Registration & Authentication In IMS Network

Registration & Authentication In IMS:-

In IMS, all users must register their IP Address and port in the S-CSCF, which acts as a SIP Registrar.

Registration is performed when a client is started. A SIP REGISTER request is then sent to the IMS Network, including the IP and port, and the user’s public identity.

On receipt of the REGISTER message the IMS network:

Checks if the user belongs to the home domain and has a subscription.

Authenticates the user, if required.

Allows the user to register in the system.

Authentication:-

Authentication is the procedure used to verify the identity of a user when Registering or sending messages.

Four types of authentication are used in IMS.

1.      HTTP Digest:-

When using HTTP Digest Authentication, the User is challenged by the S-CSCF. It receives a nonce, which it uses together with a password to calculate a response. The S-CSCF calculates its own response, using information from the HSS, and if it matches the one from the user, the authentication is successful.

The HTTP Digest mechanism requires the user password to be stored in HSS and in the UE.

2.      GPRS IMS Bundled Authentication (GIBA):-

When using GIBA, neither the UE nor the IMS System need to provide a user password.

GIBA relies on the user being authenticated when attaching to GPRS. The GGSN will send the UE IP address and the MSISDN and IMSI of the user to HSS using RADIUS. This triplet is referred to as the master session. It is compared to the information received in the REGISTER.

3.      NASS Bundled Authentication (NBA):-

NBA is similar to GIBA, but for fixed users. It implies that the user is authenticated when gaining IP access to the operator's access network. The lineID from which the user will be authenticated is provisioned in HSS, and compared to the information in the SIP REGISTER. If there is a match, authentication is successful.

4.      IMS Authentication and Key Agreement (IMS-AKA):-

The IMS AKA procedure is similar to the SIP Digest authentication, but requires a specific set of SIP headers and parameters to establish IPSec associations between the UE and the P-CSCF. When the IMS AKA procedure is done, all subsequent SIP messages between the UE and P-CSCF will be protected by IPSec.

Let’s have a look at this example of a Registration using Digest Autherntication.

1. The IMS client attempts to register by sending a REGISTER request to the P-CSCF.
2. The P-CSCF forwards the REGISTER request to the I-CSCF.
3. The I-CSCF polls the HSS for data used to decide which S-CSCF should manage the REGISTER request. The I-CSCF then makes that decision.
4. The I-CSCF forwards the REGISTER request to the appropriate S-CSCF.
5. The S-CSCF typically sends the P-CSCF a 401 (UNAUTHORIZED) response as well as a challenge string in the form of a “number used once” or “nonce”.
6. The P-CSCF forwards the 401 – UNAUTHORIZED response to the UE.
7. Both the UE and the network have stored some Shared Secret Data (SSD), the UE in its ISIM or USIM and the network on the HSS. The UE uses an algorithm per RFC 33101 (e.g. AKAv2-MD5) to hash the SSD and the nonce.”
8. The UE sends a REGISTER request to the P-CSCF. This time the request includes the result of the hashed nonce and SSD.
9. The P-CSCF forwards the new REGISTER request to the I-CSCF.
10. The I-CSCF forwards the new REGISTER request to the S-CSCF.
11. The S-CSCF polls the HSS (via the I-CSCF) for the SSD, hashes it against the nonce and determines whether the UE should be allowed to register. Assuming the hashed values match, the S-CSCF sends 200 – OK response to the P-CSCF. At this point an IPSec security association is established by the P-CSCF.
12. The P-CSCF forwards the 200 – OK response to the UE.