1xEV-DO Roamer Authentication Sarvar Patel, Simon Mizikovsky, Zhibi Wang

1xEV-DO Security Architecture
[Figure: architecture diagram. Network elements: 1xEV-DO BTS, RNC, PDSN, AAA (two instances), Corp. FW, Internet. Interfaces: A10/A11, A12, A13. Security functions: Session Key Agreement, Device Authentication (Inner CHAP), User Authentication (Outer CHAP), Session Authentication (Integrity MAC), IPSec, RAN Encryption (AES). Comment by zhibiwang on the diagram: "User Authentication uses CHAP?"]

Current status
• Operator A can perform (NULL, MN-AAA) authentication, where the pair is (RAN level, PDSN level)
• Operator B can perform (A12 CHAP, NULL)
• A roaming solution:
  • Operator A sets the RAN-AAA CHAP password to be the same as the MN-AAA key, so that Operator B can perform a RAN level CHAP when Operator A's user roams into Operator B's network.
  • Operator A analyzes the realm at the A12 level, and if it is an Operator A user, RAN level CHAP will be bypassed. If it is an Operator B user, RAN level CHAP will be performed against the AN-AAA in Operator B's network.

Potential attack
• The NAI and authentication at the RAN level and at the PDSN level are independent and can be different, so an attacker can:
  • Use an Operator A NAI at the RAN level, so that Operator A bypasses RAN level CHAP (it thinks the user is an Operator A customer at this level)
  • Use an Operator B NAI at the PDSN level, so that Operator A bypasses PDSN level authentication (it thinks the user is an Operator B customer at this level)

A Possible Solution
• Operator A performs (A12 CHAP, Mobile IP Authentication) for its users and (A12 CHAP, NULL) for Operator B roamers
• An attacker can still avoid usage billing:
  • The attacker subscribes to Operator A service and uses an Operator A NAI and CHAP password to gain RAN level access; at the PDSN level the attacker uses an Operator B NAI, which causes Operator A to bypass PDSN level authentication
  • Since Operator A does billing at the PDSN level, the attacker's extra usage would not be accounted for

Solution
• The RNC reports to the PDSN the NAI that is used by the AT at system access
• The PDSN verifies the NAIs at the two different levels; if they mismatch, it terminates the session
• Requires an A11 interface change to transport the ID of the HRPD AT, specifically the NAI, to the PDSN
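
The PDSN-side check from the Solution slide, as an added example that is not part of the original slides or any operator's code: it models Operator A's admission decision under the (A12 CHAP, Mobile IP Authentication) / (A12 CHAP, NULL) policy with and without the NAI cross-check. The realm names, user names, function names, the case-insensitive realm comparison and the fail-closed handling of a missing RAN-level NAI are all assumptions.

```python
# Added example: models Operator A's PDSN admission decision; not real PDSN code.
from dataclasses import dataclass
from typing import Optional

HOME_REALM = "operator-a.example"         # constructed realm for Operator A
ROAMER_REALMS = {"operator-b.example"}    # constructed realm for Operator B

def split_nai(nai: str):
    """Split user@realm. Realm is compared case-insensitively (assumption)."""
    user, sep, realm = nai.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"malformed NAI: {nai!r}")
    return user, realm.lower()

@dataclass
class Decision:
    admitted: bool
    pdsn_auth: str    # "MIP" (Mobile IP authentication), "NULL", or "-" if rejected
    reason: str

def pdsn_admit(pdsn_nai: str, ran_nai: Optional[str], cross_check: bool) -> Decision:
    """ran_nai: NAI the RNC reports over A11; None if the interface does not carry it."""
    identity = split_nai(pdsn_nai)
    if cross_check:
        if ran_nai is None:
            # Assumption: fail closed when the RNC reported no NAI.
            return Decision(False, "-", "no RAN-level NAI reported")
        if split_nai(ran_nai) != identity:
            return Decision(False, "-", "RAN/PDSN NAI mismatch, session terminated")
    realm = identity[1]
    if realm == HOME_REALM:
        return Decision(True, "MIP", "home user")
    if realm in ROAMER_REALMS:
        return Decision(True, "NULL", "roamer, PDSN-level authentication bypassed")
    return Decision(False, "-", "unknown realm")

if __name__ == "__main__":
    cases = [  # (RAN-level NAI, PDSN-level NAI), all constructed
        ("alice@operator-a.example", "alice@operator-a.example"),
        ("bob@operator-b.example", "bob@operator-b.example"),
        ("carol@operator-a.example", "carol@operator-b.example"),  # mixed NAIs
    ]
    for ran, pdsn in cases:
        for check in (False, True):
            print(ran, pdsn, check, pdsn_admit(pdsn, ran, check))
```

Without the cross-check the mixed-NAI session is admitted with NULL PDSN-level authentication; with it, only sessions whose two NAIs agree reach the realm-based policy.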