Registration & Authentication In IMS:-
In IMS, all users must register their IP address and port in the S-CSCF, which acts as a SIP Registrar.
Registration is performed when a client is started. A SIP REGISTER request is then sent to the IMS network, including the IP and port, and the user’s public identity.
On receipt of the REGISTER message the IMS network:
- Checks if the user belongs to the home domain and has a subscription.
- Authenticates the user, if required.
- Allows the user to register in the system.
Authentication:-
Authentication is the procedure used to verify the identity of a user when registering or sending messages.
Four types of authentication are used in IMS.
1. HTTP Digest:-
When using HTTP Digest Authentication, the user is challenged by the S-CSCF. The user receives a nonce, which it uses together with a password to calculate a response. The S-CSCF calculates its own response, using information from the HSS, and if it matches the one from the user, the authentication is successful.
The HTTP Digest mechanism requires the user password to be stored in HSS and in the UE.
2. GPRS IMS Bundled Authentication (GIBA):-
When using GIBA, neither the UE nor the IMS system needs to provide a user password.
GIBA relies on the user being authenticated when attaching to GPRS. The GGSN will send the UE IP address and the MSISDN and IMSI of the user to HSS using RADIUS. This triplet is referred to as the master session. It is compared to the information received in the REGISTER.
3. NASS Bundled Authentication (NBA):-
NBA is similar to GIBA, but for fixed users. It implies that the user is authenticated when gaining IP access to the operator's access network. The lineID from which the user will be authenticated is provisioned in HSS, and compared to the information in the SIP REGISTER. If there is a match, authentication is successful.
4. IMS Authentication and Key Agreement (IMS-AKA):-
The IMS AKA procedure is similar to the SIP Digest authentication, but requires a specific set of SIP headers and parameters to establish IPSec associations between the UE and the P-CSCF. When the IMS AKA procedure is done, all subsequent SIP messages between the UE and P-CSCF will be protected by IPSec.
Let’s have a look at this example of a registration using Digest Authentication.
- The IMS client attempts to register by sending a REGISTER request to the P-CSCF.
- The P-CSCF forwards the REGISTER request to the I-CSCF.
- The I-CSCF polls the HSS for data used to decide which S-CSCF should manage the REGISTER request. The I-CSCF then makes that decision.
- The I-CSCF forwards the REGISTER request to the appropriate S-CSCF.
- The S-CSCF typically sends the P-CSCF a 401 (UNAUTHORIZED) response as well as a challenge string in the form of a “number used once” or “nonce”.
- The P-CSCF forwards the 401 – UNAUTHORIZED response to the UE.
- Both the UE and the network have stored some Shared Secret Data (SSD), the UE in its ISIM or USIM and the network on the HSS. The UE uses an algorithm per RFC 3310 (e.g. AKAv2-MD5) to hash the SSD and the nonce.
- The UE sends a REGISTER request to the P-CSCF. This time the request includes the result of the hashed nonce and SSD.
- The P-CSCF forwards the new REGISTER request to the I-CSCF.
- The I-CSCF forwards the new REGISTER request to the S-CSCF.
- The S-CSCF polls the HSS (via the I-CSCF) for the SSD, hashes it against the nonce and determines whether the UE should be allowed to register. Assuming the hashed values match, the S-CSCF sends a 200 – OK response to the P-CSCF. At this point an IPSec security association is established by the P-CSCF.
- The P-CSCF forwards the 200 – OK response to the UE.
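As an added example (not part of the original post), the Python code below shows the challenge-response check from the HTTP Digest section and the flow above: the UE and the S-CSCF each compute a response from the nonce and the password, and the S-CSCF compares the two. It uses plain RFC 2617 MD5 Digest with qop=auth rather than the AKA variants; the user, realm, URI and password are constructed sample values, and the function names are chosen here for illustration.

```python
import hashlib
import hmac
import secrets


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Compute the RFC 2617 MD5 Digest response (same code on UE and S-CSCF)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")   # secret-derived half
    ha2 = _md5_hex(f"{method}:{uri}")                  # request-derived half
    if qop:  # qop=auth also binds the client nonce and the nonce count
        return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def new_challenge(realm):
    """S-CSCF side: parameters carried in the 401 WWW-Authenticate header."""
    return {"realm": realm, "nonce": secrets.token_hex(16), "qop": "auth"}


def verify_register(auth, stored_password, issued_nonce, method="REGISTER"):
    """S-CSCF side: recompute the response from the password held in the HSS."""
    if not hmac.compare_digest(auth["nonce"], issued_nonce):
        return False  # nonce is not the one issued in the 401 (stale or replayed)
    expected = digest_response(auth["username"], auth["realm"], stored_password, method,
                               auth["uri"], auth["nonce"], auth.get("qop"), auth.get("nc"), auth.get("cnonce"))
    return hmac.compare_digest(expected, auth["response"])  # constant-time compare


def demo():
    # Constructed sample values, not taken from any real network.
    user, realm, uri, password = "alice@ims.example.org", "ims.example.org", "sip:ims.example.org", "constructed-pw"
    ch = new_challenge(realm)                                # 401 from the S-CSCF
    auth = {"username": user, "realm": realm, "uri": uri, "nonce": ch["nonce"],
            "qop": "auth", "nc": "00000001", "cnonce": secrets.token_hex(4)}
    auth["response"] = digest_response(user, realm, password, "REGISTER", uri,
                                       ch["nonce"], "auth", auth["nc"], auth["cnonce"])
    ok = verify_register(auth, password, ch["nonce"])        # second REGISTER accepted
    bad = verify_register(auth, "wrong-pw", ch["nonce"])     # password mismatch
    replay = verify_register(auth, password, new_challenge(realm)["nonce"])  # old nonce
    return ok, bad, replay


if __name__ == "__main__":
    print(demo())
```

The password itself never crosses the network; only the nonce and the hashed response do, which is why both the UE and the HSS must hold the same secret.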