
Page 1: 1 May 14, 2007 Zhibi Wang, Simon Mizikovsky – Alcatel-Lucent Vidya Narayanan, Anand Palanigounder – QUALCOMM ABSTRACT: Access authentication architecture

1

May 14, 2007

Zhibi Wang, Simon Mizikovsky – Alcatel-Lucent

Vidya Narayanan, Anand Palanigounder – QUALCOMM

ABSTRACT: Access authentication architecture for the UMB RAN-AGW is provided. RECOMMENDATION: Review and approve.

Notice: Contributors grant a free, irrevocable license to 3GPP2 and its Organization Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner’s name any Organizational Partner’s standards publication even though it may include portions of the contribution; and at the Organization Partner’s sole discretion to permit others to reproduce in whole or in part such contributions or the resulting Organizational Partner’s standards publication. Contributors are also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner’s standard which incorporates this contribution.

This document has been prepared by the contributors to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on the contributors. Contributors specifically reserve the right to amend or modify the material contained herein and nothing herein shall be construed as conferring or offering licenses or rights with respect to any intellectual property of the contributors other than provided in the copyright statement above.

UMB Access Authentication Architecture

3GPP2 TSG-S WG4

Page 2

Access Authentication in UMB

• Initial authentication
  – AT authenticates to the H-AAA using EAP; S-RNC is the authenticator
  – The Master Session Key (MSK) is delivered via AAA to the S-RNC
    • AT and the H-AAA derive the MSK as part of the EAP method execution
    • If EAP Re-authentication Protocol (ERP) is supported, the AT and the H-AAA derive the DSRK
  – The H-AAA delivers the DSRK to the L-AAA via AAA protocol
  – AT initiates a 3-way key exchange protocol (KEP) with eBS to derive Transient Session Keys (TSKs)
    • Subsequent communication between the AT and eBS is protected by TSK
• If the MSK lifetime is close to expiry, a full EAP authentication is required through the S-RNC.
• In the S-RNC relocation case, a full EAP authentication may be required through the S-RNC.
• When a new eBS is added to the active set,
  – The AT may run full EAP authentication via the eBS. In this case, the S-RNC sends MSK’ (derived from MSK) to the eBS as part of the session. MSK’ derivation does not require interactions with AAA.
  – eBS may obtain MSK’ from S-RNC without performing a full EAP authentication.
  – The AT may run the EAP Re-authentication Protocol (ERP) via the eBS as the ER Authenticator. In this case, rMSK is delivered to the eBS from the Local AAA.

Page 3

Call flow: EAP Authentication and use of MSK’

Entities: AT, eBS, SRNC, VAAA (Proxy), AAA-L, HAAA.

1. UMB Session Setup (AT and SRNC)
2. EAP/UMB (AT and SRNC); EAP/AAA (SRNC and HAAA, through the VAAA proxy)
3. SRNC receives MSK and derives PMK-SRNC; AT derives MSK and PMK-SRNC
4. Key Exchange Protocol (AT and SRNC)
5. SRNC derives TSK; AT derives TSK
6. AT adds eBS to active set
7. RouteOpenRequest / KeyRequest (AT and eBS)
8. GetSession (eBS and SRNC)
9. SRNC derives MSK’; AT derives MSK’ = MSK-eBS and PMK-eBS
10. Session (MSK’) (SRNC and eBS)
11. eBS receives MSK’ = MSK-eBS and derives PMK-eBS
12. RouteOpenResponse / KeyResponse (eBS and AT)
13. AT derives TSK-eBS; eBS derives TSK-eBS
14. KeyComplete (AT and eBS)

Page 4

Introduction to Derived MSKs

• Derived MSK is delivered as part of session transfer
  – Standardization of EAP Re-authentication Protocol (described later) may not happen in time for UMB release
• Steps:
  – When AT performs EAP, an MSK is delivered to the SRNC
  – SRNC derives a PMK from the MSK and performs KEP with AT
    • PMK = EHMAC-SHA-256 (MSK, “PMK”)
  – When AT adds an eBS to the active set, the eBS fetches session from SRNC
  – SRNC computes MSK’ and provides that to the eBS along with the session
    • MSK’ = EHMAC-SHA-256 (MSK, “Temp MSK”, RouteCounter)
  – RouteCounter is monotonically increasing for every RouteOpen message
  – RouteCounter is sent by the AT and verified by the SRNC (so each RouteOpen yields a fresh MSK’ and a replayed RouteOpen cannot obtain a previously issued one)
  – eBS receives the MSK’ and makes it its MSK
    • eBS computes PMK from its MSK and runs KEP with the AT
  – Temp MSK or MSK’ has a configurable lifetime
    • eBS runs ERP or EAP full authentication before the lifetime expires

Page 5

EAP Re-authentication Protocol (ERP)

• EAP Re-authentication Protocol (ERP) streamlines the fast re-authentication process.
  – AT re-authenticates with the Local AAA (L-AAA) using the Domain-Specific Root Key (DSRK).
  – DSRK is computed from the EMSK and delivered to the L-AAA during the initial EAP procedure.
  – When the SRNC moves, effectively moving the Authenticator, there is no need for full EAP authentication with the HAAA.
• EAP Re-authentication (ERP), bootstrapping, and key hierarchy are specified in IETF draft-ietf-hokey-erx-01 (the draft that was later published as RFC 5296).

Page 6

Call flow: EAP Authentication and ERP

Entities: AT, eBS, SRNC, VAAA (Proxy), AAA-L, HAAA.

1. UMB Session Setup (AT and SRNC)
2. EAP/UMB (AT and SRNC); EAP/AAA (SRNC and HAAA, through the VAAA proxy)
3. SRNC receives MSK; AT derives MSK, EMSK and DSRK; AAA-L may receive DSRK
4. Key Exchange Protocol (AT and SRNC)
5. SRNC derives TSK; AT derives TSK
6. AT adds eBS to active set
7. RouteOpenRequest carrying EAP Initiate/Re-auth/UMB and KeyRequest (AT and eBS); EAP Initiate/Re-auth/AAA (eBS and AAA-L)
8. EAP Finish/Re-auth/AAA (AAA-L and eBS); RouteOpenResponse carrying EAP Finish/Re-auth/UMB and KeyResponse (eBS and AT)
9. eBS receives rMSK; AT derives rMSK
10. AT derives TSK-eBS; eBS derives TSK-eBS
11. KeyComplete (AT and eBS)
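The ERP path of slides 5 and 6, as an added example that is not code from the contribution or from the HOKEY draft. It keeps only the trust relationships the slides state: full EAP with the H-AAA yields MSK and EMSK at the AT; the DSRK is derived from the EMSK and delivered to the L-AAA; when an eBS is added, the AT's EAP Initiate/Re-auth is relayed by the eBS (the ER authenticator) to the L-AAA, which answers with EAP Finish/Re-auth and hands the rMSK to the eBS without involving the H-AAA. The KDF (HMAC-SHA-256 with ASCII labels), the 16-bit sequence number, the rIK-keyed authentication tag on the re-auth messages, the domain name and the class names are all assumptions of this sketch, not the draft's exact derivations or encodings.

```python
"""ERP-style local re-authentication when an eBS is added (added example, simplified)."""
import hashlib
import hmac
import os
import struct


def kdf(key: bytes, label: bytes, *ctx: bytes) -> bytes:
    """Toy KDF: HMAC-SHA-256(key, label || ctx). Stand-in, not the draft's KDF."""
    return hmac.new(key, label + b"".join(ctx), hashlib.sha256).digest()


def tag(rik: bytes, msg_type: bytes, seq: int) -> bytes:
    """Integrity tag over a re-auth message, keyed with an rIK derived from the DSRK (assumed encoding)."""
    return kdf(rik, msg_type, struct.pack(">H", seq))


class LocalAAA:
    """AAA-L: holds the DSRK for its domain and answers re-authentication locally."""

    def __init__(self) -> None:
        self.dsrk = None
        self.last_seq = -1

    def receive_dsrk(self, dsrk: bytes) -> None:
        """DSRK delivered by the H-AAA over the AAA protocol during the initial EAP run."""
        self.dsrk = dsrk

    def reauth(self, initiate: dict):
        """EAP Initiate/Re-auth/AAA in; (EAP Finish/Re-auth/AAA, rMSK for the ER authenticator) out."""
        rik = kdf(self.dsrk, b"rIK")
        seq = initiate["seq"]
        if not hmac.compare_digest(initiate["tag"], tag(rik, b"Initiate", seq)):
            raise ValueError("Initiate/Re-auth tag does not verify")
        if seq <= self.last_seq:                       # replay / out-of-order protection
            raise ValueError("re-auth SEQ %d replayed" % seq)
        self.last_seq = seq
        rmsk = kdf(self.dsrk, b"rMSK", struct.pack(">H", seq))
        return {"seq": seq, "tag": tag(rik, b"Finish", seq)}, rmsk


class AT:
    def __init__(self, eap_export: bytes, domain: bytes) -> None:
        # eap_export stands in for the EAP method's key export shared with the H-AAA.
        self.msk = kdf(eap_export, b"MSK")
        self.emsk = kdf(eap_export, b"EMSK")
        self.dsrk = kdf(self.emsk, b"DSRK", domain)   # DSRK from EMSK, domain-specific
        self.seq = 0

    def initiate(self) -> dict:
        """EAP Initiate/Re-auth/UMB, carried inside RouteOpenRequest to the new eBS."""
        self.seq += 1
        return {"seq": self.seq, "tag": tag(kdf(self.dsrk, b"rIK"), b"Initiate", self.seq)}

    def finish(self, msg: dict) -> bytes:
        """EAP Finish/Re-auth/UMB from the eBS: verify, then derive the same rMSK locally."""
        if not hmac.compare_digest(msg["tag"], tag(kdf(self.dsrk, b"rIK"), b"Finish", msg["seq"])):
            raise ValueError("Finish/Re-auth tag does not verify")
        return kdf(self.dsrk, b"rMSK", struct.pack(">H", msg["seq"]))


class EBS:
    """ER authenticator: relays Initiate/Finish to the L-AAA and keeps the rMSK it returns."""

    def __init__(self, aaa_l: LocalAAA) -> None:
        self.aaa_l = aaa_l
        self.rmsk = None

    def route_open(self, initiate: dict) -> dict:
        finish, self.rmsk = self.aaa_l.reauth(initiate)   # H-AAA is never contacted here
        return finish


def run_erp_flow() -> dict:
    domain = b"visited.example"            # constructed domain name
    eap_export = os.urandom(32)            # constructed stand-in for the EAP method output
    at = AT(eap_export, domain)
    haaa_dsrk = kdf(kdf(eap_export, b"EMSK"), b"DSRK", domain)   # H-AAA side of the same derivation
    aaa_l = LocalAAA()
    aaa_l.receive_dsrk(haaa_dsrk)

    ebs = EBS(aaa_l)
    initiate = at.initiate()
    rmsk_at = at.finish(ebs.route_open(initiate))

    try:                                   # the captured Initiate/Re-auth replayed at another eBS
        EBS(aaa_l).route_open(initiate)
        replay_rejected = False
    except ValueError:
        replay_rejected = True

    forged = {"seq": at.seq + 1, "tag": os.urandom(32)}   # request without the DSRK lineage
    try:
        EBS(aaa_l).route_open(forged)
        forgery_rejected = False
    except ValueError:
        forgery_rejected = True

    return {"rmsk_matches": rmsk_at == ebs.rmsk, "replay_rejected": replay_rejected,
            "forgery_rejected": forgery_rejected, "msk_not_exposed": ebs.rmsk != at.msk}


if __name__ == "__main__":
    print(run_erp_flow())
```

The point the sketch makes concrete is that the only long-term material the visited domain ever holds is the DSRK; the eBS sees a per-re-auth rMSK, the H-AAA's MSK never leaves the home side, and the L-AAA must enforce both the tag and a strictly increasing sequence number or a captured Initiate/Re-auth would reissue the same rMSK to whoever replays it.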

Page 7

MSK’ Derivation

Keys between SRNC & AT:
  MSK-SRNC
  PMK-SRNC = F2(MSK-SRNC)
  TSK-SRNC = F3(PMK-SRNC)

Keys between eBS1 & AT:
  MSK’-eBS1 = F1(MSK-SRNC), used by eBS1 as its MSK-eBS1
  PMK-eBS1 = F2(MSK-eBS1)
  TSK-eBS1 = F3(PMK-eBS1)

• F1: MSK’ = EHMAC-SHA-256 (MSK, “Temp MSK”, RouteCounter)
• F2: PMK = EHMAC-SHA-256 (MSK, “PMK”)
• F3: As defined in the air interface spec for Key Exchange Protocol (KEP)
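The derived-MSK hierarchy of slides 4 and 7, run through the MSK’ call flow of slide 3, as an added example that is not code from the contribution. It substitutes plain HMAC-SHA-256 over label || data for EHMAC-SHA-256 (the input encoding, including the 32-bit big-endian RouteCounter, is an assumption), stands in for F3 with a labelled HMAC over both sides' nonces because the real KEP derivation lives in the air-interface spec, and the SRNC, EBS and AT classes are illustrative. What it shows beyond the slides is the SRNC-side RouteCounter check in action: two eBSs added in sequence get distinct MSK’/PMK values, the SRNC's own PMK is never handed out, and a GetSession carrying a stale counter is refused.

```python
"""Derived-MSK hierarchy: MSK -> PMK -> TSK at the SRNC; MSK' = F1(MSK, RouteCounter) per eBS (added example)."""
import hashlib
import hmac
import os
import struct


def ehmac(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for EHMAC-SHA-256: HMAC-SHA-256 over the concatenated parts (assumed encoding)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def f1_temp_msk(msk: bytes, route_counter: int) -> bytes:
    """F1: MSK' = EHMAC-SHA-256(MSK, "Temp MSK", RouteCounter)."""
    return ehmac(msk, b"Temp MSK", struct.pack(">I", route_counter))


def f2_pmk(msk: bytes) -> bytes:
    """F2: PMK = EHMAC-SHA-256(MSK, "PMK")."""
    return ehmac(msk, b"PMK")


def f3_tsk(pmk: bytes, nonce_at: bytes, nonce_bs: bytes) -> bytes:
    """F3 stand-in for the KEP TSK derivation (the air-interface definition is not reproduced)."""
    return ehmac(pmk, b"TSK", nonce_at, nonce_bs)


class SRNC:
    """Holds the MSK delivered by the H-AAA after full EAP; releases only MSK', never MSK or its PMK."""

    def __init__(self, msk: bytes) -> None:
        self.msk = msk
        self.pmk = f2_pmk(msk)
        self.last_route_counter = -1

    def get_session(self, route_counter: int) -> bytes:
        """GetSession from an eBS: the AT-supplied RouteCounter must strictly increase, then Session(MSK') is returned."""
        if route_counter <= self.last_route_counter:
            raise ValueError("RouteCounter %d replayed or out of order" % route_counter)
        self.last_route_counter = route_counter
        return f1_temp_msk(self.msk, route_counter)


class EBS:
    """New active-set member: fetches the session from the SRNC and treats MSK' as its own MSK."""

    def __init__(self, srnc: SRNC) -> None:
        self.srnc = srnc
        self.pmk = None
        self.tsk = None

    def route_open(self, route_counter: int, nonce_at: bytes) -> bytes:
        """RouteOpenRequest/KeyRequest in: GetSession, derive PMK-eBS and TSK-eBS, return KeyResponse nonce."""
        msk_ebs = self.srnc.get_session(route_counter)
        self.pmk = f2_pmk(msk_ebs)
        nonce_bs = os.urandom(16)
        self.tsk = f3_tsk(self.pmk, nonce_at, nonce_bs)
        return nonce_bs


class AT:
    def __init__(self, msk: bytes) -> None:
        self.msk = msk                     # same MSK, derived from the EAP method run
        self.route_counter = 0

    def add_ebs(self, ebs: EBS) -> bytes:
        """RouteOpenRequest + KeyRequest, KeyResponse, KeyComplete; returns TSK-eBS as derived on the AT side."""
        self.route_counter += 1            # monotonically increasing for every RouteOpen
        nonce_at = os.urandom(16)
        nonce_bs = ebs.route_open(self.route_counter, nonce_at)
        pmk_ebs = f2_pmk(f1_temp_msk(self.msk, self.route_counter))   # AT computes MSK' and PMK-eBS itself
        return f3_tsk(pmk_ebs, nonce_at, nonce_bs)


def run_derived_msk_flow() -> dict:
    msk = os.urandom(64)                   # constructed MSK; delivered via AAA to the SRNC, derived by the AT
    srnc, at = SRNC(msk), AT(msk)
    ebs1, ebs2 = EBS(srnc), EBS(srnc)
    tsk1_at = at.add_ebs(ebs1)
    tsk2_at = at.add_ebs(ebs2)

    stale = at.route_counter - 1           # an eBS presenting an already-used RouteCounter
    try:
        srnc.get_session(stale)
        replay_rejected = False
    except ValueError:
        replay_rejected = True

    return {
        "tsk1_matches": tsk1_at == ebs1.tsk,
        "tsk2_matches": tsk2_at == ebs2.tsk,
        "per_ebs_keys_differ": ebs1.pmk != ebs2.pmk,
        "replay_rejected": replay_rejected,
        "srnc_pmk_not_shared": srnc.pmk not in (ebs1.pmk, ebs2.pmk),
    }


if __name__ == "__main__":
    print(run_derived_msk_flow())
```

Because F1 is a keyed one-way function of the SRNC's MSK, an eBS holding MSK’ cannot recover the MSK or any other eBS's MSK’; the freshness of each MSK’ therefore rests entirely on the SRNC refusing a RouteCounter that does not exceed the last one it accepted, which is why that check sits at the SRNC rather than at the eBS.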