IMS Security Framework

3GPP2 S.S0086-B
Version: 2.0
Date: February 2008

IMS Security Framework

COPYRIGHT

3GPP2 and its Organizational Partners claim copyright in this document and individual Organizational Partners may copyright and issue documents or standards publications in individual Organizational Partner's name based on this document. Requests for reproduction of this document should be directed to the 3GPP2 Secretariat at [email protected]. Requests to reproduce individual Organizational Partner's documents should be directed to that Organizational Partner. See www.3gpp2.org for more information.

EDITOR

Zhibi Wang, Alcatel-Lucent, (630)713-8381, [email protected]

REVISION HISTORY

  • 1.0 Initial Publication, December 2005
  • 2.0 Addressed TIA legal comments, February 2008

CONTENTS

1 SCOPE
2 REFERENCES
  2.1 NORMATIVE REFERENCES
  2.2 INFORMATIVE REFERENCES
3 DEFINITIONS, SYMBOLS AND ABBREVIATIONS
  3.1 DEFINITIONS
  3.2 ABBREVIATIONS
4 OVERVIEW OF THE SECURITY ARCHITECTURE
5 SECURITY FEATURES
  5.1 SECURE ACCESS TO IMS
    5.1.1 Authentication of the subscriber and the network
    5.1.2 Re-Authentication of the subscriber
    5.1.3 Confidentiality protection
    5.1.4 Integrity protection
  5.2 NETWORK TOPOLOGY HIDING
  5.3 SIP PRIVACY HANDLING IN IMS NETWORKS
  5.4 SIP PRIVACY HANDLING WHEN INTERWORKING WITH NON-IMS NETWORKS
6 SECURITY MECHANISMS
  6.1 AUTHENTICATION AND KEY AGREEMENT
    6.1.1 Authentication of an IM-subscriber
    6.1.2 Authentication failures
      6.1.2.1 User authentication failure
      6.1.2.2 Network authentication failure
      6.1.2.3 Incomplete authentication
    6.1.3 Synchronization failure
    6.1.4 Network Initiated authentications
    6.1.5 Integrity protection indicator
  6.2 CONFIDENTIALITY MECHANISMS
  6.3 INTEGRITY MECHANISMS
  6.4 HIDING MECHANISMS
  6.5 CSCF INTEROPERATING WITH PROXY LOCATED IN A NON-IMS NETWORK
7 SECURITY ASSOCIATION SET-UP PROCEDURE
  7.1 SECURITY ASSOCIATION PARAMETERS
  7.2 SET-UP OF SECURITY ASSOCIATIONS (SUCCESSFUL CASE)
  7.3 ERROR CASES IN THE SET-UP OF SECURITY ASSOCIATIONS
    7.3.1 Error cases related to IMS AKA
      7.3.1.1 User authentication failure
      7.3.1.2 Network authentication failure
      7.3.1.3 Synchronisation failure
      7.3.1.4 Incomplete authentication
    7.3.2 Error cases related to the Security-setup
      7.3.2.1 Proposal unacceptable to P-CSCF
      7.3.2.2 Proposal unacceptable to UE
      7.3.2.3 Failed consistency check of Security-setup lines at the P-CSCF
  7.4 AUTHENTICATED RE-REGISTRATION
    7.4.1 Void
    7.4.1a Management of security associations in the UE
    7.4.2 Void
    7.4.2a Management of security associations in the P-CSCF
  7.5 RULES FOR SECURITY ASSOCIATION HANDLING WHEN THE UE CHANGES IP ADDRESS
8 SECURE MEMORY WITHIN UE
  8.1 REQUIREMENTS ON THE SECURE MEMORY OF AN IMS CAPABLE UE
9 NETWORK DOMAIN SECURITY
  9.1 INTER-DOMAIN SECURITY
  9.2 INTRA-DOMAIN SECURITY
  9.3 PROFILES OF NETWORK DOMAIN SECURITY METHODS
    9.3.1 Support of IPSec ESP
      9.3.1.1 Support of ESP authentication and encryption
    9.3.2 Support of TLS
ANNEX A (NORMATIVE): THE USE OF SECURITY MECHANISM AGREEMENT FOR SIP SESSIONS (REF. [12]) FOR SECURITY MODE SET-UP
ANNEX B (NORMATIVE): KEY EXPANSION FUNCTIONS FOR IPSEC ESP
ANNEX C (INFORMATIVE): RECOMMENDATIONS TO PROTECT THE IMS FROM UES BYPASSING THE P-CSCF

FOREWORD

This Technical Specification has been produced by the 3rd Generation Partnership Project 2 (3GPP2) based on “3rd Generation

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 43
