2G/3G Authentication with SIM cards: usage & roaming basics for the Internet challenged

Michael Haberler Internet Foundation Austria

outline
a SIM card mini-tutorial
features, protocol flow, usage, production, addressing

UMTS authentication and key agreement

principles and protocol flow

the universal integrated circuit card (UICC)

USIM app

how 2G, 3G roaming works over the air (OTA) loading of UICC apps
example: X.509 certificate download

(U)SIMs and Internet access authentication

how SIMs and RADIUS roaming works

(U)SIMs and SIP authentication

what the SIP server does

How the parameter logistics works a bonus business model thrown in summary

whats a 2G SIM card

crypto smart card as per ISO 7816 access protected by a PIN code(s) (card holder verification) fixed storage of subscriber identity IMSI (international mobile subscriber identity) GSM MAC address
E.164 number to IMSI mapping at the operator only

safe storage for shared secret - accessible only through CHAP operation
not broken as of today except for most stupid CHAP algorithm known

CHAP algorithm in hardware

operator chooses algorithm

tree structured filesystem

stream, record, cyclic record files can be readonly, read/write or none at all (for the key) some permission hierarchy

how are SIM cards produced

unprogrammed chips are personalized and closed (parameters written & sealed) mass product - $5-$7 apiece at 1000+
GEMplus, Giesecke & Devrient ....

everybody can have SIMs made even Mom&Pop ISP not everybody may
roam with other cellular operators use the GSM algorithm A3/A8 you wouldnt want it anyway must be member of GSM association for that

having your own algorithm in a chip mask is a circa $50K+ affair for testing & development unprogrammed castrated chips used (XOR algorithm for CHAP...)

how are (U)SIM cards accessed

2G, 3G use
builtin reader in the mobile handset

for Internet use:

maybe builtin in PDA, PC (e.g.DELL) external USB token 20$ apiece re-use a mobile SIM card via Bluetooth SIG SIM Access Profile (only if roaming against 2G/3G operator)

read 3G (U)SIM Security Reuse by Peripheral Decices on local interfaces contains some threat analysis

SIM usage in 2G authentication

access request
2G GSM handset

present IMSI
Authentication Center

present challenge ( RAND )

send RESP (challenge response) keys

shared secret

IMSI structure
MCC MNC MSIN Three digits Two to three digits Maximum of ten digits

IM SI Maximum of fifteen digits MCC MNC MSIN IMSI Mobile Country Code Mobile Network Code Mobile Subscriber Identification Number International Mobile Subscriber Identity
T0207420-98

MCC/MNC uniquely designates an operator and his authentication center when roaming, MCC/MNC tells the visiting network where to route the authentication request this is done via SS7 MAP (mobile application part)

what is OTA (over the air) loading?

SIM cards are writable by mobile equipment
if authenticated to network if instructed by operator over the air if file/directory is writable

example: ISIM X.509 certificate bootstrap

AKA authenticated:
let user visit PKI portal download certificates through HTTP/Digest mechanism certificates are stored in record structured files, as ar CA certifcates

The Air can also be an IP connection download of executable applets possible

SIM Toolkit, USAT (USIM Application toolkit) bytecode instructions sent encrypted by 3DES, stored on card

regularly used in 2G networks today for functionality upgrades & parameter download

UMTS authentication and key agreement (AKA)

substantially improved over 2G SIM protection against replay, MITM attacks sports also network-to-user authentication more complex algorithm compatibility functions 2G network/3G card, 3G network/2G card

3G AKA authentication flow

access request
3G UMTS handset

present IMSI
Authentication Center

challenge RAND || AUTN token

send RESP (challenge response) keys result: Cipher key Integrity key shared secret, Sequence numbers

whats the universal integrated circuit card (UICC) about

generic support mechanism for multiple applications on one card 2G,3G authentication become applications selected as needed
USIM application implements AKA 2G SIM app implements 2G CHAP additional apps possible (ISIM, PKI certificate storage etc) ISIM is pretty close to SIP client needs!!

mobile equipment chooses application

using (U)SIMs for Internet access authentication

embed flow in EAP and tunnel in RADIUS between 802.1x supplicant in client and RADIUS EAP backend using EAP-SIM or EAP-AKA RADIUS server MAY gateway to SS7 MAP and roam
WiFi network looks like a GSM roaming partner example: WiFi roaming through www.togewanet.com

OR RADIUS server access an ISP-style database for keys

ISP is the SIM card issuer!

using (U)SIM for SIP authentication

speak HTTP/AKA (RFC3310) between SIP UA and proxy proxy translates into EAP-AKA-in-RADIUS RFC specified only for AKA (3G auth) no mapping of EAP-SIM onto HTTP/SIM for 2G auth bad almost all networks today use 2G auth which breaks SIP authentication through GSM/UMTS operators we need to address this and spec HTTP/SIM

how 2G roaming works

mobile equipment presents IMSI visited network looks at MCC,MNC part of IMSI
if no roaming agreement, drop him otherwise send access request thru SS7 MAP to home network the home network verifies IMSI and sends a triplet: (challenge, expected response, cipher key) authentication vector visited network presents challenge, reads response if (response == expected response), service user

the triplet is essentially an access ticket

note no replay detection these fellows seem to trust each other

how 3G roaming works

not much different from 3G, just more parameters needed for AKA triplets become quintets

how the 2G/3G user ids (IMSIs) are mapped to RADIUS authentication:
take mobile country code, mobile network code use them to create a realm Example
IMSI = 232011234567890
means mcc=232 (Austria) mnc=01 (Mobilkom)

resulting realm
mnc01.mcc232.owlan.org

resulting RADIUS user

232011234567890@mnc01.mcc232.owlan.org routing to Radius servers decided by subdomain

convention established by Nokia Nokia owns owlan.org domain pro-bono from thereon this is vanilla RADIUS roaming but its just fine if we call it mnc01.mcc232.visionNG.org if that sounds better, realms just gotta be unique

how does 2G/3G address logistics work

if you are a service provider and have E.164 ranges, get a MNC from your MCC administrator (FCC, regulator...) the E.164 range might also be, for example, from visionNG (+87810 ff) MCC = 901 this doesnt mean youre part of 2G/3G roaming yet contracts & regulatory prerequisites needed but the addressing is all set to go!!

a bonus business model thrown in:

combine a SIP-based iTSP with a Mobile Virtual Network Operator (MVNO)
an MVNO has authentication, billing, customers, numbers, but the radio network is outsourced from somewhere else

issue (U)SIM cards which work both in a 2/3G handset AND as WiFi/SIP auth tokens note the same card authenticates both uses! leave choice to user how to connect Internet or cellular using the same E.164 number

Summary
2G/3G has a strong/very strong authentication architecture it is almost copy & paste for iTSP use at WiFi access, WiFi roaming acces, SIP and other levels (TBD!) it can serve to solve the X.509 certificate distribution problem operator model (2G/3G home network, ISP home network) has no impact on Internet-side terminals numbering & addressing resources are compatible and available (maybe not obviously so) the Internet could become the biggest (U)SIM authenticated mobile network ever to roam with 2G/3G land