7/29/2019 AAA architecture as per 3GPP standards in wireless communications
Authentication, Authorization and Accounting (AAA) is a framework
for intelligently controlling access to computer network resources,
enforcing policies, auditing usage, and providing the information
necessary to bill for services. These combined processes are considered
important for effective network management and security.
Some of the AAA protocols are listed below:
PAP: Password Authentication Protocol
CHAP: Challenge Handshake Authentication Protocol
RADIUS: Remote Authentication Dial-In User Service
DIAMETER: a protocol designed to replace RADIUS
What is 3GPP?
3GPP stands for Third Generation Partnership Project. This group includes telecommunications companies from Japan, South Korea, China, North America and Europe.
3GPP stands for 3rd Generation Partnership Project
The Partners are Standards Developing Organizations:
Contribution-driven companies participate in 3GPP through their membership of one of these Organizational Partners
Currently over 350 Individual Members (Operators, Vendors, Regulators)
12 Market Representation Partners (see final slide). These organisations give perspectives on market needs and drivers
(Slide shows the Organizational Partners' logos: ARIB and TTC (Japan), CCSA (China), TTA (Korea), ATIS (USA), ETSI (Europe))
3GPP prepares and maintains specifications for the following technologies:
GSM, GPRS
EDGE
W-CDMA FDD (Frequency Division Duplex)
TD-CDMA TDD (Time Division Duplex) in High Chip Rate and Low Chip Rate (TD-SCDMA) modes
i.e. all of the technologies on the GSM evolution path
(Slide shows operator logos: NTT DoCoMo, BT)
The Enhanced UTRAN (E-UTRAN) will:
be optimised for mobile speeds of 0 to 15 km/h
support, with high performance, speeds between 15 and 120 km/h
maintain mobility at speeds between 120 and 350 km/h, and even up to 500 km/h depending on frequency band
support voice and real-time services over the entire speed range, with quality at least as good as UTRAN
3GPP Specified Radio Interfaces
2G radio: GSM, GPRS, EDGE
3G radio: WCDMA, HSPA, LTE
4G radio: LTE Advanced
3GPP Core Network
2G/3G: GSM core network
3G/4G: Evolved Packet Core (EPC)
3GPP Service Layer
GSM services
IP Multimedia Subsystem (IMS), Multimedia Telephony (MMTEL)
Support of Messaging and other OMA functionality
Emergency services and public warning
Etc.
TSG RAN Objectives
Define and further develop the UMTS (WCDMA and TDD, including TD-SCDMA) Radio Access Network
Specify tests for User Equipment as well as Base Station
TSG RAN Organization
Five subgroups:
WG1 specifying Layer 1
WG2 specifying the signalling over the radio interface
WG3 specifying the architecture and the interfaces within the Access Network
WG4 specifying the requirements for radio performance, including test specifications for the Base Station
WG5 specifying tests for the User Equipment, inclusive of the core network aspects
Introduction
AUTHENTICATION is the process where an entity's identity is verified, typically by providing evidence that it holds a specific digital identity such as an identifier and the corresponding credentials. Examples of types of credentials are passwords, one-time tokens, digital certificates, and phone numbers (calling/called).
AUTHORIZATION is the process of granting or denying access to a network resource. Most computer security systems are based on a two-step process. The first stage is authentication, which ensures that a user is who he or she claims to be. The second stage is authorization, which grants the user access to various resources based on the user's identity (e.g. which services the user may use).
ACCOUNTING is the process of keeping track of a user's activity while accessing network resources, including the amount of time spent in the network, the services accessed there and the amount of data transferred during the session. Accounting data is used for trend analysis, capacity planning, billing and cost allocation.
We divide AAA communications into the following categories: Client to Policy Enforcement Point (PEP), PEP to Policy Decision Point (PDP), Client to PDP, and PDP to Policy Information Point (PIP). For easy reference, the AAA flow diagram from Part One of this article is reproduced here.
Fig 1: A Client Connects to a AAA-Protected Network
http://www.cisco.com/web/about/ac123/ac147/images/ipj/ipj_10-2/102_aaa_fig1_lg.jpg
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers that connect to and use a network service. RADIUS was developed by Livingston Enterprises in 1991.
RADIUS serves three functions:
1. to authenticate users or devices before granting them access to a network,
2. to authorize those users or devices for certain network services, and
3. to account for usage of those services.
1. The user contacts the Web site and is presented with a login page.
2. A RADIUS Access-Request is sent from the SSL-VPN to the RADIUS server.
3. The RADIUS server returns an Access-Accept with authorization info.
4. The user accesses the Intranet via the SSL-VPN portal.
Attribute value pair:
Fig 2: Structure of RADIUS
http://en.wikipedia.org/wiki/File:RADIUS_AVP_layout.svg
http://en.wikipedia.org/wiki/File:RADIUS_packet_format.svg
1. User initiates PPP authentication to the NAS.
2. NAS prompts for username and password (if Password Authentication Protocol [PAP]) or challenge (if Challenge Handshake Authentication Protocol [CHAP]).
3. User replies.
4. RADIUS client sends the username and the hidden password to the RADIUS server (the User-Password attribute is not encrypted but obfuscated by XOR with MD5 of the shared secret and the Request Authenticator; with CHAP the challenge response is sent instead).
5. RADIUS server responds with Accept, Reject, or Challenge.
6. The RADIUS client acts upon the services and service parameters bundled with Accept or Reject.
Example of Response Packets
The RADIUS server authenticates nemo, and sends an Access-Accept UDP packet to the NAS telling it to telnet nemo to host 192.168.1.3.
The Response Authenticator is a 16-octet MD5 checksum of the code (2), id (0), Length (38), the Request Authenticator from the corresponding Access-Request, the attributes in this reply, and the shared secret.
02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf 9b 55 e0 b2 06 06 00 00 00 01 0f 06
00 00 00 00 0e 06 c0 a8 01 03
 1  Code = Access-Accept (2)
 1  Identifier = 0 (same as in the Access-Request)
 2  Length = 38
16  Response Authenticator
Attribute List:
 6  Service-Type (6) = Login (1)
 6  Login-Service (15) = Telnet (0)
 6  Login-IP-Host (14) = 192.168.1.3
Client/Server Model
Network Security
Flexible Authentication Mechanisms
Extensible Protocol
Response Authenticator Based Shared Secret Attack
The attacker listens to requests and server responses, and pre-computes the MD5 state over the prefix of the Response Authenticator input:
MD5(Code + ID + Length + ReqAuth + Attributes)
He then performs an exhaustive search on the shared secret, appending each candidate to the saved MD5 state and comparing the result with the observed Response Authenticator.
User-Password Attribute Based Shared Secret Attack
The attacker attempts a connection to the NAS with a password he knows, and intercepts the Access-Request. XORing the User-Password attribute with the known password yields MD5(Secret + ReqAuth); he then performs an exhaustive search on the shared secret against that value.
User-Password Based Password Attack
The attacker performs an exhaustive / dictionary attack on the password, XORing each guess with the MD5 value above and sending it each time in the User-Password attribute.
Possible because the Access-Request packet is not authenticated at all.
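The packet example and the Response Authenticator attack above, worked in Python as an added example that is not part of the original slides: it parses the Access-Accept bytes from the "Example of Response Packets" slide, recomputes and checks the Response Authenticator the way a NAS must before trusting a reply, and runs the offline shared-secret search by hashing the public prefix once and then appending each candidate to a copy of that MD5 state. The Request Authenticator, the shared secret radius123 and the wordlist used in the demo are constructed for illustration and appear nowhere on the slides.

```python
"""RADIUS Access-Accept parsing, Response Authenticator check, and the offline
shared-secret search from the attacks slide (packet layout per RFC 2865)."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_NAMES = {6: "Service-Type", 14: "Login-IP-Host", 15: "Login-Service"}

# Access-Accept bytes from the "Example of Response Packets" slide (RFC 2865 7.1).
ACCEPT_HEX = ("02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf 9b 55 e0 b2 "
              "06 06 00 00 00 01 0f 06 00 00 00 00 0e 06 c0 a8 01 03")


def parse_radius(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value)])."""
    if len(packet) < 20:
        raise ValueError("RADIUS header is 20 octets")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field %d inconsistent with packet" % length)
    authenticator = packet[4:20]
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:   # Length covers Type, Length and Value
            raise ValueError("bad attribute length %d" % alen)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs


def encode_attrs(attrs) -> bytes:
    out = b""
    for atype, value in attrs:
        if len(value) > 253:                   # one-octet Length: 2 + value <= 255
            raise ValueError("attribute value longer than 253 octets")
        out += bytes([atype, len(value) + 2]) + value
    return out


def md5_prefix(code: int, ident: int, request_auth: bytes, attrs):
    """MD5 state over Code+ID+Length+RequestAuth+Attributes: everything the
    Response Authenticator hashes except the shared secret appended at the end."""
    body = encode_attrs(attrs)
    h = hashlib.md5()
    h.update(bytes([code, ident]) + struct.pack("!H", 20 + len(body)) + request_auth + body)
    return h


def response_authenticator(code, ident, request_auth, attrs, secret: bytes) -> bytes:
    h = md5_prefix(code, ident, request_auth, attrs)
    h.update(secret)
    return h.digest()


def build_response(code, ident, request_auth, attrs, secret: bytes) -> bytes:
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What a NAS must do before acting on an Access-Accept: recompute the
    Response Authenticator with the Request Authenticator it sent and compare."""
    code, ident, auth, attrs = parse_radius(packet)
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(auth, expected)


def crack_shared_secret(packet: bytes, request_auth: bytes, wordlist):
    """Offline attack from the slide: hash the public prefix once, then for each
    candidate secret copy that MD5 state and append only the candidate."""
    code, ident, auth, attrs = parse_radius(packet)
    state = md5_prefix(code, ident, request_auth, attrs)
    for candidate in wordlist:
        h = state.copy()                       # resume from the precomputed prefix
        h.update(candidate)
        if h.digest() == auth:
            return candidate
    return None


def describe(packet: bytes) -> dict:
    """Decode the slide's Access-Accept into the fields listed on the slide."""
    code, ident, _auth, attrs = parse_radius(packet)
    out = {"code": code, "id": ident, "length": len(packet)}
    for atype, value in attrs:
        name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
        out[name] = str(IPv4Address(value)) if atype == 14 else int.from_bytes(value, "big")
    return out


if __name__ == "__main__":
    print(describe(bytes.fromhex(ACCEPT_HEX)))
    # Constructed values, not from the slides: a Request Authenticator the NAS
    # sent, a weak shared secret, and a small wordlist that happens to contain it.
    req_auth = bytes(range(16))
    secret = b"radius123"
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, [(6, b"\x00\x00\x00\x01")], secret)
    print(verify_response(accept, req_auth, secret))
    print(crack_shared_secret(accept, req_auth, [b"password", b"radius123", b"letmein"]))
```

The search is cheap because the only per-candidate work is one short MD5 update and a compare, which is exactly why the slide's remedy is a long, random, per-client secret rather than a word a dictionary will contain.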
Shared Secret Hygiene
All NASes are often viewed as a single client and given one shared secret; a small key size (short, human-chosen secrets) enables easy attack.
Request Authenticator Based Attacks
Passive User-Password Compromise through Repeated Request Authenticators: when a NAS repeats a Request Authenticator, both passwords are hidden with the same MD5(Secret + ReqAuth) value, so XORing the two User-Password attributes yields the XOR of the two passwords.
Active User-Password Compromise through Repeated Request Authenticators: the attacker builds a dictionary as before. When he predicts he can cause the NAS to use a certain ReqAuth, he attempts a connection with a known password and intercepts the Access-Request, recovering the hiding value for that ReqAuth.
Replay of Server Responses through Repeated Request Authenticators: the attacker builds a dictionary of ReqAuth, ID and the entire server response. Most server responses will be Access-Accept, so when the NAS reuses a ReqAuth the attacker replays the matching response.
RADIUS has several weaknesses:
Usage of an MD5-based stream cipher to hide the User-Password attribute
The Access-Request transaction is not authenticated at all
The RADIUS specification should require each client to use a different Shared Secret. It should also require the shared secret to be a random bit string at least 16 octets long, generated by a cryptographically secure PRNG.
DIAMETER was brought in to replace RADIUS and fix some of these flaws.
Diameter is an AAA (Authentication, Authorization and Accounting) protocol for applications such as network access or IP mobility. The basic concept is to provide a base protocol that can be extended in order to provide AAA services to new access technologies. Diameter is intended to work in both local and roaming AAA situations. Diameter operates on top of reliable transport protocols, TCP or SCTP, rather than UDP.
Fig: AVP format
Fig: DIAMETER packet structure
Better Proxying
Better Session Control
Better Security
Interoperability
Better Transport
Fig: Diameter protocol reaction time
Fig: RADIUS protocol reaction time
Fig: Traffic during connection to the primary server
Fig: Traffic during connection to the secondary server
Characteristic                          | RADIUS deficiency                                                                                                                                        | DIAMETER improvement
Strict limitation of attribute data     | Only 1 octet is reserved for the length of an attribute in its header, and that length counts the 2-octet header, so a value is at most 253 octets (field max. 255) | 3 octets are reserved for the AVP length (max. 16,777,215 octets per RFC 6733)
Inefficient retransmission algorithm    | Only 1 octet as Identifier field to identify retransmissions; this limits the number of requests that can be pending per client (at most 256 distinct values)  | 4 octets are reserved for this purpose (Hop-by-Hop Identifier, max. 2^32)
Inability to control flow to servers    | Operates over User Datagram Protocol (UDP) and has no standard scheme to regulate the flow                                                               | Runs over TCP or SCTP, whose transport-layer flow control (windowing scheme) regulates the flow
No support for vendor-specific commands | Supports vendor-specific attributes (VSAs), but not vendor-specific commands                                                                             | Supports vendor-specific command codes (as well as vendor-specific AVPs and applications)
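To make the field sizes in the table concrete, here is an added Python encoder and decoder for Diameter messages and AVPs following RFC 6733 (example code written for this page, not code from the slides or from any 3GPP project): 3-octet message and AVP lengths, 4-octet Hop-by-Hop and End-to-End identifiers, and the V flag plus Vendor-Id for vendor-specific AVPs. The demo message is constructed; the AVP codes 4242 and 4243 are hypothetical placeholders, while User-Name (1), AA-Request (265), the NASREQ application id (1) and Vendor-Id 10415 (3GPP) are assigned values.

```python
"""Diameter message and AVP encoding per RFC 6733, to show the field sizes in
the comparison table: 3-octet lengths, 4-octet identifiers, V flag + Vendor-Id."""
import struct

AVP_FLAG_V, AVP_FLAG_M = 0x80, 0x40   # Vendor-specific, Mandatory
CMD_FLAG_R = 0x80                      # Request bit; clear in an answer
VENDOR_3GPP = 10415                    # 3GPP's IANA enterprise number


def encode_avp(code: int, data: bytes, mandatory: bool = True, vendor_id=None) -> bytes:
    """AVP: Code(4) Flags(1) Length(3) [Vendor-Id(4)] Data, padded to a 4-octet
    boundary. Length counts the header and data but not the padding."""
    flags = AVP_FLAG_M if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_FLAG_V
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)
    if length >= 1 << 24:
        raise ValueError("AVP Length is a 24-bit field")
    header = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big") + vendor
    return header + data + b"\x00" * ((-len(data)) % 4)


def decode_avps(buf: bytes) -> list:
    avps, pos = [], 0
    while pos < len(buf):
        if pos + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code = struct.unpack("!I", buf[pos:pos + 4])[0]
        flags = buf[pos + 4]
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        if length < 8 or pos + length > len(buf):
            raise ValueError("bad AVP length %d" % length)
        data_start, vendor_id = pos + 8, None
        if flags & AVP_FLAG_V:
            if length < 12:
                raise ValueError("V flag set but no room for Vendor-Id")
            vendor_id = struct.unpack("!I", buf[pos + 8:pos + 12])[0]
            data_start = pos + 12
        avps.append({"code": code, "mandatory": bool(flags & AVP_FLAG_M),
                     "vendor_id": vendor_id, "data": buf[data_start:pos + length]})
        pos += length + ((-length) % 4)        # skip the padding too
    return avps


def encode_message(command_code: int, application_id: int, hop_by_hop: int,
                   end_to_end: int, avps: list, request: bool = True) -> bytes:
    """Header: Version(1)=1 Length(3) Flags(1) Command-Code(3) Application-ID(4)
    Hop-by-Hop Identifier(4) End-to-End Identifier(4), followed by the AVPs."""
    body = b"".join(avps)
    length = 20 + len(body)
    if length >= 1 << 24:
        raise ValueError("Message Length is a 24-bit field")
    flags = CMD_FLAG_R if request else 0
    return (bytes([1]) + length.to_bytes(3, "big") + bytes([flags]) + command_code.to_bytes(3, "big")
            + struct.pack("!III", application_id, hop_by_hop, end_to_end) + body)


def decode_message(pkt: bytes) -> dict:
    if len(pkt) < 20 or pkt[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(pkt[1:4], "big")
    if length != len(pkt):
        raise ValueError("Message Length %d does not match %d octets" % (length, len(pkt)))
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", pkt[8:20])
    return {"request": bool(pkt[4] & CMD_FLAG_R), "command_code": int.from_bytes(pkt[5:8], "big"),
            "application_id": app_id, "hop_by_hop": hop_by_hop, "end_to_end": end_to_end,
            "avps": decode_avps(pkt[20:])}


def demo_message() -> bytes:
    """Constructed example, not from the slides: an AA-Request (command code 265,
    NASREQ application 1) carrying a 300-octet AVP, which no single RADIUS
    attribute (253-octet value limit) could hold, plus a 3GPP vendor-specific AVP.
    AVP codes 4242 and 4243 are hypothetical placeholders for this example."""
    avps = [
        encode_avp(1, b"nemo@example.net"),                   # User-Name (code 1)
        encode_avp(4242, b"A" * 300),                         # hypothetical large AVP
        encode_avp(4243, b"xyz", vendor_id=VENDOR_3GPP),      # hypothetical vendor AVP
    ]
    return encode_message(265, 1, hop_by_hop=0x11223344, end_to_end=0xDEADBEEF, avps=avps)


if __name__ == "__main__":
    msg = demo_message()
    print(len(msg), decode_message(msg))
```

The decoder refuses lengths that do not match the buffer and V-flagged AVPs too short to hold a Vendor-Id; those are the checks a Diameter peer needs before trusting AVP boundaries on a stream transport, where a bad length desynchronises every following message.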
Consumer-Managed Applications
Enterprise-Managed Applications
Carrier-Managed Applications
Emerging Applications
Security and Identity Convergence
User-Centric AAA
Federation
RADIUS protocol
Offers fast user identification with few packets, but is in fact unable to control its traffic and the peers in the communication chain, and is ineffective in overly crowded networks.
Diameter protocol
Is recommended for congested networks because it can control its traffic.
Solves server inaccessibility problems much faster.
Is better equipped for dealing with the problems encountered in present-day networks.
untruth.org
J. Liu, S. Jiang, H. Lin, ibm.com (originally sourced via the Wikipedia article). Retrieved 2011-12-28.
Bernard Aboba, Jari Arkko, David Harrington, "Introduction to Accounting Management", RFC 2975, IETF, Oct. 2000.
"How Does RADIUS Work?". Cisco. 2006-01-19. Retrieved 2009-04-15.
RFC 2865, Remote Authentication Dial In User Service (RADIUS).
RFC 2866, RADIUS Accounting.
Pat R. Calhoun, Glen Zorn and Ping Pan (2001-02). "DIAMETER Framework Document". IETF. Retrieved 2009-04-30.
Naman Mehta (2009-03-20). "Introduction to Diameter Protocol - What is Diameter Protocol?". Sun Microsystems. Retrieved 2009-04-30.
Thank you