Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London


Page 1: Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London

Unlicensed Mobile Access (UMA)

Dasun Weerasinghe

School of Engineering and Mathematical Sciences

City University

London

Page 2

Agenda

What is UMA

UMA Architecture

Security in UMA

Authentication

Encryption

EAP-AKA Authentication

Future Work

Page 3

What is UMA

UMA allows access to the mobile voice and data services of the cellular network over a Wireless LAN

Subscribers are enabled to roam and hand over between cellular networks and wireless networks

The UMA Technology specification was published in September 2004

3GPP approved the specification as “Generic Access to A/Gb interfaces”

Pilot project by Nokia in Finland

Page 4

What is UMA (contd.)

Page 5

UMA Architecture

Mobile devices access the Core Network through the Unlicensed Mobile Access Network (UMAN).

UMAN has 3 major entities:

Unlicensed wireless network

IP access network

UMA Network Controller (UNC)

UNC authorizes and authenticates the mobile devices for accessing the Core Network

Page 6

UMA Architecture (contd.)

Page 7

UMA Security

Authentication: authenticate the MS with the UNC to set up a secure tunnel

Based on GSM or UMTS credentials

The authentication protocol is IKEv2

GSM: EAP-SIM; UMTS: EAP-AKA

Mutual authentication of MS and Mobile Network

Session key generation – IK and CK

Page 8

UMA Security – EAP Authentication

Steps in Authentication (EAP)

MS establishes a link with an AP

MS determines the UNC to connect to

MS initiates the connection with the UNC using IKE

UNC connects with the local AAA

Page 9

UMA Security – EAP Authentication (contd.)

Local AAA linked to the Home AAA

EAP procedure is performed between MS and AAA

UNC is a relay for EAP messages

Page 10

EAP-AKA

Page 11

EAP-AKA steps

MS finds an AP

MS finds the UNC-SGW and initiates the IKEv2 authentication procedure

MS sends the NAI, which contains the IMSI, to the UNC-SGW

UNC-SGW communicates with the local AAA

The local server determines the Home AAA by using the NAI. The routing path may include several AAA proxies

The leading digits of the NAI indicate that the authentication procedure is EAP-AKA

Page 12

EAP-AKA steps (contd.)

AAA requests the user profile and UMTS authentication vectors from HSS

A UMTS authentication vector consists of RAND, the authentication part (AUTH), the expected result (XRES), IK and CK

AAA sends the EAP Request/AKA Challenge to UNC-SGW with RAND, AUTH, MAC (message authentication code) and the re-authentication identity

UNC-SGW forwards the EAP Request/AKA Challenge to MS

Page 13

EAP-AKA steps (contd.)

MS runs the UMTS algorithm and verifies the AUTH. It computes RES, IK and CK and calculates the MAC using the generated IK and CK

MS sends EAP Response/AKA Challenge with RES and MAC

AAA verifies the received MAC and compares RES with XRES

AAA sends IK and CK to UNC-SGW for the communication with MS

UNC-SGW informs MS of the successful authentication
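The full EAP-AKA challenge exchange of pages 12 and 13 (HSS vector, MS verification of AUTH and RES/IK/CK derivation, AAA check of MAC and RES against XRES), modelled as an added example that is not part of the slides. It assumes a constructed shared secret K and replaces the UMTS f1-f5 functions and EAP-AKA's K_aut derivation with labelled HMAC-SHA256, so the message flow is faithful but the cryptographic primitives are stand-ins.

```python
"""Simplified model of the EAP-AKA full authentication exchange on these slides.
Constructed example: the UMTS f1-f5 functions (Milenage on a real USIM) are replaced by
HMAC-SHA256 with per-function labels, and the response MAC is keyed with IK||CK directly
instead of EAP-AKA's derived K_aut. K is a constructed shared secret, not a real SIM key."""
import hashlib
import hmac
import os

def f(k: bytes, label: bytes, *parts: bytes) -> bytes:
    # Stand-in for one UMTS f-function: keyed hash over the label and its inputs.
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()

def hss_vector(k: bytes, sqn: int, rand=None) -> dict:
    """HSS side: the UMTS authentication vector (RAND, AUTN, XRES, IK, CK) for one run."""
    rand = rand or os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac_a = f(k, b"f1", sqn_b, rand)[:8]              # lets the MS authenticate the network
    return {"RAND": rand, "AUTN": sqn_b + mac_a,      # AUTN is the "AUTH" of the slides
            "XRES": f(k, b"f2", rand)[:8],
            "CK": f(k, b"f3", rand)[:16], "IK": f(k, b"f4", rand)[:16]}

def ms_challenge_response(k: bytes, last_sqn: int, rand: bytes, autn: bytes):
    """MS side: verify AUTN (network MAC and sequence freshness), then derive RES, IK, CK."""
    sqn_b, mac_a = autn[:6], autn[6:]
    if not hmac.compare_digest(mac_a, f(k, b"f1", sqn_b, rand)[:8]):
        return None                                   # network did not prove knowledge of K
    if int.from_bytes(sqn_b, "big") <= last_sqn:
        return None                                   # replayed or stale challenge
    res, ck, ik = f(k, b"f2", rand)[:8], f(k, b"f3", rand)[:16], f(k, b"f4", rand)[:16]
    mac = hmac.new(ik + ck, b"AKA-Challenge" + res, hashlib.sha256).digest()[:16]
    return {"RES": res, "MAC": mac, "IK": ik, "CK": ck}

def aaa_verify(vector: dict, response: dict) -> bool:
    """AAA side: recompute the MAC from the vector's IK/CK and compare RES with XRES."""
    expected = hmac.new(vector["IK"] + vector["CK"], b"AKA-Challenge" + response["RES"],
                        hashlib.sha256).digest()[:16]
    return (hmac.compare_digest(expected, response["MAC"])
            and hmac.compare_digest(vector["XRES"], response["RES"]))

def full_authentication(k_ms: bytes, k_hss: bytes, sqn: int = 1, last_sqn: int = 0):
    """Whole run; returns the (IK, CK) the AAA hands to the UNC-SGW on success, else None."""
    v = hss_vector(k_hss, sqn)
    r = ms_challenge_response(k_ms, last_sqn, v["RAND"], v["AUTN"])
    if r is None or not aaa_verify(v, r):
        return None
    return v["IK"], v["CK"]
```

A mismatched K on either side, or a sequence number the MS has already seen, ends the run before any key is released to the UNC-SGW.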

Page 14

EAP-AKA Fast Re-Authentication

Used to reduce the network load caused by authentication

AAA server authenticates the user based on the keys derived by the last full authentication

Re-authentication ID is generated by the AAA in the full authentication process

Page 15

EAP-AKA Fast Re-Authentication (contd.)

Page 16

EAP-AKA Fast Re-Authentication Steps

MS initiates the IKEv2 authentication procedure

The re-authentication identity is sent to the UNC-SGW

UNC-SGW sends EAP Response/Identity to AAA with the re-authentication ID

AAA initialises a counter and sends an EAP Request/AKA-Reauthentication message with the counter value, a MAC and the re-authentication ID for the next fast authentication

MS verifies the counter value and the MAC and sends EAP Response/AKA-Reauthentication with the same counter value and its calculated MAC

AAA server verifies the counter value and the MAC

EAP Success message is sent to MS
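The counter-and-MAC exchange of the fast re-authentication steps above, as an added example that is not from the slides. It assumes a constructed key k_re standing in for the keys kept from the last full authentication, a single-use re-authentication ID and a 16-byte truncated HMAC-SHA256 as the MAC; the UNC-SGW relay is elided. It also shows the two checks that make the short exchange safe: a consumed ID is refused (forcing a full authentication) and a counter that does not increase is rejected as a replay.

```python
"""Simplified model of the EAP-AKA fast re-authentication exchange on these slides.
Constructed example: k_re and the truncated HMAC-SHA256 MAC stand in for the real EAP-AKA keys."""
import hashlib, hmac, os

def mac(key: bytes, counter: int, *parts: bytes) -> bytes:
    return hmac.new(key, counter.to_bytes(2, "big") + b"".join(parts), hashlib.sha256).digest()[:16]

class AAA:
    """Per-user re-authentication state, created when the last full authentication succeeded."""
    def __init__(self, k_re: bytes, first_id: bytes):
        self.state = {first_id: {"k_re": k_re, "counter": 0}}   # counter initialised by AAA
        self.pending = None

    def reauth_request(self, reauth_id: bytes):
        """EAP Request/AKA-Reauthentication: (counter, next id, MAC); None means run a full auth."""
        s = self.state.pop(reauth_id, None)           # each re-authentication id is single-use
        if s is None:
            return None
        s["counter"] += 1
        next_id = os.urandom(8)
        self.pending = (s, next_id)
        return s["counter"], next_id, mac(s["k_re"], s["counter"], next_id)

    def verify_response(self, counter: int, resp_mac: bytes) -> bool:
        """EAP Response/AKA-Reauthentication: same counter and a valid MAC -> EAP Success."""
        s, next_id = self.pending
        ok = counter == s["counter"] and hmac.compare_digest(resp_mac, mac(s["k_re"], counter))
        if ok:
            self.state[next_id] = s                    # only the freshly issued id is valid now
        return ok

class MS:
    def __init__(self, k_re: bytes, reauth_id: bytes):
        self.k_re, self.reauth_id, self.last_counter = k_re, reauth_id, 0

    def reauth_response(self, counter: int, next_id: bytes, req_mac: bytes):
        """Reject a stale counter or bad MAC; otherwise answer with the same counter and own MAC."""
        if counter <= self.last_counter:
            return None                               # replay of an earlier request
        if not hmac.compare_digest(req_mac, mac(self.k_re, counter, next_id)):
            return None                               # not from the AAA holding k_re
        self.last_counter, self.reauth_id = counter, next_id
        return counter, mac(self.k_re, counter)

def fast_reauth(aaa: AAA, ms: MS) -> bool:
    req = aaa.reauth_request(ms.reauth_id)
    if req is None:
        return False                                  # unknown id: fall back to full EAP-AKA
    resp = ms.reauth_response(*req)
    return resp is not None and aaa.verify_response(*resp)
```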

Page 17

Encryption

CK is generated during the authentication process

Negotiated cryptographic algorithms are used.

Page 18

Future Work

Handing calls off between the cellular network and the wireless LAN with a fast authentication process

SSO from one UNC to another

Introduce UNC to the Mobile Shopping Mall: UNC can be a web service

Introduce XML security to the communication between MS and UNC

Authentication of the UNC to the network

Some security holes in fast authentication