aaa architecture as per 3gpp standards in wireless communications

Upload: praveena-annadurai

Post on 03-Apr-2018


  • 7/29/2019 AAA architecture as per 3GPP standards in wireless communications

    1/30

  • 2/30

    Authentication, Authorization and Accounting (AAA) is a framework for intelligently controlling access to computer network resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security.

    Some of the AAA protocols are listed below:

    CHAP: Challenge Handshake Authentication Protocol
    DIAMETER: this protocol is designed to replace RADIUS
    PAP: Password Authentication Protocol
    RADIUS: Remote Authentication Dial-In User Service

  • 3/30

    What is 3GPP?

    3GPP stands for Third Generation Partnership Project. This group includes telecommunications companies from Japan, South Korea, China, North America and Europe.

  • 4/30

    3GPP stands for 3rd Generation Partnership Project.

    The Partners are Standards Developing Organizations (partner logos on the slide: Japan, Japan, China, Korea, USA, Europe).

    Contribution-driven companies participate in 3GPP through their membership of one of these Organizational Partners.

    Currently over 350 Individual Members (Operators, Vendors, Regulators).

    12 Market Representation Partners (see final slide). These organisations give perspectives on market needs and drivers.

  • 5/30

    3GPP prepares and maintains specifications for the following technologies:

    GSM, GPRS, EDGE
    W-CDMA FDD (Frequency Division Duplex)
    TD-CDMA TDD (Time Division Duplex) in High Chip Rate and Low Chip Rate (TD-SCDMA) modes

    i.e. all of the technologies on the GSM evolution path.

    (Member logos on the slide: NTT DoCoMo, BT)

  • 6/30

    The Enhanced UTRAN (E-UTRAN) will:

    be optimised for mobile speeds of 0 to 15 km/h
    support, with high performance, speeds between 15 and 120 km/h
    maintain mobility at speeds between 120 and 350 km/h, and even up to 500 km/h depending on frequency band
    support voice and real-time services over the entire speed range with quality at least as good as UTRAN

  • 7/30

    3GPP Specified Radio Interfaces
    2G radio: GSM, GPRS, EDGE
    3G radio: WCDMA, HSPA, LTE
    4G radio: LTE Advanced

    3GPP Core Network
    2G/3G: GSM core network
    3G/4G: Evolved Packet Core (EPC)

    3GPP Service Layer
    GSM services
    IP Multimedia Subsystem (IMS), Multimedia Telephony (MMTEL)
    Support of Messaging and other OMA functionality
    Emergency services and public warning
    Etc.

  • 8/30

    TSG RAN Objectives
    Define and further develop the UMTS (WCDMA and TDD including TD-SCDMA) Radio Access Network
    Specify tests for User Equipment as well as Base Station

    TSG RAN Organization
    Five subgroups:
    WG1 specifying Layer 1
    WG2 specifying the signalling over the radio interface
    WG3 specifying the architecture and the interfaces within the Access Network
    WG4 specifying the requirements for the radio performance, including test specifications for the Base Station
    WG5 specifying tests for the User Equipment, inclusive of the core network aspects

  • 9/30

    Introduction

    AUTHENTICATION is the process by which an entity's identity is verified, typically by providing evidence that it holds a specific digital identity such as an identifier and the corresponding credentials. Examples of types of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).

    AUTHORIZATION is the process of granting or denying access to a network resource. Most computer security systems are based on a two-step process. The first stage is authentication, which ensures that a user is who he or she claims to be. The second stage is authorization, which allows the user access to various resources based on the user's identity, e.g. encryption.

    ACCOUNTING is the process of keeping track of a user's activity while accessing the network resource, including the amount of time spent in the network, the services accessed there and the amount of data transferred during the session. Accounting data is used for trend analysis, capacity planning, billing and cost allocation.

  • 10/30

    We divide AAA communications into the following categories: Client to Policy Enforcement Point (PEP), PEP to Policy Decision Point (PDP), Client to PDP, and PDP to Policy Information Point (PIP). For easy reference, the AAA flow diagram from Part One of this article is reproduced here.

    Fig 1: A Client Connects to a AAA-Protected Network

    http://www.cisco.com/web/about/ac123/ac147/images/ipj/ipj_10-2/102_aaa_fig1_lg.jpg
  • 11/30

    Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers to connect and use a network service. RADIUS was developed by Livingston Enterprises in 1991.

    RADIUS serves three functions:

    1. to authenticate users or devices before granting them access to a network,
    2. to authorize those users or devices for certain network services, and
    3. to account for usage of those services.

  • 12/30

    1. The user contacts the web site and is presented with a login page.
    2. A RADIUS Access-Request is sent from the SSL-VPN to the RADIUS server.
    3. The RADIUS server returns an Access-Accept with authorization info.
    4. The user accesses the Intranet via the SSL-VPN portal.

  • 13/30

    Attribute value pair:

    Fig 2: Structure of RADIUS

    http://en.wikipedia.org/wiki/File:RADIUS_AVP_layout.svg
    http://en.wikipedia.org/wiki/File:RADIUS_packet_format.svg
  • 14/30

    1. User initiates PPP authentication to the NAS.
    2. NAS prompts for username and password (if Password Authentication Protocol [PAP]) or challenge (if Challenge Handshake Authentication Protocol [CHAP]).
    3. User replies.
    4. RADIUS client sends username and encrypted password to the RADIUS server.
    5. RADIUS server responds with Accept, Reject, or Challenge.
    6. The RADIUS client acts upon the services and service parameters bundled with Accept or Reject.

  • 15/30

    Example of Response Packet

    The RADIUS server authenticates nemo, and sends an Access-Accept UDP packet to the NAS telling it to telnet nemo to host 192.168.1.3.

    The Response Authenticator is a 16-octet MD5 checksum of the code (2), id (0), Length (38), the Request Authenticator from above, the attributes in this reply, and the shared secret.

    02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf 9b 55 e0 b2 06 06 00 00 00 01 0f 06
    00 00 00 00 0e 06 c0 a8 01 03

    Octets  Field
    1       Code = Access-Accept (2)
    1       Identifier = 0 (same as in Access-Request)
    2       Length = 38
    16      Response Authenticator

    Attribute List:
    6       Service-Type (6) = Login (1)
    6       Login-Service (15) = Telnet (0)
    6       Login-IP-Host (14) = 192.168.1.3
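The packet breakdown above can be checked mechanically. The following is an added example (not code from the deck): it parses the Access-Accept bytes listed on the slide into header fields and attributes, and shows how a RADIUS client validates the Response Authenticator by recomputing MD5(Code + ID + Length + RequestAuth + Attributes + Secret). The slide does not give the Request Authenticator or the shared secret for the nemo exchange, so the verification part uses a constructed Request Authenticator and a constructed secret rather than the real ones.

```python
import hashlib
import ipaddress
import secrets

# Access-Accept bytes exactly as listed on the slide (the RFC 2865 "nemo" example).
ACCESS_ACCEPT_HEX = (
    "02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf 9b 55 e0 b2 06 06 00 00 00 01 0f 06 "
    "00 00 00 00 0e 06 c0 a8 01 03"
)

ATTR_NAMES = {6: "Service-Type", 14: "Login-IP-Host", 15: "Login-Service"}


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, ident = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the packet")
    authenticator = packet[4:20]
    attrs = []
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": authenticator, "attributes": attrs}


def response_authenticator(code, ident, attrs_bytes, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs_bytes)
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_authenticator + attrs_bytes + secret).digest()


def build_access_accept(ident, attrs_bytes, request_authenticator, secret) -> bytes:
    """Server side: an Access-Accept whose authenticator binds it to one request."""
    auth = response_authenticator(2, ident, attrs_bytes, request_authenticator, secret)
    length = 20 + len(attrs_bytes)
    return bytes([2, ident]) + length.to_bytes(2, "big") + auth + attrs_bytes


def verify_response(packet, request_authenticator, secret) -> bool:
    """Client side: recompute the Response Authenticator and compare in constant time."""
    p = parse_radius(packet)
    expected = response_authenticator(p["code"], p["id"], packet[20:p["length"]],
                                      request_authenticator, secret)
    return secrets.compare_digest(expected, p["authenticator"])


def decode_slide_packet():
    """Decode the slide's packet: returns (code, id, length, {attribute name: value})."""
    packet = bytes.fromhex(ACCESS_ACCEPT_HEX)
    p = parse_radius(packet)
    decoded = {}
    for atype, value in p["attributes"]:
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        # Login-IP-Host carries a 4-octet IPv4 address; the other two are integers.
        decoded[name] = (str(ipaddress.IPv4Address(value)) if atype == 14
                         else int.from_bytes(value, "big"))
    return p["code"], p["id"], p["length"], decoded


if __name__ == "__main__":
    print(decode_slide_packet())
    # Constructed Request Authenticator and secret (not the slide's real values).
    req_auth, secret = bytes(range(16)), b"constructed-secret"
    attrs = bytes.fromhex(ACCESS_ACCEPT_HEX)[20:]
    accept = build_access_accept(0, attrs, req_auth, secret)
    print("valid:", verify_response(accept, req_auth, secret))
    print("wrong secret accepted:", verify_response(accept, req_auth, b"wrong"))
```

The client-side check is the only thing that ties an Access-Accept to the request it answers; a response with a bad authenticator, or one whose attributes were altered in transit, fails the recomputation and must be discarded.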

  • 16/30

    Client/Server Model
    Network Security
    Flexible Authentication Mechanisms
    Extensible Protocol

  • 17/30

    Response Authenticator Based Shared Secret Attack
    The attacker listens to requests and server responses, and pre-computes the MD5 state, which is the prefix of the Response Authenticator: MD5(Code+ID+Length+ReqAuth+Attrib). The attacker then performs an exhaustive search on the shared secret, adding it to the above MD5 state each time.

    User-Password Attribute Based Shared Secret Attack
    The attacker attempts a connection to the NAS, and intercepts the Access-Request. The attacker then performs an exhaustive search on the shared secret.

    User-Password Based Password Attack
    The attacker performs an exhaustive / dictionary attack on the password, XORing it with the above MD5 and sending it each time in the appropriate attribute. Possible because there is no authentication on the request packet.

  • 18/30

    Shared Secret Hygiene
    Viewed as a single client
    Small key size enabling easy attack

    Request Authenticator Based Attacks
    Passive User-Password Compromise through Repeated Request Authenticators
    Active User-Password Compromise through Repeated Request Authenticators: the attacker builds a dictionary as before. When he predicts he can cause the NAS to use a certain ReqAuth, he tries to connect to it and intercepts the Access-Request.
    Replay of Server Responses through Repeated Request Authenticators: the attacker builds a dictionary with ReqAuth, ID and the entire server response. Most server responses will be Access-Accept.

  • 19/30

    RADIUS has several weaknesses:

    Usage of a stream cipher
    The Access-Request transaction is not authenticated at all

    The RADIUS specification should require each client to use a different shared secret. It should also require the shared secret to be a random bit string at least 16 octets long that is generated by a PRNG.

    DIAMETER was brought in to replace RADIUS and fix some of the flaws.
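The three preceding slides turn on two operational facts: the User-Password attribute is XORed with an MD5 keystream seeded by the shared secret and the Request Authenticator, so a short or reused secret and a repeated Request Authenticator both weaken it. The following is an added example (not code from the deck) written from the operator's side: it implements the RFC 2865 User-Password hiding so the dependency on secret and Request Authenticator is visible, audits a configured client-to-secret map against the slide's recommendation (a distinct, random secret of at least 16 octets per client), and monitors Access-Requests for a Request Authenticator that repeats for the same client. The client names, secrets and packets below are constructed; the low-entropy heuristic is a deliberately crude assumption, not a standard.

```python
import hashlib
import secrets
from collections import defaultdict

MIN_SECRET_OCTETS = 16  # the slide's recommendation: a random secret of at least 16 octets


def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each with a chained MD5 keystream.
    The first keystream block is MD5(secret + Request Authenticator), so a repeated
    Request Authenticator under the same secret yields a repeated keystream."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += c
        prev = c
    return out


def reveal_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse of hide_user_password (same keystream, XOR again, strip padding)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, block))
        prev = c
    return out.rstrip(b"\x00")


def generate_shared_secret(n_octets: int = MIN_SECRET_OCTETS) -> bytes:
    """One fresh secret per RADIUS client, drawn from the OS CSPRNG."""
    if n_octets < MIN_SECRET_OCTETS:
        raise ValueError("secret must be at least 16 octets")
    return secrets.token_bytes(n_octets)


def audit_client_secrets(client_secrets: dict) -> dict:
    """Map each client to the hygiene problems found with its configured secret."""
    problems = defaultdict(list)
    by_secret = defaultdict(list)
    for client, secret in client_secrets.items():
        by_secret[secret].append(client)
        if len(secret) < MIN_SECRET_OCTETS:
            problems[client].append(f"too short ({len(secret)} octets, need {MIN_SECRET_OCTETS})")
        if len(set(secret)) <= 4:  # crude heuristic (assumption): very few distinct octets
            problems[client].append("low-entropy value")
    for clients in by_secret.values():
        if len(clients) > 1:  # the slide's "viewed as single client" problem
            for c in clients:
                others = ", ".join(sorted(x for x in clients if x != c))
                problems[c].append("secret reused by " + others)
    return dict(problems)


class RequestAuthenticatorMonitor:
    """Flags an Access-Request whose 16-octet Request Authenticator was already seen
    from the same client; a repeat is the precondition for the password-compromise
    and response-replay cases on the previous slides, so it points at a NAS whose
    authenticator generation needs fixing."""

    def __init__(self):
        self.seen = defaultdict(set)
        self.alerts = []

    def observe(self, client: str, packet: bytes):
        if len(packet) < 20 or packet[0] != 1:  # only Access-Request (code 1)
            return None
        req_auth = packet[4:20]
        if req_auth in self.seen[client]:
            alert = (client, req_auth.hex())
            self.alerts.append(alert)
            return alert
        self.seen[client].add(req_auth)
        return None


def access_request(ident: int, req_auth: bytes) -> bytes:
    """Constructed minimal Access-Request header (no attributes) for feeding the monitor."""
    return bytes([1, ident]) + (20).to_bytes(2, "big") + req_auth
```

In deployment the monitor would be fed from a packet capture or the server's request log keyed by NAS address; the audit runs over the server's client configuration at change time.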

  • 20/30

    Diameter is an AAA (Authentication, Authorization and Accounting) protocol for applications such as network access or IP mobility. The basic concept is to provide a base protocol that can be extended in order to provide AAA services to new access technologies. Diameter is intended to work in both local and roaming AAA situations.

    Diameter operates on top of reliable transport protocols like TCP.

  • 21/30

    Fig: AVP format
    Fig: DIAMETER packet structure

  • 22/30

    Better Proxying

    Better Session Control

    Better Security

    Interoperability

    Better Transport

  • 23/30

    Fig: Diameter protocol reaction time
    Fig: RADIUS protocol reaction time

  • 24/30

    Fig: Traffic operated during connection to the primary server
    Fig: Traffic operated during connection to the secondary server

  • 25/30

    Characteristic / RADIUS Deficiency / DIAMETER Improvement

    Characteristic: Strict limitation of attribute data
      RADIUS deficiency: Only 1 byte reserved for the length of a data field (max. 255) in its attribute header
      DIAMETER improvement: Reserves 2 bytes for its length of a data field (max. 16535)

    Characteristic: Inefficient retransmission algorithm
      RADIUS deficiency: Only 1 byte as identifier field to identify retransmissions. This limits the number of requests that can be pending (max. 255)
      DIAMETER improvement: Reserves 4 bytes for this purpose (max. 2^32)

    Characteristic: Inability to control flow to servers
      RADIUS deficiency: Operates over User Datagram Protocol (UDP) and has no standard scheme to regulate UDP flow
      DIAMETER improvement: Scheme that regulates the flow of UDP packets (windowing scheme)

    Characteristic: No support for user-specific commands
      RADIUS deficiency: Supports vendor-specific attributes, but not vendor-specific commands
      DIAMETER improvement: Supports vendor-specific command codes
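To make the field-width comparison concrete, here is an added example (not code from the deck) that encodes and decodes a Diameter message and its AVPs. The field widths are those of RFC 6733, which is what a practitioner implements against: a 20-octet header with a 3-octet Message Length, 3-octet Command Code and 4-octet Application-ID, Hop-by-Hop and End-to-End identifiers, and an AVP header with a 4-octet AVP Code, 1-octet flags, 3-octet AVP Length and an optional 4-octet Vendor-ID. The registered values used are real (Capabilities-Exchange command code 257, Origin-Host AVP 264, Origin-Realm AVP 296, 3GPP Vendor-ID 10415); the vendor-specific AVP code 9999, the identifiers and the host names are constructed for the demonstration, and the 300-octet AVP payload is there to show that the 255-octet RADIUS attribute limit does not apply.

```python
import struct

HEADER_LEN = 20
FLAG_REQUEST = 0x80        # Diameter header 'R' bit
AVP_FLAG_VENDOR = 0x80     # AVP 'V' bit: a 4-octet Vendor-ID follows the AVP Length
AVP_FLAG_MANDATORY = 0x40  # AVP 'M' bit


def encode_avp(code: int, data: bytes, mandatory: bool = True, vendor_id=None) -> bytes:
    """AVP = Code(4) | Flags(1) | Length(3) | [Vendor-ID(4)] | Data, padded to 4 octets.
    AVP Length counts the header and data but not the padding."""
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    head_len = 8
    if vendor_id is not None:
        flags |= AVP_FLAG_VENDOR
        head_len = 12
    length = head_len + len(data)
    out = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * (-len(data) % 4)


def encode_message(command_code: int, app_id: int, hop_by_hop: int, end_to_end: int,
                   avps, request: bool = True) -> bytes:
    """Header = Version(1) | Length(3) | Flags(1) | Command Code(3) | App-ID(4) | H2H(4) | E2E(4)."""
    body = b"".join(avps)
    length = HEADER_LEN + len(body)
    flags = FLAG_REQUEST if request else 0
    return (bytes([1]) + length.to_bytes(3, "big") + bytes([flags])
            + command_code.to_bytes(3, "big")
            + struct.pack("!III", app_id, hop_by_hop, end_to_end) + body)


def decode_message(msg: bytes) -> dict:
    """Parse a Diameter message; AVPs come back as (code, vendor_id or None, data)."""
    if len(msg) < HEADER_LEN or msg[0] != 1:
        raise ValueError("bad Diameter header")
    length = int.from_bytes(msg[1:4], "big")
    if length != len(msg) or length % 4:
        raise ValueError("Message Length does not match the message")
    flags = msg[4]
    command = int.from_bytes(msg[5:8], "big")
    app_id, h2h, e2e = struct.unpack("!III", msg[8:20])
    avps = []
    pos = HEADER_LEN
    while pos < length:
        code = struct.unpack("!I", msg[pos:pos + 4])[0]
        aflags = msg[pos + 4]
        alen = int.from_bytes(msg[pos + 5:pos + 8], "big")
        vendor = aflags & AVP_FLAG_VENDOR
        min_len = 12 if vendor else 8
        if alen < min_len or pos + alen > length:
            raise ValueError("malformed AVP")
        vendor_id = struct.unpack("!I", msg[pos + 8:pos + 12])[0] if vendor else None
        avps.append((code, vendor_id, msg[pos + min_len:pos + alen]))
        pos += alen + (-alen % 4)  # skip the padding the length field excludes
    return {"request": bool(flags & FLAG_REQUEST), "command": command, "app_id": app_id,
            "hop_by_hop": h2h, "end_to_end": e2e, "avps": avps}


def sample_cer() -> bytes:
    """Constructed Capabilities-Exchange-Request with one oversized vendor-specific AVP."""
    avps = [
        encode_avp(264, b"nas.example.test"),                 # Origin-Host
        encode_avp(296, b"example.test"),                     # Origin-Realm
        encode_avp(9999, b"x" * 300, vendor_id=10415),        # constructed 3GPP-vendor AVP
    ]
    return encode_message(257, 0, 0xDEADBEEF, 0x01020304, avps)


if __name__ == "__main__":
    d = decode_message(sample_cer())
    print(d["command"], hex(d["hop_by_hop"]), [(c, v, len(x)) for c, v, x in d["avps"]])
```

The decoder rejects a Message Length that disagrees with the bytes received and an AVP Length shorter than its own header, which is the minimum a Diameter peer needs before acting on an incoming message.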

  • 26/30

    Consumer-Managed Applications

    Enterprise-Managed Applications

    Carrier-Managed Applications

    Emerging Applications

  • 27/30

    Security and Identity Convergence

    User-Centric AAA

    Federation

  • 28/30

    RADIUS protocol
    Represents fast user identification with few packets, but in fact is unable to control its traffic and peers in the communication chain, and is ineffective in overly crowded networks.

    Diameter protocol
    Is recommended for congested networks because it can control their traffic.
    Solves the server inaccessibility problems much faster.
    Better equipped for dealing with problems that are encountered in present-day networks.

  • 29/30

    untruth.org
    J. Liu, S. Jiang, H. Lin, ibm.com (originally sourced from a blog cited within the Wikipedia article) [Retrieved 2011-12-28]
    Bernard Aboba, Jari Arkko, David Harrington, "Introduction to Accounting Management", RFC 2975, IETF, Oct. 2000.
    "How Does RADIUS Work?". Cisco. 2006-01-19. Retrieved 2009-04-15.
    RFC 2865, Remote Authentication Dial In User Service (RADIUS)
    RFC 2866, RADIUS Accounting
    Pat R. Calhoun, Glen Zorn and Ping Pan (2001-02). "DIAMETER Framework Document". IETF. Retrieved 2009-04-30.
    Naman Mehta (2009-03-20). "Introduction to Diameter Protocol - What is Diameter Protocol?". Sun Microsystems. Retrieved 2009-04-30.

  • 30/30

    Thank you