R-UIM Support for Secure LBS (Stage 2)
Zhimin Du, Lijun Zhao
zdu, [email protected]
Qualcomm Incorporated
June 20, 2005
Copyright Notice
© 2005 QUALCOMM Incorporated. All rights reserved.

QUALCOMM Incorporated grants a free, irrevocable license to 3GPP2 and its Organization Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner's name any Organizational Partner's standards publication even though it may include portions of the contribution; and at the Organization Partner's sole discretion to permit others to reproduce in whole or in part such contributions or the resulting Organizational Partner's standards publication. Qualcomm Incorporated is also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner's standard which incorporates this contribution.

This document has been prepared by Qualcomm Incorporated to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on Qualcomm Incorporated. Qualcomm Incorporated specifically reserves the right to amend or modify the material contained herein and nothing herein shall be construed as conferring or offering licenses or rights with respect to any intellectual property of Qualcomm Incorporated other than provided in the copyright statement above.

Qualcomm Incorporated may hold one or more patents or copyrights that cover information contained in this contribution. A license will be made available to applicants under reasonable terms and conditions that are demonstrably free of any unfair discrimination. Qualcomm Incorporated reserves the right to use all material submitted in this contribution for its own purposes, including republication and distribution to others.
Outline
• Background and overview
• Four protocols in S.P0110
  – LCS Provisioning Protocol
  – S-SAFE Protocol
  – TLS Session-A Protocol
  – TLS Session-B Protocol
• Proposed changes in C.S0023
Background (1/2)
Security functional architecture for IP-based LCS (figure; entities and interfaces as labelled)
– Mobile Station: ME + UIM, hosting the MS-LCS Client
– Network side: Access Network, IP Cloud, H-PS, S-PS, PDE in Home Network, PDE in Visited Network
– Interfaces: LCS-x (store-and-forward), LCS-y, LCS-z
Background (2/2)
NI call flow example (from X.P0024), figure redrawn as a message list. Parties: LBA LCS Client, Home PS, MS LCS Client (MS), PDE.
a. IP_LOC_REQ [MSidentity, PQOS, LBA_ID] (LBA LCS Client → Home PS)
b. SUPL_INIT [PQOS, LCS_CORRID, POSMODE] (PS → MS)
c. SUPL_START [MSID, LCS_CORRID, MS_INFO, PQOS, ServingCellinfo, POSMODE] (MS → PS)
d. PDE_REQ [MSID, LCS_CORRID, MS_INFO, PQOS, ServingCellinfo] (PS → PDE)
e. PDE_ACK [PORTNUM] (PDE → PS)
f. SUPL_RESPONSE [LCS_CORRID, RESPONSE_TYPE, PDE_ADDRS] (PS → MS)
g. SUPL_POS [MSID, LCS_CORRID, TIA-801 message] (MS → PDE)
h. SUPL_POS [MSID, LCS_CORRID, TIA-801 message] (PDE → MS)
i. PDE_RESPONSE [MSID, LCS_CORRID, POSINFO, POSRESULT] (PDE → PS)
j. IP_LOC_RESP [POSINFO] (PS → LBA LCS Client)
Timers shown in the figure: TINIT, TSUPL, TPDE1, TPDE2, TPD.
S.P0110: IP-based Location Services Security Framework
• Developed in TSG-S, for security of X.P0024 IP-based Location Services
• Comprises 4 protocols:
  – LCS Provisioning Protocol
    » for key provisioning and derivation
  – S-SAFE Protocol
    » to secure the NI trigger message SUPL_INIT (step b on the previous slide)
  – TLS Session-A Protocol
    » to secure the LCS-x interface communications between MS and H-PS (steps c and f on the previous slide)
  – TLS Session-B Protocol
    » to secure the LCS-y interface communications between MS and PDE; applied only in non-proxy mode (mainly steps g and h on the previous slide)
LCS Provisioning Protocol (1/3)
• LCS_ROOT_KEY
  – The root key of IP-based LCS for one subscriber. All other keys are derived from it.
  – Provisioned into H-PS and UIM (during manufacturing, through OTASP, or derived from a more general root key).
  – Invisible to ME, PDE and other entities.
• LCS_UIM_S_SAFE_KEY
  – Derived from LCS_ROOT_KEY with the f3 algorithm specified in S.S0055-A (by UIM and H-PS, separately)
    » f3 (K=LCS_ROOT_KEY, fi=0x45, RAND="LCS_UIM_S_SAFE_K", Fmk=0x004B4352)
  – Only used in the S-SAFE protocol.
  – Invisible to ME, PDE and other entities.
LCS Provisioning Protocol (2/3)
• LCS_UIM_HPS_TLS_PSK_KEY
  – Derived from LCS_ROOT_KEY with the f3 algorithm specified in S.S0055-A (by UIM and H-PS, separately)
    » f3 (K=LCS_ROOT_KEY, fi=0x45, RAND="LCS_UIM_HPS_TLS_", Fmk=0x004B4352)
  – Only used in the TLS Session-A protocol.
  – Invisible to ME, PDE and other entities.
• LCS_UIM_PDE_ROOT_KEY
  – Derived from LCS_ROOT_KEY with the f3 algorithm specified in S.S0055-A (by UIM and H-PS, separately)
    » f3 (K=LCS_ROOT_KEY, fi=0x45, RAND="LCS_UIM_PDE_ROOT", Fmk=0x004B4352)
  – Used to derive the LCS_UIM_PDE_TLS_PSK_KEY for each PDE assignment, which is used in the TLS Session-B protocol to secure LCS-y communications.
  – Invisible to ME, PDE and other entities.
LCS Provisioning Protocol (3/3)
• LCS_UIM_PDE_TLS_PSK_KEY derivation
  – H-PS generates an LCS_UIM_PDE_TLS_PSK_RAND with the f0 algorithm
  – H-PS derives LCS_UIM_PDE_TLS_PSK_KEY from LCS_UIM_PDE_ROOT_KEY and LCS_UIM_PDE_TLS_PSK_RAND with the f3 algorithm
    » f3 (K=LCS_UIM_PDE_ROOT_KEY, fi=0x45, RAND=LCS_UIM_PDE_TLS_PSK_RAND, Fmk=0x004B4352)
  – H-PS passes LCS_UIM_PDE_TLS_PSK_VERSION, LCS_UIM_PDE_TLS_PSK_EXPIRY, LCS_UIM_PDE_TLS_PSK_RAND and LCS_UIM_PDE_TLS_PSK_KEY to the PDE (via the S-PS when needed, e.g. when roaming)
  – H-PS passes LCS_UIM_PDE_TLS_PSK_VERSION, LCS_UIM_PDE_TLS_PSK_EXPIRY and LCS_UIM_PDE_TLS_PSK_RAND to the MS in the SUPL_RESPONSE message (under TLS Session-A protection, i.e. through the TLS Application Data Protocol)
  – UIM derives LCS_UIM_PDE_TLS_PSK_KEY itself with the same algorithm
  – LCS_UIM_PDE_TLS_PSK_KEY is used in the TLS Session-B Protocol
  – LCS_UIM_PDE_TLS_PSK_KEY is invisible to the ME.
S-SAFE Protocol (1/2)
• S-SAFE: Secure Store And Forward Encapsulation
  – Provides authenticity, integrity protection, freshness protection and (optional) encryption of data in store-and-forward messages.
  – H-PS forms an Envelope to enable these functions.

Envelope layout (Parameter Name: Octets)
  LCS_S_SAFE_GEN_TIME: 4
  LCS_S_SAFE_LOG_LIFE_TIME: 1
  LCS_S_SAFE_VERSION: 2 (defined in Section 5.2.1)
  LCS_S_SAFE_GOODIES_LENGTH: 2
  LCS_S_SAFE_GOODIES, consisting of:
    LCS_S_SAFE_ALG: 2
    LCS_S_SAFE_RAND: 16
    LCS_S_SAFE_PAYLOAD_LEN (= LCS_S_SAFE_DATA_LEN): 2
    LCS_S_SAFE_PAYLOAD: variable
  LCS_S_SAFE_MAC: 8
S-SAFE Protocol (2/2)
• Processing on receipt
  – ME performs the Expiry Check and Replay Detection using LCS_S_SAFE_GEN_TIME and LCS_S_SAFE_LOG_LIFE_TIME
  – If successful, ME passes the envelope to the UIM
  – UIM derives LCS_S_SAFE_CK from LCS_UIM_S_SAFE_KEY and LCS_S_SAFE_RAND with the f3 algorithm
    » f3 (K=LCS_UIM_S_SAFE_KEY, fi=0x45, RAND=LCS_S_SAFE_RAND, Fmk=0x004B4352)
  – UIM derives LCS_S_SAFE_IK from LCS_UIM_S_SAFE_KEY and LCS_S_SAFE_RAND with the f4 algorithm
    » f4 (K=LCS_UIM_S_SAFE_KEY, fi=0x46, RAND=LCS_S_SAFE_RAND, Fmk=0x004B4352)
  – UIM performs the Integrity Check using the MAC generation algorithm with LCS_S_SAFE_IK over LCS_S_SAFE_MAC_DATA
  – If successful, UIM performs Decryption using the cipher algorithm with LCS_S_SAFE_CK on LCS_S_SAFE_PAYLOAD
    » This step is skipped if encryption is not enabled (indicated by LCS_S_SAFE_CIPHER_ALG=0x00)
  – UIM passes LCS_S_SAFE_DATA_LEN and LCS_S_SAFE_DATA (here, the SUPL_INIT message) to the ME
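The envelope processing on the two S-SAFE slides, worked through in Python as an added example (not code from this contribution, from S.P0110 or from Qualcomm): the H-PS builds an envelope, the ME does the expiry and replay check on the clear-text header without holding any key, and the UIM derives IK, checks the MAC and only then releases the data. The f3/f4 kernels of S.S0055-A and the ehmacsha MAC of S.S0078-A are replaced by HMAC-SHA-1 stand-ins labelled as such; the GOODIES layout (ALG || RAND || PAYLOAD_LEN || PAYLOAD), the split of the two LCS_S_SAFE_ALG octets into a cipher octet and a MAC octet, the MAC coverage (everything before the MAC) and the LOG_LIFE_TIME encoding (log2 of the lifetime in seconds) are assumptions; only the NULL cipher path is implemented; the keys, RAND and SUPL_INIT bytes are constructed.

```python
"""Added example: S-SAFE envelope built by the H-PS, screened by the ME and
opened by the UIM. Not code from the contribution or from S.P0110."""
import hashlib
import hmac
import struct

FMK = 0x004B4352             # Fmk value named on the slides
FI_F3, FI_F4 = 0x45, 0x46    # fi values named for f3 (CK) and f4 (IK)
CIPHER_NULL = 0x00           # LCS_S_SAFE_CIPHER_ALG: encryption off
MAC_EHMACSHA = 0x01          # LCS_S_SAFE_MAC_ALG
HEADER = ">IBHH"             # GEN_TIME(4) LOG_LIFE_TIME(1) VERSION(2) GOODIES_LENGTH(2)
MAC_LEN = 8


def f_standin(key, fi, rand, fmk=FMK):
    """Stand-in for the S.S0055-A f3/f4 kernel (assumption: HMAC-SHA-1 over
    fi || Fmk || RAND, truncated to 128 bits). Not the standardised algorithm."""
    msg = bytes([fi]) + fmk.to_bytes(4, "big") + rand
    return hmac.new(key, msg, hashlib.sha1).digest()[:16]


def mac_standin(ik, data):
    """Stand-in for ehmacsha [S.S0078-A]; only the 8-octet tag length is from the deck."""
    return hmac.new(ik, data, hashlib.sha1).digest()[:MAC_LEN]


def hps_build_envelope(s_safe_key, gen_time, log_life_time, version, rand, data,
                       cipher_alg=CIPHER_NULL):
    """H-PS side. Assumed layout: GOODIES = ALG(2) || RAND(16) || PAYLOAD_LEN(2)
    || PAYLOAD, ALG = cipher octet || MAC octet, MAC over all preceding bytes."""
    if cipher_alg != CIPHER_NULL:
        raise NotImplementedError("only the NULL cipher is implemented in this example")
    payload = data  # NULL cipher: PAYLOAD is DATA in the clear
    goodies = (struct.pack(">BB", cipher_alg, MAC_EHMACSHA) + rand
               + struct.pack(">H", len(payload)) + payload)
    mac_data = struct.pack(HEADER, gen_time, log_life_time, version, len(goodies)) + goodies
    ik = f_standin(s_safe_key, FI_F4, rand)
    return mac_data + mac_standin(ik, mac_data)


def me_check(envelope, now, seen_gen_times):
    """ME side: expiry check and replay detection on the clear-text header; the
    ME holds no key. Assumptions: LOG_LIFE_TIME is log2 of the lifetime in
    seconds, and a GEN_TIME accepted before within its lifetime is a replay."""
    gen_time, log_life, _version, _glen = struct.unpack_from(HEADER, envelope)
    if now > gen_time + (1 << log_life):
        return "expired"
    if gen_time in seen_gen_times:
        return "replay"
    seen_gen_times.add(gen_time)  # a real ME would prune entries past their lifetime
    return "ok"


def uim_verify_and_decrypt(s_safe_key, envelope):
    """UIM side: derive IK, check the MAC first, decrypt only on success.
    Returns (LCS_S_SAFE_DATA_LEN, LCS_S_SAFE_DATA), or None if the check fails."""
    hlen = struct.calcsize(HEADER)
    _gen, _log, _ver, glen = struct.unpack_from(HEADER, envelope)
    mac_data, mac = envelope[:hlen + glen], envelope[hlen + glen:]
    goodies = envelope[hlen:hlen + glen]
    if len(mac) != MAC_LEN or len(goodies) != glen or glen < 20:
        return None
    cipher_alg, mac_alg, rand = goodies[0], goodies[1], goodies[2:18]
    (plen,) = struct.unpack_from(">H", goodies, 18)
    payload = goodies[20:20 + plen]
    if mac_alg != MAC_EHMACSHA or len(payload) != plen:
        return None
    ik = f_standin(s_safe_key, FI_F4, rand)
    if not hmac.compare_digest(mac_standin(ik, mac_data), mac):
        return None  # integrity check failed: nothing is decrypted or released
    if cipher_alg != CIPHER_NULL:
        # CK = f_standin(s_safe_key, FI_F3, rand) would key ESP_AES here
        raise NotImplementedError("cipher 0x%02x not implemented in this example" % cipher_alg)
    return plen, payload


# Constructed demo values, not taken from the deck.
LCS_ROOT_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
S_SAFE_KEY = f_standin(LCS_ROOT_KEY, FI_F3, b"LCS_UIM_S_SAFE_K")  # provisioning-slide derivation, stand-in kernel
GEN_TIME = 1119225600        # 2005-06-20 00:00 UTC
RAND = bytes(range(16))
SUPL_INIT = b"SUPL_INIT LCS_CORRID=7 PQOS=1 POSMODE=1"  # stand-in for the real NI trigger


def demo():
    env = hps_build_envelope(S_SAFE_KEY, GEN_TIME, 10, 0x0001, RAND, SUPL_INIT)
    seen = set()
    results = {
        "first": me_check(env, GEN_TIME + 60, seen),      # "ok"
        "replay": me_check(env, GEN_TIME + 61, seen),     # "replay"
        "late": me_check(env, GEN_TIME + 5000, set()),    # "expired": 2**10 s lifetime
        "opened": uim_verify_and_decrypt(S_SAFE_KEY, env),
    }
    tampered = bytearray(env)
    tampered[-MAC_LEN - 1] ^= 0x01                         # flip one payload bit
    results["tampered"] = uim_verify_and_decrypt(S_SAFE_KEY, bytes(tampered))  # None
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering is the point: the ME can reject stale or replayed envelopes without any key, so a flood of replays never reaches the card, and the UIM verifies the MAC before it touches the payload, so a forged envelope never gets decrypted and LCS_UIM_S_SAFE_KEY never leaves the card.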
TLS Protocol Brief
General Transport Layer Security protocol (IETF RFC 2246)

  Client                                   Server
  ------                                   ------
  ClientHello[H]            -------->
                                           ServerHello[H]
                            <--------      ServerHelloDone[H]
  ClientKeyExchange[H]
  ChangeCipherSpec[C]
  Finished[H]               -------->
                                           ChangeCipherSpec[C]
                            <--------      Finished[H]
  Application Data[D]       <------->      Application Data[D]

• [H] Handshake protocol
• [C] Change cipher spec protocol
• [D] Application data protocol
• Note: the Finished message includes verify_data, which provides the authentication.
TLS Session-A Protocol
• TLS Session-A protocol is based on the TLS protocol with LCS_UIM_HPS_TLS_PSK_KEY as Pre-Shared Key
• Two protocols:
  – Handshake Protocol
  – Application Data Protocol

Handshake between ME (with UIM) and H-PS (figure redrawn as a sequence):
1. ME generates client_random and sends ClientHello(session_id (opt), client_random); the session_id is included if the ME wants to resume a session.
2. H-PS decides whether to resume the session and whether to assign a session_id, generates server_random, and sends ServerHello(session_id (opt), server_random) and ServerHelloDone. If the H-PS agrees to resume a previous session, the flow skips the ClientKeyExchange and goes straight to the ChangeCipherSpec + Finished exchange.
3. ME sends ClientKeyExchange(psk_identity = MIN or IMSI).
4. ME passes Other_secret, client_random and server_random to the UIM, which returns the session secrets. H-PS forms other_secret and generates the session secrets itself.
5. ME forms the MS verify_digest and passes Other_secret and MS verify_digest to the UIM, which returns MS verify_data. ME sends ChangeCipherSpec + Finished(MS verify_data); H-PS confirms MS verify_data.
6. H-PS forms the H-PS verify_digest, generates H-PS verify_data and sends ChangeCipherSpec + Finished(H-PS verify_data). ME forms the H-PS verify_digest and passes Other_secret and H-PS verify_digest to the UIM, which returns H-PS verify_data; ME confirms it against the received value.
7. Application Data (encrypted with the session secrets).
R-UIM Functionality in TLS Session-A
Two types of ME and R-UIM interactions
• Session Secret Generation
  – ME sends Other_Secret, Master_Client_RAND, Master_Server_RAND, Current_Client_RAND, Current_Server_RAND, Server_Version and Cipher_Suite to the R-UIM as input parameters.
  – R-UIM runs the process to generate the Session_Secret and returns it.
  – ME and H-PS use Session_Secret for bulk ciphering and integrity protection of application data.
• Verify Data Generation
  – ME generates Verify_Digest, and sends Verify_Digest, Other_Secret, Master_Client_RAND, Master_Server_RAND and Finished_Label to the R-UIM as input parameters.
  – R-UIM runs the process to generate the Verify_Data and returns it.
  – ME and H-PS authenticate each other by comparing the received Verify_Data with the locally recomputed Verify_Data.
TLS Session-B Protocol
• TLS Session-B protocol is based on the TLS protocol with LCS_UIM_PDE_TLS_PSK_KEY (derived from LCS_UIM_PDE_ROOT_KEY) as Pre-Shared Key
• Two main portions:
  – Assignment
  – Interaction, including Handshake Protocol and Application Data Protocol

Assignment (figure redrawn):
– H-PS generates PSK_VERSION, PSK_EXPIRY and PSK_RAND, and generates the PSK from PDE_ROOT_KEY and PSK_RAND.
– H-PS passes PSK_VERSION, PSK_EXPIRY, PSK_RAND and PSK_KEY to the PDE, and PSK_VERSION, PSK_EXPIRY and PSK_RAND to the MS.
– UIM forms PSK_KEY from PSK_RAND and PDE_ROOT_KEY.

Interaction between ME (with UIM) and PDE (figure redrawn as a sequence):
1. ME generates client_random and sends ClientHello(session_id (opt), client_random); the session_id is included if the ME wants to resume a session.
2. PDE decides whether to resume the session and whether to assign a session_id, generates server_random, and sends ServerHello(session_id (opt), server_random) and ServerHelloDone. If the PDE agrees to resume a previous session, the flow skips the ClientKeyExchange and goes straight to the ChangeCipherSpec + Finished exchange.
3. ME sends ClientKeyExchange(psk_identity = PSK_VERSION, PSK_RAND).
4. ME passes PSK_VERSION, PSK_RAND, other_secret, client_random and server_random to the UIM; the UIM forms PSK_KEY as above and returns the session secrets. PDE forms other_secret and generates the session secrets from the PSK_KEY it was assigned.
5. ME forms the MS verify_digest and passes PSK_VERSION, PSK_RAND, other_secret and MS verify_digest to the UIM, which returns MS verify_data. ME sends ChangeCipherSpec + Finished(MS verify_data); PDE confirms MS verify_data.
6. PDE forms the PDE verify_digest, generates PDE verify_data and sends ChangeCipherSpec + Finished(PDE verify_data). ME forms the PDE verify_digest and passes other_secret and PDE verify_digest (with PSK_VERSION and PSK_RAND) to the UIM, which returns PDE verify_data; ME confirms it against the received value.
7. Application Data (encrypted with the session secrets).
R-UIM Functionality in TLS Session-B
Two types of ME and R-UIM interactions (the same procedures as in Session-A, with extra input parameters so that LCS_UIM_PDE_TLS_PSK_KEY is generated first)
• Session Secret Generation
  – ME sends PSK_Protocol_Version, PSK_RAND, Other_Secret, Master_Client_RAND, Master_Server_RAND, Current_Client_RAND, Current_Server_RAND, Server_Version and Cipher_Suite to the R-UIM as input parameters.
  – R-UIM runs the process to generate the Session_Secret and returns it.
  – ME and PDE use Session_Secret for bulk ciphering and integrity protection of application data.
• Verify Data Generation
  – ME generates Verify_Digest, then sends PSK_Protocol_Version, PSK_RAND, Verify_Digest, Other_Secret, Master_Client_RAND, Master_Server_RAND and Finished_Label to the R-UIM as input parameters.
  – R-UIM runs the process to generate the Verify_Data and returns it.
  – ME and PDE authenticate each other by comparing the received Verify_Data with the locally recomputed Verify_Data.
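The TLS Session-A and Session-B handshakes and the key hierarchy of the LCS Provisioning Protocol slides, worked through in Python as an added example (not code from this contribution, from S.P0110, C.S0023 or Qualcomm). The TLS 1.0 PRF, the PSK premaster construction, the key block and the verify_data derivation are as specified in RFC 2246 and RFC 4279; the f3 kernel is an HMAC-SHA-1 stand-in labelled as such; the RUIM class and its method names, the cipher suite TLS_PSK_WITH_AES_128_CBC_SHA (picked to match the AES_128_CBC and HMAC-SHA-1 requirements on the Security Function Requirements slides) and all keys, randoms and transcript bytes are assumptions or constructed values.

```python
"""Added example: key hierarchy of the provisioning slides and the ME/R-UIM
split of the TLS Session-A and Session-B handshakes. Not code from the
contribution, S.P0110 or C.S0023; the card keeps every PSK and master secret."""
import hashlib
import hmac
import struct

FMK = 0x004B4352
FI_F3 = 0x45
SERVER_VERSION = (3, 1)                   # TLS 1.0, the Server_version required of R-UIM and ME
TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C     # RFC 4279 suite with AES_128_CBC and HMAC-SHA-1
KEY_BLOCK_LEN = 2 * 20 + 2 * 16 + 2 * 16  # MAC secrets, write keys, IVs (RFC 2246 6.3)
PSK_VERSION_1 = 0x0001


def f3_standin(key, rand, fmk=FMK):
    """Stand-in for S.S0055-A f3 (assumption: HMAC-SHA-1 over fi||Fmk||RAND,
    truncated to 128 bits). Not the standardised kernel."""
    msg = bytes([FI_F3]) + fmk.to_bytes(4, "big") + rand
    return hmac.new(key, msg, hashlib.sha1).digest()[:16]


def _p_hash(hash_fn, secret, seed, length):
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_fn).digest()
        out += hmac.new(secret, a + seed, hash_fn).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """RFC 2246 section 5: P_MD5 over the first half of the secret XOR P_SHA-1
    over the second half; the halves share one byte when the length is odd."""
    half = (len(secret) + 1) // 2
    md5_part = _p_hash(hashlib.md5, secret[:half], label + seed, length)
    sha_part = _p_hash(hashlib.sha1, secret[len(secret) - half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def master_secret(psk, other_secret, master_client_rand, master_server_rand):
    """RFC 4279 premaster = other_secret<0..2^16-1> || psk<0..2^16-1>; for plain
    PSK the ME supplies other_secret as len(psk) zero octets."""
    premaster = (struct.pack(">H", len(other_secret)) + other_secret
                 + struct.pack(">H", len(psk)) + psk)
    return tls10_prf(premaster, b"master secret", master_client_rand + master_server_rand, 48)


def key_block(master, current_client_rand, current_server_rand):
    """Session secrets; on resumption the current randoms differ from the master ones."""
    return tls10_prf(master, b"key expansion", current_server_rand + current_client_rand, KEY_BLOCK_LEN)


def verify_data(master, finished_label, digest):
    return tls10_prf(master, finished_label, digest, 12)


def verify_digest(handshake_messages):
    """Computed by the ME (RFC 2246 7.4.9): MD5 || SHA-1 of the handshake transcript."""
    return hashlib.md5(handshake_messages).digest() + hashlib.sha1(handshake_messages).digest()


class RUIM:
    """Card side: holds LCS_ROOT_KEY and the keys derived from it; only session
    secrets and verify_data ever leave the card."""

    def __init__(self, lcs_root_key):
        self._hps_psk = f3_standin(lcs_root_key, b"LCS_UIM_HPS_TLS_")   # LCS_UIM_HPS_TLS_PSK_KEY
        self._pde_root = f3_standin(lcs_root_key, b"LCS_UIM_PDE_ROOT")  # LCS_UIM_PDE_ROOT_KEY

    def _psk(self, session, psk_version, psk_rand):
        if session == "A":
            return self._hps_psk
        if psk_version != PSK_VERSION_1:
            raise ValueError("unsupported LCS_UIM_PDE_TLS_PSK_VERSION")
        return f3_standin(self._pde_root, psk_rand)  # LCS_UIM_PDE_TLS_PSK_KEY for this assignment

    def session_secret(self, session, other_secret, master_client_rand, master_server_rand,
                       current_client_rand, current_server_rand, server_version, cipher_suite,
                       psk_version=None, psk_rand=None):
        if server_version != SERVER_VERSION or cipher_suite != TLS_PSK_WITH_AES_128_CBC_SHA:
            raise ValueError("outside the Server_version/cipher suite profile")
        m = master_secret(self._psk(session, psk_version, psk_rand), other_secret,
                          master_client_rand, master_server_rand)
        return key_block(m, current_client_rand, current_server_rand)

    def verify_data(self, session, digest, other_secret, master_client_rand, master_server_rand,
                    finished_label, psk_version=None, psk_rand=None):
        m = master_secret(self._psk(session, psk_version, psk_rand), other_secret,
                          master_client_rand, master_server_rand)
        return verify_data(m, finished_label, digest)


def demo():
    """Constructed values. H-PS and PDE compute with the PSK directly; the ME
    drives the card with the parameter lists of the R-UIM functionality slides."""
    root = bytes.fromhex("00112233445566778899aabbccddeeff")
    card = RUIM(root)
    hps_psk = f3_standin(root, b"LCS_UIM_HPS_TLS_")   # H-PS derives the same sub-keys
    pde_root = f3_standin(root, b"LCS_UIM_PDE_ROOT")
    c_rand, s_rand = bytes([0xC1]) * 32, bytes([0x51]) * 32
    other = bytes(len(hps_psk))                        # plain PSK: all-zero other_secret
    transcript = b"ClientHello|ServerHello|ServerHelloDone|ClientKeyExchange psk_identity=IMSI"
    suite = TLS_PSK_WITH_AES_128_CBC_SHA
    a_master = master_secret(hps_psk, other, c_rand, s_rand)
    psk_rand = bytes(range(16))                        # H-PS assigns PSK_RAND, hands PSK to the PDE
    b_master = master_secret(f3_standin(pde_root, psk_rand), other, c_rand, s_rand)
    return {
        "a_uim": card.session_secret("A", other, c_rand, s_rand, c_rand, s_rand, SERVER_VERSION, suite),
        "a_hps": key_block(a_master, c_rand, s_rand),
        "a_ms_vd_uim": card.verify_data("A", verify_digest(transcript), other, c_rand, s_rand, b"client finished"),
        "a_ms_vd_hps": verify_data(a_master, b"client finished", verify_digest(transcript)),
        "b_uim": card.session_secret("B", other, c_rand, s_rand, c_rand, s_rand, SERVER_VERSION, suite,
                                     PSK_VERSION_1, psk_rand),
        "b_pde": key_block(b_master, c_rand, s_rand),
    }
```

The split is the point: the ME hands in other_secret, the randoms and the verify_digest, exactly the parameter lists on the R-UIM functionality slides, and gets back only the key block and the 12-byte verify_data; neither LCS_UIM_HPS_TLS_PSK_KEY, LCS_UIM_PDE_ROOT_KEY nor a master secret crosses the ME/R-UIM interface. The master secret is bound to the randoms of the original handshake while the key block uses the current ones, which is why Master_*_RAND and Current_*_RAND are separate inputs and why resumption yields fresh session secrets from an unchanged master secret.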
Security Function Requirements to R-UIM and ME (1/2)
• R-UIM Side

Protocol | Function | Algorithm Version | Algorithm Specifier | Algorithm | Specified in (Reference, Section)
S-SAFE | LCS_S_SAFE_CK Generation | LCS_S_SAFE_VERSION = 0x0001 | N/A | f3 | [S.S0055-A] 2.2.2.6
S-SAFE | LCS_S_SAFE_IK Generation | LCS_S_SAFE_VERSION = 0x0001 | N/A | f4 | [S.S0055-A] 2.2.2.7
S-SAFE | Decryption | LCS_S_SAFE_VERSION = 0x0001 | LCS_S_SAFE_CIPHER_ALG = 0x00 | NULL | N/A
S-SAFE | Decryption | LCS_S_SAFE_VERSION = 0x0001 | LCS_S_SAFE_CIPHER_ALG = 0x01 | ESP_AES | [S.S0055-A] 2.3.2.2.4
S-SAFE | LCS_S_SAFE_MAC Generation | LCS_S_SAFE_VERSION = 0x0001 | LCS_S_SAFE_MAC_ALG = 0x01 | ehmacsha | [S.S0078-A] 2.1.2.1
TLS Session-A | Functions for generating master_secret, session_secrets and verify_data | Server_version = (3,1) | N/A | PRF | [RFC2246] 5
TLS Session-B | LCS_UIM_PDE_TLS_PSK_KEY Generation | LCS_UIM_PDE_TLS_PSK_VERSION = 0x0001 | - | f3 | [S.S0055-A] 2.2.2.6
TLS Session-B | Functions for generating master_secret, session_secrets and verify_data | Server_version = (3,1) | N/A | PRF | [RFC2246] 5
Security Function Requirements to R-UIM and ME (2/2)
• ME Side

Protocol | Function | Algorithm Version | Algorithm Specifier | Algorithm | Specified in (Reference, Section)
S-SAFE | - | - | - | - | -
TLS Session-A + TLS Session-B | Computing verify_digest | Server_version = (3,1) | N/A | MD5, SHA-1 | [RFC2246] 7.4.9
TLS Session-A + TLS Session-B | Bulk ciphering for application data | Server_version = (3,1) | BulkCipherAlgorithm = AES_128_CBC | AES_128_CBC | [RFC3268]
TLS Session-A + TLS Session-B | MAC algorithm for application data | Server_version = (3,1) | MACAlgorithm = SHA | HMAC-SHA-1 | [RFC2246] A.6
TLS Session-B | LCS_TIME | LCS_UIM_PDE_TLS_PSK_VERSION = 0x0001 | N/A | - | S.P0110 6.6.1
Impact on C.S0023 (1/2)
Proposed changes:
• Key provisioning and storage
  – LCS_ROOT_KEY
  – EF(LCS TLS Protocol Version): to indicate which S-SAFE and TLS protocol versions the R-UIM supports
• Security algorithm support
  – Will reference S.P0110 for the specific algorithm requirements
• Commands from ME to R-UIM (the idea is to define universal commands that can be reused by other services that may use S-SAFE or TLS)
  – S-SAFE Verification and Decryption command
  – TLS Session Secret Generation command (can also cover H-PS Verify Data)
    » with two P1 values, for Session-A and Session-B respectively
  – TLS Verify Data Generation command (e.g. MS Verify Data)
    » with two P1 values, for Session-A and Session-B respectively
Impact on C.S0023 (2/2)
Proposed changes:
• Other related changes
  – New references
  – LCS service indicator in EF(CST)
  – New EF to store the H-PS address (IP and/or URL)
• Procedure descriptions
  – Need to wait for the TSG-S WG4 document to become stable.