
TS 133 328 - V9.3.0 - Universal Mobile Telecommunications System (UMTS); LTE; IP Multimedia Subsystem (IMS) media plane security (3GPP TS 33.328 version 9.3.0 Release 9) PDF



ETSI TS 133 328 V9.3.0 (2011-01)
Technical Specification

Universal Mobile Telecommunications System (UMTS); LTE; IP Multimedia Subsystem (IMS) media plane security (3GPP TS 33.328 version 9.3.0 Release 9)

3GPP TS 33.328 version 9.3.0 Release 9 / ETSI TS 133 328 V9.3.0 (2011-01)

Reference: RTS/TSGS-0333328v930
Keywords: LTE, SECURITY, UMTS

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00
Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

Individual copies of the present document can be downloaded from: http://www.etsi.org

The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp

Copyright Notification

No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2011. All rights reserved.

DECT(TM), PLUGTESTS(TM), UMTS(TM), TIPHON(TM), the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP(TM) is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. LTE(TM) is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM(R) and the GSM logo are Trade Marks registered and owned by the GSM Association.

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://webapp.etsi.org/IPR/home.asp).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP).

The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the corresponding ETSI deliverables.

The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http://webapp.etsi.org/key/queryform.asp.

Contents

Intellectual Property Rights .... 2
Foreword .... 2
Foreword .... 5
Introduction .... 6
1 Scope .... 7
2 References .... 7
3 Definitions, symbols and abbreviations .... 8
3.1 Definitions .... 8
3.2 Symbols .... 8
3.3 Abbreviations .... 8
4 IMS media plane security overview .... 9
4.1 Introduction .... 9
4.1.1 General .... 9
4.1.2 Solution overview .... 9
4.1.2.1 SDES based solution .... 9
4.1.2.2 KMS based solution .... 9
4.2 IMS media plane security architecture .... 10
4.2.1 General .... 10
4.2.2 E2ae security .... 11
4.2.3 E2e security using SDES .... 11
4.2.4 E2e security using KMS .... 11
5 IMS media plane security features .... 12
5.1 General .... 12
5.2 Media integrity protection .... 12
5.3 Media confidentiality protection .... 13
5.4 Authentication and authorization .... 13
5.4.1 Authentication and authorization for e2ae protection .... 13
5.4.2 Authentication and authorization for e2e protection using SDES .... 13
5.4.3 Authentication and authorization for e2e protection using KMS .... 13
5.5 Security properties of key management, distribution and derivation .... 14
5.5.1 General security properties for protection using SDES .... 14
5.5.2 Additional security properties for e2ae protection using SDES .... 14
5.5.3 Security properties for e2e protection using KMS .... 15
6 Security mechanisms .... 15
6.1 Media security mechanisms .... 15
6.1.1 Media security mechanisms for real-time traffic .... 15
6.2 Key management mechanisms for media protection .... 16
6.2.1 Key management mechanisms for e2ae protection .... 16
6.2.1.1 Endpoints for e2ae protection .... 16
6.2.1.2 Key management protocol for e2ae protection .... 16
6.2.1.3 Functional extension of the Iq interface for e2ae protection .... 16
6.2.2 Key management mechanisms for e2e protection using SDES .... 17
6.2.3 Key management mechanisms for e2e protection using KMS .... 17
6.2.3.1 General .... 17
6.2.3.2 KMS user and user group identities .... 17
6.2.3.3 IMS UE local policies .... 18
6.2.3.4 Ticket data .... 18
6.2.3.4.1 Ticket format .... 18
6.2.3.4.2 Allocation of ticket subtype and version for ticket type 2 .... 18
6.2.3.5 Authentication of public identities in REQUEST_INIT and RESOLVE_INIT .... 18
6.2.3.6 Authentication of terminating user identity .... 19
6.2.3.7 Reusable tickets .... 19
6.2.3.8 Signalling between KMSs .... 19
7 Security association set-up procedures for media protection .... 19
7.1 IMS UE registration procedures .... 19
7.2 IMS UE originating procedures .... 20
7.2.1 IMS UE originating procedures for e2ae .... 20
7.2.2 IMS UE originating procedures for e2e using SDES .... 22
7.2.3 IMS UE originating procedures for e2e using KMS .... 24
7.3 UE terminating procedures .... 25
7.3.1 UE terminating procedures for e2ae .... 25
7.3.2 IMS UE terminating procedures for e2e using SDES .... 27
7.3.3 IMS UE terminating procedures for e2e using KMS .... 29
7.4 Session update procedures .... 30
7.5 Handling of emergency calls .... 30
Annex A (Normative): HTTP based key management messages .... 31
A.1 General aspects .... 31
A.2 Key management procedures .... 31
A.3 Error situations .... 32
Annex B (Normative): KMS based key management .... 33
B.1 UE originating procedures .... 33
B.1.1 Preconditions .... 33
B.1.2 Procedures .... 33
B.2 UE terminating procedures .... 34
B.2.1 General .... 34
B.2.2 Procedures for the case with one KMS domain .... 34
B.2.2.1 Preconditions .... 34
B.2.2.2 Procedures .... 34
B.2.3 Procedures for the case with two KMS domains .... 35
B.2.3.1 Preconditions .... 35
B.2.3.2 Procedures .... 35
Annex C (Normative): SRTP profiling for IMS media plane security .... 37
Annex D (Normative): MIKEY-TICKET profile for IMS media plane security .... 38
D.1 Scope .... 38
D.2 General .... 38
D.2A Keys, RANDs and algorithms .... 38
D.3 Exchanges .... 38
D.3.1 Ticket Request .... 38
D.3.2 Ticket Transfer .... 39
D.3.3 Ticket Resolve .... 39
D.4 Profiling of tickets .... 39
Annex E (normative): Profiling of SDES .... 41
Annex F (informative): Change history .... 42
History .... 43

Foreword

This Technical Specification has been produced by the 3rd Generation Partnership Project (3GPP).

The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying change of release date and an increase in version number as follows:

Version x.y.z

where:

x the first digit:
1 presented to TSG for information;
2 presented to TSG for approval;
3 or greater indicates TSG approved document under change control.

y the second digit is incremented for all changes of substance, i.e. technical enhancements, corrections, updates, etc.

z the third digit is incremented when editorial only changes have been incorporated in the document.
Introduction

With Common IMS it has become possible to use IMS over a wide variety of access networks. These access networks provide security of varying strengths, or, in some cases, no security at all. It is therefore desirable to have a standard for IMS media plane security, which provides uniform protection of IMS media against eavesdropping and undetected modification across access networks.

Furthermore, media transport in the core network, although generally less vulnerable than in the access network, may also be realised in varying ways with different guarantees of protection. It is therefore also desirable to have a standard for IMS media plane security, which guarantees protection of IMS media against eavesdropping and undetected modification in an end-to-end (e2e) fashion between two terminal devices.

1 Scope

The present document presents IMS media plane security for RTP based media which is designed to meet the following three main objectives:

1. to provide security for media usable across all access networks
2. to provide an end-to-end (e2e) media security solution to satisfy major user categories
3. to provide end-to-end (e2e) media security for important user groups like enterprises, National Security and Public Safety (NSPS) organizations and different government authorities who may have weaker trust in the inherent IMS security and/or may desire to provide their own key management service.

The media plane security in this release of the TS is based on the well established protocol SRTP. Key management solutions for SRTP are defined in this specification.

2 References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.

- References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
- For a specific reference, subsequent revisions do not apply.
- For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.

[1] 3GPP TR 21.905: "Vocabulary for 3GPP Specifications".
[2] 3GPP TS 23.002: "Network architecture".
[3] 3GPP TS 23.228: "IP Multimedia (IM) Subsystem".
[4] 3GPP TS 33.203: "3G Security; Access security for IP-based services".
[5] 3GPP TS 33.210: "3G Security; Network domain security; IP network layer security".
[6] 3GPP TS 33.220: "Generic Authentication Architecture (GAA); Generic bootstrapping architecture".
[7] IETF RFC 1035: "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION".
[8] IETF RFC 2616: "Hypertext Transfer Protocol -- HTTP/1.1".
[9] IETF RFC 3711: "The Secure Real-time Transport Protocol (SRTP)".
[10] IETF RFC 3550: "RTP: A Transport Protocol for Real-Time Applications".
[11] IETF RFC 3830: "MIKEY: Multimedia Internet KEYing".
[12] IETF RFC 4567: "Key Management Extensions for Session Description Protocol (SDP) and Real Time Streaming Protocol (RTSP)".
[13] IETF RFC 4568: "Session Description Protocol (SDP) Security Descriptions for Media Streams".
[14] IETF RFC 6043: "MIKEY-TICKET: Ticket-Based Modes of Key Distribution in Multimedia Internet KEYing (MIKEY)".
[15] IETF RFC 4771: "Integrity Transform Carrying Roll-Over Counter for the Secure Real-time Transport Protocol (SRTP)".
[16] Otway, D. and Rees, O. 1987: "Efficient and timely mutual authentication." SIGOPS Oper. Syst. Rev. 21, 1 (Jan. 1987), 8-10.
[17] IETF RFC 4566: "SDP: Session Description Protocol".
[18] 3GPP TS 24.229: "IP multimedia call control protocol based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP)".
[19] 3GPP TS 24.109: "Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details".
[20] 3GPP TS 29.162: "Interworking between the IM CN subsystem and IP networks".

3 Definitions, symbols and abbreviations

3.1 Definitions

For the purposes of the present document, the terms and definitions given in TR 21.905 [1] and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905 [1].

End-to-access edge security: This term refers to media protection extending between an IMS UE and the first IMS core network node in the media path without being terminated by any intermediary.

End-to-end security: This term refers to media protection extending between two IMS UEs without being terminated by any intermediary.

IMS User Equipment: User equipment used for IMS media communications over access networks. Use of such equipment for IMS media communications over any 3GPP access network shall require presence of a UICC.

KMS User Identity: A KMS user identity is derived from a user's public SIP-URI and it is the NAI-part of the SIP URI.

3.2 Symbols

Void

3.3 Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 [1] and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905 [1].
e2ae End-to-access edge
e2e End-to-end
GW Gateway
IMS-ALG IMS Application Level Gateway
IMS UE IMS User Equipment
KMS Key Management Service
MIKEY Multimedia Internet KEYing
NAF Network Application Function
TEK Traffic Encryption Key
TGK TEK Generation Key

4 IMS media plane security overview

4.1 Introduction

4.1.1 General

IMS media plane security is composed of two more or less independent key management solutions.

The first solution, SDES, is for e2ae and for e2e media protection. The solution relies on the security of the SIP infrastructure and in particular on SIP signalling security.

The second solution is for e2e protection and aims for high security, independent of the signalling and transport network. It is based on use of a Key Management Service (KMS) and a ticket concept. The security offered is anchored in the KMS including the functionality used for user authentication and key generation towards the KMS.

Irrespective of the key management solution used, SRTP [9] is used as the security protocol to protect RTP based traffic. Specifically, the key(s) provided by this specification are used as the so called SRTP master key.

4.1.2 Solution overview

4.1.2.1 SDES based solution

SDES (Session Description Protocol Security Descriptions for Media Streams, cf. RFC 4568 [13]), is a simple key management protocol for media streams, which are to be secured by means of SRTP [9]. SDES defines a Session Description Protocol (SDP) RFC 4566 [17] cryptographic attribute for unicast media streams. The attribute describes a cryptographic key and other parameters that serve to configure security for a unicast media stream in either a single message or a roundtrip exchange. The attribute can be used with a variety of SDP media transports, and RFC 4568 [13] defines how to use it for the SRTP unicast media streams.

The SDP crypto attribute requires the services of a data security protocol to secure the SDP message. For the use of SDES in IMS, the SIP signalling security mechanisms defined for IMS shall be used; for more details cf. clause 5.5.

SDES basically works as follows: when an offerer A and an answerer B establish a SIP session they exchange cryptographic keys for protection of the ensuing exchange of media with SRTP. A includes the key, by which the media sent from A to B is protected, in a SIP message to B, and B responds with a SIP message including a second key, by which the media sent from B to A is protected.

In this specification, SDES is used for two modes of operation: e2ae mode and e2e mode.

For the e2ae mode, SDES is run between an IMS UE and a SIP edge proxy, i.e. a P-CSCF (IMS-ALG). In the originating network, the P-CSCF (IMS-ALG) evaluates and subsequently deletes SDES cryptographic attributes that are passed to it from the IMS UE in SIP messages, and creates SDES cryptographic attributes and passes them to the IMS UE in SIP messages. This is done similarly in the terminating network. The resulting SRTP session is then established between the IMS UE and the media node controlled by the P-CSCF (IMS-ALG), i.e. the IMS Access Gateway (GW). This means that, for the e2ae mode, media is protected only over the access part of the network. The purpose of the e2ae mode is to provide access protection, i.e. guarantee protection of IMS media against eavesdropping and undetected modification in a uniform manner across heterogeneous access networks with various strengths of link layer protection. Access protection on the originating side is provided independently of access protection on the terminating side.

For the e2e mode, SDES is run between two IMS UEs, and the resulting SRTP session is then established between the two IMS UEs. This e2e media plane security solution should be suitable for anyone for whom the security level, with which SIP signalling messages are protected, is sufficient.

When used in e2e mode SDES has minor requirements on the network infrastructure. When used in e2ae mode, the requirements on the network infrastructure can be seen from clause 4.2.2.

4.1.2.2 KMS based solution

The KMS based solution is an e2e security solution which protects media from one IMS UE all the way to another IMS UE not allowing any network entity access to plaintext media. It is designed to rely on a well defined and limited set of entities that have to be trusted, simplifying the task of evaluation and assessment of offered security level.
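The SDES exchange and the e2ae attribute handling described in clause 4.1.2.1, as an added Python example that is not part of the specification: it parses the RFC 4568 a=crypto attribute, rejects malformed key material the way a P-CSCF (IMS-ALG) should, deletes the UE's attributes from the offer before it enters the core (handing the parsed SRTP master keys to the IMS Access GW), and creates the network's own attribute in the answer toward the UE. The function names, the sample SDP and the key bytes are constructed for this example; SRTP protection itself is not implemented here.

```python
"""Added example: SDES (RFC 4568) a=crypto handling in the e2ae mode of TS 33.328."""
import base64
import re
import secrets

# SRTP master key and master salt lengths (bytes) per crypto-suite, RFC 4568 section 6.2.
CRYPTO_SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}

# a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
_CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) (\S+)(?: (.+))?$")


def parse_crypto(line):
    """Parse one a=crypto attribute into SRTP master key, salt and optional fields.

    Raises ValueError on what an IMS-ALG must reject: an unknown crypto-suite,
    a key method other than inline, or key||salt of the wrong length.
    """
    m = _CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not a crypto attribute: %r" % line)
    tag, suite, key_params, session_params = m.groups()
    if suite not in CRYPTO_SUITES:
        raise ValueError("unsupported crypto-suite: %s" % suite)
    method, _, key_info = key_params.partition(":")
    if method != "inline":
        raise ValueError("unsupported key method: %s" % method)
    fields = key_info.split("|")
    key_len, salt_len = CRYPTO_SUITES[suite]
    key_salt = base64.b64decode(fields[0], validate=True)
    if len(key_salt) != key_len + salt_len:
        raise ValueError("key||salt must be %d bytes" % (key_len + salt_len))
    lifetime = mki = None
    for field in fields[1:]:          # optional "|lifetime" and "|MKI:length"
        if ":" in field:
            mki = field
        else:
            lifetime = field
    return {"tag": int(tag), "suite": suite, "key": key_salt[:key_len],
            "salt": key_salt[key_len:], "lifetime": lifetime, "mki": mki,
            "session_params": session_params}


def accepts(line):
    """True if the attribute passes parse_crypto, False if it would be rejected."""
    try:
        parse_crypto(line)
        return True
    except ValueError:
        return False


def build_crypto(tag, suite, key_salt=None):
    """Create a fresh a=crypto attribute; key||salt is random unless supplied."""
    key_len, salt_len = CRYPTO_SUITES[suite]
    if key_salt is None:
        key_salt = secrets.token_bytes(key_len + salt_len)
    elif len(key_salt) != key_len + salt_len:
        raise ValueError("key||salt must be %d bytes" % (key_len + salt_len))
    return "a=crypto:%d %s inline:%s" % (tag, suite, base64.b64encode(key_salt).decode())


def strip_ue_offer(sdp_offer):
    """Originating e2ae: the P-CSCF (IMS-ALG) evaluates and deletes the UE's crypto
    attributes before the SDP enters the core; the parsed keys go to the IMS Access GW,
    which uses them to unprotect the UE's SRTP. Returns (core-side SDP, parsed attributes)."""
    kept, ue_keys = [], []
    for line in sdp_offer.splitlines():
        if line.startswith("a=crypto:"):
            ue_keys.append(parse_crypto(line))   # malformed material is rejected here
        else:
            kept.append(line)
    return "\r\n".join(kept) + "\r\n", ue_keys


def answer_to_ue(sdp_answer, chosen, key_salt=None):
    """Originating e2ae: the IMS-ALG creates its own crypto attribute for the chosen
    tag/suite and places it after the m= line of the answer sent to the UE."""
    out = []
    for line in sdp_answer.splitlines():
        out.append(line)
        if line.startswith("m="):
            out.append(build_crypto(chosen["tag"], chosen["suite"], key_salt))
    return "\r\n".join(out) + "\r\n"


# Constructed sample offer from a UE; key||salt is the bytes 0x00..0x1d, not a real key.
SAMPLE_OFFER = (
    "v=0\r\nm=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwd|2^20|1:4\r\n"
)
```

The terminating-side P-CSCF (IMS-ALG) performs the mirror image of the same two steps, which is why the offer and answer handling are kept as separate functions.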
