamalipourA. Jamalipour2

ContentsContents

1.1. Mobile Internet and the Wireless LANMobile Internet and the Wireless LAN2.2. Integrated Network ArchitectureIntegrated Network Architecture3.3. Security ArrangementsSecurity Arrangements4.4. Concluding RemarksConcluding Remarks

Mobile Internet and the Mobile Internet and the Wireless LANWireless LAN

11


Wireless local area networksWireless local area networks

! Wireless LAN is becoming increasingly popular! Mobile users’ typical demands of information access is

characterized by heavy data files and applications; W-LAN can provide mobility and speed at the same time

! In major structured hot spots such as airports and rail stations, the mobile radio infrastructure support of data communications seems to be inadequate and expensive

! For office users, mobility, simple and low-cost network scalability, and high-speed access are advantageous factors

! For home users, advantages of mobility without new wiring and at the same time high-speed access are the key issues

" W-LAN provides network flexibility: No infrastructure (ad hoc), single-cell network (BSS), or cellular topology (ESS)

" Use of unlicensed spectrum reduces the user’s cost


Mobile Internet using WMobile Internet using W--LANLAN

! Simple structure and cost-efficient equipment involved in W-LAN can easily extend the fixed Internet into the mobile environment! Mobility is supported but in a limited scale; more than that is

neither logically feasible nor economically efficient! Data integrity, user and network security, and billing

methods are not sufficiently supported by current standards! Can be done (as it is undergoing) but this will add the

complexity and cost of the network, resulting in lighter image of original advantages of W-LAN

! Traffic is loosely controlled through multiple access scheme; more traffic requires better traffic management and licensed spectrum, adding the cost and network complexity

! Co-located W-LANs could interferer each other easily


Mobile Internet using cellular networksMobile Internet using cellular networks

! 2.5G/3G cellular systems will provide some infrastructure for the mobile Internet service, but not necessarily sufficient ! Cellular deployment timetable was not fast enough! Cellular data rate growth does not follow the rapid increase

in new applications’ bandwidth demand! Cellular tariffs are not easily reducible! Cellular radio access will remain “the” limiting factor in

competing speed with wired network! Compatibility and roaming issues between IP networks and

cellular systems are not necessarily resolved within cellular-only implementations ! Need for hybrid networks


Hybrid networksHybrid networks

! To support new and existing mobile Internet applications! Horizontal communication among existing access technology

! cellular, cordless, W-LAN, short-range connectivity, wired

! On a common platform to complement services of each other! Connected through a common, flexible, seamless IP-based

core network (questionable but promising)! An advanced media access technology that connects the core

network to different access technologies! Global roaming and inter-working between different access

technologies both horizontal (intra-system) and vertical (inter-system) handover

! Seamless, transparent service negotiation including mobility, security, quality (data rate, delay, dropping probability, etc)


Vision of a hybrid networkVision of a hybrid network

Inter-Network Access Technology

IP Core Network

Satellite Backbone

Private IP Network

Global Internet

Wireless LAN

GSM

cdmaOne

DECT

GPRS/UMTS Core

cdma2000 Core

cdma2000 Access Network

UMTS Access Network

PSTN/ISDN

ADSL


ShortShort-- and longand long--term solutionsterm solutions

! Long-term solutions! Merging IP and cellular networks at core and access sides! Reducing dissimilarities in management of the two systems! Improving radio access technology! Global interconnection of cellular and IP networks

! Short-term solutions! Use of available infrastructures and try to accommodate

simple systems within individual cellular networks! Push of IP-oriented applications into cellular services! Gradual decrease in traffic load from non-IP services! Blend all traffic data into one mixed-type! All, in order to be prepared for longer-term solutions

Integrated Network Integrated Network ArchitectureArchitecture

22


Wireless LANWireless LAN

! W-LAN: The most accessible network to start with the short-term solutions! Much higher speed than 3G systems: 11-54 Mbps and above

compared with 300 Kbps – 2 Mbps! Close relation with the legacy wired IP networks (basically

an extension)! Use of unlicensed spectrum and low-cost equipments that

may enable low end-user tariffs too! Already deployed in major hot-spots and is rapidly

expanding; easily deployable anywhere! Potential integrating elements in its architecture with cellular

3G systems! Advantage of huge research work undergoing toward its

standardization and regulation, access control, and security


WW--LAN and 3GPPLAN and 3GPP

! 3GPP has already started the initiative for cellular-Wireless LAN internetworking architecture.! To be included in the 3GPP Release 6 specifications

! Issues that need to be considered:! Integrating a highly-standardized system such as UMTS with

a loosely standardized network; i.e. the W-LAN! Standardize the W-LAN network architecture or its radio

interface? Maybe not; keep it undefined

! Integrating a multi-service network such as UMTS with mainly IP-service network of W-LAN

! Whether the W-LAN should be administrated by the UMTS operator or treated just as a foreign network

! User data routing and access to available services ! UMTS CN versus IP backbone


WW--LAN architectureLAN architecture

Access Point 1

Access Point 2

Mobile Nodes Mobile

Nodes

LAN bus

Access Router

IP backbone network

AAA server/proxy

Billing

HTTP server

Gateway NAPT

Users database

DHCP

DNS

Layer 2 distribution network

External IP networks interfaces

IP interface

AAA interface

W-LAN Extended Service Set (ESS)


WW--LAN general architectureLAN general architecture

! DHCP to facilitate the W-LAN terminal IP address! DNS to resolve Internet fully equipped domain name

(FQDN) addresses into IP addresses! Gateway NAPT (network address and port

translation) to external networks (Internet)! Using W-LAN private-space IP address and enabling services

offered by external networks at the same time

! HTTP server for local application-level services! Billing system for accounting! Access point: A layer 2 bridge between 802.11 and

the Ethernet! Security: using WEP, IEEE 802.11x/802.11i, RADIUS


User subscriptionUser subscription

! 3GPP! A heavily worked area for all subscriber’s charging and

billing systems using SIM/USIM smart cards! User database kept at home subscriber servers (HSS) for IP

and other packet services over the packet-switched CN! Establishment of global roaming among 3G operators! Overall, not to compromise such a high-level of security just

for a new interworking domain

! Concluded that! The W-LAN needs to reuse the 3GPP subscription system! Equipping a W-LAN terminal with SIM/USIM! Making the AAA signaling a roaming case, where all

subscription services will be provided by the 3GPP HSS


Authentication and authorizationAuthentication and authorization

! 3GPP! Use of (U)SIM card for subscriber authentication for network

access and for secret key agreement used for encryption and integrity protection

! Use of a challenge and response algorithm for key management and authentication in GSM/GPRS; and an advanced version in UMTS

! Wireless LAN integrated network! Utilizing the new IEEE 802.11i for authentication, access

control and key agreement functions, especially the extensible authentication protocol (EAP) based on RADIUS

! Use of EAP-SIM: mainly using SIM’s key agreement algorithm! Use of EAP-AKA: encapsulation UMTS authentication and key

agreement (AKA) within EAP


Integration optionsIntegration options

! Use of W-LAN as a Peer Network! Really an “inclusion” not “integration”! Connecting W-LAN and cellular systems independently to the

IP core network

! Tight Coupling! Accommodating W-LAN “tightly” inside cellular core network! Achieving virtual high-speed at the end-user level

! Loose Coupling! Take advantage of both IP core network and cellular core

network without getting virtual (imaginary) high-speed! Better option to get the two network really “integrated” ! Obviously with adding more overall complexity

V.K. Varma, S. Ramesh, K.D. Wong and J.A. Friedhoffer, “Mobility management in integrated UMTS/WLAN networks,” 2003 IEEE International Conference on Communications (ICC ’03), vol. 2, pp. 1048-1053, 11-15 May 2003.


Integration optionsIntegration options

MS

Tight Coupling

AP AP

AP GW SGSN’

802.11b

MS

RNC Node B

Node B Iu-ps

MS

Peer Network

AP AP

AP

AAA /HLR

AGW /HA

MS

802.11b

HSS AAA

GGSN/HA

BG

SGSN

UMTS CN

Core IP Network

CN

AP AP

AP GW GSN’

802.11b

MS

Loose Coupling


Peer NetworkPeer Network

MS

MS

RNC Node B

Node B Iu-ps

MS

HSS AAA

GGSN/HA

BG

SGSN

UMTS CN

Core IP Network

CN AP AP

AP GW

802.11b MS

AP AP

AP GW AGW/

HA

802.11b AAA/ HLR’

��

��

��

��

��

��

��

��

��

��

! Operation by a same or different UMTS W-LAN operators! Use of Mobile IP for mobility management among peer networks! Inclusion of a HA functionality and a AAA server inside UMTS CN

for supporting mobility among UMTS and non-UMTS networks! Multiple ESSs are connected via an access gateway to IP CN


Peer NetworkPeer Network

! Authentication to UMTS and other peer networks! To UMTS: through a HLR emulator (HLR’) in W-LAN

! W-LAN: appearing as a foreign UMTS network

! To other peer networks: through an AAA server and HA

! Roaming from UMTS to W-LAN, MS! Associates with an access point! Performs AAA functions with the local AAA server which

interacts with the AAA server in UMTS home! Obtains a CoA and sends a binding update! Interaction of HA with HSS in UMTS CN to update location

! Similar procedure for roaming from W-LAN to UMTS


Tight couplingTight coupling

! W-LAN emulates either a RNC or a SGSN (shown as SGSN’)! W-LAN is deployed either by UMTS or an independent operator! Mobility between two networks means an inter-SGSN RA update! With the same GGSN, IP address will be assigned from the same pool:

mobility results in no change in IP address! All signaling and data traffic and the user location are maintained by

the home subscriber server (HSS)

MS

MS

RNC Node B

Node B Iu-ps

MS

HSS AAA

GGSN/HA

BG

SGSN

UMTS CN

Core IP Network

CN AP AP

AP GW SGSN’

802.11b

��

��

��

��

��

��

��

��


Tight couplingTight coupling

! This coupling allows independent W-LAN operators! SGSN emulator meets the UMTS CN at Gp interface

! Simple architecture and procedure! Use of UMTS mobility management! To roam into a W-LAN high-speed network, an MS

! Associates with an access point! Enters into an inter-SGSN routing area update with SGSN’! Connects to the UMTS CN via SGSN’

! Moving within W-LAN ESS follows the W-LAN MM procedure

! Signal strength, bandwidth measurement, etc may be used to select between the two networks when both are available


Loose couplingLoose coupling

! A master/slave architecture: UMTS: Master, W-LAN: Slave! Connection of several W-LAN ESSs via individual GWs to a

combined SGSN/GGSN emulator (GSN’)! Possible deployment of W-LAN by UMTS or independent

operator: W-LAN is a visiting network to the UMTS CN

MS

MS

RNC Node B

Node B Iu-ps

MS

HSS AAA

GGSN/HA

BG

SGSN

UMTS CN

Core IP Network

CN AP AP

AP GW

802.11b

MS

AP AP

AP GW GSN’

802.11b

��

��

��

��

��

��

��

��

��

signaling

data



! Different routing areas for UMTS and W-LAN! Different sets of IP address domains! Simplifying GGSN in forwarding packets from GSN’

! Different handling of signaling and data traffics! Signaling goes to UMTS CN; directly (same operator) or

indirectly (different operators)! Data traffic goes to IP core directly

! Mobility management is more complex than in tight coupling as a user has a different IP address when roaming from one network to another



! While in UMTS! Performing Attach and PDP context activation! Following GPRS mobility management for moving around

! Roaming to W-LAN! Associating with an access point! Acquiring an IP address from the W-LAN domain! Attaching to GSN’ similar to UMTS attach! Authentication with UMTS by GSN’ (via old SGSN)! Updating MS location and canceling it in HSS! Exchanging packets directly through IP core network! DNS or SIP could be used to identify the MS within the IP

network; ongoing research

! Similar procedure when roaming to UMTS


Other issues in WOther issues in W--LAN/3G LAN/3G interworkinginterworking

! Mobility management! Roaming between W-LAN and cellular networks

! Criteria for roaming! data rate, signal strength, traffic load, application, user

preference, network preference, handheld device type, …

! Timing for roaming! Frequency for roaming! QoS guarantee issues after roaming! Device auto-detection and auto-configuration

! Network administration! One administrator or more for

! AAA! Billing! Customer care


InterworkingInterworking scenariosscenarios

! Only common billing and customer care! With no internetworking still this may be possible

! To have same AAA functions as defined by 3GPP! This requires AAA procedures to be adopted in W-LAN

too! To have UMTS-specific services in W-LAN

! More internetworking is needed so that either a gateway to those service is emulated or they are accessed directly

! Service continuity is maintained! We can restrict the type of services to be maintained

continuously based on QoS availability (e.g. voice delay)! Seamless service across two networks! Access even to the UMTS circuit-switched services from the

W-LAN

Security ArrangementsSecurity Arrangements

33


Security requirementsSecurity requirements

! Requirements! The integrated system should not compromise 3G security

! Use of UMTS authentication and key agreement (AKA)! AKA challenge-response procedure is network independent and

may be run over other transport mechanisms! E.g., EAP-over-LAN supported by IEEE 802.11

! The home network in the integrated system should be always the 3GPP home

! The serving network should support EAP-AKA! AAA node to handle transport of EAP

! UMTS AKA relies on the terminal’s smartcard! USIM application runs the UMTS AKA cryptographic algorithm

! W-LAN terminal should be able to access USIM! Not necessarily have a smartcard reader; can be accessed via host

system


Security elementsSecurity elements

! Authentication! No problem as the integrated network still uses UMTS AKA

procedure

! Confidentiality! Use of symmetric key encryption to protect disclosure of

user and system data by passive attacks

! Integrity! Use of (symmetric) keyed cryptographic checksum function

to protect data modifications by active attacks! Functions are called message authentication codes (MAC); per

message authentication


Security on the airSecurity on the air

! Assumptions: Access network supports confidentiality and integrity services over the air! Problem for W-LAN due to its weak WEP method

! Use of new IEEE 802.11i specification! Use of interim solutions such as Wi-Fi protected access (WPA)

! Based on Temporal Key Integrity Protocol (TKIP) of 802.11i

! W-LAN access points must be also protected against dedicated attacks that aim to get access to session keys

! Possible solution is to extend the W-LAN integrity and confidentiality services to the access server (similar to UMTS where data connections are protected between UE and RNC

! To solve the problem of confidentiality and integrity services over the air, we must go beyond the usual “link-layer” security mechanisms (e.g., create an IPSec tunnel between UE and the network)


Security standardsSecurity standards

! Security architecture of the integrated system is directly modeled in the UMTS security architecture! UMTS access security: based on one-pass mutual entity

authentication scheme between USIM and serving network! AKA procedure provides authentication and generation of

128-bit session keys for confidentiality and integrity protection

! AKA procedure implementation! Cryptographic functions are implemented in USIM and HSS;

depend only on HE operator

! AKA successful outcome! The USIM and network will be mutually authenticated ! They will get common key materials


UMTS AKA procedureUMTS AKA procedure

! AKA procedure consists of two phases! Phase 1: Transfer of authentication vectors (AV) from home

environment (HE) to the serving network (SN)! Not available in the interworking version of AKA; AKA is globally

executed from the HE toward the USIM! Phase 2: Execution of AKA procedure by the SN

USIM MS Node B RNC SGSN/VLR HLR/AuC

User Serving Network (SN) Home Environment (HE)

Access Point (AP) Radio Network Controller

Serving Network (SN)

Home Subscriber Server (HSS)

AV transport over MAP

One-Pass Challenge/Response

Iu Interface

User Equipment (UE)

G. M. Koien and T. Haslestad, “Security aspects of 3G-WLAN interworking,” IEEE Communications Mag., pp. 82-88, Nov. 2003


Challenge/Response mechanismChallenge/Response mechanism

! If the AKA fails, either during challenge from network or response from USIM, a resynchronization procedure will be required

USIM Network

• Authenticate the network; if not ok proceed with failure

• Check sequence number in AUTN; if not ok resynchronize

• Compute response: RES• Generate key material

Valid AV presentsChallenge (RAND, AUTN)

Response (RES)

Failure (resync or MAC failure)

Reject (cause)

• Verify (authenticate) USIM; if not ok proceed with reject


Security architecture (loose coupling)Security architecture (loose coupling)

! Rather simple architecture using AAA and EAP ! To execute UMTS AKA from 3G home domain toward W-LAN

UE! AAA architecture, RADIUS and/or Diameter protocols are

used to bridge 3GPP and W-LAN access networks! EAP-AKA allows execution of UMTS AKA over W-LAN

UE APNetwork access server

3GPP AAA

proxy

3GPP AAA

Home subscriber

server

Internet

W-LAN access network

Home NetworkVisited Network

Wr Wr Wx


Extensible authentication protocol (EAP)Extensible authentication protocol (EAP)

! A key element in security architecture of the integrated system! Provides a generic peer-to-peer based request-response

transaction for authentication dialogs! Supports multiple authentication mechanisms! Does not provide authentication itself but supports existing

authentication methods through specialized EAP methods! Using a negotiation sequence where the authenticator asks information

on which authentication method to use! The main authentication method supported is EAP-AKA, but always a

backend authentication server can help authenticator for unsupported authentication methods

! Runs directly over link layer (no need for IP)! Has its own flow control mechanisms! Can remove duplicate messages! Can retransmits lost messages! Runs over different link layer protocols including the IEEE 802.11

W-LAN link layer

Concluding RemarksConcluding Remarks

44


Concluding remarksConcluding remarks

! A hybrid W-LAN/cellular network takes the advantages of wide area coverage of the cellular systems and high-bandwidth and low-cost equipment of the W-LAN! The three integrated architectures look good, but is there any

other option?! The three architectures use one of available mobility

management techniques: GPRS/UMTS, W-LAN, MIP, SIP; are there any better option for MM in hybrid networks?

! While authentication and authorization are handled through different combination of available methods (AAA, W-LAN, GPRS/UMTS, HLR, etc), are those techniques sufficient?

! Radio access security! Network access security


Further reading Further reading

! 3GPP, “ 3GPP System to Wireless Local Area Network (WLAN) Interworking; System Description,” Tech. rep. 3GPP TS 23.234 v1.10.0, May 2003

! 3GPP, “Feasibility Study on 3GPP System to Wireless Local Area Network (WLAN) Interworking,” Tech. rep. 3GPP TR 22.934 v6.1.0, Dec. 2002

! K. Ahmavaara, H. Haverinen, and R. Pichna, “Interworking Architecture Between 3GPP and WLAN Systems,” IEEE Communications Mag., pp. 74-81, Nov. 2003

! A.K. Salkintzis, C. Fors, and R. Pazhyannur, “WLAN-GPRS Integration for Next-generation Mobile Data Networks,” IEEE Wireless Communications, vol. 9, no. 5, pp. 112-124, Oct. 2002

! A. Doufexi, E. Tameh, A. Nix and S. Armour, “Hotspot Wireless LANs to Enhance the Performance of 3G and Beyond Cellular Networks,” IEEE Communications Magazine, vol. 41, no. 7, pp. 58-65, July 2003

! B. Sarikaya and T. Ozugur, “Dormant Mode Operation Support for Roaming from WLAN to UMTS,” IEEE International Conference on Communications (ICC '03), vol. 2, pp. 1038-1042, 11-15 May 2003

! Shiao-Li Tsao and Chin-Ching Lin, “VGSN: A Gateway Approach to Interconnect UMTS/WLAN Networks,” The 13th IEEE Int. Symposium on Personal, Indoor and Mobile Radio Communications, vol. 1, pp. 275-279, 15-18 Sept. 2002

! ETSI, “Requirements and Architectures for Interworking Between HIPERLAN/3 and 3rd

Generation Cellular Systems,” Tech. rep. ETSI TR 101 957 v1.1.1, Aug. 2001 ! G. M. Koien and T. Haslestad, “Security Aspects of 3G-WLAN Interworking,” IEEE

Communications Mag., pp. 82-88, Nov. 2003

Data Integrity and Network Security in Wireless LAN/3G ...

Documents

Transcript of Data Integrity and Network Security in Wireless LAN/3G ...