
Page 1:

R-UIM Support for Secure LBS (Stage 2)

Zhimin Du, Lijun Zhao
zdu, lzhao@qualcomm.com
QUALCOMM Incorporated

June 20, 2005

Page 2:

Copyright Notice

© 2005 QUALCOMM Incorporated. All rights reserved.

QUALCOMM Incorporated grants a free, irrevocable license to 3GPP2 and its Organization Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner’s name any Organizational Partner’s standards publication even though it may include portions of the contribution; and at the Organization Partner’s sole discretion to permit others to reproduce in whole or in part such contributions or the resulting Organizational Partner’s standards publication. Qualcomm Incorporated is also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner’s standard which incorporates this contribution.

This document has been prepared by Qualcomm Incorporated to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on Qualcomm Incorporated. Qualcomm Incorporated specifically reserves the right to amend or modify the material contained herein and nothing herein shall be construed as conferring or offering licenses or rights with respect to any intellectual property of Qualcomm Incorporated other than provided in the copyright statement above.

Qualcomm Incorporated may hold one or more patents or copyrights that cover information contained in this contribution. A license will be made available to applicants under reasonable terms and conditions that are demonstrably free of any unfair discrimination. Qualcomm Incorporated reserves the right to use all material submitted in this contribution for its own purposes, including republication and distribution to others.

Page 3:

Outline

• Background and overview

• Four protocols in S.P0110
– LCS Provisioning Protocol
– S-SAFE Protocol
– TLS Session-A Protocol
– TLS Session-B Protocol

• Proposed changes in C.S0023

Page 4:

Background (1/2)

Security functional architecture for IP-based LCS (figure). Entities shown: the Mobile Station (UIM plus ME, hosting the MS-LCS Client), the Access Network, the IP Cloud, the H-PS, the S-PS, a PDE in the Home Network and a PDE in the Visited Network. Interfaces labelled: LCS-x (MS to H-PS, including the LCS-x store-and-forward path), LCS-y (MS to PDE) and LCS-z.

Page 5:

Background (2/2)

NI call flow example (from X.P0024), figure. Participants: LBA LCS Client, H-PS, PDE, MS-LCS Client; timers TINIT, TSUPL, TPDE1, TPDE2 and TPD. Steps a through j carry these messages:

– IP_LOC_REQ [MSidentity, PQOS, LBA_ID]
– SUPL_INIT [PQOS, LCS_CORRID, POSMODE] (step b: the NI trigger, delivered store-and-forward to the MS)
– SUPL_START [MSID, LCS_CORRID, MS_INFO, PQOS, ServingCellinfo, POSMODE] (step c, MS to H-PS)
– PDE_REQ [MSID, LCS_CORRID, MS_INFO, PQOS, ServingCellinfo]
– PDE_ACK [PORTNUM]
– SUPL_RESPONSE [LCS_CORRID, RESPONSE_TYPE, PDE_ADDRS] (step f, H-PS to MS)
– SUPL_POS [MSID, LCS_CORRID, TIA-801 message] (steps g and h, exchanged between MS and PDE)
– PDE_RESPONSE [MSID, LCS_CORRID, POSINFO, POSRSULT]
– IP_LOC_RESP [POSINFO]

Page 6:

S.P0110: IP-based Location Services Security Framework

• Developed in TSG-S, for the security of X.P0024 IP-based Location Services

• Comprises four protocols:
– LCS Provisioning Protocol
» for key provisioning and derivation
– S-SAFE Protocol
» to secure the NI trigger message SUPL_INIT (i.e. step b on the previous page)
– TLS Session-A Protocol
» to secure the LCS-x interface communications between MS and H-PS (i.e. steps c and f on the previous page)
– TLS Session-B Protocol
» to secure the LCS-y interface communications between MS and PDE; applied only in non-proxy mode (i.e. mainly steps g and h on the previous page)

Page 7:

LCS Provisioning Protocol (1/3)

• LCS_ROOT_KEY
– The root key of IP-based LCS for one subscriber. All other keys are derived from it.
– Provisioned into the H-PS and the UIM (at manufacturing time, through OTASP, or derived from a more general root key).
– Invisible to the ME, the PDE and all other entities.

• LCS_UIM_S_SAFE_KEY
– Derived from LCS_ROOT_KEY with the f3 algorithm specified in S.S0055-A (by the UIM and the H-PS, separately)
» f3 (K=LCS_ROOT_KEY, fi=0x45, RAND=“LCS_UIM_S_SAFE_K”, Fmk=0x004B4352)
– Used only in the S-SAFE protocol.
– Invisible to the ME, the PDE and all other entities.

Page 8:

LCS Provisioning Protocol (2/3)

• LCS_UIM_HPS_TLS_PSK_KEY
– Derived from LCS_ROOT_KEY with the f3 algorithm specified in S.S0055-A (by the UIM and the H-PS, separately)
» f3 (K=LCS_ROOT_KEY, fi=0x45, RAND=“LCS_UIM_HPS_TLS_”, Fmk=0x004B4352)
– Used only in the TLS Session-A protocol
– Invisible to the ME, the PDE and all other entities.

• LCS_UIM_PDE_ROOT_KEY
– Derived from LCS_ROOT_KEY with the f3 algorithm specified in S.S0055-A (by the UIM and the H-PS, separately)
» f3 (K=LCS_ROOT_KEY, fi=0x45, RAND=“LCS_UIM_PDE_ROOT”, Fmk=0x004B4352)
– Used to derive the LCS_UIM_PDE_TLS_PSK_KEY for each PDE assignment, which is then used in the TLS Session-B protocol to secure LCS-y communications
– Invisible to the ME, the PDE and all other entities.

Page 9:

LCS Provisioning Protocol (3/3)

• LCS_UIM_PDE_TLS_PSK_KEY derivation
– The H-PS generates an LCS_UIM_PDE_TLS_PSK_RAND with the f0 algorithm
– The H-PS derives LCS_UIM_PDE_TLS_PSK_KEY from LCS_UIM_PDE_ROOT_KEY and LCS_UIM_PDE_TLS_PSK_RAND with the f3 algorithm
» f3 (K=LCS_UIM_PDE_ROOT_KEY, fi=0x45, RAND=LCS_UIM_PDE_TLS_PSK_RAND, Fmk=0x004B4352)
– The H-PS passes LCS_UIM_PDE_TLS_PSK_VERSION, LCS_UIM_PDE_TLS_PSK_EXPIRY, LCS_UIM_PDE_TLS_PSK_RAND and LCS_UIM_PDE_TLS_PSK_KEY to the PDE (through the S-PS when needed, e.g. when roaming)
– The H-PS passes LCS_UIM_PDE_TLS_PSK_VERSION, LCS_UIM_PDE_TLS_PSK_EXPIRY and LCS_UIM_PDE_TLS_PSK_RAND to the MS in the SUPL_RESPONSE message (under TLS Session-A protection, i.e. through the TLS Application Data Protocol); the key itself is never sent to the MS
– The UIM derives LCS_UIM_PDE_TLS_PSK_KEY by itself with the same algorithm
– LCS_UIM_PDE_TLS_PSK_KEY is used in the TLS Session-B Protocol
– LCS_UIM_PDE_TLS_PSK_KEY is invisible to the ME.
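The key hierarchy of the three Provisioning Protocol pages, as an added worked example that is not part of this contribution or of S.P0110. It keeps the f3 parameter list (K, fi, RAND, Fmk) and the three fixed 16-octet RAND labels exactly as given above, but kdf() is an HMAC-SHA-256 stand-in for S.S0055-A f3 and fresh_rand() stands in for f0, so the outputs are not the values a real H-PS or R-UIM computes; the class and function names, the absolute-time expiry check and the record dictionaries are this example's own assumptions.

```python
# Added example (not S.P0110 / Qualcomm code). kdf() stands in for S.S0055-A f3
# and fresh_rand() for f0; only the derivation structure is faithful to the slides.
import hashlib
import hmac
import os
import struct

FI_F3 = 0x45            # function index the slides give for f3
FMK_LCS = 0x004B4352    # family key value used in every LCS derivation

# The three fixed 16-octet RAND labels of the LCS Provisioning Protocol.
RAND_S_SAFE = b"LCS_UIM_S_SAFE_K"
RAND_HPS_TLS = b"LCS_UIM_HPS_TLS_"
RAND_PDE_ROOT = b"LCS_UIM_PDE_ROOT"


def kdf(k, fi, rand, fmk):
    """Stand-in for S.S0055-A f3: 128-bit key from K, fi, a 16-octet RAND and Fmk."""
    if len(rand) != 16:
        raise ValueError("RAND must be 16 octets")
    return hmac.new(k, bytes([fi]) + struct.pack(">I", fmk) + rand, hashlib.sha256).digest()[:16]


def fresh_rand():
    """Stand-in for S.S0055-A f0 (random generation)."""
    return os.urandom(16)


class LcsKeyHolder:
    """Derivations shared by the two holders of LCS_ROOT_KEY: the UIM and the H-PS.

    Each derives the sub-keys independently; only RANDs ever cross the air.
    """

    def __init__(self, lcs_root_key):
        self._root = lcs_root_key  # never leaves the UIM or the H-PS

    def s_safe_key(self):          # LCS_UIM_S_SAFE_KEY, S-SAFE only
        return kdf(self._root, FI_F3, RAND_S_SAFE, FMK_LCS)

    def hps_tls_psk_key(self):     # LCS_UIM_HPS_TLS_PSK_KEY, TLS Session-A only
        return kdf(self._root, FI_F3, RAND_HPS_TLS, FMK_LCS)

    def pde_root_key(self):        # LCS_UIM_PDE_ROOT_KEY, parent of every per-PDE PSK
        return kdf(self._root, FI_F3, RAND_PDE_ROOT, FMK_LCS)

    def pde_tls_psk_key(self, psk_rand):   # LCS_UIM_PDE_TLS_PSK_KEY for one assignment
        return kdf(self.pde_root_key(), FI_F3, psk_rand, FMK_LCS)


class HomePS(LcsKeyHolder):
    def assign_pde(self, expiry, psk_rand=b"", version=0x0001):
        """One PDE assignment: returns (record for the PDE, record for the MS).

        Only the PDE record carries the key; the MS record carries just what the
        UIM needs to re-derive it (VERSION, EXPIRY, RAND), sent over TLS Session-A.
        """
        psk_rand = psk_rand or fresh_rand()
        psk_key = self.pde_tls_psk_key(psk_rand)
        to_pde = {"version": version, "expiry": expiry, "rand": psk_rand, "key": psk_key}
        to_ms = {"version": version, "expiry": expiry, "rand": psk_rand}
        return to_pde, to_ms


class Uim(LcsKeyHolder):
    def psk_for_assignment(self, ms_record, lcs_time):
        """Re-derive the PDE PSK from the SUPL_RESPONSE record, refusing stale or unknown versions."""
        if ms_record["version"] != 0x0001:
            raise ValueError("unsupported LCS_UIM_PDE_TLS_PSK_VERSION")
        if lcs_time >= ms_record["expiry"]:   # assumption: EXPIRY is an absolute LCS_TIME
            raise ValueError("LCS_UIM_PDE_TLS_PSK_KEY expired")
        return self.pde_tls_psk_key(ms_record["rand"])


def run_assignment(root_key, psk_rand, expiry=2000, lcs_time=1000):
    """Constructed walk-through: H-PS and UIM share only LCS_ROOT_KEY, yet agree on the PDE PSK."""
    hps, uim = HomePS(root_key), Uim(root_key)
    to_pde, to_ms = hps.assign_pde(expiry, psk_rand)
    return {"pde_key": to_pde["key"],
            "uim_key": uim.psk_for_assignment(to_ms, lcs_time),
            "ms_saw_key": "key" in to_ms}
```

run_assignment() shows the property the slides rely on: the PDE ends up with the same LCS_UIM_PDE_TLS_PSK_KEY the UIM derives, while the ME's SUPL_RESPONSE record never contains a key, and a fresh RAND yields an unrelated key for the next assignment.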

Page 10:

S-SAFE Protocol (1/2)

• S-SAFE: Secure Store And Forward Encapsulation
– Provides authenticity, integrity protection, freshness protection and (optional) encryption of data in store-and-forward messages.
– The H-PS forms an Envelope to enable these functions.

Envelope layout (parameter name, length in octets):

LCS_S_SAFE_GEN_TIME            4
LCS_S_SAFE_LOG_LIFE_TIME       1
LCS_S_SAFE_VERSION             2   (defined in Section 5.2.1)
LCS_S_SAFE_GOODIES_LENGTH      2
LCS_S_SAFE_GOODIES, consisting of:
    LCS_S_SAFE_ALG             2
    LCS_S_SAFE_RAND            16
    LCS_S_SAFE_PAYLOAD_LEN     2   (= LCS_S_SAFE_DATA_LEN)
    LCS_S_SAFE_PAYLOAD         variable
LCS_S_SAFE_MAC                 8

Page 11:

S-SAFE Protocol (2/2)

– The ME performs the Expiry Check and Replay Detection using LCS_S_SAFE_GEN_TIME and LCS_S_SAFE_LOG_LIFE_TIME
– If they succeed, the ME passes the envelope to the UIM
– The UIM derives LCS_S_SAFE_CK from LCS_UIM_S_SAFE_KEY and LCS_S_SAFE_RAND with the f3 algorithm
» f3 (K=LCS_UIM_S_SAFE_KEY, fi=0x45, RAND=LCS_S_SAFE_RAND, Fmk=0x004B4352)
– The UIM derives LCS_S_SAFE_IK from LCS_UIM_S_SAFE_KEY and LCS_S_SAFE_RAND with the f4 algorithm
» f4 (K=LCS_UIM_S_SAFE_KEY, fi=0x46, RAND=LCS_S_SAFE_RAND, Fmk=0x004B4352)
– The UIM performs the Integrity Check using the MAC generation algorithm with LCS_S_SAFE_IK over LCS_S_SAFE_MAC_DATA
– If it succeeds, the UIM performs Decryption using the cipher algorithm with LCS_S_SAFE_CK on LCS_S_SAFE_PAYLOAD
» This step is skipped if encryption is not enabled (as indicated by LCS_S_SAFE_CIPHER_ALG=0x00)
– The UIM passes LCS_S_SAFE_DATA_LEN and LCS_S_SAFE_DATA (i.e. the SUPL_INIT message in this case) to the ME
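The two S-SAFE pages as an added example, not code from this contribution or from S.P0110: an H-PS builds the envelope laid out on the previous page, the ME runs the keyless Expiry Check and Replay Detection, and the UIM derives CK/IK, checks the MAC and only then unwraps. Stand-ins and assumptions: kdf() replaces S.S0055-A f3/f4, mac() replaces S.S0078-A ehmacsha with HMAC-SHA-1 truncated to the 8-octet MAC, only the NULL cipher is implemented (ESP_AES is refused rather than faked), LCS_S_SAFE_ALG is taken to be cipher_alg || mac_alg, LCS_S_SAFE_MAC_DATA to be every octet before the MAC, LOG_LIFE_TIME to be log2 of the lifetime in seconds, and the replay rule (reject a GEN_TIME already accepted and not yet expired) is this example's choice; the SUPL_INIT bytes in the usage are constructed.

```python
# Added example (not S.P0110 / Qualcomm code). Stand-ins, all labelled:
#   kdf()    - HMAC-SHA-256 in place of S.S0055-A f3 (fi=0x45, CK) and f4 (fi=0x46, IK)
#   mac()    - HMAC-SHA-1 cut to 8 octets in place of S.S0078-A ehmacsha
#   cipher() - NULL cipher only; the ESP_AES path (0x01) is refused
# Assumed layout: LCS_S_SAFE_ALG = cipher_alg || mac_alg, LCS_S_SAFE_MAC_DATA =
# every octet before the MAC, LOG_LIFE_TIME = log2(lifetime in seconds).
import hashlib
import hmac
import os
import struct

FMK_LCS = 0x004B4352
FI_F3, FI_F4 = 0x45, 0x46
CIPHER_NULL, CIPHER_ESP_AES = 0x00, 0x01
MAC_EHMACSHA = 0x01
S_SAFE_VERSION = 0x0001
MAC_LEN = 8
HDR = struct.Struct(">IBHH")   # GEN_TIME(4) LOG_LIFE_TIME(1) VERSION(2) GOODIES_LENGTH(2)
GOODIES_FIXED = 2 + 16 + 2     # ALG, RAND and PAYLOAD_LEN precede the payload


def kdf(k, fi, rand, fmk):
    return hmac.new(k, bytes([fi]) + struct.pack(">I", fmk) + rand, hashlib.sha256).digest()[:16]


def mac(ik, mac_data):
    return hmac.new(ik, mac_data, hashlib.sha1).digest()[:MAC_LEN]


def cipher(ck, alg, data):
    if alg == CIPHER_NULL:
        return data
    raise NotImplementedError("LCS_S_SAFE_CIPHER_ALG 0x%02x not reproduced here" % alg)


def hps_build_envelope(s_safe_key, data, gen_time, log_life_time=6, cipher_alg=CIPHER_NULL, rand=b""):
    """H-PS side: wrap one store-and-forward message (e.g. SUPL_INIT) in an S-SAFE envelope."""
    rand = rand or os.urandom(16)                        # LCS_S_SAFE_RAND (f0 stand-in)
    ck = kdf(s_safe_key, FI_F3, rand, FMK_LCS)
    ik = kdf(s_safe_key, FI_F4, rand, FMK_LCS)
    payload = cipher(ck, cipher_alg, data)
    goodies = bytes([cipher_alg, MAC_EHMACSHA]) + rand + struct.pack(">H", len(payload)) + payload
    mac_data = HDR.pack(gen_time, log_life_time, S_SAFE_VERSION, len(goodies)) + goodies
    return mac_data + mac(ik, mac_data)


class Me:
    """ME side: Expiry Check and Replay Detection need no key, so they run before the UIM is asked."""

    def __init__(self):
        self._accepted = {}   # GEN_TIME -> expiry, pruned as envelopes age out (example's own rule)

    def check_freshness(self, env, now):
        gen_time, log_life, _version, _glen = HDR.unpack_from(env)
        expires = gen_time + (1 << log_life)
        self._accepted = {t: e for t, e in self._accepted.items() if e > now}
        if now >= expires:
            raise ValueError("expired envelope")
        if gen_time in self._accepted:
            raise ValueError("replayed envelope")
        self._accepted[gen_time] = expires


def uim_unwrap(s_safe_key, env):
    """UIM side: derive IK/CK from the envelope RAND, check the MAC, only then decrypt."""
    _gen_time, _log_life, version, glen = HDR.unpack_from(env)
    if version != S_SAFE_VERSION:
        raise ValueError("unsupported LCS_S_SAFE_VERSION")
    mac_data, tag = env[:HDR.size + glen], env[HDR.size + glen:]
    goodies = mac_data[HDR.size:]
    if len(tag) != MAC_LEN or len(goodies) < GOODIES_FIXED:
        raise ValueError("malformed envelope")
    cipher_alg, mac_alg, rand = goodies[0], goodies[1], goodies[2:18]
    (plen,) = struct.unpack_from(">H", goodies, 18)
    if mac_alg != MAC_EHMACSHA or len(goodies) != GOODIES_FIXED + plen:
        raise ValueError("unsupported MAC algorithm or bad payload length")
    ik = kdf(s_safe_key, FI_F4, rand, FMK_LCS)
    if not hmac.compare_digest(mac(ik, mac_data), tag):
        raise ValueError("integrity check failed")          # nothing is decrypted on failure
    ck = kdf(s_safe_key, FI_F3, rand, FMK_LCS)
    return cipher(ck, cipher_alg, goodies[GOODIES_FIXED:])  # LCS_S_SAFE_DATA, handed back to the ME


def deliver(s_safe_key, env, me, now):
    """Whole receive path: ME freshness checks first, then the UIM verify-and-decrypt command."""
    me.check_freshness(env, now)
    return uim_unwrap(s_safe_key, env)
```

The order matters for the design the slides describe: the ME can drop stale and replayed envelopes without any key material, and the UIM refuses to decrypt anything whose MAC has not verified, so a tampered or mis-keyed envelope never yields plaintext to the ME.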

Page 12:

TLS Protocol Brief

General Transport Layer Security protocol (IETF RFC 2246)

   Client                                  Server
   ------                                  ------
   ClientHello[H]          -------->
                                           ServerHello[H]
                           <--------       ServerHelloDone[H]
   ClientKeyExchange[H]
   ChangeCipherSpec[C]
   Finished[H]             -------->
                                           ChangeCipherSpec[C]
                           <--------       Finished[H]
   Application Data[D]     <------->       Application Data[D]

• [H] Handshake protocol
• [C] Change cipher spec protocol
• [D] Application data protocol
• Note: the Finished message carries verify_data, which is what provides the authentication: with a pre-shared key, only a peer holding that key can produce the correct value.

Page 13:

TLS Session-A Protocol

• TLS Session-A protocol is based on the TLS protocol with LCS_UIM_HPS_TLS_PSK_KEY as the Pre-Shared Key
• Two protocols:
– Handshake Protocol
– Application Data Protocol

Handshake between UIM, ME and H-PS (figure):

– ME generates client_random and sends ClientHello(session_id (opt), client_random) to the H-PS; it includes a session_id if it desires to resume a session.
– H-PS decides whether to resume the session and whether to assign a session_id, generates server_random, and sends ServerHello(session_id (opt), server_random) and ServerHelloDone.
– ME sends ClientKeyExchange(psk_identity = MIN or IMSI).
– ME forms other_secret and passes other_secret, client_random and server_random to the UIM; the UIM generates the session secrets and returns them. The H-PS forms other_secret and generates its own session secrets.
– ME forms the MS verify_digest and passes other_secret and the MS verify_digest to the UIM; the UIM returns the MS verify_data. ME sends ChangeCipherSpec + Finished(MS verify_data); the H-PS confirms the MS verify_data.
– H-PS forms the H-PS verify_digest, generates the H-PS verify_data and sends ChangeCipherSpec + Finished(H-PS verify_data). ME forms the H-PS verify_digest and passes other_secret and the H-PS verify_digest to the UIM; the UIM returns the H-PS verify_data, which the ME confirms against the received one.
– Application Data, encrypted with the session secrets.

If the H-PS agrees to resume a previous session, the handshake skips from ServerHello/ServerHelloDone straight to the ChangeCipherSpec + Finished exchange.

Page 14:

R-UIM Functionality in TLS Session-A

Two types of ME and R-UIM interaction:

• Session Secret Generation
– The ME sends Other_Secret, Master_Client_RAND, Master_Server_RAND, Current_Client_RAND, Current_Server_RAND, Server_Version and Cipher_Suite to the R-UIM as input parameters. (The Master RANDs are those of the session whose master secret is in use, which is the original session when resuming; the Current RANDs are those of the present handshake and feed the key block.)
– The R-UIM runs the process to generate the Session_Secret and returns it.
– The ME and the H-PS use the Session_Secret for bulk ciphering and integrity protection of application data.

• Verify Data Generation
– The ME generates the Verify_Digest, and sends Verify_Digest, Other_Secret, Master_Client_RAND, Master_Server_RAND and Finished_Label to the R-UIM as input parameters.
– The R-UIM runs the process to generate the Verify_Data and returns it.
– The ME and the H-PS authenticate each other by comparing the received Verify_Data with the locally recomputed Verify_Data.

Page 15:

TLS Session-B Protocol

• TLS Session-B protocol is based on the TLS protocol with LCS_UIM_PDE_TLS_PSK_KEY (derived from LCS_UIM_PDE_ROOT_KEY) as the Pre-Shared Key
• Two main portions:
– Assignment
– Interaction, including the Handshake Protocol and the Application Data Protocol

Assignment (figure, H-PS to PDE and MS):
– H-PS generates PSK_VERSION, PSK_EXPIRY and PSK_RAND, and generates the PSK from PDE_ROOT_KEY and PSK_RAND
– H-PS sends PSK_VERSION, PSK_EXPIRY, PSK_RAND and PSK_KEY to the PDE
– H-PS sends PSK_VERSION, PSK_EXPIRY and PSK_RAND (no key) to the MS

Interaction (figure, UIM, ME and PDE):
– ME generates client_random and sends ClientHello(session_id (opt), client_random) to the PDE; it includes a session_id if it desires to resume a session.
– PDE decides whether to resume the session and whether to assign a session_id, generates server_random, and sends ServerHello(session_id (opt), server_random) and ServerHelloDone.
– ME sends ClientKeyExchange(psk_identity = PSK_VERSION, PSK_RAND).
– ME forms other_secret and passes PSK_VERSION, PSK_RAND, other_secret, client_random and server_random to the UIM; the UIM forms PSK_KEY from PSK_RAND and PDE_ROOT_KEY as above, then generates the session secrets and returns them. The PDE forms other_secret and generates its session secrets with the PSK_KEY it received from the H-PS.
– ME forms the MS verify_digest and passes PSK_VERSION, PSK_RAND, other_secret and the MS verify_digest to the UIM; the UIM forms PSK_KEY as above and returns the MS verify_data. ME sends ChangeCipherSpec + Finished(MS verify_data); the PDE confirms the MS verify_data.
– PDE forms the PDE verify_digest, generates the PDE verify_data and sends ChangeCipherSpec + Finished(PDE verify_data). ME forms the PDE verify_digest and passes PSK_VERSION, PSK_RAND, other_secret and the PDE verify_digest to the UIM; the UIM forms PSK_KEY as above and returns the PDE verify_data, which the ME confirms against the received one.
– Application Data, encrypted with the session secrets.

If the PDE agrees to resume a previous session, the handshake skips from ServerHello/ServerHelloDone straight to the ChangeCipherSpec + Finished exchange.

Page 16:

R-UIM Functionality in TLS Session-B

Two types of ME and R-UIM interaction (the same procedures as in Session-A, with extra input parameters so that the R-UIM can generate LCS_UIM_PDE_TLS_PSK_KEY first):

• Session Secret Generation
– The ME sends PSK_Protocol_Version, PSK_RAND, Other_Secret, Master_Client_RAND, Master_Server_RAND, Current_Client_RAND, Current_Server_RAND, Server_Version and Cipher_Suite to the R-UIM as input parameters.
– The R-UIM runs the process to generate the Session_Secret and returns it.
– The ME and the PDE use the Session_Secret for bulk ciphering and integrity protection of application data.

• Verify Data Generation
– The ME generates the Verify_Digest, then sends PSK_Protocol_Version, PSK_RAND, Verify_Digest, Other_Secret, Master_Client_RAND, Master_Server_RAND and Finished_Label to the R-UIM as input parameters.
– The R-UIM runs the process to generate the Verify_Data and returns it.
– The ME and the PDE authenticate each other by comparing the received Verify_Data with the locally recomputed Verify_Data.
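Both R-UIM commands, with the Session-A and Session-B parameter lists of the two preceding pages and the ME/server computations around them, as an added example in Python (not code from this contribution, S.P0110 or C.S0023). The standard parts are the RFC 2246 section 5 PRF for server_version (3,1) and verify_digest as MD5 || SHA-1 of the handshake messages (RFC 2246 7.4.9), which is what the requirements pages later call for. Assumed, and labelled in the code: the PSK premaster layout and the all-zero other_secret of the PSK ciphersuite draft that became RFC 4279, the code point 0x008C for TLS_PSK_WITH_AES_128_CBC_SHA, and kdf() as an HMAC-SHA-256 stand-in for S.S0055-A f3 in the Session-B PSK derivation; the randoms and handshake transcript passed to run_handshake() are constructed.

```python
# Added example (not S.P0110 / C.S0023 / Qualcomm code). Standard parts: the
# RFC 2246 section 5 PRF for server_version (3,1) and verify_digest = MD5 || SHA-1
# over the handshake messages (RFC 2246 7.4.9). Assumptions, labelled inline:
# PSK premaster layout and all-zero other_secret from the PSK ciphersuite draft
# that became RFC 4279, code point 0x008C for TLS_PSK_WITH_AES_128_CBC_SHA, and
# kdf() as an HMAC stand-in for S.S0055-A f3 in the Session-B PSK derivation.
import hashlib
import hmac
import struct

SERVER_VERSION_TLS10 = (3, 1)
TLS_PSK_WITH_AES_128_CBC_SHA = 0x008C                       # assumed code point (RFC 4279)
KEY_BLOCK_LEN = {TLS_PSK_WITH_AES_128_CBC_SHA: 2 * (20 + 16 + 16)}  # HMAC-SHA-1 keys, AES-128 keys, IVs
FMK_LCS, FI_F3 = 0x004B4352, 0x45


def _p_hash(hashfn, secret, seed, n):
    out, a = b"", seed                                      # A(0) = seed
    while len(out) < n:
        a = hmac.new(secret, a, hashfn).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashfn).digest()
    return out[:n]


def prf(secret, label, seed, n):
    """RFC 2246 PRF: P_MD5 over the first half of the secret XOR P_SHA-1 over the second half."""
    half = (len(secret) + 1) // 2
    md5 = _p_hash(hashlib.md5, secret[:half], label + seed, n)
    sha = _p_hash(hashlib.sha1, secret[-half:], label + seed, n)
    return bytes(x ^ y for x, y in zip(md5, sha))


def psk_premaster(other_secret, psk):
    """Assumed layout: len(other_secret) || other_secret || len(psk) || psk."""
    return struct.pack(">H", len(other_secret)) + other_secret + struct.pack(">H", len(psk)) + psk


def kdf(k, fi, rand, fmk):
    """Stand-in for S.S0055-A f3: LCS_UIM_PDE_TLS_PSK_KEY from LCS_UIM_PDE_ROOT_KEY and PSK_RAND."""
    return hmac.new(k, bytes([fi]) + struct.pack(">I", fmk) + rand, hashlib.sha256).digest()[:16]


def verify_digest(handshake_messages):
    """ME side: the keyless part of Finished, MD5 || SHA-1 of all handshake messages so far."""
    return hashlib.md5(handshake_messages).digest() + hashlib.sha1(handshake_messages).digest()


class RUim:
    """Holds the PSKs the ME never sees and exposes only the two proposed commands."""

    def __init__(self, hps_tls_psk_key, pde_root_key):
        self._hps_psk = hps_tls_psk_key
        self._pde_root = pde_root_key

    def _psk(self, psk_version, psk_rand):
        if psk_rand is None:                                # P1 = Session-A
            return self._hps_psk
        if psk_version != 0x0001:                           # P1 = Session-B
            raise ValueError("unsupported LCS_UIM_PDE_TLS_PSK_VERSION")
        return kdf(self._pde_root, FI_F3, psk_rand, FMK_LCS)

    def _master_secret(self, other_secret, master_client_rand, master_server_rand, psk_version, psk_rand):
        pre = psk_premaster(other_secret, self._psk(psk_version, psk_rand))
        return prf(pre, b"master secret", master_client_rand + master_server_rand, 48)

    def session_secret_generation(self, other_secret, master_client_rand, master_server_rand,
                                  current_client_rand, current_server_rand, server_version,
                                  cipher_suite, psk_version=None, psk_rand=None):
        """Master randoms fix master_secret (kept on resumption); current randoms expand the key block."""
        if server_version != SERVER_VERSION_TLS10 or cipher_suite not in KEY_BLOCK_LEN:
            raise ValueError("version or cipher suite outside the S.P0110 profile")
        ms = self._master_secret(other_secret, master_client_rand, master_server_rand, psk_version, psk_rand)
        return prf(ms, b"key expansion", current_server_rand + current_client_rand, KEY_BLOCK_LEN[cipher_suite])

    def verify_data_generation(self, vdigest, other_secret, master_client_rand, master_server_rand,
                               finished_label, psk_version=None, psk_rand=None):
        ms = self._master_secret(other_secret, master_client_rand, master_server_rand, psk_version, psk_rand)
        return prf(ms, finished_label, vdigest, 12)


def server_secrets(psk, other_secret, client_rand, server_rand, transcript):
    """H-PS or PDE side: same arithmetic, with the PSK held directly (the PDE got PSK_KEY from the H-PS)."""
    ms = prf(psk_premaster(other_secret, psk), b"master secret", client_rand + server_rand, 48)
    key_block = prf(ms, b"key expansion", server_rand + client_rand, KEY_BLOCK_LEN[TLS_PSK_WITH_AES_128_CBC_SHA])
    return key_block, prf(ms, b"client finished", verify_digest(transcript), 12)


def run_handshake(psk, uim, transcript, client_rand, server_rand, psk_version=None, psk_rand=None):
    """Constructed full handshake (no resumption, so master and current randoms coincide)."""
    other_secret = bytes(len(psk))                          # plain PSK suite: N zero octets (RFC 4279 rule)
    args = (other_secret, client_rand, server_rand)
    key_block = uim.session_secret_generation(*args, client_rand, server_rand, SERVER_VERSION_TLS10,
                                              TLS_PSK_WITH_AES_128_CBC_SHA, psk_version, psk_rand)
    ms_verify_data = uim.verify_data_generation(verify_digest(transcript), *args, b"client finished",
                                                psk_version, psk_rand)
    srv_key_block, srv_expected = server_secrets(psk, other_secret, client_rand, server_rand, transcript)
    return {"keys_match": key_block == srv_key_block,
            "server_accepts_ms_finished": hmac.compare_digest(ms_verify_data, srv_expected)}
```

The split mirrors the slides: everything keyed by the PSK or the master secret (premaster, master_secret, key block, verify_data) stays inside RUim, while the ME only hashes the public handshake transcript and shuttles randoms and other_secret across the card interface. Passing psk_rand selects the Session-B path, where the card first derives LCS_UIM_PDE_TLS_PSK_KEY and then runs the identical PRF arithmetic.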

Page 17:

Security Function Requirements to R-UIM and ME (1/2)

• R-UIM Side (protocol, function: algorithm version; algorithm specifier; algorithm function; specified in reference, section)

– S-SAFE, LCS_S_SAFE_CK Generation: LCS_S_SAFE_VERSION = 0x0001; N/A; f3; [S.S0055-A] 2.2.2.6
– S-SAFE, LCS_S_SAFE_IK Generation: LCS_S_SAFE_VERSION = 0x0001; N/A; f4; [S.S0055-A] 2.2.2.7
– S-SAFE, Decryption: LCS_S_SAFE_CIPHER_ALG = 0x00; NULL; N/A; N/A
– S-SAFE, Decryption: LCS_S_SAFE_CIPHER_ALG = 0x01; ESP_AES; [S.S0055-A] 2.3.2.2.4
– S-SAFE, LCS_S_SAFE_MAC Generation: LCS_S_SAFE_MAC_ALG = 0x01; ehmacsha; [S.S0078-A] 2.1.2.1
– TLS Session-A, functions for generating master_secret, session_secrets and verify_data: Server_version = (3,1); N/A; PRF; [RFC2246] 5
– TLS Session-B, LCS_UIM_PDE_TLS_PSK_KEY Generation: LCS_UIM_PDE_TLS_PSK_VERSION = 0x0001; f3; [S.S0055-A] 2.2.2.6
– TLS Session-B, function for generating master_secret, session_secrets and verify_data: Server_version = (3,1); N/A; PRF; [RFC2246] 5

Page 18:

Security Function Requirements to R-UIM and ME (2/2)

• ME Side (protocol, function: algorithm version; algorithm specifier; algorithm; specified in reference, section)

– S-SAFE: none
– TLS Session-A + TLS Session-B, computing verify_digest: Server_version = (3,1); N/A; MD5 and SHA-1; [RFC2246] 7.4.9
– TLS Session-A + TLS Session-B, bulk ciphering for application data: BulkCipherAlgorithm = AES_128_CBC; AES_128_CBC; [RFC3268]
– TLS Session-A + TLS Session-B, MAC algorithm for application data: MACAlgorithm = SHA; HMAC-SHA-1; [RFC2246] A.6
– TLS Session-B, LCS_TIME: LCS_UIM_PDE_TLS_PSK_VERSION = 0x0001; N/A; S.P0110 6.6.1

Page 19:

Impact on C.S0023 (1/2)

Proposed changes:

• Key provisioning and storage
– LCS_ROOT_KEY
– EF(LCS TLS Protocol Version): to indicate which S-SAFE and TLS protocol versions the R-UIM supports

• Security algorithm support
– Will make reference to S.P0110 for the specific algorithm requirements

• Commands from ME to R-UIM (the idea is to define universal commands that can be reused by other services that may use S-SAFE or TLS)
– S-SAFE Verification and Decryption command
– TLS Session Secret Generation command (can also cover the H-PS Verify Data)
» with two P1 values, for Session-A and Session-B respectively
– TLS Verify Data Generation command (e.g. the MS Verify Data)
» with two P1 values, for Session-A and Session-B respectively

Page 20:

Impact on C.S0023 (2/2)

Proposed changes:

• Other related changes
– New references
– LCS service indicator in EF(CST)
– New EF to store the H-PS address (IP and/or URL address)

• Procedure descriptions
– Need to wait for the TSG-S WG4 document to become stable.