
Content for TS 33.203, Word version 17.1.0



1  Scope

The scope for this technical specification is to specify the security features and mechanisms for secure access to the IM subsystem (IMS) for the 3G mobile telecommunication system.
Since the scope also encompasses the use of these security features and mechanisms for secure access to IMS in the context of fixed broadband networks and 3GPP2 networks, Annex L and Annex S specify how the material in the main body and the other normative Annexes of this document applies to fixed broadband networks and 3GPP2 networks respectively.
The IMS supports IP Multimedia applications such as video, audio and multimedia conferences. SIP, Session Initiation Protocol, was chosen as the signalling protocol for creating and terminating Multimedia sessions, cf. RFC 3261. This specification only deals with how the SIP signalling is protected between the subscriber and the IMS, how the subscriber is authenticated and how the subscriber authenticates the IMS.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1] TS 33.102: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Security Architecture".
[2] Void.
[3] TS 23.228: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; IP Multimedia (IM) Subsystem".
[4] Void.
[5] TS 33.210: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Network domain security; IP network layer security".
[6] RFC 3261: "SIP: Session Initiation Protocol".
[7] TS 21.905: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Vocabulary for 3GPP specifications".
[8] TS 24.229: "3rd Generation Partnership Project; Technical Specification Group Core Network; IP Multimedia Call Control Protocol based on SIP and SDP".
[9] TS 23.002: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Network Architecture".
[10] TS 23.060: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; General Packet Radio Service (GPRS); Service Description".
[11] TS 24.228: "3rd Generation Partnership Project; Technical Specification Group Core Network; Signalling flows for the IP multimedia call control based on SIP and SDP".
[12]-[16] Void.
[17] RFC 3310 (April 2002): "HTTP Digest Authentication Using AKA".
[18] Void.
[19] Void.
[20] Void.
[21] RFC 3329 (2003): "Security Mechanism Agreement for the Session Initiation Protocol (SIP)".
[22] Void.
[23] RFC 3263 (2002): "Session Initiation Protocol (SIP): Locating SIP Servers".
[24] TS 33.310: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Network Domain Security (NDS); Authentication Framework (AF)".
[25] Void.
[26] ETSI ES 282 001: "TISPAN - Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Functional Architecture for NGN Release 1".
[27] RFC 3947 (2005): "Negotiation of NAT-Traversal in the IKE".
[28] RFC 3948 (2005): "UDP Encapsulation of IPsec ESP Packets".
[29] RFC 3323 (2002): "A Privacy Mechanism for the Session Initiation Protocol (SIP)".
[30] RFC 3325 (2002): "Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Network".
[31] TS 23.167: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; IP Multimedia Subsystem (IMS) emergency sessions".
[32] RFC 5626 (2009): "Managing Client Initiated Connections in the Session Initiation Protocol (SIP)".
[33] Void.
[34] Void.
[35] Void.
[36] ETSI ES 282 004: "NGN Functional Architecture; Network Attachment Sub-System (NASS)".
[37] ETSI TS 187 001: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN SECurity (SEC); Requirements".
[38] Void.
[39] TS 29.228: "3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; IP Multimedia (IM) Subsystem Cx and Dx interfaces; Signalling flows and message contents".
[40] 3GPP2 X.S0011: "cdma2000 Wireless IP Network Standard".
[41] 3GPP2 C.S0023: "Removable User Identity Module for Spread Spectrum Systems".
[42] Void.
[43] 3GPP2 S.S0055: "Enhanced Cryptographic Algorithms".
[44] 3GPP2 S.S0078: "Common Security Algorithms".
[45] 3GPP2 C.S0065: "cdma2000 Application on UICC for Spread Spectrum Systems".
[46] TS 23.003: "3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Numbering, addressing and identification".
[47] Void.
[48] Void.
[49] Void.
[50] TS 23.292: "IP Multimedia Subsystem (IMS) Centralized Services; Stage 2".
[51] TS 31.103: "3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Characteristics of the IP Multimedia Services Identity Module (ISIM) application".
[52] RFC 5280: "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile".
[53] RFC 4301: "Security Architecture for the Internet Protocol".
[54] RFC 4303: "IP Encapsulating Security Payload (ESP)".
[55] Void.
[56] TS 23.401: "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access".
[57] ETSI TS 187 003 v3.4.1: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Security Architecture".
[58] Void.
[59] Void.
[60] RFC 6544: "TCP Candidates with Interactive Connectivity Establishment (ICE)".
[61] Void.
[62] RFC 6062: "Traversal Using Relays around NAT (TURN) Extensions for TCP Allocations".
[63] RFC 2817: "Upgrading to TLS Within HTTP/1.1".
[64] RFC 6623: "Indication of Support for Keep-Alive".
[65] RFC 4169: "Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA) Version-2".
[66] TS 33.220: "Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)".
[67] RFC 6750: "The OAuth 2.0 Authorization Framework: Bearer Token Usage".
[68] RFC 7376: "Problems with Session Traversal Utilities for NAT (STUN) Long-Term Authentication for Traversal Using Relays around NAT (TURN)".
[69] Void.
[70] RFC 7635: "Session Traversal Utilities for NAT (STUN) Extension for Third Party Authorization".
[71] draft-ietf-oauth-pop-architecture-02: "OAuth 2.0 Proof-of-Possession (PoP) Security Architecture".
[71] Void.
[73] RFC 4106: "The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)".
[74] RFC 4543: "The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH".
[75] RFC 7800: "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)".
[76] RFC 7616: "HTTP Digest Access Authentication".
[77] RFC 8489: "Session Traversal Utilities for NAT (STUN)".
[78] RFC 8656: "Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)".
[79] RFC 8445: "Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal".
[80] RFC 8839: "Session Description Protocol (SDP) Offer/Answer Procedures for Interactive Connectivity Establishment (ICE)".
[81] RFC 8981: "Temporary Address Extensions for Stateless Address Autoconfiguration in IPv6".
[82] RFC 7296: "Internet Key Exchange Protocol Version 2 (IKEv2)".

3  Definitions, symbols and abbreviations

3.1  Definitions

For the purposes of the present document, the following terms and definitions apply.
Authenticated (re-) registration:
A registration, i.e. a SIP REGISTER sent towards the Home Network, which triggers an authentication of the IMS subscriber, i.e. a challenge is generated and sent to the UE.
Authentication vector:
A quintet (as defined in TS 33.102) or an SD-AV.
Confidentiality:
The property that information is not made available or disclosed to unauthorised individuals, entities or processes.
Data integrity:
The property that data has not been altered in an unauthorised manner.
Data origin authentication:
The corroboration that the source of data received is as claimed.
Entity authentication:
The provision of assurance of the claimed identity of an entity.
Key freshness:
A key is fresh if it can be guaranteed to be new, as opposed to an old key being reused through actions of either an adversary or authorised party.
IMS Credentials (IMC):
This is defined in TS 21.905.
ISIM - IM Subscriber Identity Module:
For the purposes of the present document the ISIM is a term that indicates the collection of IMS security data and functions on a UICC. The ISIM may be a distinct application on the UICC.
Security Domain:
Networks that are managed by a single administrative authority. Within a security domain the same level of security and usage of security services will be typical.
SIP Digest authentication vector (SD-AV):
Temporary authentication data that enables the IMS network to engage in SIP Digest with a particular user. An SD-AV consists of four elements: a) protection space user hint realm, b) the authentication algorithm, c) the quality of protection value qop and d) the hash of IMPI, realm and password H(A1).
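The SD-AV definition above is the point where the password-derived secret is separated from the password itself: the HSS hands the S-CSCF only H(A1), and the S-CSCF can still check a SIP Digest response with nothing more than the four SD-AV elements. The following Python is an added illustration of that split, not code from the specification; the subscriber values are constructed placeholders and the hash selection (MD5 default, SHA-256 per RFC 7616) is an assumption about how the algorithm element is interpreted.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hash functions selectable through the SD-AV "algorithm" element:
# MD5 is the SIP Digest default, SHA-256 the RFC 7616 alternative.
_HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

# Constructed sample subscriber (placeholder values, not from the specification).
IMPI, REALM, PASSWORD = "user1@ims.example.com", "ims.example.com", "s3cret-passw0rd"

def hash_hex(algorithm: str, data: str) -> str:
    """Hex digest of a Digest-format string under the named algorithm."""
    return _HASHES[algorithm](data.encode("utf-8")).hexdigest()

def compute_h_a1(algorithm: str, impi: str, realm: str, password: str) -> str:
    """H(A1) = H(IMPI ':' realm ':' password), the only password-derived SD-AV element."""
    return hash_hex(algorithm, f"{impi}:{realm}:{password}")

@dataclass(frozen=True)
class SDAV:
    """The four SD-AV elements named in the definition: realm, algorithm, qop, H(A1)."""
    realm: str
    algorithm: str
    qop: str
    h_a1: str

def hss_build_sd_av(impi, realm, password, algorithm="MD5", qop="auth"):
    """HSS side: the HSS hands out H(A1), so the cleartext password never leaves it."""
    return SDAV(realm, algorithm, qop, compute_h_a1(algorithm, impi, realm, password))

def digest_response(algorithm, h_a1, method, uri, nonce, nc, cnonce, qop):
    """RFC 7616 response for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    h_a2 = hash_hex(algorithm, f"{method}:{uri}")
    return hash_hex(algorithm, f"{h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{h_a2}")

def ue_response(algorithm, impi, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """UE side: the UE holds the password and derives H(A1) itself before responding."""
    h_a1 = compute_h_a1(algorithm, impi, realm, password)
    return digest_response(algorithm, h_a1, method, uri, nonce, nc, cnonce, qop)

def scscf_verify(sd_av, method, uri, nonce, nc, cnonce, response):
    """S-CSCF side: recompute the response from H(A1) alone and compare in constant time."""
    expected = digest_response(sd_av.algorithm, sd_av.h_a1, method, uri, nonce, nc, cnonce, sd_av.qop)
    return hmac.compare_digest(expected, response)
```

Because the S-CSCF only ever holds H(A1), a compromise of that node exposes a per-realm hash rather than the subscriber password, which is the practical reason the SD-AV is defined this way.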

3.2  Symbols |R8|

For the purposes of the present document, the following symbols apply:
Cx
Reference point between a CSCF and an HSS.
Gi
Reference point between GPRS and an external packet data network.
Gm
Reference point between a UE and a P-CSCF.
Za
Reference point between SEGs belonging to different networks/security domains.
Zb
Reference point between SEGs and NEs, or between NEs within the same network/security domain.

3.3  Abbreviations

For the purposes of the present document, the following abbreviations apply. TS 21.905 contains additional applicable abbreviations:
AAA
Authentication Authorisation Accounting
AKA
Authentication and Key Agreement
APN
Access Point Name
AS
Application Server
AV
Authentication Vector
CLF
Connectivity Session and Repository Location Function
CSCF
Call Session Control Function
ESP
Encapsulating Security Payload
GIBA
GPRS-IMS-Bundled Authentication
GGSN
Gateway GPRS Support Node
HN
Home Network
HSS
Home Subscriber Server
IBCF
Interconnection Border Control Function
I-CSCF
Interrogating CSCF
IKE
Internet Key Exchange
IM
IP Multimedia
IMC
IM Credentials
IMPI
IM Private Identity
IMPU
IM Public Identity
IMS
IP Multimedia Core Network Subsystem
IPsec
Internet Protocol Security
ISIM
IM Services Identity Module
MAC
Message Authentication Code
ME
Mobile Equipment
NAPT
Network Address and Port Translation
NASS
Network Access Sub-System
NAT
Network Address Translation
NDS
Network Domain Security
P-CSCF
Proxy-CSCF
R-UIM
Removable User Identity Module
S-CSCF
Serving-CSCF
SA
Security Association
SEG
Security Gateway
SD-AV
SIP Digest Authentication Vector
SDP
Session Description Protocol
SIP
Session Initiation Protocol
TLS
Transport Layer Security
TNA
Trusted Node Authentication
UA
User Agent